Create Secure Mesh Site

Objective

This document provides instructions on how to install single-node or multi-node F5® Distributed Cloud Secure Mesh Sites on devices such as Baremetal or Virtual Machines (VM) running on KVM or VMware. A Secure Mesh Site is a Distributed Cloud Customer Edge (CE) Site engineered to make it easy to create Sites on non-cloud, F5® Distributed Cloud Mesh (Mesh) certified hardware. To know more about Distributed Cloud sites, see Site.

Using the instructions provided in this document, you can create a single-node or multi-node Secure Mesh Site object in the F5® Distributed Cloud Console, perform required configurations such as interface configuration, install the image to the respective device or VM, and register the Site to complete Site deployment.

Note: After deployment, a Secure Mesh Site functions similarly to other non-cloud Mesh Sites, but unlike other Sites, a Secure Mesh Site makes it easier to manage the Site and perform advanced configurations.


Secure Mesh Site vs Other Mesh Sites

The Secure Mesh Site makes it easier to plan and choose infrastructure settings such as interfaces before installation, and also to perform advanced configuration steps that are not available through Fleet or regular Site management. The following list presents the benefits of a Secure Mesh Site over other non-cloud Mesh Sites:

  • Provides ease of operation to configure Sites with non-cloud, Mesh certified hardware.

Note: This is similar to App Stack Sites for deploying Sites with AppStack functionality. See App Stack Site for more information.

  • Prevents common errors while configuring Mesh Sites by simplifying the form and enhancing validation, for example:

    • Choosing the correct hardware when configuring the inside interface from the Global Controller
    • Misconfiguration of a DHCP server on interfaces
  • Exposes features that are not available in Fleet and Site configuration, for example:

    • Offline Survivability
    • Multi-Tunnel Site Mesh Group configuration for public and private IPs

Note: The following are not supported for Secure Mesh Site:

  • Storage Interfaces, Devices and Classes
  • Site Local K8s API access
  • USB devices
  • VM support (running VMs on the Site)

Prerequisites

  • An F5 Distributed Cloud Account. If you do not have an account, see Create an Account.

  • One or more devices or VMs with interfaces that have internet reachability, for Site installation.

  • Resources required per node: Minimum 4 vCPUs and 14 GB RAM.


Deploy Site

Perform the steps provided in the following sections to deploy a Secure Mesh Site.

Create Site Token

Create a site token or use an existing token. If you are configuring a multi-node site, use the same token for all nodes.

Step 1: Navigate to site tokens page.
  • Log into F5® Distributed Cloud Console.

  • Click Multi-Cloud Network Connect.

Figure: Console Homepage
  • Select Manage > Site Management > Site Tokens.

  • Click Add Site Token to create a new token.

Figure: Site Tokens
Step 2: Generate a new site token.
  • In the Name field, enter the token name.

  • In the Description field, enter a description for the token.

  • Click Save and Exit.

Figure: Site Token Form
Step 3: Note down the new token.
  • Find the token previously created or choose an existing token from the list of tokens displayed.

  • Click > to expand the token details in JSON format and note down the value of the uid field.

Figure: UID Field

Create Secure Mesh Site Object

Log into F5 Distributed Cloud Console and perform the following steps:

Step 1: Start creating a Secure Mesh Site object.
  • In Multi-Cloud Network Connect service, navigate to Manage > Site Management > Secure Mesh Sites.

  • Select Add Secure Mesh Site to open the Secure Mesh Site configuration form.

Figure: Navigate to Secure Mesh Site Configuration
  • Enter a name in the Metadata section for your Secure Mesh Site object.

  • Optionally, select labels and add a description.

Step 2: Set the fields for the basic configuration section.
  • From the Generic Server Certified Hardware menu, select an option. The isv-8000-series-voltmesh is selected by default.

  • Enter the names of the master nodes in the List of Master Nodes field. Select Add item to add more than one entry. Only a single master node or 3 master nodes are supported.

Note: Enter the public IP in the Public IP field for the master nodes. These IP addresses are only used when a Site is part of a Site Mesh Group, and you have selected the Site Mesh Group Connection Via Public Ip option for Site Mesh Group Connection Type field as shown in Step 4.6.

  • Optionally, enter the names of worker nodes in the List of Worker Nodes field. Select Add item to add more than one entry.

  • Optionally, enter the following fields:

    • Geographical Address: This derives geographical coordinates.

    • Coordinates: Latitude and longitude.

Figure: Secure Mesh Site Basic Configuration Section
Step 3: Optionally, configure bond interfaces.

In the Bond Configuration section, perform the following:

  • From the Select Bond Configuration menu, select Configure Bond Interfaces.

  • Select Configure to open bond interface configuration page.

  • Select Add Item under the Bond Devices List field.

  • Click the Bond Device Name field and select See Common Values. You can also type a custom name and click Add item to set the device name while also adding it to the existing options.

  • Click the Member Ethernet Devices field and select See Common Values for the Ethernet device that is part of this bond. Use the Add item option to add more devices.

  • From the Select Bond Mode menu, select the bonding mode. LACP (802.3ad) is selected by default, with a default LACP packet interval of 30 seconds. You can set the bond mode to Active/Backup so that the bond members operate as an active and backup pair.

  • Select Add Item.

Note: Use the Add item option in the Bond Devices List to add more than one bond device.

  • Select Apply in the Bond Devices page to apply the bond configuration.

Step 4: Optionally, configure network settings.

The network configuration is applied with default settings. To customize network settings, do the following:

  • In the Network Configuration section, select Custom Network Configuration from the Select to Configure Networking menu.

  • Select View Configuration to open the network configuration page and do the following:

Step 4.1: Configure site local network settings.

Site local network is applied with default configuration. Perform the following set of steps to apply custom configuration:

  • Select Configure Site Local Network from the Select Configuration For Site Local Network menu.

  • Select View Configuration.

  • Optionally, set labels for the Network Labels field in the Network Metadata section.

  • Select Manage Static Routes from the Manage Static Routes menu.

  • Select Add Item and perform the following:

    • Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.

    • Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.

    • Optionally, select one or more options for the Attributes field to set attributes for the static route.

    • Select Apply.

Note: You can use Add Item button in the Static Routes section to add more than one static route.

  • Optionally, configure DC Cluster Group using the following guidelines:

    • Select Member of DC Cluster Group from the Select DC Cluster Group menu.

    • In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.

Figure: Site Local Network Configuration
  • Select Apply.

Note: For more information, see the Configure DC Cluster Group guide.

Step 4.2: Configure site local inside network settings.

Site local inside network is applied with default configuration. Perform the following set of steps to apply custom configuration:

  • Select Configure Site Local Inside Network from the Select Configuration For Site Local Network menu.

  • Select Configure.

  • Optionally, set labels for the Network Labels field in the Network Metadata section.

  • Select Manage Static Routes from the Manage Static Routes menu.

  • Select Add Item and perform the following:

    • Enter IP prefixes for the IP Prefixes section. These prefixes will be mapped to the same next-hop and attributes.

    • Select IP Address or Interface or Default Gateway from the Select Type of Next Hop menu and specify IP address or interface accordingly. In the case of Interface, you can select an existing interface or create a new interface using the options for the interface field.

    • Optionally, select one or more options for the Attributes field to set attributes for the static route.

    • Select Apply.

Note: You can use Add Item button in the Static Routes section to add more than one static route.

  • Optionally, configure DC Cluster Group using the following guidelines:

    • Select Member of DC Cluster Group from the Select DC Cluster Group menu.

    • In the Member of DC Cluster Group field, select a DC cluster group. You can also select Create New DC Cluster Group to create a new cluster group. Performing this adds this site to a DC cluster group, enabling full connectivity between the members of the group.

  • Select Apply.

Note: For more information, see the Configure DC Cluster Group guide.

Step 4.3: Configure interface settings.

Bootstrap interface configuration is applied by default, and it is based on the certified hardware.

Perform the following to apply custom interface configuration:

  • Select List of Interface from the Select Interface Configuration menu.

  • Click Configure. This opens another interface list configuration page.

  • Select Add Item in the List of Interface table.

  • Optionally, enter an interface description and select labels.

  • Select an option from the Interface Config Type menu, and set one of the interface types using the following instructions:

Ethernet Interface:
  • Select Ethernet Interface and click Configure. This opens Ethernet interface configuration page.

  • Select an option from the Ethernet Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. If you select Specific Node, select the node from the options displayed in the Specific Node field. You can also type a custom name to set the name while also adding it to the existing options.

  • Select Untagged or VLAN Id from the Select Untagged or VLAN tagged menu. If you select VLAN Id, enter the VLAN ID in the VLAN Id field.

  • Select an option from the Select Interface Address Method menu in the IP Configuration section. DHCP Client is selected by default. If you select DHCP Server, click Configure, set the DHCP server configuration per the options displayed on the DHCP server configuration page, and click Apply. For brevity, this example shows the interface as a DHCP client.

  • Select site local outside or site local inside network from the Select Virtual Network menu in the Virtual Network section. Site Local Network (Outside) is selected by default.

  • Select if the interface is primary from the Select Primary Interface menu. Default is not a primary interface. Ensure that you set only one interface as primary.

  • Select Apply.

Dedicated Interface:
  • Select Dedicated Interface from the Interface Config Type menu.

  • Select a device name from the Interface Device menu using See Common Values. You can also type a custom name to set the device name while also adding it to the existing options.

  • Select Cluster, All Nodes of the Site or Specific Node from the Select Configuration for Cluster or Specific Node menu. If you select Specific Node, select the node from the options displayed in the Specific Node menu. You can also type a custom name to set the name while also adding it to the existing options.

  • Select whether the interface is primary in the Select Primary Interface field. By default, the interface is not primary. Ensure that you set only one interface as primary.

  • Select Add Item.

  • Optionally, add more than one interface using the Add item option in the List of Interface page.

  • Select Apply.

Step 4.4: Configure security settings.

By default, firewall policies and forward proxy policies are disabled in the security configuration.

In the Security Configuration section, perform the following to apply network and forward policies:

  • Select Active Enhanced Firewall Policies from the Firewall Policy menu and do the following:

    • Click Configure under Enhanced Firewall Policy to switch to enhanced firewall policies list page.
    • Select an enhanced firewall policy object from the Enhanced Firewall Policy drop-down. You can also create and apply a new enhanced firewall policy using the Add Item in the drop-down.
    • Use the Add Item button in the list page to add more than one enhanced firewall policy.
  • Select Active Firewall Policies from the Firewall Policy menu and do the following:

    • Select a firewall policy object from the Firewall Policy drop-down. You can also create and apply a new firewall policy using the Add item option.
    • Use the Add Item button in the list section to add more than one firewall policy.
  • Select one of the following options from the Forward Proxy menu:

    • Select Enable Forward Proxy and Manage Policies to apply specific forward proxy policies. Select a forward proxy policy from the Forward Proxy Policies drop-down. You can also create and apply a new forward proxy policy using the Add Item option. You can apply more than one forward proxy policy using the Add item option in the list section.

    • Select Enable Forward Proxy With Allow All Policy to allow all requests.

Step 4.5: Configure global networks.
  • Enable Show Advanced Fields in the Global Connections section.
  • Select Connect Global Networks from the Global Network Connections drop-down.
  • Click Add Item in the Global Network Connections section to open the global network connections page.
  • Select one of the following for the Select Network Connection Type field:
    • Direct, Site Local Inside to a Global Network to connect site local inside network to global network.
    • Direct, Site Local Outside to a Global Network to connect site local outside network to global network.
  • Select a virtual global network from the Global Virtual Network drop-down. You can also create and apply a new virtual global network using the Add Item button.
  • Click Apply to add the global network connection to the Secure Mesh Site configuration.

Note: Use Add Item in the Global Network Connections section to add more than one global network connection.

Step 4.6: Configure Site Mesh Group Connection Type.

The default connection type for incoming tunnels for a Site Mesh Group (SMG) is via private IP. This option uses the Site Local Outside interface addresses to create IPsec tunnels between two sites that are part of the SMG.

To change the connection type, select Site Mesh Group Connection Via Public Ip from the Site Mesh Group Connection Type field. This option uses the statically configured public IPs of each master node to create IPsec tunnels between two sites that are part of the SMG.

Step 4.7: Configure advanced settings.

In the Advanced Configuration section, do the following:

  • Select Enable VRRP for VIP(s) for VIP Advertisement Mode. Enabling this, together with BGP, is recommended when an Outside VIP or Inside VIP is configured.

  • Enter a value in milliseconds in the Tunnel Dead Timeout (msec) field to detect dead tunnels within this time. By default, 10000 milliseconds is set.

Click Apply to add the custom network settings to the Secure Mesh Site configuration.

Step 5: Optionally, configure advanced features.

Do the following in the Advanced Configuration section of Secure Mesh Site main configuration page:

  • Select Enable Logs Streaming from the Logs Streaming drop-down and choose a log streaming object from the displayed Enable Logs Streaming drop-down. This enables streaming of logs from the Site to the configured log receiver. For more information on log streaming configuration, see Logs Streaming.

  • Select F5XC Software Version from the F5XC Software Version field and enter a specific version in the enabled F5XC Software Version field. By default, the latest software version is used.

  • Select Operating System Version from the Operating System Version field and enter a specific version in the enabled Operating System Version field. By default, the latest OS version is used.

  • Select Custom Blocked Services Configuration from the Blocked Services field, click Add Item to customize the service type and port you want to block, and click Apply to add the custom blocking configuration.

  • Select Enable Offline Survivability Mode from the Offline Survivability Mode field to enable offline survivability mode.

Figure: Advanced Features

  • Select L3 Mode Enhanced Performance from the Performance Mode field and choose to enable or disable jumbo frames using the L3 Mode Enhanced Performance Options field options. The L7 Enhanced Mode is enabled by default for the performance mode.

Step 6: Complete creating the Secure Mesh Site.

Select Save and Exit to complete creating the Secure Mesh Site.

Note: You can also configure multiple interfaces for Virtual Machines (VM) or containers running in a K8s cluster within a Secure Mesh Site. For instructions, see Create Workloads with Multiple Network Interfaces.


Perform Site Registration

After creating the Secure Mesh Site object in Console, the Site appears in Console with the status Waiting for Registration. Install the nodes and, during initial configuration, ensure that the cluster name and host name of your nodes match the Secure Mesh Site name and the node names in the Basic Configuration section of the Secure Mesh Site object you configured. The initial configuration during node installation can be done either using SSH or using the Site Local User Interface (UI).

Note: See Create VMware Site, Create KVM Site, and Create Baremetal Site for node installation instructions. See Site Local UI for information on using Site Local UI.

Perform registration per the following instructions:

  • Navigate to Manage > Site Management > Registrations.

  • Choose your site from the list of sites displayed under the Pending Registrations tab.

  • Select the approve option (blue checkmark).

  • Ensure that the cluster name and hostname match those of the Secure Mesh Site.

  • Select Accept to complete registration. The Site then comes online.
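As a pre-flight check for the constraints this procedure states (a single master node or 3 master nodes, exactly one primary interface, a public IP per master node when the Site Mesh Group connects via public IP, the per-node minimum resources, and the cluster name and hostname match required at registration), here is an added Python validator. It is example code written for this page, not part of F5 Distributed Cloud or of this document; the plan fields, the `Node`/`Interface`/`SecureMeshSitePlan` names and the sample values are assumptions.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

MIN_VCPU, MIN_RAM_GB = 4, 14  # per-node minimum from the Prerequisites section


@dataclass
class Node:
    name: str                        # node name entered in the Secure Mesh Site object
    hostname: str                    # hostname set during node installation
    public_ip: Optional[str] = None  # only needed for SMG connection via public IP
    vcpus: int = MIN_VCPU
    ram_gb: int = MIN_RAM_GB


@dataclass
class Interface:
    device: str
    primary: bool = False


@dataclass
class SecureMeshSitePlan:            # hypothetical local model of the plan, not the XC API object
    name: str                        # Secure Mesh Site object name
    cluster_name: str                # cluster name entered during node installation
    masters: List[Node]
    workers: List[Node] = field(default_factory=list)
    interfaces: List[Interface] = field(default_factory=list)
    smg_via_public_ip: bool = False
    tunnel_dead_timeout_ms: int = 10000  # Step 4.7 default


def validate_plan(plan: SecureMeshSitePlan) -> List[str]:
    """Return the list of problems found; an empty list means the plan passes."""
    problems: List[str] = []
    # Step 2: only a single master node or exactly 3 master nodes are supported.
    if len(plan.masters) not in (1, 3):
        problems.append(f"master node count must be 1 or 3, got {len(plan.masters)}")
    # Registration: the cluster name must match the Secure Mesh Site name.
    if plan.cluster_name != plan.name:
        problems.append(f"cluster name {plan.cluster_name!r} != site name {plan.name!r}")
    for node in plan.masters + plan.workers:
        # Registration: each node's hostname must match its node name in the object.
        if node.hostname != node.name:
            problems.append(f"hostname {node.hostname!r} != node name {node.name!r}")
        # Prerequisites: minimum resources per node.
        if node.vcpus < MIN_VCPU or node.ram_gb < MIN_RAM_GB:
            problems.append(f"{node.name}: needs >= {MIN_VCPU} vCPU and {MIN_RAM_GB} GB RAM")
    # Step 2 note / Step 4.6: a public IP per master is required only for SMG via public IP.
    if plan.smg_via_public_ip:
        for m in plan.masters:
            try:
                ipaddress.ip_address(m.public_ip or "")
            except ValueError:
                problems.append(f"{m.name}: valid public IP required for SMG via public IP")
    # Step 4.3: exactly one interface may be marked primary.
    primaries = [i.device for i in plan.interfaces if i.primary]
    if plan.interfaces and len(primaries) != 1:
        problems.append(f"exactly one primary interface required, got {primaries}")
    return problems
```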
