Manual Chapter: BIG-IP® Network and System Management Guide: 5 - Configuring VLANs and VLAN Groups


5 Configuring VLANs and VLAN Groups


Introducing virtual LANs

In Chapter 1, Introducing BIG-IP Network and System Management, we described the BIG-IP system as being a multilayer switch instead of a standard IP router. This allows you to create and deploy virtual local area networks (VLANs). A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. Grouping hosts together in a VLAN has distinct advantages. For example, with VLANs, you can:

  • Reduce the size of broadcast domains, thereby enhancing overall network performance.
  • Reduce system and network maintenance tasks substantially. Functionally-related hosts no longer need to physically reside together to achieve optimal network performance.
  • Enhance security on your network by segmenting hosts that must transmit sensitive data.

The way that you group hosts into VLANs is by using the Configuration utility to create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP system interface is logically a member of the VLAN or VLANs to which that interface belongs.

Understanding VLANs on a BIG-IP system

The BIG-IP system is a port-based switch that includes multilayer processing capabilities. These capabilities enhance standard VLAN behavior, in these ways:

  • You can associate physical interfaces on the BIG-IP system directly with VLANs. In this way, you can associate multiple interfaces with a single VLAN, or you can associate a single interface with multiple VLANs.
  • You do not need physical routers to establish communication between separate VLANs. Instead, the BIG-IP system can process messages between VLANs.
  • You can incorporate a BIG-IP system into existing, multi-vendor switched environments, due to the BIG-IP system's compliance with the IEEE 802.1q VLAN standard.
  • You can combine two or more VLANs into an object known as a VLAN group. With a VLAN group, a host in one VLAN can communicate with a host in another VLAN using a combination of layer 2 forwarding and IP routing. This offers both performance and reliability benefits.

Understanding the default VLAN configuration

By default, the BIG-IP system includes two VLANs, named internal and external. When you initially ran the Setup utility, you assigned the following to each of these VLANs:

  • A static and a floating self IP address
  • A VLAN tag
  • One or more BIG-IP system interfaces

A typical VLAN configuration is one in which you create the two VLANs external and internal, and one or more BIG-IP system interfaces assigned to each VLAN. You then create a virtual server, and associate a default load balancing pool with that virtual server. Figure 5.1 shows a typical configuration using the default VLANs external and internal.

 

Figure 5.1 A typical configuration using the default VLANs

Every VLAN must have a static self IP address associated with it. The self IP address of a VLAN represents an address space, that is, the range of IP addresses pertaining to the hosts in that VLAN. When you ran the Setup utility earlier, you assigned one static self IP address to the VLAN external, and one static self IP address to the VLAN internal. When sending a request to a destination server, the BIG-IP system can use these self IP addresses to determine the specific VLAN that contains the destination server.

For example, suppose the self IP address of VLAN external is 12.1.0.100, and the self IP address of the VLAN internal is 11.1.0.100, and both self IP addresses have a netmask of 255.255.0.0. If the IP address of the destination server is 11.1.0.20, then the BIG-IP system can compare the self IP addresses to the host's IP address to determine that the destination server is in the VLAN internal. This process, combined with checking the ARP cache and a VLAN's L2 forwarding table, ensures that the BIG-IP system successfully sends the request to the destination server.

Note

By default, the MAC address that the BIG-IP system assigns to a VLAN self IP address is the MAC address of the lowest-numbered interface associated with that VLAN. You can change this behavior by configuring the bigdb™ configuration key Vlan.MacAssignment. For more information, see the man page for the bigpipe db command.

Creating and managing VLANs

When you create a VLAN, you assign a name and an identifying tag to the VLAN. Then you associate one or more BIG-IP system interfaces with the VLAN. Also, if the BIG-IP system is a unit of a redundant system, you can specify a special MAC address that the two units share, as a way to ensure that connections are successfully processed when failover occurs. Finally, you can specify that you want the BIG-IP system to use VLAN-related events to trigger failover in a redundant-system configuration.

To create a VLAN, you use the Configuration utility. For information on managing an existing VLAN, see Managing a VLAN.

Creating a VLAN

The BIG-IP system offers several settings that you can configure for a VLAN. These settings are summarized in Table 5.1.

Table 5.1 Configuration settings for a VLAN

  Name
    Specifies a unique name for the VLAN. This value is required.
    Default value: No default value
  Tag
    Specifies the VLAN ID. If you do not specify a VLAN ID, the BIG-IP system assigns an ID automatically. The value of a VLAN tag can be between 1 and 4094.
    Default value: No default value
  Interfaces
    Specifies any tagged or untagged interfaces or trunks that you want to associate with the VLAN.
    Default value: No default value
  Source Check
    Causes the BIG-IP system to verify that the return path of an initial packet is through the same VLAN from which the packet originated.
    Default value: Unchecked
  MTU
    Specifies the maximum transmission unit for the VLAN.
    Default value: 1500
  MAC Masquerade
    Sets up a media access control (MAC) address that is shared by a redundant system.
    Default value: No default value
  Fail-safe
    Triggers fail-over in a redundant system when certain VLAN-related events occur.
    Default value: Unchecked

Use the following procedure to create a VLAN. For detailed information about each setting, see the sections following the procedure.

Important

In addition to configuring the settings listed in Table 5.1, you must also assign a self IP address to the VLAN. For more information, see Assigning self IPs to VLANs and VLAN groups, and Chapter 6, Configuring Self IP Addresses.

To create a VLAN

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of all existing VLANs.
  2. In the upper-right corner, click Create.
    The VLANs screen opens.
  3. Locate the General Properties area, and in the Name box, type a unique name for the VLAN.
  4. In the Tag box, type a tag for the VLAN, or leave the box blank.
    If you do not specify a tag, the BIG-IP system assigns one automatically.
  5. In the Resources area, for the Interfaces setting, click an interface number or trunk name in the Available box, and using a Move button (<< or >>), move the interface number to the Untagged or Tagged box. Repeat this step as necessary.
    For more information on tagged and untagged interfaces, see Assigning interfaces to a VLAN.
  6. If you want to enable source checking, then in the Configuration area, click the Source Check box.
  7. For the MTU setting, use the default value or type a new value.
  8. In the MAC Masquerade box, type a MAC address.
    For more information, see Specifying a MAC masquerade address.
  9. For the Fail-safe setting, check the box if you want to base redundant-system failover on VLAN-related events.
    For more information, see Chapter 13, Setting up a Redundant System.
  10. Click Finished.

Specifying a VLAN name

When creating a VLAN, you must assign it a unique name. Once you have finished creating the VLAN, the VLAN name appears in the list of existing VLANs.

Specifying a VLAN tag

A VLAN tag is a unique ID number that you assign to a VLAN. If you do not explicitly assign a tag to a VLAN, the BIG-IP system assigns a tag automatically. The value of a VLAN tag can be between 1 and 4094. Once you or the BIG-IP system assigns a tag to a VLAN, any message sent from a host in that VLAN includes this VLAN tag in its header.

A VLAN tag is useful when an interface has multiple VLANs associated with it; that is, when the interfaces you assigned to the VLAN are assigned as tagged interfaces. In this case, the BIG-IP system can read the VLAN tag in the header of a message to determine the specific VLAN in which the source or destination host resides. For more information on tagged interfaces, see Tag-based access to VLANs.

Important

If the device connected to a BIG-IP system interface is another switch, the VLAN tag that you assign to the VLAN on the BIG-IP system interface must match the VLAN tag assigned to the VLAN on the interface of the other switch.

Assigning interfaces to a VLAN

For each VLAN that you create, you must assign one or more BIG-IP system interfaces to that VLAN, using the Interfaces setting. When you assign an interface to a VLAN, you indirectly control the hosts from which the BIG-IP system interface sends or receives messages.

Tip

You can use the Interfaces setting to assign not only individual interfaces to the VLAN, but also trunks. Any trunks that you create are automatically included for selection in the list of available interfaces. For more information on trunks, see Chapter 10, Working with Trunks.

For example, if you assign interface 1.11 to VLAN A, and you then associate VLAN A with a virtual server, then the virtual server sends its outgoing traffic through interface 1.11, to a destination host in VLAN A. Similarly, when a destination host sends a message to the BIG-IP system, the host's VLAN membership determines the BIG-IP system interface that should receive the incoming traffic.

Each VLAN has a MAC address. The MAC address of a VLAN is the MAC address of the lowest-numbered interface assigned to that VLAN.

The BIG-IP system supports two methods for sending and receiving messages through an interface that is a member of one or more VLANs. These two methods are port-based access to VLANs and tag-based access to VLANs. The method used by a VLAN is determined by the way that you add a member interface to a VLAN.

Port-based access to VLANs

With port-based access to VLANs, the BIG-IP system accepts frames for a VLAN simply because they are received on an interface that is a member of that VLAN. With this method, an interface is an untagged member of the VLAN. Frames sent out through untagged interfaces contain no tag in their header.

Port-based access to VLANs occurs when you add an interface to a VLAN as an untagged interface. In this case, the VLAN is the only VLAN that you can associate with that interface. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. If you want to give an interface the ability to send and receive traffic for multiple VLANs, you add the same interface to each VLAN as a tagged interface. The following section describes tagged interfaces.

Tag-based access to VLANs

With tag-based access to VLANs, the BIG-IP system accepts frames for a VLAN because the frames have tags in their headers and the tag matches the VLAN identification number for the VLAN. An interface that accepts frames containing VLAN tags is a tagged member of the VLAN. Frames sent out through tagged interfaces contain a tag in their header.

Tag-based access to VLANs occurs when you add an interface to a VLAN as a tagged interface. You can add the same tagged interface to multiple VLANs, thereby allowing the interface to accept traffic from each VLAN with which the interface is associated.

When you add an interface to a VLAN as a tagged interface, the BIG-IP system associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a frame.

Note

Every VLAN has a tag. You can assign the tag explicitly when creating the VLAN, or the BIG-IP system assigns it automatically if you do not supply one. For more information on VLAN tags, see Specifying a VLAN tag.

Each time you add an interface to a VLAN, either when creating a VLAN or modifying its properties, you can designate that interface as a tagged interface. A single interface can therefore have multiple tags associated with it.

The result is that whenever a frame comes into that interface, the interface reads the tag that is embedded in a header of the frame. If the tag in the frame matches any of the tags associated with the interface, the interface accepts the frame. If the tag in the frame does not match any of the tags associated with the interface, the interface rejects the frame.

Example

Figure 5.2 shows the difference between using three untagged interfaces (where each interface must belong to a separate VLAN) versus one tagged interface (which belongs to multiple VLANs).

 

Figure 5.2 Equivalent solutions using untagged and tagged interfaces

The configuration on the left shows a BIG-IP unit with three internal interfaces, each a separate, untagged interface. This is a typical solution for supporting three separate customer sites. In this scenario, each interface can accept traffic only from its own VLAN.

Conversely, the configuration on the right shows a BIG-IP system with one internal interface and an external switch. The switch places the internal interface on three separate VLANs. The interface is configured on each VLAN as a tagged interface. In this way, the single interface becomes a tagged member of all three VLANs, and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration on the left.

Important

If you are connecting another switch into a BIG-IP system interface, the VLAN tag that you assign to the VLAN on the BIG-IP system must match the VLAN tag on the interface of the other switch.

Enabling source checking

When you enable the Source Check setting, the BIG-IP system verifies that the return path for an initial packet is through the same VLAN from which the packet originated. The system performs this verification only if you check the Source Check box for the VLAN, and if the global setting Auto Last Hop is not enabled. For information on the Auto Last Hop setting, see Chapter 4, Configuring the BIG-IP Platform and General Properties.

Specifying the maximum transmission units

The value of the maximum transmission unit, or MTU, is the largest size that the BIG-IP system allows for an IP datagram passing through a BIG-IP system interface. The default value is 1500.

Specifying a MAC masquerade address

Every VLAN has a media access control (MAC) address that corresponds to the VLAN's self IP address. The MAC address of a VLAN is the MAC address of the lowest-numbered interface assigned to that VLAN. For example, if the lowest-numbered interface assigned to VLAN internal is 3.1, and the MAC address of that interface is 0:0:0:ac:4c:a2, then the MAC address of VLAN internal is also 0:0:0:ac:4c:a2.

A MAC masquerade address is a variation of the VLAN's MAC address, and this address is shared between two units of a redundant system. When you specify a MAC masquerade address, a destination server sending a response to the BIG-IP system sends its response to the VLAN's MAC masquerade address, instead of to the VLAN's regular MAC address. The server accomplishes this by using the VLAN's floating self IP address as the default route when sending responses to the BIG-IP system. (For more information on configuring a server to use a floating IP address as the default route, see Chapter 13, Setting up a Redundant System.)

Specifying a MAC masquerade address for a VLAN has the following advantages:

  • Increased reliability and failover speed, especially in lossy networks
  • Interoperability with switches that are slow to respond to the network changes
  • Interoperability with switches that are configured to ignore network changes

When you assign a MAC masquerade address to a VLAN, the BIG-IP system automatically sends a gratuitous ARP message to the default router and other devices on the network. This gratuitous ARP message notifies these devices that the MAC address of the BIG-IP system interface assigned to the VLAN has changed to the MAC masquerade address.

The MAC masquerade address must be a unique address, in order to avoid frame collisions. The safest way to create a MAC masquerade address is to first determine the MAC address of the VLAN (that is, the MAC address of the lowest-numbered interface assigned to that VLAN), and then logically OR the first byte with 0x02. This makes the MAC address a locally-administered MAC address.

Continuing with the example above where the VLAN's MAC address is 0:0:0:ac:4c:a2, a MAC masquerade address of 02:0:0:ac:4c:a2 is suitable to use on both BIG-IP units in the redundant system. For help in finding the MAC address of a VLAN, see To find the MAC address of a VLAN, following.

Important

We highly recommend that you set the MAC masquerade address to be the same on both the active and standby units.
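The recipe above (OR the first byte with 0x02) and the two requirements around it (the address must be unique, and identical on both units) can be checked mechanically. The following Python is an added example, not code from the manual or the BIG-IP system; the list of burned-in interface MAC addresses it checks against is constructed.

```python
import re
from typing import Iterable, List

LOCAL_BIT = 0x02      # locally-administered (U/L) bit in the first octet
MULTICAST_BIT = 0x01  # individual/group bit in the first octet

_OCTET = re.compile(r"^[0-9a-fA-F]{1,2}$")


def parse_mac(text: str) -> bytes:
    """Accept 'aa:bb:cc:dd:ee:ff' and the short form '0:0:0:ac:4c:a2' that the manual uses."""
    parts = text.strip().split(":")
    if len(parts) != 6 or not all(_OCTET.match(p) for p in parts):
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes(int(p, 16) for p in parts)


def format_mac(mac: bytes) -> str:
    """Canonical two-digit form, so 02:0:0:ac:4c:a2 and 02:00:00:ac:4c:a2 compare equal."""
    return ":".join(f"{b:02x}" for b in mac)


def is_locally_administered(mac: bytes) -> bool:
    return bool(mac[0] & LOCAL_BIT)


def is_multicast(mac: bytes) -> bool:
    return bool(mac[0] & MULTICAST_BIT)


def derive_masquerade(vlan_mac: str) -> str:
    """Follow the manual's recipe: OR the first byte of the VLAN's MAC address with 0x02."""
    mac = bytearray(parse_mac(vlan_mac))
    if is_multicast(mac):
        raise ValueError("a VLAN MAC address must be a unicast address")
    mac[0] |= LOCAL_BIT
    return format_mac(mac)


def check_masquerade_pair(active_masq: str, standby_masq: str,
                          burned_in_macs: Iterable[str]) -> List[str]:
    """Return the problems a pre-deployment check would flag; an empty list means the pair is sound.

    burned_in_macs: the real interface MAC addresses known on this network, used to
    confirm the masquerade address does not collide with any of them.
    """
    problems = []
    active, standby = parse_mac(active_masq), parse_mac(standby_masq)
    if active != standby:
        problems.append("active and standby units use different MAC masquerade addresses")
    if not is_locally_administered(active):
        problems.append("masquerade address is not locally administered (first byte lacks 0x02)")
    if is_multicast(active):
        problems.append("masquerade address is a multicast address")
    if active in {parse_mac(m) for m in burned_in_macs}:
        problems.append("masquerade address collides with a burned-in interface MAC address")
    return problems


def demo() -> dict:
    vlan_mac = "0:0:0:ac:4c:a2"                 # the manual's example VLAN MAC address
    masq = derive_masquerade(vlan_mac)
    # Constructed inventory of interface MACs seen in the network.
    known_macs = [vlan_mac, "0:0:0:ac:4c:a3", "00:a0:c9:9e:1e:2f"]
    return {
        "masquerade": masq,
        "good_pair": check_masquerade_pair(masq, masq, known_macs),
        "mismatched_pair": check_masquerade_pair(masq, "02:00:00:ac:4c:a3", known_macs),
        "reused_burned_in": check_masquerade_pair(vlan_mac, vlan_mac, known_macs),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```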

To find the MAC address of a VLAN

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of existing VLANs.
  2. Click a VLAN name.
    This displays the properties for that VLAN.
  3. In the Interfaces setting, note the lowest-numbered interface assigned to the VLAN.
  4. On the Main tab of the navigation pane, expand Network and click Interfaces.
    This displays a list of all BIG-IP system interfaces and their MAC addresses.
  5. Locate the interface number that you noted on the VLAN's properties screen.
  6. In the MAC Address column, view the MAC address for the interface.

After you have found the correct MAC address, create the MAC masquerade address using the procedure described in step 8 in Creating a VLAN.

Specifying fail-safe

VLAN fail-safe is a feature you enable when you want to base redundant-system failover on VLAN-related events. For more information, see Chapter 13, Setting up a Redundant System.

Managing a VLAN

After you have created a VLAN, you can use the Configuration utility to modify its properties, delete the VLAN, or to maintain its layer 2 forwarding table.

Managing VLAN properties

Using the Configuration utility, you can modify all of the properties of a VLAN, except the VLAN name, the tag, and the MAC address with which the VLAN is associated (that is, the MAC address of the lowest-numbered interface that is assigned to the VLAN).

You can also use the Configuration utility to delete a VLAN.

To change VLAN properties

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of all existing VLANs.
  2. Click the name of the VLAN you want to modify.
    This opens the properties screen for the VLAN.
  3. Modify the values of any settings.
  4. Click Update.

To delete a VLAN

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of all existing VLANs.
  2. Check the Select box next to the VLAN name.
  3. Click Delete.
    A confirmation query appears.
  4. Click Delete.

Maintaining the L2 forwarding table

Layer 2 forwarding is the means by which frames are exchanged directly between hosts, with no IP routing required. This is accomplished using a simple forwarding table for each VLAN. The L2 forwarding table is a list that shows, for each host in the VLAN, the MAC address of the host, along with the interface that the BIG-IP system needs for sending frames to that host. The intent of the L2 forwarding table is to help the BIG-IP system determine the correct interface for sending frames, when the system determines that no routing is required.

The format of an entry in the L2 forwarding table is:

<MAC address> -> <if>

For example, an entry for a host in the VLAN might look like this:

00:a0:c9:9e:1e:2f -> 2.1

The BIG-IP system learns the interfaces that correspond to various MAC entries as frames pass through the system, and automatically adds entries to the table accordingly. These entries are known as dynamic entries. You can also add entries to the table manually, and these are known as static entries. Entering static entries is useful if you have network devices that do not advertise their MAC addresses. The system does not automatically update static entries.

The BIG-IP system does not always need to use the L2 forwarding table to find an interface for frame transmission. For instance, if a VLAN has only one interface assigned to it, then the BIG-IP system automatically uses that interface.

Occasionally, the L2 forwarding table does not include an entry for the destination MAC address and its corresponding BIG-IP system interface. In this case, the BIG-IP system floods the frame through all interfaces associated with the VLAN, until a reply creates an entry in the L2 forwarding table.

Viewing the L2 forwarding table

You can use the Configuration utility to view the entries in the L2 forwarding table.

To view the L2 forwarding table

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of all existing VLANs.
  2. Click the name of the VLAN you want to modify.
    This opens the properties screen for the VLAN.
  3. On the menu bar, click Layer 2 Static Forwarding Table.
    This displays any entries currently in the L2 forwarding table.

Adding entries to the L2 forwarding table

You can add static entries to the L2 forwarding table when you want to give the BIG-IP system the ability to send messages to a specific host in the VLAN.

To add an entry to the L2 forwarding table

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of all existing VLANs.
  2. Click the name of the VLAN you want to modify.
    This opens the properties screen for the VLAN.
  3. On the menu bar, click Layer 2 Static Forwarding Table.
    This displays any entries currently in the L2 forwarding table.
  4. Click Create.
    This displays the screen for adding entries to the table.
  5. For the Interfaces setting, select an interface number.
  6. In the MAC Address box, type the MAC address of the host to which the entry applies.
  7. Click Repeat if you want to add another entry, or click Finished.

Setting the L2 forwarding aging time

Entries in the L2 forwarding table have a specified life span, after which they are removed if the MAC address is no longer present on the network. This life span is called the layer 2 cache aging time. The default value is 300 seconds. Using the Configuration utility, you can change this value.
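The following Python model is an added example, not code from the manual or the BIG-IP system. It ties the self IP example in Understanding the default VLAN configuration to the L2 forwarding behaviour described in this section: the destination VLAN is chosen from the self IP address spaces, then that VLAN's L2 table decides between a single egress interface and a flood, with dynamic entries aged out after 300 seconds and static entries kept. The interface numbers, the second host MAC address and the timestamps are constructed.

```python
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional

L2_AGING_SECONDS = 300  # default layer 2 cache aging time given in the manual


@dataclass
class L2Entry:
    interface: str
    static: bool       # static entries are never aged out or relearned
    last_seen: float   # seconds; only meaningful for dynamic entries


@dataclass
class Vlan:
    name: str
    self_ip: str                   # "address/netmask", e.g. "11.1.0.100/255.255.0.0"
    interfaces: List[str]
    table: Dict[str, L2Entry] = field(default_factory=dict)   # MAC -> entry

    @property
    def network(self) -> ipaddress.IPv4Network:
        """Address space represented by the VLAN's static self IP address and netmask."""
        return ipaddress.ip_interface(self.self_ip).network

    def add_static(self, mac: str, interface: str) -> None:
        """Static entry, for devices that never advertise their MAC address."""
        if interface not in self.interfaces:
            raise ValueError(f"{interface} is not a member of VLAN {self.name}")
        self.table[mac.lower()] = L2Entry(interface, static=True, last_seen=0.0)

    def learn(self, src_mac: str, interface: str, now: float) -> None:
        """Dynamic learning from the source address of a frame seen on an interface."""
        mac = src_mac.lower()
        entry = self.table.get(mac)
        if entry is not None and entry.static:
            return  # the system does not update static entries automatically
        self.table[mac] = L2Entry(interface, static=False, last_seen=now)

    def expire(self, now: float, aging: float = L2_AGING_SECONDS) -> List[str]:
        """Drop dynamic entries older than the aging time; return the MACs removed."""
        stale = [m for m, e in self.table.items() if not e.static and now - e.last_seen > aging]
        for mac in stale:
            del self.table[mac]
        return stale

    def egress_interfaces(self, dst_mac: str, now: float) -> List[str]:
        """Interfaces a frame for dst_mac leaves through: one when known, all (flood) when not."""
        if len(self.interfaces) == 1:
            return list(self.interfaces)           # no table lookup needed
        self.expire(now)
        entry = self.table.get(dst_mac.lower())
        if entry is not None:
            return [entry.interface]
        return list(self.interfaces)               # flood until a reply creates an entry


def vlan_for_destination(vlans: List[Vlan], dst_ip: str) -> Optional[Vlan]:
    """Pick the VLAN whose self IP address space contains dst_ip (longest prefix wins)."""
    addr = ipaddress.ip_address(dst_ip)
    matches = [v for v in vlans if addr in v.network]
    return max(matches, key=lambda v: v.network.prefixlen, default=None)


def demo() -> dict:
    # Self IPs and netmask from the manual's example; interface numbers are constructed.
    external = Vlan("external", "12.1.0.100/255.255.0.0", ["1.1", "1.2"])
    internal = Vlan("internal", "11.1.0.100/255.255.0.0", ["2.1", "2.2"])
    vlans = [external, internal]

    host_mac = "00:a0:c9:9e:1e:2f"       # the manual's sample L2 entry, learned on 2.1
    printer_mac = "00:00:00:ac:4c:b0"    # constructed device that never advertises itself
    chosen = vlan_for_destination(vlans, "11.1.0.20")
    chosen.learn(host_mac, "2.1", now=0.0)
    chosen.add_static(printer_mac, "2.2")

    return {
        "vlan_for_11.1.0.20": chosen.name,
        "vlan_for_10.9.9.9": vlan_for_destination(vlans, "10.9.9.9"),
        "known_host_t0": chosen.egress_interfaces(host_mac, now=0.0),
        "unknown_host_t0": chosen.egress_interfaces("00:00:00:00:00:99", now=0.0),
        "known_host_t301": chosen.egress_interfaces(host_mac, now=301.0),  # aged out: flood
        "static_t301": chosen.egress_interfaces(printer_mac, now=301.0),   # static survives
        "entries_left": sorted(chosen.table),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```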

To change the layer 2 cache aging time

  1. On the Main tab of the navigation pane, expand System and click General Properties.
    This displays a list of general properties for the BIG-IP system.
  2. On the menu bar, from Local Traffic, choose General.
    This displays a list of general properties related to local traffic.
  3. In the Layer 2 Cache Aging Time box, change the value.
  4. Click Update.

Creating and managing VLAN groups

A VLAN group is a logical container that includes two or more distinct VLANs. VLAN groups are intended for load balancing traffic in a layer 2 network, when you want to minimize the reconfiguration of hosts on that network. Figure 5.3 shows an example of a VLAN group.

 

Figure 5.3 Example of a VLAN group

A VLAN group also ensures that the BIG-IP system can process traffic successfully between a client and server when the two hosts reside in the same address space. Without a VLAN group, when the client and server both reside in the same address space, the client request goes through the virtual server, but instead of sending its response back through the virtual server, the server attempts to send its response directly to the client, bypassing the virtual server altogether. As a result, the client cannot receive the response, because the client expects the address of the response to be the virtual server IP address, not the server IP address.

Although one way to solve this problem is to enable source network address translation (SNAT), a simpler approach is to create a VLAN group. With a VLAN group, you do not need to translate the client IP address to a different source address. You can preserve the original client IP address, and the server can still send its response to the client successfully.

Tip

You can configure the behavior of the BIG-IP system so that it always creates a proxy for any ARP requests between VLANs. For more information, see Excluding hosts from proxy ARP forwarding.

When you create a VLAN group, the two existing VLANs become child VLANs of the VLAN group. To create a VLAN group, you use the Configuration utility. For information on managing a VLAN group, see Managing a VLAN group.

Creating a VLAN group

When you create a VLAN group, you assign a name and a VLAN group ID. Then you specify the existing VLANs that you want the VLAN group to contain. Finally, you specify a transparency mode, and some settings related to redundant-system configuration.

Note

Two distinct VLANs must exist on the BIG-IP system before you can create a VLAN group.

The settings that you can configure for a VLAN group are summarized in Table 5.2.

Table 5.2 Configuration options for a VLAN group

  Name
    Specifies a unique name for the VLAN group. This value is required.
    Default value: No default value
  VLAN Group ID
    Specifies an ID for the VLAN group. If you do not specify a VLAN group ID, the BIG-IP system assigns an ID automatically. The value of a VLAN group ID can be between 1 and 4094.
    Default value: No default value
  VLANs
    Specifies the VLANs that you want the VLAN group to contain.
    Default value: No default value
  Transparency Mode
    Specifies the level of exposure of remote MAC addresses within a VLAN group. Possible values are: Opaque, Translucent, and Transparent.
    Default value: Translucent
  Bridge All Traffic
    When enabled (checked), specifies that the VLAN group forwards all frames, including non-IP traffic. The default setting is disabled (unchecked).
    Default value: Disabled
  Bridge in Standby
    When enabled (checked), specifies that the VLAN group forwards frames, even when the system is the standby unit in a redundant system. The default setting is enabled (checked).
    Default value: Enabled
  MAC Masquerade
    Specifies a MAC masquerade address, used when you have a redundant system.
    Default value: No default value

Use the following procedure to create a VLAN group. For detailed information about each setting, see the sections following the procedure.

Important

In addition to configuring the settings listed in Table 5.2, you must also assign a self IP address to the VLAN group. For more information, see Assigning self IPs to VLANs and VLAN groups.

To create a VLAN group

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of all existing VLANs.
  2. On the menu bar, from VLAN Groups, choose List.
    This displays a list of all existing VLAN groups.
  3. In the upper-right corner, click Create.
    The VLAN Groups screen opens.
  4. In the General Properties area, in the VLAN Group box, type a unique name for the VLAN group.
  5. In the VLAN Group ID box, type a unique VLAN ID.
    If you do not specify a VLAN ID, the BIG-IP system automatically assigns one.
  6. In the Configuration area, for the VLANs setting, click a VLAN name in the Available box, and using the Move button (<<), move the VLAN name to the Members box.
    Repeat this step as necessary.
  7. From the Transparency Mode list, select a transparency mode, or use the default setting.
  8. Check the Bridge All Traffic setting if you want the VLAN group to forward all frames, including non-IP traffic.
  9. For the Bridge in Standby setting, leave the box checked if you want the VLAN group to forward frames even when the system is the standby unit of a redundant system.
  10. In the MAC Masquerade box, type a MAC address.
    For more information, see Specifying a MAC masquerade address.
  11. Click Finished.

Specifying a VLAN group name

When creating a VLAN group, you must assign it a unique name. Once you have finished creating the VLAN group, the VLAN group name appears in the list of existing VLAN groups.

Specifying a VLAN group ID

A VLAN group ID is a tag for the VLAN group. Every VLAN group needs a unique ID number. If you do not specify an ID for the VLAN group, the BIG-IP system automatically assigns one. The value of a VLAN group ID can be between 1 and 4094. For more information on VLAN tags, see Tag-based access to VLANs.

Specifying the transparency mode

The BIG-IP system is capable of processing traffic using a combination of layer 2 and layer 3 forwarding, that is, switching and IP routing. When you set the transparency mode, you specify the type of forwarding that the BIG-IP system performs when forwarding a message to a host in a VLAN. The default setting is translucent, which means that the BIG-IP system uses a mix of Layer 2 and Layer 3 processing. Table 5.3 lists the allowed values.

Table 5.3 Modes for VLAN group forwarding

  opaque
    A proxy ARP with layer 3 forwarding.
  translucent
    Layer 2 forwarding with a locally-unique bit, toggled in ARP response across VLANs. This is the default setting.
  transparent
    Layer 2 forwarding with the original MAC address of the remote system preserved across VLANs.


Bridging all traffic

When you enable this option, you are instructing the VLAN group to forward all non-IP traffic. Note that IP traffic is bridged by default. The default value for this setting is disabled (unchecked).

Bridging traffic with standby units

When this option is enabled (checked), the VLAN group forwards frames even when the system is the standby unit in a redundant system.

Warning

This setting can cause adverse effects if the VLAN group exists on both units of the redundant system. The setting is intended for configurations where the VLAN group exists on one unit only. The default setting is enabled (checked).

Specifying a MAC masquerade address

When you place VLANs into a VLAN group, devices on the network automatically send responses to the MAC masquerade address that you assigned to the VLAN group. In this case, the BIG-IP system ignores the MAC masquerade addresses that you assigned to the individual VLANs of the group.

The procedure for assigning a MAC masquerade address to a VLAN group is similar to the procedure for assigning one to a VLAN. However, because interfaces are not assigned directly to a VLAN group, you can use the MAC address of the lowest-numbered interface of any VLAN in the VLAN group when you decide on a MAC masquerade address for the VLAN group.

For more information on MAC masquerade addresses, see Specifying a MAC masquerade address.

Managing a VLAN group

Using the Configuration utility, you can change the properties of a VLAN group, delete the VLAN group, or manage the way that the VLAN group handles proxy ARP forwarding.

Changing VLAN group properties

Using the Configuration utility, you can modify all of the properties of a VLAN group, except the VLAN group name and the VLAN group ID.

To change the properties of a VLAN group

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of existing VLANs.
  2. From the VLAN Groups menu, choose List.
    This shows a list of existing VLAN groups.
  3. Click a VLAN group name.
  4. Change the value of any settings.
  5. Click Update.

Excluding hosts from proxy ARP forwarding

As described earlier, a host in a VLAN cannot normally communicate with a host in another VLAN. This rule applies to ARP requests as well. However, if you put the VLANs into a single VLAN group, the BIG-IP system can perform a proxied ARP request.

A proxied ARP request is an ARP request that the BIG-IP system can send, on behalf of a host in a VLAN, to hosts in another VLAN. A proxied ARP request requires that both VLANs belong to the same VLAN group.

In some cases, you might not want a host to forward proxied ARP requests to a specific host, such as an active unit in a redundant system that forwards a proxied ARP request to the standby unit, or to other hosts in the configuration. To exclude specific hosts from receiving forwarded proxied ARP requests, you use the Configuration utility and specify the IP addresses that you want to exclude.

Warning

Although hosts on an ARP exclusion list are specified using their IP addresses, this does not prevent the BIG-IP system from routing traffic to those hosts. A more secure way to prevent traffic from passing between hosts in separate VLANs is to create a packet filter for each VLAN.

To exclude the forwarding of proxied ARP requests

  1. On the Main tab of the navigation pane, expand Network and click VLANs.
    This displays a list of all existing VLANs.
  2. On the menu bar, from VLAN Groups, choose Proxy Exclusion List.
    This opens the Global Proxy Exclusion List screen.
  3. In the upper-right corner, click Create.
  4. In the IP address box, type an IP address that you want to exclude from a proxied ARP request.
  5. Click Repeat if you want to type another IP address, or click Finished.

Assigning self IPs to VLANs and VLAN groups

After you create a VLAN or a VLAN group, you must assign it a self IP address. You assign self IP addresses to VLANs and VLAN groups using the Configuration utility.

  • Assigning a self IP address to a VLAN
    The self IP address that you assign to a VLAN should represent an address space that includes the self IP addresses of the hosts that the VLAN contains. For example, if the address of one host is 11.0.0.1 and the address of the other host is 11.0.0.2, you could assign an address of 11.0.0.100, with a netmask of 255.255.255.0, to the VLAN.
  • Assigning a self IP address to the VLAN group
    The self IP address that you assign to a VLAN group should represent an address space that includes the self IP addresses of the VLANs that you assigned to the group. For example, if the address of one VLAN is 10.0.0.1 and the address of the other VLAN is 10.0.0.2, you could assign an address of 10.0.0.100, with a netmask of 255.255.255.0, to the VLAN group.

For more detailed information and the procedure for assigning self IP addresses, see Chapter 6, Configuring Self IP Addresses.
