A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. Grouping hosts together in a VLAN has distinct advantages. For example, with VLANs, you can:
The way that you group hosts into VLANs is by using the Configuration utility to create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP system interface is logically a member of the VLAN or VLANs to which that interface belongs.
The BIG-IP system is a port-based switch that includes multilayer processing capabilities. These capabilities enhance standard VLAN behavior, in these ways:
By default, the BIG-IP system includes two VLANs, named internal and external. When you initially ran the Setup utility, you assigned the following to each of these VLANs:
A typical VLAN configuration is one in which you create the two VLANs external and internal, and one or more BIG-IP system interfaces assigned to each VLAN. You then create a virtual server, and associate a default load balancing pool with that virtual server. This figure shows a typical configuration using the default VLANs external and internal.
Every VLAN must have a static self IP address associated with it. The self IP address of a VLAN represents an address space, that is, the range of IP addresses pertaining to the hosts in that VLAN. When you ran the Setup utility earlier, you assigned one static self IP address to the VLAN external, and one static self IP address to the VLAN internal. When sending a request to a destination server, the BIG-IP system can use these self IP addresses to determine the specific VLAN that contains the destination server.
For example, suppose the self IP address of VLAN external is 22.214.171.124, and the self IP address of the VLAN internal is 126.96.36.199, and both self IP addresses have a netmask of 255.255.0.0. If the IP address of the destination server is 188.8.131.52, then the BIG-IP system can compare the self IP addresses to the host’s IP address to determine that the destination server is in the VLAN internal. This process, combined with checking the ARP cache and a VLAN’s L2 forwarding table, ensures that the BIG-IP system successfully sends the request to the destination server.
When creating a VLAN, you must assign it a unique name. Once you have finished creating the VLAN, the VLAN name appears in the list of existing VLANs.
A VLAN tag is a unique ID number that you assign to a VLAN. If you do not explicitly assign a tag to a VLAN, the BIG-IP system assigns a tag automatically. The value of a VLAN tag can be between 1 and 4094. Once you or the BIG-IP system assigns a tag to a VLAN, any message sent from a host in that VLAN includes this VLAN tag as a header in the message.
A VLAN tag is useful when an interface has multiple VLANs associated with it; that is, when the interfaces you assigned to the VLAN are assigned as tagged interfaces. In this case, the BIG-IP system can read the VLAN tag in the header of a message to determine the specific VLAN in which the source or destination host resides.
For each VLAN that you create, you must assign one or more BIG-IP system interfaces to that VLAN, using the Interfaces setting. When you assign an interface to a VLAN, you indirectly control the hosts from which the BIG-IP system interface sends or receives messages.
For example, if you assign interface 1.11 to VLAN A, and you then associate VLAN A with a virtual server, then the virtual server sends its outgoing traffic through interface 1.11, to a destination host in VLAN A. Similarly, when a destination host sends a message to the BIG-IP system, the host’s VLAN membership determines the BIG-IP system interface that should receive the incoming traffic.
Each VLAN has a MAC address. The MAC address of a VLAN is the same MAC address of the lowest-numbered interface assigned to that VLAN.
The BIG-IP system supports two methods for sending and receiving messages through an interface that is a member of one or more VLANs. These two methods are port-based access to VLANs and tag-based access to VLANs. The method used by a VLAN is determined by the way that you add a member interface to a VLAN.
With port-based access to VLANs, the BIG-IP system accepts frames for a VLAN simply because they are received on an interface that is a member of that VLAN. With this method, an interface is an untagged member of the VLAN. Frames sent out through untagged interfaces contain no tag in their header.
Port-based access to VLANs occurs when you add an interface to a VLAN as an untagged interface. In this case, the VLAN is the only VLAN that you can associate with that interface. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. If you want to give an interface the ability to accept and receive traffic for multiple VLANs, you add the same interface to each VLAN as a tagged interface.
With tag-based access to VLANs, the BIG-IP system accepts frames for a VLAN because the frames have tags in their headers and the tag matches the VLAN identification number for the VLAN. An interface that accepts frames containing VLAN tags is a tagged member of the VLAN. Frames sent out through tagged interfaces contain a tag in their header.
Tag-based access to VLANs occurs when you add an interface to a VLAN as a tagged interface. You can add the same tagged interface to multiple VLANs, thereby allowing the interface to accept traffic from each VLAN with which the interface is associated.
When you add an interface to a VLAN as a tagged interface, the BIG-IP system associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a frame.
Each time you add an interface to a VLAN, either when creating a VLAN or modifying its properties, you can designate that interface as a tagged interface. A single interface can therefore have multiple tags associated with it.
The result is that whenever a frame comes into that interface, the interface reads the tag that is embedded in a header of the frame. If the tag in the frame matches any of the tags associated with the interface, the interface accepts the frame. If the tag in the frame does not match any of the tags associated with the interface, the interface rejects the frame.
This figure shows the difference between using three untagged interfaces (where each interface must belong to a separate VLAN) versus one tagged interface (which belongs to multiple VLANs)
The configuration on the left shows a BIG-IP system with three internal interfaces, each a separate, untagged interface. This is a typical solution for supporting three separate customer sites. In this scenario, each interface can accept traffic only from its own VLAN.
Conversely, the configuration on the right shows a BIG-IP system with one internal interface and an external switch. The switch places the internal interface on three separate VLANs. The interface is configured on each VLAN as a tagged interface. In this way, the single interface becomes a tagged member of all three VLANs, and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration of the left.
When you enable source checking, the BIG-IP system verifies that the return path for an initial packet is through the same VLAN from which the packet originated. Note that the system only enables source checking if the global setting Auto Last Hop is disabled.
The value of the maximum transmission unit, or MTU, is the largest size that the BIG-IP system allows for an IP datagram passing through a BIG-IP system interface. The default value is 1500.
VLAN fail-safe is a feature you enable when you want to base redundant-system failover on VLAN-related events. To configure VLAN fail-safe, you specify a timeout value and the action that you want the system to take when the timeout period expires.
The CMP Hash setting allows all connections from a client system to use the same set of TMMs. This improves system performance. In configuring the CMP Hash value, you can choose the traffic disaggregation criteria for the VLAN, either source IP address, destination IP address, or TCP/UDP source/destination ports. The default value uses TCP/UDP source/destination ports. Note that the CMP Hash setting appears only on the properties screen for an existing VLAN.
Layer 2 forwarding is the means by which frames are exchanged directly between hosts, with no IP routing required. This is accomplished using a simple forwarding table for each VLAN. The L2 forwarding table is a list that shows, for each host in the VLAN, the MAC address of the host, along with the interface that the BIG-IP system needs for sending frames to that host. The intent of the L2 forwarding table is to help the BIG-IP system determine the correct interface for sending frames, when the system determines that no routing is required.
The format of an entry in the L2 forwarding table is:<MAC address> -> <if>
For example, an entry for a host in the VLAN might look like this:00:a0:c9:9e:1e:2f -> 2.1
The BIG-IP system learns the interfaces that correspond to various MAC entries as frames pass through the system, and automatically adds entries to the table accordingly. These entries are known as dynamic entries. You can also add entries to the table manually, and these are known as static entries. Entering static entries is useful if you have network devices that do not advertise their MAC addresses. The system does not automatically update static entries.
The BIG-IP system does not always need to use the L2 forwarding table to find an interface for frame transmission. For instance, if a VLAN has only one interface assigned to it, then the BIG-IP system automatically uses that interface.
Occasionally, the L2 forwarding table does not include an entry for the destination MAC address and its corresponding BIG-IP system interface. In this case, the BIG-IP system floods the frame through all interfaces associated with the VLAN, until a reply creates an entry in the L2 forwarding table.
A VLAN group is a logical container that includes two or more distinct VLANs. VLAN groups are intended for load balancing traffic in a Layer 2 network, when you want to minimize the reconfiguration of hosts on that network. This figure shows an example of a VLAN group.
A VLAN group also ensures that the BIG-IP system can process traffic successfully between a client and server when the two hosts reside in the same address space. Without a VLAN group, when the client and server both reside in the same address space, the client request goes through the virtual server, but instead of sending its response back through the virtual server, the server attempts to send its response directly to the client, bypassing the virtual server altogether. As a result, the client cannot receive the response, because the client expects the address of the response to be the virtual server IP address, not the server IP address.
When you create a VLAN group, the two existing VLANs become child VLANs of the VLAN group.
VLAN groups reside in administrative partitions. To create a VLAN group, you must first set the current partition to the partition in which you want the VLAN group to reside.
When creating a VLAN group, you must assign it a unique name. Once you have finished creating the VLAN group, the VLAN group name appears in the list of existing VLANs groups.
A VLAN group ID is a tag for the VLAN group. Every VLAN group needs a unique ID number. If you do not specify an ID for the VLAN group, the BIG-IP system automatically assigns one. The value of a VLAN group ID can be between 1 and 4094.
The BIG-IP system is capable of processing traffic using a combination of Layer 2 and Layer 3 forwarding, that is, switching and IP routing. When you set the transparency mode, you specify the type of forwarding that the BIG-IP system performs when forwarding a message to a host in a VLAN. The default setting is translucent, which means that the BIG-IP system uses a mix of Layer 2 and Layer 3 processing. The allowed values are:
When you enable the traffic bridging option, you are instructing the VLAN group to forward all non-IP traffic. Note that IP traffic is bridged by default. The default value for this setting is disabled (unchecked).
When enabled, the Bridge in Standby setting ensures that the VLAN group can forward packets when the system is the standby device of a redundant system configuration. Note that this setting applies to non-IP and non-ARP frames only, such as Bridge Protocol Data Units (BPDUs).
This setting is designed for deployments in which the VLAN group is defined on a redundant system. You can use the Bridge in Standby setting in transparent or translucent modes, or in opaque mode when the global variable Failover.Standby.LinkDownTime is set to 0.
A host in a VLAN cannot normally communicate to a host in another VLAN. This rule applies to ARP requests as well. However, if you put the VLANs into a single VLAN group, the BIG-IP system can perform a proxied ARP request.
A proxied ARP request is an ARP request that the BIG-IP system can send, on behalf of a host in a VLAN, to hosts in another VLAN. A proxied ARP request requires that both VLANs belong to the same VLAN group.
In some cases, you might not want a host to forward proxied ARP requests to a specific host, or to other hosts in the configuration. To exclude specific hosts from receiving forwarded proxied ARP requests, you use the Configuration utility and specify the IP addresses that you want to exclude.
After you create a VLAN or a VLAN group, you must associate it with a self IP address. You associate a VLAN or VLAN group with a self IP address using the New Self IPs screens of the Configuration utility:
If you explicitly create route domains, you should consider the following facts:
Large data centers and cloud service providers are benefiting from the use of Layer 2 over Layer 3 overlay networks to support large scale network virtualization. You can configure Virtual eXtended LAN (VXLAN) on a BIG-IP system to enable a physical VLAN to communicate with virtual machines (VMs) in a virtual network. The BIG-IP system becomes a gateway to bridge the data center virtual network with the physical external network. Connecting these two networks allows for expansion, and provides a mechanism to streamline the transition of data centers into a virtualized model, while maintaining connectivity.
When you configure a BIG-IP system as a VXLAN gateway, the system represents the VXLAN as a tunnel, which provides a Layer 2 interface on the virtual network. You can use the tunnel interface in both Layer 2 and Layer 3 configurations. After you configure the VXLAN tunnel, the BIG-IP system joins the configured multicast group, and can forward both unicast and multicast or broadcast frames on the virtual network. The BIG-IP system learns about MAC address and VTEP associations dynamically, thus avoiding unnecessary transmission of multicast traffic.
Virtual eXtended LAN (VXLAN) is a network virtualization scheme that overlays Layer 2 over Layer 3. VXLAN uses Layer 3 multicast to support the transmission of multicast and broadcast traffic in the virtual network, while decoupling the virtual network from the physical infrastructure. VXLAN uses a UDP-based encapsulation to tunnel Ethernet frames. In a VMware environment, VXLAN can extend the virtual network across a set of VMware ESXi servers, providing Layer 2 connectivity among the hosted virtual machines (VMs). Each VMware ESXI server represents a VXLAN Tunnel Endpoint. In this environment, a VXLAN gateway device can be used to terminate the VXLAN tunnel and forward traffic to and from a physical network.
These definitions assist in understanding VXLAN.