Manual Chapter: VLANs and VLAN Groups

Introduction to virtual LANs

A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. Grouping hosts together in a VLAN has distinct advantages. For example, with VLANs, you can:

  • Reduce the size of broadcast domains, thereby enhancing overall network performance.
  • Reduce system and network maintenance tasks substantially. Functionally-related hosts no longer need to physically reside together to achieve optimal network performance.
  • Enhance security on your network by segmenting hosts that must transmit sensitive data. Note that segmentation only limits which hosts share a Layer 2 domain; once the BIG-IP system routes between VLANs, a packet filter on each VLAN is what actually restricts traffic between them.

The way that you group hosts into VLANs is by using the Configuration utility to create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP system interface is logically a member of the VLAN or VLANs to which that interface belongs.

VLANs on a BIG-IP system

The BIG-IP system is a port-based switch that includes multilayer processing capabilities. These capabilities enhance standard VLAN behavior, in these ways:

  • You can associate physical interfaces on the BIG-IP system directly with VLANs. In this way, you can associate multiple interfaces with a single VLAN, or you can associate a single interface with multiple VLANs.
  • You do not need physical routers to establish communication between separate VLANs. Instead, the BIG-IP system can process messages between VLANs.
  • You can incorporate a BIG-IP system into existing, multi-vendor switched environments, due to the BIG-IP system’s compliance with the IEEE 802.1Q VLAN standard.
  • You can combine two or more VLANs into an object known as a VLAN group. With a VLAN group, a host in one VLAN can communicate with a host in another VLAN using a combination of Layer 2 forwarding and IP routing. This offers both performance and reliability benefits.

Default VLAN configuration

By default, the BIG-IP system includes two VLANs, named internal and external. When you initially ran the Setup utility, you assigned the following to each of these VLANs:

  • A static and a floating self IP address
  • A VLAN tag
  • One or more BIG-IP system interfaces

A typical VLAN configuration is one in which you create the two VLANs external and internal, and one or more BIG-IP system interfaces assigned to each VLAN. You then create a virtual server, and associate a default load balancing pool with that virtual server. This figure shows a typical configuration using the default VLANs external and internal.

A typical configuration using the default VLANs
Note: VLANs internal and external reside in partition Common.

Every VLAN must have a static self IP address associated with it. The self IP address of a VLAN represents an address space, that is, the range of IP addresses pertaining to the hosts in that VLAN. When you ran the Setup utility earlier, you assigned one static self IP address to the VLAN external, and one static self IP address to the VLAN internal. When sending a request to a destination server, the BIG-IP system can use these self IP addresses to determine the specific VLAN that contains the destination server.

For example, suppose the self IP address of VLAN external is 12.1.0.100, and the self IP address of the VLAN internal is 11.1.0.100, and both self IP addresses have a netmask of 255.255.0.0. If the IP address of the destination server is 11.1.0.20, then the BIG-IP system can compare the self IP addresses to the host’s IP address to determine that the destination server is in the VLAN internal. This process, combined with checking the ARP cache and a VLAN’s L2 forwarding table, ensures that the BIG-IP system successfully sends the request to the destination server.

Important: In addition to configuring VLAN properties, you must also assign a self IP address to the VLAN.
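The self IP comparison described above, written out as an added example (Python, not BIG-IP code). It reuses the two self IP addresses from the text and adds an assumed third VLAN, dmz, whose address space nests inside internal, to show that the most specific address space must win when more than one contains the destination:

```python
"""Pick the egress VLAN for a destination by comparing it against each
VLAN's self IP address space.  Added example, not BIG-IP code.  The
'external' and 'internal' self IPs come from the text; the netmasks and the
nested 'dmz' VLAN are assumptions made for illustration."""
import ipaddress

# Constructed self IP table: VLAN name -> (static self IP, netmask)
SELF_IPS = {
    "external": ("12.1.0.100", "255.255.0.0"),
    "internal": ("11.1.0.100", "255.255.0.0"),
    # Assumed VLAN whose address space sits inside 'internal'
    "dmz": ("11.1.5.1", "255.255.255.0"),
}


def vlan_networks(self_ips=SELF_IPS):
    """Turn each self IP + netmask into the address space it represents."""
    nets = {}
    for vlan, (addr, mask) in self_ips.items():
        # strict=False because a self IP is a host address, not a network address
        nets[vlan] = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
    return nets


def vlan_for_destination(dst, self_ips=SELF_IPS):
    """Return the VLAN whose self IP address space contains dst, or None.

    If several address spaces contain dst, the longest prefix wins.  None
    means the destination is not directly reachable through any VLAN and
    the system would have to fall back to a route instead."""
    dst_ip = ipaddress.ip_address(dst)
    best = None
    for vlan, net in vlan_networks(self_ips).items():
        if dst_ip in net and (best is None or net.prefixlen > best[1].prefixlen):
            best = (vlan, net)
    return best[0] if best else None


if __name__ == "__main__":
    for d in ("11.1.0.20", "12.1.3.7", "11.1.5.9", "10.9.9.9"):
        print(d, "->", vlan_for_destination(d))
```

Picking the VLAN is only the first step: the system still needs the destination host's MAC address from the ARP cache and the interface from the VLAN's L2 forwarding table before it can send the frame.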

VLAN name

When creating a VLAN, you must assign it a unique name. Once you have finished creating the VLAN, the VLAN name appears in the list of existing VLANs.

VLAN tags

A VLAN tag is a unique ID number that you assign to a VLAN. If you do not explicitly assign a tag to a VLAN, the BIG-IP system assigns a tag automatically. The value of a VLAN tag can be between 1 and 4094. Once you or the BIG-IP system assigns a tag to a VLAN, every frame that the BIG-IP system sends or receives for that VLAN on a tagged interface carries this tag in an IEEE 802.1Q header; frames on untagged interfaces carry no tag.

A VLAN tag is useful when an interface has multiple VLANs associated with it; that is, when the interfaces you assigned to the VLAN are assigned as tagged interfaces. In this case, the BIG-IP system can read the VLAN tag in the header of a message to determine the specific VLAN in which the source or destination host resides.

Important: If the device connected to a BIG-IP system interface is another switch, the VLAN tag that you assign to the VLAN on the BIG-IP system interface must match the VLAN tag assigned to the VLAN on the interface of the other switch.

Interface assignments

For each VLAN that you create, you must assign one or more BIG-IP system interfaces to that VLAN, using the Interfaces setting. When you assign an interface to a VLAN, you indirectly control the hosts from which the BIG-IP system interface sends or receives messages.

Tip: You can assign not only individual interfaces to the VLAN, but also trunks.

For example, if you assign interface 1.11 to VLAN A, and you then associate VLAN A with a virtual server, then the virtual server sends its outgoing traffic through interface 1.11, to a destination host in VLAN A. Similarly, when a destination host sends a message to the BIG-IP system, the host’s VLAN membership determines the BIG-IP system interface that should receive the incoming traffic.

Each VLAN has a MAC address. The MAC address of a VLAN is the MAC address of the lowest-numbered interface assigned to that VLAN.

The BIG-IP system supports two methods for sending and receiving messages through an interface that is a member of one or more VLANs. These two methods are port-based access to VLANs and tag-based access to VLANs. The method used by a VLAN is determined by the way that you add a member interface to a VLAN.

Port-based access to VLANs

With port-based access to VLANs, the BIG-IP system accepts frames for a VLAN simply because they are received on an interface that is a member of that VLAN. With this method, an interface is an untagged member of the VLAN. Frames sent out through untagged interfaces contain no tag in their header.

Port-based access to VLANs occurs when you add an interface to a VLAN as an untagged interface. In this case, the VLAN is the only VLAN that you can associate with that interface. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. If you want to give an interface the ability to send and receive traffic for multiple VLANs, you add the same interface to each VLAN as a tagged interface.

Tag-based access to VLANs

With tag-based access to VLANs, the BIG-IP system accepts frames for a VLAN because the frames have tags in their headers and the tag matches the VLAN identification number for the VLAN. An interface that accepts frames containing VLAN tags is a tagged member of the VLAN. Frames sent out through tagged interfaces contain a tag in their header.

Tag-based access to VLANs occurs when you add an interface to a VLAN as a tagged interface. You can add the same tagged interface to multiple VLANs, thereby allowing the interface to accept traffic from each VLAN with which the interface is associated.

When you add an interface to a VLAN as a tagged interface, the BIG-IP system associates the interface with the VLAN identification number, or tag, which becomes embedded in a header of a frame.

Note: Every VLAN has a tag. You can assign the tag explicitly when creating the VLAN, or the BIG-IP system assigns it automatically if you do not supply one.

Each time you add an interface to a VLAN, either when creating a VLAN or modifying its properties, you can designate that interface as a tagged interface. A single interface can therefore have multiple tags associated with it.

The result is that whenever a frame comes into that interface, the interface reads the tag that is embedded in a header of the frame. If the tag in the frame matches any of the tags associated with the interface, the interface accepts the frame. If the tag in the frame does not match any of the tags associated with the interface, the interface rejects the frame.
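The accept/reject decision described in the preceding paragraphs, as an added example (Python, not BIG-IP code). It builds Ethernet frames with and without an IEEE 802.1Q tag, parses the tag back out, and models an interface that is either an untagged member of one VLAN or a tagged member of several. The interface names 1.1 and 1.2, the VLAN names and the tags 100 and 200 are constructed for illustration:

```python
"""Port-based vs tag-based VLAN access on an interface.  Added example, not
BIG-IP code: it models the accept/reject decision from the text by parsing
the IEEE 802.1Q tag of an Ethernet frame.  Topology below is constructed."""
import struct

TPID_8021Q = 0x8100   # EtherType value that announces an 802.1Q tag follows


def mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def build_frame(dst, src, ethertype, payload, vid=None, pcp=0):
    """Build an Ethernet frame, inserting an 802.1Q tag when vid is given."""
    hdr = mac_bytes(dst) + mac_bytes(src)
    if vid is not None:
        if not 1 <= vid <= 4094:
            raise ValueError("VLAN ID must be between 1 and 4094")
        tci = ((pcp & 0x7) << 13) | (vid & 0xFFF)   # PCP(3) DEI(1)=0 VID(12)
        hdr += struct.pack("!HH", TPID_8021Q, tci)
    return hdr + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (dst, src, vid, ethertype, payload); vid is None when untagged."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype, = struct.unpack("!H", frame[12:14])
    vid, offset = None, 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q header")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        vid, offset = tci & 0xFFF, 18
    return frame[:6], frame[6:12], vid, ethertype, frame[offset:]


class Interface:
    """Untagged member of at most one VLAN, or tagged member of several."""

    def __init__(self, name, untagged=None, tagged=None):
        if untagged is not None and tagged:
            raise ValueError("an untagged interface belongs to that one VLAN only")
        self.name = name
        self.untagged = untagged            # VLAN name: port-based access
        self.tagged = dict(tagged or {})    # tag -> VLAN name: tag-based access

    def ingress_vlan(self, frame):
        """VLAN the frame is accepted into, or None when the interface rejects it."""
        _, _, vid, _, _ = parse_frame(frame)
        if vid is None:
            return self.untagged            # untagged frame: the port decides
        return self.tagged.get(vid)         # tagged frame: the tag must match

    def egress_frame(self, vlan, dst, src, ethertype, payload):
        """Frame to send for `vlan`: tagged on a tagged member, plain otherwise."""
        if vlan == self.untagged:
            return build_frame(dst, src, ethertype, payload)
        for tag, name in self.tagged.items():
            if name == vlan:
                return build_frame(dst, src, ethertype, payload, vid=tag)
        raise ValueError(f"{self.name} is not a member of VLAN {vlan}")


# Constructed topology: 1.1 is an untagged member of 'internal';
# 1.2 is a tagged member of 'external' (tag 100) and 'dmz' (tag 200).
INTERFACES = {
    "1.1": Interface("1.1", untagged="internal"),
    "1.2": Interface("1.2", tagged={100: "external", 200: "dmz"}),
}


def classify(if_name, frame):
    return INTERFACES[if_name].ingress_vlan(frame)


if __name__ == "__main__":
    plain = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:01", 0x0806, b"\x00" * 28)
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:00:5e:00:53:02", 0x0806, b"\x00" * 28, vid=200)
    print("1.1 plain  ->", classify("1.1", plain))    # internal
    print("1.2 tag200 ->", classify("1.2", tagged))   # dmz
    print("1.2 plain  ->", classify("1.2", plain))    # None: rejected
```

Note the asymmetry: a tagged interface rejects an untagged frame and a frame whose tag it does not carry, while an untagged interface ignores tags entirely and accepts only plain frames.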

This figure shows the difference between using three untagged interfaces (where each interface must belong to a separate VLAN) versus one tagged interface (which belongs to multiple VLANs)

Solutions using untagged (left) and tagged interfaces (right)

The configuration on the left shows a BIG-IP system with three internal interfaces, each a separate, untagged interface. This is a typical solution for supporting three separate customer sites. In this scenario, each interface can accept traffic only from its own VLAN.

Conversely, the configuration on the right shows a BIG-IP system with one internal interface and an external switch. The switch places the internal interface on three separate VLANs. The interface is configured on each VLAN as a tagged interface. In this way, the single interface becomes a tagged member of all three VLANs, and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration on the left.


Source checking

When you enable source checking, the BIG-IP system verifies that the return path for an initial packet is through the same VLAN from which the packet originated; that is, it performs a reverse-path check that catches packets whose source address arrives on a VLAN other than the one the system would route back through. Note that the system only enables source checking if the global setting Auto Last Hop is disabled.

Maximum transmission units

The value of the maximum transmission unit, or MTU, is the largest size that the BIG-IP system allows for an IP datagram passing through a BIG-IP system interface. The default value is 1500.

VLAN-based fail-safe

VLAN fail-safe is a feature you enable when you want to base redundant-system failover on VLAN-related events. To configure VLAN fail-safe, you specify a timeout value and the action that you want the system to take when the timeout period expires.

Auto last hop

When you create a VLAN, you can designate the VLAN as the last hop for TMM traffic.

About the CMP hash setting

The CMP Hash setting allows all connections from a client system to use the same set of TMMs. This improves system performance. In configuring the CMP Hash value, you can choose the traffic disaggregation criteria for the VLAN, either source IP address, destination IP address, or TCP/UDP source/destination ports. The default value uses TCP/UDP source/destination ports. Note that the CMP Hash setting appears only on the properties screen for an existing VLAN.

Maintaining the L2 forwarding table

Layer 2 forwarding is the means by which frames are exchanged directly between hosts, with no IP routing required. This is accomplished using a simple forwarding table for each VLAN. The L2 forwarding table is a list that shows, for each host in the VLAN, the MAC address of the host, along with the interface that the BIG-IP system needs for sending frames to that host. The intent of the L2 forwarding table is to help the BIG-IP system determine the correct interface for sending frames, when the system determines that no routing is required.

The format of an entry in the L2 forwarding table is:

<MAC address> -> <if>

For example, an entry for a host in the VLAN might look like this:

00:a0:c9:9e:1e:2f -> 2.1

The BIG-IP system learns the interfaces that correspond to various MAC entries as frames pass through the system, and automatically adds entries to the table accordingly. These entries are known as dynamic entries. You can also add entries to the table manually, and these are known as static entries. Entering static entries is useful if you have network devices that do not advertise their MAC addresses. The system does not automatically update static entries.

The BIG-IP system does not always need to use the L2 forwarding table to find an interface for frame transmission. For instance, if a VLAN has only one interface assigned to it, then the BIG-IP system automatically uses that interface.

Occasionally, the L2 forwarding table does not include an entry for the destination MAC address and its corresponding BIG-IP system interface. In this case, the BIG-IP system floods the frame through all interfaces associated with the VLAN other than the one the frame arrived on, until a reply creates an entry in the L2 forwarding table.
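The learning, static-entry and flooding behaviour described in this section, as an added example (Python, not BIG-IP code). Interface names and MAC addresses are constructed; the entry format follows the `<MAC address> -> <if>` form shown above. The `learn` method also reports when a frame's source MAC contradicts a static entry, which is the practical reason to pin a device's MAC statically: a frame claiming that source on another interface cannot move the entry.

```python
"""Per-VLAN Layer 2 forwarding table with dynamic learning, static entries
and unknown-destination flooding.  Added example, not BIG-IP code; the
VLAN, interface names and MAC addresses below are constructed."""


class L2Table:
    """Forwarding table for one VLAN: MAC address -> interface."""

    def __init__(self, vlan, interfaces):
        self.vlan = vlan
        self.interfaces = list(interfaces)   # interfaces assigned to the VLAN
        self.dynamic = {}                    # learned from frames passing through
        self.static = {}                     # configured by hand, never relearned

    def add_static(self, mac, iface):
        if iface not in self.interfaces:
            raise ValueError(f"{iface} is not a member of VLAN {self.vlan}")
        self.static[mac] = iface
        self.dynamic.pop(mac, None)          # the static entry now wins

    def learn(self, src_mac, ingress_if):
        """Source learning.  Returns False when the frame's source MAC has a
        static entry on a different interface, i.e. the claim is inconsistent
        with the configured pinning and the entry is left untouched."""
        if src_mac in self.static:
            return self.static[src_mac] == ingress_if
        self.dynamic[src_mac] = ingress_if   # add or move the dynamic entry
        return True

    def lookup(self, mac):
        return self.static.get(mac, self.dynamic.get(mac))

    def egress(self, dst_mac, ingress_if=None):
        """Interfaces a frame for dst_mac leaves through."""
        out = self.lookup(dst_mac)
        if out is not None:
            # known destination; nothing to do if it sits behind the ingress port
            return [] if out == ingress_if else [out]
        # unknown destination (or broadcast): flood every member interface
        # except the one the frame arrived on.  For a VLAN with a single
        # interface this is simply that interface, no lookup needed.
        return [i for i in self.interfaces if i != ingress_if]

    def forward(self, src_mac, dst_mac, ingress_if):
        """Learn the source, then decide where the frame goes."""
        self.learn(src_mac, ingress_if)
        return self.egress(dst_mac, ingress_if)

    def entries(self):
        """Entries in the '<MAC address> -> <if>' form used in the text."""
        merged = {**self.dynamic, **self.static}
        return [f"{mac} -> {iface}" for mac, iface in sorted(merged.items())]


if __name__ == "__main__":
    t = L2Table("internal", ["2.1", "2.2", "2.3"])
    print(t.forward("00:a0:c9:9e:1e:2f", "ff:ff:ff:ff:ff:ff", "2.1"))  # flood: 2.2, 2.3
    print(t.forward("00:00:5e:00:53:01", "00:a0:c9:9e:1e:2f", "2.2"))  # ['2.1']
    print(t.entries())
```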

About sFlow polling intervals and sampling rates

You can change the sFlow settings for a specific VLAN when you want the traffic flowing through the VLAN to be sampled at a different rate than the global sFlow settings on the BIG-IP system.

About VLAN groups

A VLAN group is a logical container that includes two or more distinct VLANs. VLAN groups are intended for load balancing traffic in a Layer 2 network, when you want to minimize the reconfiguration of hosts on that network. This figure shows an example of a VLAN group.

Example of a VLAN group

A VLAN group also ensures that the BIG-IP system can process traffic successfully between a client and server when the two hosts reside in the same address space. Without a VLAN group, when the client and server both reside in the same address space, the client request goes through the virtual server, but instead of sending its response back through the virtual server, the server attempts to send its response directly to the client, bypassing the virtual server altogether. As a result, the client does not accept the response, because it expects the response to come from the virtual server IP address, not the server IP address.

Tip: You can configure the behavior of the BIG-IP system so that it always creates a proxy for any ARP requests between VLANs.

When you create a VLAN group, the two existing VLANs become child VLANs of the VLAN group.

VLAN groups reside in administrative partitions. To create a VLAN group, you must first set the current partition to the partition in which you want the VLAN group to reside.

Note: Only users with the Administrator user role can create and manage VLAN groups.

About VLAN group names

When creating a VLAN group, you must assign it a unique name. Once you have finished creating the VLAN group, the VLAN group name appears in the list of existing VLAN groups.

VLAN group ID

A VLAN group ID is a tag for the VLAN group. Every VLAN group needs a unique ID number. If you do not specify an ID for the VLAN group, the BIG-IP system automatically assigns one. The value of a VLAN group ID can be between 1 and 4094.

About transparency mode

The BIG-IP system is capable of processing traffic using a combination of Layer 2 and Layer 3 forwarding, that is, switching and IP routing. When you set the transparency mode, you specify the type of forwarding that the BIG-IP system performs when forwarding a message to a host in a VLAN. The default setting is translucent, which means that the BIG-IP system uses a mix of Layer 2 and Layer 3 processing. The allowed values are:

opaque
Proxy ARP with Layer 3 forwarding.
translucent
Layer 2 forwarding with a locally-unique bit toggled in ARP responses across VLANs. This is the default setting. When you choose this value and you have a virtual server that references a Fast L4 profile, the BIG-IP system automatically changes the PVA Acceleration setting to None.
transparent
Layer 2 forwarding with the original MAC address of the remote system preserved across VLANs. When you choose this value and you have a virtual server that references a Fast L4 profile, the BIG-IP system automatically changes the PVA Acceleration setting to None.

About traffic bridging

When you enable the traffic bridging option, you are instructing the VLAN group to forward all non-IP traffic. Note that IP traffic is bridged by default. The default value for this setting is disabled (unchecked).

About traffic bridging with standby units

When enabled, the Bridge in Standby setting ensures that the VLAN group can forward packets when the system is the standby device of a redundant system configuration. Note that this setting applies to non-IP and non-ARP frames only, such as Bridge Protocol Data Units (BPDUs).

This setting is designed for deployments in which the VLAN group is defined on a redundant system. You can use the Bridge in Standby setting in transparent or translucent modes, or in opaque mode when the global variable Failover.Standby.LinkDownTime is set to 0.

Warning: This setting can cause adverse effects if the VLAN group exists on more than one device in a device group. The setting is intended for configurations where the VLAN group exists on one device only. The default setting is enabled (checked).

About host exclusion from proxy ARP forwarding

A host in a VLAN cannot normally communicate with a host in another VLAN. This rule applies to ARP requests as well. However, if you put the VLANs into a single VLAN group, the BIG-IP system can perform a proxied ARP request.

A proxied ARP request is an ARP request that the BIG-IP system can send, on behalf of a host in a VLAN, to hosts in another VLAN. A proxied ARP request requires that both VLANs belong to the same VLAN group.

In some cases, you might not want the BIG-IP system to forward proxied ARP requests to a specific host, or to other hosts in the configuration. To exclude specific hosts from receiving forwarded proxied ARP requests, you use the Configuration utility and specify the IP addresses that you want to exclude.

Warning: Although hosts on an ARP exclusion list are specified using their IP addresses, this does not prevent the BIG-IP system from routing traffic to those hosts. A more secure way to prevent traffic from passing between hosts in separate VLANs is to create a packet filter for each VLAN.

VLAN association with a self IP address

After you create a VLAN or a VLAN group, you must associate it with a self IP address. You associate a VLAN or VLAN group with a self IP address using the New Self IPs screens of the Configuration utility:

Associating a VLAN with a self IP address
The self IP address with which you associate a VLAN should represent an address space that includes the IP addresses of the hosts that the VLAN contains. For example, if the address of one host is 11.0.0.1 and the address of the other host is 11.0.0.2, you could associate the VLAN with a self IP address of 11.0.0.100, with a netmask of 255.255.255.0.
Associating a VLAN group with a self IP address
The self IP address with which you associate a VLAN group should represent an address space that includes the self IP addresses of the VLANs that you assigned to the group. For example, if the self IP address of one VLAN is 10.0.0.1 and the self IP address of the other VLAN is 10.0.0.2, you could associate the VLAN group with a self IP address of 10.0.0.100, with a netmask of 255.255.255.0.

VLAN assignment to route domains

If you explicitly create route domains, you should consider the following facts:

  • You can assign VLANs (and VLAN groups) to route domain objects that you create. Traffic pertaining to that route domain uses those assigned VLANs.
  • During BIG-IP system installation, the system automatically creates a default route domain, with an ID of 0. Route domain 0 has two VLANs assigned to it, VLAN internal and VLAN external.
  • If you create one or more VLANs in an administrative partition other than Common, but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0.

Overview: Bridging VLAN and VXLAN networks

Large data centers and cloud service providers are benefiting from the use of Layer 2 over Layer 3 overlay networks to support large scale network virtualization. You can configure Virtual eXtensible LAN (VXLAN) on a BIG-IP system to enable a physical VLAN to communicate with virtual machines (VMs) in a virtual network. The BIG-IP system becomes a gateway to bridge the data center virtual network with the physical external network. Connecting these two networks allows for expansion, and provides a mechanism to streamline the transition of data centers into a virtualized model, while maintaining connectivity.

The VXLAN gateway

When you configure a BIG-IP system as a VXLAN gateway, the system represents the VXLAN as a tunnel, which provides a Layer 2 interface on the virtual network. You can use the tunnel interface in both Layer 2 and Layer 3 configurations. After you configure the VXLAN tunnel, the BIG-IP system joins the configured multicast group, and can forward both unicast and multicast or broadcast frames on the virtual network. The BIG-IP system learns about MAC address and VTEP associations dynamically, thus avoiding unnecessary transmission of multicast traffic.

Multiple VXLAN tunnels

About Virtual eXtensible LAN (VXLAN)

Virtual eXtensible LAN (VXLAN) is a network virtualization scheme that overlays Layer 2 over Layer 3. VXLAN uses Layer 3 multicast to support the transmission of multicast and broadcast traffic in the virtual network, while decoupling the virtual network from the physical infrastructure. VXLAN uses a UDP-based encapsulation (UDP destination port 4789) to tunnel Ethernet frames. In a VMware environment, VXLAN can extend the virtual network across a set of VMware ESXi servers, providing Layer 2 connectivity among the hosted virtual machines (VMs). Each VMware ESXi server represents a VXLAN Tunnel Endpoint. In this environment, a VXLAN gateway device can be used to terminate the VXLAN tunnel and forward traffic to and from a physical network.

VXLAN Terminology

These definitions assist in understanding VXLAN.

VXLAN gateway
A VXLAN gateway bridges traffic between VXLAN and non-VXLAN environments. The BIG-IP system uses a VXLAN gateway to bridge a traditional VLAN and a VXLAN network, by becoming a virtual network endpoint.
VXLAN segment
A VXLAN segment is a Layer 2 overlay network over which VMs communicate. Only VMs within the same VXLAN segment can communicate with each other.
VNI
The Virtual Network Identifier (VNI) is also called the VXLAN segment ID. The system uses the VNI, along with the VLAN ID, to identify the appropriate tunnel.
VTEP
The VXLAN Tunnel Endpoint (VTEP) originates or terminates a VXLAN tunnel. The same local IP address can be used for multiple tunnels.
VXLAN header
In addition to the UDP header, encapsulated packets include a VXLAN header, which carries a 24-bit VNI to uniquely identify Layer 2 segments within the overlay.
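The VXLAN header layout described above, and the checks a gateway applies before bridging a decapsulated frame onto a VLAN, as an added example (Python, not BIG-IP code). It builds the 8-byte header from RFC 7348 around an inner Ethernet frame, then decapsulates it and drops packets whose I flag is clear or whose VNI has no configured tunnel. The VNI-to-VLAN table, the VNIs 5001 and 5002 and the inner frame are constructed for illustration:

```python
"""VXLAN encapsulation and gateway-side validation.  Added example, not
BIG-IP code.  Tunnel table, VNIs and the inner frame are constructed."""
import struct

VXLAN_UDP_PORT = 4789     # IANA-assigned destination port for VXLAN
VXLAN_FLAG_I = 0x08       # 'I' flag: the VNI field carries a valid VNI
VXLAN_HEADER_LEN = 8


def vxlan_encap(vni, inner_frame):
    """Prepend the 8-byte VXLAN header to an inner Ethernet frame."""
    if not 0 <= vni < (1 << 24):
        raise ValueError("VNI is a 24-bit value")
    # flags(8) reserved(24) | VNI(24) reserved(8), network byte order
    header = struct.pack("!II", VXLAN_FLAG_I << 24, vni << 8)
    return header + inner_frame


def vxlan_decap(packet, tunnels):
    """Validate the bytes that follow the outer UDP header and return
    (vlan, inner_frame).  Raises ValueError for anything a gateway should
    drop: a short packet, a clear I flag, or a VNI with no tunnel.
    Reserved bits are ignored on receipt, as the RFC requires."""
    if len(packet) < VXLAN_HEADER_LEN:
        raise ValueError("short VXLAN packet")
    word0, word1 = struct.unpack("!II", packet[:VXLAN_HEADER_LEN])
    if not (word0 >> 24) & VXLAN_FLAG_I:
        raise ValueError("I flag clear: no valid VNI")
    vni = word1 >> 8
    if vni not in tunnels:
        raise ValueError(f"no tunnel configured for VNI {vni}")
    inner = packet[VXLAN_HEADER_LEN:]
    if len(inner) < 14:
        raise ValueError("inner Ethernet frame too short")
    return tunnels[vni], inner


def inner_macs(inner_frame):
    """(destination, source) MAC of the inner frame; the source MAC paired
    with the outer source IP is what a gateway learns as a MAC/VTEP association."""
    def fmt(b):
        return ":".join(f"{x:02x}" for x in b)
    return fmt(inner_frame[:6]), fmt(inner_frame[6:12])


# Constructed tunnel table: VNI -> VLAN the gateway bridges it with.
TUNNELS = {5001: "internal", 5002: "dmz"}

# Constructed inner frame: broadcast ARP request from 00:00:5e:00:53:01
INNER = bytes.fromhex("ffffffffffff" "00005e005301" "0806") + b"\x00" * 28


if __name__ == "__main__":
    pkt = vxlan_encap(5001, INNER)
    print(pkt[:8].hex())                      # 0800000000138900
    print(vxlan_decap(pkt, TUNNELS)[0])       # internal
    print(inner_macs(INNER))
```

Rejecting an unknown VNI matters because the VNI is the only thing that separates tenants inside the overlay; a gateway that bridged any VNI onto its VLANs would let one segment reach hosts it should never see.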