BIG-IP TMOS Routing Administration PDF

Summary

This document is a guide on BIG-IP TMOS routing administration, version 13.1. It covers topics such as configuring interfaces, trunks, and virtual wires for route configuration within the BIG-IP system.

Full Transcript


BIG-IP TMOS: Routing Administration, Version 13.1

Table of Contents

Overview of TMOS Routing
  Overview of routing administration in TMOS
  About BIG-IP system routing tables
  About BIG-IP management routes and TMM routes
  About traffic load balancing across TMM instances
  Load balancing traffic across multiple blades or HSBs
  Viewing routes on the BIG-IP system

Virtual Wires
  Overview: Configuring the BIG-IP system as a Layer 2 device with wildcard VLANs
  Forwarding behavior and user actions
  Create BIG-IP objects for Layer 2 transparency

Interfaces
  Introduction to BIG-IP system interfaces
  About link layer discovery protocol
  Interface properties
    Interface naming conventions
    About interface information and media properties
    Interface state
    Fixed Requested Media
    About flow control
    About the Ether Type property
    About the LLDP property
    LLDP Attributes
    About the forwarding mode
    About Switch Port Analyzer (SPAN) interfaces
  About interface mirroring
  Neighbor settings
  Configuring settings for an interface
  Related configuration tasks

Trunks
  Introduction to trunks
  Creating a trunk
  How do trunks operate?
  Overview of LACP
  Interfaces for a trunk
    About Spanning Tree and trunk interfaces
    About tagging for trunk interfaces
    About trunk configuration
  About the Ether Type property
  About enabling LACP
  LACP mode
  LACP timeout
  Link selection policy
    Automatic link selection
    Maximum bandwidth link selection
  Frame distribution hash

VLANs, VLAN Groups, and VXLAN
  About VLANs
    Default VLAN configuration
    About VLANs and interfaces
    VLAN association with a self IP address
    VLAN assignment to route domains
    Maintaining the L2 forwarding table
    Additional VLAN configuration options
    Creating a VLAN
  About VLAN groups
    About VLAN group names
    VLAN group ID
    VLAN group association with a self IP address
    About transparency mode
    About traffic bridging
    About traffic bridging with standby units
    About migration keepalive frames
    About host exclusion from proxy ARP forwarding
    Creating a VLAN group
  About bridging VLAN and VXLAN networks
    About VXLAN multicast configuration

Self IP Addresses
  Introduction to self IP addresses
  Types of self IP addresses
  Self IP addresses and MAC addresses
  Self IP addresses for SNATs
  Self IP address properties
  Creating a self IP address
  Creating a self IP for a VLAN group

Packet Filters
  Introduction to packet filtering
  Global settings
  Global properties
  Global exemptions
    Protocols
    MAC addresses
    IP addresses
    VLANs
  Order of packet filter rules
  About the action setting in packet filter rules
  Rate class assignment
  One or more VLANs
  Logging
  About filter expression creation
  Enabling packet filtering
  Creating a packet filter rule

NATs and SNATs
  Introduction to NATs and SNATs
  Comparison of NATs and SNATs
  About NATs
    NATs for inbound connections
    NATs for outbound connections
    Creating a NAT
  About SNATs
    SNATs for client-initiated (inbound) connections
    SNATs for server-initiated (outbound) connections
    SNAT types
    About translation addresses
    Original IP addresses
    VLAN traffic
    About ephemeral port exhaustion
    Creating a SNAT
    Creating a SNAT pool

Route Domains
  What is a route domain?
  Benefits of route domains
  Sample partitions with route domain objects
  Sample route domain deployment
  About route domain IDs
  Traffic forwarding across route domains
    About parent IDs
    About strict isolation
  About default route domains for administrative partitions
  About VLAN and tunnel assignments for a route domain
  About advanced routing modules for a route domain
  About throughput limits on route domain traffic
  Creating a route domain on the BIG-IP system

Static Routes
  Static route management on the BIG-IP system
  Adding a static route

Dynamic Routing
  Dynamic routing on the BIG-IP system
  Supported protocols for dynamic routing
  About the Bidirectional Forwarding Detection protocol
    Configuration overview
    Enabling the BFD protocol for a route domain
    Common commands for BFD base configuration
    Common commands for BFD routing configuration
  About the Protocol Independent Multicast protocol
    About using PIM sparse mode
    About using PIM dense mode
    About using PIM sparse-dense mode
    About reverse path forwarding functionality
    About Maximum Multicast Rate functionality
    Configuration overview
    Enabling a PIM protocol for a route domain
    Common commands for enabling multicast routing
    Common commands for configuring PIM interfaces
    Common tmsh commands for PIM interfaces
    PIM protocol supported tunnel types
  About ECMP routing
    Advanced routing modules that support ECMP
    Enabling the ECMP protocol for BGP4
    Viewing routes that use ECMP
  Location of startup configuration for advanced routing modules
  Accessing the IMI Shell
  Relationship of advanced routing modules and BFD to route domains
    Enabling a protocol for a route domain
    Disabling a protocol for a route domain
    Displaying the status of enabled protocols
  About Route Health Injection
    About route advertisement of virtual addresses
    Redistribution of routes for BIG-IP virtual addresses
  Advertisement of next-hop addresses
    IPv6 next-hop address selection (BGP4 only)
    Parameter combinations for next-hop address selection
  Visibility of static routes
  About dynamic routing for redundant system configurations
    Special considerations for BGP4, RIP, and IS-IS
    Special considerations for OSPF
    Displaying OSPF interface status
    Listing the OSPF link state database
  Dynamic routing on a VIPRION system
    VIPRION appearance as a single router
    Redundancy for the dynamic routing control plane
    Operational modes for primary and secondary blades
    Viewing the current operational mode
    About graceful restart on the VIPRION system
    Runtime monitoring of individual blades
  Troubleshooting information for dynamic routing
    Checking the status of the tmrouted daemon
    Stopping the tmrouted daemon
    Restarting the tmrouted daemon
    Configuring tmrouted recovery actions
    Location and content of log files
    Creating a debug log file

Address Resolution Protocol
  Address Resolution Protocol on the BIG-IP system
  What are the states of ARP entries?
  About BIG-IP responses to ARP requests from firewall devices
  About gratuitous ARP messages
  Management of static ARP entries
    Adding a static ARP entry
    Viewing static ARP entries
    Deleting static ARP entries
  Management of dynamic ARP entries
    Viewing dynamic ARP entries
    Deleting dynamic ARP entries
    Configuring global options for dynamic ARP entries

Spanning Tree Protocol
  Introduction to spanning tree protocols
  About STP protocol
  About the RSTP protocol
  About the MSTP protocol
  About spanning tree with legacy bridges
  Configuration overview
  Spanning tree mode
  Global timers
    About the hello time option
    About the maximum age option
    About the forward delay option
  About the transmit hold count option
  MSTP-specific global properties
  Management of spanning tree instances
    Spanning tree instances list
    About spanning tree instance (MSTP-only) creation
    About instance ID assignment
    Bridge priority
    VLAN assignment
    About viewing and modifying a spanning tree instance
    About deleting a spanning tree instance or its members (MSTP-only)
  Interfaces for spanning tree
    About enabling and disabling spanning tree
    STP link type
    STP edge port
    About spanning tree protocol reset
    About managing interfaces for a specific instance
    About viewing a list of interface IDs for an instance
    About port roles
    Port states
    Settings to configure for an interface for a specific instance

WCCP
  About WCCPv2 redirection on the BIG-IP system
  A common deployment of the WCCPv2 protocol

Rate Shaping with srTCM Policers
  About Single Rate Three Color Marker Policers
  Creating a Single Rate Three Color Marker policer

Legal Notices
  Legal notices

Overview of TMOS Routing

Overview of routing administration in TMOS

As a BIG-IP® system administrator, you typically manage routing on the system by configuring these BIG-IP system features.

Table 1: BIG-IP system features for route configuration (feature: benefit)

Interfaces: For the physical interfaces on the BIG-IP system, you can configure properties such as flow control and sFlow polling intervals.
You can also configure the Link Layer Discovery Protocol (LLDP), globally for all interfaces and on a per-interface basis.

Trunks: A trunk is a logical grouping of interfaces on the BIG-IP system. When you create a trunk, this logical group of interfaces functions as a single interface. The BIG-IP system uses a trunk to distribute traffic across multiple links, in a process known as link aggregation.

VLANs: You create VLANs for the external and internal BIG-IP networks, as well as for high-availability communications in a BIG-IP device clustering configuration. The BIG-IP system supports VLANs associated with both tagged and untagged interfaces.

Virtual and self IP addresses: You can create two kinds of IP addresses locally on the BIG-IP system. A virtual IP address is the address associated with a virtual server. A self IP address is an IP address on the BIG-IP system that you associate with a VLAN or VLAN group, to access hosts in that VLAN or VLAN group. Whenever you create virtual IP addresses and self IP addresses on the BIG-IP system, the system automatically adds routes to the system that pertain to those addresses, as directly-connected routes.

DHCP support: You can configure the BIG-IP system to function as a DHCP relay or renewal agent. You can also force the renewal of the DHCP lease for the BIG-IP system management port.

Packet filtering: Using packet filters, you can specify whether a BIG-IP system interface should accept or reject certain packets based on criteria such as source or destination IP address. Packet filters enforce an access policy on incoming traffic.

IP address translation: You can configure network address translation (NATs) and source network address translation (SNATs) on the BIG-IP system. Creating a SNAT for a virtual server is a common way to ensure that pool members return responses to the client through the BIG-IP system.

Route domains: You create route domains to segment traffic associated with different applications and to allow devices to have duplicate IP addresses within the same network.

Static routes: For destination IP addresses that are not on the directly-connected network, you can explicitly add static routes. You can add both management (administrative) and TMM static routes to the BIG-IP system.

Dynamic routing: You can configure the advanced routing modules (a set of dynamic routing protocols and core daemons) to ensure that the BIG-IP system can learn about routes from other routers and advertise BIG-IP system routes. These advertised routes can include BIG-IP virtual addresses.

Spanning Tree Protocol (STP): You can configure any of the Spanning Tree protocols to block redundant paths on a network, thus preventing bridging loops.

The ARP cache: You can manage static and dynamic entries in the ARP cache to resolve IP addresses into MAC addresses.

WCCPv2 support: WCCPv2 is a content-routing protocol developed by Cisco® Systems. It provides a mechanism to redirect traffic flows in real time. The primary purpose of the interaction between WCCPv2-enabled routers and a BIG-IP® system is to establish and maintain the transparent redirection of selected types of traffic flowing through those routers.

About BIG-IP system routing tables

The BIG-IP system contains two sets of routing tables:

- The Linux routing tables, for routing administrative traffic through the management interface
- A special TMM routing table, for routing application and administrative traffic through the TMM interfaces

As a BIG-IP administrator, you configure the system so that the BIG-IP system can use these routing tables to route both management and application traffic successfully.

About BIG-IP management routes and TMM routes

The BIG-IP system maintains two kinds of routes:

Management routes: Management routes are routes that the BIG-IP system uses to forward traffic through the special management interface. The BIG-IP system stores management routes in the Linux (that is, kernel) routing table.

TMM routes: TMM routes are routes that the BIG-IP system uses to forward traffic through the Traffic Management Microkernel (TMM) interfaces instead of through the management interface. The BIG-IP system stores TMM routes in both the TMM and kernel routing tables.

About traffic load balancing across TMM instances

On eDAG-enabled hardware platforms, you can configure the BIG-IP® system to scatter stateless traffic in round-robin fashion across TMM instances. This feature is particularly beneficial for networks with heavy Domain Name Server (DNS) or Session Initiation Protocol (SIP) traffic, as well as for the management of Distributed Denial of Service (DDoS) attacks. You can configure this feature in one of two modes:

Global: Across TMM instances across multiple blades or HSBs on the system. You configure this mode by setting a global value using the Traffic Management Shell (tmsh). This is the default mode.

Local: Per individual high-speed bridge (HSB). In this case, the system load balances the traffic across TMM instances within a single blade or HSB but not across multiple blades or HSBs. You configure this mode when you create or modify a VLAN on the BIG-IP system.

Load balancing traffic across multiple blades or HSBs

Before performing this task, confirm that the BIG-IP® software is running on an eDAG-enabled hardware platform.

You can configure whether the BIG-IP system load balances traffic across TMM instances between blades/high-speed bridges (HSBs) or only across TMM instances that are local to a given HSB.

1. Open the TMOS Shell (tmsh).
   tmsh
2. Enable the load balancing of traffic across all TMMs between blades or HSBs on the system.
   modify net dag-globals round-robin-mode global
   After you use this command, the BIG-IP system load balances traffic across all TMM instances on the system, regardless of the associated blade or HSB.
3. Disable the load balancing of traffic across TMMs between all blades or HSBs on the system.
   modify net dag-globals round-robin-mode local
   After you use this command, the BIG-IP system load balances traffic across any TMM instances that are local to a specific blade or HSB, but only if you have selected the Round Robin DAG setting on the relevant VLAN.

Viewing routes on the BIG-IP system

You can use the tmsh utility to view different kinds of routes on the BIG-IP system.

1. Open a console window, or an SSH session using the management port, on the BIG-IP system.
2. Use your user credentials to log in to the system.
3. Perform one of these actions at the command prompt:
   - To view all routes on the system, type: tmsh show /net route
   - To view all configured static routes on the system, type: tmsh list /net route

You are now able to view BIG-IP system routes.

Virtual Wires

Overview: Configuring the BIG-IP system as a Layer 2 device with wildcard VLANs

Introduction

To deploy a BIG-IP® system without making changes to other devices on your network, you can configure the system to operate strictly at Layer 2. By deploying a virtual wire configuration, you transparently add the device to the network without having to create self IP addresses or change the configuration of other network devices that the BIG-IP device is connected to. A virtual wire logically connects two interfaces or trunks, in any combination, to each other, enabling the BIG-IP system to forward traffic from one interface to the other, in either direction.
This type of configuration is typically used for security monitoring, where the BIG-IP system inspects ingress packets without modifying them in any way.

Sample configuration

This illustration shows a virtual wire configuration on the BIG-IP system. In this configuration, a VLAN group contains two VLANs tagged with VLAN ID 4096. Each VLAN is associated with a trunk, allowing the VLAN to accept all traffic for forwarding to the other trunk.

Directly connected to a Layer 2 or 3 networking device, each interface or trunk of the virtual wire is attached to a wildcard VLAN, which accepts all ingress traffic. On receiving a packet, an interface of a virtual wire trunk forwards the frame to the other trunk and then to another network device.

Optionally, you can create a forwarding virtual server that applies a security policy to ingress traffic before forwarding the traffic to the other trunk.

Key points

There are a few key points to remember about virtual wire configurations in general:
- An interface accepts packets in promiscuous mode, which means there is no packet modification.
- The system bridges both tagged and untagged data.
- Source MAC address learning is disabled.
- Forwarding decisions are based on the ingress interface.
- Neither VLANs nor MAC addresses change.

Note: VLAN double tagging is not supported in a virtual wire configuration.

Forwarding behavior and user actions

When an interface in virtual wire mode receives traffic, it first tries to associate the traffic with a VLAN defined on the virtual wire and then looks for a matching virtual server. If a virtual server is found, the forwarding action is determined by the policies configured on the virtual server.

This table describes how the BIG-IP® system handles certain conditions when the relevant interfaces are configured to use a virtual wire. The table also shows what actions you can take, if possible.
Condition: No VLAN for tagged traffic is found.
  Default behavior: If the traffic is tagged but there is no VLAN for that traffic, the virtual wire dynamically creates data-path objects that enable the system to engage the forwarding path.
  User action: None.

Condition: No VLAN for untagged traffic is found.
  Default behavior: Unlike for tagged traffic, where a specific VLAN is not needed, a virtual wire needs a specific VLAN associated with untagged traffic.
  User action: Be sure to configure an untagged VLAN on the relevant virtual wire interface to enable the system to correctly handle untagged traffic. Note that many Layer 2 protocols, such as Spanning Tree Protocol (STP), employ untagged traffic in the form of BPDUs.

Condition: An "any" VLAN group and a VLAN configured for specific traffic exist, but there is no virtual server for the specific traffic.
  Default behavior: A virtual wire object can include both an "any" VLAN group and a separate VLAN that's configured to handle specific traffic. If the only virtual server you create is the one that listens for the VLAN group traffic and not specific traffic, the virtual server configured to listen for traffic on the VLAN group behaves like a wildcard virtual server. That is, the virtual server accepts all traffic for the virtual wire, including the traffic intended for the specific VLAN.
  User action: Although not a requirement, consider creating a separate virtual server to match specific traffic being forwarded.

Condition: No virtual server for tagged traffic is found.
  Default behavior: If there is no matching virtual server for tagged traffic, a virtual wire forwards the traffic at Layer 2, ignoring headers at Layer 3 and above. However, even in this case the system keeps a "connection" state with a default age of 300 seconds. With a large number of TCP connections, this can cause temporary spikes in memory use. The system eventually clears these memory spikes through idle timeouts.
  User action: Create one or more virtual servers that match tagged TCP traffic on the virtual wire. Or, if unsure of the traffic types, you can create a wildcard virtual server. By creating matching or wildcard virtual servers, you can prevent such spikes in memory use. The type of virtual servers you create should be either Forwarding (IP) or Performance (Layer 4). This enables the system to close connections much faster and therefore improve system performance. Alternatively, you can configure a lower idle timeout threshold using the tmsh command sys db tm.l2forwardidletimeout.

Condition: Layer 2 BPDU traffic.
  Default behavior: As long as the virtual wire is able to associate the Layer 2 BPDUs to a VLAN (tagged or untagged), the system forwards all Layer 2 BPDU traffic to the peer interface.
  User action: Because many Layer 2 protocols employ untagged BPDUs, it's a good idea to make sure you have both tagged and untagged VLANs on the virtual wire for forwarding BPDUs.

Create BIG-IP objects for Layer 2 transparency

To configure the BIG-IP® system as an inline device operating in Layer 2 transparency mode, you first need to create a virtual wire configuration object. Creating a virtual wire object causes the BIG-IP system to automatically perform these actions:
- Create trunks for accepting all VLAN traffic, with Link Aggregation Control Protocol (LACP) enabled.
- Set the trunk members (interfaces) to virtual wire mode.
- Create two VLANs with tag 4096 that allow all Layer 2 ingress traffic.
- Create a VLAN group to logically connect the VLANs.

1. On the Main tab, click Network > Virtual Wire. This object appears on certain BIG-IP platforms only. The Virtual Wire screen opens.
2. Click Create.
3. In the Name field, type a name for the virtual wire object.
4. On the right side of the screen, click the double-arrow symbol to expand the Shared Objects panel.
5. Click within the Trunks heading area. This displays a list of existing trunks, and displays the + symbol for creating a trunk.
6. Click the + symbol.
7. In the Name field, type a name for the trunk, such as trunk_external or trunk_internal.
8. In the Interfaces list, select the check boxes for the interfaces that you want to include in the trunk.
9. From the LACP list, select Enabled. This enables the Link Aggregation Control Protocol (LACP) to monitor link availability within the trunk.
10. Click Commit. If you do not see the Commit button, try using a different browser. This creates the trunk that you can specify as an interface when you complete the creation of the virtual wire object.
11. Repeat steps 6 through 10 to create a second trunk.
12. In the Member 1 column, from the Interfaces/Trunks list, select a trunk name, such as trunk_external.
13. In the Member 2 column, from the Interfaces/Trunks list, select another trunk name, such as trunk_internal.
14. In the VLAN Traffic Management Configuration column, for the Define VLANs list, use the default value of No.
15. Click Done Editing.
16. Click Commit Changes to System.

After you perform this task, the BIG-IP system contains a virtual wire object, two trunks, two VLANs, and a VLAN group.

Interfaces

Introduction to BIG-IP system interfaces

A key task of the BIG-IP® system configuration is the configuration of BIG-IP system interfaces. The interfaces on a BIG-IP system are the physical ports that you use to connect the BIG-IP system to other devices on the network. These other devices can be next-hop routers, Layer 2 devices, destination servers, and so on. Through its interfaces, the BIG-IP system can forward traffic to or from other network devices.

Note: The term interface refers to the physical ports on the BIG-IP system.

Every BIG-IP system includes multiple interfaces. The exact number of interfaces that you have on the BIG-IP system depends on the platform type.

A BIG-IP system has two types of interfaces:

A management interface
  The management interface is a special interface dedicated to performing a specific set of system management functions.
TMM switch interfaces
  TMM switch interfaces are those interfaces that the BIG-IP system uses to send or receive application traffic, that is, traffic slated for application delivery.

Each of the interfaces on the BIG-IP system has unique properties, such as the MAC address, media speed, duplex mode, and support for Link Layer Discovery Protocol (LLDP). In addition to configuring interface properties, you can implement a feature known as interface mirroring, which you can use to duplicate traffic from one or more interfaces to another. You can also view statistics about the traffic on each interface.

Once you have configured the properties of each interface, you can configure several other features of the BIG-IP system that control the way that interfaces operate. For example, by creating a virtual local area network (VLAN) and assigning interfaces to it, the BIG-IP system can insert a VLAN ID, or tag, into frames passing through those interfaces. In this way, a single interface can forward traffic for multiple VLANs.

About link layer discovery protocol

The BIG-IP® system supports Link Layer Discovery Protocol (LLDP). LLDP is a Layer 2 industry-standard protocol (IEEE 802.1AB) that enables a network device such as the BIG-IP system to advertise its identity and capabilities to multi-vendor neighbor devices on a network. The protocol also enables a network device to receive information from neighbor devices. LLDP transmits device information in the form of LLDP messages known as LLDP Data Units (LLDPDUs).

In general, this protocol:
- Advertises connectivity and management information about the local BIG-IP device to neighbor devices on the same IEEE 802 LAN.
- Receives network management information from neighbor devices on the same IEEE 802 LAN.
- Operates with all IEEE 802 access protocols and network media.

Using the BIG-IP Configuration utility or tmsh, you can configure the BIG-IP system interfaces to transmit or receive LLDPDUs.
More specifically, you can:
- Specify the exact content of LLDPDUs that a BIG-IP system interface transmits to a neighbor device. You specify this content by configuring the LLDP Attributes setting on each individual interface.
- Globally specify the frequencies of various message transmittal properties, and specify the number of neighbors from which each interface can receive messages. These properties apply to all interfaces on the BIG-IP system.

This figure shows a local LLDP-enabled BIG-IP system, configured to both transmit and receive LLDP messages from neighbor devices on a LAN.

Figure 1: A local BIG-IP system that transmits and receives LLDPDUs

Interface properties

Each interface on the BIG-IP® system has a set of properties that you can configure, such as enabling or disabling the interface, setting the requested media type and duplex mode, and configuring flow control. Configuring the properties of each interface is one of the first tasks you do after running the Setup utility on the BIG-IP system. While you can change some of these properties, such as media speed and duplex mode, you cannot change other properties, such as the media access control (MAC) address.

Note: You can configure STP-related properties on an interface by configuring one of the Spanning Tree protocols.

Before configuring interface properties, it is helpful to understand interface naming conventions.

Only users with either the Administrator or Resource Administrator user role can create and manage interfaces.

Interface naming conventions

By convention, the names of the interfaces on the BIG-IP® system use the format s.p, where s is the slot number of the network interface card (NIC), and p is the port number on the NIC. Examples of interface names are 1.1, 1.2, and 2.1. BIG-IP system interfaces already have names assigned to them; you do not explicitly assign them.
An exception to the interface naming convention is the management interface, which has the special name, MGMT.

About interface information and media properties

Using the BIG-IP Configuration utility, you can display a screen that lists all of the BIG-IP® system interfaces, as well as their current status (UP or DOWN). You can also view other information about each interface:
- MAC address of the interface
- Interface availability
- Media type
- Media speed
- Active mode (such as full)

This information is useful when you want to assess the way that a particular interface is forwarding traffic. For example, you can use this information to determine the specific VLANs for which an interface is currently forwarding traffic. You can also use this information to determine the speed at which an interface is currently operating.

Interface state

You can either enable or disable an interface on the BIG-IP® system. By default, each interface is set to Enabled, where it can accept ingress or egress traffic. When you set the interface to Disabled, the interface cannot accept ingress or egress traffic.

Fixed Requested Media

The Fixed Requested Media property shows that the interface auto-detects the duplex mode of the interface.

About flow control

You can configure the way that an interface handles pause frames for flow control. Pause frames are frames that an interface sends to a peer interface as a way to control frame transmission from that peer interface. Pausing a peer's frame transmissions prevents an interface's First-in, First-out (FIFO) queue from filling up and resulting in a loss of data.

Possible values for this property are:

Pause None
  Disables flow control.
Pause TX/RX
  Specifies that the interface honors pause frames from its peer, and also generates pause frames when necessary. This is the default value.
Pause TX
  Specifies that the interface ignores pause frames from its peer, and generates pause frames when necessary.
Pause RX
  Specifies that the interface honors pause frames from its peer, but does not generate pause frames.

About the Ether Type property

The Ether Type property appears in the BIG-IP® Configuration utility only when the system includes ePVA hardware support. An ether type is a two-octet field in an Ethernet frame, used to indicate the protocol encapsulated in the payload. The BIG-IP system uses the value of this property when an interface or trunk is associated with an IEEE 802.1QinQ (double tagged) VLAN. By default, the system sets this value to 0x8100.

About the LLDP property

The LLDP property is one of two properties related to LLDP that you can configure for a specific interface. The possible values for this setting are:

Disabled
  When set to this value, the interface neither transmits (sends) LLDP messages to, nor receives LLDP messages from, neighboring devices.
Transmit Only
  When set to this value, the interface transmits LLDP messages to neighbor devices but does not receive LLDP messages from neighbor devices.
Receive Only
  When set to this value, the interface receives LLDP messages from neighbor devices but does not transmit LLDP messages to neighbor devices.
Transmit and Receive
  When set to this value, the interface transmits LLDP messages to and receives LLDP messages from neighboring devices.

In addition to the LLDP-related settings that you can configure per interface, you can configure some global LLDP settings that apply to all interfaces on the system. Moreover, you can view statistics pertaining to any neighbor devices that have transmitted LLDP messages to the local BIG-IP® system.

LLDP Attributes

The LLDP Attributes setting is one of two settings related to LLDP that you can configure for a specific interface. You use this interface setting to specify the content of an LLDP message being sent or received. Each LLDP attribute that you specify with this setting is optional and is in the form of Type, Length, Value (TLV).
About the forwarding mode

Each physical interface on the BIG-IP® system has a forwarding mode that you can set. The Forwarding Mode setting on an interface has these values to choose from:

Forwarding
  This is the normal, default mode of operation of an interface on a BIG-IP system. In this mode, the BIG-IP forwards data received on the interface according to its internal instructions.
Passive
  The BIG-IP interface accepts client or server traffic that is mirrored from another network device and passes it through the Traffic Management Microkernel (TMM) for processing. However, the system never forwards the traffic out of the BIG-IP system. Instead, the BIG-IP system drops the traffic, often after gathering analytics and logging data and sending it to an analytics/logging server. This mode is sometimes referred to as SPAN mode.
Virtual Wire
  The interface is part of a virtual wire. A virtual wire logically connects two interfaces or trunks, in any combination, to each other, enabling the BIG-IP system to forward traffic from one interface to the other, in either direction. This type of configuration is typically used for security monitoring, where the BIG-IP system inspects ingress packets without modifying them in any way.

About Switch Port Analyzer (SPAN) interfaces

A Switch Port Analyzer port, or SPAN port, is an interface that operates in passive mode. You can deploy a BIG-IP device operating in Passive mode on the network non-intrusively to collect traffic data. You can then use the collected data for traffic analysis and visibility. This can be used in different applications.
These are some of the reasons for setting a BIG-IP interface to Passive mode:
- To collect HTTP AVR analytics
- To detect DDoS attacks
- To collect application analytics along with subscriber-awareness made available by PEM
- To use firewall services that report on possible infringements
- To analyze traffic behavior

About interface mirroring

For reliability reasons, you can configure a feature known as interface mirroring. When you configure interface mirroring, you cause the BIG-IP® system to copy the traffic on one or more interfaces to another interface that you specify. By default, the interface mirroring feature is disabled.

Neighbor settings

When a BIG-IP® system interface receives LLDP messages from neighbor devices, the BIG-IP system displays chassis, port, and system information about the content of those messages. Specifically, the system displays values for the standard TLVs for each neighbor. These TLVs are:

Chassis ID
  Identifies the chassis containing the IEEE 802 LAN station associated with the transmitting LLDP agent.
Port ID
  Identifies the port component of the media service access point (MSAP) identifier associated with the transmitting LLDP agent.
Port description
  An alpha-numeric string that describes the interface.
System name
  An alpha-numeric string that indicates the administratively-assigned name of the neighbor device.
System description
  An alpha-numeric string that is the textual description of the network entity. The system description should include the full name and version identification of the hardware type, software operating system, and networking software of the neighbor device.
System capabilities
  The primary functions of the system and whether these primary functions are enabled.
Management address
  An address associated with the local LLDP agent used to reach higher layer entities. This TLV might also include the system interface number that is associated with the management address, if known.
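The LLDPDU format discussed under "About link layer discovery protocol" and the neighbor TLVs listed above, decoded in an added example that is not part of the F5 guide. It follows the IEEE 802.1AB TLV framing (7-bit type, 9-bit length, value); the sample frame, its MAC address, names and the 192.0.2.10 management address are constructed placeholders.

```python
"""Decode an LLDP Data Unit (LLDPDU) into the neighbor fields the guide lists.

Added example, not code from the F5 guide. TLV framing follows IEEE 802.1AB:
a 7-bit type and a 9-bit length packed into two bytes, then the value. The
sample frame is constructed here; its MAC address, names and 192.0.2.10 are
placeholders.
"""
import struct

# Basic TLV types defined by IEEE 802.1AB (the "standard TLVs" in the guide).
TLV_NAMES = {
    0: "End of LLDPDU", 1: "Chassis ID", 2: "Port ID", 3: "Time To Live",
    4: "Port description", 5: "System name", 6: "System description",
    7: "System capabilities", 8: "Management address",
}
# System capabilities bitmap, least significant bit first.
CAPABILITY_BITS = {0x01: "other", 0x02: "repeater", 0x04: "bridge",
                   0x08: "wlan-ap", 0x10: "router", 0x20: "telephone",
                   0x40: "docsis", 0x80: "station"}


def encode_tlv(tlv_type: int, value: bytes) -> bytes:
    """Build one TLV: 7-bit type in the high bits, 9-bit length below it."""
    if not 0 <= tlv_type < 128 or len(value) > 511:
        raise ValueError("TLV type or length out of range")
    return struct.pack("!H", (tlv_type << 9) | len(value)) + value


def iter_tlvs(pdu: bytes):
    """Yield (type, value) pairs; reject truncated TLVs and a missing End TLV."""
    offset = 0
    while True:
        if offset + 2 > len(pdu):
            raise ValueError("LLDPDU ended without an End of LLDPDU TLV")
        (header,) = struct.unpack_from("!H", pdu, offset)
        tlv_type, length = header >> 9, header & 0x1FF
        offset += 2
        if offset + length > len(pdu):
            raise ValueError(f"TLV type {tlv_type} length {length} overruns the frame")
        yield tlv_type, pdu[offset:offset + length]
        offset += length
        if tlv_type == 0:
            return


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def decode_lldpdu(pdu: bytes) -> dict:
    """Return the chassis, port and system fields a neighbor advertises."""
    info = {}
    for tlv_type, value in iter_tlvs(pdu):
        if tlv_type == 1:      # Chassis ID: subtype byte, 4 = MAC address
            info["chassis_id"] = _mac(value[1:]) if value[0] == 4 else value[1:].hex()
        elif tlv_type == 2:    # Port ID: subtype byte, 5 = interface name
            info["port_id"] = value[1:].decode() if value[0] == 5 else value[1:].hex()
        elif tlv_type == 3:
            (info["ttl"],) = struct.unpack("!H", value)
        elif tlv_type in (4, 5, 6):
            key = {4: "port_description", 5: "system_name", 6: "system_description"}
            info[key[tlv_type]] = value.decode()
        elif tlv_type == 7:    # supported and enabled capability bitmaps
            supported, enabled = struct.unpack("!HH", value)
            info["capabilities"] = [n for b, n in CAPABILITY_BITS.items() if supported & b]
            info["enabled_capabilities"] = [n for b, n in CAPABILITY_BITS.items() if enabled & b]
        elif tlv_type == 8:    # management address; only the IPv4 subtype is decoded here
            addr_len = value[0]
            if addr_len == 5 and value[1] == 1:
                info["management_address"] = ".".join(str(b) for b in value[2:6])
                if value[6] == 2:   # interface numbering subtype 2 = ifIndex
                    (info["management_ifindex"],) = struct.unpack("!I", value[7:11])
    return info


def sample_lldpdu() -> bytes:
    """A constructed LLDPDU such as a BIG-IP interface might transmit."""
    mgmt = (bytes([5, 1]) + bytes([192, 0, 2, 10])      # address length, IPv4 subtype, address
            + bytes([2]) + struct.pack("!I", 7)           # ifIndex numbering, interface number
            + b"\x00")                                    # no OID
    return b"".join([
        encode_tlv(1, b"\x04" + bytes.fromhex("0201c0a80001")),  # chassis MAC (made up)
        encode_tlv(2, b"\x05" + b"1.1"),                          # port name in s.p form
        encode_tlv(3, struct.pack("!H", 120)),
        encode_tlv(4, b"external"),
        encode_tlv(5, b"bigip-example"),
        encode_tlv(6, b"BIG-IP TMOS 13.1"),
        encode_tlv(7, struct.pack("!HH", 0x0014, 0x0010)),        # bridge+router; router enabled
        encode_tlv(8, mgmt),
        encode_tlv(0, b""),
    ])


if __name__ == "__main__":
    for field, val in decode_lldpdu(sample_lldpdu()).items():
        print(f"{field}: {val}")
```

The decoder refuses a frame whose TLV length runs past the end of the data or that lacks the End of LLDPDU TLV, which is the check a receiver needs before trusting what a neighbor advertises.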
Configuring settings for an interface

You can use this procedure to configure the settings for an individual interface on the BIG-IP® system.

1. On the Main tab, click Network > Interfaces > Interface List. The Interface List screen displays the list of interfaces on the system.
2. In the Name column, click an interface number. This displays the properties of the interface.
3. For the State setting, verify that the interface is set to Enabled.
4. From the LLDP list, select a value.
5. For the LLDP Attributes setting, verify that the list of attributes in the Send field includes all Type Length Values (TLVs) that you want the BIG-IP system interface to send to neighbor devices.
6. From the Forwarding Mode list, select one of these options:
   Forwarding
     Causes traffic on the interface to behave normally, where the BIG-IP system operates on the traffic and forwards it to an external destination such as an application server pool. Forwarding is the default value on an interface.
   Passive
     Allows the interface to receive traffic being mirrored from another interface, for the purpose of analysis and visibility. Traffic received on a SPAN port does not exit the BIG-IP system.
   Virtual Wire
     Allows two interfaces or trunks, in any combination, to connect with each other, enabling the BIG-IP system to forward traffic from one interface to the other at Layer 2, in either direction. This type of configuration is typically used for security monitoring, where the BIG-IP system inspects ingress packets without modifying them in any way.
7. Click the Update button.

After you perform this task, the interface is configured to send the specified LLDP information to neighbor devices.

Related configuration tasks

After you have configured the interfaces on the BIG-IP® system, one of the primary tasks you perform is to assign those interfaces to the virtual LANs (VLANs) that you create.
A VLAN is a logical subset of hosts on a local area network (LAN) that reside in the same IP address space. When you assign multiple interfaces to a single VLAN, traffic destined for a host in that VLAN can travel through any one of these interfaces to reach its destination. Conversely, when you assign a single interface to multiple VLANs, the BIG-IP system can use that single interface for any traffic that is intended for hosts in those VLANs.

Another powerful feature that you can use for BIG-IP system interfaces is trunking, with link aggregation. A trunk is an object that logically groups physical interfaces together to increase bandwidth. Link aggregation, through the use of the industry-standard Link Aggregation Control Protocol (LACP), provides regular monitoring of link status, as well as failover if an interface becomes unavailable.

Finally, you can configure the BIG-IP system interfaces to work with one of the spanning tree protocols (STP, RSTP, and MSTP). Spanning tree protocols reduce traffic on your internal network by blocking duplicate routes to prevent bridging loops.

Trunks

Introduction to trunks

A trunk is a logical grouping of interfaces on the BIG-IP® system. When you create a trunk, this logical group of interfaces functions as a single interface. The BIG-IP system uses a trunk to distribute traffic across multiple links, in a process known as link aggregation. With link aggregation, a trunk increases the bandwidth of a link by adding the bandwidth of multiple links together. For example, four fast Ethernet (100 Mbps) links, if aggregated, create a single 400 Mbps link.

The purpose of a trunk is two-fold:
- To increase bandwidth without upgrading hardware
- To provide link failover if a member link becomes unavailable

You can use trunks to transmit traffic from a BIG-IP system to another vendor switch. Two systems that use trunks to exchange frames are known as peer systems.
The maximum number of interfaces that you can configure in a trunk depends on your specific BIG-IP platform and software version. For optimal performance, you should aggregate links in powers of two.

Important: For more information on trunks and the maximum number of interfaces allowed for your platform, see article K1689, Overview of trunks on BIG-IP platforms, at http://support.f5.com.

Creating a trunk

You create a trunk on the BIG-IP® system so that the system can then aggregate the links to enhance bandwidth and ensure link availability. The maximum number of interfaces that you can configure in a trunk is 16 or 32, depending on your specific BIG-IP platform and software version. For optimal performance, you should aggregate links in powers of two.

1. On the Main tab, click Network > Trunks. The Trunk List screen opens.
2. Click Create.
3. Name the trunk.
4. For the Interfaces setting, in the Available field, select an interface, and using the Move button, move the interface to the Members field. Repeat this action for each interface that you want to include in the trunk. Trunk members must be untagged interfaces and cannot belong to another trunk. Therefore, only untagged interfaces that do not belong to another trunk appear in the Available list.
5. Select the LACP check box.
6. Click Finished.

After you create a trunk, the BIG-IP system aggregates the links to enhance bandwidth and prevent interruption in service.

How do trunks operate?

In a typical configuration where trunks are configured, the member links of the trunk are connected through Ethernet cables to corresponding links on a peer system. This figure shows an example of a typical trunk configuration with two peers and three member links on each peer:

Figure 2: Example of a trunk configured for two switches

A primary goal of the trunks feature is to ensure that frames exchanged between peer systems are never sent out of order or duplicated on the receiving end.
The BIG-IP® system is able to maintain frame order by using the source and destination addresses in each frame to calculate a hash value, and then transmitting all frames with that hash value on the same member link.

The BIG-IP system automatically assigns a unique MAC address to a trunk. However, by default, the MAC address that the system uses as the source and destination address for frames that the system transmits and receives (respectively), is the MAC address of the lowest-numbered interface of the trunk.

The BIG-IP system also uses the lowest-numbered interface of a trunk as a reference link. The BIG-IP system uses the reference link to take certain aggregation actions, such as implementing the automatic link selection policy. For frames coming into the reference link, the BIG-IP system load balances the frames across all member links that the BIG-IP system knows to be available. For frames going from any link in the trunk to a destination host, the BIG-IP system treats those frames as if they came from the reference link.

Finally, the BIG-IP system uses the MAC address of an individual member link as the source address for any LACP control frames.

Overview of LACP

A key aspect of trunks is Link Aggregation Control Protocol, or LACP. Defined by IEEE standard 802.3ad, LACP is a protocol that detects error conditions on member links and redistributes traffic to other member links, thus preventing any loss of traffic on the failed link.

On a BIG-IP® system, LACP is an optional feature that you can configure. You can also customize LACP behavior. For example, you can specify the way that LACP communicates its control messages from the BIG-IP system to a peer system. You can also specify the rate at which the peer system sends LACP packets to the BIG-IP system. If you want to affect the way that the BIG-IP system chooses links for link aggregation, you can specify a link control policy.
Interfaces for a trunk

Using the Interfaces setting, you specify the interfaces that you want the BIG-IP® system to use as member links for the trunk. Once you have created the trunk, the BIG-IP system uses these interfaces to perform link aggregation.

Tip: To optimize bandwidth utilization, F5 Networks® recommends that, if possible, the number of links in the trunk be a power of 2 (for example, 2, 4, or 8). This is due to the frame balancing algorithms that the system uses to map data streams to links. Regardless of the hashing algorithm, a trunk that has 2, 4, or 8 links prevents the possibility of skewing, which can adversely affect data throughput.

The maximum number of interfaces that you can configure in a trunk is 16 or 32, depending on your specific BIG-IP platform and software version.

The BIG-IP system uses the lowest-numbered interface as the reference link. The system uses the reference link to negotiate links for aggregation.

After creating the trunk, you assign the trunk to one or more VLANs, using the same VLAN screen that you normally use to assign an individual interface to a VLAN.

About Spanning Tree and trunk interfaces

If you are using one of the spanning tree protocols (STP, RSTP, or MSTP), the BIG-IP system sends and receives spanning tree protocol packets on a trunk, rather than on individual member links. Likewise, use of a spanning tree protocol to enable or disable learning or forwarding on a trunk operates on all member links together, as a single unit.

About tagging for trunk interfaces

Any interface that you assign to a trunk must be an untagged interface. Furthermore, you can assign an interface to one trunk only; that is, you cannot assign the same interface to multiple trunks. Because of these restrictions, the only interfaces that appear in the Interfaces list in the BIG-IP® Configuration utility are untagged interfaces that are not assigned to another trunk.
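The hash-based link choice described under "How do trunks operate?", the power-of-2 tip above, and the redistribution of a failed link's traffic that the LACP sections describe, worked through in a small model. This is an added example, not F5's algorithm: the guide does not say how many hash buckets TMOS uses or how they map to links, so the 8-bucket hash and the bucket-to-link dealing are assumptions, and the MAC addresses are constructed.

```python
"""Toy model of how a trunk spreads frames over member links (added example).

This is not F5's algorithm. The guide states only that a trunk hashes each
frame's source and destination addresses and keeps every frame with the same
hash on one member link, that LACP moves a failed link's traffic to the
remaining links, and that 2, 4 or 8 links avoid skew. This model assumes the
hash is reduced to 8 buckets (a guess, not a documented value) that are dealt
onto the member links; all MAC addresses below are constructed.
"""
import hashlib
from collections import Counter

HASH_BUCKETS = 8  # assumed bucket count


def frame_bucket(src_mac: str, dst_mac: str) -> int:
    """Deterministic bucket for an address pair, so one flow never changes link."""
    key = f"{src_mac.lower()}>{dst_mac.lower()}".encode()
    return hashlib.sha256(key).digest()[0] % HASH_BUCKETS


def link_for_bucket(bucket: int, n_links: int, failed: frozenset = frozenset()) -> int:
    """Member link (0-based) for a bucket. Buckets of a failed link are re-dealt
    over the surviving links; buckets on healthy links stay where they were."""
    link = bucket % n_links
    if link in failed:
        remaining = [l for l in range(n_links) if l not in failed]
        link = remaining[bucket % len(remaining)]
    return link


def bucket_shares(n_links: int, failed: frozenset = frozenset()) -> dict:
    """How many of the hash buckets each live link carries."""
    counts = Counter(link_for_bucket(b, n_links, failed) for b in range(HASH_BUCKETS))
    return {link: counts[link] for link in range(n_links) if link not in failed}


def is_skewed(n_links: int) -> bool:
    """True when one link carries more buckets than another. With 8 buckets this
    is false only when n_links divides 8, i.e. for 1, 2, 4 or 8 links."""
    shares = bucket_shares(n_links).values()
    return max(shares) != min(shares)


def transmit(frames, n_links: int, failed: frozenset = frozenset()) -> dict:
    """Per-link transmit queues of (src, dst, sequence number)."""
    queues = {link: [] for link in range(n_links) if link not in failed}
    for seq, (src, dst) in enumerate(frames):
        link = link_for_bucket(frame_bucket(src, dst), n_links, failed)
        queues[link].append((src, dst, seq))
    return queues


# Constructed sample traffic: three address pairs (flows) interleaved.
SAMPLE_FRAMES = [
    ("02:00:00:00:00:01", "02:00:00:00:00:02"),
    ("02:00:00:00:00:03", "02:00:00:00:00:04"),
    ("02:00:00:00:00:01", "02:00:00:00:00:02"),
    ("02:00:00:00:00:05", "02:00:00:00:00:06"),
    ("02:00:00:00:00:03", "02:00:00:00:00:04"),
    ("02:00:00:00:00:01", "02:00:00:00:00:02"),
]


def flows_stay_on_one_link(frames, n_links: int, failed: frozenset = frozenset()) -> bool:
    """Check the ordering guarantee: each address pair appears on exactly one link."""
    seen = {}
    for link, queue in transmit(frames, n_links, failed).items():
        for src, dst, _ in queue:
            if seen.setdefault((src, dst), link) != link:
                return False
    return True


if __name__ == "__main__":
    for n in (2, 3, 4, 6, 8):
        print(n, "links:", bucket_shares(n), "skewed" if is_skewed(n) else "even")
    print("4 links, link 1 failed:", bucket_shares(4, frozenset({1})))
```

With 3 or 6 links one link receives half again as many buckets as another, which is the skew the tip warns about; with 2, 4 or 8 links every link gets the same share until a member fails.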
Therefore, before creating a trunk and assigning any interfaces to the trunk, you should verify that each interface for the trunk is an untagged interface.

About trunk configuration

For VIPRION® platforms, F5 Networks® strongly recommends that you create a trunk for each of the BIG-IP® system internal and external networks, and that each trunk contains interfaces from all slots in the cluster. For example, a trunk for the external network should contain the external interfaces of all blades in the cluster. Configuring a trunk in this way prevents interruption in service if a blade in the cluster becomes unavailable and minimizes use of the high-speed backplane when processing traffic. Also, you should connect the links in a trunk to a vendor switch on the relevant network.

Important: When processing egress packets, including those of vCMP® guests, the BIG-IP system uses trunk member interfaces on local blades whenever possible. This behavior ensures efficient use of the backplane, thereby conserving backplane bandwidth for processing ingress packets.

About the Ether Type property

The Ether Type property appears in the BIG-IP® Configuration utility only when the system includes ePVA hardware support. An ether type is a two-octet field in an Ethernet frame, used to indicate the protocol encapsulated in the payload. The BIG-IP system uses the value of this property when an interface or trunk is associated with an IEEE 802.1QinQ (double tagged) VLAN. By default, the system sets this value to 0x8100.

About enabling LACP

As an option, you can enable LACP on a trunk. Containing a service called lacpd, LACP is an IEEE-defined protocol that exchanges control packets over member links. The purpose of LACP is to detect link error conditions such as faulty MAC devices and link loopbacks.
If LACP detects an error on a member link, the BIG-IP® system removes the member link from the link aggregation and redistributes the traffic for that link to the remaining links of the trunk. In this way, no traffic destined for the removed link is lost. LACP then continues to monitor the member links to ensure that aggregation of those links remains valid.

By default, the LACP feature is disabled, to ensure backward compatibility with previous versions of the BIG-IP system. If you create a trunk and do not enable the LACP feature, the BIG-IP system does not detect link error conditions, and therefore cannot remove the member link from link aggregation. The result is that the system cannot redistribute the traffic destined for that link to the remaining links in the trunk, so traffic hashed onto the failed member link is lost.

Important: To use LACP successfully, you must enable LACP on both peer systems.

LACP mode

The LACP Mode setting appears on the Trunks screen only when you select the LACP setting. You use the LACP Mode setting to specify the method that LACP uses to send control packets to the peer system. The two possible modes are:

Active mode
You specify Active mode if you want the system to periodically send control packets, regardless of whether the peer system has issued a request. This is the default setting.

Passive mode
You specify Passive mode if you want the system to send control packets only when the peer system issues a request, that is, when the LACP mode of the peer system is set to Active.

If only one of the peer systems is set to Active mode, control packets are still exchanged in both directions, and the aggregation behaves as though both systems were Active. Also, whenever you change the LACP mode on a trunk, LACP renegotiates the links that it uses for aggregation on that trunk.

Tip: We recommend that you set the LACP mode to Passive on at most one of the two peer systems. If you set both systems to Passive mode, LACP does not send control packets, and the trunk never negotiates an aggregation.
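The mode and timeout rules above, as an added example that is not part of this guide and not F5 code: a small model of how lacpd's decisions follow from the LACP mode on each peer and from the timeout setting (the Short and Long values, one control packet per second or per 30 seconds and removal after three unanswered packets, are described in the next section). The MemberLink structure, the timestamp bookkeeping and the sample link set are assumptions made for the model.

```python
"""LACP mode negotiation and member-link timeout on a trunk.

Added example, not F5 code. Rules modelled from this section: control
packets flow only if at least one peer is Active; a member link whose peer
has not answered three consecutive control packets is removed from the
aggregation (3 s with the Short timeout, 90 s with Long); with LACP
disabled a silent peer is never detected.
"""
from dataclasses import dataclass

SEND_INTERVAL_SECONDS = {"short": 1, "long": 30}
UNANSWERED_PDUS_BEFORE_REMOVAL = 3


def lacpdus_exchanged(local_mode, peer_mode):
    """Control packets are exchanged only when at least one side is Active.
    Passive/Passive sends nothing, so nothing can be negotiated."""
    modes = {local_mode.lower(), peer_mode.lower()}
    if not modes <= {"active", "passive"}:
        raise ValueError(f"unknown LACP mode in {modes}")
    return "active" in modes


def removal_deadline_seconds(timeout):
    """Seconds of peer silence after which a link is removed: 3 (Short), 90 (Long)."""
    return SEND_INTERVAL_SECONDS[timeout.lower()] * UNANSWERED_PDUS_BEFORE_REMOVAL


@dataclass
class MemberLink:           # assumed bookkeeping structure, not an F5 object
    name: str
    last_pdu_at: float      # time (s) the last LACPDU was received from the peer


def working_members(links, now, timeout="long", local_mode="active",
                    peer_mode="active", lacp_enabled=True):
    """Names of the member links still in the aggregation at time `now`.

    With LACP disabled the system has no way to notice a silent peer, so every
    configured link stays in the aggregation and frames hashed to a dead link
    are lost: the failure mode this section warns about.
    """
    if not lacp_enabled:
        return [link.name for link in links]
    if not lacpdus_exchanged(local_mode, peer_mode):
        return []           # both Passive: no LACPDUs, no aggregation
    deadline = removal_deadline_seconds(timeout)
    return [link.name for link in links if now - link.last_pdu_at < deadline]


# Constructed sample: three links; the peer on 1.3 went silent at t = 95 s.
SAMPLE_LINKS = [MemberLink("1.1", 100.0), MemberLink("1.2", 100.0),
                MemberLink("1.3", 95.0)]

if __name__ == "__main__":
    for timeout in ("short", "long"):
        print(timeout, working_members(SAMPLE_LINKS, now=100.5, timeout=timeout))
    print("lacp disabled", working_members(SAMPLE_LINKS, now=100.5, lacp_enabled=False))
```

With the Short timeout the silent link 1.3 is out of the aggregation half a second into the sample; with Long it stays in for another 85 seconds, which is why Short is the usual choice where fast failover matters more than control-plane load.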
LACP timeout

The LACP Timeout setting appears on the Trunks screen only when you select the LACP setting. You use the LACP Timeout setting to indicate to the BIG-IP® system the interval in seconds at which the peer system should send control packets. The timeout value applies only when the LACP mode is set to Active on at least one of the peer systems. If both systems are set to Passive mode, LACP does not send control packets. If LACP sends three consecutive control packets without receiving a response from the peer system, LACP removes that member link from link aggregation. The two possible timeout values are:

Short
When you set the timeout value to Short, the peer system sends LACP control packets once every second. If this value is set to Short and LACP receives no peer response after sending three consecutive packets, LACP removes the link from aggregation in three seconds.

Long
When you set the timeout value to Long, the peer system sends LACP control packets once every 30 seconds. A timeout value of Long is the default setting. If set to Long and LACP receives no peer response after sending three consecutive packets, LACP removes the link from aggregation in ninety seconds.

Whenever you change the LACP timeout value on a trunk, LACP renegotiates the links that it uses for aggregation on that trunk.

Link selection policy

In order for the BIG-IP® system to aggregate links, the media speed and duplex mode of each link must be the same on both peer systems. Because media properties can change dynamically, the BIG-IP system monitors these properties regularly, and if it finds that the media properties of a link are mismatched on the peer systems, the BIG-IP system must determine which links are eligible for aggregation. The way the system determines eligible links depends on a link selection policy that you choose for the trunk.
When you create a trunk, you can choose one of two possible policy settings: Auto and Maximum Bandwidth.

Note: The link selection policy feature represents an F5 Networks® enhancement to the standard IEEE 802.3ad specification for LACP.

Automatic link selection

When you set the link selection policy to Auto (the default setting), the BIG-IP® system uses the lowest-numbered interface of the trunk as a reference link. (A reference link is a link that the BIG-IP system uses to make a link aggregation decision.) The system then aggregates any links that have the same media properties and are connected to the same peer as the reference link.

For example, suppose that you created a trunk to include interfaces 1.2 and 1.3, each with a media speed of 100 Mbps, and interface 1.4, with a different media speed of 1 Gbps. If you set the link selection policy to Auto, the BIG-IP system uses the lowest-numbered interface, 1.2, as the reference link. The reference link operates at a media speed of 100 Mbps, which means that the system aggregates all links with that media speed (interfaces 1.2 and 1.3). The media speed of interface 1.4 is different (1 Gbps), so that interface is not considered for link aggregation. Only interfaces 1.2 and 1.3 become working member links and start carrying traffic.

If the media speed of interface 1.4 changes to 100 Mbps, the system adds that interface to the aggregation. Conversely, if the media speed of interface 1.4 remains at 1 Gbps, and the speed of the reference link changes to 1 Gbps, then interfaces 1.2 and 1.4 become working members, and 1.3 is excluded from the aggregation and no longer carries traffic. Note that under Auto the reference link's properties decide membership, not total bandwidth: in the first case a single 1 Gbps link sits idle while two 100 Mbps links carry the traffic.

Maximum bandwidth link selection

When you set the link selection policy to Maximum Bandwidth, the BIG-IP® system aggregates the subset of member links that provide the maximum amount of bandwidth to the trunk.
If interfaces 1.2 and 1.3 each operate at a media speed of 100 Mbps, and interface 1.4 operates at a speed of 1 Gbps, then the system selects only interface 1.4 as a working member link, providing 1 Gbps of bandwidth to the trunk. If the speed of interface 1.4 drops to 10 Mbps, the system then aggregates links 1.2 and 1.3, to provide a total bandwidth to the trunk of 200 Mbps. The peer system detects any non-working member links and configures its aggregation accordingly.

Tip: To ensure that link aggregation operates properly, make sure that both peer systems agree on the link membership of their trunks.

Frame distribution hash

When frames are transmitted on a trunk, they are distributed across the working member links. The distribution function ensures that the frames belonging to a particular conversation are neither mis-ordered nor duplicated at the receiving end.

The BIG-IP® system distributes frames by calculating a hash value based on the source and destination addresses (or the destination address only) carried in the frame, and associating the hash value with a link. All frames with a particular hash value are transmitted on the same link, thereby maintaining frame order. Thus, the system uses the resulting hash to determine which interface to use for forwarding traffic.

The Frame Distribution Hash setting specifies the basis for the hash that the system uses as the frame distribution algorithm. The default value is Source/Destination IP address. Possible values for this setting are:

Source/Destination MAC address
This value specifies that the system bases the hash on the combined MAC addresses of the source and the destination.

Destination MAC address
This value specifies that the system bases the hash on the MAC address of the destination. Because every frame bound for a given next-hop router carries that router's MAC address, this basis concentrates all traffic through one gateway onto a single member link.

Source/Destination IP address
This value specifies that the system bases the hash on the combined IP addresses of the source and the destination.
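The two link selection policies and the frame distribution hash, as one added example that is not part of this guide and not F5 code. It reproduces every scenario in the Auto and Maximum Bandwidth sections above with interfaces 1.2, 1.3 and 1.4, then distributes constructed sample frames across the resulting working members under each hash basis, including the Destination MAC case where two conversations to the same gateway MAC land on one link. The Link and frame structures, the peer identity field and the hash function itself (SHA-256 over the address fields, reduced modulo the number of working links) are assumptions; the guide does not specify the platform's internal hash.

```python
"""Link selection policy and frame distribution hash for a trunk.

Added example, not F5 code. Models the Auto and Maximum Bandwidth link
selection policies and the three frame distribution hash bases described
in this section. The hash function is an assumption, not the platform's.
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Link:
    name: str               # BIG-IP interface name, e.g. "1.2"
    speed_mbps: int         # current media speed
    duplex: str = "full"
    peer: str = "switch-A"  # assumed: identity of the peer the link connects to


def _ifnum(name):
    """Sort key so that 1.10 sorts after 1.2 (numeric, not lexical)."""
    return tuple(int(part) for part in name.split("."))


def _media(link):
    return (link.speed_mbps, link.duplex, link.peer)


def select_links(links, policy="auto"):
    """Working member links under the chosen link selection policy.

    auto: the lowest-numbered interface is the reference link; every link
          with the same media properties and peer as the reference joins.
    maximum-bandwidth: the group of media-identical links with the largest
          aggregate bandwidth joins.
    """
    if not links:
        return []
    if policy == "auto":
        ref = min(links, key=lambda l: _ifnum(l.name))
        chosen = [l for l in links if _media(l) == _media(ref)]
    elif policy == "maximum-bandwidth":
        groups = {}
        for l in links:
            groups.setdefault(_media(l), []).append(l)
        chosen = max(groups.values(), key=lambda g: sum(l.speed_mbps for l in g))
    else:
        raise ValueError(f"unknown link selection policy {policy!r}")
    return sorted(chosen, key=lambda l: _ifnum(l.name))


def names(links):
    return [l.name for l in links]


def hash_key(frame, basis):
    """Fields the distribution hash is computed over, per hash basis."""
    if basis == "src-dst-mac":
        return frame["src_mac"] + "|" + frame["dst_mac"]
    if basis == "dst-mac":
        return frame["dst_mac"]
    if basis == "src-dst-ip":
        return frame["src_ip"] + "|" + frame["dst_ip"]
    raise ValueError(f"unknown distribution hash basis {basis!r}")


def choose_link(frame, working, basis="src-dst-ip"):
    """Map a frame to one working member link. Same key -> same link, so a
    conversation is never split across links and stays in order."""
    if not working:
        raise RuntimeError("trunk has no working member links")
    digest = hashlib.sha256(hash_key(frame, basis).encode()).digest()
    return working[int.from_bytes(digest[:4], "big") % len(working)]


def distribute(frames, working, basis="src-dst-ip"):
    """(frame id, link name) for each frame, in transmit order."""
    return [(f["id"], choose_link(f, working, basis).name) for f in frames]


def links_used_by_conversation(frames, working, basis="src-dst-ip"):
    """Set of links each (src_ip, dst_ip) conversation used; a correct
    distribution function yields exactly one link per conversation."""
    used = {}
    for f, (_, link) in zip(frames, distribute(frames, working, basis)):
        used.setdefault((f["src_ip"], f["dst_ip"]), set()).add(link)
    return used


# Constructed samples reproducing this section's scenario: two 100 Mbps
# links and one 1 Gbps link; two conversations to the same gateway MAC.
SAMPLE_LINKS = [Link("1.2", 100), Link("1.3", 100), Link("1.4", 1000)]
SAMPLE_FRAMES = [
    {"id": i, "src_mac": "00:00:5e:00:53:01", "dst_mac": "00:00:5e:00:53:ff",
     "src_ip": "10.0.0.1", "dst_ip": "10.0.0.2"} for i in range(1, 4)
] + [
    {"id": i, "src_mac": "00:00:5e:00:53:02", "dst_mac": "00:00:5e:00:53:ff",
     "src_ip": "10.0.0.3", "dst_ip": "10.0.0.2"} for i in range(4, 7)
]

if __name__ == "__main__":
    for policy in ("auto", "maximum-bandwidth"):
        print(policy, names(select_links(SAMPLE_LINKS, policy)))
    working = select_links(SAMPLE_LINKS, "auto")
    for basis in ("src-dst-ip", "src-dst-mac", "dst-mac"):
        print(basis, distribute(SAMPLE_FRAMES, working, basis))
```

Running it shows Auto choosing 1.2 and 1.3 while Maximum Bandwidth chooses 1.4 alone, and under the dst-mac basis both conversations share one link because they share a destination MAC.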
VLANs, VLAN Groups, and VXLAN

About VLANs

A VLAN is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. Grouping hosts together in a VLAN has distinct advantages. For example, with VLANs, you can:

Reduce the size of broadcast domains, thereby enhancing overall network performance.
Reduce system and network maintenance tasks substantially. Functionally-related hosts no longer need to physically reside together to achieve optimal network performance.
Enhance security on your network by segmenting hosts that must transmit sensitive data. A VLAN by itself only separates broadcast domains; the access control comes from the policy enforced by whatever routes between the VLANs.

You can create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP® system interface is logically a member of the VLAN or VLANs to which that interface belongs.

Default VLAN configuration

By default, the BIG-IP® system includes VLANs named internal and external. When you initially ran the Setup utility, you assigned the following to each of these VLANs:

A static and a floating self IP address
A VLAN tag
One or more BIG-IP system interfaces

A typical VLAN configuration is one in which the system has the two VLANs external and internal, and one or more BIG-IP system interfaces assigned to each VLAN. You then create a virtual server, and associate a default load balancing pool with that virtual server. This figure shows a typical configuration using the default VLANs external and internal.

Figure 3: A typical configuration using the default VLANs

Note: VLANs internal and external reside in partition Common.

About VLANs and interfaces

VLANs are directly associated with the physical interfaces on the BIG-IP® system.

Interface assignments

For each VLAN that you create, you must assign one or more BIG-IP® system interfaces to that VLAN. When you assign an interface to a VLAN, you indirectly control the hosts from which the BIG-IP system interface sends or receives messages.
Tip: You can assign not only individual interfaces to the VLAN, but also trunks.

For example, if you assign interface 1.11 to VLAN A, and you then associate VLAN A with a virtual server, then the virtual server sends its outgoing traffic through interface 1.11, to a destination host in VLAN A. Similarly, when a destination host sends a message to the BIG-IP system, the host's VLAN membership determines the BIG-IP system interface that should receive the incoming traffic.

Each VLAN has a MAC address. The MAC address of a VLAN is the MAC address of the lowest-numbered interface assigned to that VLAN.

About untagged interfaces

You can create a VLAN and assign interfaces to the VLAN as untagged interfaces. When you assign interfaces as untagged interfaces, you cannot associate other VLANs with those interfaces. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. If you want to give an interface the ability to send and receive traffic for multiple VLANs, you add the same interface to each VLAN as a tagged interface.

About tagged interfaces

You can create a VLAN and assign interfaces to the VLAN as single- or double-tagged interfaces. When you assign interfaces as tagged interfaces, you can associate multiple VLANs with those interfaces.

A VLAN tag is a unique ID number that you assign to a VLAN, to identify the VLAN to which each packet belongs. If you do not explicitly assign a tag to a VLAN, the BIG-IP® system assigns a tag automatically. The value of a VLAN tag can be between 1 and 4094. Once you or the BIG-IP system assigns a tag to a VLAN, any frame sent from a host in that VLAN carries this VLAN tag in its Ethernet header.

Important: If a device connected to a BIG-IP system interface is another switch, the VLAN tag that you assign to the VLAN on the BIG-IP system interface must match the VLAN tag assigned to the VLAN on the interface of the other switch.
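The untagged and tagged interface rules above, together with the Ether Type property from the Trunks chapter, as an added example that is not part of this guide and not F5 code (nor the BIG-IP forwarding path). It builds and parses IEEE 802.1Q single-tagged and 802.1QinQ double-tagged frames, then decides which VLAN an interface assigns a received frame to: an untagged interface accepts only untagged frames for its one VLAN, a tagged interface accepts a frame only when its outer VLAN ID matches one of its VLANs, and a frame whose tag matches nothing is dropped (the tag-must-match-the-peer-switch rule). The outer_tpid parameter stands in for the Ether Type property (0x8100 is the page's default; 0x88A8 is the IEEE 802.1ad service-tag value). The interface description dict, the MAC addresses from the documentation range and the sample frames are constructed for the example.

```python
"""802.1Q single-tagged and 802.1QinQ double-tagged frame handling.

Added example, not F5 code. Builds and parses tagged Ethernet frames and
applies this section's ingress rules. `outer_tpid` plays the role of the
Ether Type property for the outer tag of a double-tagged VLAN.
"""
import struct

TPID_8021Q = 0x8100     # standard single-tag EtherType (the page's default)
TPID_8021AD = 0x88A8    # IEEE 802.1ad service-tag EtherType
ETHERTYPE_IPV4 = 0x0800


def _mac(text):
    return bytes.fromhex(text.replace(":", ""))


def build_frame(dst, src, ethertype, payload, tags=(), outer_tpid=TPID_8021Q):
    """Frame with 0, 1 or 2 VLAN tags given as (pcp, vid), outermost first.
    In a double-tagged frame the outer tag uses outer_tpid, the inner 0x8100."""
    if len(tags) > 2:
        raise ValueError("at most two VLAN tags")
    out = _mac(dst) + _mac(src)
    for i, (pcp, vid) in enumerate(tags):
        if not 1 <= vid <= 4094:
            raise ValueError(f"VLAN ID {vid} outside 1..4094")
        tpid = outer_tpid if (i == 0 and len(tags) == 2) else TPID_8021Q
        out += struct.pack("!HH", tpid, (pcp << 13) | vid)
    return out + struct.pack("!H", ethertype) + payload


def parse_frame(frame, outer_tpid=TPID_8021Q):
    """dst, src, tags (outermost first), payload EtherType and payload.
    A 16-bit value equal to outer_tpid or 0x8100 after the MACs is read as a
    tag; anything else is the payload EtherType. So with a mismatched Ether
    Type setting a double-tagged frame looks untagged with an odd EtherType."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    off, tags = 12, []
    while len(tags) < 2 and len(frame) >= off + 4:
        tpid = struct.unpack_from("!H", frame, off)[0]
        if tpid not in (outer_tpid, TPID_8021Q):
            break
        tci = struct.unpack_from("!H", frame, off + 2)[0]
        tags.append({"tpid": tpid, "pcp": tci >> 13, "dei": (tci >> 12) & 1,
                     "vid": tci & 0x0FFF})
        off += 4
    if len(frame) < off + 2:
        raise ValueError("truncated frame")
    ethertype = struct.unpack_from("!H", frame, off)[0]
    return {"dst": frame[:6].hex(":"), "src": frame[6:12].hex(":"),
            "tags": tags, "ethertype": ethertype, "payload": frame[off + 2:]}


def classify_ingress(frame, iface, outer_tpid=TPID_8021Q):
    """VLAN name a received frame is assigned to on an interface, or None if
    the interface drops it. `iface` is a hypothetical description:
      {"untagged": "internal"}            one VLAN, untagged frames only
      {"tagged": {100: "cust-a", ...}}    VID -> VLAN name, tagged frames only
    """
    parsed = parse_frame(frame, outer_tpid)
    if "untagged" in iface:
        return iface["untagged"] if not parsed["tags"] else None
    if not parsed["tags"]:
        return None
    vid = parsed["tags"][0]["vid"]
    if vid in (0, 4095):     # priority-only tag and reserved VID: never a VLAN
        return None
    return iface["tagged"].get(vid)   # None when the tag matches no VLAN here


# Constructed sample frames (MACs from the 00:00:5E:00:53:xx documentation range).
PAYLOAD = b"\x45" + b"\x00" * 19     # stand-in for an IPv4 header
DST, SRC = "00:00:5e:00:53:01", "00:00:5e:00:53:02"
UNTAGGED = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD)
SINGLE_100 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, tags=[(0, 100)])
SINGLE_300 = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD, tags=[(0, 300)])
DOUBLE = build_frame(DST, SRC, ETHERTYPE_IPV4, PAYLOAD,
                     tags=[(3, 4000), (0, 100)], outer_tpid=TPID_8021AD)

UNTAGGED_IFACE = {"untagged": "internal"}
TAGGED_IFACE = {"tagged": {100: "cust-a", 200: "cust-b"}}
PROVIDER_IFACE = {"tagged": {4000: "provider-qinq"}}

if __name__ == "__main__":
    print(classify_ingress(UNTAGGED, UNTAGGED_IFACE), classify_ingress(SINGLE_100, TAGGED_IFACE))
    print(parse_frame(DOUBLE, outer_tpid=TPID_8021AD)["tags"])
    print(parse_frame(DOUBLE)["tags"], hex(parse_frame(DOUBLE)["ethertype"]))
```

The last line of the demonstration is the practical point of the Ether Type property: parsed with the default 0x8100, the 802.1ad frame yields no tags and an EtherType of 0x88A8, so a tagged interface drops it even though the outer VID is configured.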
About single tagging

This figure shows the difference between using three untagged interfaces (where each interface must belong to a separate VLAN) versus one single-tagged interface (which belongs to multiple VLANs).

Figure 4: Solutions using untagged (left) and single-tagged interfaces (right)

The configuration on the left shows a BIG-IP system with three internal interfaces, each a separate, untagged interface. This is a typical solution for supporting three separate customer sites. In this scenario, each interface can accept traffic only from its own VLAN.

Conversely, the configuration on the right shows a BIG-IP system with one internal interface and an external switch. The switch places the internal interface on three separate VLANs. The interface is configured on each VLAN as a single-tagged interface. In this way, the single interface becomes a tagged member of all three VLANs, and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration on the left.

Important: If you are connecting another switch into a BIG-IP system interface, the VLAN tag that you assign to the VLAN on the BIG-IP system must match the VLAN tag on the interface of the other switch.

About double tagging

For BIG-IP® systems with ePVA hardware support, the system includes support for the IEEE 802.1QinQ standard. Known informally as Q-in-Q or double tagging, this standard provides a way for you to insert multiple VLAN tags into a single frame. This allows you to encapsulate single-tagged traffic from disparate customers with only one tag.

Double tagging expands the number of possible VLAN IDs in a network. With double tagging, the theoretical limitation in the number of VLAN IDs expands from 4096 to 4096*4096.

When you implement double tagging, you specify an outer tag, the service tag (S-tag), that encapsulates all of the single-tagged traffic. The customers' existing tags become the inner tags, or customer tags (C-tags), which serve to identify and segregate the traffic from those customers. A common use case is one in which an internet service provider creates a single VLAN within which multiple customers can retain their own VLANs without regard for overlapping VLAN IDs.

Moreover, you can use double-tagged VLANs within route domains or vCMP® guests. In the latter case, vCMP host administrators can create double-tagged VLANs and assign the VLANs to guests, just as they do with single-tagged VLANs. For a vCMP guest running an older version of the BIG-IP software, double-tagged VLANs are not available for assignment to the guest.

Note: On systems that support double tagging, if you configure a Fast L4 local traffic profile, you cannot enable Packet Velocity ASIC (PVA) hardware acceleration.

VLAN association with a self IP address

Every VLAN must have a static self IP address associated with it. The self IP address of a VLAN represents an address space, that is, the range of IP addresses pertaining to the hosts in that VLAN. When you ran the Setup utility earlier, you assigned one static self IP address to the VLAN external, and one static self IP address to the VLAN internal. When sending a request to a destination server, the BIG-IP system can use these self IP addresses to determine the specific VLAN that contains the destination server.

The self IP address with which you associate a VLAN should represent an address space that includes the IP addresses of the hosts that the VLAN contains. For example, if the address of one host is 11.0.0.1 and the address of the other host is 11.0.0.2, you could associate the VLAN with a self IP address of 11.0.0.100, with a netmask of 255.255.255.0.

VLAN assignment to ro
