Forum Discussion

nbhms_37291
Jul 19, 2018

Question regarding iApps, virtual servers, and VLAN tags

Have a pair of BIG-IP 2000s configured in an active/passive pair, primarily to handle Exchange.

When installed, they were installed with VLAN tagging with an eye to supporting future applications on different VLANs, but currently just have the Exchange iApp and the single Exchange VLAN tag configured.

The time has come to add another application, but before I proceed I've got a question on how the VLAN tagging is handled with the virtual servers (iApps).

When looking at the iApp config, I don't see a configuration tying the current Exchange iApp to a specific VLAN - there is an area to configure the VIP, and the load balanced servers, but no VLAN. The only place I see a VLAN config is on the virtual servers created by the iApp, and on the self-IP. The virtual servers are currently configured to "All VLANs and Tunnels".

Is the "All VLANs and Tunnels" going to cause a problem when I add a new VLAN tag and configure a new application and VIP? If I have multiple virtual servers and multiple VLANs, and all virtual servers are configured to use all VLANs, how is the traffic separated? Is the LTM using the "self-IP" VLAN assignment to determine what VLAN tag to send traffic out on for specific subnets, but would (hypothetically) accept traffic for any VIP on any VLAN?

Anyway, the primary question is: do I need to configure the Exchange virtual servers configured by the Exchange iApp to use specific VLANs before adding a new VLAN tag to the LTMs to prevent issues? Or is the LTM designed to have all virtual servers assigned to all VLANs and work out the traffic based on self-IP assignment?

Thanks.

2 Replies

  • Subnets for the VLANs are defined by your self IPs. So if the VIP shares the subnet with the self-IP you could say that it belongs to that VLAN (it will be in the broadcast domain); however, as you suspected "All VLANs and Tunnels" on the virtual server means that as long as there is some way for traffic to reach the VIP, it will accept connections on any VLAN even if the VIP is not on the same subnet as a self IP or any self IP. You can disable or enable specific VLANs if you want to isolate the VLANs that the VIP listens on. If not separated by the VLANs themselves, the virtual server traffic is separated by the most specific destination IP, port and source IP. Check out K14800: Order of precedence for virtual server matching (11.3.0 and later) for more info. So I don't foresee an issue with leaving the setting "All VLANs and Tunnels" on the virtual server. That's pretty common to leave at default, but you'll have to figure out what's best in your environment.


  • Hi

    Basically, VLAN tagging in essence allows you to set up or run multiple VLANs on a single interface on your F5 appliance, whether a virtual or physical platform.

    Your question regarding the iApp and VLAN tag: I am going to try to explain it so you can understand. The VLAN tag and the iApp are unrelated configuration items. Your iApp looks at your application configuration at a layer 7 level, and a couple of layers down (items such as TCP profiles). A VLAN tag and its corresponding self IP will be residing at the layer 3 and layer 2 level.

    To put this in context: as I am posting this answer to you, I am using my web browser as the application and HTTP as the means or container. My web browser does not care much what my IP address is or which VLAN my PC is configured to use; my browser requires a network to connect to a web server, but it does not really care what that network consists of.

    Your question regarding the VLAN/tunnel the virtual server should be listening on: as adb said, it's all about your environment, but it allows you as the administrator to lock down your virtual server to only listen for traffic in specific networks or VLANs/subnets.
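Both replies make the same point: the iApp does not pin a VIP to a VLAN; the virtual server's own VLAN setting does, and the self-IP subnets only tell you which VLAN's broadcast domain a VIP address sits in. The script below is an added example, not code from either poster or from F5. It parses a constructed, tmsh-style configuration dump (the SAMPLE_CONFIG names, addresses and VLAN names are made up) and reports, for each virtual server, which VLANs it will answer on and whether that matches the VLAN whose self-IP subnet contains the VIP. The mapping of `vlans-enabled` / `vlans-disabled` plus the `vlans { }` list to "All VLANs and Tunnels" or a restricted set is the assumed tmsh semantics described in the comments; confirm it against your own unit before relying on the verdicts.

```python
"""Audit which VLANs each BIG-IP virtual server listens on. Added example, not
code from the thread or from F5. SAMPLE_CONFIG is constructed in the style of
a tmsh / bigip.conf dump; names, addresses and VLANs are made up. Assumed tmsh
semantics (verify on your own box): vlans-enabled + list = only those VLANs;
vlans-disabled + list = every VLAN except those; vlans-disabled + empty list =
"All VLANs and Tunnels" (the GUI default). IPv4 host:port destinations only."""
import ipaddress
import re

SAMPLE_CONFIG = """\
net self /Common/exchange_self {
    address 10.10.20.5/24
    vlan /Common/exchange
}
net self /Common/intranet_self {
    address 10.10.30.5/24
    vlan /Common/intranet
}
ltm virtual /Common/exchange_owa_https {
    destination /Common/10.10.20.50:443
    vlans-disabled
}
ltm virtual /Common/intranet_https {
    destination /Common/10.10.30.50:443
    vlans {
        /Common/intranet
    }
    vlans-enabled
}
ltm virtual /Common/legacy_http {
    destination /Common/10.10.20.60:80
    vlans {
        /Common/exchange
    }
    vlans-disabled
}
"""
TOP_BLOCK = re.compile(r"^(ltm virtual|net self) (\S+) \{$")

def _blocks(text):
    """Yield (kind, name, stripped body) per top-level block; only a bare '}' ends one."""
    kind, body = None, []
    for line in text.splitlines():
        m = TOP_BLOCK.match(line)
        if m:
            kind, name, body = m.group(1), m.group(2), []
        elif line == "}" and kind is not None:
            yield kind, name, body
            kind = None
        elif kind is not None:
            body.append(line.strip())

def parse_config(text):
    """Return (virtual servers, self IPs) with just the fields the audit needs."""
    virtuals, selfs = [], []
    for kind, name, body in _blocks(text):
        if kind == "net self":  # sample self IPs carry only address and vlan
            kv = dict(l.split(None, 1) for l in body)
            selfs.append({"vlan": kv["vlan"],
                          "network": ipaddress.ip_interface(kv["address"]).network})
            continue
        vs = {"name": name, "address": None, "port": None, "vlans": [], "mode": "vlans-disabled"}
        in_vlans = False
        for line in body:
            if in_vlans:  # inside the "vlans { ... }" list
                in_vlans = line != "}"
                if in_vlans:
                    vs["vlans"].append(line)
            elif line.startswith("destination "):
                addr, port = line.split()[1].rsplit("/", 1)[1].rsplit(":", 1)
                vs["address"], vs["port"] = ipaddress.ip_address(addr), int(port)
            elif line == "vlans {":
                in_vlans = True
            elif line in ("vlans-enabled", "vlans-disabled"):
                vs["mode"] = line
        virtuals.append(vs)
    return virtuals, selfs

def audit(text):
    """Classify each virtual server's VLAN exposure against the self-IP subnets."""
    virtuals, selfs = parse_config(text)
    known = sorted({s["vlan"] for s in selfs})
    findings = []
    for vs in virtuals:
        # Home VLAN = the self IP whose subnet contains the VIP (its broadcast domain).
        home = next((s["vlan"] for s in selfs if vs["address"] in s["network"]), None)
        if vs["mode"] == "vlans-enabled":
            listens = sorted(vs["vlans"])
        else:
            listens = sorted(v for v in known if v not in vs["vlans"])
        if vs["mode"] == "vlans-disabled" and not vs["vlans"]:
            verdict = "ALL_VLANS"            # default: VIP answers on any VLAN
        elif home is None:
            verdict = "NO_HOME_SUBNET"       # reachable only via routing
        elif home in listens:
            verdict = "RESTRICTED_OK"
        else:
            verdict = "RESTRICTED_MISMATCH"  # not listening on its own subnet's VLAN
        findings.append({"virtual": vs["name"], "vip": f"{vs['address']}:{vs['port']}",
                         "home_vlan": home, "listens_on": listens, "verdict": verdict})
    return findings
```

Run `audit(SAMPLE_CONFIG)` and you get one finding per virtual server: the Exchange VIP comes back `ALL_VLANS` (the default the question describes, and the state both replies say is common and workable), the intranet VIP is `RESTRICTED_OK`, and the third one is `RESTRICTED_MISMATCH` because it is disabled on the very VLAN whose self-IP subnet contains its address. Against a real `tmsh list ltm virtual` / `tmsh list net self` dump the parser needs to tolerate the extra keys those commands print, but the classification logic is the part worth keeping when you decide which VIPs to lock down before adding the new VLAN.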