Forum Discussion

js_168189
Feb 02, 2017

L2-Forwarding not working

I have a customer that has an urgent request to implement GEO blocking. The only device on the network that supports this is the F5, which runs AFM currently for another traffic pattern. In an effort to implement GEO blocking for the customer, I was hoping to get traffic into and out of the F5 for the whole network in an L2 forwarding VIP on new interfaces and in a route domain to keep traffic separate from the current flow.

Here is the current setup. The current configuration is the firewall and the layer 3 switch/core are L2 adjacent via VLAN 999. Inet interface was created. VLAN 998 was bridged to VLAN 999 via a bridge group. The ASA port on the core switched to VLAN 998, making it layer 2 to the F5 to force the traffic through. Below is my configuration.

During the maintenance, the ASA could ping the F5 self IPs but I could not get traffic beyond the F5. I could not ping the switch. Am I doing something wrong below? The F5 inet interface is tagged correctly into the core.

 

net vlan vlan998 {
    description 998
    if-index 624
    interfaces {
        inet {
            tag-mode service
            tagged
        }
    }
    tag 998
}
net vlan vlan999 {
    description 999
    if-index 608
    interfaces {
        inet {
            tag-mode service
            tagged
        }
    }
    tag 999
}
net vlan-group vlan999-998 {
    description "999-998 for internet"
    if-index 640
    members {
        vlan998
        vlan999
    }
    mode transparent
}

 

net route-domain inet-rd {
    id 9
    vlans {
        vlan999
        vlan999-998
        vlan998
    }
}
net self vlan999-Floating {
    address 10.251.17.200%9/24
}
net self vlan999 {
    address 10.251.17.201%9/24
}

 

ltm virtual Inet-l2 {
    description "layer 2 forwarder for inet"
    destination 0.0.0.0%9:any
    mask any
    profiles {
        fastL4 { }
    }
    source 0.0.0.0%9/0
    translate-address enabled
    translate-port enabled
    vlans {
        vlan998
        vlan999
        vlan999-998
    }
    vlans-enabled
    vs-index 4
}

 
