bmoorewiz
Aug 23, 2017

AFM with VLAN Group and Layer 2 VS

I have an AFM running with a vlan group with vlan 8 and vlan 9.

I want to create a layer 2 forwarding VS with that vlan group attached to it and apply a dos profile.

If I do a tmsh show sys connections I see all of them being bridged through the vlan group, but I can't see any connections actually hitting the forwarding VS.

Is this not possible?

3 Replies

  • Why are you configuring VLAN group?

    VLAN group is a bad idea; working with VLAN group and AFM is searching for problems.

  • Router Vlan 8 10.0.0.8 ---> f5 ---> Router vlan 9 10.0.0.9

    If I do not use a vlan group, the two cannot talk. Even with a layer 2 VS.

    The second I add the vlan group everything works, but nothing goes through the VS.

  • In case anyone else has this problem: https://support.f5.com/csp/article/K16528

    Topic

    This article applies to BIG-IP 11.x. For information about other versions, refer to the following article:

    K11509: Overview of the vlangroup.forwarding.override db key (9.x - 10.x)

    The vlangroup.forwarding.override database key allows you to control how the BIG-IP system handles traffic that has a destination MAC address that does not match any of the BIG-IP system's local MAC addresses, when the BIG-IP system is configured with both a VLAN group and a wildcard forwarding virtual server.

    Description

    When the vlangroup.forwarding.override database key is enabled (default value), traffic with a destination MAC address that does not match any of the BIG-IP system's local MAC addresses is bridged by the VLAN group, even if an applicable wildcard forwarding virtual server is present.

    When the vlangroup.forwarding.override database key is disabled, traffic with a destination MAC address that does not match any of the BIG-IP system's local MAC addresses is handled by an applicable wildcard forwarding virtual server (if one exists), even if a VLAN group is present.

    Note: The BIG-IP system does not generally receive traffic with a destination MAC address that does not match any of the BIG-IP system's local MAC addresses. However, the BIG-IP system can receive traffic in this situation when the system is configured with a VLAN group. A VLAN group merges two or more member VLANs by bridging them at the Layer 2 level. This action allows a node on a member VLAN to ARP for a destination node on another member VLAN. After the source node has learned the destination node’s MAC address, the source node can send Ethernet frames directly to the destination node by using the BIG-IP system as a Layer 2 switch. It is within this context that the BIG-IP system can receive traffic with a destination MAC address other than its own. Forwarding certain traffic using a wildcard forwarding virtual server instead of VLAN group bridging allows a BIG-IP administrator to control protocol level settings (such as idle timeout values) by way of a FastL4 profile.

    Recommendations
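
The check that the quoted K16528 text implies, as an added example that is not part of the thread or of the F5 article: a shell helper that reads the output of `tmsh list sys db vlangroup.forwarding.override` and reports whether traffic between the member VLANs is bridged by the VLAN group or handled by the wildcard forwarding virtual server, which is the only path on which a profile attached to that virtual server sees the traffic. The function names and the sample output are constructed for illustration, and the output shape shown in the comment is an assumption about the tmsh format.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): decide from the db key
# whether a wildcard forwarding virtual server will see VLAN group traffic.

DB_KEY="vlangroup.forwarding.override"

# Constructed sample of `tmsh list sys db vlangroup.forwarding.override`
# output (assumed shape), so the script runs offline.
SAMPLE_ENABLED='sys db vlangroup.forwarding.override {
    value "enable"
}'

# Read tmsh output on stdin and print the bare key value (quotes stripped).
db_value() {
    awk '$1 == "value" { gsub(/"/, "", $2); print $2; exit }'
}

# Map the key value to the behaviour K16528 describes.
# Prints: bridged | virtual-server | unknown
forwarding_path() {
    case "$1" in
        enable)  echo "bridged" ;;         # default: VLAN group bridges, VS is bypassed
        disable) echo "virtual-server" ;;  # wildcard forwarding VS handles the traffic
        *)       echo "unknown" ;;         # empty or unexpected output: treat as a failure
    esac
}

# Read tmsh output on stdin, print a one-line report, and return 0 only
# when the virtual server (and the profiles on it) handles the traffic.
check_override() {
    value=$(db_value)
    path=$(forwarding_path "$value")
    echo "$DB_KEY=${value:-<missing>} path=$path"
    [ "$path" = "virtual-server" ]
}

# On a BIG-IP:
#   tmsh list sys db vlangroup.forwarding.override | check_override
# The disabled state corresponds to:
#   tmsh modify sys db vlangroup.forwarding.override value disable
printf '%s\n' "$SAMPLE_ENABLED" | check_override \
    || echo "VLAN group bridging takes precedence; the forwarding VS is bypassed"
```

After changing the key, the `tmsh show sys connections` check from the original question is the way to confirm that flows now appear against the forwarding virtual server.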