Going from Untagged to Tagged VLANs

Question

Problem:&nbsp;
Our Network team has recently added a new VLAN to our current Network Topology and use those addresses for our Virtual Servers on our LTMs.  Our typical configuration is to use trunk two interfaces, enable them for LACP and assign them to a VLAN.  Then configure the ports on the switch with LACP and as access ports for a given VLAN.  We also have Self-IPs for each F5 VLAN (floating and non-floating).  In our UAT environment, we have used all our interfaces and now need to make a decision to incorporate the new VLAN.&nbsp;
My thought is that we could take an existing F5 VLAN and convert it from untagged to tagged.  This would essentially allow us to tag on the F5 as opposed to tagging on the Cisco side.  My concern is taking an existing VLAN and reconfiguring it as a tagged VLAN without causing any issues.  We are in an Active/Standby configuration so we could make the change on the Standby unit and then failover to make the changes on the "Active" after then fail back.  Each Self-IP is assigned a VLAN which at this point is untagged.  Can we simply just create a new VLAN as a tagged VLAN and just update the Self-IPs to use that new tagged VLAN?&nbsp;
I know on there will need to be a port configuration change on the switch to become a trunk port but I'm more concerned with adding the new tagged VLAN and updating the Self-IPs without having to remove that configuration and start over.&nbsp;
Any thoughts?&nbsp;

simon_blakely · Answer

You can't just create a new vlan and change the self-IPs to use the new VLAN. You need to change both the non-floating and floating self-IPs at the same time, so the same IP address range is not applied to two different VLANs at the same time. &nbsp;
You can make the change on the VLAN settings to modify the VLAN from untagged to tagged and change the VLAN interfaces to the trunk without too many problems.&nbsp;

hannes_rapp · Answer

The work you need to do with BigIPs is 15 minutes max. I'm more concerned about possible impact due absence of dot1q interface configuration in servers or VM hypervisor.

Do what S Blakely recommended on Standby unit. Update Standby unit's status to ForcedOffline as a safety measure. This works as insurance against possible unwanted Auto-Sync updates from Standby to Active unit among other things. Unlike self-only IP configuration, FloatingIP configuration is synced in HA clusters. If you or your managers are paranoid, also disable HA configuration auto-sync feature. Assuming ForcedOffline works as intended, IP address conflict with Floating IP being present in two different VLANs is unlikely to cause any harm. The unit you're working on should not consider itself owner of any Floating IPs while in Standby state and ForcedOffline state. That's the case in my experience but I give no guarantees.

Changes implemented, try to ping some of the back-end servers. Using Bash shell of the Standby unit, specify the tagged VLAN as source interface. I.e ping -I VLAN200 172.16.200.15. If you want to be extra safe, try to ping all of your backend servers that BigIP uses as nodes in any of its pools.

When you're happy with results, release ForcedOffline state and fail over to that unit. Then repeat configuration changes on the unit which was previously active.

If you run into any problems, lmk. I usually respond in 24 hours if question is clear and relevant.

Forum Discussion

Going from Untagged to Tagged VLANs

2 Replies

Recent Discussions

Related Content

F5 Essential App Protect: Go !

Google Tag Manager

Ready to Go! Deploying F5 Infrastructure Using Terraform

Client SSL Authentication on BIG-IP as in-depth as it can go

VLAN Tagged vs Untagged. What does this mean.