For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

SMHanson_176662's avatar
SMHanson_176662
Icon for Nimbostratus rankNimbostratus
Feb 01, 2016

VLAN Tagging not working

I have a BIG-IP 11.6.0 (Build 5.123.429 HF5) conencted to a HP HP 5920AF-24XG (Version 7.1.035, Release 2207)

 

Looking at the F5, packets SEEM to be tagged...

 

[xxxxxxxx@xxxxxxx:Active:Standalone] ~ tcpdump -ni 2.2 -e tcpdump: verbose output suppressed, use -v or -vv for full protocol decode listening on 2.2, link-type EN10MB (Ethernet), capture size 96 bytes 14:26:29.559468 00:23:e9:5d:50:0a > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 30, p 0, ethertype ARP, arp who-has 10.13.6.8 tell 10.13.6.1 14:26:30.002977 d0:7e:28:bc:b6:b3 > 01:80:c2:00:00:00, ethertype 802.1Q (0x8100), length 123: vlan 10, p 0, LLC, dsap STP (0x42), ssap STP (0x42), cmd 0x03: 802.1d unknown version 0x0000: 0180 c200 0000 d07e 28bc b6b3 8100 000a .......~(....... 0x0010: 0069 4242 0300 0003 027c f000 d07e 28bc .iBB.....|...~(. 0x0020: b67e 0000 0000 f000 d07e 28bc b67e 800d .~.......~(..~.. 0x0030: 0000 1400 0200 0f00 0000 4000 4f72 696f ..........@.Orio 0x0040: 6e68 6561 6c74 682d 7361 6173 0000 0000 nhealth-saas.... 0x0050: 0000 .. 14:26:30.149784 00:23:e9:5d:50:0a > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 30, p 0, ethertype ARP, arp who-has 10.13.6.212 tell 10.13.6.1 14:26:30.255603 00:23:e9:5d:50:0a > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 30, p 0, ethertype ARP, arp who-has 10.13.6.9 tell 10.13.6.1 14:26:30.316360 00:23:e9:5d:50:0a > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 30, p 0, ethertype ARP, arp who-has 10.13.6.4 tell 10.13.6.1 14:26:30.346447 00:23:e9:5d:50:04 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP, arp who-has 10.13.0.25 tell 10.13.0.1 14:26:30.351616 00:23:e9:5d:50:04 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP, arp who-has 10.13.0.77 tell 10.13.0.1 14:26:30.364972 00:23:e9:5d:50:04 > Broadcast, ethertype 802.1Q (0x8100), length 46: vlan 10, p 0, ethertype ARP, arp who-has 10.13.0.44 tell 10.13.0.1 14:26:30.368736 00:50:56:a6:3a:ca > Broadcast, ethertype 802.1Q (0x8100), length 64: vlan 10, p 0, ethertype ARP, arp who-has 10.13.0.44 tell 10.13.0.13

 

however the switch isn't seeing the MAC's...

 

[xxxxx]display mac-address interface Ten-GigabitEthernet 1/0/9

 

MAC Address VLAN ID State Port/NickName Aging [xxxxx]display mac-address interface Ten-GigabitEthernet 2/0/9

 

MAC Address VLAN ID State Port/NickName Aging [xxxxx]display mac-address interface Bridge-Aggregation 7

 

MAC Address VLAN ID State Port/NickName Aging [xxxxx]

 

The switch can see other MAC's on the VLAN...

 

[xxxxx]display mac-address vlan 30 MAC Address VLAN ID State Port/NickName Aging

 

0050-5694-14c0 30 Learned BAGG3 Y

 

0050-5694-20f1 30 Learned BAGG3 Y

 

0050-5694-363b 30 Learned BAGG4 Y

 

0050-5694-3bab 30 Learned BAGG4 Y

 

0050-5694-407d 30 Learned BAGG4 Y

 

any thoughts on where to look next?

 

Thanks

 

SHANE

 

application delivery
BIG-IP
LTM
security
vlan

4 Replies

  • Stephan_Mierau's avatar
    Stephan_Mierau
    Icon for Employee rankEmployee
    Feb 01, 2016

    Hi,

     

    could you post the VLAN/Interface config of the F5 and the switch?

     

    Thx, Stephan

     

  • SMHanson_176662's avatar
    SMHanson_176662
    Icon for Nimbostratus rankNimbostratus
    Feb 01, 2016

    Hi Stephen...

    {

    Switch config...

    interface Ten-GigabitEthernet1/0/9

    description Secondary-F5-21

    port link-type trunk

    undo port trunk permit vlan 1

    port trunk permit vlan 2 to 9 11 to 4094

    port link-aggregation group 7

    interface Bridge-Aggregation7

    description To-Second-F5

    port link-type trunk

    undo port trunk permit vlan 1

    port trunk permit vlan 2 to 9 11 to 4094

    link-aggregation mode dynamic

    F5 configuration

    } net interface 2.1 {

    if-index 864

lldp-tlvmap 114552

mac-address 00:23:e9:5d:50:0a

media-active 10000SR-FD

media-max 10000T-FD

mtu 9198

serial MY2BD3ZLGW

stp-link-type shared

vendor "FINISAR CORP."

    } net interface 2.2 {

    if-index 880

lldp-tlvmap 114552

mac-address 00:23:e9:5d:50:0b

media-active 10000SR-FD

media-max 10000T-FD

mtu 9198

serial MY2BD3ZLH5

stp-link-type shared


net trunk Trunk_01_to_HP_Core {

bandwidth 20000

cfg-mbr-count 2

id 1

interfaces {

    2.1

    2.2

}

lacp enabled

mac-address 00:23:e9:5d:50:39

working-mbr-count 2

    }

    } net vlan VLAN_30_Internal_DMZ {

    if-index 1008    

interfaces {

    Trunk_01_to_HP_Core {

        tag-mode service

        tagged

    }

}

tag 30

    }

    }

    hope it helps!

    SHANE

  • SMHanson_176662's avatar
    SMHanson_176662
    Icon for Nimbostratus rankNimbostratus
    Feb 01, 2016

    Apologies for the crappy formatting, If you can tell me how to fix it I'll re-post the info.

     

    SHANE

     

  • SMHanson_176662's avatar
    SMHanson_176662
    Icon for Nimbostratus rankNimbostratus
    Feb 09, 2016

    further investigation showed that the Switch (HP) is not seeing any MAC addressing from the F5.

     

    we reconfigured the switch port as an ACCESS port, and remove Tagging from the F5.

     

    Still no joy.

     

    We then replaced the DAC cables with cabled that are working on our other F5 and we still cannot see any MAC addresses on the switch port.

     

    Has anyone came across a similar situation?

     

    Thanks

     

    SHANE