VLAN Group and Asymmetric Deployment
A VLAN group is a logical container that includes two or more distinct VLANs. VLAN groups are intended for load balancing traffic in a Layer 2 network, when you want to minimize the reconfiguration of hosts on that network.
A VLAN group ensures that the BIG-IP system can process traffic between a client and a server when the two hosts reside in the same address space but on two different VLANs.
Configuring VLAN group in UI
1. On the Main tab, click Network > VLANs.
2. Click Create.
3. Provide the following details on the VLAN creation page.
- VLAN Name
- VLAN Tag
- Interface Details
- Tag type - Tagged/Untagged
4. Similarly create another VLAN as mentioned in step 3.
5. Click on VLAN groups to create a VLAN group.
6. Select the VLAN interfaces and the appropriate mode from the Transparency Mode drop-down.
Note: A self IP must be created for opaque mode.
VLAN Group Modes
The BIG-IP system is capable of processing traffic using a combination of Layer 2 and Layer 3 forwarding, that is, switching and IP routing. When you set the transparency mode, you specify the type of forwarding that the BIG-IP system performs when forwarding a message to a host in a VLAN. The default setting is translucent, which means that the BIG-IP system uses a mix of Layer 2 and Layer 3 processing. The allowed modes are:
1. Transparent
2. Translucent
3. Opaque
Transparent mode:
In transparent mode, the original MAC address of the remote system is preserved across VLANs.
Configuring in CLI mode
tmsh modify net interface 1/1.1 port-fwd-mode l3
tmsh modify net interface 2/1.2 port-fwd-mode l3
tmsh create net vlan left_vlan_1 tag 77 interfaces add {1/1.1 {tagged}}
tmsh create net vlan right_vlan_1 tag 78 interfaces add {2/1.2 {tagged}}
tmsh create net vlan-group vg_1 bridge-traffic enabled mode transparent members add { left_vlan_1 right_vlan_1 }
Sample ICMP packet capture on BIG-IP
tcpdump -nne -s0 -i 0.0:nn icmp
22:34:43.858872 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 189: vlan 81, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 207, seq 0, length 80 in slot4/tmm4 lis= port=1/1.1 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=4 haunit=0 priority=3
22:34:43.859194 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 199: vlan 82, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 207, seq 0, length 80 out slot4/tmm9 lis=_vlangroup port=2/1.2 trunk= flowtype=132 flowid=560CED5A8500 peerid=560CED5A8400 conflags=100000E26 inslot=19 inport=4 haunit=1 priority=3
22:34:43.860821 3c:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 189: vlan 82, p 0, ethertype IPv4, 10.0.81.2 > 10.0.81.1: ICMP echo reply, id 207, seq 0, length 80 in slot4/tmm4 lis= port=2/1.2 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=4 haunit=0 priority=3
22:34:43.860830 3c:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 199: vlan 81, p 0, ethertype IPv4, 10.0.81.2 > 10.0.81.1: ICMP echo reply, id 207, seq 0, length 80 out slot4/tmm9 lis=_vlangroup port=1/1.1 trunk=
From the above packet capture we can see that the MAC addresses are preserved: 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a
Translucent mode:
In translucent mode, the locally-unique bit is toggled in all packets crossing the VLANs.
Configuring in CLI mode
tmsh modify net interface 1/1.1 port-fwd-mode l3
tmsh modify net interface 2/1.2 port-fwd-mode l3
tmsh create net vlan left_vlan_1 tag 77 interfaces add {1/1.1 {tagged}}
tmsh create net vlan right_vlan_1 tag 78 interfaces add {2/1.2 {tagged}}
tmsh create net vlan-group vg_1 bridge-traffic enabled mode translucent members add { left_vlan_1 right_vlan_1 }
Sample ICMP packet capture on BIG-IP
tcpdump -nne -s0 -i 0.0:nn icmp
22:46:40.143781 3c:41:0e:9b:36:e4 > 3e:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 189: vlan 81, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 208, seq 1, length 80 in slot4/tmm1 lis= port=1/1.1 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=17 haunit=0 priority=3
22:46:40.143859 3e:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 199: vlan 82, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 208, seq 1, length 80 out slot4/tmm6 lis=_vlangroup port=2/1.2 trunk= flowtype=132 flowid=56089F3A8300 peerid=56089F3A8200 conflags=100000E26 inslot=19 inport=17 haunit=1 priority=3
22:46:40.145613 3c:41:0e:9b:1c:6a > 3e:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 189: vlan 82, p 0, ethertype IPv4, 10.0.81.2 > 10.0.81.1: ICMP echo reply, id 208, seq 1, length 80 in slot4/tmm1 lis= port=2/1.2 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=17 haunit=0 priority=3
22:46:40.145781 3e:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 199: vlan 81, p 0, ethertype IPv4, 10.0.81.2 > 10.0.81.1: ICMP echo reply, id 208, seq 1, length 80 out slot4/tmm6 lis=_vlangroup port=1/1.1 trunk=
From the above packet capture we can see that the locally-unique bit is toggled, changing 3c:41:0e:9b:36:e4 to 3e:41:0e:9b:36:e4.
Opaque mode:
Opaque mode uses proxy ARP with Layer 3 forwarding. Proxy ARP occurs when one host responds to an ARP request on behalf of another host. In opaque mode, a self IP must be configured on the VLAN group to forward the traffic.
Configuring in CLI mode
tmsh modify net interface 1/1.1 port-fwd-mode l3
tmsh modify net interface 2/1.2 port-fwd-mode l3
tmsh create net vlan left_vlan_1 tag 81 interfaces add {1/1.1 {tagged}}
tmsh create net vlan right_vlan_1 tag 82 interfaces add {2/1.2 {tagged}}
tmsh create net vlan-group vg_1 bridge-traffic enabled mode opaque members add { left_vlan_1 right_vlan_1 }
Sample ICMP packet capture on BIG-IP
tcpdump -nne -s0 -i 0.0:nn icmp
listening on 0.0:nn, link-type EN10MB (Ethernet), capture size 65535 bytes
22:59:12.866402 3c:41:0e:9b:36:e4 > 02:23:e9:04:98:06, ethertype 802.1Q (0x8100), length 189: vlan 81, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 221, seq 0, length 80 in slot4/tmm2 lis= port=1/1.1 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=2 haunit=0 priority=3
22:59:12.866634 02:23:e9:04:98:06 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 199: vlan 82, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 221, seq 0, length 80 out slot4/tmm3 lis=_vlangroup port=2/1.2 trunk= flowtype=132 flowid=5604511A8100 peerid=5604511A8000 conflags=E26 inslot=19 inport=2 haunit=1 priority=3
22:59:12.868114 3c:41:0e:9b:1c:6a > 02:23:e9:04:98:06, ethertype 802.1Q (0x8100), length 189: vlan 82, p 0, ethertype IPv4, 10.0.81.2 > 10.0.81.1: ICMP echo reply, id 221, seq 0, length 80 in slot4/tmm2 lis= port=2/1.2 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=2 haunit=0 priority=3
22:59:12.868266 02:23:e9:04:98:06 > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 199: vlan 81, p 0, ethertype IPv4, 10.0.81.2 > 10.0.81.1: ICMP echo reply, id 221, seq 0, length 80 out slot4/tmm3 lis=_vlangroup port=1/1.1 trunk= flowtype=68 flowid=5604511A8000 peerid=5604511A8100 conflags=100200000000E26 inslot=19 inport=2 haunit=1 priority=3
From the above packet capture we can see that the BIG-IP acts as a proxy by presenting its own MAC address, 02:23:e9:04:98:06, to the neighbor switch.
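The three MAC-handling behaviours above can be told apart directly from a capture. The following is an added example, not F5 code: it pairs each ingress frame with its egress copy and compares the Ethernet addresses. The function names are assumptions of this example, and the sample lines are the echo-request pairs from the captures above with the trailing flow fields cut off.

```python
import re

MAC = r"(?:[0-9a-f]{2}:){5}[0-9a-f]{2}"
# Ethernet header, IP/L4 summary and the BIG-IP "in"/"out" trailer of one tcpdump -e line.
FRAME_RE = re.compile(
    rf"(?P<src>{MAC}) > (?P<dst>{MAC}),.*?IPv4, (?P<pkt>\S+ > \S+: .*?) (?P<dir>in|out) slot"
)
UL_BIT = 0x02 << 40  # the bit the page calls "locally-unique": 0x02 in the first octet

# Echo-request in/out pairs from the captures above (flow fields after "trunk=" removed).
TRANSPARENT = """\
22:34:43.858872 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 189: vlan 81, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 207, seq 0, length 80 in slot4/tmm4 lis= port=1/1.1 trunk=
22:34:43.859194 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 199: vlan 82, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 207, seq 0, length 80 out slot4/tmm9 lis=_vlangroup port=2/1.2 trunk=
"""
TRANSLUCENT = """\
22:46:40.143781 3c:41:0e:9b:36:e4 > 3e:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 189: vlan 81, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 208, seq 1, length 80 in slot4/tmm1 lis= port=1/1.1 trunk=
22:46:40.143859 3e:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 199: vlan 82, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 208, seq 1, length 80 out slot4/tmm6 lis=_vlangroup port=2/1.2 trunk=
"""
OPAQUE = """\
22:59:12.866402 3c:41:0e:9b:36:e4 > 02:23:e9:04:98:06, ethertype 802.1Q (0x8100), length 189: vlan 81, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 221, seq 0, length 80 in slot4/tmm2 lis= port=1/1.1 trunk=
22:59:12.866634 02:23:e9:04:98:06 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 199: vlan 82, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 221, seq 0, length 80 out slot4/tmm3 lis=_vlangroup port=2/1.2 trunk=
"""


def mac_int(mac):
    """Convert aa:bb:cc:dd:ee:ff to a 48-bit integer."""
    return int(mac.replace(":", ""), 16)


def classify(ingress, egress):
    """Name the transparency mode implied by one ingress/egress frame pair."""
    src_diff = mac_int(ingress["src"]) ^ mac_int(egress["src"])
    dst_diff = mac_int(ingress["dst"]) ^ mac_int(egress["dst"])
    if src_diff == 0 and dst_diff == 0:
        return "transparent"   # both MACs carried across unchanged
    if src_diff == UL_BIT and dst_diff == UL_BIT:
        return "translucent"   # only the locally-unique bit differs
    if ingress["dst"] == egress["src"]:
        return "opaque"        # BIG-IP MAC is the L2 endpoint on both sides
    return "unknown"


def vlan_group_modes(capture):
    """Return the sorted list of modes observed in tcpdump text."""
    pending, modes = {}, set()
    for line in capture.splitlines():
        frame = FRAME_RE.search(line)
        if not frame:
            continue
        if frame["dir"] == "in":
            pending[frame["pkt"]] = frame      # wait for the egress copy
        elif frame["pkt"] in pending:
            modes.add(classify(pending.pop(frame["pkt"]), frame))
    return sorted(modes)


if __name__ == "__main__":
    for name, text in (("transparent", TRANSPARENT), ("translucent", TRANSLUCENT), ("opaque", OPAQUE)):
        print(name, "capture ->", vlan_group_modes(text))
```

A result of "unknown", or more than one mode in a single capture, means the frames do not match the configured transparency mode and the forwarding path deserves a closer look.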
VLAN Group Trunk
In a VLAN group deployment, a trunk between the BIG-IP and its neighboring devices can be configured in one of two LACP modes:
Active: Specifies that the BIG-IP periodically sends control packets regardless of whether the partner system has issued a request.
Passive: Specifies that the BIG-IP sends control packets only when the partner system has issued a request.
Configuring Trunk in Active mode
tmsh modify net interface 1.1 port-fwd-mode l3
tmsh modify net interface 1.2 port-fwd-mode l3
tmsh create net trunk left_trunk_1 interfaces add { 1.1 1.2 } qinq-ethertype 0x8100 link-select-policy auto lacp enabled lacp-mode active
tmsh create net vlan left_vlan_1 tag 31 interfaces add {left_trunk_1 {tagged}}
tmsh modify net interface 1.1 port-fwd-mode l3
tmsh modify net interface 1.2 port-fwd-mode l3
tmsh create net vlan left_vlan_2 tag 32 interfaces add {left_trunk_1 {tagged}}
tmsh modify net interface 2.1 port-fwd-mode l3
tmsh modify net interface 2.2 port-fwd-mode l3
tmsh create net trunk right_trunk_1 interfaces add { 2.1 2.2 } qinq-ethertype 0x8100 link-select-policy auto lacp enabled lacp-mode active
tmsh create net vlan right_vlan_1 tag 41 interfaces add {right_trunk_1 {tagged}}
tmsh modify net interface 2.1 port-fwd-mode l3
tmsh modify net interface 2.2 port-fwd-mode l3
tmsh create net vlan right_vlan_2 tag 42 interfaces add {right_trunk_1 {tagged}}
tmsh create net vlan-group vg_1 bridge-traffic enabled mode transparent members add { left_vlan_1 right_vlan_1 }
tmsh create net vlan-group vg_2 bridge-traffic enabled mode transparent members add { left_vlan_2 right_vlan_2 }
Configuring Trunk in Passive mode
tmsh modify net interface 1.1 port-fwd-mode l3
tmsh modify net interface 1.2 port-fwd-mode l3
tmsh create net trunk left_trunk_1 interfaces add { 1.1 1.2 } qinq-ethertype 0x8100 link-select-policy auto lacp enabled lacp-mode passive
tmsh create net vlan left_vlan_1 tag 31 interfaces add {left_trunk_1 {tagged}}
tmsh modify net interface 1.1 port-fwd-mode l3
tmsh modify net interface 1.2 port-fwd-mode l3
tmsh create net vlan left_vlan_2 tag 32 interfaces add {left_trunk_1 {tagged}}
tmsh modify net interface 2.1 port-fwd-mode l3
tmsh modify net interface 2.2 port-fwd-mode l3
tmsh create net trunk right_trunk_1 interfaces add { 2.1 2.2 } qinq-ethertype 0x8100 link-select-policy auto lacp enabled lacp-mode passive
tmsh create net vlan right_vlan_1 tag 41 interfaces add {right_trunk_1 {tagged}}
tmsh modify net interface 2.1 port-fwd-mode l3
tmsh modify net interface 2.2 port-fwd-mode l3
tmsh create net vlan right_vlan_2 tag 42 interfaces add {right_trunk_1 {tagged}}
tmsh create net vlan-group vg_1 bridge-traffic enabled mode transparent members add { left_vlan_1 right_vlan_1 }
tmsh create net vlan-group vg_2 bridge-traffic enabled mode transparent members add { left_vlan_2 right_vlan_2 }
VLAN Group Options
VLAN-based fail-safe:
VLAN fail-safe is a feature you enable when you want to base redundant-system failover on VLAN-related events. To configure VLAN fail-safe, you specify a timeout value and the action that you want the system to take when the timeout period expires.
Configure in CLI
tmsh create net vlan test1 {failsafe enabled failsafe-action reboot failsafe-timeout 90}
Configure in UI
1. Follow the steps mentioned above for creating VLAN.
2. On the VLAN page, open the Advanced menu and enable fail-safe.
3. Also specify the fail-safe timeout and the fail-safe action.
On an HA system, if a link on a fail-safe-enabled VLAN goes down, the BIG-IP waits for the fail-safe timeout and then reboots or restarts, depending on the configured fail-safe action. It is recommended to configure fail-safe on an HA system.
Proxy Exclusion List:
A host in a VLAN cannot normally communicate with a host in another VLAN. This rule applies to ARP requests as well. However, if you put the VLANs into a single VLAN group, the BIG-IP system can perform a proxy ARP request. The ARP request should be learned on the member VLAN and not on the VLAN group.
Proxy ARP request is an ARP request that the BIG-IP system can send, on behalf of a host in a VLAN, to hosts in another VLAN. A proxied ARP request requires that both VLANs belong to the same VLAN group.
In some cases, you might not want a host to forward proxied ARP requests to a specific host, or to other hosts in the configuration. To exclude specific hosts from receiving forwarded proxied ARP requests, specify their IP addresses in the proxy exclusion list.
Configuring in CLI
tmsh modify net vlan-group vlt1001 proxy-excludes add {10.10.10.2}
Configuring in UI
1. Follow the steps mentioned above in the VLAN group configuration.
2. Click Proxy Exclusion List.
3. Click the Create button.
4. Add the IP address for which you want to block the ARP request.
5. Final config will look like below.
VLAN GROUP Asymmetric Deployment
When a VLAN group is deployed asymmetrically, network packets enter via VLAN A <-> VLAN B and return via VLAN D and VLAN C, unlike the symmetric path, in which packets come and go using VLAN A and VLAN B. For traffic to work on an asymmetric path, we need to disable the db variable connection.vlankeyed.
Disabling VLAN-keyed connections
With VLAN-keyed connections enabled, the VLAN for the ingress traffic must match the configured VLAN and be present in the BIG-IP connflow lookup table; otherwise, the connection will not be processed by the BIG-IP system. This behavior is different for egress traffic, as egress traffic may use an alternate VLAN. For example, when a client sends SYN packets to a virtual server address configured on VLAN A, and that virtual server address replies to the connection request with a SYN/ACK from VLAN B, the ACK from that client will be matched when arriving on VLAN A or VLAN B. The BIG-IP system will not process the client's ACK reply if the reply arrives on VLAN C or VLAN D.
Disabling VLAN-keyed connections allows the BIG-IP system to accept asymmetrically routed connections across multiple VLANs.
To disable VLAN-keyed in CLI
tmsh modify sys db connection.vlankeyed value disable
To disable VLAN-keyed in UI
1. On the Main tab, click Configuration > Local Traffic.
2. Uncheck the VLAN-keyed connections option to disable it.
Sample TCP packet capture on BIGIP
07:47:00.648140 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 109: vlan 81, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [S], seq 1701549128, win 64240, options [mss 1460,sackOK,TS val 1817130709 ecr 0,nop,wscale 7], length 0 in slot1/tmm4 lis= port=1/1.1 trunk=
07:47:00.648216 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 121: vlan 82, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [S], seq 1701549128, win 64240, options [mss 1460,sackOK,TS val 1817130709 ecr 0,nop,wscale 7], length 0 out slot1/tmm4 lis=/Common/test port=2/1.2 trunk=
07:47:00.648702 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 121: vlan 84, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [S.], seq 41553624, ack 1701549129, win 65160, options [mss 1460,sackOK,TS val 2143595190 ecr 1817130709,nop,wscale 7], length 0 in slot1/tmm4 lis=/Common/test port=2/1.1 trunk=
07:47:00.648710 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 121: vlan 83, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [S.], seq 41553624, ack 1701549129, win 65160, options [mss 1460,sackOK,TS val 2143595190 ecr 1817130709,nop,wscale 7], length 0 out slot1/tmm4 lis=/Common/test port=1/1.2 trunk=
07:47:00.648950 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 113: vlan 81, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 1817130710 ecr 2143595190], length 0 in slot1/tmm4 lis=/Common/test port=1/1.1 trunk=
07:47:00.648957 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 113: vlan 82, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [.], ack 1, win 502, options [nop,nop,TS val 1817130710 ecr 2143595190], length 0 out slot1/tmm4 lis=/Common/test port=2/1.2 trunk
07:47:00.649193 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 186: vlan 81, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [P.], seq 1:74, ack 1, win 502, options [nop,nop,TS val 1817130710 ecr 2143595190], length 73: HTTP: GET / HTTP/1.1 in slot1/tmm4 lis=/Common/test port=1/1.1 trunk=
07:47:00.649198 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 186: vlan 82, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [P.], seq 1:74, ack 1, win 502, options [nop,nop,TS val 1817130710 ecr 2143595190], length 73: HTTP: GET / HTTP/1.1 out slot1/tmm4 lis=/Common/test port=2/1.2 trunk=
07:47:00.649495 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 113: vlan 84, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [.], ack 74, win 509, options [nop,nop,TS val 2143595190 ecr 1817130710], length 0 in slot1/tmm4 lis=/Common/test port=2/1.1 trunk=
07:47:00.649500 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 113: vlan 83, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [.], ack 74, win 509, options [nop,nop,TS val 2143595190 ecr 1817130710], length 0 out slot1/tmm4 lis=/Common/test port=1/1.2 trunk=
07:47:00.653094 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 1561: vlan 84, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [.], seq 1:1449, ack 74, win 509, options [nop,nop,TS val 2143595192 ecr 1817130710], length 1448: HTTP: HTTP/1.1 200 OK in slot1/tmm4 lis=/Common/test port=2/1.1 trunk=
07:47:00.653097 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 220: vlan 84, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [P.], seq 1449:1556, ack 74, win 509, options [nop,nop,TS val 2143595192 ecr 1817130710], length 107: HTTP in slot1/tmm4 lis=/Common/test port=2/1.1 trunk=
From the above packet capture we can see the SYN packet traversing VLAN 81 and VLAN 82, while the SYN/ACK travels over VLAN 84 and VLAN 83. The BIG-IP processes packets arriving on different VLANs as matching the same connflow.
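To spot connections that depend on connection.vlankeyed being disabled, the rule described in this section can be applied to a capture. This is an added example, not F5 code, and it uses a simplified model: the VLANs carrying the initial SYN are treated as the only ingress VLANs a VLAN-keyed lookup would accept. The function name is an assumption, and the sample lines are the SYN and SYN/ACK frames from the asymmetric capture above and from the symmetric capture in the Troubleshooting section, with TCP options removed.

```python
import re
from collections import defaultdict

# VLAN tag, TCP endpoints, flags and the BIG-IP "in"/"out" trailer of one tcpdump line.
SEG_RE = re.compile(
    r"vlan (?P<vlan>\d+),.*?IPv4, (?P<src>\S+) > (?P<dst>\S+): Flags \[(?P<flags>[^\]]+)\]"
    r".*? (?P<dir>in|out) slot"
)

# Abridged from the page's captures (TCP options removed).
ASYMMETRIC = """\
07:47:00.648140 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 109: vlan 81, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [S], seq 1701549128, length 0 in slot1/tmm4 lis= port=1/1.1 trunk=
07:47:00.648216 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 121: vlan 82, p 0, ethertype IPv4, 10.0.80.2.42568 > 10.0.90.2.80: Flags [S], seq 1701549128, length 0 out slot1/tmm4 lis=/Common/test port=2/1.2 trunk=
07:47:00.648702 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 121: vlan 84, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [S.], seq 41553624, ack 1701549129, length 0 in slot1/tmm4 lis=/Common/test port=2/1.1 trunk=
07:47:00.648710 3c:41:0e:9b:1c:52 > 3c:41:0e:9b:36:d8, ethertype 802.1Q (0x8100), length 121: vlan 83, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42568: Flags [S.], seq 41553624, ack 1701549129, length 0 out slot1/tmm4 lis=/Common/test port=1/1.2 trunk=
"""
SYMMETRIC = """\
07:53:33.112175 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 109: vlan 81, p 0, ethertype IPv4, 10.0.80.2.42570 > 10.0.90.2.80: Flags [S], seq 4156824303, length 0 in slot1/tmm6 lis= port=1/1.1 trunk=
07:53:33.112251 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 121: vlan 82, p 0, ethertype IPv4, 10.0.80.2.42570 > 10.0.90.2.80: Flags [S], seq 4156824303, length 0 out slot1/tmm6 lis=/Common/test port=2/1.2 trunk=
07:53:33.112779 3c:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 121: vlan 82, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42570: Flags [S.], seq 1696348196, ack 4156824304, length 0 in slot1/tmm6 lis=/Common/test port=2/1.2 trunk=
07:53:33.112786 3c:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 121: vlan 81, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42570: Flags [S.], seq 1696348196, ack 4156824304, length 0 out slot1/tmm6 lis=/Common/test port=1/1.1 trunk=
"""


def vlan_key_violations(capture):
    """Map each TCP connection to the ingress VLANs outside its SYN's VLAN pair.

    Simplified model (assumption of this example): the VLANs on which the
    initial SYN was seen, ingress and egress, are the VLANs a VLAN-keyed
    connflow lookup would accept for later ingress frames.
    """
    allowed = {}                    # connection -> VLANs that carried the SYN
    violations = defaultdict(set)   # connection -> unexpected ingress VLANs
    for line in capture.splitlines():
        seg = SEG_RE.search(line)
        if not seg:
            continue
        conn = frozenset((seg["src"], seg["dst"]))   # direction-independent key
        vlan = int(seg["vlan"])
        if seg["flags"] == "S":                      # initial SYN, no ACK
            allowed.setdefault(conn, set()).add(vlan)
        elif seg["dir"] == "in" and conn in allowed and vlan not in allowed[conn]:
            violations[conn].add(vlan)
    return {tuple(sorted(conn)): sorted(vlans) for conn, vlans in violations.items()}


if __name__ == "__main__":
    print("asymmetric:", vlan_key_violations(ASYMMETRIC))
    print("symmetric: ", vlan_key_violations(SYMMETRIC))
```

A non-empty result lists the connections whose return traffic arrives on a VLAN other than the ones that carried the SYN, which is the case that requires connection.vlankeyed to be disabled.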
DB Variables
The below table describes VLAN group behavior with system database variables
Troubleshooting
1. Verify that traffic is flowing through the default Virtual Server (_vlangroup)
Tcpdump cmd: tcpdump -nne -s0 -i 0.0:nnn
22:46:40.143781 3c:41:0e:9b:36:e4 > 3e:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 189: vlan 81, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 208, seq 1, length 80 in slot4/tmm1 lis= port=1/1.1 trunk= flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=17 haunit=0 priority=3
22:46:40.143859 3e:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 199: vlan 82, p 0, ethertype IPv4, 10.0.81.1 > 10.0.81.2: ICMP echo request, id 208, seq 1, length 80 out slot4/tmm6 lis=_vlangroup port=2/1.2 trunk= flowtype=132 flowid=56089F3A8300 peerid=56089F3A8200 conflags=100000E26 inslot=19 inport=17 haunit=1 priority=3 flowtype=0 flowid=0 peerid=0 conflags=0 inslot=19 inport=17 haunit=0 priority=3
22:46:40.145781 3e:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 199: vlan 81, p 0, ethertype IPv4, 10.0.81.2 > 10.0.81.1: ICMP echo reply, id 208, seq 1, length 80 out slot4/tmm6 lis=_vlangroup port=1/1.1 trunk=
2. Now create a Virtual Server based on requirements such as TCP, UDP and ICMP, with the VS name test. Verify that traffic is hitting the Virtual Server
Tcpdump cmd: tcpdump -nne -s0 -i 0.0:nnn tcp
07:53:33.112175 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 109: vlan 81, p 0, ethertype IPv4, 10.0.80.2.42570 > 10.0.90.2.80: Flags [S], seq 4156824303, win 64240, options [mss 1460,sackOK,TS val 1817523173 ecr 0,nop,wscale 7], length 0 in slot1/tmm6 lis= port=1/1.1 trunk=
07:53:33.112251 3c:41:0e:9b:36:e4 > 3c:41:0e:9b:1c:6a, ethertype 802.1Q (0x8100), length 121: vlan 82, p 0, ethertype IPv4, 10.0.80.2.42570 > 10.0.90.2.80: Flags [S], seq 4156824303, win 64240, options [mss 1460,sackOK,TS val 1817523173 ecr 0,nop,wscale 7], length 0 out slot1/tmm6 lis=/Common/test port=2/1.2 trunk=
07:53:33.112779 3c:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 121: vlan 82, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42570: Flags [S.], seq 1696348196, ack 4156824304, win 65160, options [mss 1460,sackOK,TS val 2143987653 ecr 1817523173,nop,wscale 7], length 0 in slot1/tmm6 lis=/Common/test port=2/1.2 trunk=
07:53:33.112786 3c:41:0e:9b:1c:6a > 3c:41:0e:9b:36:e4, ethertype 802.1Q (0x8100), length 121: vlan 81, p 0, ethertype IPv4, 10.0.90.2.80 > 10.0.80.2.42570: Flags [S.], seq 1696348196, ack 4156824304, win 65160, options [mss 1460,sackOK,TS val 2143987653 ecr 1817523173,nop,wscale 7], length 0 out slot1/tmm6 lis=/Common/test port=1/1.1 trunk=
3. Debugging steps
a. Take a tcpdump and check whether the traffic is hitting the VS.
b. If traffic is dropped, enable “tmsh modify sys db vlangroup.forwarding.override value enable” with the destination as catch-all, and check whether traffic is hitting _vlangroup and going out. If traffic passes without any issue, then the issue is with the created VS.
c. Check that ARP entries are learned on the member VLAN.
d. If the issue persists even after enabling the vlangroup.forwarding.override db variable, collect the output of the commands below:
- tmctl ifc_stats - Displays interface statistics
- tmctl ip_stat - Displays IP statistics
- tmctl ip6_stat - Displays IPv6 statistics
Notable Effects-Caveats
- Active/Active deployment is not supported
- STP should be disabled with VLAN groups
- Asymmetric deployment is not supported in translucent mode
Conclusion
A VLAN group is deployed to bridge two L2 network segments and is used for load balancing traffic in Layer 2 networks.