Manual Chapter : VLANs, VLAN Groups, and VXLAN

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP APM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Analytics

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP Link Controller

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP LTM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP PEM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP AFM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP DNS

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

BIG-IP ASM

  • 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0, 16.0.1, 16.0.0, 15.1.9, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0, 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0
Manual Chapter

VLANs, VLAN Groups, and VXLAN

About VLANs

A
VLAN
is a logical subset of hosts on a local area network (LAN) that operate in the same IP address space. Grouping hosts together in a VLAN has distinct advantages. For example, with VLANs, you can:
  • Reduce the size of broadcast domains, thereby enhancing overall network performance.
  • Reduce system and network maintenance tasks substantially. Functionally-related hosts no longer need to physically reside together to achieve optimal network performance.
  • Enhance security on your network by segmenting hosts that must transmit sensitive data.
You can create a VLAN and associate physical interfaces with that VLAN. In this way, any host that sends traffic to a BIG-IP® system interface is logically a member of the VLAN or VLANs to which that interface belongs.

Default VLAN configuration

By default, the BIG-IP® system includes VLANs named
internal
and
external
. When you initially ran the Setup utility, you assigned the following to each of these VLANs:
  • A static and a floating self IP address
  • A VLAN tag
  • One or more BIG-IP system interfaces
A typical VLAN configuration is one in which the system has the two VLANs
external
and
internal
, and one or more BIG-IP system interfaces assigned to each VLAN. You then create a virtual server, and associate a default load balancing pool with that virtual server. This figure shows a typical configuration using the default VLANs external and internal.
A typical configuration using the default VLANs
Example of a trunk configured for two switches
VLANs
internal
and
external
reside in partition
Common
.

About VLANs and interfaces

VLANs are directly associated with the physical interfaces on the BIG-IP® system.

Interface assignments

For each VLAN that you create, you must assign one or more BIG-IP® system interfaces to that VLAN. When you assign an interface to a VLAN, you indirectly control the hosts from which the BIG-IP system interface sends or receives messages.
You can assign not only individual interfaces to the VLAN, but also trunks.
For example, if you assign interface 1.11 to
VLAN A
, and you then associate
VLAN A
with a virtual server, then the virtual server sends its outgoing traffic through interface 1.11, to a destination host in
VLAN A
. Similarly, when a destination host sends a message to the BIG-IP system, the host’s VLAN membership determines the BIG-IP system interface that should receive the incoming traffic.
Each VLAN has a MAC address. The MAC address of a VLAN is the same MAC address of the lowest-numbered interface assigned to that VLAN.

About tagged interfaces

You can create a VLAN and assign interfaces to the VLAN as single- or double-tagged interfaces. When you assign interfaces as
tagged interfaces
, you can associate multiple VLANs with those interfaces.
A VLAN
tag
is a unique ID number that you assign to a VLAN, to identify the VLAN to which each packet belongs. If you do not explicitly assign a tag to a VLAN, the BIG-IP® system assigns a tag automatically. The value of a VLAN tag can be between 1 and 4094. Once you or the BIG-IP system assigns a tag to a VLAN, any message sent from a host in that VLAN includes this VLAN tag as a header in the message.
If a device connected to a BIG-IP system interface is another switch, the VLAN tag that you assign to the VLAN on the BIG-IP system interface must match the VLAN tag assigned to the VLAN on the interface of the other switch.
About single tagging
This figure shows the difference between using three untagged interfaces (where each interface must belong to a separate VLAN) versus one single-tagged interface (which belongs to multiple VLANs).
Solutions using untagged (left) and single-tagged interfaces (right)
Solutions using untagged (left) and tagged interfaces (right)
The configuration on the left shows a BIG-IP system with three internal interfaces, each a separate, untagged interface. This is a typical solution for supporting three separate customer sites. In this scenario, each interface can accept traffic only from its own VLAN.
Conversely, the configuration on the right shows a BIG-IP system with one internal interface and an external switch. The switch places the internal interface on three separate VLANs. The interface is configured on each VLAN as a single-tagged interface. In this way, the single interface becomes a tagged member of all three VLANs, and accepts traffic from all three. The configuration on the right is the functional equivalent of the configuration of the left.
If you are connecting another switch into a BIG-IP system interface, the VLAN tag that you assign to the VLAN on the BIG-IP system must match the VLAN tag on the interface of the other switch.
About double tagging
For BIG-IP systems with ePVA hardware support, the system includes support for the IEEE 802.1QinQ standard. Known informally as
Q-in-Q
or
double tagging
, this standard provides a way for you to insert multiple VLAN tags into a single frame. This allows you to encapsulate single-tagged traffic from disparate customers with only one tag.
Double tagging expands the number of possible VLAN IDs in a network. With double tagging, the theoretical limitation in the number of VLAN IDs expands from 4096 to 4096*4096.
When you implement double tagging, you specify an
inner tag
that encapsulates all of the single-tagged traffic. You then designate all other tags as
outer tags
, or
customer tags
(C-tags), which serve to identify and segregate the traffic from those customers.
A common use case is one in which an internet service provider creates a single VLAN within which multiple customers can retain their own VLANs without regard for overlapping VLAN IDs. Moreover, you can use double-tagged VLANs within route domains or vCMP guests. In the latter case, vCMP host administrators can create double-tagged VLANs and assign the VLANs to guests, just as they do with single-tagged VLANs. For a vCMP guest running an older version of the BIG-IP software, double-tagged VLANs are not available for assignment to the guest.
On systems that support double tagging, if you configure a Fast L4 local traffic profile, you cannot enable Packet Velocity Asic (PVA) hardware acceleration.

VLAN association with a self IP address

Every VLAN must have a static self IP address associated with it. The self IP address of a VLAN represents an address space, that is, the range of IP addresses pertaining to the hosts in that VLAN. When you ran the Setup utility earlier, you assigned one static self IP address to the VLAN external, and one static self IP address to the VLAN internal. When sending a request to a destination server, the BIG-IP system can use these self IP addresses to determine the specific VLAN that contains the destination server.
The self IP address with which you associate a VLAN should represent an address space that includes the IP addresses of the hosts that the VLAN contains. For example, if the address of one host is
11.0.0.1
and the address of the other host is
11.0.0.2
, you could associate the VLAN with a self IP address of
11.0.0.100
, with a netmask of
255.255.255.0
.

VLAN assignment to route domains

If you explicitly create route domains, you should consider the following facts:
  • You can assign VLANs (and VLAN groups) to route domain objects that you create. Traffic pertaining to that route domain uses those assigned VLANs.
  • During BIG-IP® system installation, the system automatically creates a default route domain, with an ID of 0. Route domain 0 has two VLANs assigned to it, VLAN
    internal
    and VLAN
    external
    .
  • If you create one or more VLANs in an administrative partition other than
    Common
    , but do not create a route domain in that partition, then the VLANs you create in that partition are automatically assigned to route domain 0.

Maintaining the L2 forwarding table

Layer 2 forwarding is the means by which frames are exchanged directly between hosts, with no IP routing required. This is accomplished using a simple forwarding table for each VLAN. The L2 forwarding table is a list that shows, for each host in the VLAN, the MAC address of the host, along with the interface that the BIG-IP® system needs for sending frames to that host. The intent of the L2 forwarding table is to help the BIG-IP system determine the correct interface for sending frames, when the system determines that no routing is required.
The format of an entry in the L2 forwarding table is:
<MAC address> -> <if>
For example, an entry for a host in the VLAN might look like this:
00:a0:c9:9e:1e:2f -> 2.1
The BIG-IP system learns the interfaces that correspond to various MAC entries as frames pass through the system, and automatically adds entries to the table accordingly. These entries are known as
dynamic entries
. You can also add entries to the table manually, and these are known as
static entries
. Entering static entries is useful if you have network devices that do not advertise their MAC addresses. The system does not automatically update static entries.
The BIG-IP system does not always need to use the L2 forwarding table to find an interface for frame transmission. For instance, if a VLAN has only one interface assigned to it, then the BIG-IP system automatically uses that interface.
Occasionally, the L2 forwarding table does not include an entry for the destination MAC address and its corresponding BIG-IP system interface. In this case, the BIG-IP system floods the frame through all interfaces associated with the VLAN, until a reply creates an entry in the L2 forwarding table.

Additional VLAN configuration options

There are a number of settings that you can configure for a VLAN.

Source checking

When you enable source checking, the BIG-IP® system verifies that the return path for an initial packet is through the same VLAN from which the packet originated. Note that the system only enables source checking if the global setting Auto Last Hop is disabled.

Maximum transmission units

The value that you configure for the maximum transmission unit, or MTU, is the largest size that the BIG-IP® system allows for an IP datagram passing through a BIG-IP system interface. By default, the BIG-IP system uses the standard Ethernet frame size of 1518 bytes (1522 bytes if VLAN tagging is used), with a corresponding MTU value of 1500 bytes for a VLAN.
One reason for changing the value of the
MTU
setting is when your BIG-IP platform supports jumbo frames. A
jumbo frame
is an Ethernet frame with more than 1500 bytes, and fewer than 9000 bytes, of payload.
If your BIG-IP platform does not support jumbo frames and a VLAN receives a jumbo frame, the system discards the frame.

VLAN-based fail-safe

VLAN fail-safe is a feature you enable when you want to base redundant-system failover on VLAN-related events. To configure VLAN fail-safe, you specify a timeout value and the action that you want the system to take when the timeout period expires.

Auto last hop

When you create a VLAN, you can designate the VLAN as the last hop for TMM traffic.

CMP hash

The
CMP Hash
setting allows all connections from a client system to use the same set of TMMs. This improves system performance. In configuring the
CMP Hash
value, you can choose the traffic disaggregation criteria for the VLAN, either source IP address, destination IP address, or source and destination addresses and ports. The default value uses TCP/UDP source/destination ports. Note that the
CMP Hash
setting appears only on the properties screen for an existing VLAN.

DAG round robin

You can use the
DAG Round Robin
setting on a VLAN to prevent stateless traffic from overloading a few TMM instances, a condition that can disable an entire BIG-IP system. When enabled, this setting causes the BIG-IP system to load balance the traffic among TMMs evenly, instead of using a static hash. Stateless traffic in this case includes non-IP Layer 2 traffic, ICMP, some UDP protocols, and so on. This setting is disabled by default.
This feature is particularly useful for firewall and Domain Name System (DNS) traffic. For example, this feature prevents certain types of DDoS attacks, such as an ICMP DDoS attack that can overload the system by sending the same packets repeatedly to a specific subset of TMMs.
The disaggregation of traffic occurs only to TMMs that are local to a given high-speed bridge (HSB).
Specifying port numbers
Before you perform this task, confirm that you have enabled the
DAG Round Robin
setting on the relevant VLAN.
When you enable the DAG Round Robin feature on a VLAN, you must also configure a
bigdb
variable that specifies the relevant destination ports.
  1. Open the TMOS Shell (
    tmsh
    ).
    tmsh
  2. Specify the port numbers to be used.
    modify sys db dag.roundrobin.udp.portlist value "
    port_number
    :
    port_number
    :
    port_number
    :
    port_number
    "
    The values that you specify with this
    bigdb
    variable apply to all VLANs on which the
    DAG Round Robin
    setting is enabled.
    This example specifies that the system load balances packets destined for ports 53, 26, 19, and 45:
    modify sys db dag.roundrobin.udp.portlist value "53:26:19:45"

DAG tunnel

You can use the
DAG Tunnel
setting on a VLAN to enable hardware-based disaggregation. This defines how the disaggregator (DAG) processes received packets that are encapsulated using one of the supported tunneling protocols (such as, NVGRE, VXLAN, EtherIP, IPIP).
There are two options for DAG tunnel:
Inner
Disaggregates encapsulated packets based on the inner headers. Using the inner headers typically provides more information to the DAG which allows for a better distribution of packets across TMM instances. If you select a value of
Inner
, you must also configure a bigdb variable to specify a port number before any associated tunnels can use the inner headers.
Outer
Uses the outer headers of encapsulated packets without inspecting the inner headers. This is the default value.
Specifying a port number
Before you perform this task, confirm that you have enabled the
DAG Tunnel
setting on the relevant VLAN.
When you enable the DAG tunnel feature on a VLAN, you must also configure a
bigdb
variable that specifies a port number so that associated tunnels can disaggregate based on the inner header of a packet.
  1. Open the TMOS Shell (
    tmsh
    ).
    tmsh
  2. Specify a port number to be used.
    modify sys db iptunnel.vxlan.udpport
    value
    <
    port_number
    >
    The value that you specify with this
    bigdb
    variable applies to all VLANs on which the
    DAG Tunnel
    setting is enabled.
    Typically, a tunnel uses port 4789. If you choose to use a different port number, you must ensure that the port number specified in the relevant VXLAN profile matches the value you set with this command.
Configuring DAG tunnel using tmsh
Before you perform this task, confirm that you have configured the
iptunnel.vxlan.udpport
variable with a port number.
You can use the Traffic Management Shell (
tmsh
) to configure the DAG tunnel feature on a VLAN. The default value is
outer
.
  1. Open the TMOS Shell (
    tmsh
    ).
    tmsh
  2. Configure whether to use inner or outer headers.
    modify vlan
    vlan_name
    dag-tunnel
    [
    outer
    |
    inner
    ]

About sFlow polling intervals and sampling rates

You can change the sFlow settings for a specific VLAN when you want the traffic flowing through the VLAN to be sampled at a different rate than the global sFlow settings on the BIG-IP® system.

Creating a VLAN

VLANs
represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.
  1. On the Main tab, click
    Network
    VLANs
    .
    The VLAN List screen opens.
  2. Click
    Create
    .
    The New VLAN screen opens.
  3. In the
    Name
    field, type a unique name for the VLAN.
  4. In the
    Tag
    field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. If you want to use Q-in-Q (double) tagging, use the
    Customer Tag
    setting to perform the following two steps. If you do not see the
    Customer Tag
    setting, your hardware platform does not support Q-in-Q tagging and you can skip this step.
    1. From the
      Customer Tag
      list, select
      Specify
      .
    2. Type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the
    Interfaces
    setting,
    1. From the
      Interface
      list, select an interface number.
    2. From the
      Tagging
      list, select
      Untagged
      .
    3. Click
      Add
      .
  7. For the
    Hardware SYN Cookie
    setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  8. For the
    Syncache Threshold
    setting, retain the default value or change it to suit your needs.
    The
    Syncache Threshold
    value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.
    When the
    Hardware SYN Cookie
    setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
    • The number of TCP half-open connections defined in the LTM setting
      Global SYN Check Threshold
      is reached.
    • The number of SYN flood packets defined in this
      Syncache Threshold
      setting is reached.
  9. For the
    SYN Flood Rate Limit
    setting, retain the default value or change it to suit your needs.
    The
    SYN Flood Rate Limit
    value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  10. Click
    Finished
    .
    The screen refreshes, and it displays the new VLAN in the list.

About VLAN groups

A
VLAN group
is a logical container that includes two or more distinct VLANs. VLAN groups are intended for load balancing traffic in a Layer 2 network, when you want to minimize the reconfiguration of hosts on that network. This figure shows an example of a VLAN group.
Example of a VLAN group
Example of a VLAN group
A VLAN group also ensures that the BIG-IP® system can process traffic successfully between a client and server when the two hosts reside in the same address space. Without a VLAN group, when the client and server both reside in the same address space, the client request goes through the virtual server, but instead of sending its response back through the virtual server, the server attempts to send its response directly to the client, bypassing the virtual server altogether. As a result, the client cannot receive the response, because the client expects the address of the response to be the virtual server IP address, not the server IP address.
You can configure the behavior of the BIG-IP system so that it always creates a proxy for any ARP requests between VLANs.
When you create a VLAN group, the two existing VLANs become child VLANs of the VLAN group.
VLAN groups reside in administrative partitions. To create a VLAN group, you must first set the current partition to the partition in which you want the VLAN group to reside.
Only users with the Administrator user role can create and manage VLAN groups.

About VLAN group names

When creating a VLAN group, you must assign it a unique name. Once you have finished creating the VLAN group, the VLAN group name appears in the list of existing VLANs groups.

VLAN group ID

A
VLAN group ID
is a tag for the VLAN group. Every VLAN group needs a unique ID number. If you do not specify an ID for the VLAN group, the BIG-IP® system automatically assigns one. The value of a VLAN group ID can be between 1 and 4094.

About untagged interfaces

You can create a VLAN and assign interfaces to the VLAN as untagged interfaces. When you assign interfaces as
untagged interfaces
, you cannot associate other VLANs with those interfaces. This limits the interface to accepting traffic only from that VLAN, instead of from multiple VLANs. If you want to give an interface the ability to accept and receive traffic for multiple VLANs, you add the same interface to each VLAN as a tagged interface.

VLAN group association with a self IP address

A VLAN group is used to bridge traffic between two or more VLANs. All member VLANs contain hosts that reside in the same IP address space (for example,
10.0.0.0/24
). When using a VLAN group, you normally only need to assign a self IP address to the VLAN group itself (that is, a member VLAN does not require a self IP address of its own). The self IP address that you associate with a VLAN group should represent the IP address space covered by the VLAN group. For example, if some of the hosts in one member VLAN use IP addresses
10.0.0.1
and
10.0.0.2
, and some of the hosts in another member VLAN use IP addresses
10.0.0.201
and
10.0.0.202
, you could then associate the VLAN group with a self IP address of
10.0.0.100
, with a netmask of
255.255.255.0
.

About transparency mode

The BIG-IP® system is capable of processing traffic using a combination of Layer 2 and Layer 3 forwarding, that is, switching and IP routing. When you set the transparency mode, you specify the type of forwarding that the BIG-IP system performs when forwarding a message to a host in a VLAN. The default setting is
Translucent
, which means that the BIG-IP system uses a mix of Layer 2 and Layer 3 processing. The allowed values are:
Opaque
A proxy ARP with Layer 3 forwarding.
Translucent
Layer 2 forwarding with a locally-unique bit, toggled in ARP response across VLANs. This is the default setting.
Transparent
Layer 2 forwarding with the original MAC address of the remote system preserved across VLANs.
When VLAN groups are configured and the virtual server references a Fast L4 profile, Packet Velocity® ASIC (PVA) acceleration is not supported, and the BIG-IP system automatically changes the
PVA Acceleration
setting to
None
.

About traffic bridging

When you enable the traffic bridging option, you are instructing the VLAN group to forward all non-IP traffic. Note that IP traffic is bridged by default. The default value for this setting is disabled (unchecked).

About traffic bridging with standby units

When enabled, the
Bridge in Standby
setting ensures that the VLAN group can forward packets when the system is the standby device of a redundant system configuration. Note that this setting applies to non-IP and non-ARP frames only, such as Bridge Protocol Data Units (BPDUs).
This setting is designed for deployments in which the VLAN group is defined on a redundant system. You can use the
Bridge in Standby
setting in transparent or translucent modes, or in opaque mode when the global variable
Failover.Standby.LinkDownTime
is set to 0.
This setting can cause adverse effects if the VLAN group exists on more than one device in a device group. The setting is intended for configurations where the VLAN group exists on one device only. The default setting is enabled (checked).

About migration keepalive frames

The Migration Keepalive setting for a VLAN group, when enabled, instructs the BIG-IP system to send keepalive frames (that is, TCP keepalives and empty UDP packets, depending on the connection type) when a node is moved from one VLAN group member to another VLAN group member for all existing BIG-IP connections to that node.

About host exclusion from proxy ARP forwarding

A host in a VLAN cannot normally communicate to a host in another VLAN. This rule applies to ARP requests as well. However, if you put the VLANs into a single VLAN group, the BIG-IP system can perform a proxied ARP request.
A
proxied ARP request
is an ARP request that the BIG-IP system can send, on behalf of a host in a VLAN, to hosts in another VLAN. A proxied ARP request requires that both VLANs belong to the same VLAN group.
In some cases, you might not want a host to forward proxied ARP requests to a specific host, or to other hosts in the configuration. To exclude specific hosts from receiving forwarded proxied ARP requests, you use the BIG-IP Configuration utility and specify the IP addresses that you want to exclude.
Although hosts on an ARP exclusion list are specified using their IP addresses, this does not prevent the BIG-IP system from routing traffic to those hosts. A more secure way to prevent traffic from passing between hosts in separate VLANs is to create a packet filter for each VLAN.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click
    Network
    VLANs
    VLAN Groups
    .
    The VLAN Groups list screen opens.
  2. From the VLAN Groups menu, choose List.
  3. Click
    Create
    .
    The New VLAN Group screen opens.
  4. In the General Properties area, in the
    VLAN Group
    field, type a unique name for the VLAN group.
  5. For the
    VLANs
    setting, from the
    Available
    field select the
    internal
    and
    external
    VLAN names, and click
    <<
    to move the VLAN names to the
    Members
    field.
  6. Click
    Finished
    .

About bridging VLAN and VXLAN networks

You can configure Virtual eXtended LAN (VXLAN) on a BIG-IP® system to enable a physical VLAN to communicate with virtual machines (VMs) in a virtual network.
The VXLAN gateway
The VXLAN gateway
When you configure a BIG-IP system as an L2 VXLAN gateway, the BIG-IP system joins the configured multicast group, and can forward both unicast and multicast or broadcast frames on the virtual network. The BIG-IP system learns about MAC address and VTEP associations dynamically, thus avoiding unnecessary transmission of multicast traffic.
Multiple VXLAN tunnels
Multiple VXLAN tunnels

About VXLAN multicast configuration

In a VMware vSphere 5.1 environment, you can configure VXLAN without knowing all the remote tunnel endpoints. The BIG-IP® system uses multicast flooding to learn unknown and broadcast frames. VXLAN can extend the virtual network across a set of hypervisors, providing L2 connectivity among the hosted virtual machines (VMs). Each hypervisor represents a VXLAN tunnel endpoint (VTEP). In this environment, you can configure a BIG-IP system as an L2 VXLAN gateway device to terminate the VXLAN tunnel and forward traffic to and from a physical network.