F5 101 – Part 5: Troubleshooting Network and Applications Part 2
June 28, 2023

6. Layer 2 Connectivity Issues Part 1

Now let’s troubleshoot layer connectivity issues. In our diagram, we have three servers, and each servers are residing in three different Vlans. We have server one in vlan ten with an IP address of 172 1610 one, server two in Vlan 20 with an IP address of 22, and server three in vlan 30 with an IP address of 33. They are connected to this switch. And we already informed by the network guy managing this switch that these servers are correctly configured in their corresponding Vlan. Also, when we connect when we connect a server, for example a server with an IP address of 170 216 ten two in vlan ten, it will be able to successfully communicate with the first server.

And it also works with other servers. Let’s say this is vlan 2025, for example, it will be able to communicate with a second server.  All right? We also have a big IP device in our big IP device. It is connected to the switch in this interface one three to switch interface e one. Now, the issue here is, despite of the big IP self IP address configuration, we have self IP address ten with an IP address of 170 216 1031. It’s unable to communicate with the first server. We also have the second self IP address with a 170 216 2031 IP address unable to communicate to the second server.

It’s the same with the first self IP unable to communicate with the third server. Now, based on all of the requirements, it seems to me that the issue is it’s in between the switch and the big IP device. Please think what protocol or what feature that needs to be configured needs to be enabled and verified for us to be able to communicate from big IP device to the three servers. All right, this is an interface that should be carrying three Vlans vlan 1020 and 30 in the big IP device uninterface. One three should also be carrying three Vlans self IP ten in vlan. Ten, self IP 20 in Vlan 20, and self IP 30 in Vlan 30.

In order for us to send packets or in this case frame and packets from one link from one switch to the big IP, we need to enable this to interface with an eight, two one Q protocol, not only in the switch as well as in our F five interface one three again eight two one Q protocol. This is also known as the tag interface, where we can carry not just one Vlan, but multiple Vlans. Okay? All right. Now, when we enable this, we should be able to communicate from self IP ten to Server one, self IP 20 to server two, self IP 32, server three, three different Vlans, different server one link in between switch and big IP device.

7. Layer 2 Connectivity Issues Part 2

Now, we already enabled 802 one Q on both switch interface eone and big IP interface one three. We are now able to communicate and reach these servers. Self IP Ten to Server One. Self IP 30 to Server Three. So big IP able to reach all nodes except for this node. It’s the server Two with an IP address of 170 216 22. And again, all nodes are in three different Vlans. Physical connection from big IP to the switch is working properly. Also, Vlan configuration on switch is also reported working properly. Now, it seems that the issue is still related to 802 because we were able to now reach Server One and Server Three. So there was an improvement except for Server Two.

What maybe caused the issue? Now, if you think about it, what is the possible issue when it comes to 802 one Q or tagged interface configuration? There’s only two possible answers here. One is on the switch side and one is on the big IP side. This interface E one. Let’s say we already enabled eight two one Q protocol. And in other vendors, this eight two one Q. Once you enable it, it will carry all Vlans vlan one two, the highest Vlan 4000 plus it really depends on the vendor. It is possible that they limit the Vlan that needs to be carried in this E one interface. It’s possible that Vlans ten and Vlans 30 are added in this eight two one Q port, but not Vlan 20.

That is one possible answer. The other answer is on the big IP device configuration and in big IP. As we’ve already discussed in our previous section, there are two steps. One is create a Vlan 20, create a Vlan 20 and assign it on this interface one. Three as tan interface, you already created a Vlan 20 and you also need to add the Vlan ID, which is 20. Once you created the Vlan 20, you must associate this to our self IP 20 with an IP address of 170 216 2031, because this will only allows us to create an IP address to that Vlan that we created. So again, there are only two reasons why the big IP is still unable to communicate with the second server.

One is on the Swiss side. Vlan 20 is not added on this eight two one Q port. And the other reason might be on the big IP side. It’s possible that Vlan 20 is still not created, or it’s possible that Vlan 20 still is already created but not yet assigned to the self IP 20. I’m here in our Fib IP device and I’m going to show you how to create a tagged interface and assign it to multiple Vlans. And this Vlans that we created will also be assigned to three self IP addresses. First, I will go to the network module. I will click Network and I’m going to select Vlan list under Vlan. You see that we already have two Vlans, the external and the internal. I’m going to click Create because we want to create a new Vlan.

We’ll name it Vlan Ten. And we’re also going to add a tag ID or a Vlan ID Ten. I’m going to select Interface One Three and select Tagging as Tag. I’m going to click Add. Now, what we’re about to do is we are creating a Tab interface and assign Vlantin as one of the Vlans to be carried on this link. There you go. I’m going to click Create because we still want to add more Vlans. For this tab interface, I’m going to assign or add Tag ID 20 and I’m going to repeat the same process. I will select Interface One Three. And under Tagging I will select Tag. I will click add, click finish. I’m going to hit Create again. This time I’m going to name it Vlan 30, and under Tag I’m going to add ID 30, interface One Three and Tag.

In tag click finish. Again. There we go. We have three Vlans and they’re all using the same interface one three. And this interface is 802 one Q enabled. Next is I will create a self IP address, and I’m going to name our self IP self IP Ten. For the IP address 172 dot 1610 dot one. I will use a net mask for slash 24 prefix. And as you see here under Vlan, it is already assigned Vlant. Because we are mapping the Vlanten we created for this specific self IP address. I’m going to click finish. Now, next is I will create the second self IP address. I will name it Self IP 20 and I will assign an IP address of 170 216 21 with a net mask of again, two for five to five to 50.

And under Vlan, I will select Vlan 20 click finish. All right, in this case, we are unable to assign this IP address because it is already assigned by a full member. Okay, what I can do is I can remove the full member, but I will just create the second self IP address, which is Self IP 30. And I’m going to use 170 216 33 with a net mask of 245-2550. I will assign Vlan 30. And there you go. Now, again, this is just an example. It is recommended not to use a self IP address that is already assigned to a pool member or to a Note, even if they are in different subnet or network. And that’s how you create a Vlan assigned to a tab interface. And that Vlan will be assigned to a Self IP address.

8. Layer 2 Connectivity Issues Part 3

This exercise is a bit different because we are using layer three switch. We also have two interfaces. And these two interfaces is assigned to a Vlan. This two Vlans also has a corresponding IP addresses. We have Vlan ten assigned to e three with an IP address of one. Nine 2116 has a Vlan 20 assigned with an IP address of 1921-6827. And this IP address supposed to be the default gateway on both the server and the PC. So they should be able to communicate to each other. And we also have these two hosts. They have IP address and obviously in two different networks. They also have Mac addresses for AC, three for the PC, and four AA two for the server.

Now, our questionnaire is we have verified that the PC and the server Mac address both have an entry in its comp table. Now you are troubleshooting, but you don’t see both entries in the art table. What causes this issue? Now, you may get this kind of question in your exam, but you don’t have any other resources. No routing table, no configuration, but you have exam options. So these are the options. First, they’re not in the same network. Well, that’s why we needed a layer three device so they can route traffic from one network to the other. So this would be an incorrect answer. And as you can see, both server and the PC, they are in a different network. Both are assigned to a different Vlans as well.

We also have the second option. It says no default gateway configured in one or both hosts. Now, this is a little more sense. We don’t have a configuration, so there’s no way for us to verify. So I will leave this as a question mark. Let’s check also the third and fourth option, option C. They’re not in the same Vlan. Well, like what we have in the first option, it’s supposed to be in two different networks in two different Vlans. So the third option is probably incorrect. The fourth option is we are required to enable a dynamic routing protocol. All right, so this is a layer three switch, right? A layer three device for us to route one network to another. It’s either we enable a routing protocol to learn this network from other devices since we only have one network device.

And this network device is directly connected to a switch 100% guarantee that this two network is already learned and is already in its routing table. So we don’t need to enable any routing at all because these two networks are already in the routing table. The layer three device itself will do the routing on its own, locally. So the fourth option is again incorrect. Now we will go in the lab and demonstrate to you why the second option is the correct answer. I’m back in my switch cli. And first let’s verify our cam table. I’m going to run Show Mac address table and from here let’s check first if we added or if we see both entries. So these are the two madras of the PC and the server.

Both are associated in gigabit port three and port four. Now, we’ve already talked about this in our previous example that we are using a layer three switch. That is why there are Vlans associated vlan ten for the PC one or the PC and vlan 20 for the server. But this is not really related to the issue. Our issue is we are not seeing complete entries in our art table. So let’s verify the art table. I’m going to enter Show IP arp hit enter. And as you can see, what we have here is only the IP address of the default gateway ten, seven and 27. Now I’m going to initiate a traffic from our PC to the server. From PC, I will initiate a traffic towards to the server. So I will use a ping command ping. 192 168 22. Request is time out.

Let’s wait if there are improvements. Still timeout. The 40 is time out and we sent four ITMP requests. Zero, received or lost 100%. Now let’s verify the arp table. When I enter show IP arp. There is an improvement. As you can see, the IP address of the PC 192, 168, ten one is now added in the arp table. But the IP address of the server is not yet here. That means the PC was able to send the packet to the server, but the server wasn’t able to send back the return packet to the layer three switch, interface vlan 20. Based on the option, the second one has the most sense. It seems like the server doesn’t have a default gateway to the router. That is why it’s not even responding and in the art is not adding its entries.

Now, what I’m going to do is I will log into the server and add its default gateway and let’s verify if there are some improvements I’m in the server and again I am going to add the default gateway. Let’s set the visibility from PC to the server. Now I can ping the server. Let’s check the switch if the arp entry for the server has been added. All right. 192, 168 22, which is the IP address of the server is now added to our arp table. So this is verified. That the reason why we are not getting the complete arp table entries because the server doesn’t have a default gateway configured. What is arp again? This is a protocol used to discover Mac address associated with a given IP address. The first time we log into our layer three switch, we verify our table and we see two entries.

These are the interface vlan ten Mac address associated with this IP address. We also see interface Vlan 20 Mac address associated with its IP address as well. We do this so that the layer three switch able to forward packet in this two or between these two subnet. Okay. As we attempt sending packet from our PC to the server via layer three switch, we also add our third arp entry. This is the PC’s, Mac and IP address. We do this so the return packet from server comes back successfully. But in our lab demonstration the layer three switch Interface vlan 20 IP address, we’re not able to receive the return traffic from the server. Why? Because the server has no default gateway configured.

And what we did next is we just added default gateway in our server as we send the second packet or attempt to our server, the server was able to send the return packet to the interface vlan 20 IP address. And as the layer three switch received this return packet from the server, we also added the Fort entry. This is the server’s Mac and IP address as the switch three or the layer three switch receive the packet from the server, it also routes the package to the Vlantin network and send the return packet to the original center, which is the PC. After adding the default gateway in our server, we were able to see four arp entries in our arp table.

9. Layer 2 Connectivity Issues Part 4

You just recently deployed a big IP active standby pair. What feature do you need to enable to optimize big IP? High Availability what I have here is a pair of big IP, and we have three pool members added to Http pool. And this is associated to Httpvs with an IP address of 1010 1100, listening to port 80 with a Mac address of AAA and this virtual server, this application object is active in the first big IP because this is also the active device of our big IP pair. Now, this Mac address is learned by the upstream switch, switch One. So, in switch one we have quadruple A, and this is learned via ethernet one. This entry is already added in our camp table.

We also have our switch two. And the switch two also has learned the Mac address for Drupala, and this time via e four. Now, this is how it will forward traffic. If we have an incoming request from the first switch, it will forward it out to e one because this is where it learned the Mac address of our virtual server. Now, if the Http request is coming from the second switch, it will forward it out to e four. Switch one will receive it and forward it out via e one. Okay, that’s what’s happening. And this is very easy. We’ve already talked about this from our previous section. Now, what will happen if the first big IP device fails? This is currently the active device. When it failed, it will fail over to the second big IP device.

And this second big IP device will be the new active VGIP. Now, the application objects will also float from the first big IP device to the second one. Here’s the question. What if we have an incoming traffic from the first switch, let’s say coming traffic by the first switch? Will it forward it again to e one? And what if we have an incoming traffic from the second switch? Will it forward it again out to e four so it will reach switch one? I would like to pause the video and think what will happen. The only answer to the question is yes or no. If your answer is yes, you are correct, because this map address entries are still in switch one and switch two’s cam table.

Now, how do you update these entries? Well, we have a couple of options. The first option is to wait for five minutes. That is by default on most switch vendors. This allows our switch to flush the map address table and update its entries. The second option will be you have to log into both switches unclear, or reset this Mac address table manually. Now, either of these is something that you would not want to do in a real world. That’s good, because we have a better option. This is what we called mac masquerading. And Mac Masquerading, how it works is something like this. So we have our first device failed, and we know that it will fail over to the second big IP device.

Now, as the second big IP device becomes the new Active, what it will also do is it will send a gratuitous arp to the second switch. The second switch will receive an update from the big IP or the second one, and the big IP two will say hey, I am sending you Aggratuitous art because I already have the 1010 one 10 IP address with the Mac address of AAA. It will tell to the switch to please update your map address table and the switch to will do that. So this Quadruple A will now be learned via e one. It will also notify the first switch to update its cam table. Quadruple A will now be learned via e four. Now, here’s what’s going to happen after the update.

When we have an incoming traffic from switch to, it will not forward it out to e four. Instead, it will forward it out to e one and the big IP will receive it process the traffic that is configured to our Http virtual server. Okay, the final question is how do we enable masculating? Is it enabled under virtual server? So we have our virtual server here, let me just remove this. I will just say active. So we have a virtual server and it’s soliciting 1010 100 port 18. Now again, will we configure our Mac Masquerading here? Think about it. The answer is no. Why? Because Mac mascarading is a High Availability feature, so it needs to be enabled under device management.

So, device management and under device management, we select the traffic group that is associated to our virtual address. Let’s say it’s traffic group one that is associated to the virtual address 1010 100. And take note, we’re talking about virtual address, not the virtual server. The virtual address of this http underscore vs is 1010 100. This is where we configure our Macmasque rating under the traffic group one, where we provide or add a custom Mac address value. Again. Mac Masquerading is one way to optimize our fib IP in High Availability Mode.

Leave a Reply

How It Works

Step 1. Choose Exam
on ExamLabs
Download IT Exams Questions & Answers
Step 2. Open Exam with
Avanset Exam Simulator
Press here to download VCE Exam Simulator that simulates real exam environment
Step 3. Study
& Pass
IT Exams Anywhere, Anytime!