1. If you can, make your external VLAN on a separate interface from the
dot1q trunk. This is just good security practice. In theory, it's not
possible to send VLAN tags over a WAN link or the Internet, but no
security manager would suggest you do that.

2. You can if you VLSM it. The bigip works on L3, it routes each packet,
even between virtual sub-interfaces on a dot1q trunk. The VIPs will be
processed if the packet contains the VIP in the destination field of the
packet. No matter which interface it came in on. If there is a way to
make a VIP only "face" some interfaces, I'd like to know how. You could
maybe use ACLs (filters) to stop some VIPs from being reached on some

3. Trunk both F5 switches to the core etherswitch using dot1q, create
floaters for each virtual sub-interface. Sync the two. The nature of the
failover subsystem is such that you can't make some of the virtuals
primary and some backup, one box needs to be the VRRP primary for all

4. It would be best to set up some sort of MRTG graph of your gig port
on the etherswitch to determine this. Traffic will come up the trunk
with one VLAN tag, get stripped, routed, and a new VLAN tag pushed onto
the frame as the packets arrive, are ordered and processed. The BIGIP
2000 class can't route a gig worth of traffic between two gig
interfaces using an average of 64-byte packets. If the number of flows
doesn't kill the state table, the sheer amount of traffic will. On ours,
I've seen about 500k flows run about 500Mb sustained, which is pretty
good, but that had the box humming. I'd need a Smartbits or IXIA to
generate more traffic than our production net.

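Point 2 above says the three internal VLANs can only share one address block if it is VLSM'd into non-overlapping subnets, and that the BIG-IP forwards by destination address regardless of ingress VLAN. The following is an added illustration written for this thread, not code from the original posts or from F5: it carves a block into per-tier subnets largest-first, flags the overlap you get if the same subnet is simply reused on every VLAN, and shows which VLAN a destination address resolves to by longest-prefix match. The block 10.1.0.0/24 and the host counts are constructed sample values.

```python
import ipaddress
from itertools import combinations


def vlsm_plan(block, requirements):
    """Carve `block` into non-overlapping subnets, one per name in `requirements`.

    requirements maps a VLAN name to the number of usable host addresses it
    needs. Allocating largest-first keeps every subnet aligned on its own
    size boundary, so a simple running cursor never produces a misaligned
    network. Returns {name: "a.b.c.d/prefix"}.
    """
    net = ipaddress.ip_network(block)
    cursor = int(net.network_address)
    end = int(net.broadcast_address) + 1
    plan = {}
    for name, hosts in sorted(requirements.items(), key=lambda kv: (-kv[1], kv[0])):
        # Smallest prefix whose usable host count (size minus network and
        # broadcast) still satisfies the request.
        prefix = 32
        while (2 ** (32 - prefix)) - 2 < hosts:
            prefix -= 1
        size = 2 ** (32 - prefix)
        if cursor + size > end:
            raise ValueError(f"{block} exhausted while allocating {name}")
        plan[name] = str(ipaddress.ip_network((cursor, prefix)))
        cursor += size
    return plan


def overlapping_vlans(plan):
    """Return sorted (a, b) name pairs whose subnets overlap.

    A clean VLSM plan returns []; reusing one subnet on several VLANs
    (the "same IP subnet for all three VLANs" question) returns every pair.
    """
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return sorted(
        (a, b) for a, b in combinations(sorted(nets), 2) if nets[a].overlaps(nets[b])
    )


def vlan_for(address, plan):
    """Longest-prefix match of `address` against the plan.

    Mirrors the L3 behaviour described in the reply: the decision depends
    only on the destination address, not on the VLAN the frame arrived on.
    Returns the VLAN name, or None if no subnet contains the address.
    """
    ip = ipaddress.ip_address(address)
    best = None
    for name, cidr in plan.items():
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[1]):
            best = (name, net.prefixlen)
    return best[0] if best else None


if __name__ == "__main__":
    # Constructed sample: one /24 split across the four VLANs in the thread.
    tiers = {"external": 50, "web": 100, "middle": 30, "db": 10}
    plan = vlsm_plan("10.1.0.0/24", tiers)
    for name, cidr in plan.items():
        print(f"{name:9s} {cidr}")
    print("overlaps:", overlapping_vlans(plan))          # []
    flat = {name: "10.1.0.0/24" for name in tiers}        # same subnet on every VLAN
    print("flat overlaps:", overlapping_vlans(flat))     # every pair
    print("10.1.0.200 ->", vlan_for("10.1.0.200", plan))  # middle
```

Running the script prints the four subnets, an empty overlap list for the VLSM plan, six overlapping pairs for the flat layout, and the tier that owns 10.1.0.200. The allocation loop deliberately rounds each request up to a power-of-two size; a request that leaves no usable addresses for a tier raises rather than silently truncating the plan.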
We are in the process of implementing bigip in our data center.
I have a few questions about the design and performance of the bigip in dot1q
interface mode. Can someone please help with a few issues?

Design consideration:

1. We have three internal VLANs to which we are connecting our real
web tier, middle tier and database tier servers.
2. There is one external VLAN with virtual IPs. The majority of VIPs are
mapped to the front-end web servers. Middle tier and database tier servers
are not talking to the Internet at all, but the web tier talks to the
middle tier and, tier talks to the database tier.
3. All servers are connected to two layer 2 switches, and those switches
are trunk-connected (dot1q) to the F5 BIG-IP gigabit port.

1. How can I configure the load balancing between the tiers?
2. Can I use the same IP subnet for all three VLANs?
3. How do I configure this design with dual F5s in redundant mode?
4. Are there any performance issues on the gigabit port, since all traffic is
passing through it?

Any input from all gurus is appreciated.


Alpesh Patel
Network Analyst

