BIG-IP L2 Virtual Wire LACP Passthrough Deployment with Gigamon Network Packet Broker - II


This article is part of a series on deploying BIG-IPs with bypass switches and network packet brokers. These devices allow for the transparent integration of network security tools with little to no network redesign and configuration change. For more information about bypass switch devices refer to; for network packet brokers, refer to and The article series introduces network designs to forward traffic to the inline tools at layer 2 (L2).

This article covers the design and implementation of one-to-one mapping on the Gigamon Bypass Switch / Network Packet Broker in conjunction with a BIG-IP i5800 appliance and Virtual Wire (vWire) in LACP Passthrough Mode. The previous article focused on group mapping in Gigamon, which is ideal only for untagged packets. One-to-one mapping in Gigamon does not insert an additional tag, so it is ideal for both tagged and untagged packets.

Network Topology

The diagrams below represent the actual lab network and show the deployment of BIG-IP with Gigamon.

Figure 1 - Topology with MLAG and LAG before deployment of Gigamon and BIG-IP

Figure 2 - Topology with MLAG and LAG after deployment of Gigamon and BIG-IP

Figure 3 - Connection between Gigamon and BIG-IP

Hardware Specification

The hardware used in this article is:

  • BIG-IP i5800
  • GigaVUE-HC1
  • Arista DCS-7010T-48 (all the four switches)

Note: All interfaces/ports run at 1G speed.

Software Specification

The software used in this article is:

  • BIG-IP 16.1.0
  • GigaVUE-OS 5.7.01
  • Arista 4.21.3F (North Switches)
  • Arista 4.19.2F (South Switches)

Switch Configuration

The switch configuration is the same as in the previous article.

Gigamon Configuration

In this article, Gigamon is configured without Inline Network Groups and Inline Tool Groups. For GUI and port configurations of Gigamon refer The command-line configuration of Gigamon is given below.

Inline-network Configurations:

inline-network alias Bypass1
 pair net-a 1/1/x1 and net-b 1/1/x2
 physical-bypass disable
 traffic-path to-inline-tool
inline-network alias Bypass2
 pair net-a 1/1/x3 and net-b 1/1/x4
 physical-bypass disable
 traffic-path to-inline-tool
inline-network alias Bypass3
 pair net-a 1/1/x5 and net-b 1/1/x6
 physical-bypass disable
 traffic-path to-inline-tool
inline-network alias Bypass4
 pair net-a 1/1/x7 and net-b 1/1/x8
 physical-bypass disable
 traffic-path to-inline-tool

Inline-tool Configurations:

inline-tool alias BIGIP1
 pair tool-a 1/1/x9 and tool-b 1/1/x10
inline-tool alias BIGIP2
 pair tool-a 1/1/x11 and tool-b 1/1/x12
inline-tool alias BIGIP3
 pair tool-a 1/1/g1 and tool-b 1/1/g2
inline-tool alias BIGIP4
 pair tool-a 1/1/g3 and tool-b 1/1/g4

Traffic map connection configuration:

map-passall alias lacp1bypass
 roles replace admin to owner_roles
 to BIGIP1
 from Bypass1
map-passall alias lacp4bypass
 roles replace admin to owner_roles
 to BIGIP4
 from Bypass4
map-passall alias lacpbypass2
 roles replace admin to owner_roles
 to BIGIP2
 from Bypass2
map-passall alias lacp3bypass
 roles replace admin to owner_roles
 to BIGIP3
 from Bypass3

In this article, Traffic Flow Maps are configured between individual Inline-network pairs and Inline-tool pairs, so traffic from a specific Inline-network is forwarded to a specific Inline-tool. If any Inline-tool goes down, the related Inline-network enables bypass for that specific flow.

Figure 4 - Example GUI configuration of Traffic Flow Map
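
The following is an added example, not part of the original article or of Gigamon's tooling: a Python check that parses map-passall stanzas in the format shown above, confirms the Inline-network to Inline-tool mapping is one-to-one, and lists which Inline-networks stop being inspected by BIG-IP when given Inline-tools are down. The function names are hypothetical, and the rule that a failed tool puts its mapped network into bypass is the behaviour described in this article.

```python
import re
from collections import Counter

# Map stanzas abridged from the traffic map configuration above (roles lines omitted).
SAMPLE = """\
map-passall alias lacp1bypass
 to BIGIP1
 from Bypass1
map-passall alias lacp4bypass
 to BIGIP4
 from Bypass4
map-passall alias lacpbypass2
 to BIGIP2
 from Bypass2
map-passall alias lacp3bypass
 to BIGIP3
 from Bypass3
"""

def parse_maps(config):
    """Return {map_alias: {"from": inline_network, "to": inline_tool}}."""
    maps, current = {}, None
    for line in config.splitlines():
        m = re.match(r"map-passall alias (\S+)", line)
        if m:
            current = maps.setdefault(m.group(1), {})
        elif not line.startswith(" "):
            current = None  # a different top-level stanza (inline-network, inline-tool, ...)
        elif current is not None:
            m = re.match(r"\s+(to|from)\s+(\S+)", line)
            if m:
                current[m.group(1)] = m.group(2)
    return maps

def mapping_violations(maps):
    """List problems that break the one-to-one network/tool mapping."""
    problems = [f"{a}: incomplete map" for a, e in maps.items() if set(e) != {"to", "from"}]
    for key in ("to", "from"):
        counts = Counter(e[key] for e in maps.values() if key in e)
        problems += [f"{name}: used by {n} maps" for name, n in counts.items() if n > 1]
    return problems

def uninspected_networks(maps, tools_down):
    """Inline-networks whose traffic skips BIG-IP while the given inline-tools are down."""
    return sorted(e["from"] for e in maps.values() if e.get("to") in tools_down and "from" in e)
```

Passing the set of Inline-tools reported down to `uninspected_networks` gives the flows that are currently forwarded without passing through BIG-IP, which is the state worth alerting on in a monitoring job.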

BIG-IP Configuration

BIG-IP configuration is exactly same as configuration mentioned in


As shown in Figures 2 and 3, the setup is completely up and functional. Because LACP passthrough mode is configured on BIG-IP, LACP frames pass through BIG-IP and LACP is established between the North and South Switches. ICMP traffic is used to represent network traffic from the north switches to the south switches.

Scenario 1: Traffic flow through BIG-IP with North and South Switches configured in LACP active mode

The above configurations show that all four switches are configured in LACP active mode.

Figure 5 - MLAG and LAG status after deployment of BIG-IP and Gigamon with Switches configured in LACP ACTIVE mode

Figure 5 shows that port-channels 120 and 121 are active at both the North Switches and the South Switches. The above configuration shows MLAG configured at the North Switches and LAG configured at the South Switches.

Figure 6 - ICMP traffic flow from client to server through BIG-IP

Figure 6 shows that the server is reachable over ICMP from the client through BIG-IP. This verifies test case 1: LACP is established between the switches and traffic passes through BIG-IP successfully.

Scenario 2: Active BIG-IP link goes down in BIG-IP

Figure 6 shows that interface 1.1 of BIG-IP is the active incoming interface and interface 1.2 of BIG-IP is the active outgoing interface. Disabling BIG-IP interface 1.1 brings the active link down, as shown below.

Figure 7 - BIG-IP interface 1.1 disabled

Figure 8 - Trunk state after BIG-IP interface 1.1 disabled

Figure 8 shows that all the trunks are up even though interface 1.1 is down. As per the configuration, Left_Trunk1 has two interfaces connected to it, 1.1 and 2.3, and one of them is still up, so the Left_Trunk1 status is active. In the previous article, individual trunks were configured and the status of Left_Trunk1 was down.

Figure 9 - MLAG and LAG status with interface 1.1 down

Figure 9 shows that port-channels 120 and 121 are active at both the North Switches and the South Switches. This shows that the switches are not aware of the link failure; it is handled by the Gigamon configuration.

Figure 10 - One of Inline Tool goes down after link failure

Figure 10 shows that the Inline Tool connected to interface 1.1 of BIG-IP goes down.

Figure 11 - Bypass enabled for specific flow

Figure 11 shows that the tool failure introduced bypass for Inline-network pair Bypass1 (interfaces 1.1 and 1.2).

If traffic hits interface 1.1, Gigamon sends it directly to interface 1.2. This shows that traffic bypassed BIG-IP.

Figure 12 - ICMP traffic flow from client to server bypassing BIG-IP

Figure 12 shows that the client reaches the server and no traffic passes through BIG-IP, which means the traffic bypassed BIG-IP.

Figure 13 - Port Statistics of Gigamon

Figure 13 shows that traffic reaches interface 1.1 of Gigamon and is forwarded to interface 1.2. Traffic is not routed to the tool, because bypass is enabled on that specific Inline-network.

In the same scenario, if traffic hits any Gigamon interface other than interface 1.1, it is routed to BIG-IP. Note that only one Inline-network pair enables bypass; the remaining 3 Inline-network pairs are still in the normal forwarding state.

Scenario 3: BIG-IP goes down and bypass enabled in Gigamon

Figure 14 - All the BIG-IP interfaces disabled

Figure 15 - Inline tool status after BIG-IP goes down

Figure 15 shows that all the Inline Tool pairs go down once BIG-IP is down.

Figure 16 - Bypass enabled in Gigamon

Figure 16 shows that bypass is enabled in Gigamon, which ensures there is no network failure. ICMP traffic still flows between the Ubuntu client and the Ubuntu server, as shown below.

Figure 17 - ICMP traffic flow from client to server bypassing BIG-IP


This article covers BIG-IP L2 Virtual Wire Passthrough deployment with Gigamon. Gigamon is configured with one-to-one mapping between Inline-network and Inline-tool. No Inline-network group or Inline-tool group is configured in Gigamon.

The observations from this deployment are as follows:

  1. Because one-to-one mapping is configured between Inline-network and Inline-tool, Gigamon inserts no additional tag.
  2. Because frames carry no additional tag when they reach BIG-IP, this configuration works for both tagged and untagged packets.
  3. If any Inline Tool link goes down, Gigamon handles the bypass. The switches remain unaware of the change.
  4. If any of the Inline Tool pairs goes down, the specific Inline-network enables bypass.
  5. If traffic hits a bypass-enabled Inline-network, the traffic bypasses BIG-IP.
  6. If traffic hits an Inline-network in the normal forwarding state, the traffic is forwarded to BIG-IP.
  7. If BIG-IP goes down, Gigamon enables bypass and ensures there is no packet drop.
Published Aug 16, 2021
Version 1.0
