BIG-IP L2 Virtual Wire LACP Passthrough Deployment with IXIA Bypass Switch and Network Packet Broker (Single Service Chain - Active / Standby)
Introduction
This article is part of a series on deploying BIG-IPs with bypass switches and network packet brokers. These devices allow for the transparent integration of network security tools with little to no network redesign and configuration change. For more information about bypass switch devices refer to https://en.wikipedia.org/wiki/Bypass_switch; for network packet brokers, refer to https://www.ixiacom.com/company/blog/network-packet-brokers-abcs-network-visibility and https://www.gigamon.com/campaigns/next-generation-network-packet-broker.html. The article series introduces network designs to forward traffic to the inline tools at layer 2 (L2).
F5’s BIG-IP hardware appliances can be inserted in L2 networks. This can be achieved using either Virtual Wire (vWire) or by bridging two VLANs using a VLAN group.
This document covers the design and implementation of the IXIA Bypass Switch/Network Packet Broker in conjunction with the BIG-IP i5800 appliance and Virtual Wire (vWire).
This document focuses on the IXIA Bypass Switch / Network Packet Broker. For an architecture overview of the bypass switch and network packet broker, refer to https://devcentral.f5.com/s/articles/L2-Deployment-of-vCMP-guest-with-Ixia-network-packet-broker?tab=series&page=1.
This article focuses on the Active / Standby configuration of Inline Tool Port Pairs in the IXIA NPB.
Network Topology
The diagram below represents the actual lab network. It shows the deployment of BIG-IP with the IXIA Bypass Switch and Network Packet Broker.
Figure 1 - Deployment of BIG-IP with IXIA Bypass Switch and Network Packet Broker
Please refer to the Lab Overview section in https://devcentral.f5.com/s/articles/BIG-IP-L2-Deployment-with-Bypasss-Network-Packet-Broker-and-LACP?tab=series&page=1 for more insight into the lab topology and connections.
Hardware Specification
Hardware used in this article:
- IXIA iBypass DUO (Bypass Switch)
- IXIA Vision E40 (Network Packet Broker)
- BIG-IP
- Arista DCS-7010T-48 (all the four switches)
Software Specification
Software used in this article:
- BIG-IP 16.1.0
- IXIA iBypass DUO 1.4.1
- IXIA Vision E40 5.9.1.8
- Arista 4.21.3F (North Switches)
- Arista 4.19.2F (South Switches)
Switch and Ixia iBypass Duo Configuration
Switch and IXIA iBypass configurations are the same as described in the article below.
IXIA Vision E40 Configuration
Most of the configuration is the same as described in https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I. In this article, the Inline Tool Port Pairs are configured as Active / Standby in Tool Resources, as shown below.
Figure 2 - Configuration of Tool Resources
Here the BIG IP1 Inline Tool Port Pair is Active and the BIG IP2 Inline Tool Port Pair is Standby. Traffic initially passes through the BIG IP1 Inline Tool Port Pair; once it goes down, BIG IP2 becomes active.
BIG-IP Configuration
Most of the configuration is the same as described in https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I. In this article, vWire is configured with Link State Propagation disabled, as shown below.
Figure 3 - Configuration of Virtual Wire
Note: The previous article covered Propagate Virtual Wire Link Status enabled, so here the plan is to disable Propagate Virtual Wire Link Status and test the scenarios. Both enabling and disabling Link State Propagation work for both the Active / Active and Active / Standby configurations of Inline Tool Port Pairs in the NPB.
Scenarios
Because LACP passthrough mode is configured on the BIG-IP, LACP frames pass through the BIG-IP and LACP is established between the North and South Switches. ICMP traffic is used to represent network traffic from the north switches to the south switches.
Scenario 1: Traffic flow through BIG-IP with North and South Switches configured in LACP active mode
The configurations above show that all four switches are configured in LACP active mode.
Figure 4 - MLAG after deployment of BIG-IP and IXIA with Switches configured in LACP ACTIVE mode
Figure 4 shows that port-channel 513 is active on both the North Switches and the South Switches.
Figure 5 - ICMP traffic flow from client to server through BIG-IP
Figure 5 shows that the server is reachable over ICMP from the client through the BIG-IP. This verifies test case 1: LACP is established between the switches and traffic passes through the BIG-IP successfully.
Scenario 2: Active BIG-IP link goes down with link state propagation disabled in BIG-IP
Figure 3 shows Propagate Virtual Wire Link Status enabled in BIG-IP. Figure 5 shows that interface 1.1 of the BIG-IP is the active incoming interface and interface 1.4 is the active outgoing interface. Disabling BIG-IP interface 1.1 brings the active link down, as shown below.
Figure 6 - BIG-IP interface 1.1 disabled
Figure 7 - Trunk state after BIG-IP interface 1.1 disabled
Figure 7 shows that the trunks are up even though interface 1.1 is down. As configured, North_Trunk has two member interfaces, 1.1 and 1.3, and one of them is still up, so the North_Trunk status is active.
Figure 8 - MLAG status with interface 1.1 down and Link State Propagation disabled
Figure 8 shows that port-channel 513 is active on both the North Switches and the South Switches. This shows that the switches are not aware of the link failure and that it is handled by the IXIA configuration.
Figure 9 - IXIA Bypass Switch after 1.1 interface of BIG-IP goes down
A Single Service Chain is configured, and it goes down only if both Inline Tool Port Pairs are down in the NPB. Bypass is therefore enabled only if the Service Chain goes down in the NPB. Figure 9 shows that Bypass is still not enabled on the IXIA Bypass Switch.
Figure 10 - Service Chain and Inline Tool Port Pair status in IXIA Vision E40 ( NPB )
Figure 10 shows that the Service Chain is still up because BIG IP2 (Inline Tool Port Pair) is active, whereas BIG IP1 is down. Figure 1 shows that P09 of the NPB is connected to interface 1.1 of the BIG-IP, which is down. Because the Tool Status of the active Inline Tool Port Pair is offline, the Standby pair becomes active.
Figure 11 - ICMP traffic flow from client to server through BIG-IP
Figure 11 shows that traffic still flows through the BIG-IP even though interface 1.1 of the BIG-IP is down. The active incoming interface is now 1.3 and the active outgoing interface is 1.4. Low-bandwidth traffic is still allowed through the BIG-IP because bypass is not enabled, and IXIA handles the rate-limiting process.
Scenario 3: When North_Trunk goes down with link state propagation enabled in BIG-IP
Figure 12 - BIG-IP interfaces 1.1 and 1.3 disabled
Figure 13 - Trunk state after BIG-IP interfaces 1.1 and 1.3 disabled
Because Propagate Virtual Wire Link State is disabled, only North_Trunk is down.
Figure 14 - IXIA Bypass Switch after 1.1 and 1.3 interfaces of BIG-IP go down
Figure 15 - ICMP traffic flow from client to server bypassing BIG-IP
Conclusion
This article covers the BIG-IP L2 Virtual Wire Passthrough deployment with IXIA. IXIA is configured with a Single Service Chain, and the Tool Resource is configured with Active / Standby Inline Tool Port Pairs. The observations from this deployment are as follows:
- VLAN Translation in IXIA NPB will convert real VLAN ID (513) to Translated VLAN ID (2001 and 2002)
- BIG-IP will receive packets with translated VLAN ID (2001 and 2002)
- VLAN Translation needs all packets to be tagged; untagged packets will be dropped.
- LACP frames are untagged, so bypass is configured in the NPB for LACP.
- Tool Sharing needs to be enabled to allow untagged packets, which adds an extra tag. This type of configuration and testing will be covered in upcoming articles.
- With a Single Service Chain, if any one of the Inline Tool Port Pairs goes down, low-bandwidth traffic is still allowed to pass through the BIG-IP (tool).
- If any of the Inline Tool links goes down, IXIA decides whether to bypass or rate limit. The switches remain unaware of the change.
- With a Single Service Chain, if the Tool Resource is configured with Inline Tool Port Pairs in Active / Standby state, the primary Port Pair is active, and if the primary Port Pair goes down, the Standby becomes active.
- Multiple Service Chains in the IXIA NPB can be used instead of a Single Service Chain to remove the rate-limiting process. This type of configuration and testing will be covered in upcoming articles.
- If BIG-IP goes down, IXIA enables bypass and ensures there is no packet drop.
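The failover behaviour observed in Scenarios 1 to 3 can be written down as a small state model. This is an added example, not F5 or IXIA code; it also reports whether traffic is still inspected by the BIG-IP. The interface numbers and pair names come from the article, while the mapping of BIG IP2 to interface 1.3 is inferred from Scenarios 2 and 3, and the function and field names are illustrative.

```python
# Added illustration (not vendor code): stateless model of the Active/Standby
# failover described in this article. Failback after recovery is not modelled.
from dataclasses import dataclass
from typing import Optional

# Inline Tool Port Pairs in priority order (Active first, then Standby), keyed
# to the BIG-IP north-side interface each one depends on. South-side links are
# left out because none of the article's scenarios fails them.
# Assumption: BIG IP2 maps to 1.3 (inferred from Scenarios 2 and 3).
PORT_PAIRS = [("BIG IP1", "1.1"), ("BIG IP2", "1.3")]
NORTH_TRUNK = ("1.1", "1.3")  # North_Trunk members on the BIG-IP


@dataclass
class State:
    north_trunk_up: bool         # trunk stays up while any member is up
    active_pair: Optional[str]   # pair carrying traffic, None if all offline
    service_chain_up: bool       # down only when every pair is offline
    bypass_enabled: bool         # bypass switch reacts to the service chain
    inspected: bool              # True while traffic still crosses the BIG-IP


def evaluate(down_interfaces):
    """Return the resulting State for a set of disabled BIG-IP interfaces."""
    down = set(down_interfaces)
    # A pair's Tool Status goes offline when its BIG-IP interface is down.
    online = [name for name, intf in PORT_PAIRS if intf not in down]
    chain_up = bool(online)
    return State(
        north_trunk_up=any(i not in down for i in NORTH_TRUNK),
        active_pair=online[0] if online else None,
        service_chain_up=chain_up,
        bypass_enabled=not chain_up,
        inspected=chain_up,
    )


if __name__ == "__main__":
    # Interface sets disabled in Scenarios 1, 2 and 3 respectively.
    for label, down in [("Scenario 1", []), ("Scenario 2", ["1.1"]),
                        ("Scenario 3", ["1.1", "1.3"])]:
        print(label, evaluate(down))
```

In this model the `inspected` field turns false only in Scenario 3, when the bypass switch forwards traffic around the BIG-IP.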