Introduction
This article is part of a series on deploying BIG-IPs with bypass switches and network packet brokers. These devices allow for the transparent integration of network security tools with little to no network redesign and configuration change. For more information about bypass switch devices refer to https://en.wikipedia.org/wiki/Bypass_switch; for network packet brokers, refer to https://www.ixiacom.com/company/blog/network-packet-brokers-abcs-network-visibility and https://www.gigamon.com/campaigns/next-generation-network-packet-broker.html. The article series introduces network designs to forward traffic to the inline tools at layer 2 (L2).
F5’s BIG-IP hardware appliances can be inserted in L2 networks. This can be achieved using either virtual Wire (vWire) or by bridging 2 Virtual LANs using a VLAN Groups.
This document covers the design and implementation of the IXIA Bypass Switch/Network Packet Broker in conjunction with the BIG-IP i5800 appliance and Virtual Wire (vWire).
This document focus on IXIA Bypass Switch / Network Packet Broker. For more information about architecture overview of bypass switch and network packet broker refer to https://devcentral.f5.com/s/articles/L2-Deployment-of-vCMP-guest-with-Ixia-network-packet-broker?tab....
Previous articles focused on configuration and scenarios specific to tagged frames whereas this article will be focusing on configuration and scenarios specific to untagged frames.
Network Topology
Below diagram is a representation of the actual lab network. This shows deployment of BIG-IP with IXIA Bypass Switch and Network Packet Broker.
Figure 1 - Deployment of BIG-IP with IXIA Bypass Switch and Network Packet Broker
Please refer Lab Overview section in https://devcentral.f5.com/s/articles/BIG-IP-L2-Deployment-with-Bypasss-Network-Packet-Broker-and-LAC... for more insights on lab topology and connections.
Hardware Specification
Hardware used in this article are
- IXIA iBypass DUO ( Bypass Switch)
- IXIA Vision E40 (Network Packet Broker)
- BIG-IP - i5800
- Arista DCS-7010T-48 (all the four switches)
Software Specification
Software used in this article are
- BIG-IP 16.1.0
- IXIA iBypass DUO 1.4.1
- IXIA Vision E40 5.9.1.8
- Arista 4.21.3F (North Switches)
- Arista 4.19.2F (South Switches)
Switch Configuration
Most of switch configurations are same as mentioned in below article
Only difference is specific to port-channel configurations as below
North Switch1:
interface Port-Channel513
switchport access vlan 513
mlag 513
interface Ethernet50
channel-group 513 mode active
North Switch2:
interface Port-Channel513
switchport access vlan 513
mlag 513
interface Ethernet50
channel-group 513 mode active
South Switch1:
interface Port-Channel513
switchport access vlan 513
mlag 513
interface Ethernet50
channel-group 513 mode active
South Switch2:
interface Port-Channel513
switchport access vlan 513
mlag 513
interface Ethernet50
channel-group 513 mode active
Ixia iBypass Duo Configuration
Most of Ixia Bypass Switch configurations are same as mentioned in below article
Only difference is specific to Heart Beat configurations as below
Figure 2 - Heartbeat Configuration of Bypass Switch 1 ( A side)
Figure 3 - Heartbeat Configuration of Bypass Switch 1 ( B side)
Figure 4 - Heartbeat Configuration of Bypass Switch 2 ( A side)
Figure 5 - Heartbeat Configuration of Bypass Switch 2 ( B side)
Note: In previous articles, explicit vlans are configured in Bypass switch, as frames are tagged. As this article focuses on untagged frames, no vlans specified in the configuration
IXIA Vision E40 Configuration
Most of the configurations are same as mentioned in below articles specific to their deployments
https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-By...I
Only difference is Inline Tool Sharing will be enabled and VLAN Translation will be disabled. As frames are untagged, there won't be any tag in packet to get translated, so Inline Tool Sharing should be enabled. Enabling Inline Tool Sharing will automatically disable VLAN Translation in NPB. This configuration applies same to both Single and Multiple Service Chain Deployment.
Figure 6 - Inline Tool Sharing Enabled
BIG-IP Configuration
BIG-IP configurations are exactly same as mentioned in below articles specific to their deployments
https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-By...I
Scenarios and Observations
All the test scenarios and observations are exactly same as mentioned below articles for both Single and Multiple Service Chain deployments.
https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-By...I
This article specifies the exact configuration needed for deploying BIG-IP with IXIA Bypass Switch and NPB if frames are sent as untagged.
Conclusion
This article covers BIG-IP L2 Virtual Wire Passthrough deployment with IXIA for Untagged traffic. IXIA configured using Single Service Chain / Multiple Service Chain. Observations of this deployment are as below
- Tool Sharing will add extra tag ( 2001 and 2002) to the untagged frames before sending to BIG-IP
- BIG-IP receives tagged (2001 and 2002)) packets, as NPB adds extra tag.
- Tagged frames which reaches NPB will be dropped, as VLAN translation is disabled.
- All other traffic specific observations are same as below articles specific to their mentioned deployment
https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-By...I
All the articles in IXIA- BIG IP series are specific to passthorugh mode, LACP termination in BIG IP cannot be achieved. In these articles, NPB is configured to redirect LACP and hence passthrough mode works fine. LACP termination in BIG IP cannot be achieved due to below limitations
- For VLAN Translation in NPB, LACP packet must be bypassed using Redirect Heart Beat features inside Bypass Port Pair configuration, as requirement for VLAN translation. All traffics must be in VLAN tag and VLAN translation must be configured.
- No LACP Termination can be done, as link must be established first before passing packets due to point 1 for VLAN Translation and with Tool Sharing LACP packets will be tagged, which result different packet when it reach Inline BIG-IP.
