BIG-IP L2 vWire LACP Passthrough Deployment with IXIA Bypass Switch and NPB (Tool Sharing Enabled)

Introduction

This article is part of a series on deploying BIG-IPs with bypass switches and network packet brokers. These devices allow for the transparent integration of network security tools with little to no network redesign and configuration change. For more information about bypass switch devices refer to https://en.wikipedia.org/wiki/Bypass_switch; for network packet brokers, refer to https://www.ixiacom.com/company/blog/network-packet-brokers-abcs-network-visibility and https://www.gigamon.com/campaigns/next-generation-network-packet-broker.html. The article series introduces network designs to forward traffic to the inline tools at layer 2 (L2).

F5’s BIG-IP hardware appliances can be inserted in L2 networks, either by using Virtual Wire (vWire) or by bridging two VLANs with a VLAN Group.

This document covers the design and implementation of the IXIA Bypass Switch/Network Packet Broker in conjunction with the BIG-IP i5800 appliance and Virtual Wire (vWire).

This document focuses on the IXIA Bypass Switch / Network Packet Broker. For an architecture overview of the bypass switch and network packet broker, refer to https://devcentral.f5.com/s/articles/L2-Deployment-of-vCMP-guest-with-Ixia-network-packet-broker?tab=series&page=1.

Previous articles focused on configuration and scenarios specific to tagged frames, whereas this article focuses on configuration and scenarios specific to untagged frames.

Network Topology

The diagram below represents the actual lab network and shows the deployment of BIG-IP with the IXIA Bypass Switch and Network Packet Broker.

Figure 1 - Deployment of BIG-IP with IXIA Bypass Switch and Network Packet Broker


Please refer to the Lab Overview section in https://devcentral.f5.com/s/articles/BIG-IP-L2-Deployment-with-Bypasss-Network-Packet-Broker-and-LACP?tab=series&page=1 for more insight into the lab topology and connections.

Hardware Specification

The hardware used in this article:

  • IXIA iBypass DUO (Bypass Switch)
  • IXIA Vision E40 (Network Packet Broker)
  • BIG-IP - i5800
  • Arista DCS-7010T-48 (all four switches)

Software Specification

The software used in this article:

  • BIG-IP 16.1.0
  • IXIA iBypass DUO 1.4.1
  • IXIA Vision E40 5.9.1.8
  • Arista 4.21.3F (North Switches)
  • Arista 4.19.2F (South Switches)

Switch Configuration

Most of the switch configuration is the same as described in the article below:

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I

The only difference is in the port-channel configuration, shown below:

North Switch1:

interface Port-Channel513
   switchport access vlan 513
   mlag 513
interface Ethernet50
   channel-group 513 mode active

North Switch2:

interface Port-Channel513
   switchport access vlan 513
   mlag 513
interface Ethernet50
   channel-group 513 mode active

South Switch1:

interface Port-Channel513
   switchport access vlan 513
   mlag 513
interface Ethernet50
   channel-group 513 mode active

South Switch2:

interface Port-Channel513
   switchport access vlan 513
   mlag 513
interface Ethernet50
   channel-group 513 mode active

Ixia iBypass Duo Configuration

Most of the Ixia Bypass Switch configuration is the same as described in the article below:

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I

The only difference is in the heartbeat configuration, shown below:

Figure 2 - Heartbeat Configuration of Bypass Switch 1 (A side)

Figure 3 - Heartbeat Configuration of Bypass Switch 1 (B side)

Figure 4 - Heartbeat Configuration of Bypass Switch 2 (A side)

Figure 5 - Heartbeat Configuration of Bypass Switch 2 (B side)


Note: In the previous articles, explicit VLANs were configured on the bypass switch because the frames were tagged. As this article focuses on untagged frames, no VLANs are specified in the configuration.

IXIA Vision E40 Configuration

Most of the configuration is the same as described in the articles below for the respective deployments:

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-II

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-III

 

The only difference is that Inline Tool Sharing is enabled and VLAN Translation is disabled. Because the frames are untagged, there is no tag in the packet to translate, so Inline Tool Sharing should be enabled. Enabling Inline Tool Sharing automatically disables VLAN Translation in the NPB. This configuration applies equally to Single and Multiple Service Chain deployments.

Figure 6 - Inline Tool Sharing Enabled


BIG-IP Configuration

The BIG-IP configuration is exactly the same as described in the articles below for the respective deployments:

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-II

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-III

Scenarios and Observations

All test scenarios and observations are exactly the same as described in the articles below for both Single and Multiple Service Chain deployments.

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-II

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-III

This article specifies the exact configuration needed for deploying BIG-IP with the IXIA Bypass Switch and NPB when frames are sent untagged.

Conclusion

This article covers the BIG-IP L2 Virtual Wire passthrough deployment with IXIA for untagged traffic, with IXIA configured using a Single Service Chain or Multiple Service Chains. The observations for this deployment are as follows:

  1. Tool Sharing adds an extra tag (2001 and 2002) to the untagged frames before sending them to the BIG-IP.
  2. The BIG-IP receives tagged (2001 and 2002) packets, because the NPB adds the extra tag.
  3. Tagged frames that reach the NPB are dropped, because VLAN Translation is disabled.
  4. All other traffic-specific observations are the same as in the articles below for the respective deployments:

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-I

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-II

https://devcentral.f5.com/s/articles/BIG-IP-L2-Virtual-Wire-LACP-Passthrough-Deployment-with-IXIA-Bypass-Switch-and-Network-Packet-Broker-III

All the articles in the IXIA and BIG-IP series are specific to passthrough mode; LACP termination on the BIG-IP cannot be achieved. In these articles, the NPB is configured to redirect LACP, so passthrough mode works fine. LACP termination on the BIG-IP cannot be achieved because of the following limitations:

  1. For VLAN Translation in the NPB, LACP packets must be bypassed using the Redirect Heart Beat feature in the Bypass Port Pair configuration, as a requirement of VLAN Translation. All traffic must carry a VLAN tag, and VLAN Translation must be configured.
  2. LACP termination cannot be done: with VLAN Translation, the link must be established before packets can pass (see point 1), and with Tool Sharing, LACP packets are tagged, so a different packet reaches the inline BIG-IP.
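
The tagging behaviour in observations 1 to 3 and in limitation 2, modelled as an added example (not part of the original article or of any F5 or Ixia tooling). It assumes the NPB inserts a standard 802.1Q tag (TPID 0x8100) and that the caller supplies which of the two tags (2001 or 2002) applies; the sample frames are constructed, not captured from the lab.

```python
import struct

TPID_8021Q = 0x8100               # standard 802.1Q tag type (assumed for the NPB's extra tag)
ETH_SLOW = 0x8809                 # IEEE slow-protocols EtherType, used by LACP
LACP_SUBTYPE = 0x01
TOOL_SHARING_VIDS = {2001, 2002}  # the two tags named in the article

def parse(frame):
    """Return (vlan_id or None, ethertype, payload) for a raw Ethernet frame."""
    (etype,) = struct.unpack_from("!H", frame, 12)
    if etype == TPID_8021Q:
        tci, inner = struct.unpack_from("!HH", frame, 14)
        return tci & 0x0FFF, inner, frame[18:]
    return None, etype, frame[14:]

def npb_tool_sharing(frame, vid):
    """Model observations 1 and 3: tag untagged frames, drop already-tagged ones."""
    if vid not in TOOL_SHARING_VIDS:
        raise ValueError("unexpected tool-sharing VLAN id")
    if parse(frame)[0] is not None:
        return None               # VLAN Translation is disabled, so the frame is dropped
    tag = struct.pack("!HH", TPID_8021Q, vid)   # priority and DEI bits left at 0
    return frame[:12] + tag + frame[12:]

def seen_by_bigip(frame):
    """Describe a frame as the inline BIG-IP would receive it."""
    vid, etype, payload = parse(frame)
    is_lacp = etype == ETH_SLOW and payload[:1] == bytes([LACP_SUBTYPE])
    return {"vlan": vid, "lacp": is_lacp, "expected_tag": vid in TOOL_SHARING_VIDS}

# Constructed sample frames: locally administered MACs, zero-filled bodies.
SRC = bytes.fromhex("02aabbccdd01")
LACPDU = (bytes.fromhex("0180c2000002") + SRC + struct.pack("!H", ETH_SLOW)
          + bytes([LACP_SUBTYPE, 0x01]) + bytes(108))
IPV4 = bytes.fromhex("02aabbccdd02") + SRC + struct.pack("!H", 0x0800) + bytes(46)
TAGGED_513 = IPV4[:12] + struct.pack("!HH", TPID_8021Q, 513) + IPV4[12:]

if __name__ == "__main__":
    samples = [("ipv4", IPV4, 2001), ("lacp", LACPDU, 2002), ("tagged-513", TAGGED_513, 2001)]
    for name, frame, vid in samples:
        out = npb_tool_sharing(frame, vid)
        print(name, "dropped by NPB" if out is None else seen_by_bigip(out))
```

The LACPDU case shows limitation 2 directly: the switch sends an untagged LACPDU, but the frame that reaches the BIG-IP carries a VLAN tag, so it is no longer the packet the LACP peer sent.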
Published Feb 17, 2022
Version 1.0