cancel
Showing results for 
Search instead for 
Did you mean: 
Romain
F5 Employee
F5 Employee

Introduction

The insertion of inline security and application delivery devices into an existing network infrastructure can require significant network re-design and architecture changes. Deploying tools that operate transparently at Layer 2 of the OSI model (L2) can greatly reduce the complexity and disruption associated with these implementations. 

F5’s BIG-IP hardware appliances can be inserted as L2 devices in existing networks.  This can be achieved using either virtual Wire (vWire) or by bridging 2 Virtual LANs using a VLAN Groups.   

This article focusses on the configuration of vWire on a standalone BIG-IP with 2 physical interface. The 2 physical interfaces are bridged together and allow traffic through the BIG-IP behaving like a wire.

Note: Virtual Wire is available on BIG-IP hardware.

0151T000003lNy3QAE.png

For more information on F5 security and other modules and their configuration please refer to www.f5.com to access user guides, recommended practices and other deployment documentation.  The configuration of BIG-IP modules, such as those providing DDoS protection/mitigation or SSL visibility, is beyond the scope of this article and is the subject of other user guides. 

Under the covers

Building virtual wires leverages the underlying configuration of two separate VLAN objects that are bridged using a VLAN group.  For convenience, going forward, one will be called the “ingress VLAN object” and the other one the “egress VLAN object”. This is significant because, you will be able to use these objects in your configuration to setup listeners and associate them to either VLAN object.

Configuration

Using the CLI

Overview:

  1. Modify the 2 interfaces' mode to support virtual wire
  2. Create 2 VLAN objects using the interfaces selected above using VLAN id 4096 - this is the default "any" VLAN ID which will accept and forward all 802.1Q tagged traffic.
  3. Create 2 VLAN objects using the same interfaces above using the desired VLAN id (512 will be used as an example below)
  4. Create VLAN Groups to bridge the VLAN's created above

Sample Configuration:

The sample below creates a virtual wire that will work with 802.1Q VLAN id. 512.

Configure interfaces to support virtual wire:

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net interface 1.1 port-fwd-mode virtual-wire
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# modify net interface 1.2 port-fwd-mode virtual-wire

Create all VLAN tag VLAN objects:

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan Direct_all_vlan_4096_1 tag 4096 interfaces add { 1.1 { tagged } }
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan Direct_all_vlan_4096_2 tag 4096 interfaces add { 1.2 { tagged } }

Create specific (802.1Q tag 512) VLAN objects:

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan Direct_vlan_512_1 tag 512 interfaces add { 1.1 { tagged } }
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan Direct_vlan_512_2 tag 512 interfaces add { 1.2 { tagged } }

Create VLAN Groups:

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan-group Direct_all_vlan members add { Direct_all_vlan_4096_1 Direct_all_vlan_4096_2 } mode virtual-wire
root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# create net vlan-group Direct_vlan_512 members add { Direct_vlan_512_1 Direct_vlan_512_2 } mode virtual-wire

Don't forget to save:

root@(localhost)(cfg-sync Standalone)(Active)(/Common)(tmos)# save sys config partitions all

Using the WEBUI:

Overview:

There is a single interface to create and configure the necessary configuration objects.

  1. Create a virtual wire with the desired interfaces
  2. Associate VLANs that will be used by the BIG-IP function (e.g. SSL Orchestrator, Traffic Manager, etc.)
  3. Apply the configuration

Sample Configuration:

From the BIG-IP WebUI (Network>>Virtual Wire):

  • Select Create (upper right)
  • Enter the values for interfaces added to the virtual wire
  • Enter VLAN information and click on Add for every VLAN object created

0151T000003lNyNQAU.png

Once the all the selections are made and you are ready to implement, click on "Commig Changes to System":

0151T000003lNySQAU.png

The resulting screen will look like the following:

0151T000003lNycQAE.png

The resulting VLAN configuration will look as follows:

0151T000003lNyXQAU.png

Notable Effects-Caveats

Virtual Wire Created Through WebUI

  • Configuring vWire via the WebUI will result in creating the aforementioned VLANs automatically. During the creation process, an identifier is appended to the VLAN object-name. This identifier will vary from one BIG-IP to another.  
  • When deploying a pair of BIG-IP’s in HA mode, the virtual wire configuration will create objects with different names on each BIG-IP. So for example, the creation of vwire_lab01 will result in the creation of VLAN objects vwire_lab01_1_567 and vwire_lab01_2_567 on one BIG-IP, while the other BIG-IP will have vwire_lab01_1_000 and vwire_lab01_2_000 in its configuration. For modules like SSL Orchestrator, or in cases where a Virtual Server needs to be associated with a specific VLAN, the numbering is problematic. The administrator will not be able to associate the topology or Virtual Server to one VLAN object (vwire_lab01_2_567) on the first BIG-IP and the other VLAN object (vwire_lab01_2_000) on the peer BIG-IP. (this is not possible for a number of reasons, one of which is the way configurations are synchronized between BIG-IP devices)
  • This results in the necessary manual configuration using the procedure described above.

VLAN Objects Available for Configuration

After creating virtual wire objects, VLANs are available for you to configure the desired services. This includes BIG-IP LTM or SSL Orchestrator objects allowing you to take different actions when traffic comes in one or the other "side" of the virtual wire. For example, you might want connections initiated from the LAN (in the picture above) to be decrypted for security inspection purposes, while having traffic coming in from the firewall passed through transparently.


Conclusion

Deploying the BIG-IP in virtual wire mode provides a great way to insert services into your network without affecting the rest of the network configuration, routing and forwarding. The flexibility of the BIG-IP allows you to control the traffic traversing the BIG-IP on what ever VLAN (tagged or not). I hope this has been useful.

Comments
Dojs
Cirrostratus
Cirrostratus

Great article.

We are using this feature and works very well. The same configuration that you shared.

Saravanan_M_K
F5 Employee
F5 Employee

Thanks for the article. What is the purpose of creating 4096 vlan (in addition to the one we want which is 511)?

Romain
F5 Employee
F5 Employee

VLAN 4096 is a reserved VLAN number that represents a wildcard. Basically the 4096 VLAN allows all tagged traffic to traverse the BIG-IP.

Adding a specific VLAN number (VLAN 501 in this case) allows the administrator to associate a listener to that specific VLAN. For example if this is deployed with F5's SSL inspection product, you can associate a service chain/topology to that specific VLAN and associate another service-chain/topology to another VLAN (602?).

 

I hope this answers your question.

Saravanan_M_K
F5 Employee
F5 Employee

Yes. Thanks for the clarification.

ARAV
Nimbostratus
Nimbostratus

Good article

Thanks saw this on Palo Alto but I did not know that F5 can also do it.

Version history
Last update:
‎21-Jan-2020 12:43
Updated by:
Contributors