on 13-Jul-2021 12:03
This article is part of a series on deploying BIG-IPs with bypass switches and network packet brokers. These devices allow for the transparent integration of network security tools with little to no network redesign and configuration change. For more information about bypass switch devices refer to https://en.wikipedia.org/wiki/Bypass_switch; for network packet brokers, refer to https://www.ixiacom.com/company/blog/network-packet-brokers-abcs-network-visibility and https://www.gigamon.com/campaigns/next-generation-network-packet-broker.html. The article series introduces network designs to forward traffic to the inline tools at layer 2 (L2).
F5’s BIG-IP hardware appliances can be inserted in L2 networks. This can be achieved using either virtual Wire (vWire) or by bridging 2 Virtual LANs using a VLAN Groups.
This document covers the design and implementation of the Gigamon Bypass Switch/Network Packet Broker in conjunction with the BIG-IP i5800 appliance and Virtual Wire (vWire).
This document focuses on Gigamon Bypass Switch / Network Packet Broker. For more information about architecture overview of bypass switch and network packet broker refer to https://devcentral.f5.com/s/articles/L2-Deployment-of-vCMP-guest-with-Ixia-network-packet-broker?tab.... Gigamon provides internal bypass switch within network packet broker device whereas Ixia has external bypass switch.
Below diagram is a representation of the actual lab network. This shows deployment of BIG-IP with Gigamon.
Figure 1 - Topology before deployment of Gigamon and BIG-IP
Figure 2 - Topology after deployment of Gigamon and BIG-IP
Figure 3 - Connection between Gigamon and BIG-IP
Hardware used in this article are
Note: All the Interfaces/Ports are 1G speed
Software used in this article are
In this lab, the Gigamon is configured with two type of ports, Inline Network and Inline Tool.
First and Foremost step is to configure Ports. Figure 2 shows all the ports that are connected between Switches and Gigamon. Ports that are connected to switch should be configured as Inline Network Ports. As per Figure 2, find below Inline Network ports
Inline Network ports: 1/1/x1, 1/1/x2, 1/1/x3, 1/1/x4, 1/1/x5. 1/1/x6, 1/1/x7, 1/1/x8
Figure 3 shows all the ports that are connected between BIG-IP and Gigamon. Ports that are connected to BIG-IP should be configured as Inline Tool Ports. As per Figure 3, find below Inline Tool ports
Inline Tool ports: 1/1/x9, 1/1/x10, 1/1/x11, 1/1/x12, 1/1/g1, 1/1/g2, 1/1/g3, 1/1/g4
To configure Port Type, do the following
Figure 4 - GUI configuration of Port Types
Equivalent command for configuring Inline Network port and other port configuration
port 1/1/x1 type inline-net port 1/1/x1 alias N-SW1-36 port 1/1/x1 params admin enable autoneg enable
Equivalent command for configuring Inline Tool Port and other port configuration
port 1/1/x9 type inline-tool port 1/1/x9 alias BIGIP-1.1 port 1/1/x9 params admin enable autoneg enable
Figure 1 shows direct connections between switches. An inline network bypass pair will ensure the same connections through Gigamon. An inline network is an arrangement of two ports of the inline-network type. The arrangement facilitates access to a bidirectional link between two networks (two far-end network devices) that need to be linked through an inline tool. As per Figure 2, find below Inline Network bypass pairs
To configure the inline network bypass pair, do the following
Figure 5 - Example GUI configuration of Inline Network Bypass Pair
Equivalent command for configuring Inline Network Bypass Pair
inline-network alias Bypass1 pair net-a 1/1/x1 and net-b 1/1/x2 physical-bypass disable traffic-path to-inline-tool
An inline network group is an arrangement of multiple inline networks that share the same inline tool.
To configure the inline network bypass group, do the following
Figure 6 - Example GUI configuration of Inline Network Bypass Group
Equivalent command for configuring Inline Network Bypass Group
inline-network-group alias Bypassgroup network-list Bypass1,Bypass2,Bypass3,Bypass4
Figure 3 shows connection between BIG-IP and Gigamon which will be in pairs. An inline tool consists of inline tool ports, always in pairs, running at the same speed, on the same medium. As per Figure 3, find below Inline Tool pairs.
To configure the inline tool pair, do the following
Figure 7 - Example GUI configuration of Inline Tool Pair
Equivalent command for configuring Inline Tool pair
inline-tool alias BIGIP1 pair tool-a 1/1/x9 and tool-b 1/1/x10 enable shared true
An inline tool group is an arrangement of multiple inline tools to which traffic is distributed to the inline tools based on hardware-calculated hash values. For example, if one tool goes down, traffic is redistributed to other tools in the group using hashing.
To configure the inline tool group, do the following
Figure 8 - Example GUI configuration of Inline Tool Group
Equivalent command for configuring Inline Tool Group
inline-tool-group alias BIGIPgroup tool-list BIGIP1,BIGIP2,BIGIP3,BIGIP4 enable
Flow mapping takes traffic from a network TAP or a SPAN/mirror port and sends it through a set of user-defined map rules to the tools and applications that secure, monitor and analyze IT infrastructure. As per Figure 2, it is the high-level process for configuring traffic to flow from the inline network links to the inline tool group, allowing you to test the deployment functionality of the BIG-IP appliances within the group.
To configure the inline tool group, do the following
Figure 9 - Example GUI configuration of Flow Maps
Note: Above configuration allows all traffic from Inline Network Group to flow through Inline Tool Group
Equivalent command for configuring PASS ALL Flow Map
map-passall alias Map1 to BIGIPgroup from Bypassgroup
Flow Maps can be configured specific to certain traffic. For example, If LACP traffic should bypass BIG-IP and all other traffic should pass through BIG-IP. Find below command to achieve mentioned condition
map alias inMap type inline byRule roles replace admin to owner_roles comment " " rule add pass ethertype 8809 to bypass from Bypassgroup exit map-scollector alias SCollector roles replace admin to owner_roles from Bypassgroup collector BIGIPgroup exit
Note: For more details on Gigamon, refer https://docs.gigamon.com/pdfs/Content/Shared/5700-doclist.html
In series of BIG-IP and Gigamon deployment, BIG-IP configured in L2 mode with Virtual Wire (vWire)
Note: Steps mentioned above are specific to topology in Figure 2. For more details on Virtual Wire (vWire), refer https://devcentral.f5.com/s/articles/BIG-IP-vWire-Configuration?tab=series&page=1 and https://devcentral.f5.com/s/articles/vWire-Deployment-Configuration-and-Troubleshooting?tab=series&p...
To configure interfaces to support vWire, do the following
Figure 10 - Example GUI configuration of interface to support vWire
To configure trunk, do the following
Figure 11 - Example GUI configuration of Trunk in LACP Mode
Figure 12 - Example GUI configuration of Trunk in LACP Passthrough Mode
As per Figure 2, when configured in LACP Mode, LACP will be established between BIG-IP and switches. When configured in LACP passthrough mode, LACP will be established between North and South Switches.
As per Figure 2 and 3 , there will be four trunk configured as below,
Left_Trunk ensure connectivity between BIG-IP and North Switches. Right_Trunk ensure connectivity between BIG-IP and South Switches.
Note: Trunks can be configured for individual interfaces, if LACP passthrough configured as LACP frames not getting terminated at BIG-IP
To configure trunk, do the following
Figure 13 - Example GUI configuration of Virtual Wire
Above Virtual Wire configuration will work for both Tagged and Untagged traffic. Figure 2 and 3, requires both the Virtual Wire configured. This configuration works for both LACP mode and LACP passthrough mode. If each interface configured with specific trunk in passthrough deployment, then there will be 4 specific Virtual Wires configured.
Note: In this series, all the mentioned scenarios and configuration will be covered in upcoming articles.
This deployment ensures transparent integration of network security tools with little to no network redesign and configuration change. The Merits of above network deployment are
we are using something similiar.
But we had 2 environments with each one HC2 and i5800. and we had some special configuration to works well with Gigamon. As the BUG <https://cdn.f5.com/product/bugtracker/ID885961.html>, so just after run this workaround the Gigamon works Well.
Thanks for sharing your experience and details. This example of vWire configuration is specific to untagged packets where we explicitly mentioned untagged vlan in vWire configuration. Default vWire configuration will allow any tag, so this configuration will allow both Tagged and Untagged packets. We have other articles in pipeline which covers various scenarios and configuration.
Thank you so much for publishing L2-deployment article.
have a challenge over here, using QinQ in this deployment, to send vlans to big IP. I understand that we don't support QinQ in vWire Mode. anyone with this issue too?