on 10-Jan-2020 09:45
The insertion of inline security devices into an existing network infrastructure can require significant network re-design and architecture changes. Deploying tools that operate transparently at Layer 2 of the OSI model (L2) can greatly reduce the complexity and disruption associated with these implementations. This type of insertion eliminates the need to make changes to the infrastructure and provides failsafe mechanisms to ensure business continuity should a security device fail.
F5’s BIG-IP hardware appliances can be inserted in L2 networks. This can be achieved either by using Virtual Wire (vWire) or by bridging 2 Virtual LANs using VLAN Groups.
This document covers the design and implementation of the Ixia bypass switch and the Ixia packet broker in conjunction with the BIG-IP i5800 appliance configured with hardware virtualization (vCMP), VLAN Groups and VLAN tagging (IEEE 802.1q tagging). Emphasis is placed on the network insertion, integration and Layer 2 configuration.
The configuration of BIG-IP modules, such as those providing DDoS protection/mitigation or SSL visibility, is beyond the scope of this document and is the subject of other deployment guides. For more information on F5 security modules and their configuration please refer to www.f5.com to access user guides, recommended practices and other deployment documentation.
Enterprise networks are built using various architectures depending on business objectives and budget requirements. As corporate security policies, regulations and requirements evolve, new security services need to be inserted into the existing infrastructure. These new services can be provided by tools such as intrusion detection and prevention systems (IDS/IPS), web application firewalls (WAF), denial of service protection (DoS), or data loss prevention devices (DLP). These are often implemented in the form of physical or virtual appliances requiring network-level integration.
Figure 1- Bypass Switch Operation
This document focuses on using bypass switches as insertion points and network packet brokers to provide further flexibility.
Bypass switches are passive networking devices that mimic the behavior of a straight piece of wire between devices while offering the flexibility to forward traffic to a security service. They can detect service failure and bypass the service completely should it become unavailable. This is illustrated in Figure 1. The bypass switch forwards traffic to the service during normal operation, and bypasses the tool in other circumstances (e.g. tool failure, maintenance, manual offline). Capabilities of the bypass switch can be enhanced with the use of network packet brokers.
Note: Going forward, “tool” or “security service” refers to the appliance providing a security service. In the example below, this is an F5 BIG-IP appliance providing DDoS protection.
Network packet brokers are similar to bypass switches in that they operate at L2, do not take part in the switching infrastructure signaling (STP, BPDU, etc.) and are transparent to the rest of the network. They provide the forwarding flexibility to integrate and forward traffic to more than one device and create a chain. These chains allow for the use of multiple security service tools. Figure 2 provides a simplified example where the network packet broker is connected to 2 different tools/security services. Network packet brokers operate programmatically and are capable of conditionally forwarding traffic to tools. Administrators are able to create multiple service chains based on ingress conditions or traffic types. Another function of the network packet broker is to provide logical forwarding and encapsulation (Q-in-Q) functions without taking part in the Ethernet switching. This includes adding, removing and replacing 802.1q tags, and conditional forwarding based on frame type, VLAN tags, etc.
Figure 2-Network Packet Broker - Service Chain
When inserted into the network at L2, BIG-IP devices leveraging system-level virtualization (vCMP) require the use of VLAN Groups. VLAN Groups bridge 2 VLANs together. In this document, the VLANs utilized are tagged using 802.1q. This means that the tagging used on traffic ingress is different from the tagging used on traffic egress, as shown in Figure 3.
From an enterprise network perspective, the infrastructure typically consists of border routers feeding into border switches. Firewalls connect into the border switches with their outside (unsecured/internet-facing) interfaces. They connect to the core switching mesh with their inside (protected, corporate and systems-facing) interfaces. Figure 3 below shows the insertion of the bypass switch in the infrastructure between the firewall and the core switching layer. A network packet broker is also inserted between the bypass switch and the security services.
Figure 3. Service Chain Insertion
Note: the core switch and firewall configurations are not altered in any way.
Figure 4 describes how frames traverse the bypass switch, network packet broker and security device. It also shows the transformation of the frames in transit. VLAN tags used in the diagram are provided for illustration purposes. Network administrators may wish to use VLAN tags consistent with their environment.
Prior to the tool chain insertion, packets egress the core and ingress the firewall with a VLAN tag of 101. After the insertion, packets egress the core (blue path) tagged with 101 and ingress the Bypass 1 (BP1) switch (1). They are redirected to the network packet broker (PB1). On ingress to PB1 (2), an outer VLAN tag of 2001 is added. The outer VLAN tag is then changed to match the BIG-IP VLAN Group tag of 4001 before the packet egresses PB1 (3). The network packet broker’s use of VLAN tags and the VLAN ID replacement are explained in the next section. BIG-IP 1 processes the packet (4) and returns it to PB1 with the outer VLAN tag replaced by 2001 (5). PB1 removes the outer VLAN tag and sends the packet back to BP1 (6). BP1 forwards it to the north switch (1) with the original VLAN tag of 101.
Path 2 (green) follows the same flow but on a different bypass switch, network packet broker and BIG-IP. Path 2 is assigned different outer VLAN tags (2003 and 4003) by the packet broker.
Figure 4 - South-North traffic flow
Heartbeats are configured on both bypass switches to monitor tools in their primary and secondary paths. If a tool failure is detected, the bypass switch forwards traffic to the secondary path. This is illustrated in Figure 4.5.
Figure 4.5. Heartbeat and
Network Packet Broker (NPB) VLAN Re-write
The network packet broker utilizes VLANs to keep track of flows from different paths in a tool-sharing configuration. A unique VLAN ID is configured for each path. The tag is added on ingress and removed on egress. The VLAN tags enable the packet broker to keep track of flows in and out of the shared tool and return them to the correct path. If the flow entering the network packet broker already has a VLAN tag, then the packet broker must be configured to use Q-in-Q to add an outer tag.
In this document, the BIG-IP is deployed as a tool in the network packet broker service chain. The BIG-IP is running vCMP and is configured in VLAN Group mode. In this mode, the BIG-IP requires two VLANs to operate, one facing north and the other facing south. As packets traverse the BIG-IP, the VLAN tag is changed. This presents a challenge for the network packet broker because it expects to receive the same unaltered packets that it sends to the inline tools. The network packet broker will drop the altered packets. To address this issue, additional configuration is required, using service chains, filters and hard loops.
Network Packet Broker VLAN Replacement
1. The frames ingress the network packet broker on port 2. An outer VLAN tag of 2001 is added to the frames by the Service Chain 3 (SC3).
2. The frames are forwarded out of port 17 and egress the network packet broker. Port 17 is externally patched to port 18.
3. Port 18 is internally linked to port 10 by a filter.
4. As traffic egresses port 10, a filter is applied to change the VLAN from 2001 to 4001.
5. The outer VLAN tag on the frames is changed from 4001 to 2001 as they traverse the BIG-IP. The frames egress port 2.1 on the BIG-IP and ingress the network packet broker on port 9.
6. The frames are sent through SC3, where the outer VLAN tag is stripped off, and egress on port 1.
7. Frames are forwarded back to the bypass.
The return traffic follows the same flow as described above but in reverse order. The only difference is that a different filter is applied to port 10 to replace the 4001 tag with 2001.
Figure 5. Network Packet Broker VLAN Tag Replacement
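The tag handling in steps 1 to 7 can be checked with a small model. The Python below is an added example, not part of the original guide or of any Ixia or F5 tooling: it builds a constructed Ethernet frame, applies the push, rewrite, bridge and strip operations described above, and shows that the broker drops the frame when the 2001-to-4001 filter is missing. The TPID of 0x8100 on both tags, the MAC addresses and all function names are assumptions made for illustration.

```python
import struct

TPID = 0x8100  # assumption: inner and outer tags both use the 802.1Q TPID

def build_frame(vlan_ids, payload=b"constructed-payload"):
    """Constructed Ethernet frame with a VLAN tag stack, outermost tag first."""
    dst, src = bytes.fromhex("020000000001"), bytes.fromhex("020000000002")
    tags = b"".join(struct.pack("!HH", TPID, vid) for vid in vlan_ids)
    return dst + src + tags + struct.pack("!H", 0x0800) + payload

def vlan_stack(frame):
    """VLAN IDs found after the two MAC addresses, outermost first."""
    vids, off = [], 12
    while struct.unpack_from("!H", frame, off)[0] == TPID:
        vids.append(struct.unpack_from("!H", frame, off + 2)[0] & 0x0FFF)
        off += 4
    return vids

def push_outer(frame, vid):
    return frame[:12] + struct.pack("!HH", TPID, vid) + frame[12:]

def rewrite_outer(frame, old, new):  # models a filter with VLAN replacement
    if vlan_stack(frame)[:1] != [old]:
        return frame  # filter criteria not matched, frame is left unchanged
    tci = struct.unpack_from("!H", frame, 14)[0]
    return frame[:14] + struct.pack("!H", (tci & 0xF000) | new) + frame[16:]

def pop_outer(frame, expected):  # broker strips only the tag it added itself
    if vlan_stack(frame)[:1] != [expected]:
        raise ValueError(f"broker drop: expected outer VLAN {expected}, "
                         f"got stack {vlan_stack(frame)}")
    return frame[:12] + frame[16:]

def bigip_vlan_group(frame, a=4001, b=2001):
    """Simplified VLAN Group: the frame leaves on the other bridged VLAN."""
    outer = vlan_stack(frame)[0]
    return rewrite_outer(frame, outer, {a: b, b: a}[outer])

def south_to_north(frame, rewrite_filter=True):
    """Blue path through PB1 and BIG-IP 1; returns (frame to BP1, tag trace)."""
    trace = [vlan_stack(frame)]
    frame = push_outer(frame, 2001)               # service chain adds path tag
    trace.append(vlan_stack(frame))
    if rewrite_filter:
        frame = rewrite_outer(frame, 2001, 4001)  # port 10 filter: 2001 -> 4001
        trace.append(vlan_stack(frame))
    frame = bigip_vlan_group(frame)               # BIG-IP changes the outer tag
    trace.append(vlan_stack(frame))
    frame = pop_outer(frame, 2001)                # broker expects its own tag
    trace.append(vlan_stack(frame))
    return frame, trace

if __name__ == "__main__":
    original = build_frame([101])
    returned, trace = south_to_north(original)
    print(" -> ".join(map(str, trace)), "| unchanged:", returned == original)
    try:
        south_to_north(original, rewrite_filter=False)
    except ValueError as exc:
        print(exc)
```

The same model applies to Path 2 by substituting 2003 and 4003 for the outer tags.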
The use case selected for this verified design is based on a customer design. The customer’s requirements were that the BIG-IPs must be deployed in vCMP mode and at Layer 2. This limits the BIG-IP deployment to VLAN Group. The design presented challenges and required creative solutions to overcome them. The intention is not for the reader to replicate the design but to ….
The focus of this lab is the L2 insertion point and the flow of traffic through the service chain. A pair of switches was used to represent the north and south ends of each path, a pair for blue and a pair for green. One physical bypass switch was configured with two logical bypass switches, and one physical network packet broker simulated two network packet brokers.
Lab Equipment List
Figure 6. Lab diagram
Arista network switches
Ixia Bypass switch
Ixia Network Packet Broker
Arista Network Switches
Four Arista switches were used to generate the north-south traffic. A pair of switches represents the Path 1 (blue) with a firewall to the north of the insertion and the core to the south. The second pair of switches represents Path 2 (green). A VLAN 101 and a VLAN interface 101 were created on each switch. Each VLAN interface was assigned an IP address in the 10.10.101.0/24 range.
Ixia iBypass Duo Configuration
Step 1. Power Fail State
Step 2. Enable ports
Step 3. Bypass Switch
Step 4. Heartbeat
The initial setup of the iBypass Duo switch is covered in the Ixia iBypass Duo User’s Guide. Please visit the Ixia website to download a copy.
This section covers the configuration of the bypass switch to forward traffic to the network packet broker (PB1). In the event that PB1 fails, the bypass switch forwards traffic to the secondary network packet broker (PB2). As the last resort, it fails open and permits traffic to flow, bypassing the service chain.
Step 1. In the event of a power failure, the bypass switch is configured to fail open and permit the traffic to flow uninterrupted.
a. Click the CONFIGURATION (1) menu bar and select Chassis (2). Select Open (3) from the Power Fail State and click SAVE (4) on the menu bar.
Step 2. Enable Ports
a. Click the CONFIGURATION (1) menu bar and select Port (2)
b. Check the box (3) at the top of the column to select all ports and click Enable (4)
c. Click SAVE (5) on the menu bar
Step 3. Configure Bypass Switch 1 and 2
a. Click Diagram (1) and click +Add Bypass Switch (2)
b. Select the Inline Network Links tab (1) and click Add Ports (2). From the pop-up window, select port A. The B side port will automatically be selected.
c. Select the Inline Tools (1) tab and click the + (2)
d. From the Edit Tool Connections window, on the A side (top), click Add Ports (1) and select port 1 from the pop-up window (2). Repeat and select port 5. On the B side (bottom), click Add Ports and select port 2 (3). Repeat and select port 6.
Note: The position of the ports is also the priority of the ports. In this example, ports 1 (A side) and 2 (B side) are the primary path.
e. Repeat steps a through d to create Bypass Switch 2 with Inline Network Links C and D and Inline Tools ports 7, 8 and 3, 4 as the secondary.
Step 4. Heartbeat config
a. From the Diagram view, click the Bypass Switch 1 menu square (1) and select Properties (2).
b. Click the Heartbeats tab (1), click show (2) and populate the values (3). To edit a field, just click the field and edit. Click OK and check the Enabled box (4).
Note: To edit the heartbeat values, just click on the field and type.
c. Repeat steps a. and b. to create the heartbeats for the remaining interfaces. Ideally, heartbeats are configured to check both directions: from tool port 1 -> tool port 2 and from tool port 2 -> tool port 1. Repeat the steps to create the heartbeat for port 2, but reverse the MACs for SMAC and DMAC.
Use a different set of MACs (ex. 0050 c23c 6012 and 0050 c23c 6013) when configuring the heartbeat for tool ports 5 and 6.
This concludes the bypass switch configuration.
Network Packet Broker (NPB) Configuration
In this lab, the NPB is configured with three types of ports: Bypass, Inline Tool and Network.
Step 1. Configure Bypass Port Pairs
Step 2. Create Inline Tool Resources Ports
Step 3. Create Service Chains
Step 4. Link the Bypass Pairs with the Service Chains
Step 5. Create Dynamic Filters
Step 6. Apply the Filters
Step 1. Configure Bypass Port Pairs (BPP)
Bypass ports are ports that send and receive traffic from the network side. In this lab, they are connected to the bypass switches.
a. Click the INLINE menu (1) and click the Add Bypass Port Pair (2).
b. In the Add Bypass Port Pair window, enter a name (ByPass 1 Primary). To select the Side A Port, click the Select Port button (2). In the pop-up window, select a port (P01). Now select the Side B Port (P02) (3) and click OK.
Repeat these steps to create the remaining BPPs.
ByPass 1 Secondary with P05 (Side A) and P06 (Side B)
ByPass 2 Primary with P07 (Side A) and P08 (Side B)
ByPass 2 Secondary with P03 (Side A) and P04 (Side B)
Step 2. Create Inline Tool Resources Ports
Inline Tool Resources (ITR) are ports connected to tools, such as the BIG-IP. These ports are used in the service chain configuration to connect BPPs to ITRs.
a. Click the INLINE menu (1) and click the Add Tool Resource (2).
b. Enter a name (BIG-IP 1) (1) and click the Inline Tool Ports tab (2)
c. To select the Side 1 Port, click the Select Port (1) button and select a port (P09) from the pop-up window. Do the same for the Side 2 port (P17) (2). Provide an Inline Tool Name (BIG-IP 1) (3) and click Create Port Pair (4). Repeat these steps to create ITR BIG-IP 2 using ports P13 and P21.
NOTE: The Side B port does not match the diagram due to the VLAN replacement explained previously.
Step 3. Create Service Chains
A Service Chain connects BPPs to the inline tools. It controls how traffic flows from the BPPs to the tools in the chain through the use of Dynamic Filters.
a. Click the INLINE menu (1) and click the Add Service Chain (2).
b. In the pop-up window, enter a name (Service Chain 1) (1) and check the box to Enable Tool Sharing (2). Click Add (3) and in the pop-up window, select Bypass 1 Primary and Bypass 2 Secondary. Once added, the BPPs are displayed in the window. Select each VLAN Id field and replace them with (4) 2001 and (5) 2002. Repeat these steps to create Service Chain 2. Use BPPs Bypass 2 Primary and Bypass 1 Secondary and VLAN 2003 and 2004 respectively. Click the Inline Tool Resource tab (6) to add ITRs.
c. On the Inline Tool Resource, click Add and select the ITR (BIG-IP 1) from the pop-up window. Repeat these steps for Service Chain 2 and select BIG-IP 2.
d. The next step connects the network (BPPs) to the tools using the service chains.
To connect the BPPs to the service chains, simply drag a line to link them. The lines in the red box are created manually. The lines in the blue box are automatically created to correlate with the links in the red box. This means traffic sent out BPP port A, into the service chain, is automatically returned to port B.
4. Configure Filters
Filters are used to link ports, filter,
a. Click the OBJECTS menu (1), select Dynamic Filters (2), click the +Add (3) and select Dynamic Filters.
b. Enter a name (1)
c. On the Filter Criteria tab, select Pass by Criteria (1) and click VLAN (2). In the pop-up window, enter a VLAN ID (4001) and select Match Any (3)
d. On the Connections tab, click Add Ports (1) to add a network port. In the pop-up window, select a port (P10). Add a port for tools (P18) (2).
e. Skip the Access Control tab and select the VLAN Replacement tab. Check the Enable VLAN Replacement box and enter a VLAN ID (2001).
Repeat these steps and create the remaining filters using the table below.
NOTE: The filter name (Fx) does not need to match this table exactly.
This concludes the network packet broker configuration.
This section describes how to configure a vCMP BIG-IP device to utilize VLAN Groups.
As a reminder, a VLAN Group is a configuration element that allows the bridging of VLANs.
In vCMP, the hypervisor is called the vCMP host. Virtual machines running on the host are called guests.
Lower layer configuration for networking on vCMP is done at the host level. VLANs are then made available to the guest. The VLAN bridging is configured at the guest level.
In the setup described herein, the VLAN interfaces are tagged with two 802.1q tags. Q-in-Q is used to provide inner and outer tagging.
The following assumes that the BIG-IPs are up and running, and that they are upgraded, licensed and provisioned for vCMP. It is also assumed that all physical connectivity is completed as appropriate, following a design identifying port, VLAN tagging and other Ethernet media choices. Prior to proceeding, you will need the following information for each BIG-IP that will be configured:
1. [vCMP host] Create VLANs that will be bridged
2. [vCMP host] Create the vCMP guest:
a. Configure – define what version of software, size of VM, associate the VLANs etc.
b. Provision – create the BIG-IP virtual machine or guest
c. Deploy – start the BIG-IP guest
3. [vCMP guest] Bridge VLAN group
Create VLANs that will be bridged:
· Login to the vCMP host interface
· Go to Network >> VLAN >> VLAN List
· Select “Create”
· In the VLAN configuration panel:
o Provide a name for the object
o Enter the Tag (this corresponds to the “outer” tag)
o Select “Specify” in the Customer Tag dropdown
o Enter a value for the Customer Tag, this is a value between 1 and 4094 (this is the “inner” tag)
o Select an interface to associate the VLAN to
o Select “Tagged” in the “Tagging” drop down
o Select “Double” in the “Tag Mode” drop down
o Click on the “add” button in the Resources box
o Select “Finished” as shown in the figure below
Repeat the steps above to create a second VLAN that will be added to the VLAN group. Once the above steps are completed, the VLAN webUI should look like:
Create vCMP Guest
· Login to the vCMP host interface
· Go to vCMP >> Guest List
· Select “Create…” (upper right-hand corner)
· Populate the following fields:
o Host Name
o Management Port
o IP Address
o Network Mask
o Management Route
o VLAN List, ensure that the VLANs that need to be bridged are in the “selected” pane
· Set the “Requested State” to “Deployed” (this will create a virtual BIG-IP)
· Click on “Finish” – window should look like the following:
Clicking on “Finish” will configure, provision and deploy the BIG-IP guest
Bridge VLAN group
· Login to the vCMP guest interface
· Go to Network >> VLANs >> VLAN Groups
· Select “Create”
· In the configuration window as shown below:
o Enter a unique name for the VLAN group object
o Select the VLANs that need to be bridged
o Keep the default configuration for the other settings
o Select “Finished”
Once created, traffic should be able to traverse the BIG-IP.
This concludes the BIG-IP configuration.