F5 BIG-IP SSL Orchestrator Layer 2 Services with rSeries & VELOS

By F5 DevCentral Community


Key Concepts

  • F5OS: The operating system running on F5 rSeries appliances and VELOS chassis; BIG-IP runs on it as a tenant.
  • BIG-IP: F5's application delivery controller, deployed here as a tenant within F5OS.
  • SSL Orchestrator (SSLO): The BIG-IP module that decrypts traffic and steers it through a chain of security services; here it is used to define and manage the inline layer 2 services.
  • VLANs (Virtual LANs): Logically separate broadcast domains; they are created in F5OS, assigned to interfaces and to the tenant, and then become visible to BIG-IP.
  • Self IP Addresses: Addresses the BIG-IP owns on a VLAN, distinct from the tenant's out-of-band management address; traffic the BIG-IP itself originates on that VLAN uses them.
  • MAC Data / MAC Block Size: The F5OS tenant setting (one, small, medium or large) that fixes how many unique MAC addresses the tenant receives; inline layer 2 services consume these.
  • Port Remap: An inline service option that rewrites the destination port of decrypted traffic (for example 443 to 8080) before it reaches the inline device, so the device inspects it as plaintext rather than treating port 443 as encrypted.
  • Interception Rule: The listener that defines which VLANs, and which traffic on them, the topology intercepts.
  • Inline Layer 2 Service: A device that sits directly in the traffic path; BIG-IP sends frames to it on one VLAN and receives them back on another, and the device inspects what passes through.

F5OS Configuration & VLAN Setup

Configuration begins in F5OS with VLAN creation. The demonstrator shows VLANs for LAN and WAN traffic plus four more for the layer 2 services (two per inline device, one on each side of it). Each VLAN must then be assigned to a physical interface on the F5OS interface configuration screen; a VLAN that exists but is not assigned to an interface carries no traffic.

BIG-IP Tenant Deployment & MAC Address Allocation

Changing a tenant's VLAN assignment or MAC block size requires the BIG-IP tenant to be stopped, so the demonstrator schedules these changes for a maintenance window. The core of the tenant configuration is assigning the LAN, WAN and four layer 2 VLANs to the tenant. Crucially, the "MAC Data" setting, "MAC Block Size", fixes how many unique MAC addresses the tenant is given for its layer 2 services. The options are "one" (the default), "small", "medium" and "large".

With only six interfaces, "small" would have sufficed, but the demonstrator chose "medium" to leave headroom for additional layer 2 services. Because resizing the block later means stopping the tenant again, sizing for growth up front avoids a second outage and any MAC address shortfall as services are added. After saving the MAC block size, the tenant is started.

BIG-IP Interface Population & Self IP Configuration

When the tenant starts, the VLANs assigned to it in F5OS appear automatically in the BIG-IP VLAN configuration; nothing has to be created on the BIG-IP side. Although a layer 2 topology does not strictly require them, the demonstrator configures Self IP addresses on the LAN and WAN VLANs. These are data-plane addresses, separate from the tenant's management address, and they are used in the SSL Orchestrator configuration that follows.

SSL Orchestrator Configuration: Service & Network Path Creation

The demonstration then moves to SSL Orchestrator. A topology is created first, then a service of type "generic inline layer 2 service". Such a service is defined by its network paths, each built from two of the previously created VLANs: one carries traffic from the BIG-IP to the device, the other carries it back. A path is created for one layer 2 device and then a second, showing that several inline devices can be chained; the examples given are FireEye, IPS and Palo Alto devices.

The demonstrator notes that enabling "port remap" is generally recommended, particularly when deploying multiple inline services. Port remap rewrites the destination port of the decrypted flow (for example 443 to 8080) before it is sent to the inline device, so a device that would otherwise treat port-443 traffic as encrypted, and skip or misparse it, inspects the plaintext as ordinary HTTP.

Interception Rule Configuration & Traffic Direction

The final step is the "interception rule", the listener that specifies which VLANs the topology intercepts traffic on. Because the topology inspects outbound traffic, the demonstrator intercepts only on the LAN VLAN, where client traffic enters. Restricting the rule to the ingress VLAN ensures that only the intended traffic is steered through the layer 2 services.
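To make the dependencies between these steps concrete, here is an added example in Python (not F5's code, and not a client for F5OS or BIG-IP) that models the chain offline: it picks a MAC block size with headroom, refuses tenant changes while the tenant is running, and checks that every VLAN a network path uses exists in F5OS, is assigned to an interface and to the tenant, that the MAC block covers the services, that port remap is enabled in a multi-service chain, and that the interception rule lists only ingress VLANs. The MAC counts behind the block-size labels, the two-MACs-per-path rule, and all VLAN, interface, tenant and service names are assumptions or constructed sample data, not values from the page.

```python
# Offline model of the chain on this page: F5OS VLANs -> BIG-IP tenant (VLANs + MAC
# block size) -> SSL Orchestrator inline L2 network paths -> interception rule.
# Added example: it models the dependencies and checks, it does not talk to F5OS.
from dataclasses import dataclass

# ASSUMPTION: MAC counts behind the F5OS labels. The page only names the labels
# (one/small/medium/large); confirm the counts in your F5OS release documentation.
MAC_BLOCK_SIZES = {"one": 1, "small": 8, "medium": 16, "large": 32}
# ASSUMPTION: one unique MAC per side (to-service, from-service) of each network path.
MACS_PER_PATH = 2

@dataclass
class F5OSConfig:
    vlans: dict            # VLAN name -> VLAN ID, as created in F5OS
    interface_vlans: dict  # F5OS interface -> set of VLAN names assigned to it

@dataclass
class Tenant:
    name: str
    vlans: set
    mac_block_size: str
    running: bool = True

@dataclass
class InlineL2Service:
    name: str
    paths: list              # network paths as (to_service_vlan, from_service_vlan)
    port_remap: bool = True  # rewrite the decrypted flow's destination port (e.g. 443 -> 8080)

def macs_required(services):
    return MACS_PER_PATH * sum(len(s.paths) for s in services)

def choose_mac_block_size(current_paths, planned_extra_paths=0):
    """Smallest block covering today's paths plus the headroom you expect to need."""
    needed = MACS_PER_PATH * (current_paths + planned_extra_paths)
    for label, count in MAC_BLOCK_SIZES.items():  # insertion order is ascending
        if count >= needed:
            return label
    raise ValueError(f"{needed} MACs exceeds the largest block size")

def set_tenant_l2_settings(tenant, vlans, mac_block_size):
    """VLAN assignment and MAC block size can only be changed while the tenant is stopped."""
    if tenant.running:
        raise RuntimeError(f"stop tenant {tenant.name!r} before changing VLANs or MAC block size")
    if mac_block_size not in MAC_BLOCK_SIZES:
        raise ValueError(f"unknown MAC block size {mac_block_size!r}")
    tenant.vlans, tenant.mac_block_size = set(vlans), mac_block_size

def validate(f5os, tenant, services, interception_vlans, ingress_vlans):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems, attached = [], set().union(*f5os.interface_vlans.values())
    for svc in services:
        for to_vlan, from_vlan in svc.paths:
            if to_vlan == from_vlan:
                problems.append(f"{svc.name}: a network path needs two distinct VLANs")
            for v in (to_vlan, from_vlan):
                if v not in f5os.vlans:
                    problems.append(f"{svc.name}: VLAN {v!r} is not defined in F5OS")
                elif v not in attached:
                    problems.append(f"{svc.name}: VLAN {v!r} is on no F5OS interface")
                if v not in tenant.vlans:
                    problems.append(f"{svc.name}: VLAN {v!r} is not assigned to the tenant")
    need, have = macs_required(services), MAC_BLOCK_SIZES[tenant.mac_block_size]
    if need > have:
        problems.append(f"MAC block size {tenant.mac_block_size!r} gives {have} MACs, need {need}")
    if len(services) > 1 and not all(s.port_remap for s in services):
        problems.append("port remap disabled on a service in a multi-service chain")
    for v in interception_vlans:
        if v not in tenant.vlans:
            problems.append(f"interception rule lists VLAN {v!r} the tenant does not have")
        elif v not in ingress_vlans:
            problems.append(f"interception rule lists {v!r}; outbound intercepts only ingress VLANs")
    return problems

def build_page_scenario():
    """Constructed sample mirroring the page: LAN, WAN and four L2 VLANs on six interfaces."""
    f5os = F5OSConfig(
        vlans={"LAN": 100, "WAN": 200, "L2A_in": 301, "L2A_out": 302, "L2B_in": 303, "L2B_out": 304},
        interface_vlans={"1.0": {"LAN"}, "2.0": {"WAN"}, "3.0": {"L2A_in"}, "4.0": {"L2A_out"},
                         "5.0": {"L2B_in"}, "6.0": {"L2B_out"}})
    tenant = Tenant(name="bigip-sslo", vlans={"LAN", "WAN"}, mac_block_size="one")
    services = [InlineL2Service("ips", [("L2A_in", "L2A_out")]),
                InlineL2Service("ngfw", [("L2B_in", "L2B_out")])]
    return f5os, tenant, services

def example_deployment():
    """The page's sequence end to end; returns (tenant, problems)."""
    f5os, tenant, services = build_page_scenario()
    paths = sum(len(s.paths) for s in services)
    size = choose_mac_block_size(paths, planned_extra_paths=6)  # "medium": headroom, as on the page
    tenant.running = False                            # maintenance window: stop the tenant
    set_tenant_l2_settings(tenant, f5os.vlans, size)  # assign all six VLANs, set MAC block size
    tenant.running = True                             # start it; BIG-IP now shows the VLANs
    return tenant, validate(f5os, tenant, services, interception_vlans={"LAN"}, ingress_vlans={"LAN"})
```

Calling `example_deployment()` walks the page's scenario and returns an empty problem list. `validate` names each gap otherwise, for instance an interception rule that also lists the WAN VLAN, or a tenant left at the default "one" block size with two inline services behind it.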

Notable Quote

“Considering that I have…six interfaces here, I could use the small allocation of MAC addresses and that would suit my needs. But in this case, I want to use medium because that’ll give me a ceiling in the future to add additional layer 2 services.” – Demonstrator, explaining the rationale for choosing a larger MAC block size.

Logical Connections

The demonstration follows a clear, sequential flow: F5OS VLAN creation -> BIG-IP tenant configuration (VLAN assignment and MAC allocation) -> BIG-IP VLAN population -> SSL Orchestrator service and network path creation -> interception rule definition. Each step depends on the previous one, producing a complete layer 2 service deployment. The integration between F5OS and BIG-IP is a key element: VLANs created in F5OS and assigned to the tenant appear automatically in the BIG-IP configuration.

Conclusion

This demonstration provides a practical guide to configuring layer 2 services with SSL Orchestrator on F5 rSeries and VELOS platforms. The key takeaways are proper VLAN configuration in F5OS, careful planning of the MAC address allocation for the BIG-IP tenant (which can only be changed with the tenant stopped), and the flexible service configuration options in SSL Orchestrator. The emphasis on future scalability (choosing the "medium" MAC block size) and the recommendation to enable port remap reflect best practices for robust and adaptable layer 2 service deployments.
