How to: Configure a Generic L3 Inline service
Overview
An Inline Layer 3 inspection service passes traffic through one or more service devices at Layer 3 (IP). You use inline services in service chains, where each service device communicates with BIG-IP Next over two VLANs, one on the ingress side and one on the egress side. These VLANs, the From: VLAN and the To: VLAN, route traffic toward the intranet and the internet, respectively.
An Inline Layer 3 service assigns IP addresses to network interfaces and participates in traffic routing. It has physically or logically separate inbound (to-device) and outbound (from-device) interfaces.
Note: Ensure that the ingress/egress VLANs are already defined on the BIG-IP Next Instance to which you want to deploy the service.
Procedure
To create an L3 Inline inspection service using the BIG-IP Next Central Manager user interface:
Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and click SSL Orchestrator.
At the top of the screen, click + Create.
In the Inspection Service* drop-down list, select Generic Inline L3.
If you have not created any inspection service yet, click Start Creating; if inspection services already exist and you want to create more, click + Create.
Specify General Properties for the policy.
For Name*, enter a name for the inspection service.
For Description, add a description for the service, if required.
For Device Monitor, specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them.
For Service Down Action, specify the action to be taken when a destination device associated with the service becomes unavailable or goes down.
Ignore: Traffic to the service is ignored and is sent to the next service in the chain.
Drop: Stops forwarding traffic to the affected service.
Reset: Resets the connection to the client.
For SNAT, select whether you want to use a SNAT Pool or SNAT Auto Map to translate addresses. SNAT Auto Map uses a BIG-IP Next self IP address to replace each client source IP address, so you do not have to define a pool of distinct host addresses for SNAT to use. Unless your traffic volume is small, define SNAT pool addresses instead of using SNAT Auto Map.
For Remap Port, specify the port to which you want to remap the traffic.
Toggle the iRules radio button in the Additional Features section if you want to attach iRules to the service. The iRules tab is then added to the left pane.
Specify Network settings for the policy.
In the To: VLAN section:
For VLAN, specify the L1 network VLAN Name* created during BIG-IP Next Onboarding for entry of traffic. Entry refers to the traffic that leaves BIG-IP Next and enters the inspection device.
Note: Do not use the same To: VLAN for more than one inspection service.
For Inspection Service Endpoint, specify the server addresses where network traffic is to be monitored and analyzed.
In the From: VLAN section:
For VLAN, specify the L1 network VLAN Name* created during BIG-IP Next Onboarding for return of traffic. Return refers to the traffic that the inspection device sends back to BIG-IP Next.
For Inspection Service Endpoints, specify the server addresses where network traffic is to be monitored and analyzed.
In the iRules tab:
In the To iRules section:
Click Start Adding.
Select the required iRules from the drop-down list.
Click Add to List.
Click Save & Continue.
In the From iRules section:
Click Start Adding.
Select the required iRules from the drop-down list.
Click Add to List.
Click Save & Continue.
Select Review & Deploy to deploy the configuration.
Verify the details in the Summary section and click Start Adding.
Select the BIG-IP Instances to which you want to deploy the service.
Click Add to List.
Note: While adding instances to which you want to deploy the inspection service, instances that do not have SSL Orchestrator provisioned are also listed in the Start Adding drop-down. These instances are disabled and can be selected only after you provision SSL Orchestrator on that BIG-IP Next instance.
You can select each instance to which you want to deploy the inspection service and click Validate. This checks whether the VLAN configured for this inspection service exists on the instance and displays the resulting status.
If you want to modify the network configuration for an instance, or if the VLAN configured for this inspection service does not exist on the instances you added, you can create VLANs or modify the network configuration on the instances using the respective Configure icon. To modify the network configuration of an instance:
Click the Configure icon. The Network page appears.
In the To: VLAN section, select an available VLAN or click + Create Vlan to create a new VLAN.
Click the L1 Networks tab. Skip this step if you want to use an existing L1 network.
Click + Create to create a new L1 Network.
Enter a network name and interface name for the L1 network and the number of VLANs associated.
Click Save.
Click the VLANs tab.
Click + Create to create a new VLAN.
Enter the VLAN names that you added at step 7 or enter a new VLAN name.
Enter a tag and select the L1 Network from the dropdown.
Note: You can also use an existing L1 Network without creating a new L1 Network.
Click the Addresses field or click the IP Addresses tab.
Click + Create.
Add IP Address and Device Name.
Select the VLAN you created.
Repeat the above steps for From: VLAN configuration.
Click Save. The VLANs are deployed on the BIG-IP Next Instance.
Note: You can also use an existing VLAN without creating a new VLAN.
Note: When you create and configure a new VLAN for an instance, the respective Vlan column is updated with the new VLAN name.
Select the Instance(s).
Click Deploy Changes.
Click Yes, Deploy to deploy the service to the selected instances.
Configure network objects
Typically, you configure L1 network objects, including VLANs and self IPs, during BIG-IP Next onboarding. Any additional network configuration objects, such as Virtual Routing Functions (VRFs), that are not yet present on the instance are generated automatically when you deploy the service.
You can create a VLAN during onboarding and then specify that VLAN while configuring an inspection service in Central Manager. For more details, see Getting Started with Installation. You can also create the VLAN from Central Manager before deploying the inspection service to an instance. For more details, see How to: Configure Instance Specific Network Settings using CM APIs.
Configure an L3 Inline Service
To configure an L3 Inline service using the Central Manager API, send a POST request to the /api/v1/spaces/default/security/inspection-services endpoint:
POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/security/inspection-services
For the API body, use the following example, substituting appropriate values for the service you want to create.
For schema details, refer to the L3 Inline service section in the Reference: Inspection Service objects page.
In the following example:
type: for an L3 Inline service, the value of this property is set to "l3".
to: refers to the To Service Configuration. Specifies the L4-serverside entry object for entry of traffic from BIG-IP Next to the inspection device.
from: refers to the From Service Configuration. Specifies the L4-clientside return object for return of traffic from the inspection device to BIG-IP Next.
For the Inline L3 inspection service, the minimum properties required to define it are shown in the following examples. The ID of the created service is returned in the .id field of the response.
Basic
POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/security/inspection-services
{
  "name": "my-sslo-ngfw",
  "description": "My SSLO L3 Inspection Service",
  "type": "l3",
  "serviceDownAction": "ignore",
  "to": {
    "network": {
      "vlan": "sslo-insp-l3-in",
      "endpoints": [
        {
          "address": "198.19.64.30:0"
        }
      ],
      "snat": {
        "snatType": "NONE"
      }
    },
    "monitor": {
      "icmp": {
        "interval": 5,
        "timeout": 16
      }
    }
  },
  "from": {
    "network": {
      "vlan": "sslo-insp-l3-out"
    }
  }
}
Curl
# CM is the Central Manager management address; token is the bearer token
# returned by POST /api/login (see the Ansible Reference below).
INSP=$(cat <<EOF
{
  "name": "my-sslo-ngfw",
  "description": "My SSLO L3 Inspection Service",
  "type": "l3",
  "serviceDownAction": "ignore",
  "to": {
    "network": {
      "vlan": "sslo-insp-l3-in",
      "endpoints": [
        {
          "address": "198.19.64.30:0"
        }
      ],
      "snat": {
        "snatType": "NONE"
      }
    },
    "monitor": {
      "icmp": {
        "interval": 5,
        "timeout": 16
      }
    }
  },
  "from": {
    "network": {
      "vlan": "sslo-insp-l3-out"
    }
  }
}
EOF
)
insp_id=$(curl -sk -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" "https://${CM}/api/v1/spaces/default/security/inspection-services" -d "${INSP}" | jq -r '.id')
API Reference
Required | Attribute | Defaults | Notes |
---|---|---|---|
* | name | none | |
* | description | none | |
* | type | none | string: must be "l3" |
* | serviceDownAction | none | "ignore", "drop", or "reset" |
* | to: network: vlan | none | string: vlan-name |
* | to: network: endpoints: address | none | string: ip-address:0 |
* | to: network: snat: snatType | none | "NONE", "AUTOMAP", or "POOL" |
| to: network: snat: snatType: POOL | none | "addresses": [ "10.0.0.200", "10.0.0.201" ] |
* | monitor | "icmp": { "interval": 5, "timeout": 16 } | or "http": { "interval": 5, "timeout": 16, "sendString": "", "receiveString": "", "receiveDisableString": "", "username": "", "password": "" } or "tcp": { "interval": 5, "timeout": 16, "sendString": "", "receiveString": "", "receiveDisableString": "" } |
* | from: network: vlan | none | string: vlan-name |
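The following helper is an added example, not F5's code: it builds the POST body for the inspection-services endpoint and enforces the constraints from the API Reference table (type "l3", the serviceDownAction and snatType value sets, endpoint addresses written as ip-address:0, distinct To: and From: VLANs) before anything is sent to Central Manager. It assumes IPv4 endpoints and that SNAT pool addresses sit next to snatType in the snat object.

```python
import ipaddress

# Constructed helper, not F5 code: builds the request body for
# POST /api/v1/spaces/default/security/inspection-services and rejects
# values the API Reference table does not allow.
SERVICE_DOWN_ACTIONS = {"ignore", "drop", "reset"}
SNAT_TYPES = {"NONE", "AUTOMAP", "POOL"}


def build_inline_l3_service(name, to_vlan, from_vlan, endpoints,
                            service_down_action="ignore", snat_type="NONE",
                            snat_addresses=(), description="", monitor=None):
    """Return the request body as a dict, or raise ValueError on bad input."""
    if service_down_action not in SERVICE_DOWN_ACTIONS:
        raise ValueError(f"serviceDownAction must be one of {sorted(SERVICE_DOWN_ACTIONS)}")
    if snat_type not in SNAT_TYPES:
        raise ValueError(f"snatType must be one of {sorted(SNAT_TYPES)}")
    if to_vlan == from_vlan:
        # The To: and From: VLANs are separate paths; one VLAN cannot serve both.
        raise ValueError("To: VLAN and From: VLAN must be different")
    if not endpoints:
        raise ValueError("at least one inspection service endpoint is required")
    formatted = []
    for ep in endpoints:
        host, sep, port = ep.rpartition(":")
        if not sep or port != "0":
            raise ValueError(f"endpoint {ep!r} must be written as ip-address:0")
        ipaddress.IPv4Address(host)  # raises ValueError on a malformed address
        formatted.append({"address": ep})
    snat = {"snatType": snat_type}
    if snat_type == "POOL":
        if not snat_addresses:
            raise ValueError('snatType "POOL" requires a list of SNAT addresses')
        # Assumed layout: pool addresses are listed next to snatType in the snat object.
        snat["addresses"] = [str(ipaddress.IPv4Address(a)) for a in snat_addresses]
    return {
        "name": name,
        "description": description,
        "type": "l3",
        "serviceDownAction": service_down_action,
        "to": {
            "network": {"vlan": to_vlan, "endpoints": formatted, "snat": snat},
            # ICMP with the table's default interval/timeout unless a monitor is given.
            "monitor": monitor if monitor else {"icmp": {"interval": 5, "timeout": 16}},
        },
        "from": {"network": {"vlan": from_vlan}},
    }
```

Serialise the returned dict with json.dumps and pass it as the request body in place of the hand-written INSP document in the curl example.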
Ansible Reference
Execute with:
export CMPASS='mypassword'
ansible-playbook -i notahost, sslo-service-inlinel3.yaml
---
- hosts: all
  connection: local
  vars:
    bigip_next_cm_mgmt_ip: "10.1.1.6"
    bigip_next_cm_password: "{{ lookup('ansible.builtin.env', 'CMPASS') }}"
  tasks:
    - name: Check if BIG-IP Next Central Manager instance is available (HTTPS responding 405 on /api/login)
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: GET
        status_code: 405
        validate_certs: false
      until: json_response.status == 405
      retries: 50
      delay: 30
      register: json_response

    - name: Authenticate to BIG-IP Next CM API
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: POST
        headers:
          Content-Type: application/json
        body: |
          {
            "username": "admin",
            "password": "{{ bigip_next_cm_password }}"
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: bigip_next_cm_token
      retries: 30
      delay: 30

    - name: Set the BIG-IP Next CM token
      set_fact:
        bigip_next_cm_token: "{{ bigip_next_cm_token.json.access_token }}"

    - name: Get BIG-IP Next ID
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/instances?filter=hostname+eq+%27bigip-next.f5labs.com%27&select=hostname,id
        method: GET
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set BIG-IP Instance ID
      set_fact:
        # Materialise the generator as a list so it can be rendered as JSON below.
        bigip_id: "{{ json_response.json._embedded.devices | map(attribute='id') | list }}"

    - name: Get BIG-IP Admin User ID
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/users?filter=username+eq+%27admin%27&select=username,id
        method: GET
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set BIG-IP Admin User ID
      set_fact:
        admin_id: "{{ json_response.json._embedded.users[0].id }}"

    - name: Create SSLO Inline L3 Inspection Service
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "name": "my-sslo-ngfw",
            "description": "My SSLO L3 Inspection Service",
            "type": "l3",
            "serviceDownAction": "ignore",
            "to": {
              "network": {
                "vlan": "sslo-insp-l3-in",
                "endpoints": [
                  {
                    "address": "198.19.64.30:0"
                  }
                ],
                "snat": {
                  "snatType": "NONE"
                }
              },
              "monitor": {
                "icmp": {
                  "interval": 5,
                  "timeout": 16
                }
              },
              "irules": [
                {
                  "name": "testrule",
                  "version": "1",
                  "stage": false,
                  "created_by": "{{ admin_id }}"
                }
              ]
            },
            "from": {
              "network": {
                "vlan": "sslo-insp-l3-out"
              },
              "irules": [
                {
                  "name": "testrule",
                  "version": "1",
                  "stage": false,
                  "created_by": "{{ admin_id }}"
                }
              ]
            },
            "remapHttpsPort": 8181
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set Inspection Service ID
      set_fact:
        insp_id: "{{ json_response.json.id }}"

    - name: Deploy SSLO Inline L3 Inspection Service to BIG-IP Instance
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services/{{ insp_id }}/deployments
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "deploy-instances": {{ bigip_id | to_json }},
            "undeploy-instances": []
          }
        body_format: json
        timeout: 60
        status_code: 202
        validate_certs: false
      register: json_response

    - debug:
        var: json_response
For more information on the APIs, refer to the Open API documentation.
Note: To configure instance-specific network settings, refer to How to: Configure Instance Specific Network Settings using CM APIs.