How to: Configure Generic Inline L2 Inspection Service

Overview

An inline layer 2 service transparently passes traffic through physically or logically separate interfaces. Unlike a layer 3 device, a layer 2 device exposes no IP addresses and does not participate in routing. And unlike a passive TAP device, an inline layer 2 device can act on the traffic in real time: it may, for example, drop or reset a flow, rewrite or scrub content, or serve a blocking page.

Note: L2 inline service is only supported on VE. It is not supported on BIG-IP hardware platforms.

Note: For an L2 inspection service, the ingress and egress VLANs must reside on switch ports separate from those carrying VLANs that are not part of the inspection path.

Procedure

To create a Generic Inline L2 inspection service using the BIG-IP Next Central Manager user interface:

  1. Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.

  2. At the top of the screen, click + Create.

  3. In the Inspection Service drop-down list, select Generic Inline L2.

  4. Click Start Creating.

  5. Specify General Properties for the Inline L2 inspection service.
    a. For Name, enter a name for the Generic Inline L2 Service.

    b. For Description, add a description for the service, if required.

  6. For Device Monitor, select the monitor that tracks the availability of the inspection device. BIG-IP Next SSL Orchestrator currently supports only the ICMP monitor.

  7. For Service Down Action, specify what happens to traffic when the inspection device associated with the service is marked down by its monitor.

    • Ignore: Bypasses the down service and forwards traffic to the next service in the chain.

    • Drop: Drops the traffic instead of forwarding it.

    • Reset: Resets the connection to the client.

  8. Turn on the iRules toggle in the Additional Features section if you want to attach iRules to the service. An iRules tab is then added to the left pane.

  9. Click Save & Continue.

  10. Click Start Adding, if you have not added any Inspection Service Endpoints yet.

  11. Specify the Network settings for the inspection service endpoint.

    a. In the To:VLAN section, for VLAN, specify the L1 network VLAN for entry of traffic. Entry refers to the traffic that leaves BIG-IP Next and enters the inspection device.

    b. In the From:VLAN section, for VLAN, specify the L1 network VLAN for return of traffic. Return refers to the traffic that the device sends back to BIG-IP Next.

  12. In the iRules tab (present only if you enabled iRules in step 8):
    a. Click Start Adding.

    b. Select the required iRules from the drop-down list.

    c. Click Add to List.

    d. Click Save & Continue.

  13. Select Review & Deploy to deploy the configuration.

  14. Verify the configuration details in the Summary section and click Start Adding.

  15. Select the BIG-IP Next instances to which you want to deploy the service.

  16. Click Add to List, and then click Deploy Changes.

  17. Click Yes, Deploy to deploy the service to the selected instances.

Results

The Generic Inline L2 inspection service is created and deployed to the selected BIG-IP Next instances.

To configure a Generic Inline L2 inspection service using the Central Manager API:

  1. Send a POST request to the /api/v1/spaces/default/security/inspection-services endpoint over HTTPS on the Central Manager management address.

    POST https://{{cm_mgmt_ip}}/api/v1/spaces/default/security/inspection-services
    
  2. For the API body, use the following example, substituting appropriate values for the service you want to create:

    • type: For a Generic Inline L2 inspection service, set this property to l2.

    • toVlan (network): Specify the L1 network VLAN created during BIG-IP Next Onboarding for entry of traffic.

    • fromVlan (network): Specify the L1 network VLAN created during BIG-IP Next Onboarding for return of traffic.

    • monitor: Specify the monitor that tracks the availability of the inspection device. BIG-IP Next SSL Orchestrator currently supports only the ICMP monitor; interval and timeout are in seconds, and the timeout should be longer than the interval so that a single missed probe does not mark the device down.

    Basic

      {
        "name": "my-sslo-inlinel2",
        "description": "My SSLO L2 Inspection Service",
        "type": "l2",
        "serviceDownAction": "ignore",
        "network": [
          {
            "toVlan": "sslo-insp-l2-in",
            "fromVlan": "sslo-insp-l2-out"
          }
        ],
        "monitor": {
          "icmp": {
            "interval": 5,
            "timeout": 16
          }
        }
      }
    

    Curl

        # CM is the Central Manager management address. The bearer token comes from
        # POST /api/login (the same call the Ansible reference makes), with the
        # admin password supplied in the CMPASS environment variable.
        CM=10.1.1.6
        token=$(curl -sk -H "Content-Type: application/json" "https://${CM}/api/login" \
          -d "{\"username\":\"admin\",\"password\":\"${CMPASS}\"}" | jq -r '.access_token')
        INSP=$(cat <<EOF
        {
          "name": "my-sslo-inlinel2",
          "description": "My SSLO L2 Inspection Service",
          "type": "l2",
          "serviceDownAction": "ignore",
          "network": [
            {
              "toVlan": "sslo-insp-l2-in",
              "fromVlan": "sslo-insp-l2-out"
            }
          ],
          "monitor": {
            "icmp": {
              "interval": 5,
              "timeout": 16
            }
          }
        }
        EOF
        )
        # -k disables certificate verification (lab use only); drop it once CM presents a certificate your CA trusts.
        insp_id=$(curl -sk -X POST -H "Authorization: Bearer ${token}" -H "Content-Type: application/json" \
          "https://${CM}/api/v1/spaces/default/security/inspection-services" -d "${INSP}" | jq -r '.id')
        echo "Created inspection service ${insp_id}"
    
    
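The API steps above, together with the login, instance lookup and deployment calls the Ansible reference on this page makes, combined into one script. This is an added example, not part of the original how-to and not F5 tooling. It uses only the Python standard library; the environment variable names CM_HOST, CM_USER, CM_PASS, BIGIP_NEXT_HOSTNAME and CM_VERIFY_TLS are assumptions, as is the check that the entry and return VLANs differ. The request body is validated against the constraints the page states before anything is sent, the instance lookup fails loudly when no device matches the hostname filter, and TLS verification stays on unless explicitly disabled.

```python
"""Create and deploy a Generic Inline L2 inspection service through the
BIG-IP Next Central Manager REST API. Added example (not F5 code), stdlib only.
Hypothetical env vars (assumptions): CM_HOST, CM_USER, CM_PASS, BIGIP_NEXT_HOSTNAME, CM_VERIFY_TLS."""
import json
import os
import ssl
import urllib.error
import urllib.parse
import urllib.request

SERVICE_DOWN_ACTIONS = ("ignore", "drop", "reset")


def build_l2_service(name, to_vlan, from_vlan, description="",
                     service_down_action="ignore", interval=5, timeout=16, irules=None):
    """POST body with the how-to's constraints enforced: type is fixed at "l2",
    serviceDownAction is ignore/drop/reset, the only monitor is ICMP (seconds).
    Requiring distinct entry and return VLANs is an added sanity check (assumption)."""
    if service_down_action not in SERVICE_DOWN_ACTIONS:
        raise ValueError(f"serviceDownAction must be one of {SERVICE_DOWN_ACTIONS}")
    if to_vlan == from_vlan:
        raise ValueError("toVlan and fromVlan must be different VLANs")
    body = {
        "name": name,
        "description": description,
        "type": "l2",
        "serviceDownAction": service_down_action,
        "network": [{"toVlan": to_vlan, "fromVlan": from_vlan}],
        "monitor": {"icmp": {"interval": interval, "timeout": timeout}},
    }
    if irules:  # same shape as the Ansible reference: name/version/stage/created_by
        body["irules"] = irules
    return body


def instance_filter_path(hostname):
    """Instance lookup path, same filter/select query the Ansible reference uses."""
    query = urllib.parse.quote_plus(f"hostname eq '{hostname}'")
    return f"/api/v1/spaces/default/instances?filter={query}&select=hostname,id"


def extract_instance_ids(lookup_response):
    """IDs from _embedded.devices[].id; fail loudly rather than deploy to nothing."""
    ids = [d["id"] for d in lookup_response.get("_embedded", {}).get("devices", [])]
    if not ids:
        raise LookupError("no BIG-IP Next instance matched the hostname filter")
    return ids


class CentralManagerClient:
    """Minimal CM client; verify_tls=False mirrors curl -k / validate_certs: false (lab only)."""

    def __init__(self, host, verify_tls=True):
        self.base, self.token = f"https://{host}", None
        self.ctx = ssl.create_default_context()
        if not verify_tls:
            self.ctx.check_hostname, self.ctx.verify_mode = False, ssl.CERT_NONE

    def _call(self, method, path, body=None, expect=200):
        headers = {"Content-Type": "application/json"}
        if self.token:
            headers["Authorization"] = f"Bearer {self.token}"
        data = None if body is None else json.dumps(body).encode()
        req = urllib.request.Request(self.base + path, data=data, method=method, headers=headers)
        try:
            with urllib.request.urlopen(req, context=self.ctx, timeout=60) as resp:
                status, payload = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, payload = err.code, err.read()
        if status != expect:  # surface CM's own error body instead of guessing
            raise RuntimeError(f"{method} {path} -> {status}: {payload[:300]!r}")
        return json.loads(payload) if payload else {}

    def login(self, username, password):
        self.token = self._call("POST", "/api/login",
                                {"username": username, "password": password})["access_token"]

    def instance_ids(self, hostname):
        return extract_instance_ids(self._call("GET", instance_filter_path(hostname)))

    def create_inspection_service(self, body):
        return self._call("POST", "/api/v1/spaces/default/security/inspection-services", body)["id"]

    def deploy(self, insp_id, instance_ids):  # asynchronous: CM answers 202 Accepted
        path = f"/api/v1/spaces/default/security/inspection-services/{insp_id}/deployments"
        return self._call("POST", path, {"deploy-instances": instance_ids,
                                         "undeploy-instances": []}, expect=202)


if __name__ == "__main__":
    cm = CentralManagerClient(os.environ["CM_HOST"], verify_tls=os.environ.get("CM_VERIFY_TLS", "1") == "1")
    cm.login(os.environ.get("CM_USER", "admin"), os.environ["CM_PASS"])
    service = build_l2_service("my-sslo-inlinel2", "sslo-insp-l2-in", "sslo-insp-l2-out",
                               description="My SSLO L2 Inspection Service")
    insp_id = cm.create_inspection_service(service)
    print(json.dumps(cm.deploy(insp_id, cm.instance_ids(os.environ["BIGIP_NEXT_HOSTNAME"])), indent=2))
```

Run it with the environment variables set. The deployment call returns 202 because Central Manager processes deployments asynchronously, so confirm the deployment status on the inspection service in Central Manager afterwards rather than treating the 202 as completion.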

Ansible Reference

Execute with:

export CMPASS='mypassword'
ansible-playbook -i notahost, sslo-service-inlinel2.yaml

Playbook (sslo-service-inlinel2.yaml):

---
- hosts: all
  connection: local

  vars:
    bigip_next_cm_mgmt_ip: "10.1.1.6"
    bigip_next_cm_password: "{{ lookup('ansible.builtin.env', 'CMPASS') }}"
  tasks:
    - name: Check if BIG-IP Next Central Manager instance is available (HTTPS responding 405 on /api/login)
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: GET
        status_code: 405
        validate_certs: false
      until: json_response.status == 405
      retries: 50
      delay: 30
      register: json_response


    - name: Authenticate to BIG-IP Next CM API
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: POST
        headers:
          Content-Type: application/json
        body: |
          {
              "username": "admin",
              "password": "{{ bigip_next_cm_password }}"
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: bigip_next_cm_token
      retries: 30
      delay: 30

    - name: Set the BIG-IP Next CM token
      set_fact:
        bigip_next_cm_token: "{{ bigip_next_cm_token.json.access_token }}"

    
    - name: Get BIG-IP Next ID
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/instances?filter=hostname+eq+%27bigip-next.f5labs.com%27&select=hostname,id
        method: GET
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set BIG-IP Instance ID
      set_fact:
        bigip_id: "{{ json_response.json._embedded.devices | map(attribute='id') | list }}"


    - name: Get BIG-IP Admin User ID
      uri: 
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/users?filter=username+eq+%27admin%27&select=username,id
        method: GET
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response
    
    - name: Set BIG-IP Admin User ID
      set_fact:
        admin_id: "{{ json_response.json._embedded.users[0].id }}"


    # The iRule named "testrule" must already exist on Central Manager; omit the "irules" array if the service needs none.
    - name: Create SSLO Inline L2 Inspection Service
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "name": "my-sslo-inlinel2",
            "description": "My SSLO L2 Inspection Service",
            "type": "l2",
            "serviceDownAction": "ignore",
            "network": [
              {
                "toVlan": "sslo-insp-l2-in",
                "fromVlan": "sslo-insp-l2-out"
              }
            ],
            "monitor": {
              "icmp": {
                "interval": 5,
                "timeout": 16
              }
            },
            "irules": [
              {
                "name": "testrule",
                "version": "1",
                "stage": false,
                "created_by": "{{ admin_id }}"
              }
            ]
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set Inspection Service ID
      set_fact:
        insp_id: "{{ json_response.json.id }}"

        
    - name: Deploy SSLO Inline L2 Inspection Service to BIG-IP Instance
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services/{{ insp_id }}/deployments
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "deploy-instances": {{ bigip_id | to_json }},
            "undeploy-instances": []
          }
        body_format: json
        timeout: 60
        status_code: 202
        validate_certs: false
      register: json_response

    - debug:
        var: json_response

Results

The Generic Inline L2 inspection service is created.

Next Steps

Deploy the Service to a BIG-IP Instance using CM APIs

Create instance specific configuration using CM APIs

References

For more information on the APIs, refer to Open API documentation