How to: Configure Generic Inline L2 Inspection Service
Overview
An inline layer 2 service transparently passes traffic through physically or logically separate interfaces. Unlike a layer 3 device, a layer 2 device does not expose IP addresses and does not participate in routing. And unlike a passive TAP device, a layer 2 device is able to affect the traffic in real time: it may, for example, drop or reset a traffic flow, rewrite or scrub content, or serve a blocking page.
Note: L2 inline service is only supported on VE. It is not supported on BIG-IP hardware platforms.
Note: For L2 inspection service, the ingress and egress VLANs must reside on a different switch port than the other VLANs not involved in the inspection process.
Procedure
To create a Generic Inline L2 inspection service using the BIG-IP Next Central Manager user interface:
Log in to BIG-IP Next Central Manager as admin, click the Workspace icon, click Security, and then click SSL Orchestrator.
At the top of the screen, click + Create.
In the Inspection Service drop-down list, select Generic Inline L2.
Click Start Creating.
Specify General Properties for the Inline L2 inspection service.
a. For Name, enter a name for the Generic Inline L2 Service.
b. For Description, add a description for the service, if required.
For Device Monitor, specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them.
For Service Down Action, specify the action to be taken when a destination device associated with the service becomes unavailable or goes down.
Ignore: Skips forwarding traffic to the down service and forwards traffic to the next service in the chain.
Drop: Stops forwarding traffic to the affected service.
Reset: Resets the connection to the client.
Toggle the iRules radio button in the Additional Features section if you want to include iRules for creating the service. The iRules tab will be added to the left pane.
Click Save & Continue.
Click Start Adding, if you have not added any Inspection Service Endpoints yet.
Specify Network settings for the policy.
a. In the To:VLAN section, for VLAN, specify the L1 network VLAN for entry of traffic. Entry refers to the traffic that leaves BIG-IP Next and enters the inspection device.
b. In the From:VLAN section, for VLAN, specify the L1 network VLAN for return of traffic. Return refers to the traffic that the device sends back to BIG-IP Next.
In the iRules tab:
a. Click Start Adding.
b. Select the required iRules from the drop-down list.
c. Click Add to List.
d. Click Save & Continue.
Select Review & Deploy to deploy the configuration.
Verify the configuration details in the Summary section and click Start Adding.
Select the BIG-IP Next instances to which you want to deploy the service.
Click Add to List, and then click Deploy Changes.
Click Yes, Deploy to deploy the service to the selected instances.
Results
The Generic Inline L2 inspection service is created and deployed to the selected BIG-IP instances.
To configure a Generic Inline L2 inspection service using the Central Manager API:
Send a POST request to the /spaces/default/security/inspection-services endpoint:

POST https://{{cm_mgmt_ip}}:443/api/v1/spaces/default/security/inspection-services/
For the API body, use the following example, substituting appropriate values for the service you want to create:
type: For a Generic Inline L2 inspection service, the value of this property is set to l2.
toVlan (network): Specify the L1 network VLAN created during BIG-IP Next Onboarding for entry of traffic.
fromVlan (network): Specify the L1 network VLAN created during BIG-IP Next Onboarding for return of traffic.
monitor: Specify the monitor to track the availability and performance of services on the nodes, pools, or pool members to which you attach them. BIG-IP Next SSL Orchestrator currently supports only the ICMP monitor.
Basic
{
  "name": "my-sslo-inlinel2",
  "description": "My SSLO L2 Inspection Service",
  "type": "l2",
  "serviceDownAction": "ignore",
  "network": [
    {
      "toVlan": "sslo-insp-l2-in",
      "fromVlan": "sslo-insp-l2-out"
    }
  ],
  "monitor": {
    "icmp": {
      "interval": 5,
      "timeout": 16
    }
  }
}
Curl
# CM (the Central Manager management address) and token (the bearer token obtained from /api/login) must already be set in the shell.
INSP=$(cat <<EOF
{
  "name": "my-sslo-inlinel2",
  "description": "My SSLO L2 Inspection Service",
  "type": "l2",
  "serviceDownAction": "ignore",
  "network": [
    {
      "toVlan": "sslo-insp-l2-in",
      "fromVlan": "sslo-insp-l2-out"
    }
  ],
  "monitor": {
    "icmp": {
      "interval": 5,
      "timeout": 16
    }
  }
}
EOF
)
insp_id=$(curl -sk -H "Authorization: Bearer ${token}" \
  -H "Content-Type: application/json" \
  "https://${CM}/api/v1/spaces/default/security/inspection-services" \
  -d "${INSP}" | jq -r '.id')
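The following Python script is an added example, not F5's own code or tooling. It builds the same inspection-service body the Basic and Curl examples send, validates it client-side against the constraints this page states (type l2, a Service Down Action of ignore, drop or reset, separate ingress and egress VLANs, ICMP as the only supported monitor), and assembles the create and deployment requests using the endpoint paths shown on this page. The check that the ICMP timeout exceeds the interval is an assumption (the page's 5/16 sample satisfies it), and the host, token and instance id in the usage section are constructed placeholders; the urllib send helper is a convenience that the page itself does not provide.

```python
# Added example: build, validate and assemble API requests for a Generic
# Inline L2 inspection service on BIG-IP Next Central Manager.
# Endpoint paths and field names are taken from the page; the validation
# rules are assumptions derived from the page's notes and sample body.
import json
import ssl
import urllib.request

SERVICE_DOWN_ACTIONS = ("ignore", "drop", "reset")
BASE_PATH = "/api/v1/spaces/default/security/inspection-services"


def build_inline_l2_service(name, to_vlan, from_vlan, description="",
                            service_down_action="ignore",
                            icmp_interval=5, icmp_timeout=16, irules=None):
    """Return the JSON-serialisable body for a Generic Inline L2 service."""
    body = {
        "name": name,
        "description": description,
        "type": "l2",
        "serviceDownAction": service_down_action,
        "network": [{"toVlan": to_vlan, "fromVlan": from_vlan}],
        "monitor": {"icmp": {"interval": icmp_interval, "timeout": icmp_timeout}},
    }
    if irules:
        body["irules"] = list(irules)
    return body


def validate_inline_l2_service(body):
    """Return a list of problems; an empty list means the body passes.

    Running these checks before the POST catches a misconfiguration that
    would otherwise surface only after the service has been deployed.
    """
    problems = []
    if body.get("type") != "l2":
        problems.append("type must be 'l2' for a Generic Inline L2 service")
    if body.get("serviceDownAction") not in SERVICE_DOWN_ACTIONS:
        problems.append("serviceDownAction must be one of: "
                        + ", ".join(SERVICE_DOWN_ACTIONS))
    network = body.get("network") or []
    if not network:
        problems.append("network needs at least one toVlan/fromVlan pair")
    for pair in network:
        to_vlan, from_vlan = pair.get("toVlan"), pair.get("fromVlan")
        if not to_vlan or not from_vlan:
            problems.append("toVlan and fromVlan are both required")
        elif to_vlan == from_vlan:
            # The page requires the ingress and egress VLANs to be separate.
            problems.append("toVlan and fromVlan must be different VLANs")
    monitor = body.get("monitor") or {}
    if set(monitor) != {"icmp"}:
        problems.append("only the icmp monitor is supported")
    elif monitor["icmp"].get("timeout", 0) <= monitor["icmp"].get("interval", 0):
        # Assumption: the timeout must exceed the probe interval (5/16 on the page).
        problems.append("icmp timeout must be greater than the interval")
    return problems


def create_request(cm_host, token, body):
    """Assemble (but do not send) the POST that creates the service."""
    return {
        "method": "POST",
        "url": "https://%s%s" % (cm_host, BASE_PATH),
        "headers": {"Authorization": "Bearer " + token,
                    "Content-Type": "application/json"},
        "body": body,
    }


def deploy_request(cm_host, token, service_id, instance_ids):
    """Assemble the POST to .../{id}/deployments that pushes the service."""
    req = create_request(cm_host, token, {
        "deploy-instances": list(instance_ids),
        "undeploy-instances": [],
    })
    req["url"] = "https://%s%s/%s/deployments" % (cm_host, BASE_PATH, service_id)
    return req


def send(req, verify_tls=True):
    """Send an assembled request with urllib and return the parsed JSON reply.

    verify_tls=False mirrors curl -k / validate_certs: false on the page and
    belongs only in a lab where the CM certificate is not yet trusted.
    """
    data = json.dumps(req["body"]).encode()
    http_req = urllib.request.Request(req["url"], data=data, method=req["method"],
                                      headers=req["headers"])
    ctx = ssl.create_default_context()
    if not verify_tls:
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    with urllib.request.urlopen(http_req, context=ctx, timeout=60) as resp:
        return json.loads(resp.read().decode())


if __name__ == "__main__":
    # Constructed placeholders: host, token and instance id are not real values.
    good = build_inline_l2_service("my-sslo-inlinel2", "sslo-insp-l2-in",
                                   "sslo-insp-l2-out", "My SSLO L2 Inspection Service")
    print("good body problems:", validate_inline_l2_service(good))
    bad = build_inline_l2_service("bad", "sslo-insp-l2-in", "sslo-insp-l2-in",
                                  service_down_action="bypass")
    print("bad body problems:", validate_inline_l2_service(bad))
    req = create_request("cm.example.invalid", "TOKEN-PLACEHOLDER", good)
    print(json.dumps(req["body"], indent=2))
    # To create and deploy for real: service_id = send(req, verify_tls=False)["id"]
    # then send(deploy_request(host, token, service_id, ["INSTANCE-ID-PLACEHOLDER"]))
```

Validation runs before anything touches the API, so a body that reuses the same VLAN for entry and return, or names an unsupported Service Down Action, is rejected locally instead of producing a broken service on the BIG-IP Next instance; the two request builders keep the create and deployment calls in the order the page's Ansible reference uses.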
Ansible Reference
Execute with:
export CMPASS='mypassword'
ansible-playbook -i notahost, sslo-service-inlinel2.yaml
---
- hosts: all
  connection: local
  vars:
    bigip_next_cm_mgmt_ip: "10.1.1.6"
    # Password is read from the CMPASS environment variable so it is not stored in the playbook.
    bigip_next_cm_password: "{{ lookup('ansible.builtin.env', 'CMPASS') }}"
  tasks:
    - name: Check if BIG-IP Next Central Manager instance is available (HTTPS responding 405 on /api/login)
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: GET
        status_code: 405
        validate_certs: false
      until: json_response.status == 405
      retries: 50
      delay: 30
      register: json_response

    - name: Authenticate to BIG-IP Next CM API
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/login
        method: POST
        headers:
          Content-Type: application/json
        body: |
          {
            "username": "admin",
            "password": "{{ bigip_next_cm_password }}"
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: bigip_next_cm_token
      retries: 30
      delay: 30

    - name: Set the BIG-IP Next CM token
      set_fact:
        bigip_next_cm_token: "{{ bigip_next_cm_token.json.access_token }}"

    - name: Get BIG-IP Next ID
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/instances?filter=hostname+eq+%27bigip-next.f5labs.com%27&select=hostname,id
        method: GET
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set BIG-IP Instance ID
      set_fact:
        # "| list" materialises the map() iterator so bigip_id is a plain list of instance ids.
        bigip_id: "{{ json_response.json._embedded.devices | map(attribute='id') | list }}"

    - name: Get BIG-IP Admin User ID
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/users?filter=username+eq+%27admin%27&select=username,id
        method: GET
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set BIG-IP Admin User ID
      set_fact:
        admin_id: "{{ json_response.json._embedded.users[0].id }}"

    - name: Create SSLO Inline L2 Inspection Service
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        body: |
          {
            "name": "my-sslo-inlinel2",
            "description": "My SSLO L2 Inspection Service",
            "type": "l2",
            "serviceDownAction": "ignore",
            "network": [
              {
                "toVlan": "sslo-insp-l2-in",
                "fromVlan": "sslo-insp-l2-out"
              }
            ],
            "monitor": {
              "icmp": {
                "interval": 5,
                "timeout": 16
              }
            },
            "irules": [
              {
                "name": "testrule",
                "version": "1",
                "stage": false,
                "created_by": "{{ admin_id }}"
              }
            ]
          }
        body_format: json
        timeout: 60
        status_code: 200
        validate_certs: false
      register: json_response

    - name: Set Inspection Service ID
      set_fact:
        insp_id: "{{ json_response.json.id }}"

    - name: Deploy SSLO Inline L2 Inspection Service to BIG-IP Instance
      uri:
        url: https://{{ bigip_next_cm_mgmt_ip }}/api/v1/spaces/default/security/inspection-services/{{ insp_id }}/deployments
        method: POST
        headers:
          Authorization: "Bearer {{ bigip_next_cm_token }}"
          Content-Type: application/json
        # to_json renders the id list as a JSON array; a bare {{ bigip_id }} would emit a Python-style list and break the body.
        body: |
          {
            "deploy-instances": {{ bigip_id | to_json }},
            "undeploy-instances": []
          }
        body_format: json
        timeout: 60
        status_code: 202
        validate_certs: false
      register: json_response

    - debug:
        var: json_response
Results
The Generic Inline L2 inspection service is created.
Next Steps
Deploy the Service to a BIG-IP Instance using CM APIs
Create instance specific configuration using CM APIs
References
For more information on the APIs, refer to Open API documentation