Manual Chapter : BIG-IP Solutions Guide v4.6.2: Mirroring Traffic to an Inspection Device

Applies To: BIG-IP versions 1.x - 4.x (4.6.2)

Chapter 4: Mirroring Traffic to an Inspection Device


Introducing mirroring traffic to an inspection device

The BIG-IP software contains two features that provide the ability to mirror traffic from the BIG-IP system to a traffic inspection device or probe. The features are VLAN mirroring and clone pools.

These features provide the ability to replicate packets and send them to another network device. Typically, you use these features to send packets to intrusion detection systems which passively look at all packets going through a network. The examples in this documentation illustrate how the features work with an intrusion detection system (IDS).

You can use the BIG-IP system in an in-band or out-of-band configuration. In an in-band configuration, the BIG-IP system taps traffic itself and manages both the traffic flowing through it and the traffic flowing to probes. In an out-of-band configuration, the BIG-IP system is downstream from a tap and manages traffic to probes only.

VLAN mirroring and clone pools support the following types of probes:

  • Intrusion detection systems (IDS)
  • IDS with connection killing
  • Denial of service (DoS) attack detection systems
  • Network sniffers and LAN analyzers
  • Virus scanners
  • Email scanners

Table 4.1 lists any additional configuration required on the BIG-IP system, the probes connected to the system, or the L2 switch between the BIG-IP system and probe, based on the behavior of the probe.

Figure 4.1 Configuration required for supported probe types

Behavior of probe: Responds to ARP
  Configure on BIG-IP system: IP address of probe
  Probes connected directly: No special configuration required
  Separate L2 switch between BIG-IP system and probe: No special configuration required

Behavior of probe: Has a MAC address but does not respond to ARP
  Configure on BIG-IP system: MAC address of probe
  Probes connected directly: Add L2 table entry on BIG-IP system
  Separate L2 switch between BIG-IP system and probe: Add L2 table entry on switch

Behavior of probe: Completely passive, no MAC address
  Configure on BIG-IP system: Name of VLAN for accessing probe
  Probes connected directly: Configure port-group VLAN containing the port to which probe is connected
  Separate L2 switch between BIG-IP system and probe: Configure VLAN tags on BIG-IP system and switch, and port-group VLAN on switch

Configuring VLAN mirroring

VLAN mirroring is similar to port mirroring, in that packets received from a VLAN are copied and sent to another VLAN or set of VLANs. This occurs for all traffic received on the source VLAN in a VLAN mirroring configuration, regardless of the destination MAC address on the packet. Packets sent from the BIG-IP system out of a given VLAN are not mirrored. In this situation, the BIG-IP system performs like a network hub for these VLANs. This feature is designed to work in an out-of-band configuration.


Figure 4.2 An example out-of-band configuration with VLAN mirroring.

In Figure 4.2, the tap can be a passive splitter, active tap, or port mirror built into an Ethernet switch.

Warning

If you configure a VLAN for mirroring, only mirroring can be done on that VLAN. You cannot configure virtual servers, SNATs, self IPs, or any other kind of IP address on that VLAN. You cannot gain administrative access through a mirrored VLAN.

Note

If you configure VLAN mirroring, hardware acceleration is turned off for all virtual servers.

To configure VLAN mirroring using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button, or click an existing VLAN name to view its properties.
  3. In the Mirrored VLANs area, select a VLAN name in the Existing VLANs box and move it to the Mirrored VLANs box, using the arrows (>>).
  4. Click Done or Apply.

To configure VLAN mirroring from the command line

Use the following syntax to configure VLAN mirroring from the command line:

b vlan <vlan_name> mirror vlans <vlan1> <vlan2>

For example, if you want to mirror traffic from the VLAN external to the VLANs ids1 and ids2, type the following command:

b vlan external mirror vlans ids1 ids2

Figure 4.3 is an example of the configuration created by this command, where ids1 and ids2 are VLANs that receive the replicated packets for any packet going through the VLAN external.

Figure 4.3 An example of VLAN mirroring syntax


vlan external {
  interfaces add 1.1
  mirror vlans ids1 ids2
}

Using hash mode with VLAN mirroring

Hash mode provides a simple load balancing feature for VLAN mirroring. Instead of copying the packet to every VLAN in the mirror list, in this mode the BIG-IP system hashes the IP addresses on the packet and sends the packet to only one of the VLANs, based on the computed hash. The hash is symmetrical, meaning that both sides of a connection are sent to the same mirror VLAN.

To set hash mode to Enabled using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button, or click an existing VLAN name to view its properties.
  3. In the Mirror Hash box, select Enabled.
  4. Click Done or Apply.

To set hash mode to Enabled from the command line

To set hash mode to Enabled when you configure VLAN mirroring, use this command syntax:

b vlan <vlan_name> mirror vlans <vlan1> <vlan2> hash enable

Figure 4.4 is an example of a VLAN mirroring configuration with hash mode enabled.

Figure 4.4 An example of VLAN mirroring with hash mode enabled


vlan external {
  interfaces add 1.1
  mirror vlans ids1 ids2
  mirror hash enable
}

Using hash port with VLAN mirroring

Hash port mode is the same as hash mode, but if the protocol is TCP or UDP, the ports are included in the computed hash. This provides for greater granularity in the load balancing of the connection across the mirror VLANs.

To set hash mode to Port Enabled using the Configuration utility

  1. In the navigation pane, click Network.
    The VLANs screen opens.
  2. Click the Add button, or click an existing VLAN name to view its properties.
  3. In the Mirror Hash box, select Port Enabled.
  4. Click Done or Apply.

To set hash mode to Port Enabled from the command line

The following command syntax shows how to set hash mode to Port Enabled when you configure VLAN mirroring.

b vlan <vlan_name> mirror vlans <vlan1> <vlan2> hash port enable

Figure 4.5 is an example where hash port mode is enabled for the mirrored VLANs ids1 and ids2.

Figure 4.5 An example of VLAN mirroring with hash port mode enabled


vlan external {
  interfaces add 1.1
  mirror vlans ids1 ids2
  mirror hash port enable
}

Note

Hash port mode is a variation of hash mode. You cannot configure them both at the same time.

How the BIG-IP system handles traffic from the IDS with VLAN mirroring

Typically, you use VLAN mirroring to send packets to a passive intrusion detection system (IDS) that inspects the traffic and looks for threatening content. If the IDS detects that the traffic is part of a network attack, it may attempt to send one or more TCP resets to the client and server in order to terminate the connection. In this situation, when the BIG-IP system is configured with VLAN mirroring, the system receives the packets from the IDS on the mirror-to VLAN, or target VLAN. The BIG-IP system mirrors any packets that originate from a mirror-to (mirror target) VLAN to all source VLANs in a VLAN mirroring configuration. This is controlled by the global variable mirror_vlan_forwarding. In order for the packets sent by the IDS to be mirrored to the source VLANs, this variable must be enabled.

The default setting for this global variable is enable. If the variable is set to disable, packets received on a target VLAN of a VLAN mirror are discarded. For information about how to disable this variable, see the BIG-IP Reference Guide, Chapter 3, Post-Setup Tasks.

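The hash selection described under hash mode and hash port mode, together with the mirror_vlan_forwarding behaviour above, modelled as an added example (this is not F5 code). The hash function the BIG-IP system actually uses is not documented on this page, so SHA-256 over a direction-independent endpoint pair stands in for it, and the IP addresses are constructed; the VLAN names are the page's own.

```python
"""Model of the VLAN mirroring dispatch described in this chapter.

Illustrative example, not F5 code.  The real BIG-IP hash is undocumented
here; SHA-256 over a sorted endpoint pair stands in for it (assumption).
"""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    proto: str              # "tcp", "udp" or anything else (e.g. "icmp")
    src_port: int = 0
    dst_port: int = 0


def flow_key(pkt: Packet, use_ports: bool) -> bytes:
    """Direction-independent key: sorting the two endpoints makes the
    client->server and server->client halves of a connection hash alike."""
    if use_ports and pkt.proto in ("tcp", "udp"):        # hash port mode
        ends = [(pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)]
    else:                                                 # hash mode: IPs only
        ends = [(pkt.src_ip, 0), (pkt.dst_ip, 0)]
    lo, hi = sorted(ends)
    return f"{lo[0]}:{lo[1]}|{hi[0]}:{hi[1]}".encode()


def pick_mirror_vlans(pkt: Packet, mirror_vlans: list, hash_mode: str) -> list:
    """hash_mode follows the CLI tokens: 'disable' copies the packet to every
    mirror VLAN; 'enable' and 'port enable' send it to exactly one of them."""
    if hash_mode == "disable":
        return list(mirror_vlans)
    digest = hashlib.sha256(flow_key(pkt, hash_mode == "port enable")).digest()
    return [mirror_vlans[int.from_bytes(digest[:4], "big") % len(mirror_vlans)]]


def dispatch(ingress_vlan: str, pkt: Packet, source_vlans: list,
             mirror_vlans: list, hash_mode: str, mirror_vlan_forwarding: bool = True) -> list:
    """VLANs a packet received on ingress_vlan is copied to.  Packets arriving
    on a mirror-to VLAN (e.g. TCP resets from the IDS) are replicated to every
    source VLAN only while mirror_vlan_forwarding is enabled; otherwise dropped."""
    if ingress_vlan in source_vlans:
        return pick_mirror_vlans(pkt, mirror_vlans, hash_mode)
    if ingress_vlan in mirror_vlans:
        return list(source_vlans) if mirror_vlan_forwarding else []
    return []   # VLAN is not part of this mirroring configuration
```
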
Configuring clone pools

You can use clone pools to replicate all traffic being handled by a pool to a clone pool that contains an IDS or probe device.

You can configure a clone pool for a standard load balancing pool. When a standard load balancing pool receives a connection, it picks a node for the regular connection using the regular pool, and then it also picks a clone node from the clone pool. The clone node is the device that receives a copy of all the traffic going through the regular pool.

Figure 4.6 shows an in-band configuration for clone pools.

Figure 4.6 An in-band configuration for clone pools

Another important aspect of configuring clone pools is deciding whether the packets should be replicated before or after translation. The client side of the connection is considered before translation and the server side is after translation. You can configure either or both of these at the same time.

To configure a clone pool using the Configuration utility

  1. In the navigation pane, click Pools.
  2. Click a pool name.
    The properties of the pool are displayed.
  3. In the Clone Pool box, select Before or After from the list.
  4. Click Apply.

To configure a clone pool from the command line

Use the following command syntax to configure a clone pool:

b pool [ clone before | clone after ] <pool_name>


How the BIG-IP system handles traffic from an IDS with clone pools configured

When a clone pool is configured on the BIG-IP system, traffic returned by the IDS is handled in a specific way: the BIG-IP system responds to resets from the IDS by deleting the connection and sending a reset to both the client and the server. All other packets from the IDS are discarded.


Additional configuration options

Whenever a BIG-IP system is configured, you have a number of options: