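Required equipment:
- Gigamon HC2: 1 unit
- SSL VA: 2 units
- WAF: 2 units
- Switch: 2 units

Configuration
- Switches are placed above and below the Gigamon so that it carries a single circuit.
- The SSL VA is configured redundantly (LB) for the decryption segment and for the encryption segment, each separately.
- The WAF is configured redundantly (LB).

### Gigamon configuration values provided for the SSL VA PoC ###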

port 1/3/x1..x6,1/4/x1..x6,1/4/x17..x18 param admin enable
port 1/3/x1..x6,1/4/x1..x6 type inline-tool

inline-tool alias SSL-1-1
  pair tool-a 1/3/x1 and tool-b 1/3/x2
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-1-2
  pair tool-a 1/3/x3 and tool-b 1/3/x4
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-2-1
  pair tool-a 1/4/x1 and tool-b 1/4/x2
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-2-2
  pair tool-a 1/4/x3 and tool-b 1/4/x4
  enable
  heart-beat
  shared true
  exit
  
  
inline-tool alias WAF-1
  pair tool-a 1/3/x5 and tool-b 1/3/x6
  enable
  heart-beat
  shared true
  exit
inline-tool alias WAF-2
  pair tool-a 1/4/x5 and tool-b 1/4/x6
  enable
  heart-beat
  shared true
  exit
  
inline-tool-group alias SSL-DEC-LB
  tool-list SSL-1-1,SSL-2-1
  enable
  exit
inline-tool-group alias SSL-ENC-LB
  tool-list SSL-1-2,SSL-2-2
  enable
  exit
inline-tool-group alias WAF-LB-1
  tool-list WAF-1,WAF-2
  enable
  exit
  
  
map alias iN5_HTTPS_VLAN501
  type flexinline byRule
  roles replace admin to owner_roles
  rule add pass portdst 443 protocol tcp bidir
  from default_inline_net_1_4_1
  a-to-b SSL-DEC-LB,WAF-LB-1,SSL-ENC-LB
  b-to-a reverse
  tag 501
  exit
map alias iN5_HTTP_VLAN502
  type flexinline byRule
  roles replace admin to owner_roles
  rule add pass portdst 80 protocol tcp bidir
  from default_inline_net_1_4_1
  a-to-b WAF-LB-1
  b-to-a reverse
  tag 502
  exit
map alias iN5_Other_VLAN520
  type flexinline collector
  roles replace admin to owner_roles
  from default_inline_net_1_4_1
  a-to-b bypass
  b-to-a bypass
  tag 520
  exit
  
  inline-network alias default_inline_net_1_4_1 physical-bypass disable
  inline-network alias default_inline_net_1_4_1 traffic-path to-inline-tool
  inline-network alias default_inline_net_1_4_1 lfp enable
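
An added example, not part of the original post or of Gigamon's own tooling: a small Python lint over the stanzas above that checks that each inline tool has heart-beat, that each load-balancing group has at least two defined members, and that the port-443 map chains decrypt, then WAF, then encrypt. It assumes stanzas start at column 0 and end with exit, and that group aliases contain DEC, WAF or ENC as they do here; SAMPLE, STANZA, parse, csv_arg and lint are names made up for the example.

```python
import re

# Constructed input: trimmed copy of the stanzas shown above (pair/enable lines omitted).
SAMPLE = "".join(f"inline-tool alias {n}\n  heart-beat\n  shared true\n  exit\n"
                 for n in ("SSL-1-1", "SSL-1-2", "SSL-2-1", "SSL-2-2", "WAF-1", "WAF-2")) + """\
inline-tool-group alias SSL-DEC-LB
  tool-list SSL-1-1,SSL-2-1
  exit
inline-tool-group alias SSL-ENC-LB
  tool-list SSL-1-2,SSL-2-2
  exit
inline-tool-group alias WAF-LB-1
  tool-list WAF-1,WAF-2
  exit
map alias iN5_HTTPS_VLAN501
  rule add pass portdst 443 protocol tcp bidir
  a-to-b SSL-DEC-LB,WAF-LB-1,SSL-ENC-LB
  exit
"""

# Assumption: every stanza starts at column 0 and is closed by "exit", as on this page.
STANZA = re.compile(r"^(inline-tool-group|inline-tool|map) alias (\S+)\n(.*?)^\s*exit$", re.M | re.S)

def parse(text):
    """Return body lines per alias for inline-tool, inline-tool-group and map stanzas."""
    blocks = {"inline-tool": {}, "inline-tool-group": {}, "map": {}}
    for kind, alias, body in STANZA.findall(text):
        blocks[kind][alias] = [l.strip() for l in body.splitlines()]
    return blocks["inline-tool"], blocks["inline-tool-group"], blocks["map"]

def csv_arg(body, key):
    # Comma-separated argument of the first "<key> a,b,c" line, or [] if absent.
    return next((l.split()[1].split(",") for l in body if l.startswith(key + " ")), [])

def lint(text):
    """Return findings; an empty list means tools, groups and the HTTPS chain agree."""
    (tools, groups, maps), out = parse(text), []
    out += [f"{n}: heart-beat not configured" for n, b in tools.items() if "heart-beat" not in b]
    for n, b in groups.items():
        members = csv_arg(b, "tool-list")
        if len(members) < 2:
            out.append(f"{n}: fewer than two tools, no redundancy")
        out += [f"{n}: undefined tool {t}" for t in members if t not in tools]
    for n, b in maps.items():
        # Assumption: group aliases contain DEC / WAF / ENC, as they do on this page.
        roles = [next((r for r in ("DEC", "WAF", "ENC") if r in g), g) for g in csv_arg(b, "a-to-b")]
        if any(re.search(r"portdst 443\b", l) for l in b) and roles != ["DEC", "WAF", "ENC"]:
            out.append(f"{n}: HTTPS chain is not decrypt -> WAF -> encrypt")
    return out
```

Running `lint` on an exported configuration before applying it catches a WAF that would sit behind re-encryption and see only ciphertext.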

https://www.gigamon.com/products/optimize-traffic/traffic-intelligence/gigasmart/load-balancing.html

Logically divide traffic among ports

The Load Balancing feature is a licensable addition to the GigaSMART® engine that divides and distributes traffic among multiple tools, so network and security visibility can scale beyond the capacity a single tool can provide. Using effective load balancing techniques, traffic and requests can be distributed based on a variety of options: bandwidth, cumulative traffic, packet rate, connections, round robin, and stateless hashing.

Load Balancing allows operators to include any port in the node as a member of the tool group, as well as ports operating at different speeds. Operators can also use load balancing to weight server-traffic delivery on a per-port basis, to accommodate bandwidth differences or processing capabilities of attached tools, or match and load balance based on inner addressing within encapsulated and tunneled packets.

Benefits of the Load Balancing feature

  • Helps scale network infrastructure by dividing traffic between two or more tools when volume exceeds a single tool or port's capacity.
  • Improves efficiency by weighting traffic application delivery to match tool processing capabilities or port bandwidth capacity.
  • Automatically redistributes traffic to remaining tools in case of tool failure. Automatically restores tool availability for new traffic upon failed tool recovery.
  • Enables load balancing of encapsulated or tunneled traffic (GTP, GRE, or ERSPAN).
  • GTP-aware load balancing helps mobile service providers ensure improved response time and performance for individual subscribers or groups.
