
Required equipment:
- Gigamon HC2 x1
- SSL VA x2
- WAF x2
- Switch x2

Topology
- Upstream and downstream switches so that a single link can be brought into the Gigamon
- SSL VAs deployed as a redundant (load-balanced) pair for the decryption segment and another for the re-encryption segment
- WAFs deployed as a redundant (load-balanced) pair

### Gigamon configuration supplied for the SSL VA PoC ###

port 1/3/x1..x6,1/4/x1..x6,1/4/x17..x18 param admin enable
port 1/3/x1..x6,1/4/x1..x6 type inline-tool

inline-tool alias SSL-1-1
  pair tool-a 1/3/x1 and tool-b 1/3/x2
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-1-2
  pair tool-a 1/3/x3 and tool-b 1/3/x4
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-2-1
  pair tool-a 1/4/x1 and tool-b 1/4/x2
  enable
  heart-beat
  shared true
  exit
inline-tool alias SSL-2-2
  pair tool-a 1/4/x3 and tool-b 1/4/x4
  enable
  heart-beat
  shared true
  exit
inline-tool alias WAF-1
  pair tool-a 1/3/x5 and tool-b 1/3/x6
  enable
  heart-beat
  shared true
  exit
inline-tool alias WAF-2
  pair tool-a 1/4/x5 and tool-b 1/4/x6
  enable
  heart-beat
  shared true
  exit
inline-tool-group alias SSL-DEC-LB
  tool-list SSL-1-1,SSL-2-1
  enable
  exit
inline-tool-group alias SSL-ENC-LB
  tool-list SSL-1-2,SSL-2-2
  enable
  exit
inline-tool-group alias WAF-LB-1
  tool-list WAF-1,WAF-2
  enable
  exit
map alias iN5_HTTPS_VLAN501
  type flexinline byRule
  roles replace admin to owner_roles
  rule add pass portdst 443 protocol tcp bidir
  from default_inline_net_1_4_1
  a-to-b SSL-DEC-LB,WAF-LB-1,SSL-ENC-LB
  b-to-a reverse
  tag 501
  exit
map alias iN5_HTTP_VLAN502
  type flexinline byRule
  roles replace admin to owner_roles
  rule add pass portdst 80 protocol tcp bidir
  from default_inline_net_1_4_1
  a-to-b WAF-LB-1
  b-to-a reverse
  tag 502
  exit
map alias iN5_Other_VLAN520
  type flexinline collector
  roles replace admin to owner_roles
  from default_inline_net_1_4_1
  a-to-b bypass
  b-to-a bypass
  tag 520
  exit

inline-network alias default_inline_net_1_4_1 physical-bypass disable
inline-network alias default_inline_net_1_4_1 traffic-path to-inline-tool
inline-network alias default_inline_net_1_4_1 lfp enable
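Before a chain like the one above goes inline, it is worth checking mechanically that every alias in each map's a-to-b list is actually defined, that every tool's pair ports were declared as inline-tool ports, and that the HTTPS map really passes traffic through decryption before the WAF and re-encryption after it (a chain that puts the WAF first inspects ciphertext only). The following Python checker is an added example written for this page, not Gigamon's tooling; SAMPLE_CONFIG is a constructed, trimmed copy of the configuration above (one SSL VA per direction, two WAFs), and the parser understands only the statements shown.

```python
"""Sanity-check a Gigamon flexinline chain before it goes live (added example)."""
import re

# Constructed, trimmed copy of the page's config: two SSL VA tools, two WAFs.
SAMPLE_CONFIG = """
port 1/3/x1..x6,1/4/x5..x6 type inline-tool
inline-tool alias SSL-1-1
  pair tool-a 1/3/x1 and tool-b 1/3/x2
  exit
inline-tool alias SSL-1-2
  pair tool-a 1/3/x3 and tool-b 1/3/x4
  exit
inline-tool alias WAF-1
  pair tool-a 1/3/x5 and tool-b 1/3/x6
  exit
inline-tool alias WAF-2
  pair tool-a 1/4/x5 and tool-b 1/4/x6
  exit
inline-tool-group alias SSL-DEC-LB
  tool-list SSL-1-1
  exit
inline-tool-group alias SSL-ENC-LB
  tool-list SSL-1-2
  exit
inline-tool-group alias WAF-LB-1
  tool-list WAF-1,WAF-2
  exit
map alias iN5_HTTPS_VLAN501
  rule add pass portdst 443 protocol tcp bidir
  a-to-b SSL-DEC-LB,WAF-LB-1,SSL-ENC-LB
  exit
map alias iN5_HTTP_VLAN502
  rule add pass portdst 80 protocol tcp bidir
  a-to-b WAF-LB-1
  exit
map alias iN5_Other_VLAN520
  a-to-b bypass
  exit
"""

def expand_ports(spec):
    """Expand '1/3/x1..x6,1/4/x17' into individual GigaVUE port names."""
    ports = []
    for item in spec.split(","):
        m = re.fullmatch(r"(\d+/\d+/)x(\d+)(?:\.\.x(\d+))?", item)
        if not m:
            raise ValueError(f"unrecognised port spec: {item}")
        lo, hi = int(m.group(2)), int(m.group(3) or m.group(2))
        ports += [f"{m.group(1)}x{n}" for n in range(lo, hi + 1)]
    return ports

def parse_config(text):
    """Collect inline-tool ports, tool pairs, group members and map chains."""
    cfg = {"inline_tool_ports": set(), "tools": {}, "groups": {}, "maps": {}}
    section = {"inline-tool": "tools", "inline-tool-group": "groups", "map": "maps"}
    kind = alias = None  # block currently being read
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "port" and w[2:4] == ["type", "inline-tool"]:
            cfg["inline_tool_ports"].update(expand_ports(w[1]))
        elif w[0] in section and w[1] == "alias":
            kind, alias = section[w[0]], w[2]
            cfg[kind][alias] = {}
        elif w[0] == "exit":
            kind = None
        elif kind == "tools" and w[0] == "pair":  # pair tool-a A and tool-b B
            cfg[kind][alias]["ports"] = (w[2], w[5])
        elif kind == "groups" and w[0] == "tool-list":
            cfg[kind][alias]["tools"] = w[1].split(",")
        elif kind == "maps" and w[0] == "rule" and "portdst" in w:
            cfg[kind][alias].setdefault("portdst", []).append(int(w[w.index("portdst") + 1]))
        elif kind == "maps" and w[0] == "a-to-b":
            cfg[kind][alias]["chain"] = w[1].split(",")
    return cfg

def unresolved_chain_members(cfg):
    """Chain entries that are neither a defined tool/group nor the keyword 'bypass'."""
    known = set(cfg["tools"]) | set(cfg["groups"]) | {"bypass"}
    return sorted({n for m in cfg["maps"].values() for n in m.get("chain", []) if n not in known})

def tools_with_untyped_ports(cfg):
    """Tools whose pair ports were never declared 'type inline-tool'."""
    return sorted(a for a, t in cfg["tools"].items()
                  if any(p not in cfg["inline_tool_ports"] for p in t.get("ports", ())))

def https_maps_missing_decryption(cfg, decrypt="SSL-DEC-LB", waf="WAF-LB-1", encrypt="SSL-ENC-LB"):
    """Maps matching TCP/443 whose a-to-b chain is not decrypt -> WAF -> re-encrypt, in that order."""
    bad = []
    for alias, m in cfg["maps"].items():
        chain = m.get("chain", [])
        if 443 in m.get("portdst", []) and not (
            all(x in chain for x in (decrypt, waf, encrypt))
            and chain.index(decrypt) < chain.index(waf) < chain.index(encrypt)):
            bad.append(alias)
    return bad

if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for check in (unresolved_chain_members, tools_with_untyped_ports, https_maps_missing_decryption):
        print(f"{check.__name__}: {check(cfg) or 'ok'}")
```

Run it against a copy of the running configuration (show running-config output, or the text you are about to paste in) and treat any non-empty result as a stop: a chain with a misspelled group alias will not commit, but a chain with the WAF ahead of the decryptor commits fine and simply never inspects plaintext. The group-name defaults match the aliases used on this page; pass your own aliases if you name them differently.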


When the password of a node registered in GigaVUE-FM was changed, I had never found a way to update it, so until now I had been recommending a fixed account to customers.
However... I found that the "EDIT" that is not available on the device-registration page is supported elsewhere.
After a device has been registered, when its password changes, go to "Settings / Node Details" as shown below, select the device to be changed, and apply the change under "Actions / Edit".


To set up GRIP successfully, it is advised that you check the inline functions of each HC2 separately.

https://gigamoncp.force.com/partnercommunity/s/article/HC2-GRIP-Configuration-example#loaded

A. Set up Primary without GRIP
a. Ensure the secondary is wire only (i.e. physical bypass = enable)
b. Take the primary out of bypass, configure all ports and forward inline traffic to the inline tool

On secondary: inline-network alias default_inline_net_1_1_4 physical-bypass en

On primary:
port 1/1/x23..x24 params admin enable
port 1/1/x8..x9 type inline-tool
port 1/1/x8..x9 params ad en

inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool

inline-tool alias IT-01 pair tool-a 1/1/x8 and tool-b 1/1/x9
inline-tool alias IT-01 failover-action tool-bypass
inline-tool alias IT-01 enable
c. Forward traffic to the inline tool for inspection:
map-passall alias IL-to-tool-Grip
from default_inline_net_1_1_4
to IT-01
exit

inline-network alias default_inline_net_1_1_4 physical-bypass disable

Confirm the setup on the primary using show port params and show port stats

B. Set up Secondary without GRIP
a. Set the primary as wire only (i.e. physical bypass = enable)
On primary: inline-network alias default_inline_net_1_1_4 physical-bypass en

On secondary:
port 1/1/x23..x24 params admin enable
inline-network alias default_inline_net_1_1_4 traffic-path to-inline-tool

port 1/1/x2..x3 type inline-tool
port 1/1/x2..x3 params ad en
inline-tool alias IT-02 pair tool-a 1/1/x2 and tool-b 1/1/x3
inline-tool alias IT-02 failover-action tool-bypass
inline-tool alias IT-02 enable

map-passall alias IL-to-tool-GripSecondary
from default_inline_net_1_1_4
to IT-02
exit

inline-network alias default_inline_net_1_1_4 physical-bypass disable

Again, confirm the configuration using show port params and show port stats

C. Configure redundancy profiles and signal links.

i. Enable bypass on both
[primary] inline-network alias default_inline_net_1_1_4 physical-bypass en
[secondary] inline-network alias default_inline_net_1_1_4 physical-bypass en

ii. Configure GRIP Redundancy profiles and check signal link
Note: the signaling link is port 1/1/x7 on the primary and port 1/1/x4 on the secondary

Primary:
port 1/1/x7 type stack
port 1/1/x7 params admin en

redundancy-profile alias RP-01
protection-role primary
signaling-port 1/1/x7
exit

Secondary:
port 1/1/x4 type stack
port 1/1/x4 params admin en

redundancy-profile alias RP-02
protection-role secondary
signaling-port 1/1/x4
exit

D. Turn off LFP, then assign the Redundancy Profile (RP) to the inline network ports on both chassis
[primary]
no inline-network alias default_inline_net_1_1_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-01
[secondary]
no inline-network alias default_inline_net_1_1_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-02

ADDITIONAL NOTES
Once the redundancy profile has been applied, the physical bypass state is controlled by software.

Commands for checking status:
[Primary]
show inline-network alias default_inline_net_1_1_4
show port stats p 1/1/x23,1/1/x8,1/1/x9,1/1/x24
show port params p 1/1/x23,1/1/x8,1/1/x9,1/1/x24

[Secondary]
show inline-network alias default_inline_net_1_1_4
show port params p 1/1/x23,1/1/x2,1/1/x3,1/1/x24
show port stats p 1/1/x23,1/1/x2,1/1/x3,1/1/x24

Note that in this example, link fail propagation (LFP) is disabled to reduce inline network recovery time after failover.
When GRIP is deployed with high-availability networks where a second path is present, it is a best practice to leave LFP enabled.
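Steps C and D leave each chassis with a small amount of state that has to agree across the pair: exactly one primary and one secondary protection role, a signaling port that is typed as a stack port, an inline network bound to a profile that exists, and physical bypass disabled on that inline network so that software controls it. A mismatch that is easy to make by hand is naming a different inline network alias in the lfp line than in the redundancy-profile line, which leaves LFP untouched on the protected network. The Python below is an added example, not Gigamon's own tooling: PRIMARY and SECONDARY are constructed extracts of the end state the steps above produce, and the checks are assumptions about what "consistent" means drawn from the notes on this page.

```python
"""Consistency check for a GRIP pair's final state (added example, not Gigamon tooling)."""

# Constructed extract of the primary chassis after steps C and D on the page.
PRIMARY = """
port 1/1/x7 type stack
port 1/1/x7 params admin en
redundancy-profile alias RP-01
protection-role primary
signaling-port 1/1/x7
exit
no inline-network alias default_inline_net_1_1_4 lfp en
inline-network alias default_inline_net_1_1_4 physical-bypass disable
inline-network alias default_inline_net_1_1_4 redundancy-profile RP-01
"""
# The secondary differs only in signaling port, profile alias and role.
SECONDARY = (PRIMARY.replace("1/1/x7", "1/1/x4").replace("RP-01", "RP-02")
             .replace("protection-role primary", "protection-role secondary"))


def chassis_state(text):
    """Reduce one chassis' CLI lines to the facts GRIP depends on."""
    st = {"stack": set(), "profiles": {}, "nets": {}}
    profile = None  # redundancy-profile block currently being read
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[0] == "port" and w[2:4] == ["type", "stack"]:
            st["stack"].update(w[1].split(","))  # single ports only; ranges are not expanded here
        elif w[:2] == ["redundancy-profile", "alias"]:
            profile = st["profiles"].setdefault(w[2], {})
        elif profile is not None and w[0] in ("protection-role", "signaling-port"):
            profile[w[0]] = w[1]
        elif w[0] == "exit":
            profile = None
        elif w[0] in ("no", "inline-network"):
            negated = w[0] == "no"
            if negated:
                w = w[1:]
            if w[:2] != ["inline-network", "alias"]:
                continue
            net = st["nets"].setdefault(w[2], {})
            if w[3] in ("physical-bypass", "lfp"):
                # 'en'/'enable' means on, 'disable' means off, and a leading 'no' flips the result
                net[w[3]] = w[4].startswith("en") != negated
            elif w[3] in ("redundancy-profile", "traffic-path"):
                net[w[3]] = w[4]
    return st


def grip_findings(primary, secondary):
    """Problems that would stop the pair from failing over cleanly (empty list means consistent)."""
    pair = (("primary", primary), ("secondary", secondary))
    findings = []
    roles = sorted(p.get("protection-role", "?") for _, st in pair for p in st["profiles"].values())
    if roles != ["primary", "secondary"]:
        findings.append(f"expected one primary and one secondary profile, got {roles}")
    for name, st in pair:
        for alias, prof in st["profiles"].items():
            if prof.get("signaling-port") not in st["stack"]:
                findings.append(f"{name}: {alias} signaling port {prof.get('signaling-port')} is not a stack port")
        for net_alias, net in st["nets"].items():
            rp = net.get("redundancy-profile")
            if rp is None:
                findings.append(f"{name}: {net_alias} is configured but bound to no redundancy profile (alias typo?)")
            elif rp not in st["profiles"]:
                findings.append(f"{name}: {net_alias} references undefined profile {rp}")
            elif net.get("physical-bypass", True):
                findings.append(f"{name}: {net_alias} still in physical bypass, so GRIP cannot steer it")
    return findings


def lfp_disabled_networks(primary, secondary):
    """(chassis, inline network) pairs with LFP off: fine on a single path, re-enable where a second HA path exists."""
    return [(name, n) for name, st in (("primary", primary), ("secondary", secondary))
            for n, net in st["nets"].items() if net.get("lfp") is False]


if __name__ == "__main__":
    p, s = chassis_state(PRIMARY), chassis_state(SECONDARY)
    print("findings:", grip_findings(p, s) or "none")
    print("LFP disabled on:", lfp_disabled_networks(p, s))
```

The LFP report is deliberately separate from the findings: on the single-path topology in this example it is expected, but if the site has a second path it is the one setting you would want to turn back on before declaring the pair ready.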
