SSL Visibility Appliance

Expand all | Collapse all

SSLV and link aggregation

  • 1.  SSLV and link aggregation

    Posted 7 days ago
    Dear experts,

    we are running two linkes from the Switch to the firewall. there is LACP configured between the two devices.

    We want to add SSLV appliane for inboud traffic inspection in between these two devices. We want to know can SSLV support below things?..

    * Creation of LACP connection?.
    * Can device get input traffic on two differnet netwrok connection and output it to the upstream device.
    * is there vlan creation support for traffic on the appliance?.


  • 2.  RE: SSLV and link aggregation

    Posted 7 days ago
    Dear support,

    Any suggestions on that ?


  • 3.  RE: SSLV and link aggregation

    Broadcom Employee
    Posted 6 days ago
    SSLV is a bump on the wire, essentially acting like a L2 bridge, so we pass LACP through the appliance.

    We support Asymmetric routes over different network connections

    We can apply policy for VLAN Tags

    All your questions can be found in the 4.5 Administration Guide

    Kevin H


  • 4.  RE: SSLV and link aggregation

    Posted 2 days ago
    Thanks for the respnose.

     I have already gone through the admin guide. It does not mentions the creation of vlans on the box.

    Nor does it menitons how to create segment with LACP based connection on the Appliance.

    I am worried as how we would be able to create a inspection segment with 2 links(LACP bundle) as input link to the segment and 2 output links to the destination device.

           _________LACP link1__________
    FW |                                                      Switch
           _________LACP link2_________

    Please note fFW is not our inspection device for ssl traffic inspection. its just another device that is making LACP with switch.
    we wana deploy SSLV3800 inbetween those running links. Will SSL support this sort of deployment?.

    I know one  in/out (network) link is easy deployment which are reffered by guide. But doccumentatoin does not say any thing about double link with traffic being load balanced on both links. Can you refer does the product support such links in segment?.

    Also i saw in guide they mentioned passive tap mode has been removed in version 4.x and above. Is there any other option available if we dont wana go with passive inline mode of deployment?.


  • 5.  RE: SSLV and link aggregation

    Broadcom Employee
    Posted 2 days ago
    As mentioned earlier, the SSLV will recognize VLAN tags in a policy, you dont configure VLANs on the appliance.

    The SSLV is a bump on the wire layer 2 device and acts like a transparent bridge with regards to LACP. LACP is passed through the device.

    Kevin


  • 6.  RE: SSLV and link aggregation

    Posted 23 hours ago
    Thanks kevin for responding.

    So you suggest i may create two segments  with
    LACP link 1 in segment 1
    and LACP  link 2 in segment 2.

    Any suggestion on how SSLV will establish context and consider the two segment traffic as part of one talk happening on two links in loadbalancing manner?.


  • 7.  RE: SSLV and link aggregation

    Broadcom Employee
    Posted 15 hours ago

    As Kevin pointed out the SSLV does not participate in the LACP negotiations. The SSLV would need to see all packets within a flow on a single segment, so splitting the links across 2 segments would not be ideal.

    That being said the way you would want to deploy this is with an Asymmetric segment. Be advised that this will only work with a maximum of 2 ports in the LACP group. Here is an example of a Passive Inline Asymmetric segment and be aware that the internal failure mechanism on the SSLV requires that the physical wire shares the same port pair.

           _______1__LACP link1__2_______
    FW               | SSLV PI_Asym |               Switch
           _______3__LACP link2_4_______