SSL Visibility Appliance

 View Only
Expand all | Collapse all

SSLV and link aggregation

  • 1.  SSLV and link aggregation

    Posted Jun 09, 2021 05:03 AM
    Dear experts,

    we are running two linkes from the Switch to the firewall. there is LACP configured between the two devices. 

    We want to add SSLV appliane for inboud traffic inspection in between these two devices. We want to know can SSLV support below things?..

    * Creation of LACP connection?.
    * Can device get input traffic on two differnet netwrok connection and output it to the upstream device.
    * is there vlan creation support for traffic on the appliance?.


  • 2.  RE: SSLV and link aggregation

    Posted Jun 10, 2021 01:00 AM
    Dear support,

    Any suggestions on that ?


  • 3.  RE: SSLV and link aggregation

    Broadcom Employee
    Posted Jun 10, 2021 10:56 AM
    SSLV is a bump on the wire, essentially acting like a L2 bridge, so we pass LACP through the appliance. 

    We support Asymmetric routes over different network connections

    We can apply policy for VLAN Tags

    All your questions can be found in the 4.5 Administration Guide

    Kevin H


  • 4.  RE: SSLV and link aggregation

    Posted Jun 14, 2021 06:14 AM
    Thanks for the respnose.

     I have already gone through the admin guide. It does not mentions the creation of vlans on the box.

    Nor does it menitons how to create segment with LACP based connection on the Appliance.

    I am worried as how we would be able to create a inspection segment with 2 links(LACP bundle) as input link to the segment and 2 output links to the destination device.

           _________LACP link1__________
    FW |                                                      Switch
           _________LACP link2_________

    Please note fFW is not our inspection device for ssl traffic inspection. its just another device that is making LACP with switch.
    we wana deploy SSLV3800 inbetween those running links. Will SSL support this sort of deployment?.

    I know one  in/out (network) link is easy deployment which are reffered by guide. But doccumentatoin does not say any thing about double link with traffic being load balanced on both links. Can you refer does the product support such links in segment?.

    Also i saw in guide they mentioned passive tap mode has been removed in version 4.x and above. Is there any other option available if we dont wana go with passive inline mode of deployment?.


  • 5.  RE: SSLV and link aggregation

    Broadcom Employee
    Posted Jun 15, 2021 09:17 AM
    As mentioned earlier, the SSLV will recognize VLAN tags in a policy, you dont configure VLANs on the appliance. 

    The SSLV is a bump on the wire layer 2 device and acts like a transparent bridge with regards to LACP. LACP is passed through the device. 

    Kevin


  • 6.  RE: SSLV and link aggregation

    Posted Jun 16, 2021 01:58 AM
    Thanks kevin for responding.

    So you suggest i may create two segments  with
    LACP link 1 in segment 1 
    and LACP  link 2 in segment 2.

    Any suggestion on how SSLV will establish context and consider the two segment traffic as part of one talk happening on two links in loadbalancing manner?.


  • 7.  RE: SSLV and link aggregation

    Broadcom Employee
    Posted Jun 16, 2021 10:34 AM

    As Kevin pointed out the SSLV does not participate in the LACP negotiations. The SSLV would need to see all packets within a flow on a single segment, so splitting the links across 2 segments would not be ideal.

    That being said the way you would want to deploy this is with an Asymmetric segment. Be advised that this will only work with a maximum of 2 ports in the LACP group. Here is an example of a Passive Inline Asymmetric segment and be aware that the internal failure mechanism on the SSLV requires that the physical wire shares the same port pair.

           _______1__LACP link1__2_______
    FW               | SSLV PI_Asym |               Switch
           _______3__LACP link2_4_______




  • 8.  RE: SSLV and link aggregation

    Posted Jun 17, 2021 02:14 AM
    Thanks Sean and Kevin for clarifications. 

    I can understand the port paring has to be consistnat for the traffic flow for the device failure senario coverage.

    Regarding Asymantric, i found out that the asymantric sub mode of deployment will cover the load balancing part , however dont you think the asymantric sub mode is made to deal with the traffic flow senario in which there is network segmentation such that inbound traffic is on one link while the response/outbound is on another link?.


  • 9.  RE: SSLV and link aggregation

    Broadcom Employee
    Posted Jun 17, 2021 09:02 AM
    Sure, asymmetric segments will cover the scenario you mention, but it also covers other scenarios where all packets within a flow are not guaranteed to be on the same link. Since all packets within a flow are required to be seen on the same segment for proper detection and decryption, the asymmetric deployment is recommended.


  • 10.  RE: SSLV and link aggregation

    Posted Jun 23, 2021 02:02 AM
    Thanks Kevin & Sean for the clarifications. The discussion pretty much clears the query being put.

    Appricate your time and effort on that.

    I was trying to respond you earlier on this but was not able to login to braodcom support due to delayed login process casued by inability to receive the login confirmation password via email from broadcom.


  • 11.  RE: SSLV and link aggregation

    Posted Jul 07, 2022 09:55 AM
    HI, 
    How can i deploy SSVL on link aggregation on one segment or two segment on inline topology?

           _________LACP link1__________
    FW |                                                      Switch
           _________LACP link2_________


    Nicholas