Packet Basis VS Full Proxy With F5 BIG-IP and Cisco ISE integration

Integrating an ISE Cluster with F5 BIG-IP Load Balancer where the PAN and MnT Nodes are located in one segment and the PSNs nodes in another segment, let’s say the PAN/MnT in the external Network while the PSNs in the internal network from the BIG-IP ‘s perspective, provides a challenge.

The F5 BIG-IP has a reputation of the one of the best Load Balancer solution in the market, to performs an intelligence load balancing to the backend servers, it operates as Full Proxy, what does it mean?, full proxy technically is the possibility for the BIG-IP to split a TCP connection into two TCP connection.

In the Client-side connection, the user initiates a TCP 3 way handshake with the BIG-IP (it acts as a server) and the BIG-IP (it acts as a client) initiates a TCP 3 way handshake with the backend servers. this is what what we call “Full Proxy”, this is the opposite to the Packet based solution which is similar to our Router/Firewall. Packet based designs have a single TCP/IP connection between client and server. The Router basically forwards the packet based on the Destination IP of the server. In other words there is a direct connection between the client and the server.

In the BIG-IP language, the concept of Virtual Server Type Standard is the object that performs the Full Proxy process.

But what if we have a need of Packet Based solution with a BIG-IP in our design?

Let’s take an example in this topology, we have two PAN nodes and two MnT nodes located in the external segment, and two PSNs located in the internal segment.

The first purpose by putting the PSNs behind the BIG-IP is to ensure intelligent load balancing for Radius 802.1X authentication, this is done by using a virtual server Type “Standard”. Therefore the NAD or the switch should sent the Radius request to Virtual Server instead to the ISE (PSNs in this case).

But for the the communication between the ISE nodes (PAN/MnT and PSNs), it should not be load balanced, instead this traffic should be direct and the TCP connection should not be splitted, but the BIG-IP blocks all traffic that does not match any explicit virtual server.

For direct communications between PAN/MnT and PSNs, the virtual server Type Standard is not the solution, as mentioned previously this type of virtual server is used for load balancing to the backend servers.

Here comes the Virtual Server Type “Forwarding IP” for help, the idea for this Type of virtual server is to perfoms the Packet Based for the BIG-IP, in other words, for some traffic, you play a role of router, you have to route the packet based on the destination IP.

Finally there are two key points in this design:

1-The BIG-IP plays a role of Full Proxy to load balance the Radius Packet (802.1X based authentication) to the PSNs. This is done by using a Virtual Server called “Standard”.

2-The BIG-IP plays a role of router to route and to forward the packet coming from PAN/MnT to PSN and vice versa.This is done by using a Virtual Server Called “Forwarding IP”

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s