SSLi question for Dynamic Port Intercept with Single-appliance architecture.

kwitaeh

Hi experts,

For dynamic port intercept, I know that I have to configure two vlans between the two adc's.

But when I deploy it with single appliance(using ADP), I couldn't configure same vlans with below error message.
"This VLAN or Port is owned by another partition."

Anyone can give me some idea or concept for the deployment?

diederik

It's not possible to re-use VLAN's within different ADP's.

So, when doing this on a single ADC within different ADP's, you have to use different VLAN's.
Something in between the ADP's needs to alter the VLAN's used.

Your config tell the ADC how to recognise what VLAN transports what kind of traffic, so you are completely free to select these.

dshin

We have simplified/detailed configuration sample based on a single-box solution and it can be downloaded from our DG site: https://www.a10networks.com/sites/default/files/A10-DG-16153-EN.pdf. This is based on 4.0.1 SP9 so make sure you have this build loaded on your A10 box.

kwitaeh

Thank you for your reply.

If a security device located between ADP's works L2 mode only(like a bridge), should i need to use two box?

dshin

Two box deployment for L2 mode is not required. This is an option to the customer. With SSli, you have the option to deploy the solution on a single-box solution using ADPs or you can deploy them in multiple A10 devices.

Genard

kwitaeh

Thank you Genard,

I don't have a idea how to deploy single-box for dynamic port intercept with L2 security device, because it is necessary to configure multiple tagged vlans for dynamic port intercept.

Two ADP's must have different vlans.

Could you give me your detailed idea?


Clients ---- ADP1 ---- L2 firewall ----- ADP2 ----- Router---- Internet

dshin

From your requirements on a single box appliance to support Dynamic Port Intercept(DPI), this capability will be available in later release. For now this option is not supported.