Forum Discussion
SSL Layer2 bridge in F5
Hi, can I define an SSL bridge in layer 2 in a certain way? I need F5 to be inline: ingress traffic from the client side comes to F5, and F5 egresses this traffic with low ciphers without changing the layer 3 IP.
- Kevin_Stewart (Employee)
You can pass traffic through the BIG-IP, without changing layer 3 addresses, and without being in a layer 2 mode. The primary difference here is whether or not traffic routes through the F5, or the F5 is layer 2 transparent between routing devices.
To do layer 3 (routed) mode without changing the IP addresses,
- Create a wildcard VIP (0.0.0.0/0:443)
- Disable address translation in the VIP
- Don't use SNAT in the VIP
You can use a pool or simply define a gateway route. Your client-side route would then need to be the F5's client-side VLAN self-IP. So client-side traffic routes through the BIG-IP, and no addresses change.
It's also worth noting that a source address is always left untouched unless SNAT is applied. The above prevents changing the destination address.
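As an added example (not from the thread or F5's documentation), the routed setup above in bigip.conf format, loadable with `load sys config merge from-terminal`; VLAN names, interfaces, addresses and certificate names are placeholders:

```tmsh
# Client-facing and server-facing VLANs. The client's default route
# must point at the client-side self-IP (10.10.10.1, placeholder).
net vlan client_vlan { interfaces { 1.1 { } } }
net vlan server_vlan { interfaces { 1.2 { } } }
net self 10.10.10.1 { address 10.10.10.1/24 vlan client_vlan allow-service none }
net self 10.10.20.1 { address 10.10.20.1/24 vlan server_vlan allow-service none }

# Gateway route: with no pool on the virtual server, flows leave
# toward this next hop with their original destination address.
net route default { network default gw 10.10.20.254 }

# Optional SSL profiles if BIG-IP decrypts and re-encrypts. The
# cipher policy offered to servers lives on the server-ssl profile;
# the certificate here is a placeholder for the application's own.
ltm profile client-ssl inline_clientssl {
    defaults-from clientssl
    cert-key-chain { app { cert app.crt key app.key } }
}
ltm profile server-ssl inline_serverssl { defaults-from serverssl }

# Wildcard virtual on 443: keeps the destination (translate-address
# disabled) and the source (no SNAT), listening only on the client VLAN.
ltm virtual inline_443 {
    destination 0.0.0.0:443
    mask any
    ip-protocol tcp
    translate-address disabled
    translate-port disabled
    source-address-translation { type none }
    profiles {
        tcp { }
        inline_clientssl { context clientside }
        inline_serverssl { context serverside }
    }
    vlans { client_vlan }
    vlans-enabled
}
```

Verify with `show sys connection` that client and server addresses are unchanged on both sides of the flow.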
- Kevin_Stewart (Employee)
And if I want to create a layer 2 transparent setup between routing devices, how can I do that?
Sure, and you have a few options.
- You can use Transparent Nexthop in v13.0: https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-13-1-0/41.html
- You can use virtual wire on an i5800 series platform and above (v14.0) https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/big-ip-tmos-routing-administration-14-0-0/02.html
- Or you can use a combination VLAN group and nexthop command in an iRule.
In the first and third options, F5 is still a full proxy, but the nexthop allows it to mirror L2 headers on both sides. But perhaps the most robust option would be to deploy SSL Orchestrator, which would configure an L2 solution for you.
- Kevin_Stewart (Employee)
Virtual Wire doesn't work in a vCMP guest, so that option is out. So transparent nexthop is probably your best bet when you get to 13.0, and the above link shows you how to set it up with an inspection device in the middle. This also assumes that the F5 is doing explicit decryption and re-encryption, and can therefore manage the TLS properties on each side.
- Saravanan_M_K (Employee)
Hi Kevin,
Virtual Wire doesn't work in a vCMP guest
Is it still true with v14.1.0.2?
- Kevin_Stewart (Employee)
Yes. It’s less a function of the software version and more to do with the underlying hardware that supports vWire.
- spalande (Nacreous)
Kevin_Stewart - Is it possible to use Advanced WAF for TLS applications in a layer 2 deployment (with no self IP at all)? F5 is deployed inline at the edge to pass all traffic without any self IP.
Unfortunately, the documents are not clear on how this will work, as F5 needs to act as a proxy and should decrypt the traffic to use WAF, and also we would need to have an application-specific VIP and not a wildcard.
- Kevin_Stewart (Employee)
Yes. vWire essentially sits underneath a full proxy configuration to create layer 2 transparency. You would create a standard wildcard VIP with no address/port translation and no pool, then apply the vWire VLAN configuration. Add client/server SSL profiles if you need to handle encryption.
- spalande (Nacreous)
Thanks. We don't need to use transparent next hop? We have 3 different ISPs and want to select all of them for ingress and egress traffic. How can this be achieved?
I assume a wildcard VIP would have some risks to configure and maintain, and would be prone to some outages if mistakes are made in configuring it.
In my opinion we can configure app-specific VIPs with the destination the same as the application/server IP, and it would work as well.