Forum Discussion
SSL Layer2 bridge in F5
Kevin_Stewart - Is it possible to use Advanced WAF for TLS applications in a layer 2 deployment (with no self IP at all)? The F5 is deployed at the edge, inline, to pass all traffic without any self IP.
Unfortunately, the documents are not clear on how this will work, as the F5 needs to act as a proxy and decrypt the traffic to use the WAF, and we would also need application-specific VIPs rather than a wildcard.
- Kevin_Stewart, Oct 20, 2022 (Employee)
Yes. vWire essentially sits underneath a full proxy configuration to create layer 2 transparency. You would create a standard wildcard VIP with no address/port translation and no pool, then apply the vWire VLAN configuration. Add client/server SSL profiles if you need to handle encryption.
- spalande, Oct 22, 2022 (Nacreous)
Thanks. We don't need to use transparent next hop? We have 3 different ISPs and want to select all of them for ingress and egress traffic. How can this be achieved?
I assume a wildcard VIP would carry some risk to configure and maintain, and would be prone to outages if mistakes are made in configuring it.
In my opinion we can configure app-specific VIPs with the destination set to the application/server IP, and that would work as well.
- Kevin_Stewart, Oct 24, 2022 (Employee)
Transparent and virtual wire are two different solutions to the same problem. BIG-IP is indeed a full proxy, so to perform layer 2 "bump-in-the-wire" processing, either of the two techniques is essentially used to copy the layer 2 headers from one side of the proxy to the other. Inside the proxy, above layer 2, you can still do TLS termination. The only things you really should not do in a layer 2 configuration are IP and port translation. So basically, you create a wildcard virtual server (0.0.0.0/0) with address and port translation disabled, no pool, no SNAT, and apply a virtual wire VLAN group to that virtual server. You can, however, apply a source, destination, and/or port value to the virtual server, as these will act as filters for the traffic (vs. a termination point). So a virtual wire VIP with a source of 192.168.0.0/16, for example, would only accept traffic coming from that IP range.
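The configuration Kevin_Stewart describes in his two replies (a wildcard virtual server with translation disabled, no pool, no SNAT, a virtual wire VLAN group attached, and client/server SSL profiles for decryption), written out as tmsh commands. This is an added illustration, not part of the original thread and not F5's own documentation: the interface numbers, VLAN, VLAN group, profile and object names (1.1, 1.2, VW_LAN, VW_WAN, VW_GROUP, app_clientssl, app_serverssl, VS_vwire_app), the certificate and key object names, and the 192.168.0.0/16 source filter are all constructed for the example, and it assumes a BIG-IP release that supports virtual wire VLAN groups. Attaching the Advanced WAF policy itself is not shown; it is attached to this virtual server as it would be to any other HTTP virtual server.

```tmsh
# Added example, not from the thread. Object names and interfaces are assumptions.

# 1. One VLAN per side of the wire (untagged here; adjust to your tagging).
create net vlan VW_LAN interfaces add { 1.1 { untagged } }
create net vlan VW_WAN interfaces add { 1.2 { untagged } }

# 2. Bind the two VLANs into a virtual wire VLAN group. No self IP is created.
create net vlan-group VW_GROUP members add { VW_LAN VW_WAN } mode virtual-wire

# 3. SSL profiles so the proxy can decrypt and re-encrypt for the WAF.
#    The client-side profile must carry the application's own cert/key
#    (assumed already imported as app_example_com.crt / .key).
create ltm profile client-ssl app_clientssl defaults-from clientssl \
    cert-key-chain add { default { cert app_example_com.crt key app_example_com.key } }
create ltm profile server-ssl app_serverssl defaults-from serverssl

# 4. Wildcard standard virtual server restricted to the virtual wire group.
#    What makes it layer 2 transparent:
#      - destination 0.0.0.0:any, mask any   (wildcard, not a termination address)
#      - translate-address disabled           (no destination NAT)
#      - translate-port disabled              (no port translation)
#      - no pool, source-address-translation none (no SNAT)
#      - vlans-enabled + vlans add { VW_GROUP }   (only the wire group feeds it)
#    The "source" value is a filter, as in the reply above: only traffic from
#    192.168.0.0/16 is accepted by this virtual server; everything else is not
#    matched by it. Use 0.0.0.0/0 if you want to accept all sources.
create ltm virtual VS_vwire_app \
    destination 0.0.0.0:any mask any \
    source 192.168.0.0/16 \
    ip-protocol tcp \
    translate-address disabled \
    translate-port disabled \
    source-address-translation { type none } \
    vlans-enabled vlans add { VW_GROUP } \
    profiles add { tcp { } http { } app_clientssl { context clientside } app_serverssl { context serverside } }

# Check: confirm no pool, no SNAT and no translation before attaching the WAF policy.
list ltm virtual VS_vwire_app
save sys config
```

If you instead want per-application virtual servers (as spalande suggests), keep everything above the same and narrow the `destination` to the application's real IP and port (for example `destination 203.0.113.10:443`), still with translation disabled and no pool; the destination then acts as another filter rather than a terminating address. Adding a pool or enabling address or port translation on a virtual wire virtual server is the misconfiguration to watch for, since it turns the bump-in-the-wire back into a routed proxy that has no self IP to route from.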