Hi
Can I define in a certain way SSL bridge in layer2
I need f5 to be inline traffic and ingress traffic from client side come to f5 and f5 egress this traffic with low ciphers without change Layer3 IP?
You can pass traffic through the BIG-IP, without changing layer 3 addresses, and without being in a layer 2 mode. The primary difference here is whether or not traffic routes through the F5, or the F5 is layer 2 transparent between routing devices.
To do layer 3 (routed) mode without changing the IP addresses,
Create a wildcard VIP (0.0.0.0/0:443)
Disable address translation in the VIP
Don't use SNAT in the VIP
You can use a pool or simply define a gateway route. Your client-side route would then need to be the F5's client-side VLAN self-IP. So client-side traffic routes through the BIG-IP, and no addresses change.
It's also worth noting that a source address is always left untouched unless SNAT is applied. The above prevents changing the destination address.
Or you can use a combination VLAN group and nexthop command in an iRule.
In the first and third options, F5 is still a full proxy, but the nexthop allows it to mirror L2 headers on both sides. But perhaps the most robust option would be to deploy SSL Orchestrator, which would configure and L2 solution for you.
Virtual Wire doesn't work in a vCMP guest, so that option is out. So transparent nexthop is probably you're best bet when you get to 13.0, and the above link shows you how to set it up with an inspection device in the middle. This also assumes that the F5 is doing explicit decryption and re-encryption, and can therefore manage the TLS properties on each side.
@Kevin_Stewart - Is this possible to use advanced WAF for TLS applications for layer 2 deployment (with no selfIP at all)? F5 is deployment at edge inline to pass all traffic without any selfIP.
Unfortunately, documents are not clear on how this will work as F5 needs to act as a proxy and should decrypt the traffic to use WAF, and also we would need to have application specific VIP and not wildcard
Yes. vWire essentially sits underneath a fully proxy configuration to create layer 2 transparency. You would create a standard wildcard VIP with no address/port translation and no pool, then apply the vWire VLAN configuration. Add client/server SSL profiles if you need to handle encryption.
Thanks. we don't need to use transparent next hop? We have 3 diff ISPs and want to select all of them for ingress and egress traffic. How this can be achieved?
I assume wildcard VIP would have some risks to configure, maintain and would be prone to some outages if mistakes are done in configuring.
In my opinion we can configure app specific VIPs with destination same as application/server IP and would work as well.
Transparent and virtual wire are two different solutions to the same problem. BIG-IP is indeed a full proxy, so to perform layer 2 "bump-in-the-wire" processing, either of the two techniques is essentially used to copy the layer 2 headers from one side of the proxy to the other. Inside the proxy, above layer 2, you can still do TLS termination. The only things you really should not do in a layer 2 configuration is IP and port translation. So basically, you create a wildcard virtual server (0.0.0.0/0) with address and port translation disables, no pool, no SNAT, and apply a virtual wire VLAN group to that virtual server. You can, however, apply a source, destination, and/or port value to the virtual server, as these will act as filters for the traffic (vs. a termination point). So a virtual wire VIP with a source of 192.168.0.0/16, for example, would only accept traffic coming from that IP range.
