Forum Discussion

igorzhuk's avatar
igorzhuk
Icon for Altostratus rankAltostratus
Oct 10, 2018

SSL Layer2 bridge in F5

Hi Can I define in a certain way SSL bridge in layer2 I need f5 to be inline traffic and ingress traffic from client side come to f5 and f5 egress this traffic with low ciphers without change Layer3 IP?

 

  • You can pass traffic through the BIG-IP, without changing layer 3 addresses, and without being in a layer 2 mode. The primary difference here is whether or not traffic routes through the F5, or the F5 is layer 2 transparent between routing devices.

     

    To do layer 3 (routed) mode without changing the IP addresses,

     

    • Create a wildcard VIP (0.0.0.0/0:443)
    • Disable address translation in the VIP
    • Don't use SNAT in the VIP

    You can use a pool or simply define a gateway route. Your client-side route would then need to be the F5's client-side VLAN self-IP. So client-side traffic routes through the BIG-IP, and no addresses change.

     

    It's also worth noting that a source address is always left untouched unless SNAT is applied. The above prevents changing the destination address.

     

  • And if i want to create a layer2 transparent between routing devices how i can do that ?

     

    Sure, and you have a few options.

     

    In the first and third options, F5 is still a full proxy, but the nexthop allows it to mirror L2 headers on both sides. But perhaps the most robust option would be to deploy SSL Orchestrator, which would configure and L2 solution for you.

     

  • Virtual Wire doesn't work in a vCMP guest, so that option is out. So transparent nexthop is probably you're best bet when you get to 13.0, and the above link shows you how to set it up with an inspection device in the middle. This also assumes that the F5 is doing explicit decryption and re-encryption, and can therefore manage the TLS properties on each side.

     

  • Hi Kevin,

     

    Virtual Wire doesn't work in a vCMP guest

     

    Is it still true with v14.1.0.2?

     

  • Yes. It’s less a function of the software version and more to do with the underlying hardware that supports vWire.

     

  • Kevin_Stewart - Is this possible to use advanced WAF for TLS applications for layer 2 deployment (with no selfIP at all)? F5 is deployment at edge inline to pass all traffic without any selfIP. 

    Unfortunately, documents are not clear on how this will work as F5 needs to act as a proxy and should decrypt the traffic to use WAF, and also we would need to have application specific VIP and not wildcard

      • spalande's avatar
        spalande
        Icon for Nacreous rankNacreous

        Thanks. we don't need to use transparent next hop?  We have 3 diff ISPs and want to select all of them for ingress and egress traffic. How this can be achieved?

        I assume wildcard VIP would have some risks to configure, maintain and would be prone to some outages if mistakes are done in configuring. 

        In my opinion we can configure app specific VIPs with destination same as application/server IP and would work as well.