F5 is upgrading its customer support chat feature on My.F5.com. Chat support will be unavailable from 6am-10am PST on 1/20/26. Refer to K000159584 for details.

Forum Discussion

rosbor1_185584's avatar
rosbor1_185584
Icon for Nimbostratus rankNimbostratus
Mar 03, 2017

F5-LTM 11.5.4 mac-masquerade

I have 2ea BIG-IP F5 vCMPs in an HA setup running version 11.5.4. The F5 is in routed mode where the server farms behind it are on different network segments/vlans with their default gateway residing on the F5 itself. The security folks want to mitigate a man-in-the-middle attack by setting up mac-masquerading but I think this will do more harm than good. If the masqueraded mac is on the traffic group now all vlans have the same mac-address and if that mac is compromised the attack surface is larger now than when each vlan had it's own unique mac (without mac masquerade). I understand that mac masquerade is good for arp/failover reasons, but I don't believe it is a man-in-the-middle preventative measure? Any guidance would assist us in our design.

 

LTM
security

1 Reply

  • Hannes_Rapp's avatar
    Hannes_Rapp
    Icon for Nimbostratus rankNimbostratus
    Mar 03, 2017

    I see no obvious security advantages of using MAC Masquerade either. Perhaps they want it to reduce L2 noise instead? When Masquerade is used, multiple originating BigIP (L2 Server-Side) MAC addresses will be contracted to just one. This adds to clarity on the wire as a BigIP middle-ware device is easily distinguishable from the other addresses, possible clients. To some extent, this will contribute to ease of sniffing, monitoring/surveillance. As a security enhancement, I don't buy the idea. As a security enhancement through added clarity, it might be a valid thing to ask for.