For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

igorzhuk's avatar
igorzhuk
Icon for Altostratus rankAltostratus
Oct 10, 2018

SSL Layer2 bridge in F5

Hi Can I define in a certain way SSL bridge in layer2 I need f5 to be inline traffic and ingress traffic from client side come to f5 and f5 egress this traffic with low ciphers without change Layer...
application delivery
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 10, 2018

You can pass traffic through the BIG-IP, without changing layer 3 addresses, and without being in a layer 2 mode. The primary difference here is whether or not traffic routes through the F5, or the F5 is layer 2 transparent between routing devices.

 

To do layer 3 (routed) mode without changing the IP addresses,

 

  • Create a wildcard VIP (0.0.0.0/0:443)
  • Disable address translation in the VIP
  • Don't use SNAT in the VIP

You can use a pool or simply define a gateway route. Your client-side route would then need to be the F5's client-side VLAN self-IP. So client-side traffic routes through the BIG-IP, and no addresses change.

 

It's also worth noting that a source address is always left untouched unless SNAT is applied. The above prevents changing the destination address.