Forum Discussion

igorzhuk's avatar
igorzhuk
Icon for Altostratus rankAltostratus
Oct 10, 2018

SSL Layer2 bridge in F5

Hi Can I define in a certain way SSL bridge in layer2 I need f5 to be inline traffic and ingress traffic from client side come to f5 and f5 egress this traffic with low ciphers without change Layer...
application delivery
LTM
Kevin_Stewart's avatar
Kevin_Stewart
Icon for Employee rankEmployee
Oct 10, 2018

You can pass traffic through the BIG-IP, without changing layer 3 addresses, and without being in a layer 2 mode. The primary difference here is whether or not traffic routes through the F5, or the F5 is layer 2 transparent between routing devices.

 

To do layer 3 (routed) mode without changing the IP addresses,

 

  • Create a wildcard VIP (0.0.0.0/0:443)
  • Disable address translation in the VIP
  • Don't use SNAT in the VIP

You can use a pool or simply define a gateway route. Your client-side route would then need to be the F5's client-side VLAN self-IP. So client-side traffic routes through the BIG-IP, and no addresses change.

 

It's also worth noting that a source address is always left untouched unless SNAT is applied. The above prevents changing the destination address.