Forum Discussion

Altostratus

Oct 10, 2018

SSL Layer2 bridge in F5

Hi Can I define in a certain way SSL bridge in layer2 I need f5 to be inline traffic and ingress traffic from client side come to f5 and f5 egress this traffic with low ciphers without change Layer...

application delivery

LTM

spalande

Nacreous

Oct 20, 2022

Kevin_Stewart - Is this possible to use advanced WAF for TLS applications for layer 2 deployment (with no selfIP at all)? F5 is deployment at edge inline to pass all traffic without any selfIP.

Unfortunately, documents are not clear on how this will work as F5 needs to act as a proxy and should decrypt the traffic to use WAF, and also we would need to have application specific VIP and not wildcard

Kevin_Stewart

Employee

Oct 20, 2022

Yes. vWire essentially sits underneath a fully proxy configuration to create layer 2 transparency. You would create a standard wildcard VIP with no address/port translation and no pool, then apply the vWire VLAN configuration. Add client/server SSL profiles if you need to handle encryption.

https://community.f5.com/t5/technical-articles/virtual-wire-configuration-and-troubleshooting/ta-p/291263

spalande
Nacreous
Oct 22, 2022
Thanks. we don't need to use transparent next hop? We have 3 diff ISPs and want to select all of them for ingress and egress traffic. How this can be achieved?

I assume wildcard VIP would have some risks to configure, maintain and would be prone to some outages if mistakes are done in configuring.

In my opinion we can configure app specific VIPs with destination same as application/server IP and would work as well.
- Kevin_Stewart
  Employee
  Oct 24, 2022
  Transparent and virtual wire are two different solutions to the same problem. BIG-IP is indeed a full proxy, so to perform layer 2 "bump-in-the-wire" processing, either of the two techniques is essentially used to copy the layer 2 headers from one side of the proxy to the other. Inside the proxy, above layer 2, you can still do TLS termination. The only things you really should not do in a layer 2 configuration is IP and port translation. So basically, you create a wildcard virtual server (0.0.0.0/0) with address and port translation disables, no pool, no SNAT, and apply a virtual wire VLAN group to that virtual server. You can, however, apply a source, destination, and/or port value to the virtual server, as these will act as filters for the traffic (vs. a termination point). So a virtual wire VIP with a source of 192.168.0.0/16, for example, would only accept traffic coming from that IP range.

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

SSL Layer2 bridge in F5

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

CPU load when Prometheus is scraping metrics from F5 BIG-IP LTM

Problem with sending BotDefense logs to remote server

ASM/AWAF declarative policy

Managing iRules configuration

Changes to DO and AS3 GitHub - no longer monitored

Related Content

SSL Bridging verification

Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)

SSL bridging without SSL proxy forward

F5 LTM SSL Bridging - send decrypted traffic to clone pool

SSL Profiles Part 6: SSL Renegotiation

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS