
F5 BIG-IP SSL Orchestrator Layer 2 Services with rSeries & VELOS


Introduction

F5 rSeries & VELOS are rearchitected, next-generation hardware platforms that scale application delivery performance and automate application services to address many of today’s most critical business challenges. F5 rSeries & VELOS are key components of the F5 Application Delivery and Security Platform (ADSP).

rSeries & VELOS rely on a Kubernetes-based platform layer (F5OS) that is tightly integrated with F5 TMOS software. Going to a microservice-based platform layer allows rSeries & VELOS to provide additional functionality that was not possible in previous generations of F5 BIG-IP platforms. 

The introduction of a new tenant-based architecture changes many things, including how you configure BIG-IP. Some of these changes affect the network configuration for Inline Layer 2 Services. By default, BIG-IP tenants only have a small set of internal MAC addresses available to them. However, Layer 2 Services (or Bridging) require additional MAC addresses. You must assign an adequate number of MAC addresses to what is called a “MAC Pool”. A single Layer 2 Service requires two unique MAC addresses, so the MAC Pool must hold enough MAC addresses for the number of Layer 2 Services you need.

The following KB articles contain additional information on configuring MAC Pools on a BIG-IP rSeries or VELOS platform:

K000133655: MAC address assignment in VELOS and rSeries systems

K000135389: Configure the MAC Block Size for an existing BIG-IP tenant on the VELOS and rSeries systems

 

F5OS Configuration

Let’s review the Network configuration on F5OS for a BIG-IP Tenant.  From Network Settings select VLANs.

Here you can see I have 6 Interfaces configured with VLANs: a Lan VLAN for connectivity from the internal network to the BIG-IP, a Wan VLAN for connectivity from the BIG-IP to the internet, and 4 “L2” VLANs configured to support two Inline Layer 2 Services with SSL Orchestrator.

From the Interfaces screen you can associate the VLANs with the physical Interfaces.

Next, allocate the VLANs to your BIG-IP Tenant.  This is also where you configure the MAC Pool Size for your current BIG-IP Tenant.  The MAC Pool can only be changed when the Tenant is not running.

From Tenant Management > Tenant Deployments, you can stop the current Tenant if it is already running.  Do this with caution during a change window or prior to deployment.  Check the box next to the name of the Tenant you wish to configure, “big-ip-kevin” in this example.  Then click Configure.

Click OK to stop the Tenant

When it’s stopped click the name of the Tenant to edit the configuration.

Note the VLANs that are allocated to this BIG-IP Tenant:

Find the section on MAC Data/MAC Block Size.  Set the allocation to Small (8), Medium (16), or Large (32) depending upon your needs.

I set mine to Medium.  A Small allocation would be sufficient for this deployment but I want to leave room to add more Layer 2 Services in the future.

Click Save & Close

Click OK to update the configuration

You can Deploy the Tenant now that the changes have been made

Click OK to Deploy
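
The sizing rule from the introduction (two unique MAC addresses per Layer 2 Service) and the constraints in the steps above can be checked before the change window. The following Python script is an added example, not F5 code or F5OS API output; the planning-record layout, the function names and the L2 VLAN names are assumptions, and it counts only the two MAC addresses per service stated in this article.

```python
# Added example: pre-change check for a tenant's MAC block size and L2 VLANs.
# The dict layout is a constructed planning record, not F5OS API output.
MAC_BLOCK_SIZES = {"small": 8, "medium": 16, "large": 32}  # sizes from the article
MACS_PER_L2_SERVICE = 2  # "A single Layer 2 Service requires two unique MAC addresses"


def smallest_block_for(service_count):
    """Smallest named block size covering service_count services, else None."""
    needed = service_count * MACS_PER_L2_SERVICE
    for name, size in sorted(MAC_BLOCK_SIZES.items(), key=lambda kv: kv[1]):
        if size >= needed:
            return name
    return None


def check_plan(tenant, services):
    """Return the problems that would block the planned Layer 2 Services."""
    problems, used_by = [], {}
    for svc in services:
        for vlan in svc["vlans"]:
            if vlan not in tenant["vlans"]:
                problems.append(f"{svc['name']}: VLAN {vlan} is not allocated to the tenant")
            if vlan in used_by:
                problems.append(f"{svc['name']}: VLAN {vlan} is already used by {used_by[vlan]}")
            used_by[vlan] = svc["name"]
    needed = len(services) * MACS_PER_L2_SERVICE
    have = MAC_BLOCK_SIZES[tenant["mac_block_size"]]
    if have < needed:
        target = smallest_block_for(len(services))
        if target is None:
            problems.append(f"{needed} MACs needed, more than the largest block size")
        else:
            problems.append(f"MAC pool has {have}, {needed} needed: set block size to {target}")
            if tenant["state"] == "running":
                # The MAC Pool can only be changed when the tenant is not running.
                problems.append("stop the tenant before changing the MAC block size")
    return problems


# Constructed sample mirroring the article: Lan, Wan and four L2 VLANs (names assumed).
TENANT = {"name": "big-ip-kevin", "state": "running", "mac_block_size": "medium",
          "vlans": ["Lan", "Wan", "L2-A-in", "L2-A-out", "L2-B-in", "L2-B-out"]}
SERVICES = [{"name": "l2-svc-a", "vlans": ["L2-A-in", "L2-A-out"]},
            {"name": "l2-svc-b", "vlans": ["L2-B-in", "L2-B-out"]}]

if __name__ == "__main__":
    for line in check_plan(TENANT, SERVICES) or ["plan fits the current tenant configuration"]:
        print(line)
```

An empty result means the planned services fit the tenant as configured; any MAC pool finding on a running tenant also reports that the tenant has to be stopped first.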

 

F5 BIG-IP Configuration

Minimal configuration is needed on the BIG-IP since F5OS handles the underlying physical interfaces and VLANs.

Check the status of the VLANs from Network > VLANs.  From here we can see the VLAN configuration from F5OS is reflected in the BIG-IP.

Define any Self IPs from Network > Self IPs

Now we’re ready to configure SSL Orchestrator.  In the interest of time, I will skip to the Network and Services configuration.

From Services List click Add Service

Double-click on Generic Inline Layer 2

Under Network Configuration click Add

Select the L2 VLANs for this Inline L2 Service.  Click Done.

Click Add again and select the L2 VLANs for this Inline L2 Service.  Click Done.

It should look like the following:

Click Save at the bottom

For the Interception Rule select the Lan VLAN under Ingress Network and move it to the right.

Click Save & Next at the bottom

The Network configuration is now complete. SSL Orchestrator is configured with a Generic Inline Layer 2 Service that contains two Layer 2 “servers”.

 

Conclusion

F5 rSeries & VELOS are hardware platforms that scale application delivery performance and automate application services to address many of today’s most critical business challenges. They are key components of the F5 Application Delivery and Security Platform (ADSP).

In this article, you learned how to configure MAC Pools on rSeries and VELOS in order to create Layer 2 Inline Services with SSL Orchestrator.

 

Related Content

K000133655: MAC address assignment in VELOS and rSeries systems

K000135389: Configure the MAC Block Size for an existing BIG-IP tenant on the VELOS and rSeries systems

SSL Orchestrator CloudDocs: Creating an Inline Layer 2 Service

F5 rSeries: Next-Generation Fully Automatable Hardware

F5 VELOS: A Next-Generation Fully Automatable Platform

Published Dec 18, 2025
Version 1.0