Using the F5 as a L2 pass-thru or as a L3?

Question

Curious to hear the opinions of using the F5 as a Layer 2 pass thru instead of using it as a dedicated Layer 3 device.  Networks and LTMs should be fast enough to pass through the traffic without any problem but what are the caveats?&nbsp;
 &nbsp;
Im in a scenario where we may change our network architecture to everything (meaning all vlans) behind an ASA and only route the VS subnet to the LTMs.  This will give the ability for a cleaner N-Tier architecture design.  We are currently having the problem of "too many hands in the pot" syndrome and all of them are not using the vlan allow access list and this is causing too many security zones to speak to each other when they are in separate zones.&nbsp;

what_lies_bene1 · Answer

Hey Eric, the design you describe in your first paragraph doesn't seem to tally with the second paragraph. Could you clarify/be more explicit on what the intended design is please?

eric_radhik_123 · Answer

Our network infrastructure utilizes L3 interfaces in 3 different methods:&nbsp;
&nbsp;
1. L3 interface on the ASA (Vlan X)&nbsp;
&nbsp;
2. L3 interface as an SVI on a distribution switch (Vlan Y)&nbsp;
&nbsp;
3. L3 interface (self-IP/ Vlan Z) on the LTM  (which was the de facto standard for use of LTMs awhile back...)&nbsp;
&nbsp;
My intent/goal is to remove all L3/vlan interfaces off of the LTM and migrate them to the ASA.  (Layer 2 pass thru routing).  I wanted to inquire if anyone has performed this method?  Or are there any caveats to this architecture design?&nbsp;
 &nbsp;
Thank you for inquiring further and I hope this new info will keep the dialogue going...&nbsp;

what_lies_bene1 · Answer

As in most cases as LTM is an endpoint in IP communications (a proxy) I doubt this is feasible. However, that will depend on the type of Virtual Servers you require. If all you need is Layer 2 forwarding then this might work, otherwise, this is not a workable design. 
&nbsp;  
&nbsp; You could of course remove the SVI without issue as long as you plan appropriately. 
&nbsp;  
&nbsp; You also seem to be suggesting you have three VLANs in play (X, Y and Z); one would suffice.

Forum Discussion

Using the F5 as a L2 pass-thru or as a L3?

3 Replies

Recent Discussions

Geo Fence in ASM through irule for URI

Client certificate Authentication - open multiple tabs

google autenticator broken barcode

Chrome V 124+ on MacOS - Virtual Server Access Issue

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Related Content

SSL Orchestrator Advanced Use Cases: Detecting Generative AI

SSL Orchestrator Advanced Use Cases: DNS Sinkholing

SSLO in public cloud: Azure inbound L3 use case

Using ChatGPT for security and introduction of AI security

How to Secure GraphQL APIs using F5 NGINX