Forum Discussion
Tabish_Mirza_12
Nimbostratus
As per my knowledge, the X-Forwarded-For method only works for HTTP & SMTP traffic. It won't work for HTTPS traffic. As you said, we can use the same IP subnets on both interfaces (external & internal) of the BIG-IP if we are deploying in Inline-Routed Mode. What are the pros & cons of using the BIG-IP with the same IP subnets or different ones?
Jason_40733
Oct 07, 2013
Cirrocumulus
You are correct if you're not terminating the SSL with the F5. However, if the F5 terminates the SSL connection from the client, it can insert the XFF header.
This solution document gives some specifics. http://support.f5.com/kb/en-us/solutions/public/4000/800/sol4816.html
There are no set pros or cons of keeping the F5 in the same subnet. It all depends on your specific environment. Since the web servers are already in the DMZ in this case, it saves IPs, subnets and VLANs to have it in the same subnet doing the inline. Simpler config, fewer problems is my standard goal. Other people may have more information, but this has worked well for us over many years. No problems thus far.
Keep in mind, the F5 doesn't treat traffic any differently when it sends it out on the wire. An IP is an IP and an interface is an interface to the F5.
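An added example, not part of the original posts: once the BIG-IP terminates SSL and inserts X-Forwarded-For, the backend should accept that header only on connections that come from the BIG-IP, and read it right to left so that entries supplied by the client are not believed. The proxy address, the sample addresses and the function name `client_ip` are assumptions made for illustration.

```python
import ipaddress

# Assumption: the address the backend sees the BIG-IP connect from (constructed value).
TRUSTED_PROXIES = [ipaddress.ip_network("192.0.2.10/32")]


def _is_trusted(addr, trusted):
    return any(addr in net for net in trusted)


def client_ip(peer, xff_values, trusted=TRUSTED_PROXIES):
    """Return the address to log or apply access rules to.

    peer       -- TCP peer address of the connection reaching the backend
    xff_values -- every X-Forwarded-For header value received, in order
    """
    peer_addr = ipaddress.ip_address(peer)

    # A connection that did not come from the proxy cannot vouch for the
    # header; the same result applies when SSL is passed through
    # unterminated and no header could be inserted.
    if not _is_trusted(peer_addr, trusted):
        return str(peer_addr)

    # Several header lines and comma-separated lists are equivalent.
    hops = []
    for value in xff_values:
        hops.extend(part.strip() for part in value.split(",") if part.strip())

    # The entry added by the trusted proxy is the rightmost one; anything
    # to its left was supplied by the client and may be forged.
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer_addr)  # malformed entry: fall back to the peer
        if not _is_trusted(addr, trusted):
            return str(addr)

    return str(peer_addr)
```
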