F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP LTM
  4. BIG-IP TMOS: Tunneling and IPsec
  5. Securing EtherIP Tunnel Traffic with IPsec
Manual Chapter : Securing EtherIP Tunnel Traffic with IPsec

Applies To:

Show Versions Show Versions

BIG-IP APM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP LTM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1

BIG-IP AFM

  • 11.6.5, 11.6.4, 11.6.3, 11.6.2, 11.6.1
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Overview: Securing EtherIP tunnel traffic with IPsec

You can use the IPsec protocol to secure EtherIP tunnel traffic that is undergoing live migration across a wide area network (WAN) using VMware vMotion. The EtherIP tunnel preserves any existing connections between the BIG-IP system and a virtual machine while the virtual machine migrates to another data center. Adding IPsec to this configuration involves adding an IPsec traffic selector on each side of the IPsec tunnel. Those traffic selectors have the same source and destination IP addresses as the EtherIP tunnel.

Important: Perform these tasks on the BIG-IP system in both the local data center and the remote data center.

Task List

Creating a VLAN

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with that VLAN.

  1. On the Main tab, click Network > VLANs. The VLAN List screen opens.
  2. Click Create. The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, from 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag. The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. From the Customer Tag list:
    1. Retain the default value of None or select Specify.
    2. If you chose Specify in the previous step, type a numeric tag, from 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the Interfaces setting:
    1. From the Interface list, select an interface number.
    2. From the Tagging list, select Tagged or Untagged. Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. If you specified a numeric value for the Customer Tag setting and from the Tagging list you selected Tagged, then from the Tag Mode list, select a value.
    4. Click Add.
    5. Repeat these steps for each interface that you want to assign to the VLAN.
  7. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  8. In the MTU field, retain the default number of bytes (1500).
  9. From the Configuration list, select Advanced.
  10. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe check box.
  11. From the Auto Last Hop list, select a value.
  12. From the CMP Hash list, select a value.
  13. To enable the DAG Round Robin setting, select the check box.
  14. Configure the sFlow settings or retain the default values.
  15. Click Finished. The screen refreshes, and displays the new VLAN in the list.

Creating an EtherIP tunnel object

Before you perform this task, you must know the self IP address of the instance of the VLAN that exists, or will exist, on the BIG-IP system in the other data center.
The purpose of an EtherIP tunnel that contains an EtherIP type of profile is to enable the BIG-IP system to preserve any current connections to a server that is using VMware vMotion for migration to another data center.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create. The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select etherip.
  4. In the Local Address field, type the self IP address of the local BIG-IP system.
  5. In the Remote Address field, type the self IP address of the remote BIG-IP system.
  6. Click Finished.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click Network > VLANs > VLAN Groups. The VLAN Groups list screen opens.
  2. Click Create. The New VLAN Group screen opens.
  3. In then Name field, type a unique name for the VLAN group.
  4. For the VLANs setting, select the EtherIP tunnel that you created (which appears in the VLAN list) and the VLAN that connects to the host where the VMs exist, and using the Move button (<<), move your selections from the Available list to the Members list.
  5. From the Transparency Mode list, select Transparent.
  6. Select the Bridge All Traffic check box if you want the VLAN group to forward all frames, including non-IP traffic. The default setting is disabled (not selected).
  7. Retain the Bridge in Standby check box selection if you want the VLAN group to forward frames, even when the system is the standby unit of a redundant system.
  8. Click Finished.

Creating a self IP address

Before you create a self IP address, ensure that you have created a VLAN that you can associate with the self IP address.

A self IP address enables the BIG-IP system and other devices on the network to route application traffic through the associated VLAN or VLAN group.

  1. On the Main tab, click Network > Self IPs.
  2. Click Create. The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type an IPv4 or IPv6 address. This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
  5. In the Netmask field, type the full network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  7. From the Port Lockdown list, select Allow Default.
  8. Click Finished. The screen refreshes, and displays the new self IP address.
After you perform this task, the BIG-IP system can send and receive traffic through the specified VLAN or VLAN group.

Creating a self IP for a VLAN group

Before you create a self IP address, ensure that you have created at least one VLAN group.
You perform this task to create a self IP address for a VLAN group. The self IP address for the VLAN group provides a route for packets destined for the network. With the BIG-IP system, the path to an IP network is a VLAN. However, with the VLAN group feature used in this procedure, the path to the IP network 10.0.0.0 is actually through more than one VLAN. As IP routers are designed to have only one physical route to a network, a routing conflict can occur. With a self IP address on the BIG-IP system, you can resolve the routing conflict by associating a self IP address with the VLAN group.
  1. On the Main tab, click Network > Self IPs.
  2. Click Create. The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type an IPv4 address. This IP address should represent the address space of the VLAN group that you specify with the VLAN/Tunnel setting.
  5. In the Netmask field, type the network mask for the specified IP address. For this example, type 255.255.255.0.
  6. From the VLAN/Tunnel list, select the VLAN group with which to associate this self IP address.
  7. From the Port Lockdown list, select Allow Default.
  8. Click Finished.

Creating a custom IPsec policy for EtherIP tunnel traffic

When you use IPsec to secure EtherIP tunnel traffic, you must create a custom IPsec policy for the traffic selector to use.
  1. On the Main tab, click Network > IPsec > IPsec Policies.
  2. Click the Create button. The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. From the Mode list, select Tunnel. The screen refreshes to show additional related settings.
  5. In the Tunnel Local Address field, type an IP address. This IP address must match the local address of the EtherIP tunnel and the source IP address of the associated traffic selector.
  6. In the Tunnel Remote Address field, type an IP address. This IP address must match the remote address of the EtherIP tunnel and the destination IP address of the associated traffic selector.
  7. Click Finished. The screen refreshes and displays the new IPsec policy in the list.

Creating an IPsec traffic selector for EtherIP traffic

Before you start this task, make sure that you have created a custom IPsec policy to use with this traffic selector.
When you use IPsec to secure EtherIP tunnel traffic, you must create an IPsec traffic selector at each end of the IPsec tunnel to capture the EtherIP traffic.
  1. On the Main tab, click Network > IPsec > Traffic Selectors.
  2. Click Create. The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. For the Source IP Address or CIDR setting, type an IP address. This IP address must match the IP address specified for the Tunnel Local Address in the selected IPsec policy.
  5. For the Destination IP Address or CIDR setting, type an IP address. This IP address must match the IP address specified for the Tunnel Remote Address in the selected IPsec policy.
  6. From the Protocol list, select Other, and type 97 the EtherIP protocol number.
  7. From the IPsec Policy Name list, select the name of the custom IPsec policy that you created.
  8. Click Finished. The screen refreshes and displays the new IPsec traffic selector in the list.

Implementation result

After you configure EtherIP tunneling on the BIG-IP system, you must perform the same configuration procedure on the BIG-IP system in the remote data center to fully establish the EtherIP tunnel.

After the tunnel is established, the BIG-IP system preserves any open connections to migrating (or migrated) virtual machine servers.

Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information