Manual Chapter : Creating IP Tunnels

Applies To:

BIG-IP AAM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP APM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP LTM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP AFM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP ASM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

About IP tunnels

Using F5® tunneling technologies, you can set up tunneling from devices on different Layer 2 networks, or scale multi-site data centers over Layer 3 pathways. When you know the IP address of the devices at both ends of the tunnel, you can create a point-to-point encapsulation tunnel between a BIG-IP® system and another device. When multiple devices feed into a BIG-IP system, you can create a tunnel by specifying only the IP address on the BIG-IP device.

The BIG-IP system provides the following tunneling types, available using the browser-based Configuration utility or the Traffic Management shell (tmsh) command-line utility, and iControl®.

  • EtherIP
  • FEC
  • Geneve
    Note: IPv4 multicast addresses in the local network control block (224.0.0.0/24) [RFC 5771] should not be used for configuring the remote address of the VXLAN/Geneve tunnels with multicast flooding.
  • GRE
  • IPIP
    • DS-Lite
    • IPv4IPv4
    • IPv4IPv6
    • IPv6IPv4
    • IPv6IPv6
  • NVGRE
  • PPP
  • Transparent Ethernet Bridging
  • VXLAN
    Note: IPv4 multicast addresses in the local network control block (224.0.0.0/24) [RFC 5771] should not be used for configuring the remote address of the VXLAN/Geneve tunnels with multicast flooding.
  • WCCPGRE

For information about deploying some of these tunneling types, consult additional F5 Networks documentation, including CGNAT (DS-Lite), acceleration (FEC), and TMOS (VXLAN). Licensing restrictions apply.

About point-to-point tunnels

Point-to-point IP encapsulation tunnels carry traffic through a routed network between known devices. For example, you can create a GRE tunnel to connect a BIG-IP system to a remotely located pool member.

Illustration of a point-to-point GRE tunnel

Task summary

Creating a point-to-point IP tunnel

To create a point-to-point tunnel, you specify the encapsulation protocol and the IP addresses of the devices at both ends of the tunnel.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create or Carrier Grade NAT > Tunnels > Create.
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select the type that corresponds to the encapsulation protocol you want to use.
    The selection ipip is the same as ip4ip4, but ipip is compatible with configurations from an earlier release.
  4. In the Local Address field, type the IP address of the BIG-IP system.
  5. From the Remote Address list, select Specify, and type the IP address of the device at the other end of the tunnel.
  6. Click Finished.
After you complete this task, traffic is encapsulated using the protocol you specified between the BIG-IP system and the remote device you specified.
The BIG-IP system requires that tunnels used as routes have a self IP address associated with the tunnel itself, distinct from the self IP address configured as a tunnel endpoint. After configuring a self IP address, you can configure routes that use the tunnel as a resource.

Assigning a self IP address to an IP tunnel endpoint

Ensure that you have created an IP tunnel before starting this task.
Self IP addresses can enable the BIG-IP system, and other devices on the network, to route application traffic through the associated tunnel, similar to routing through VLANs and VLAN groups.
Note: If the other side of the tunnel needs to be reachable, make sure the self IP addresses that you assign to both sides of the tunnel are in the same subnet.
  1. On the Main tab, click Network > Self IPs.
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type the IP address of the tunnel.
    The system accepts IPv4 and IPv6 addresses.
    Note: This is not the same as the IP address of the tunnel local endpoint.
  5. In the Netmask field, type the network mask for the specified IP address.

    For example, you can type 255.255.255.0.

  6. From the VLAN/Tunnel list, select the tunnel with which to associate this self IP address.
  7. Click Finished.
    The screen refreshes, and displays the new self IP address.
Assigning a self IP to a tunnel ensures that the tunnel appears as a resource for routing traffic.
To direct traffic through the tunnel, add a route for which you specify the tunnel as the resource.

Routing traffic through an IP tunnel interface

Before starting this task, ensure that you have created an IP tunnel, and have assigned a self IP address to the tunnel.
You can route traffic through a tunnel interface, much like you use a VLAN or VLAN group.
  1. On the Main tab, click Network > Routes.
  2. Click Add.
    The New Route screen opens.
  3. In the Name field, type a unique name for the route.
    This name can be any combination of alphanumeric characters, including an IP address.
  4. In the Destination field, type the destination IP address for the route.
  5. In the Netmask field, type the network mask for the destination IP address.
  6. From the Resource list, select Use VLAN/Tunnel.
  7. From the VLAN/Tunnel list, select a tunnel name.
  8. Click Finished.
The system now routes traffic destined for the IP address you specified through the tunnel you selected.

Example of a point-to-point IP tunnel configuration

This illustration is an example of a point-to-point IP tunnel configuration showing IP addresses. Note that the tunnel local endpoint address is different from the tunnel self IP address.
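The three procedures above impose a few rules that are easy to get wrong when configuring by hand: the tunnel self IP must differ from the tunnel local endpoint, the self IPs on both sides must share a subnet if the peer is to be reachable, a tunnel used as a route resource needs a self IP of its own, and (from the tunnel-type list) a VXLAN/Geneve multicast remote address must not fall in 224.0.0.0/24. The following Python is an added example, not F5 code and not a tmsh interface; it models the tunnel, self IP and route objects with simple dataclasses and checks those rules. All names and addresses in it are constructed sample values.

```python
"""Sanity checks for a BIG-IP tunnel, its self IP and its routes.

Added example (not F5 code): models the objects the procedures above
create and checks the rules this chapter states. All names and
addresses are constructed sample values.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# RFC 5771 local network control block; not usable as a VXLAN/Geneve
# multicast remote address.
LOCAL_NETWORK_CONTROL_BLOCK = ipaddress.ip_network("224.0.0.0/24")
MULTICAST_FLOOD_PROFILES = {"vxlan", "geneve"}


@dataclass
class Tunnel:
    name: str
    profile: str          # gre, ipip, ip4ip4, vxlan, ...
    local_address: str    # tunnel endpoint on the BIG-IP
    remote_address: str   # peer endpoint, or "any"


@dataclass
class SelfIP:
    name: str
    address: str          # address/prefix, e.g. "10.99.0.1/24"
    vlan_or_tunnel: str   # tunnel the self IP is attached to


@dataclass
class Route:
    name: str
    network: str          # destination/prefix
    tunnel: str           # tunnel used as the route resource


def validate(tunnel: Tunnel, self_ips: List[SelfIP], routes: List[Route],
             peer_self_ip: Optional[str] = None) -> List[str]:
    """Return a list of rule violations (empty when the config is consistent)."""
    problems = []
    endpoint = ipaddress.ip_address(tunnel.local_address)

    # Rule 1: a VXLAN/Geneve multicast remote must not be in 224.0.0.0/24.
    if tunnel.profile in MULTICAST_FLOOD_PROFILES and tunnel.remote_address != "any":
        remote = ipaddress.ip_address(tunnel.remote_address)
        if remote.version == 4 and remote in LOCAL_NETWORK_CONTROL_BLOCK:
            problems.append(f"{tunnel.name}: remote {remote} is in the local "
                            "network control block 224.0.0.0/24")

    attached = [s for s in self_ips if s.vlan_or_tunnel == tunnel.name]
    for s in attached:
        iface = ipaddress.ip_interface(s.address)
        # Rule 2: the tunnel self IP is distinct from the local endpoint.
        if iface.ip == endpoint:
            problems.append(f"{s.name}: self IP reuses the tunnel local endpoint {endpoint}")
        # Rule 3: both sides' self IPs share a subnet when the peer must be reachable.
        if peer_self_ip is not None and ipaddress.ip_address(peer_self_ip) not in iface.network:
            problems.append(f"{s.name}: peer self IP {peer_self_ip} is outside {iface.network}")

    # Rule 4: a tunnel used as a route resource needs a self IP of its own.
    for r in routes:
        if r.tunnel == tunnel.name and not attached:
            problems.append(f"{r.name}: route uses {tunnel.name}, which has no self IP")
    return problems


def consistent_config() -> List[str]:
    """Constructed sample matching the illustration: endpoint and self IP differ."""
    tunnel = Tunnel("gre-to-dc2", "gre", "203.0.113.10", "198.51.100.20")
    self_ips = [SelfIP("gre-to-dc2-self", "10.99.0.1/24", "gre-to-dc2")]
    routes = [Route("to-dc2-servers", "10.20.0.0/16", "gre-to-dc2")]
    return validate(tunnel, self_ips, routes, peer_self_ip="10.99.0.2")


def broken_config() -> List[str]:
    """Constructed sample that breaks rules 1, 2 and 3 at once."""
    tunnel = Tunnel("vxlan-flood", "vxlan", "203.0.113.10", "224.0.0.5")
    self_ips = [SelfIP("vxlan-flood-self", "203.0.113.10/24", "vxlan-flood")]
    routes = [Route("to-overlay", "10.40.0.0/16", "vxlan-flood")]
    return validate(tunnel, self_ips, routes, peer_self_ip="10.99.0.2")


if __name__ == "__main__":
    for line in consistent_config() or ["consistent config: no problems"]:
        print(line)
    for line in broken_config():
        print(line)
```

The validator deliberately treats a `remote_address` of `any` as exempt from the multicast check, matching the multi-device tunnel procedure later in this chapter where no remote address is specified.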

Illustration of a point-to-point IP tunnel configuration

About tunnels between the BIG-IP system and other devices

In a network that has multiple devices connected to a BIG-IP system, you can create an IPIP or GRE encapsulation tunnel between the BIG-IP system and the remote devices without having to specify a remote (or source) IP address for every device. The use cases include situations where the source IP address is unknown or difficult to discover.

Illustration of an IPIP tunnel between a BIG-IP system and multiple unspecified devices

Creating an encapsulation tunnel between a BIG-IP device and multiple devices

You can create a tunnel between a BIG-IP system and multiple remote devices without having to specify a remote (or source) IP address for every device.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create or Carrier Grade NAT > Tunnels > Create.
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select the type that corresponds to the encapsulation protocol you want to use.
    The selection ipip is the same as ip4ip4, but ipip is compatible with configurations from an earlier release.
  4. In the Local Address field, type the IP address of the BIG-IP system.
  5. From the Remote Address list, retain the default selection, Any.
    This entry means that you do not have to specify the IP address of the remote end of the tunnel, which allows multiple devices to use the same tunnel.
  6. Click Finished.
When the BIG-IP system receives an encapsulated packet, the system decapsulates the packet, regardless of the source address, and re-injects it into the IP stack, thus allowing the inner IP address to be associated with a virtual server.
If you are configuring routes that use the tunnel as a resource, you must also assign a self IP address to the tunnel itself, which is different from the tunnel local endpoint IP address.

About transparent tunnels

You can create transparent tunnels when you want to inspect and/or manipulate encapsulated traffic that is flowing through a BIG-IP system. The BIG-IP system terminates the tunnel, while presenting the illusion that the traffic flows through the device unchanged. In this case, the BIG-IP device appears as if it were an intermediate router that simply routes IP traffic through the device.

The transparent tunnel feature enables redirection of traffic based on policies. For example, service providers can redirect traffic with transparent tunnels to apply classification and bandwidth management policies using Policy Enforcement Manager™. To handle payload inspection and manipulation, you can create a policy in the form of a virtual server that accepts encapsulated packets. In the absence of a policy, the tunnel simply traverses the BIG-IP device.

Transparent tunnels are available for IPIP and GRE encapsulation types, with only one level of encapsulation.

Illustration of a transparent tunnel

When the BIG-IP system receives an encapsulated packet from a transparent tunnel, the system decapsulates the packet, and re-injects it into the IP stack, where a virtual server can pick up the packet to apply a policy or rule. After applying the policy or rule, the BIG-IP can re-encapsulate the packet and route it, as if the packet had transited the BIG-IP unperturbed.
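The decapsulate-and-re-inject step described here, and in the multi-device tunnel section above, is easier to reason about with a concrete packet in hand. The following Python is an added example, not F5's implementation: it parses an outer IPv4 header, strips exactly one IPIP (protocol 4) or GRE (protocol 47) layer, and returns the inner addressing that a virtual server would be matched against. It also enforces the one-level limit the chapter states for transparent tunnels by rejecting a nested tunnel packet. The sample packets are constructed inline with `struct`; IP checksums are left at zero and the addresses are documentation ranges, not real hosts.

```python
"""Decapsulate one level of IPIP or GRE from a raw IPv4 packet.

Added example (not F5 code): shows the decapsulate-and-re-inject step
described in the chapter, including the one-level limit. Packets are
built inline from constructed addresses; checksums are left at zero.
"""
import ipaddress
import struct
from typing import Optional

IPPROTO_IPIP = 4      # IP-in-IP (RFC 2003)
IPPROTO_GRE = 47      # GRE (RFC 2784, RFC 2890)
ETHERTYPE_IPV4 = 0x0800
GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ = 0x80, 0x20, 0x10


class DecapError(ValueError):
    """Raised when the packet cannot be decapsulated as a single-level tunnel."""


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 header; return proto, src, dst and the payload bytes."""
    if len(pkt) < 20:
        raise DecapError("short IPv4 header")
    vhl, _tos, total_len, _id, _frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if vhl >> 4 != 4:
        raise DecapError("not IPv4")
    ihl = (vhl & 0x0F) * 4
    if ihl < 20 or len(pkt) < ihl:
        raise DecapError("bad IHL")
    return {"proto": proto,
            "src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "payload": pkt[ihl:min(total_len, len(pkt))]}


def strip_gre(payload: bytes) -> bytes:
    """Remove a GRE header, including optional checksum/key/sequence fields."""
    if len(payload) < 4:
        raise DecapError("short GRE header")
    flags, ver, ptype = struct.unpack("!BBH", payload[:4])
    if ver & 0x07 != 0:
        raise DecapError("unsupported GRE version")
    if ptype != ETHERTYPE_IPV4:
        raise DecapError(f"unsupported GRE protocol type 0x{ptype:04x}")
    off = 4 + sum(4 for f in (GRE_FLAG_CSUM, GRE_FLAG_KEY, GRE_FLAG_SEQ) if flags & f)
    if len(payload) < off:
        raise DecapError("GRE optional fields truncated")
    return payload[off:]


def decapsulate(pkt: bytes) -> dict:
    """Strip exactly one IPIP or GRE layer and return outer/inner addressing."""
    outer = parse_ipv4(pkt)
    if outer["proto"] == IPPROTO_IPIP:
        inner_bytes = outer["payload"]
    elif outer["proto"] == IPPROTO_GRE:
        inner_bytes = strip_gre(outer["payload"])
    else:
        raise DecapError(f"outer protocol {outer['proto']} is not IPIP or GRE")
    inner = parse_ipv4(inner_bytes)
    if inner["proto"] in (IPPROTO_IPIP, IPPROTO_GRE):
        raise DecapError("nested encapsulation: only one level is handled")
    return {"outer_src": outer["src"], "outer_dst": outer["dst"],
            "inner_src": inner["src"], "inner_dst": inner["dst"],
            "inner_proto": inner["proto"], "inner_packet": inner_bytes}


def is_single_level(pkt: bytes) -> bool:
    """True when pkt decapsulates cleanly to a non-tunnel inner packet."""
    try:
        decapsulate(pkt)
        return True
    except DecapError:
        return False


# Constructed sample packets (documentation address ranges, zero checksums).
def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + payload


def build_gre(payload: bytes, key: Optional[int] = None) -> bytes:
    flags = GRE_FLAG_KEY if key is not None else 0
    hdr = struct.pack("!BBH", flags, 0, ETHERTYPE_IPV4)
    if key is not None:
        hdr += struct.pack("!I", key)
    return hdr + payload


INNER = build_ipv4("10.20.0.5", "10.30.0.9", 6, b"\x00\x50\x1f\x90")  # TCP stub


def sample_ipip() -> bytes:
    return build_ipv4("198.51.100.20", "203.0.113.10", IPPROTO_IPIP, INNER)


def sample_gre_keyed() -> bytes:
    return build_ipv4("198.51.100.20", "203.0.113.10", IPPROTO_GRE, build_gre(INNER, key=42))


def sample_nested() -> bytes:
    return build_ipv4("192.0.2.1", "203.0.113.10", IPPROTO_IPIP, sample_ipip())
```

Running `decapsulate(sample_ipip())` yields the inner 10.20.0.5 to 10.30.0.9 addressing regardless of the outer source, which is what lets a virtual server match on the inner address in a tunnel whose remote address is `Any`; `is_single_level(sample_nested())` returns `False`, mirroring the single-encapsulation limit for transparent tunnels.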

Creating a transparent tunnel

You can create transparent tunnels to inspect and modify tunneled traffic flowing through a BIG-IP system.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create or Carrier Grade NAT > Tunnels > Create.
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select ipip or gre.
    The ipip selection can also be one of the IPIP variations: ip4ip4, ip4ip6, ip6ip4, or ip6ip6.
  4. In the Local Address field, type 0.0.0.0 for an IPv4 network or :: for an IPv6 network.
  5. From the Remote Address list, retain the default selection, Any.
    This entry means that you do not have to specify the IP address of the remote end of the tunnel, which allows multiple devices to use the same tunnel.
  6. Select the Transparent check box.
  7. Click Finished.
Traffic flowing through the transparent tunnel you created is available for inspection and modification, before continuing to its destination.
After you create a transparent tunnel, additional configuration is required to process the traffic, such as creating a virtual server to intercept the traffic, and using Policy Enforcement Manager to apply classification and bandwidth management policies.

About the traffic group setting for tunnels

When you create a tunnel, you can use the traffic group setting to control the availability of the tunnel in a BIG-IP HA configuration. For example, selecting traffic-group-local-only makes the tunnel always available on the BIG-IP system, regardless of its HA status. This setting also controls how config sync operates on the tunnel. Also, this setting can be useful for tunnel types that require the use of non-floating IP addresses, such as some configurations of VXLAN.

The Traffic Group setting on the Tunnel screen specifies the traffic group associated with the tunnel's local IP address.

  • None: This setting maintains the HA behavior of tunnels in releases prior to v12.0.0. When you are using config sync, the tunnel object is always synchronized across the device cluster.
  • traffic-group-local-only: If you want to use a non-floating tunnel IP address, select this group. The tunnel is excluded from the config sync operation.
  • traffic-group-1 (pre-configured) or other custom group: This setting makes the tunnel always available on the BIG-IP system. If you want to use a floating IP address, select the traffic group that is associated with the tunnel self IP address, which is specified in the Local Address field.

If you are specifying a secondary address for the tunnel, such as for NVGRE, it must be a non-floating self IP address. When a secondary address is specified, synchronization is automatically disabled for the tunnel, regardless of the traffic group specified.