Manual Chapter : Securing EtherIP Tunnel Traffic with IPsec

Applies To:

Show Versions Show Versions

BIG-IP AAM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP APM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP LTM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP AFM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0

BIG-IP ASM

  • 14.0.1, 14.0.0, 13.1.5, 13.1.4, 13.1.3, 13.1.1, 13.1.0
Manual Chapter

Overview: Securing EtherIP tunnel traffic with IPsec

You can use the IPsec protocol to secure EtherIP tunnel traffic that is undergoing live migration across a wide area network (WAN) using VMware vMotion. The EtherIP tunnel preserves any existing connections between the BIG-IP® system and a virtual machine while the virtual machine migrates to another data center. Adding IPsec to this configuration involves adding an IPsec traffic selector on each side of the IPsec tunnel. Those traffic selectors have the same source and destination IP addresses as the EtherIP tunnel.

Important: Perform these tasks on the BIG-IP system in both the local data center and the remote data center.

Task List

Creating a VLAN

VLANs represent a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with traffic destined for a specific address space. For the most basic BIG-IP® system configuration with redundancy enabled, you typically create multiple VLANs. That is, you create a VLAN for each of the internal and external networks, as well as a VLAN for high availability communications. If your hardware platform supports ePVA, you have the additional option of configuring double tagging (also known as Q-in-Q tagging) for a VLAN.

  1. On the Main tab, click Network > VLANs .
    The VLAN List screen opens.
  2. Click Create.
    The New VLAN screen opens.
  3. In the Name field, type a unique name for the VLAN.
  4. In the Tag field, type a numeric tag, between 1-4094, for the VLAN, or leave the field blank if you want the BIG-IP system to automatically assign a VLAN tag.
    The VLAN tag identifies the traffic from hosts in the associated VLAN.
  5. From the Customer Tag list:
    1. Retain the default value of None or select Specify.
    2. If you chose Specify in the previous step, type a numeric tag, between 1-4094, for the VLAN.
    The customer tag specifies the inner tag of any frame passing through the VLAN.
  6. For the Interfaces setting:
    1. From the Interface list, select an interface number or trunk name.
    2. From the Tagging list, select Tagged or Untagged.
      Select Tagged when you want traffic for that interface to be tagged with a VLAN ID.
    3. If you specified a numeric value for the Customer Tag setting and from the Tagging list you selected Tagged, then from the Tag Mode list, select a value.
    4. Click Add.
    5. Repeat these steps for each interface or trunk that you want to assign to the VLAN.
  7. If you want the system to verify that the return route to an initial packet is the same VLAN from which the packet originated, select the Source Check check box.
  8. In the MTU field, retain the default number of bytes (1500).
  9. From the Configuration list, select Advanced.
  10. If you want to base redundant-system failover on VLAN-related events, select the Fail-safe check box.
  11. From the Auto Last Hop list, select a value.
  12. From the CMP Hash list, select a value.
  13. To enable the DAG Round Robin setting, select the check box.
  14. For the Hardware SYN Cookie setting, select or clear the check box.
    When you enable this setting, the BIG-IP system triggers hardware SYN cookie protection for this VLAN.
    Enabling this setting causes additional settings to appear. These settings appear on specific BIG-IP platforms only.
  15. For the Syncache Threshold setting, retain the default value or change it to suit your needs.
    The Syncache Threshold value represents the number of outstanding SYN flood packets on the VLAN that will trigger the hardware SYN cookie protection feature.

    When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:

    • The number of TCP half-open connections defined in the LTM® setting Global SYN Check Threshold is reached.
    • The number of SYN flood packets defined in this Syncache Threshold setting is reached.
  16. For the SYN Flood Rate Limit setting, retain the default value or change it to suit your needs.
    The SYN Flood Rate Limit value represents the maximum number of SYN flood packets per second received on this VLAN before the BIG-IP system triggers hardware SYN cookie protection for the VLAN.
  17. Configure the sFlow settings or retain the default values.
  18. Click Finished.
    The screen refreshes, and displays the new VLAN in the list.
After you create the VLAN, you can assign the VLAN to a self IP address.
After creating the VLAN, ensure that you repeat this task to create as many VLANs as needed.

Creating an EtherIP tunnel object

Before you perform this task, you must know the self IP address of the instance of the VLAN that exists, or will exist, on the BIG-IP® system in the other data center.
The purpose of an EtherIP tunnel that contains an EtherIP type of profile is to enable the BIG-IP system to preserve any current connections to a server that is using VMware vMotion for migration to another data center.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create .
    The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Profile list, select etherip.
  4. In the Local Address field, type the self IP address of the local BIG-IP system.
  5. In the Remote Address field, type the self IP address of the remote BIG-IP system.
  6. If the BIG-IP system is part of an HA cluster, select the corresponding traffic group from the Traffic Group list.
  7. Click Finished.

Creating a VLAN group

VLAN groups consolidate Layer 2 traffic from two or more separate VLANs.
  1. On the Main tab, click Network > VLANs > VLAN Groups .
    The VLAN Groups list screen opens.
  2. Click Create.
    The New VLAN Group screen opens.
  3. In the Name field, type a unique name for the VLAN group.
  4. For the VLANs setting, select the EtherIP tunnel that you created (which appears in the VLAN list) and the VLAN that connects to the host where the VMs exist, and using the Move button (<<), move your selections from the Available list to the Members list.
  5. From the Transparency Mode list, select Transparent.
  6. Select the Bridge All Traffic check box if you want the VLAN group to forward all frames, including non-IP traffic.
    The default setting is disabled (not selected).
  7. Select the Bridge in Standby check box if you want the VLAN group to forward frames, even when the system is the standby unit of a redundant system.
  8. Click Finished.

Creating a self IP address

Before you create a self IP address, ensure that you have created a VLAN that you can associate with the self IP address.

A self IP address enables the BIG-IP® system and other devices on the network to route application traffic through the associated VLAN or VLAN group. When you do not intend to provision the vCMP® feature, you typically create self IP addresses when you initially configure the BIG-IP system on the VIPRION® platform.

If you plan to provision vCMP, however, you do not need to create self IP addresses during initial BIG-IP system configuration. Instead, the host administrator creates VLANs for use by guests, and the guest administrators create self IP addresses to associate with those VLANs.

  1. On the Main tab, click Network > Self IPs .
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type an IPv4 or IPv6 address.
    This IP address should represent the address space of the VLAN that you specify with the VLAN/Tunnel setting.
  5. In the Netmask field, type the full network mask for the specified IP address.
  6. From the VLAN/Tunnel list, select the VLAN to associate with this self IP address.
    • On the internal network, select the internal or high availability VLAN that is associated with an internal interface or trunk.
    • On the external network, select the external VLAN that is associated with an external interface or trunk.
  7. From the Port Lockdown list, select Allow Default.
  8. If the BIG-IP system is part of a redundant system configuration, select the corresponding traffic group from the Traffic Group list.
  9. Click Finished.
    The screen refreshes, and displays the new self IP address.
After you perform this task, the BIG-IP system can send and receive traffic through the specified VLAN or VLAN group. If the self IP address is member of a floating traffic group and you configure the system for redundancy, the self IP address can fail over to another device group member if necessary.

Creating a self IP for a VLAN group

Before you create a self IP address, ensure that you have created at least one VLAN group.
You perform this task to create a self IP address for a VLAN group. The self IP address for the VLAN group provides a route for packets destined for the network. With the BIG-IP® system, the path to an IP network is a VLAN. However, with the VLAN group feature used in this procedure, the path to the IP network 10.0.0.0 is actually through more than one VLAN. As IP routers are designed to have only one physical route to a network, a routing conflict can occur. With a self IP address on the BIG-IP system, you can resolve the routing conflict by associating a self IP address with the VLAN group.
  1. On the Main tab, click Network > Self IPs .
  2. Click Create.
    The New Self IP screen opens.
  3. In the Name field, type a unique name for the self IP address.
  4. In the IP Address field, type an IPv4 address.
    This IP address should represent the address space of the VLAN group that you specify with the VLAN/Tunnel setting.
  5. In the Netmask field, type the network mask for the specified IP address.
    For this example, type 255.255.255.0.
  6. From the VLAN/Tunnel list, select the VLAN group with which to associate this self IP address.
  7. From the Port Lockdown list, select Allow Default.
  8. If the BIG-IP system is part of a redundant system configuration, select the corresponding traffic group from the Traffic Group list.
  9. Click Finished.

Creating a custom IPsec policy for EtherIP tunnel traffic

When you use IPsec to secure EtherIP tunnel traffic, you must create a custom IPsec policy for the traffic selector to use.
  1. On the Main tab, click Network > IPsec > IPsec Policies .
  2. Click the Create button.
    The New Policy screen opens.
  3. In the Name field, type a unique name for the policy.
  4. From the Mode list, select Tunnel.
    The screen refreshes to show additional related settings.
  5. In the Tunnel Local Address field, type an IP address.
    This IP address must match the local address of the EtherIP tunnel and the source IP address of the associated traffic selector.
  6. In the Tunnel Remote Address field, type an IP address.
    This IP address must match the remote address of the EtherIP tunnel and the destination IP address of the associated traffic selector.
  7. Click Finished.
    The screen refreshes and displays the new IPsec policy in the list.

Creating an IPsec traffic selector for EtherIP traffic

Before you start this task, make sure that you have created a custom IPsec policy to use with this traffic selector.
When you use IPsec to secure EtherIP tunnel traffic, you must create an IPsec traffic selector at each end of the IPsec tunnel to capture the EtherIP traffic.
  1. On the Main tab, click Network > IPsec > Traffic Selectors .
  2. Click Create.
    The New Traffic Selector screen opens.
  3. In the Name field, type a unique name for the traffic selector.
  4. For the Source IP Address or CIDR setting, type an IP address.
    This IP address must match the IP address specified for the Tunnel Local Address in the selected IPsec policy.
  5. For the Destination IP Address or CIDR setting, type an IP address.
    This IP address must match the IP address specified for the Tunnel Remote Address in the selected IPsec policy.
  6. From the Protocol list, select Other, and type 97 the EtherIP protocol number.
  7. From the IPsec Policy Name list, select the name of the custom IPsec policy that you created.
  8. Click Finished.
    The screen refreshes and displays the new IPsec traffic selector in the list.

Implementation result

After you configure EtherIP tunneling on the BIG-IP system, you must perform the same configuration procedure on the BIG-IP system in the remote data center to fully establish the EtherIP tunnel.

After the tunnel is established, the BIG-IP system preserves any open connections to migrating (or migrated) virtual machine servers.