You can use the IPsec protocol to secure EtherIP tunnel traffic while a virtual machine undergoes live migration across a wide area network (WAN) using VMware vMotion. The EtherIP tunnel preserves any existing connections between the BIG-IP® system and a virtual machine while the virtual machine migrates to another data center. Adding IPsec to this configuration involves adding an IPsec traffic selector on each side of the IPsec tunnel. Those traffic selectors have the same source and destination IP addresses as the EtherIP tunnel.
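As an added example (not taken from the F5 documentation), the following Python check verifies that each side's traffic selector names the same source and destination addresses as its EtherIP tunnel, and that the two tunnels point at each other. The dictionary layout, field names, and documentation-range addresses are assumptions made for illustration, not BIG-IP configuration syntax.

```python
import ipaddress

def single_host(value):
    """Return the one address `value` names, or None if it covers a range."""
    net = ipaddress.ip_network(value, strict=False)
    return net.network_address if net.num_addresses == 1 else None

def check_site(name, site):
    """Compare one side's traffic selector with its EtherIP tunnel endpoints."""
    findings = []
    expected = {
        "selector_source": ipaddress.ip_address(site["tunnel_local"]),
        "selector_destination": ipaddress.ip_address(site["tunnel_remote"]),
    }
    for field, endpoint in expected.items():
        got = single_host(site[field])
        if got is None:
            findings.append(f"{name}: {field} {site[field]} covers more than the tunnel endpoint")
        elif got != endpoint:
            findings.append(f"{name}: {field} {got} does not match tunnel endpoint {endpoint}")
    return findings

def check_pair(site_a, site_b):
    """Check both sides, and that each tunnel points at the other side."""
    findings = check_site("site A", site_a) + check_site("site B", site_b)
    a = (ipaddress.ip_address(site_a["tunnel_local"]), ipaddress.ip_address(site_a["tunnel_remote"]))
    b = (ipaddress.ip_address(site_b["tunnel_remote"]), ipaddress.ip_address(site_b["tunnel_local"]))
    if a != b:
        findings.append("EtherIP tunnel endpoints are not mirrored between the two sites")
    return findings

# Constructed sample data (hypothetical layout, documentation-range addresses).
SITE_A = {"tunnel_local": "192.0.2.10", "tunnel_remote": "198.51.100.20",
          "selector_source": "192.0.2.10/32", "selector_destination": "198.51.100.20/32"}
SITE_B = {"tunnel_local": "198.51.100.20", "tunnel_remote": "192.0.2.10",
          "selector_source": "198.51.100.20/32", "selector_destination": "192.0.2.10/32"}
# Site B with the selector copied unchanged from site A (direction not reversed).
SITE_B_COPIED = dict(SITE_B, selector_source="192.0.2.10/32",
                     selector_destination="198.51.100.20/32")
# Site B with a subnet-wide destination instead of the tunnel endpoint.
SITE_B_WIDE = dict(SITE_B, selector_destination="192.0.2.0/24")

if __name__ == "__main__":
    for label, b in (("ok", SITE_B), ("copied", SITE_B_COPIED), ("wide", SITE_B_WIDE)):
        print(label, check_pair(SITE_A, b))
```

A selector that does not match its tunnel endpoints would leave the EtherIP traffic outside the IPsec policy, so a check like this is worth running against both data centers before relying on the tunnel during a migration.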
A VLAN represents a logical collection of hosts that can share network resources, regardless of their physical location on the network. You create a VLAN to associate physical interfaces with traffic destined for a specific address space. For the most basic BIG-IP® system configuration with redundancy enabled, you typically create multiple VLANs. That is, you create a VLAN for each of the internal and external networks, as well as a VLAN for high availability communications. If your hardware platform supports ePVA, you have the additional option of configuring double tagging (also known as Q-in-Q tagging) for a VLAN.
When the Hardware SYN Cookie setting is enabled, the BIG-IP system triggers SYN cookie protection in either of these cases, whichever occurs first:
A self IP address enables the BIG-IP® system and other devices on the network to route application traffic through the associated VLAN or VLAN group. When you do not intend to provision the vCMP® feature, you typically create self IP addresses when you initially configure the BIG-IP system on the VIPRION® platform.
If you plan to provision vCMP, however, you do not need to create self IP addresses during initial BIG-IP system configuration. Instead, the host administrator creates VLANs for use by guests, and the guest administrators create self IP addresses to associate with those VLANs.
After you configure EtherIP tunneling on the BIG-IP system, you must perform the same configuration procedure on the BIG-IP system in the remote data center to fully establish the EtherIP tunnel.
After the tunnel is established, the BIG-IP system preserves any open connections to migrating (or migrated) virtual machine servers.