Applies To:

Show Versions Show Versions

Manual Chapter: Creating IP Tunnels
Manual Chapter
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

About IP tunnels

Using F5 tunneling technologies, you can set up tunneling from devices on different Layer 2 networks, or scale multi-site data centers over Layer 3 pathways. When you know the IP address of the devices at both ends of the tunnel, you can create a point-to-point encapsulation tunnel between a BIG-IP system and another device. When multiple devices feed into a BIG-IP system, you can create a tunnel by specifying only the IP address on the BIG-IP device.

The BIG-IP system provides the following tunneling protocols, available using the browser-based Configuration utility or the Traffic Management shell (tmsh) command-line utility, and iControl.

  • EtherIP
  • GRE
  • IPIP
    • dslite
    • IPv4IPv4
    • IPv4IPv6
    • IPv6IPv4
    • IPv6IPv6
  • PPP
  • WCCPGRE

About point-to-point tunnels

Point-to-point IP encapsulation tunnels carry traffic through a routed network between known devices. For example, you can create a GRE tunnel to connect a BIG-IP system to a remotely located pool member.

Illustration of a point-to-point GRE tunnel Illustration of a point-to-point GRE tunnel

Creating a point-to-point IP tunnel

To create a point-to-point tunnel, you specify the encapsulation protocol and the IP addresses of the devices at both ends of the tunnel.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create. The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Encapsulation Type list, select the type that corresponds to the encapsulation protocol you want to use. The selection ipip is the same as ip4ip4, but ipip is compatible with configurations from an earlier release.
  4. In the Local Address field, type the IP address of the BIG-IP system.
  5. In the Remote Address field, type the IP address of the device at the other end of the tunnel.
  6. Click Finished.
After you complete this task, traffic is encapsulated using the protocol you specified between the BIG-IP system and the remote device you specified.

About tunnels between the BIG-IP system and other devices

In a network that has multiple devices connected to a BIG-IP system, you can create an IPIP or GRE encapsulation tunnel between the BIG-IP system and the remote devices without having to specify a remote (or source) IP address for every device. The use cases include situations where the source IP address is unknown or difficult to discover.

IPIP tunnel between a BIG-IP system and multiple unspecified devices Illustration of an IPIP tunnel between a BIG-IP system and multiple unspecified devices

Creating an encapsulation tunnel between a BIG-IP device and multiple devices

You can create a tunnel between a BIG-IP system and multiple remote devices without having to specify a remote (or source) IP address for every device.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create. The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Encapsulation Type list, select the type that corresponds to the encapsulation protocol you want to use. The selection ipip is the same as ip4ip4, but ipip is compatible with configurations from an earlier release.
  4. In the Local Address field, type the IP address of the BIG-IP system.
  5. In the Remote Address field, type 0.0.0.0 or ::. This entry means that you do not have to specify the IP address of the remote end of the tunnel, which allows multiple devices to use the same tunnel.
  6. Click Finished.
When the BIG-IP system receives an encapsulated packet, the system decapsulates the packet, regardless of the source address, and re-injects it into the IP stack, thus allowing the inner IP address to be associated with a virtual server.

About transparent tunnels

You can create transparent tunnels when you want to inspect and/or manipulate encapsulated traffic that is flowing through a BIG-IP system. The BIG-IP system terminates the tunnel, while presenting the illusion that the traffic flows through the device unperturbed. In this case, the BIG-IP device appears as if it were an intermediate router that simply routes IP traffic through the device.

The transparent tunnel feature enables redirection of traffic based on policies. For example, service providers can redirect traffic with transparent tunnels to apply classification and bandwidth management policies using Policy Enforcement Manager. To handle payload inspection and manipulation, you can create a policy in the form of a virtual server that accepts encapsulated packets. In the absence of a policy, the tunnel simply traverses the BIG-IP device.

Transparent tunnels are available for IPIP and GRE encapsulation types, with only one level of encapsulation.

Illustration of a transparent tunnel Illustration of a transparent tunnel

When the BIG-IP system receives an encapsulated packet from a transparent tunnel, the system decapsulates the packet, and re-injects it into the IP stack, where a virtual server can pick up the packet to apply a policy or rule. After applying the policy or rule, the BIG-IP can re-encapsulate the packet and route it, as if the packet had transited the BIG-IP unperturbed.

Creating a transparent tunnel

You can create transparent tunnels to inspect and modify tunneled traffic flowing through a BIG-IP system.
  1. On the Main tab, click Network > Tunnels > Tunnel List > Create. The New Tunnel screen opens.
  2. In the Name field, type a unique name for the tunnel.
  3. From the Encapsulation Type list, select ipip or gre. The ipip selection can also be one of the IPIP variations: ip4ip4, ip4ip6, ip6ip4, or ip6ip6.
  4. In the Local Address field, type the IP address of the BIG-IP system.
  5. In the Remote Address field, type a wildcard address (:: or 0.0.0.0) as the other end of the tunnel.
  6. Select the Transparent check box.
  7. Click Finished.
Traffic flowing through the transparent tunnel you created is available for inspection and modification, before continuing to its destination.
After you create a transparent tunnel, additional configuration is required to process the traffic, such as creating a virtual server to intercept the traffic, and using Policy Enforcement Manager to apply classification and bandwidth management policies.
Table of Contents   |   << Previous Chapter   |   Next Chapter >>

Was this resource helpful in solving your issue?




NOTE: Please do not provide personal information.



Incorrect answer. Please try again: Please enter the words to the right: Please enter the numbers you hear:

Additional Comments (optional)