For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

balleste_156980's avatar
balleste_156980
Icon for Nimbostratus rankNimbostratus
Mar 16, 2015

GRE Tunnel...

Not much information on the Internet on how GRE tunneling works on the F5. I seen this one (https://support.f5.com/kb/en-us/products/big-ip_ltm/manuals/product/ltm-implementations-11-2-0/5.html)) but I don't think it is detailed enough.

 

Anyway, has anyone successfully configured either GRE termination on the F5 or GRE transparent tunneling on the F5? Does anyone have any other information on how it works and it should be configured? I understand GRE tunnels and how they work (I've configured a ton of them on a Cisco router), I'm just trying to figure out how to configure it on an F5.

 

Consider the example diagram (see attached). I would like R1 to establish a GRE tunnel to either R2 or 3 (which of course is load balanced by the F5). This means, the F5 (would be inline and would be able to manipulate traffic over GRE.

 

I guess my question(s) are:

 

a. any further detailed information about F5 GRE configuration and or transparent GRE tunneling b. can this be done? c. i've got the networking configuration down (in the diagram), i just need to know if we can loadbalance GRE this way.

 

3 Replies

  • Jorjjj's avatar
    Jorjjj
    Icon for Nimbostratus rankNimbostratus
    Jun 30, 2015

    Hello there

     

    Did you manage to do that? Terminate GRE Tunnel on F5, or load balance traffic between the 2 Cisco router where the GRE is terminated on them?

     

    Thanks

     

    Regards,

     

    Georges

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Jun 30, 2015

    i haven't seen anything about load balancing GRE tunnels. if you google that in general you find load balancing over two tunnel (so spreading traffic over two (or more) tunnels) but never about load balancing the actual tunnel. i kinda doubt it is possible.

     

    the termination is explained in the link in the first post.

     

  • balleste_156980's avatar
    balleste_156980
    Icon for Nimbostratus rankNimbostratus
    Jul 01, 2015

    Wow...this has been awhile. Anyway, this was just an experiment as I working on a side project and wanted to lab out different scenarios. For each setup I had specific network requirements for each test and let's just say that yes, they actually work (to some degree). I tested the following:

     

    a. GRE termination on edge FW b. GRE termination on F5 (having remote clients terminate the GRE on the F5) c. Load balancing GRE on Cisco routers (load balancing GRE termination)

     

    But since the question here is on GRE termination on F5 or load balancing GRE on Cisco routers, here is my response. Can they be done? Yes...are they effective? scalable? Let's just say they each have their own advantages/disadvantages.

     

    a. GRE termination on edge FW: this is a given and very easy to do (so I won't explain it here)

     

    b. GRE termination on F5: also possible. though not scalable in my opinion. have you ever seen any published documentation of f5's GRE and IPSEC tunnel capacity? This will also impact performance on the f5 especially if you're setting up IPSEC (and have lots of terminations). Even F5 engineers said although this is a supported feature, they don't recommend it.

     

    c. Load balancing GRE on Cisco routers: also doable using NAT and IP forwarding on the F5. For this, your Cisco routers will need to have the same exact GRE configuration (which means for every GRE tunnel you have, each Cisco router will need to have the same exact configuration (with the exception of the tunnel IP)).