Manual Chapter : Configuring Intelligent Traffic Steering

Applies To:

BIG-IP PEM

  • 14.1.5, 14.1.4, 14.1.3, 14.1.2, 14.1.0

Overview: Configuring intelligent traffic steering

You can use the Policy Enforcement Manager to set up the BIG-IP® system to classify and intelligently steer traffic on the network. The system automatically sets up virtual servers for TCP and UDP traffic so that the BIG-IP system can classify the traffic and direct it to one or more steering endpoints based on traffic characteristics.
Common Address Redundancy Protocol (CARP) persistence is supported with PEM forwarding endpoints, for use with the service chaining action, when forwarding traffic to a pool.

What is traffic steering?

Policy Enforcement Manager provides the ability to intelligently steer traffic based on policy decisions made using classification criteria, URL category, flow information, or custom criteria (iRule events). Steering, also called traffic forwarding, can help you police, control, and optimize traffic.
You can forward a particular type of traffic to a pool of one or more servers designed to handle that type of traffic, or to a location closer to clients requesting a service. For example, you can send HTTP video traffic to a pool of video delivery optimization servers. You can have one policy option to classify each transaction, which allows transaction-aware steering. The ability to classify traffic for every transaction is called transactional policy enforcement. The classification per transaction is for HTTP traffic only.
You set up steering by creating an enforcement policy that defines the traffic that you want to send to a particular location or endpoint. Rules in the enforcement policy specify conditions that the traffic must match, and actions for what to do with that traffic. One of the actions you can take is to forward the traffic to a particular endpoint, called a forwarding endpoint.
You can create listeners to set up virtual servers and associate the enforcement policies with the traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies the enforcement policy that the system uses, among other uses, for traffic steering.

Create a pool

You can create a pool of servers that you can group together to receive and process traffic.
  1. On the Main tab, click Local Traffic > Pools.
    The Pools list screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a name for the pool.
    Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.
    The pool name is limited to 63 characters.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. In the Node Name field, type a name for the node portion of the pool member.
    2. In the Address field, type an IP address.
    3. In the Service Port field, type a port number, or select a service name from the list.
    4. In the Priority field, type a priority number.
    5. Click Add.
  5. Click Finished.
  6. Repeat these steps for each pool you want to create.

Creating forwarding endpoints

Before you can create an endpoint, you need to create a pool that specifies where you want to direct the classified traffic.
To set up traffic steering, you need to create a forwarding endpoint, which specifies where to send the traffic. If you are configuring w-steering or service chains, you need to create multiple endpoints.
  1. On the Main tab, click Policy Enforcement > Forwarding > Endpoints.
    The Endpoints screen opens.
  2. Click Create.
    The New Endpoint screen opens.
  3. In the Name field, type a name for the endpoint.
  4. From the Pool list, select the pool to which you want to steer a particular type of traffic, for example, in a policy rule.
  5. If you want to translate the destination address of the virtual server to that of the pool, from the Address Translation list, select Enabled. Otherwise, leave this setting disabled.
  6. If you want to translate the original destination port to another port, from the Port Translation list, select Enabled. Otherwise, leave this setting disabled.
  7. From the Source Port list, select the appropriate option for the source port of the connection.
    • Preserve: Maintains the value configured for the source port, unless the source port from a particular SNAT is already in use.
    • Preserve Strict: Maintains the value configured for the source port. If the port is in use, the system does not process the connection. Use this setting only when (1) the port is configured for UDP traffic; (2) the system is configured for nPath routing or running in transparent mode; or (3) a one-to-one relationship exists between virtual IP addresses and node addresses, or clustered multi-processing (CMP) is disabled.
    • Change: Specifies that the system changes the source port.
  8. To specify a SNAT pool for address translation, from the SNAT Pool list, select the name of an existing SNAT pool.
    The steering endpoint uses the SNAT pool to implement selective and intelligent SNATs.
  9. If you have multiple pool members and want specific traffic to go to the same pool member every time, from the Persistence list, select the appropriate IP address type:
    • Hash Settings: Map the hash value to a specific pool member so that other traffic, with the same hash value, is directed to the same pool member.
    • Source Address: Map the source IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
    • Destination Address: Map the destination IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
    If you do not need to maintain persistence, leave Persistence set to Disabled, the default value.
  10. If you select Hash Settings, configure the following fields:
    • To specify an algorithm for the hash persistence method, from the Hash Persistence Algorithm list, select the name of an algorithm. The CARP algorithm is the only option currently available.
    • In the Hash Persistence Offset field, type the offset from the start of the source string to calculate the hash value. The default value is 0.
    • In the Hash Persistence Length field, type the length of the source string used to calculate the hash value. The default value is 1024.
  11. From the Hash source list, select the appropriate method to get the hash value.
    • URI: Specify the string value to calculate the hash value.
    • Execute Script: Specify the TCL script snippet. You can select the Wrap Area Text check box to wrap the definition text, and select the Extend Area check box to increase the field space of format scripts. The results from this script are used to calculate the hash value.
    The URI option is for HTTP traffic only.
  12. If you want to apply a fallback persistence method for when default persistence fails, from the Fallback Persistence list, select the appropriate IP address type:
    • Disabled: Disables fallback persistence. The default value is Disabled.
    • Source Address: Map the source IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
    • Destination Address: Map the destination IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
  13. Click Finished.
You can direct traffic to the endpoint you created in the policy rules of an enforcement policy.
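
The effect of the Hash Persistence Offset and Hash Persistence Length fields from step 10 can be sketched as follows. This is an added example, not F5 code: it uses CARP-style highest-score selection with SHA-256 as a stand-in for the BIG-IP hash function, and the pool member addresses and URIs are constructed. It shows that removing a member only remaps the traffic that member held, and that a hash window covering only a shared URI prefix sends all traffic to one member.

```python
import hashlib
from collections import Counter

# Constructed sample data: pool members and HTTP URIs used as the hash source.
MEMBERS = ["10.0.0.11:80", "10.0.0.12:80", "10.0.0.13:80"]
URIS = [f"/video/{i}/segment.ts" for i in range(200)]


def hash_window(source, offset=0, length=1024):
    """Return the bytes of the hash source that are actually hashed.

    offset and length mirror the Hash Persistence Offset and Hash Persistence
    Length fields (defaults 0 and 1024, as stated on the page).
    """
    return source.encode("utf-8")[offset:offset + length]


def carp_pick(source, members, offset=0, length=1024):
    """Pick the member with the highest combined score for this hash window.

    Assumption: SHA-256 stands in for the real hash function. Only the
    selection principle (score every member, take the highest) is CARP-like.
    """
    window = hash_window(source, offset, length)

    def score(member):
        return hashlib.sha256(member.encode("utf-8") + b"\x00" + window).digest()

    return max(members, key=score)


def distribution(sources, members, offset=0, length=1024):
    """Count how many hash sources land on each pool member."""
    return Counter(carp_pick(s, members, offset, length) for s in sources)


def remapped_after_removal(sources, members, removed, offset=0, length=1024):
    """Return sources that change member when `removed` leaves the pool,
    not counting the sources that were on the removed member itself."""
    survivors = [m for m in members if m != removed]
    moved = []
    for s in sources:
        before = carp_pick(s, members, offset, length)
        if before != removed and carp_pick(s, survivors, offset, length) != before:
            moved.append(s)
    return moved


if __name__ == "__main__":
    print("default window:", dict(distribution(URIS, MEMBERS)))
    # A 7-byte window covers only "/video/", which every sample URI shares.
    print("offset 0, length 7:", dict(distribution(URIS, MEMBERS, 0, 7)))
    print("moved after removing a member:",
          len(remapped_after_removal(URIS, MEMBERS, MEMBERS[1])))
```

When choosing the offset and length, check that the hashed window includes the part of the URI that actually varies between requests; otherwise persistence concentrates load on a single pool member.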

Creating an enforcement policy

If you want to classify and intelligently steer traffic, you need to create an enforcement policy. The policy describes what to do with specific traffic, and how to treat the traffic.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click Create.
    The New Policy screen opens.
  3. In the Name field, type a name for the policy.
    When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the word global or unknown in the policy name to distinguish these from other subscriber policies.
  4. From the Transactional list, select Enabled if you want the BIG-IP system to allow policy enforcement on each HTTP transaction.
  5. Click Finished.
    System performance is significantly affected, depending on the complexity of the classification and the type of policy action.
    The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and actions.

Creating custom action policies

In an enforcement policy, a custom action can be defined by a Policy Enforcement Manager (PEM) iRule. The PEM TCL filter supports multi-line TCL scripts and variables (global and iRule commands).
  1. On the Main tab, click Policy Enforcement > Policies > iRules.
  2. Click Create.
    The New iRule screen opens.
  3. In the Name field, type a name for the new iRule.
  4. In the Description field, type a description of the new iRule.
  5. In the iRule Expression field, specify the TCL syntax that defines a custom iRule action, which can be later attached to a policy enforcement rule.
    when PEM_POLICY {
        if {[PEM::policy initial]} {
            # Commands to run the first time the policy is evaluated.
        } else {
            # Commands to run during policy re-evaluation.
        }
        # Commands to run during both policy evaluation and re-evaluation.
    }
    There can be two iRule events:
    • PEM_POLICY is triggered when a policy evaluation occurs.
    • RULE_INIT runs the first time the iRule is loaded or has changed.
    The two new PEM iRule commands are PEM::policy initial and PEM::policy name. You can select the Wrap Text check box to wrap the definition text, and select the Extend Text Area check box to increase the field space of format scripts.
  6. Click Finished.
    The Policy Enforcement Manager creates a new iRule, and displays the iRule list.
  7. To attach a custom action to a specific iRule, follow these steps:
    1. Click Policy Enforcement > Policies.
    2. Select a policy name.
    3. Click a policy rule.
    4. From the Custom Action list, select an iRule you created.
  8. Click Update.
You have now created a custom action in a policy, using iRules.
The iRule actions are performed at the end of all the other policy actions.

Adding rules to an enforcement policy

Before you can add rules to an enforcement policy, you need to create the policy, then reopen it.
You add rules to an enforcement policy to select the traffic you want to affect, and the actions to take. A rule associates an action with a specific type of traffic. So you can, for example, add a rule to select all audio-video traffic and send it to a pool of servers that are optimized to handle that type of traffic.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  7. From the Modify Header list, select Enabled to modify the HTTP request header.
    More modify header configuration options display.
  8. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.
    Other tasks describe how to do this in detail.
    If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  9. From the Congestion Detection list, select Enable to enable congestion detection in the Radio Access Network.
    1. In the Threshold field, type the lower threshold bandwidth for a session. The default value is 1000kbs.
    2. From the Destination list, select the publisher name from the HSL publisher drop-down list.
    The state of congestion detection is now controlled by policy application, and different subsets of subscribers can have different settings. This enables congestion detection for specific types of applications, as it pairs with specific policy rule conditions.
  10. Click Finished.
  11. Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you added.
Now you need to associate the enforcement policy with the virtual server (or servers) to which traffic is directed.
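
The precedence behaviour described in step 5 can be checked offline before rules go live. The following is an added example, not F5 code or PEM's evaluation engine: a simplified model with hypothetical field and action names and constructed rules, which resolves conflicting actions by precedence and flags overlapping rules whose actions differ. The page does not say how equal precedence values are resolved, so the audit reports those as ties.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from itertools import combinations
from typing import Optional


@dataclass
class Rule:
    """Simplified stand-in for one policy rule (field names are hypothetical)."""
    name: str
    precedence: int                  # 1 is the highest precedence
    protocol: str = "Any"            # "TCP", "UDP" or "Any"
    src_net: Optional[str] = None    # CIDR; None means no source condition
    dst_port: Optional[int] = None   # None means all ports
    actions: dict = field(default_factory=dict)

    def matches(self, flow):
        if self.protocol not in ("Any", flow["protocol"]):
            return False
        if self.src_net and ip_address(flow["src"]) not in ip_network(self.src_net):
            return False
        return self.dst_port in (None, flow["dst_port"])

    def overlaps(self, other):
        """True if some flow could match both rules."""
        if "Any" not in (self.protocol, other.protocol) and self.protocol != other.protocol:
            return False
        if self.src_net and other.src_net and not ip_network(self.src_net).overlaps(
                ip_network(other.src_net)):
            return False
        return None in (self.dst_port, other.dst_port) or self.dst_port == other.dst_port


def effective_actions(rules, flow):
    """Resolve one flow: differing values for the same action go to the rule
    with the lowest precedence number; non-conflicting actions all apply.
    Returns (actions, overridden), overridden = [(loser, action, winner)].
    Equal precedence is resolved by list order here; audit() flags it."""
    effective, source, overridden = {}, {}, []
    for rule in sorted((r for r in rules if r.matches(flow)), key=lambda r: r.precedence):
        for key, value in rule.actions.items():
            if key not in effective:
                effective[key], source[key] = value, rule.name
            elif effective[key] != value:
                overridden.append((rule.name, key, source[key]))
    return effective, overridden


def audit(rules):
    """Static check: overlapping rules that set the same action differently.
    Returns sorted (kind, action, first_rule, second_rule) tuples, where kind is
    "shadowed" (first_rule wins on precedence) or "tie" (equal precedence)."""
    findings = []
    for a, b in combinations(sorted(rules, key=lambda r: r.precedence), 2):
        if not a.overlaps(b):
            continue
        for key in a.actions.keys() & b.actions.keys():
            if a.actions[key] != b.actions[key]:
                kind = "tie" if a.precedence == b.precedence else "shadowed"
                findings.append((kind, key, a.name, b.name))
    return sorted(findings)


# Constructed rule set; the first two rules mirror the page's example
# (precedence 10 with the gate disabled, precedence 11 with the gate enabled).
RULES = [
    Rule("block_search", 10, "TCP", dst_port=80, actions={"gate_status": "disabled"}),
    Rule("allow_web", 11, "TCP", actions={"gate_status": "enabled", "dscp": 46}),
    Rule("steer_video", 20, src_net="10.20.0.0/16",
         actions={"forwarding_endpoint": "video_ep"}),
    Rule("steer_cache", 20, src_net="10.20.5.0/24",
         actions={"forwarding_endpoint": "cache_ep"}),
]

if __name__ == "__main__":
    flow = {"protocol": "TCP", "src": "10.20.5.9", "dst_port": 80}
    print(effective_actions(RULES, flow))
    for finding in audit(RULES):
        print(finding)
```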

Creating a rule using classification criteria

You can use Layer 7 classification criteria to define conditions that the traffic must meet (or not meet) for an enforcement policy rule to apply.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
  6. On the Classification tab, in the Classification setting, specify Layer 7 matching criteria for the rule:
    1. From the Match Criteria list, select whether you want to perform actions on traffic that matches (select Match), or does not match (select No Match) the criteria specified.
    2. From the Category list, select the type of traffic this rule applies to, or select Any for all traffic.
    3. Some categories have specific applications associated with them. If this one does, from the Application list select the application this rule applies to, or select Any for all traffic in this category.
    4. Click Add to add this match criteria to the classification.
      Add as many matching criteria as are relevant to this rule.
  7. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.
    Other tasks describe how to do this in detail.
    If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  8. Click Finished.
You have created a rule that applies to traffic based on classification criteria.

Creating a rule using URL categorization

You have the ability to enforce policies that are configured as part of the subscriber profile, based on the URL category type. Use Layer 7 criteria to define conditions that the traffic must meet (or not meet) for an enforcement policy rule to apply.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
  6. On the URL tab, in the URL setting, specify Layer 7 matching criteria for the rule:
    1. From the Match Criteria list, select whether you want to perform actions on traffic that matches (select Match), or does not match (select No Match) the criteria specified.
    2. From the URL Category list, select the type of traffic this rule applies to.
    3. Click Add to add this match criteria to the classification.
      Add as many matching criteria as are relevant to this rule.
  7. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.
    Other tasks describe how to do this in detail.
    If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  8. Click Finished.
You have created a rule that applies to traffic based on URL Category.

Modifying iRule event for URL categories

On the BIG-IP system, you can modify iRules Event settings for URL categories.
  1. On the Main tab, click Traffic Intelligence > Categories > Category List.
  2. Select a URL category.
    The URL Properties screen opens.
  3. In the Name field, type a unique name for the URL category policy.
  4. In the Description field, type optional descriptive text for the classification presets.
  5. In the Category ID field, type an identifier for this category, a unique number.
  6. For the Application List setting, move applications that you want to associate with this category from the Unknown list to the Selected list.
    If the applications are not listed yet, you can associate the applications with the category when you create them.
  7. Click Finished.
  8. On the Main tab, click Local Traffic > Profiles > Classification.
    The Classification screen opens.
  9. Select a classification profile or create one.
  10. From the URL Categorization field, select Enabled from the drop-down list.
  11. In the iRule Event field, select the appropriate setting.
    • To trigger an iRule event for this category of traffic, select Enabled. You can then create an iRule that performs an action on this type of traffic.
    • If you do not need to trigger an iRule event for this category of traffic, select Disabled.
    CLASSIFICATION::DETECTED is the only event that is supported.
You have modified an iRule event setting for an existing URL category.

Creating a rule using flow conditions

You can use flow information to define conditions that the traffic must meet (or not meet) for an enforcement policy rule to apply.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
  6. On the Flow tab, in the Flow setting, specify Layer 4 conditions that the traffic must meet (or not meet) for this rule to apply.
    • Match: Select whether you want to perform actions on traffic that matches (select Match) or does not match (select No Match) the criteria specified.
    • DSCP Marking: To match incoming traffic based on a DSCP value, type an integer from 0 to 63.
    • Protocol: To specify the applicable traffic by protocol, select UDP, TCP, or leave the default value of Any.
    • IP Type: To specify the IP address type that this rule applies to, select IPv4, IPv6, or leave the default value of Any.
    • Source Address/Mask: To match incoming traffic based on the address or network it is coming from, type the source IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/32.
    • Source Port: To match incoming traffic based on the port it is coming from, type the port number you want the rule to affect. The default value (empty) matches traffic from all ports.
    • Source VLAN: To match incoming traffic based on the VLAN, select a previously configured VLAN.
    • Destination Address/Mask: To match traffic based on the address or network it is directed to, type the source IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/32.
    • Destination Port: To match incoming traffic based on the port it is directed to, type the port number you want the rule to affect. The default value (empty) matches traffic headed to all ports.
    1. Click Add to add this match criteria to the classification.
      F5 recommends that you keep the matching criteria in a rule simple, adding more rules to specify additional conditions rather than including too many in one rule.
  7. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.
    Other tasks describe how to do this in detail.
    If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  8. Click Finished.
You have created a rule that classifies traffic.

Creating a rule for forwarding traffic

You can create a rule that forwards traffic to an endpoint. For example, you might want to direct video traffic to a server that is optimized for video viewing.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  7. In the Gate area, for Gate Status, select Enabled.
    Options provide several ways to forward the traffic.
  8. In the Forwarding area, for HTTP Redirect, select Enabled, and type the URL.
  9. From the Forwarding list, select an option where you would like to forward the traffic.
    • Route to Network: The traffic flow is forwarded to the default destination.
    • Forwarding to Endpoint: The flow is steered to a different destination and you can select one of the endpoints.
    • Forward to ICAP virtual Server: The flow is forwarded to the ICAP virtual server.
  10. From the Forwarding Fallback Action list, select Drop or Continue to specify if the connection can remain unchanged or should be dropped if the forwarding action fails.
  11. From the ICAP Virtual Server list, select an internal virtual server that you have created, or click Create to create a new internal virtual server.
  12. From the ICAP Type list, select an ICAP adaptation type.
    • Select Request to send a portion of the request to the ICAP server.
    • Select Response to receive a portion of the response from the ICAP server.
    • Select Request and Response to have both types of adaptation.
  13. From the Service Chain list, select Create to direct traffic to more than one location (such as value-added services).
  14. Click Finished.
You have created a rule that forwards traffic.

Creating a rule for QoS

Before you can create a rule for Quality of Service (QoS), you need to create a bandwidth controller to use rate control.
You can create a rule that results in a QoS action such as DSCP marking, link QoS, or rate limiting.
In the mobile market, uplink and downlink are sometimes known as forward and reverse, respectively.
  1. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  7. For Gate Status, select Enabled.
    If you select Disabled, then the corresponding traffic will be dropped.
    Forwarding and QoS options are displayed.
  8. To set DSCP bits on the downlink traffic, for IP Marking (DSCP), select Specify, and type a value between 0 and 63, inclusive.
    The traffic that matches this rule is marked with this value.
  9. To set DSCP bits on the uplink traffic, for IP Marking (DSCP), select Specify, and type a value between 0 and 63, inclusive.
    The traffic that matches this rule is marked with this value.
  10. To set a Layer 2 Quality of Service (QoS) level in downlink packets, for L2 Marking (802.1p), select Specify, and type a value between 0 and 7, inclusive.
    Setting a QoS level affects the packet delivery priority.
  11. To set a Layer 2 Quality of Service (QoS) level in uplink packets, for L2 Marking (802.1p), select Specify, and type a value between 0 and 7, inclusive.
    Setting a QoS level affects the packet delivery priority.
  12. To apply rate control to downlink traffic, in the Bandwidth Controller setting, select the name of a bandwidth control policy.
    You can assign any previously created static or dynamic bandwidth control policies. However, F5 does not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create to enforce dynamic QoS settings provisioned by the PCRF.
    Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, or any combination of these.
  13. To apply rate control to uplink traffic and per category of application, in the Bandwidth Controller setting, select the name of a bandwidth control policy.
    You can assign any previously created static or dynamic bandwidth control policies. However, we do not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create for communicating with the PCRF.
    Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, per category of applications or any combination of these.
  14. Click Finished.
You have created a rule that manages QoS traffic.

Creating a data plane virtual group

If you want to steer specific traffic (or otherwise regulate certain types of traffic) you must first develop appropriate enforcement policies. If using a Gx interface to a PCRF, you need to create a new virtual group in listeners that connect to a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement. Creating a listener performs preliminary setup on the BIG-IP system for application visibility, intelligent steering, bandwidth management, and reporting.
  1. On the Main tab, click Policy Enforcement > Data Plane Listeners.
    The Data Plane Listeners screen opens.
  2. Click Add Group.
    The New Virtual Group screen opens.
  3. In the Name field, type a unique name for the listener.
  4. In the Destination Address field, type the IP address of the virtual server. For example, 10.0.0.1 or 10.0.0.0/24.
    When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix.
    You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is delivered to the BIG-IP system. Configure the source and destination setting during forwarding mode only. In the relay mode, the client does not have an IP address and DHCP provides the client with an IP address.
    The system will create a virtual server using the address or network you specify.
  5. For the Service Port setting, type or select the service port for the virtual server.
  6. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  7. For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor from the Available list to the Selected list.
  8. In the Policy Provisioning area, select enforcement policies to apply to the traffic.
    1. For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence.
      For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
    2. For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
    The system applies the global policy to all subscribers in parallel with the subscriber policies, and must be configured with an unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence policies are overridden by conflicting subscriber policies.
  9. Click Finished.
    The Policy Enforcement Manager creates a listener.
When you create a listener, Policy Enforcement Manager also creates virtual servers for each type of traffic (TCP, UDP, or both and IP), and a virtual server for HTTP traffic. The system sets up classification and assigns the appropriate policy enforcement profile to the virtual servers. If you are connecting to a RADIUS authentication server, a virtual server for RADIUS is also added.
Now you can send traffic through the network. As network traffic moves through the BIG-IP system, the system classifies the traffic, and if you have developed policies, the system performs the actions specified by the enforcement policy rules.
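The precedence behavior described for rules within one policy, and for global versus subscriber policies on a listener, can be checked offline with a simplified Python model. This is an added example, not F5 code or PEM's implementation; the Rule class, the setting names, and the sample rules are constructed, and keeping list order for rules with equal precedence is an assumption.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    precedence: int    # 1 is the highest precedence
    apps: frozenset    # classification criteria, reduced here to application names
    actions: tuple     # (setting, value) pairs, e.g. ("gate", "disabled")

def resolve_policy(rules, app):
    """Return (effective actions, shadowed entries) for one flow in one policy."""
    effective, winner, shadowed = {}, {}, []
    # Assumption: rules with equal precedence keep their list order.
    for rule in sorted(rules, key=lambda r: r.precedence):
        if app not in rule.apps:
            continue
        for setting, value in rule.actions:
            if setting not in effective:
                # Not set by a higher-precedence rule: applied in parallel.
                effective[setting], winner[setting] = value, rule.name
            elif effective[setting] != value:
                # Same setting, different value: conflict, higher precedence wins.
                shadowed.append((rule.name, setting, winner[setting]))
    return effective, shadowed

def resolve_listener(global_high, subscriber, global_low, app):
    """Layer a listener's global policies around the subscriber policy."""
    effective = {}
    # High-precedence global overrides subscriber; subscriber overrides low.
    for layer in (global_high, subscriber, global_low):
        for setting, value in resolve_policy(layer, app)[0].items():
            effective.setdefault(setting, value)
    return effective

# Constructed rules mirroring the precedence 10 / precedence 11 example.
SEARCH = frozenset({"search-engine"})
POLICY = [
    Rule("rule2", 11, SEARCH, (("gate", "enabled"), ("dscp", 10))),
    Rule("rule1", 10, SEARCH, (("gate", "disabled"),)),
]
GLOBAL_LOW = [Rule("g-low", 1, SEARCH, (("gate", "enabled"), ("l2", 3)))]

if __name__ == "__main__":
    print(resolve_policy(POLICY, "search-engine"))
    print(resolve_listener([], POLICY, GLOBAL_LOW, "search-engine"))
```

The shadowed list is the part worth reviewing before deployment: it names each rule whose Gate Status or marking value never takes effect for that traffic because a higher-precedence rule sets the same setting differently.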

Configuring TCP optimization as a PEM policy action

Before you start this task, you need to create a PEM Policy to which TCP optimization can be applied.
On the BIG-IP system, you can apply TCP Optimization as a PEM policy action, which then can be applied to subscriber traffic. TCP optimization supports many optimization parameters that can be tailored to a specific network type.
  1. On the Main tab, click Local Traffic > Profiles > Protocol > TCP.
    The TCP profile list screen opens.
  2. Click Create.
    The New TCP Profile screen opens, inheriting values from the system-supplied TCP profile.
  3. For Name, type a name for the profile.
  4. To make the fields editable, select the Custom check box at the right of each area.
    There are five parameters that need to be configured when creating a TCP profile for a PEM policy. The first four are in the Memory Management area; the last one is in the Congestion Control area of the screen.
    Proxy Buffer High
      Specifies the highest level at which the receive window is closed. The default value is 49152.
    Proxy Buffer Low
      Specifies the proxy buffer level, in bytes, at which the receive window is opened. The default is 32768.
    Receive Window
      Specifies the maximum advertised RECEIVE window size. The default is 65535 bytes.
    Send Buffer
      Specifies the SEND window size. The default is 65535 bytes.
    Congestion Control
      Specifies the algorithm to use to share network resources among competing users to reduce congestion.
  5. Click Finished.
  6. On the Main tab, click Policy Enforcement > Policies.
    The Policies screen opens.
  7. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  8. In the Policy Rules area, click Add.
    The New Rule screen opens.
  9. In the Name field, type a name for the rule.
  10. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    TCL filter creation action should have high precedence.
  11. For the TCP Optimization setting, in the Profile area, select a previously configured TCP profile. Select Downlink to apply the profile to downlink traffic that matches this rule, and Uplink to apply it to uplink traffic that matches this rule.
You have now configured TCP optimization for a PEM policy.

Enabling TCP Analytics

In Policy Enforcement Manager, you can conditionally enable TCP analytics for flows.
  1. On the Main tab, click Local Traffic > Profiles > Analytics > TCP Analytics.
    The TCP Analytics screen opens.
  2. Click Create.
    The New TCP Analytics Profile screen opens.
  3. In the Profile Name field, type a name for the TCP profile.
  4. In the Statistics Collection setting, ensure that the Client side and Server side check boxes are cleared.
    Both check boxes should remain cleared when you are creating a new TCP Analytics profile, or if they are enabled on an existing profile.
  5. From the Statistics Gathering Configuration area, select all the check boxes for Collected Entities.
  6. Click Finished.
    The system configures a new TCP Analytics profile.
  7. On the Main tab, click Local Traffic > Virtual Servers.
    The Virtual Server List screen opens.
  8. Click Create.
    The New Virtual Server screen opens.
  9. In the Name field, type a name for the virtual server.
  10. In the Destination Address/Mask field, type the destination IP address to which the virtual server sends traffic.
  11. In the Service Port field, type a service port or select a type from the list.
  12. From the Configuration setting, select Advanced, and then scroll down to the TCP Analytics Profile setting and select the TCP analytics profile that you created.
  13. In the Policy Enforcement Profile setting, select spm.
  14. Click Finished.
    The PEM profile is now attached to the virtual server.
  15. On the Main tab, click Policy Enforcement > Policies.
  16. Click Create.
    The New Policy screen opens.
  17. In the Name field, type a name for the policy.
  18. Click Finished.
  19. On the policies list screen, click the name of the policy you created.
  20. In the Policy Rules area, click Add.
    The New Rule screen opens.
  21. In the Name field, type a name for the rule.
  22. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    TCL filter creation action should have high precedence.
  23. In the Reporting area, from the TCP Analytics list, select Enabled.
  24. Click Finished.
You have enabled TCP Analytics for a selected PEM policy.