Manual Chapter: Configuring Intelligent Traffic Steering
Applies To:
BIG-IP LTM
- 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP PEM
- 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Overview: Configuring intelligent traffic steering
You can use the Policy Enforcement Manager™ to set up the BIG-IP system to classify and intelligently steer traffic on the network. The system
automatically sets up virtual servers for TCP and UDP traffic so that the BIG-IP system can
classify the traffic and direct it to one or more steering endpoints based on traffic
characteristics.
Common Address Redundancy Protocol (CARP) persistence is supported with PEM forwarding
endpoints, for use with the service chaining action, when forwarding traffic to a pool.
What is traffic steering?
Policy Enforcement Manager™ provides the ability to intelligently steer traffic based on policy decisions made using classification criteria, URL category, flow information, or custom criteria (iRule events). Steering, also called traffic forwarding, can help you police, control and optimize traffic. You can forward a particular type of traffic to a pool of one or more servers designed to handle that type of traffic, or to a location closer to clients requesting a service. For example, you can send HTTP video traffic to a pool of video delivery optimization servers. You can have one policy option to classify each transaction, which allows transaction-aware steering. The ability to classify traffic for every transaction is called transactional policy enforcement. The classification per transaction is for HTTP traffic only.
You set up steering by creating an enforcement policy that defines the traffic that you want to send to a particular location or endpoint. Rules in the enforcement policy specify conditions that the traffic must match, and actions for what to do with that traffic. One of the actions you can take is to forward the traffic to a particular endpoint, called a forwarding endpoint.
You can create listeners to set up virtual servers and associate the enforcement policies with the traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies the enforcement policy that the system uses, among other uses, for traffic steering.
Create a pool
You can create a pool of servers that you can
group together to receive and process traffic.
- On the Main tab, click. The Pools list screen opens.
- Click Create. The New Pool screen opens.
- In the Name field, type a name for the pool. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. The pool name is limited to 63 characters.
- Using the New Members setting, add each resource that you want to include in the pool:
  - In the Node Name field, type a name for the node portion of the pool member.
  - In the Address field, type an IP address.
  - In the Service Port field, type a port number, or select a service name from the list.
  - In the Priority field, type a priority number.
  - Click Add.
- Click Finished.
- Repeat these steps for each pool you want to create.
Creating forwarding endpoints
Before you can create an endpoint, you need to create a pool that specifies where
you want to direct the classified traffic.
To set up traffic steering, you need to create a forwarding endpoint, which
specifies where to send the traffic. If you are configuring w-steering or service
chains, you need to create multiple endpoints.
- On the Main tab, click. The Endpoints screen opens.
- Click Create. The New Endpoint screen opens.
- In the Name field, type a name for the endpoint.
- From the Pool list, select the pool to which you want to steer a particular type of traffic, for example, in a policy rule.
- If you want to translate the destination address of the virtual server to that of the pool, from the Address Translation list, select Enabled. Otherwise, leave this setting disabled.
- If you want to translate the original destination port to another port, from the Port Translation list, select Enabled. Otherwise, leave this setting disabled.
- From the Source Port list, select the appropriate option for the source port of the connection.
  - Preserve: Maintains the value configured for the source port, unless the source port from a particular SNAT is already in use.
  - Preserve Strict: Maintains the value configured for the source port. If the port is in use, the system does not process the connection. Use this setting only when (1) the port is configured for UDP traffic; (2) the system is configured for nPath routing or running in transparent mode; or (3) a one-to-one relationship exists between virtual IP addresses and node addresses, or clustered multi-processing (CMP) is disabled.
  - Change: Specifies that the system changes the source port.
- To specify a SNAT pool for address translation, from the SNAT Pool list, select the name of an existing SNAT pool. The steering endpoint uses the SNAT pool to implement selective and intelligent SNATs.
- If you have multiple pool members and want specific traffic to go to the same pool member every time, from the Persistence list, select the appropriate IP address type:
  - Hash Settings: Map the hash value to a specific pool member so that other traffic, with the same hash value, is directed to the same pool member.
  - Source Address: Map the source IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
  - Destination Address: Map the destination IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
  If you do not need to maintain persistence, leave Persistence set to Disabled, the default value.
- If you select Hash Settings, configure the following fields:
  - To specify an algorithm for the hash persistence method, from the Hash Persistence Algorithm list, select the name of an algorithm. The CARP algorithm is the only option available currently.
  - In the Hash Persistence Offset field, type the offset from the start of the source string to calculate the hash value. The default value is 0.
  - In the Hash Persistence Length field, type the length of the source string used to calculate the hash value. The default value is 1024.
  - From the Hash source list, select the appropriate method to get the hash value.
    - URI: Specify the string value to calculate hash value.
    - Execute Script: Specify the script for TCL script snippet. You can select the Wrap Area Text check box to wrap the definition text, and select the Extend Area check box to increase the field space of format scripts. The results from this script are used to calculate the hash value.
    The URI option is for HTTP traffic only.
- If you want to apply a fallback persistence method that is applied when default persistence fails, from the Fallback Persistence list, select the appropriate IP address type:
  - Disabled: Disables fallback persistence. The default value is Disabled.
  - Source Address: Map the source IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
  - Destination Address: Map the destination IP address to a specific pool member so that subsequent traffic from this address is directed to the same pool member.
- Click Finished.
You can direct traffic to the endpoint you created in the policy rules of an
enforcement policy.
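The following added example (not F5 code, and not part of the original manual) models how the Hash Settings fields interact: the offset and length select a slice of the URI, and a CARP-style highest-score selection maps that slice to a pool member, so that a flow keeps reaching the same inspection or value-added node in a service chain. SHA-256 stands in for the hash function, which the page does not specify, and the pool members and URIs are constructed sample values.

```python
"""Added illustration: CARP-style hash persistence for a forwarding endpoint."""
import hashlib


def hash_source(uri: str, offset: int = 0, length: int = 1024) -> bytes:
    """Return the slice of the source string that feeds the hash.

    offset and length mirror the Hash Persistence Offset and Hash
    Persistence Length fields (page defaults: 0 and 1024).
    """
    if offset < 0 or length < 1:
        raise ValueError("offset must be >= 0 and length >= 1")
    return uri.encode("utf-8")[offset:offset + length]


def _score(member: str, key: bytes) -> int:
    # Assumption: SHA-256 is a stand-in; the page does not name BIG-IP's hash.
    digest = hashlib.sha256(member.encode("utf-8") + b"\x00" + key).digest()
    return int.from_bytes(digest[:8], "big")


def pick_member(members, uri, offset=0, length=1024):
    """CARP-style selection: score each member against the key, keep the highest."""
    if not members:
        raise ValueError("pool has no members")
    key = hash_source(uri, offset, length)
    return max(members, key=lambda m: _score(m, key))


def remapped_after_removal(members, removed, uris, offset=0, length=1024):
    """Return {uri: (old_member, new_member)} for URIs whose pool member
    changes when `removed` leaves the pool."""
    remaining = [m for m in members if m != removed]
    moved = {}
    for uri in uris:
        old = pick_member(members, uri, offset, length)
        new = pick_member(remaining, uri, offset, length)
        if old != new:
            moved[uri] = (old, new)
    return moved


# Constructed sample data: hypothetical pool members and request URIs.
POOL = ["10.10.1.11:3128", "10.10.1.12:3128", "10.10.1.13:3128", "10.10.1.14:3128"]
URIS = [f"/video/segment-{n:04d}.ts?session={n * 7919}" for n in range(200)]

if __name__ == "__main__":
    moved = remapped_after_removal(POOL, POOL[2], URIS)
    print(f"{len(moved)} of {len(URIS)} URIs moved after removing {POOL[2]}")
    # With a short length, URIs that differ only after the slice share a member.
    for uri in ("/video/abc?x=1", "/video/abc?x=2"):
        print(uri, "->", pick_member(POOL, uri, length=10))
```

Only URIs that were mapped to the removed member change destination; every other URI stays where it was. A small Hash Persistence Length makes many distinct URIs share one key, which concentrates load on fewer members.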
Creating an enforcement policy
If you want to classify and intelligently steer traffic, you need to create an
enforcement policy. The policy describes what to do with specific traffic, and how to
treat the traffic.
- On the Main tab, click. The Policies screen opens.
- Click Create. The New Policy screen opens.
- In the Name field, type a name for the policy. When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the word global or unknown in the policy name to distinguish these from other subscriber policies.
- From the Transactional list, select Enabled if you want the BIG-IP system to allow policy enforcement on each HTTP transaction.
- Click Finished. The system performance is significantly affected, depending on the complexity of the classification and the type of policy action. The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and
actions.
Creating custom action policies
In an enforcement policy, a custom action can be defined by a Policy Enforcement Manager (PEM) iRule. The PEM TCL filter supports multiple-line TCL scripts and variables (global and iRule commands).
- On the Main tab, click.
- Click Create. The New iRule screen opens.
- In the Name field, type a name for the new iRule.
- In the Description field, type a description of the new iRule.
- In the iRule Expression field, specify the TCL syntax that defines a custom iRule action, which can be later attached to a policy enforcement rule.

      when PEM_POLICY {
          if {[PEM::policy initial]} {
              # Commands to run during the first time the policy is evaluated.
          } else {
              # Commands to run during policy re-evaluation.
          }
          # Commands to run during policy eval and re-eval time.
      }

  There can be two iRule events:
  - PEM_POLICY is triggered when a policy evaluation occurs.
  - RULE_INIT runs the first time the iRule is loaded or has changed.
  PEM::policy initial and PEM::policy name. You can select the Wrap Text check box to wrap the definition text, and select the Extend Text Area check box to increase the field space of format scripts.
- Click Finished. The Policy Enforcement Manager creates a new iRule, and displays the iRule list.
- To attach a custom action to a specific iRule, follow these steps:
  - Click.
  - Select a policy name.
  - Click a policy rule.
  - From the Custom Action list, select an iRule created.
  - Click Update.
You have now created a custom action in a policy, using iRules.
The iRule actions are performed at the end of all the other policy actions.
Adding rules to an enforcement policy
Before you can add rules to an enforcement policy, you need to create the policy, then
reopen it.
You add rules to an enforcement policy to select the traffic you want to affect, and the actions to take. A rule associates an action with a specific type of traffic. So you can, for example, add a rule to select all audio-video traffic and send it to a pool of servers that are optimized to handle that type of traffic.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting and hence are applied in parallel.
- Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
- From the Modify Header list, select Enabled to modify the HTTP request header. More modify header configuration options display.
- Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
- From the Congestion Detection list, select Enable to enable congestion detection in the Radio Access Network.
  - In the Threshold field, type the lower threshold bandwidth for a session. The default value is 1000 kbs.
  - For the Destination list, select the publisher name from the HSL publisher drop-down list.
  The state of congestion detection is now controlled by policy application, and different subsets of subscribers can have different settings. This enables congestion detection for specific types of applications as it pairs with specific policy rule conditions.
- Click Finished.
- Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you
added.
Now you need to associate the enforcement policy
with the virtual server (or servers) to which traffic is directed.
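The precedence behavior described in the rule procedure can be checked before a policy is deployed. The following added example (not F5 code, and not part of the original manual) models rules by Category and Application only, reports overlapping rules whose actions differ, and computes which rule supplies each action for a given class of traffic. The rule names, category names and action keys are hypothetical, and the handling of two rules with equal precedence is flagged as undecided because the page does not describe it.

```python
"""Added illustration: lint a PEM enforcement policy for precedence conflicts."""
from dataclasses import dataclass, field

ANY = "Any"


@dataclass
class Rule:
    name: str
    precedence: int              # 1 is the highest precedence
    category: str = ANY          # Classification tab: Category
    application: str = ANY       # Classification tab: Application
    actions: dict = field(default_factory=dict)

    def matches(self, category: str, application: str) -> bool:
        return (self.category in (ANY, category)
                and self.application in (ANY, application))


def overlaps(a: Rule, b: Rule) -> bool:
    """True when some traffic can match both rules (identical or overlapping criteria)."""
    same_cat = ANY in (a.category, b.category) or a.category == b.category
    same_app = ANY in (a.application, b.application) or a.application == b.application
    return same_cat and same_app


def find_conflicts(rules):
    """Return (first, second, action, decided) for overlapping rules that set
    different values for the same action. `first` wins when decided is True;
    decided is False when both rules share a precedence, a case the page
    does not describe."""
    ordered = sorted(rules, key=lambda r: r.precedence)
    found = []
    for i, first in enumerate(ordered):
        for second in ordered[i + 1:]:
            if not overlaps(first, second):
                continue
            for action in sorted(first.actions.keys() & second.actions.keys()):
                if first.actions[action] != second.actions[action]:
                    found.append((first.name, second.name, action,
                                  first.precedence != second.precedence))
    return found


def effective_actions(rules, category, application):
    """Per action, keep the value from the highest-precedence matching rule.
    Actions set by only one matching rule apply in parallel. Ties fall back
    to list order in this model only."""
    result = {}
    for rule in sorted(rules, key=lambda r: r.precedence):
        if rule.matches(category, application):
            for action, value in rule.actions.items():
                result.setdefault(action, (value, rule.name))
    return result


# Constructed policy modelled on the page's example; all names are hypothetical.
POLICY = [
    Rule("allow_all", 11, actions={"gate_status": "enabled", "dscp_downlink": 10}),
    Rule("block_search", 10, category="Search_Engine",
         actions={"gate_status": "disabled"}),
    Rule("steer_video", 20, category="Audio_Video",
         actions={"forwarding": "video_endpoint"}),
]

if __name__ == "__main__":
    for first, second, action, decided in find_conflicts(POLICY):
        outcome = f"{first} wins" if decided else "equal precedence, review manually"
        print(f"conflict on {action}: {first} vs {second} ({outcome})")
    print(effective_actions(POLICY, "Search_Engine", "example_search"))
    print(effective_actions(POLICY, "Audio_Video", "example_video"))
```

Swapping the two precedence values in the sample policy makes the Gate Status enabled rule win for search engine traffic, which is the kind of silent change this check is meant to surface in review.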
Creating a rule using classification criteria
You can use Layer 7 classification criteria to define conditions that the traffic must meet
(or not meet) for an enforcement policy rule to apply.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting and hence are applied in parallel.
- On the Classification tab, in the Classification setting, specify Layer 7 matching criteria for the rule:
  - From the Match Criteria list, select whether you want to perform actions on traffic that matches (select Match), or does not match (select No Match) the criteria specified.
  - From the Category list, select the type of traffic this rule applies to, or select Any for all traffic.
  - Some categories have specific applications associated with them. If this one does, from the Application list select the application this rule applies to, or select Any for all traffic in this category.
  - Click Add to add this match criteria to the classification. Add as many matching criteria as are relevant to this rule.
- Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
- Click Finished.
You have created a rule that applies to traffic based on classification criteria.
Creating a rule using URL categorization
You have the ability to enforce policies that are configured as part of the
subscriber profile, based on the URL category type. Use Layer 7 criteria to define
conditions that the traffic must meet (or not meet) for an enforcement policy rule to
apply.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting and hence are applied in parallel.
- On the URL tab, in the URL setting, specify Layer 7 matching criteria for the rule:
  - From the Match Criteria list, select whether you want to perform actions on traffic that matches (select Match), or does not match (select No Match) the criteria specified.
  - From the URL Category list, select the type of traffic this rule applies to.
  - Click Add to add this match criteria to the classification. Add as many matching criteria as are relevant to this rule.
- Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
- Click Finished.
You have created a rule that applies to traffic based on URL Category.
Modifying iRule event for URL categories
On the BIG-IP system, you can modify iRules Event settings for URL categories.
- On the Main tab, click.
- Select a URL category. The URL Properties screen opens.
- In the Name field, type a unique name for the URL category policy.
- In the Description field, type optional descriptive text for the classification presets.
- In the Category ID field, type an identifier for this category, a unique number.
- For the Application List setting, move applications that you want to associate with this category from the Unknown list to the Selected list. If the applications are not listed yet, you can associate the applications with the category when you create them.
- Click Finished.
- On the Main tab, click. The Classification screen opens.
- Select a classification profile or create one.
- From the URL Categorization field, select Enabled from the drop-down list.
- In the iRule Event field, select the appropriate setting.
  - To trigger an iRule event for this category of traffic, select Enabled. You can then create an iRule that performs an action on this type of traffic.
  - If you do not need to trigger an iRule event for this category of traffic, select Disabled.
  CLASSIFICATION::DETECTED is the only event that is supported.
You have modified an iRule event setting for an existing URL category.
Creating a rule using flow conditions
You can use flow information to define conditions that the traffic must meet
(or not meet) for an enforcement policy rule to apply.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting and hence are applied in parallel.
- On the Flow tab, in the Flow setting, specify Layer 4 conditions that the traffic must meet (or not meet) for this rule to apply.
  - Match: Select whether you want to perform actions on traffic that matches (select Match) or does not match (select No Match) the criteria specified.
  - DSCP Marking: To match incoming traffic based on a DSCP value, type an integer from 0 to 63.
  - Protocol: To specify the applicable traffic by protocol, select UDP, TCP, or leave the default value of Any.
  - IP Type: To specify the IP address type that this rule applies to, select IPv4, IPv6, or leave the default value of Any.
  - Source Address/Mask: To match incoming traffic based on the address or network it is coming from, type the source IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/32.
  - Source Port: To match incoming traffic based on the port it is coming from, type the port number you want the rule to affect. The default value (empty) matches traffic from all ports.
  - Source VLAN: To match incoming traffic based on the VLAN, select a previously configured VLAN.
  - Destination Address/Mask: To match traffic based on the address or network it is directed to, type the source IP address/netmask of the network you want the rule to affect. The default value is 0.0.0.0/32.
  - Destination Port: To match incoming traffic based on the port it is directed to, type the port number you want the rule to affect. The default value (empty) matches traffic headed to all ports.
- Click Add to add this match criteria to the classification. F5 recommends that you keep the matching criteria in a rule simple, adding more rules to specify additional conditions rather than including too many in one rule.
- Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
- Click Finished.
You have created a rule that classifies traffic.
Creating a rule for forwarding traffic
You can create a rule that forwards traffic to an endpoint. For example, you might
want to direct video traffic to a server that is optimized for video viewing.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting and hence are applied in parallel.
- Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
- In the Gate area, for Gate Status, select Enabled. Options provide several ways to forward the traffic.
- In the Forwarding area, for HTTP Redirect, select Enabled, and type the URL.
- From the Forwarding list, select an option where you would like to forward the traffic.
  - Route to Network: The traffic flow is forwarded to the default destination.
  - Forwarding to Endpoint: The flow is steered to a different destination and you can select one of the endpoints.
  - Forward to ICAP virtual Server: The flow is forwarded to the ICAP virtual server.
- From the Forwarding Fallback Action list, select Drop or Continue to specify if the connection can remain unchanged or should be dropped if the forwarding action fails.
- From the ICAP Virtual Server list, select an internal virtual server that you have created, or click Create to create a new internal virtual server.
- From the ICAP Type list, select an ICAP adaptation type.
  - Select Request to send a portion of the request to the ICAP server.
  - Select Response to receive a portion of the response from the ICAP server.
  - Select Request and Response to have both types of adaptation.
- From the Service Chain list, select Create to direct traffic to more than one location (such as value-added services).
- Click Finished.
You have created a rule that forwards traffic.
Creating a rule for QoS
Before you can create a rule for Quality of Service (QoS), you need to create a
bandwidth controller to use rate control.
You can create a rule that results in a QoS action such as DSCP marking, link QoS,
or rate limiting.
In the mobile market, uplink and downlink are sometimes known as forward and reverse, respectively.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting and hence are applied in parallel.
- Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
- For Gate Status, select Enabled. If you select Disabled, then the corresponding traffic will be dropped. Forwarding and QoS options are displayed.
- To set DSCP bits on the downlink traffic, for IP Marking (DSCP), select Specify, and type a value between 0 and 63, inclusive. The traffic that matches this rule is marked with this value.
- To set DSCP bits on the uplink traffic, for IP Marking (DSCP), select Specify, and type a value between 0 and 63, inclusive. The traffic that matches this rule is marked with this value.
- To set a Layer 2 Quality of Service (QoS) level in downlink packets, for L2 Marking (802.1p), select Specify, and type a value between 0 and 7, inclusive. Setting a QoS level affects the packet delivery priority.
- To set a Layer 2 Quality of Service (QoS) level in uplink packets, for L2 Marking (802.1p), select Specify, and type a value between 0 and 7, inclusive. Setting a QoS level affects the packet delivery priority.
- To apply rate control to downlink traffic, in the Bandwidth Controller setting, select the name of a bandwidth control policy. You can assign any previously created static or dynamic bandwidth control policies. However, F5 does not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create to enforce dynamic QoS settings provisioned by the PCRF. Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, or any combination of these.
- To apply rate control to uplink traffic and per category of application, in the Bandwidth Controller setting, select the name of a bandwidth control policy. You can assign any previously created static or dynamic bandwidth control policies. However, we do not recommend using the default-bwc-policy, which the system provides, nor the dynamic_spm_bwc_policy, which you can create for communicating with the PCRF. Depending on the bandwidth control policy, PEM restricts bandwidth usage per subscriber, group of subscribers, per application, per network egress link, per category of applications or any combination of these.
- Click Finished.
You have created a rule that manages QoS traffic.
Creating a data plane virtual group
If you want to steer specific traffic (or otherwise regulate certain types of
traffic) you must first develop appropriate enforcement policies. If using a Gx
interface to a PCRF, you need to create a new virtual group in listeners that connect to
a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement.
Creating a listener performs preliminary setup on the BIG-IP
system for application visibility, intelligent steering, bandwidth management, and
reporting.
- On the Main tab, click. The Data Plane Listeners screen opens.
- Click Add Group. The New Virtual Group screen opens.
- In the Name field, type a unique name for the listener.
- In the Destination Address field, type the IP address of the virtual server. For example, 10.0.0.1 or 10.0.0.0/24. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is delivered to the BIG-IP system. Configure the source and destination setting during forwarding mode only. In the relay mode, the client does not have an IP address and the DHCP provides the client with an IP address. The system will create a virtual server using the address or network you specify.
- For the Service Port setting, type or select the service port for the virtual server.
- From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
- For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor from the Available list to the Selected list.
- In the Policy Provisioning area, select enforcement policies to apply to the traffic.
  - For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence. For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
  - For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
  The system applies the global policy to all subscribers in parallel with the subscriber policies, and must be configured with unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence policies are overridden by conflicting subscriber policies.
- Click Finished. The Policy Enforcement Manager creates a listener.
When you create a listener, Policy Enforcement Manager also
creates virtual servers for each type of traffic (TCP, UDP, or both and IP), and a
virtual server for HTTP traffic. The system sets up classification and assigns the
appropriate policy enforcement profile to the virtual servers. If you are connecting to
a RADIUS authentication server, a virtual server for RADIUS is also added.
Now you can send traffic through the network. As network traffic moves through the
BIG-IP system, the system classifies the traffic, and if you
have developed policies, the system performs the actions specified by the enforcement
policy rules.
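The destination-address rules in the listener steps above (a bare IPv4 address gets a /32 prefix, and 0.0.0.0 acts as a catch-all) can be checked before listeners are created, to see how much traffic each one will capture. This is an added example, not F5 code: the listener names and the PLANNED sample are constructed, and modeling the catch-all as 0.0.0.0/0 is an assumption.

```python
import ipaddress

# Constructed sample: planned listener destinations (not from the original page).
PLANNED = {
    "web_listener": "10.0.0.1",
    "lab_listener": "10.0.0.0/24",
    "default_listener": "0.0.0.0",
}

CATCH_ALL = ipaddress.ip_network("0.0.0.0/0")


def normalize(destination):
    """Return the IPv4 network a listener destination covers.

    A bare address gets a /32 prefix, as the page states. A bare 0.0.0.0 is
    treated as the catch-all (assumption: modeled here as 0.0.0.0/0).
    """
    text = destination.strip()
    if text == "0.0.0.0":
        return CATCH_ALL
    if "/" not in text:
        text += "/32"
    # strict=True rejects host bits set under the prefix, e.g. 10.0.0.1/24,
    # which usually signals a typo in the intended network.
    return ipaddress.IPv4Network(text, strict=True)


def review(planned):
    """Return (scopes, catch_alls, overlaps) for a dict of name -> destination."""
    scopes = {name: normalize(dest) for name, dest in planned.items()}
    catch_alls = sorted(n for n, net in scopes.items() if net == CATCH_ALL)
    names = sorted(scopes)
    overlaps = []
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if CATCH_ALL in (scopes[a], scopes[b]):
                continue  # catch-all overlaps everything; reported separately
            if scopes[a].overlaps(scopes[b]):
                overlaps.append((a, b))
    return scopes, catch_alls, overlaps


if __name__ == "__main__":
    scopes, catch_alls, overlaps = review(PLANNED)
    for name, net in scopes.items():
        print(f"{name}: {net} ({net.num_addresses} addresses)")
    print("catch-all listeners:", catch_alls)
    print("overlapping listeners:", overlaps)
```

Overlapping or catch-all listeners are not errors in themselves; the output is a list of places where more than one listener's enforcement policies could apply to the same destination.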
Configuring TCP optimization as a PEM policy action
Before you start this task, you need to create a PEM Policy to which TCP optimization
can be applied.
On the BIG-IP system, you can apply TCP
Optimization as a PEM policy action, which then can be applied to subscriber traffic.
TCP optimization supports many optimization parameters, which can be tailored to a
specific network type.
- On the Main tab, click. The TCP profile list screen opens.
- Click Create. The New TCP Profile screen opens, inheriting values from the system-supplied TCP profile.
- For Name, type a name for the profile.
- To make the fields editable, select the Custom check box at the right of each area. There are five parameters that need to be configured when creating a TCP profile for a PEM policy. The first four are in the Memory Management area; the last one is in the Congestion Control area of the screen.
  - Proxy Buffer High: Specifies the highest level at which the receive window is closed. The default value is 49152.
  - Proxy Buffer Low: Specifies the proxy buffer level, in bytes, at which the receive window is opened. The default is 32768.
  - Receive Window: Specifies the maximum advertised RECEIVE window size. The default is 65535 bytes.
  - Send Buffer: Specifies the SEND window size. The default is 65535 bytes.
  - Congestion Control: Specifies the algorithm to use to share network resources among competing users to reduce congestion.
- Click Finished.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence of the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. TCL filter creation action should have high precedence.
- From the TCP Optimization setting, in the Profile area, select a previously configured TCP profile. Select Downlink to apply to traffic that matches this rule on downlink traffic and Uplink to apply to traffic that matches this rule on uplink traffic.
You have now configured TCP optimization for a PEM policy.
Enabling TCP Analytics
In Policy
Enforcement Manager, you can conditionally enable TCP analytics for
flows.
- On the Main tab, click. The TCP Analytics screen opens.
- Click Create. The New TCP Analytics Profile screen opens.
- In the Profile Name field, type a name for the TCP profile.
- In the Statistics Collection setting, ensure that the Client side and Server side check boxes are cleared. Both check boxes should remain cleared when you are creating a new TCP Analytics profile, or if they are enabled on an existing profile.
- From the Statistics Gathering Configuration area, select all the check boxes for Collected Entities.
- Click Finished. The system configures a new TCP Analytics profile.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a name for the virtual server.
- In the Destination Address/Mask field, type the destination IP address to which the virtual server sends traffic.
- In the Service Port field, type a service port or select a type from the list.
- From the Configuration setting, select Advanced, and then scroll down to the TCP Analytics Profile setting and select the TCP analytics profile that you created.
- In the Policy Enforcement Profile setting, select spm.
- Click Finished. The PEM profile is now attached to the virtual server.
- On the Main tab, click
- Click Create. The New Policy screen opens.
- In the Name field, type a name for the policy.
- Click Finished.
- On the policies list screen, click the name of the policy you created.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence of the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. TCL filter creation action should have high precedence.
- In the Reporting area, from the TCP Analytics list, select Enabled.
- Click Finished.
You have enabled TCP Analytics for a
selected PEM policy.