Manual Chapter :
Configuring Service Chains
Applies To:
Show VersionsBIG-IP LTM
- 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
BIG-IP PEM
- 16.0.1, 16.0.0, 15.1.8, 15.1.7, 15.1.6, 15.1.5, 15.1.4, 15.1.3, 15.1.2, 15.1.1, 15.1.0, 15.0.1, 15.0.0
Configuring Service Chains
Overview: Configuring service chains
You can use the Policy Enforcement Manager™ to create service chains to
route traffic to one or more value-added services on the way to its final destination. The
service chains
define the path and order that you want traffic to take. There are
several value-added services involved and after each endpoint the traffic comes back to the
BIG-IP system. An endpoint
specifies each place you want to send the traffic, so the
service chain is essentially between the value-added services endpoints for traffic to stop at on
its way to the server it is headed to. For example, you can forward traffic sequentially for
virus scanning, parental control, and caching. You set up service chains by creating an enforcement policy that defines the traffic that you
want to route to the service chain. Rules in the enforcement policy specify conditions that the
traffic must match, and actions for what to do with that traffic. One of the actions you can take
is to send the traffic to a service chain.
While a static service chain defines fixed value-added services, a dynamic service chain
provides service chain action that can dynamically change depending on the flow of parameters and
you can attach a steering policy that can override the decision of the next session. You can use
dynamic service chain to insert or name header and steer different service. Internet Content
Adaptation Protocol (ICAP) is one of the services possible to use in a service chain. Dynamic
service chain makes the service chain intelligent and flexible by providing the following
support:
- Ability to add or skip different value-added services endpoints by selecting policy based forwarding endpoint.
- Perform header insertion or removal per value-added service chain, depending on the policy.
- Includes one sideband value-added service in the service chain using ICAP as the protocol.
You can create listeners to set up virtual servers and associate enforcement policies with the
traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies
the enforcement policy that the system uses for the service chain.
Task Summary
About services profiles
You can configure the Internet Content Adaptation Protocol (ICAP) profile, request adaptation
profile, and response adaptation profile for using the dynamic service chain feature in Policy Enforcement Manager™.
The internal virtual server references the pool of content adaptation servers. The internal
virtual server also references an ICAP profile, which includes specific instructions for how the
BIG-IP system should modify each request or response. Once the request and
response adapt profiles have been created, you can attach the profiles to the HTTP virtual
server. The adapt profiles use multiple internal virtual servers for various content types.
The HTTP listener must have adapt profile set. The adapt profiles need to be configured as
disabled and are enabled by PEM based on the policy action applied.
About service chain processing
The service chain endpoints that have steering policy attached, define the service chain. The
dynamic service chain follows these processing strategies:
- The initial subscriber flow start processing of the service chain starts from the first service.
- The steering policy is evaluated before taking in account a default ICAP adaptation or the steering endpoint.
The steering policy changes the service chain in many ways:
- Skips the part of the service chain.
- Skips to different service of the ICAP or steering policy.
- Skip the rest of the service chain and route traffic to the network.
- Applies different services that are not on the chain. The steering policy can apply ICAP and skip the rest of the chain. It can also apply steering, skipping all ICAP on the VLAN. The service chain continues when the flow returns from the service.
Creating a ICAP profile for policy enforcement
You create this ICAP profile when you want to use an ICAP server to wrap an HTTP
request in an ICAP message before the BIG-IP system sends the
request to a pool of web servers. The profile specifies the HTTP request-header
values that the ICAP server uses for the ICAP message.
- On the Main tab, click.
- ClickCreate.
- In theNamefield, type a unique name for the profile.
- ClickFinished.
After you create the ICAP profile, you can assign it to an internal virtual server
so that the HTTP request that the BIG-IP system sends to an ICAP server is wrapped in an
ICAP message, according to the settings you specified in the ICAP profile.
Different services may require different ICAP profiles.
Creating a Request Adapt profile
You create a Request Adapt type of profile when you want a standard HTTP virtual
server to forward HTTP requests to an internal virtual server that references a pool of
ICAP servers. A Request Adapt type of profile instructs the HTTP virtual server to send
an HTTP request to a named internal virtual server for possible request modification.
- On the Main tab, click.
- ClickCreate.
- In theNamefield, type a unique name for the profile.
- For theParent Profilesetting, retain the default value,requestadapt.
- On the right-side of the screen, select theCustomcheck box.
- Disable the setting by clearing theEnabledcheck box.When you clear theEnabledcheck box, Policy Enforcement Manager controls this based on the policy.
- In thePreview Sizefield, type a numeric value.This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP request header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to0disables buffering of the request and should only be done if the adaptation server always returns a modified HTTP request or the original HTTP request.
- For theAllow HTTP 1.0setting, select theEnabledcheck box.
- ClickFinished.
After you perform this task, the BIG-IP system contains a
Request Adapt profile that a standard HTTP virtual server can use to forward an HTTP
request to an internal virtual server for ICAP traffic.
You need to attach a Request Adapt profile to a standard HTTP
virtual server to forward the HTTP requests.
Creating a Response Adapt profile
You create a Response Adapt type of profile when you want a standard HTTP virtual
server to forward HTTP responses to an internal virtual server that references a pool of
ICAP servers. A Response Adapt type of profile instructs the HTTP virtual server to send
an HTTP response to a named internal virtual server for possible response modification.
- On the Main tab, click.
- ClickCreate.
- In theNamefield, type a unique name for the profile.
- For theParent Profilesetting, retain the default value,responseadapt.
- On the right-side of the screen, select theCustomcheck box.
- Disable the setting by clearing theEnabledcheck box.When you clear theEnabledcheck box, Policy Enforcement Manager controls the profile based on the policy.
- In thePreview Sizefield, type a numeric value.This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP response header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to0disables buffering of the response and should only be done if the adaptation server always returns a modified HTTP response or the original HTTP response.
- For theAllow HTTP 1.0setting, check theEnabledcheck box.
After you perform this task, the BIG-IP system contains a
Response Adapt profile that a standard HTTP virtual server can use to forward an HTTP
response to an internal virtual server for ICAP traffic. You need to attach a Response
Adapt profile to a standard HTTP virtual server to forward the HTTP responses.
Creating an internal virtual server for ICAP server
You perform this task to create a standard virtual server that can forward an HTTP
request or response to an internal virtual server. The internal virtual server then
sends the request or response to a pool of ICAP servers before the BIG-IP system sends the request or response to the client or web
server.
- On the Main tab, click.The Virtual Server List screen opens.
- ClickCreate.The New Virtual Server screen opens.
- In theNamefield, type a unique name for the virtual server.
- From theTypelist, selectInternal.
- For theStatesetting, verify that the value is set toEnabled.
- From theConfigurationlist, selectAdvanced.
- From theICAP Profilelist, select the name of the HTTP profile that you created previously.
- From theSource Address Translationlist, selectAuto Map.The BIG-IP system uses all of the self IP addresses as the translation addresses for the pool.
- Optionally, from theOneConnect Profilelist, select a custom OneConnect profile.
- SettingOneConnect Profileto ICAP virtual server, is highly recomended when configuring ICAP virtual.
- From theDefault Poollist, select the pool of ICAP servers that you previously created.
- ClickFinished.
After you create the virtual server, the BIG-IP system can
forward an HTTP request or response to a pool of ICAP servers before sending the request
or response to the client or web server, respectively.
Creating a pool
Ensure that at least one virtual server exists in the configuration before you start to create a load balancing pool.
Create a pool to which the system can load balance global traffic.
- On the Main tab, click.The Pools list screen opens.
- ClickCreate.The New Pool screen opens.
- In the General Properties area, in theNamefield, type a name for the pool.Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character.The pool name is limited to 63 characters.
- From theTypelist, depending on the type of the system (IPv4 or IPv6), select either anAorAAAApool type.
- In the Configuration area, for theHealth Monitorssetting, in theAvailablelist, select a monitor type, and move the monitor to theSelectedlist.Hold the Shift or Ctrl key to select more than one monitor at a time.
- In the Members area, for theMember Listsetting, add virtual servers as members of this load balancing pool.The system evaluates the virtual servers (pool members) in the order in which they are listed. A virtual server can belong to more than one pool.
- Select a virtual server from theVirtual Serverlist.
- ClickAdd.
- ClickFinished.
Creating endpoints for service chains
Before you can create an endpoint, you need to create a pool that specifies where
you want to direct the classified traffic.
If you plan to set up a service chain, you need to create one or more endpoints that specify the locations of the value-added services to which to send the traffic.
- On the Main tab, click.The Endpoints screen opens.
- ClickCreate.The New Endpoint screen opens.
- In theNamefield, type a name for the endpoint.
- From thePoollist, select the pool to which you want to steer a particular type of traffic.
- Use the default values for the other fields.
- ClickFinished.The endpoint you created is on the endpoint list.
You link the endpoints together by creating a service chain.
Creating dynamic service chains
Before you can create a service chain, you need to have created endpoints for every
service that you want the traffic to be directed to. Set up the servers at those
endpoints to handle the traffic and (if conditions are right), return it to the BIG-IP system. You should have attached the HTTP virtual server to
the request adapt profile and response adapt profile. You also need to create VLANs for
every traffic entry point.
To send traffic to multiple endpoints, including value-added services, you create
service chains that define where to send traffic on the way to its final destination.
This way, the system can route traffic to other servers that can handle additional
functions. Additionally, you can attach a steering action policy, such as modify
headers, when you create a service chain which can be later modified at the other end.
If you want to use steering policy, you must define endpoint in
service chain.
- On the Main tab, click.The Service Chains screen opens.
- ClickCreateThe New Service Chains screen opens.
- In theNamefield, type a name for the service chain.
- In theService Chain Listsetting, add the endpoints to the service chain. For each place you want to send the traffic, specify the following information:
- From theService Endpoint Namelist, type the name of the service endpoint where the traffic is going to.
- From theVLANlist, select the name of the VLAN where the traffic is coming from.Your first service chain should have subscriber VLAN in the VLAN field.
- From thePolicylist, select the name of the steering policy.If all the service endpoints do not have a steering policy, the service chain is static.If the policy defining the steering does not match the policy set in the service chain, then the service chain is not processed.
- From theForwarding Endpointlist, select the name of the endpoint to which you send traffic.When you configure a new forwarding endpoint (), setAddress TranslationandPort TranslationasDisabled.You need to always configure a default forwarding endpoint or else the flow will exit the service chain and get skipped. If you are in the final leg, then configure without default.When you use ICAP service, you cannot have a ICAP and a forwarding endpoint on the same service endpoint.
- From theService Optionlist, select the service option in case the service endpoint is not reachable. SelectOptionalif you want to skip the service endpoint. SelectMandatoryif you want all traffic flows dropped.To use dynamic service chain, selectOptional. If service endpoint is not available and set to mandatory, you cannot steer policies.TheService Optionparameter works only if the right endpoint has a monitor set in the pool. For example, set gateway ICMP to the pool. Otherwise, traffic is dropped even ifOptionalis set.
- From theInternal Virtuallist, select the internal ICAP virtual server.You cannot have consecutive ICAP on the same VLAN.
- ClickAdd.
- From theICAP Typelist, select the action you want to implement. Select Request to send only HTTP requests to ICAP server. Select Response to send only HTTP responses to ICAP server. Select Request and Response to have both requests and responses.
- SelectResponseto send only HTTP responses to ICAP server.
- SelectRequest and Responseto have both requests and responses.
Select theInternal Virtualto configure theICAP Typesetting. - ClickFinished.If steering action is applied after the ICAP request, service endpoint with forwarding endpoint should have the same VLAN configured as the service endpoint with ICAP enabled.
You can direct traffic to the service chain you created in the policy rules in an
enforcement policy.
Creating an enforcement policy
If you want to classify and intelligently steer traffic, you need to create an
enforcement policy. The policy describes what to do with specific traffic, and how to
treat the traffic.
- On the Main tab, click.The Policies screen opens.
- ClickCreate.The New Policy screen opens.
- In theNamefield, type a name for the policy.When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the wordglobalorunknownin the policy name to distinguish these from other subscriber policies.
- From the Transactional list, selectEnabledif you want the BIG-IP system to allow policy enforcement on each HTTP transaction.
- ClickFinished.The system performance is significantly affected, depending on complexity of the classification and the type of policy action.The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and
actions.
Configuring
steering action policy
You can configure HTTP headers of the steering
policy in the BIG-IP system.
If the steering
action is enabled, steering policy is evaluated based on the VLAN flow. If no
steering policy is configured, then the default endpoint is the next service
endpoint.
- On the Main tab, click.The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to.The properties screen for the policy opens.
- In the Policy Rules area, clickAdd.The New Rule screen opens.
- In theNamefield, type a name for the rule.
- In thePrecedencefield, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 andGate Statusdisabled for a search engine, and you have rule 2 with precedence 11 andGate Statusenabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence, applied in parallel.
- From theModify Headerlist, selectEnabled, to modify the HTTP request header.More modify header configuration options display.
- To modify the HTTP request header, select the action you want to implement.
- SelectInsert String Valueto insert a stringvalue that you have specified before.
- SelectInsert Value from Scriptto specify that the BIG-IP system can insert value received from the TCL expression.
- SelectRemoveto remove the string value that you previously created.
- In theHeader Namefield, type a header name.
- In theString Valuefield, type a string value for the header.
- ClickFinished.
You can add more rules to an enforcement policy in
addition to configuring HTTP header action.
Adding rules to an
enforcement policy
Before you can add rules to an enforcement policy, you need to create the policy, then
reopen it.
You add rules to an enforcement policy to select
the traffic you want to affect, and the actions to take. A
rule
associates an action with a specific type of traffic. So you can, for
example, add a rule to select all audio-video traffic and send it to a pool of servers
that are optimized to handle that type of traffic. - On the Main tab, click.The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to.The properties screen for the policy opens.
- In the Policy Rules area, clickAdd.The New Rule screen opens.
- In theNamefield, type a name for the rule.
- In thePrecedencefield, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 andGate Statusdisabled for a search engine, and you have rule 2 with precedence 11 andGate Statusenabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence, applied in parallel.
- Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
- From theModify Headerlist, selectEnabled, to modify the HTTP request header.More modify header configuration options display.
- Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.Other tasks describe how to do this in detail.If you leaveGate Statusenabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
- From theCongestion Detectionlist, selectEnable, to congestion detection in the Radio Access Network.
- In theThresholdfield, type the lower threshold bandwidth for a session. The default value is1000kbs.
- ForDestinationlist, select the publisher name from the HSL publisher drop-down list.
The state of congestion detection is now controlled by policy application, and different subsets of subscribers can have different settings. This enables congestion-detection for specific types of applications as it pairs with specific policy rule conditions. - ClickFinished.
- Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you
added.
Now you need to associate the enforcement policy
with the virtual server (or servers) to which traffic is directed.
Creating a rule for forwarding traffic
You can create a rule that forwards traffic to an endpoint. For example, you might
want to direct video traffic to a server that is optimized for video viewing.
- On the Main tab, click.The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to.The properties screen for the policy opens.
- In the Policy Rules area, clickAdd.The New Rule screen opens.
- In theNamefield, type a name for the rule.
- In thePrecedencefield, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 andGate Statusdisabled for a search engine, and you have rule 2 with precedence 11 andGate Statusenabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence, applied in parallel.
- Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
- In the Gate area, forGate Status, selectEnabled.Options provide several ways to forward the traffic.
- In the Forwarding area, forHTTP Redirect, selectEnabled, and type the URL.
- From the Forwarding list, select an option where you would like to forward the traffic.OptionsDescriptionRoute to NetworkThe traffic flow is forwarded to the default destination.Forwarding to EndpointThe flow is steered to a different destination and you can select one of the endpoints.Forward to ICAP virtual ServerThe flow is forwarded to the ICAP virtual server.
- From theForwarding Fallback Actionlist, selectDroporContinueto specify if the connection can remain unchanged or should be dropped if the forwarding action fails.
- From theICAP Virtual Serverlist, select an internal virtual server that you have created, or clickCreateto create a new internal virtual server.
- From theICAP Typelist, select an ICAP adaptation type.
- SelectRequestto send a portion of the request to the ICAP server.
- SelectResponseto receive a portion of the response from the ICAP server.
- SelectRequestandResponseto have both types of adaptation.
- From theService Chainlist, selectCreateto direct traffic to more than one location (such as value-added services).
- ClickFinished.
You have created a rule that forwards traffic.
Creating a data plane virtual group
If you want to steer specific traffic (or otherwise regulate certain types of
traffic) you must first develop appropriate enforcement policies. If using a Gx
interface to a PCRF, you need to create a new virtual group in listeners that connect to
a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement.
Creating a listener performs preliminary setup on the BIG-IP
system for application visibility, intelligent steering, bandwidth management, and
reporting.
- On the Main tab, click.The Date Plane Listeners screen opens.
- ClickAdd Group.The New Virtual Group screen opens.
- In theNamefield, type a unique name for the listener.
- In theDestination Addressfield, type the IP address of the virtual server. For example,10.0.0.1or10.0.0.0/24.When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a/32prefix.You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is delivered to the BIG-IP system. Configure the source and destination setting, during forwarding mode only. In the relay mode, the client does not have an IP address and the DHCP provides the client with an IP address.The system will create a virtual server using the address or network you specify.
- For theService Portsetting, type or select the service port for the virtual server.
- From theVLAN and Tunnel Trafficlist, selectEnabled on. Then, for theVLANs and Tunnelssetting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from theAvailablelist to theSelectedlist.
- For theVLANs and Tunnelssetting, move the VLANs and tunnels that you want to monitor from theAvailablelist to theSelectedlist.
- In the Policy Provisioning area, select enforcement policies to apply to the traffic.
- ForGlobal Policy, move policies to apply to all subscribers toHigh PrecedenceorLow Precedence.For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
- ForUnknown Subscriber Policy, move policies to use if the subscriber is unknown toSelected.
The system applies the global policy to all subscribers in parallel with the subscriber policies, and must be configured with unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence policies are overridden by conflicting subscriber policies. - ClickFinished.The Policy Enforcement Manager creates a listener.
When you create a listener, Policy Enforcement Manager also
creates virtual servers for each type of traffic (TCP, UDP, or both and IP), and a
virtual server for HTTP traffic. The system sets up classification and assigns the
appropriate policy enforcement profile to the virtual servers. If you are connecting to
a RADIUS authentication server, a virtual server for RADIUS is also added.
Now you can send traffic through the network. As network traffic moves through the
BIG-IP system, the system classifies the traffic, and if you
have developed policies, the system performs the actions specified by the enforcement
policy rules.