Manual Chapter: Configuring Service Chains
Applies To:
BIG-IP LTM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1
BIG-IP PEM
- 17.1.2, 17.1.1, 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Configuring Service Chains
Overview: Configuring service chains
You can use the Policy Enforcement Manager™ to create service chains that route traffic to one or more value-added services on the way to its final destination. The service chains define the path and order that you want traffic to take. Several value-added services can be involved, and after each endpoint the traffic comes back to the BIG-IP system. An endpoint specifies each place you want to send the traffic, so a service chain is essentially the sequence of value-added service endpoints at which traffic stops on its way to the server it is headed to. For example, you can forward traffic sequentially for virus scanning, parental control, and caching.
You set up service chains by creating an enforcement policy that defines the traffic that you want to route to the service chain. Rules in the enforcement policy specify conditions that the traffic must match, and actions for what to do with that traffic. One of the actions you can take is to send the traffic to a service chain.
While a static service chain defines fixed value-added services, a dynamic service chain provides a service chain action that can change dynamically depending on flow parameters, and you can attach a steering policy that overrides the decision about the next service. You can use a dynamic service chain to insert or remove headers and to steer traffic to a different service. Internet Content Adaptation Protocol (ICAP) is one of the services you can use in a service chain. A dynamic service chain makes the service chain intelligent and flexible by providing the following support:
- Add or skip value-added service endpoints by selecting a policy-based forwarding endpoint.
- Perform header insertion or removal per value-added service, depending on the policy.
- Include one sideband value-added service in the service chain, using ICAP as the protocol.
You can create listeners to set up virtual servers and associate enforcement policies with the
traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies
the enforcement policy that the system uses for the service chain.
Task Summary
About services profiles
You can configure the Internet Content Adaptation Protocol (ICAP) profile, request adaptation
profile, and response adaptation profile for using the dynamic service chain feature in Policy Enforcement Manager™.
The internal virtual server references the pool of content adaptation servers. The internal
virtual server also references an ICAP profile, which includes specific instructions for how the
BIG-IP system should modify each request or response. Once the request and
response adapt profiles have been created, you can attach the profiles to the HTTP virtual
server. The adapt profiles use multiple internal virtual servers for various content types.
The HTTP listener must have the adapt profiles set. The adapt profiles need to be configured as disabled; PEM enables them based on the policy action applied.
About service chain processing
The service chain endpoints that have a steering policy attached define the dynamic service chain. The dynamic service chain follows these processing strategies:
- Processing of the initial subscriber flow starts from the first service in the chain.
- The steering policy is evaluated before the default ICAP adaptation or the default steering endpoint is taken into account.
The steering policy can change the service chain in several ways:
- Skip part of the service chain.
- Skip to a different service, whether ICAP or a steering endpoint.
- Skip the rest of the service chain and route traffic to the network.
- Apply services that are not on the chain. The steering policy can apply ICAP and skip the rest of the chain. It can also apply steering, skipping all ICAP on the VLAN. The service chain continues when the flow returns from the service.
Creating an ICAP profile for policy enforcement
You create this ICAP profile when you want to use an ICAP server to wrap an HTTP
request in an ICAP message before the BIG-IP system sends the
request to a pool of web servers. The profile specifies the HTTP request-header
values that the ICAP server uses for the ICAP message.
- On the Main tab, click.
- Click Create.
- In the Name field, type a unique name for the profile.
- Click Finished.
After you create the ICAP profile, you can assign it to an internal virtual server
so that the HTTP request that the BIG-IP system sends to an ICAP server is wrapped in an
ICAP message, according to the settings you specified in the ICAP profile.
Different services may require different ICAP profiles.
Creating a Request Adapt profile
You create a Request Adapt type of profile when you want a standard HTTP virtual
server to forward HTTP requests to an internal virtual server that references a pool of
ICAP servers. A Request Adapt type of profile instructs the HTTP virtual server to send
an HTTP request to a named internal virtual server for possible request modification.
- On the Main tab, click.
- Click Create.
- In the Name field, type a unique name for the profile.
- For the Parent Profile setting, retain the default value, requestadapt.
- On the right side of the screen, select the Custom check box.
- Disable the setting by clearing the Enabled check box. When you clear the Enabled check box, Policy Enforcement Manager controls this profile based on the policy.
- In the Preview Size field, type a numeric value. This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP request header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to 0 disables buffering of the request and should only be done if the adaptation server always returns a modified HTTP request or the original HTTP request.
- For the Allow HTTP 1.0 setting, select the Enabled check box.
- Click Finished.
After you perform this task, the BIG-IP system contains a
Request Adapt profile that a standard HTTP virtual server can use to forward an HTTP
request to an internal virtual server for ICAP traffic.
You need to attach a Request Adapt profile to a standard HTTP
virtual server to forward the HTTP requests.
Creating a Response Adapt profile
You create a Response Adapt type of profile when you want a standard HTTP virtual
server to forward HTTP responses to an internal virtual server that references a pool of
ICAP servers. A Response Adapt type of profile instructs the HTTP virtual server to send
an HTTP response to a named internal virtual server for possible response modification.
- On the Main tab, click.
- Click Create.
- In the Name field, type a unique name for the profile.
- For the Parent Profile setting, retain the default value, responseadapt.
- On the right side of the screen, select the Custom check box.
- Disable the setting by clearing the Enabled check box. When you clear the Enabled check box, Policy Enforcement Manager controls the profile based on the policy.
- In the Preview Size field, type a numeric value. This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP response header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to 0 disables buffering of the response and should only be done if the adaptation server always returns a modified HTTP response or the original HTTP response.
- For the Allow HTTP 1.0 setting, select the Enabled check box.
After you perform this task, the BIG-IP system contains a
Response Adapt profile that a standard HTTP virtual server can use to forward an HTTP
response to an internal virtual server for ICAP traffic. You need to attach a Response
Adapt profile to a standard HTTP virtual server to forward the HTTP responses.
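The preview buffer described in the Preview Size step of the Request Adapt and Response Adapt tasks is easiest to understand from the ICAP exchange itself. The following Python model is an added example and is not F5 code: it builds a REQMOD message with a Preview header (RFC 3507), a stub adaptation server answers the preview with either 204 (no adaptation needed) or 200 (a modified request), and the client side shows why a preview size of 0, which leaves nothing buffered, has no original request to fall back on when the server answers 204. The HTTP request, host names and ICAP URI are constructed sample data, and the 100 Continue phase for bodies larger than the preview is not modelled.

```python
"""Model of an ICAP REQMOD exchange with a preview (RFC 3507).

Added example, not F5 code. It models the two sides of the exchange that the
Preview Size setting of the Request/Response Adapt profiles controls: the
BIG-IP side (build_reqmod, adapt_request) and a stub adaptation server.
The HTTP request, host names and ICAP URI are constructed sample data; the
"100 Continue" phase for bodies larger than the preview is not modelled.
"""
CRLF = b"\r\n"
ICAP_URI = "icap://icap.example.test/reqmod"   # hypothetical ICAP service

# Constructed sample HTTP request; the body fits inside a normal preview.
SAMPLE_REQUEST = (b"POST /upload HTTP/1.1" + CRLF + b"Host: www.example.test" + CRLF
                  + b"Content-Length: 11" + CRLF + CRLF + b"hello world")


def chunk(data: bytes) -> bytes:
    """One chunk of a chunked body: hex length, CRLF, data, CRLF."""
    return f"{len(data):x}".encode() + CRLF + data + CRLF


def decode_chunked(data: bytes) -> bytes:
    """Reassemble a chunked body; the last chunk may carry '; ieof'."""
    out = b""
    while True:
        size_line, _, data = data.partition(CRLF)
        size = int(size_line.split(b";")[0], 16)
        if size == 0:
            return out
        out += data[:size]
        data = data[size + len(CRLF):]


def build_reqmod(http_request: bytes, preview_size: int) -> bytes:
    """Wrap an HTTP request in a REQMOD message (the BIG-IP side).

    Encapsulated gives the byte offset of each part inside the ICAP body.
    With a preview, only the first preview_size body bytes are sent; the
    request stays buffered until the server answers."""
    head, sep, body = http_request.partition(CRLF + CRLF)
    req_hdr = head + sep
    marker = f"req-body={len(req_hdr)}" if body else f"null-body={len(req_hdr)}"
    headers = [f"REQMOD {ICAP_URI} ICAP/1.0", "Host: icap.example.test",
               "Allow: 204", f"Encapsulated: req-hdr=0, {marker}"]
    if preview_size > 0 and body:
        preview, rest = body[:preview_size], body[preview_size:]
        headers.append(f"Preview: {len(preview)}")
        # "0; ieof" tells the server the whole body was inside the preview.
        end = (b"0; ieof" if not rest else b"0") + CRLF + CRLF
        icap_body = req_hdr + chunk(preview) + end
    else:
        # Preview size 0: the whole body is streamed and nothing is buffered.
        icap_body = req_hdr + (chunk(body) + b"0" + CRLF + CRLF if body else b"")
    return CRLF.join(h.encode() for h in headers) + CRLF + CRLF + icap_body


def stub_icap_server(adapt: bool):
    """Stub adaptation server: 204 (use the original request) or 200 with the
    request re-encapsulated and an extra header inserted."""
    def serve(reqmod: bytes) -> bytes:
        if not adapt:
            return b"ICAP/1.0 204 No Content" + CRLF + CRLF
        _, _, icap_body = reqmod.partition(CRLF + CRLF)
        http_head, _, chunked = icap_body.partition(CRLF + CRLF)
        new_hdr = http_head + CRLF + b"X-Scanned: clean" + CRLF + CRLF
        body = decode_chunked(chunked) if chunked else b""
        if body:
            enc, payload = f"req-body={len(new_hdr)}", new_hdr + chunk(body) + b"0" + CRLF + CRLF
        else:
            enc, payload = f"null-body={len(new_hdr)}", new_hdr
        return (b"ICAP/1.0 200 OK" + CRLF + f"Encapsulated: req-hdr=0, {enc}".encode()
                + CRLF + CRLF + payload)
    return serve


def adapt_request(http_request: bytes, preview_size: int, server) -> bytes:
    """BIG-IP side: send the REQMOD and act on the ICAP status code."""
    response = server(build_reqmod(http_request, preview_size))
    status = int(response.split(b" ", 2)[1])
    if status == 204:
        if preview_size == 0:
            # Nothing was buffered, so the original request cannot be replayed.
            raise RuntimeError("204 received but the request was not buffered")
        return http_request
    if status != 200:
        raise RuntimeError(f"ICAP status {status} not handled by this model")
    _, _, icap_body = response.partition(CRLF + CRLF)
    new_hdr, _, chunked = icap_body.partition(CRLF + CRLF)
    return new_hdr + CRLF + CRLF + (decode_chunked(chunked) if chunked else b"")
```

Run `adapt_request(SAMPLE_REQUEST, 1024, stub_icap_server(adapt=False))` and the original request comes back unchanged; with `adapt=True` the returned request carries the inserted X-Scanned header and the re-encapsulated body. With a preview size of 0 and a server that answers 204, the model raises, which is the situation the Preview Size note warns about.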
Creating an internal virtual server for an ICAP server
You perform this task to create a standard virtual server that can forward an HTTP
request or response to an internal virtual server. The internal virtual server then
sends the request or response to a pool of ICAP servers before the BIG-IP system sends the request or response to the client or web
server.
- On the Main tab, click. The Virtual Server List screen opens.
- Click Create. The New Virtual Server screen opens.
- In the Name field, type a unique name for the virtual server.
- From the Type list, select Internal.
- For the State setting, verify that the value is set to Enabled.
- From the Configuration list, select Advanced.
- From the ICAP Profile list, select the name of the ICAP profile that you created previously.
- From the Source Address Translation list, select Auto Map. The BIG-IP system uses all of the self IP addresses as the translation addresses for the pool.
- Optionally, from the OneConnect Profile list, select a custom OneConnect profile. Setting a OneConnect profile on the ICAP virtual server is highly recommended.
- From the Default Pool list, select the pool of ICAP servers that you previously created.
- Click Finished.
After you create the virtual server, the BIG-IP system can
forward an HTTP request or response to a pool of ICAP servers before sending the request
or response to the client or web server, respectively.
Creating a load balancing pool
Ensure that at least one virtual server exists in the configuration before you start to create a load balancing pool for global traffic.
- On the Main tab, click. The Pools list screen opens.
- Click Create. The New Pool screen opens.
- In the General Properties area, in the Name field, type a name for the pool. Names must begin with a letter, and can contain only letters, numbers, and the underscore (_) character. The pool name is limited to 63 characters.
- From the Type list, depending on the type of the system (IPv4 or IPv6), select either an A or AAAA pool type.
- In the Configuration area, for the Health Monitors setting, in the Available list, select a monitor type, and move the monitor to the Selected list. Hold the Shift or Ctrl key to select more than one monitor at a time.
- In the Members area, for the Member List setting, add virtual servers as members of this load balancing pool. The system evaluates the virtual servers (pool members) in the order in which they are listed. A virtual server can belong to more than one pool.
- Select a virtual server from the Virtual Server list.
- Click Add.
- Click Finished.
Creating endpoints for service chains
Before you can create an endpoint, you need to create a pool that specifies where
you want to direct the classified traffic.
If you plan to set up a service chain, you need to create one or more endpoints that specify the locations of the value-added services to which to send the traffic.
- On the Main tab, click. The Endpoints screen opens.
- Click Create. The New Endpoint screen opens.
- In the Name field, type a name for the endpoint.
- From the Pool list, select the pool to which you want to steer a particular type of traffic.
- Use the default values for the other fields.
- Click Finished. The endpoint you created is on the endpoint list.
You link the endpoints together by creating a service chain.
Creating dynamic service chains
Before you can create a service chain, you need to have created endpoints for every service that you want the traffic to be directed to. Set up the servers at those endpoints to handle the traffic and (if conditions are right) return it to the BIG-IP system. You should have attached the request adapt profile and response adapt profile to the HTTP virtual server. You also need to create VLANs for every traffic entry point.
To send traffic to multiple endpoints, including value-added services, you create service chains that define where to send traffic on the way to its final destination. This way, the system can route traffic to other servers that can handle additional functions. Additionally, when you create a service chain you can attach a steering action policy, such as one that modifies headers, which can later be modified at the other end. If you want to use a steering policy, you must define an endpoint in the service chain.
- On the Main tab, click. The Service Chains screen opens.
- Click Create. The New Service Chains screen opens.
- In the Name field, type a name for the service chain.
- In the Service Chain List setting, add the endpoints to the service chain. For each place you want to send the traffic, specify the following information:
- From the Service Endpoint Name list, type the name of the service endpoint where the traffic is going to.
- From the VLAN list, select the name of the VLAN where the traffic is coming from. The first service endpoint in the chain should have the subscriber VLAN in the VLAN field.
- From the Policy list, select the name of the steering policy. If none of the service endpoints has a steering policy, the service chain is static. If the policy defining the steering does not match the policy set in the service chain, then the service chain is not processed.
- From the Forwarding Endpoint list, select the name of the endpoint to which you send traffic. When you configure a new forwarding endpoint (), set Address Translation and Port Translation to Disabled. You always need to configure a default forwarding endpoint, or else the flow will exit the service chain and get skipped. If you are in the final leg, then configure without a default. When you use an ICAP service, you cannot have ICAP and a forwarding endpoint on the same service endpoint.
- From the Service Option list, select the service option to apply in case the service endpoint is not reachable. Select Optional if you want to skip the service endpoint. Select Mandatory if you want all traffic flows dropped. To use a dynamic service chain, select Optional. If the service endpoint is not available and is set to Mandatory, you cannot steer policies. The Service Option parameter works only if the endpoint has a monitor set in its pool. For example, set a gateway ICMP monitor on the pool. Otherwise, traffic is dropped even if Optional is set.
- From the Internal Virtual list, select the internal ICAP virtual server. You cannot have consecutive ICAP on the same VLAN.
- Click Add.
- From the ICAP Type list, select the action you want to implement:
- Select Request to send only HTTP requests to the ICAP server.
- Select Response to send only HTTP responses to the ICAP server.
- Select Request and Response to send both requests and responses.
Select the Internal Virtual to configure the ICAP Type setting.
- Click Finished. If a steering action is applied after the ICAP request, the service endpoint with the forwarding endpoint should have the same VLAN configured as the service endpoint with ICAP enabled.
You can direct traffic to the service chain you created in the policy rules in an
enforcement policy.
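The constraints stated in the Forwarding Endpoint, Service Option and Internal Virtual steps above, together with the processing strategies in "About service chain processing", can be checked against a concrete chain with the following added Python model. It is not F5 code and does not reproduce the BIG-IP system's internal processing: validate_chain applies the chapter's static rules (no ICAP and forwarding endpoint on the same service endpoint, no consecutive ICAP on one VLAN, a default forwarding endpoint on every leg but the last, the subscriber VLAN on the first leg), and run_chain walks one flow through the chain, applying a steering policy where one is attached and the Optional/Mandatory service option together with whether the target's pool has a monitor. The steering decision format, the Target and ServiceEndpoint classes, and the sample chain are constructed for this example.

```python
"""Model of dynamic service chain processing and of the configuration
constraints this chapter states for service endpoints.

Added example, not F5 code: the classes, the steering decision format, the
sample targets and the chain are constructed to illustrate the text.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Target:
    """A forwarding endpoint's pool or an internal ICAP virtual server."""
    name: str
    monitored: bool   # a health monitor is set on the pool
    available: bool   # actual reachability (what a monitor would report)


@dataclass
class ServiceEndpoint:
    """One leg of the chain as entered in the Service Chain List."""
    name: str
    vlan: str                                   # VLAN the flow arrives on
    forwarding_endpoint: Optional[str] = None   # default next hop
    icap_virtual: Optional[str] = None          # internal ICAP virtual server
    service_option: str = "Optional"            # or "Mandatory"
    steering_policy: Optional[Callable[[dict], Optional[dict]]] = None


def validate_chain(chain: List[ServiceEndpoint], subscriber_vlan: str) -> List[str]:
    """Static checks taken from the chapter's notes on service endpoints."""
    problems = []
    if chain and chain[0].vlan != subscriber_vlan:
        problems.append(f"{chain[0].name}: first leg should use the subscriber VLAN")
    for i, leg in enumerate(chain):
        if leg.icap_virtual and leg.forwarding_endpoint:
            problems.append(f"{leg.name}: ICAP and a forwarding endpoint on one service endpoint")
        if not (leg.icap_virtual or leg.forwarding_endpoint) and i < len(chain) - 1:
            problems.append(f"{leg.name}: no default forwarding endpoint, flows exit the chain here")
        if i and leg.icap_virtual and chain[i - 1].icap_virtual and leg.vlan == chain[i - 1].vlan:
            problems.append(f"{leg.name}: consecutive ICAP on VLAN {leg.vlan}")
    return problems


def run_chain(chain: List[ServiceEndpoint], targets: Dict[str, Target],
              flow: dict) -> Tuple[List[str], str]:
    """Walk one flow through the chain; returns the legs visited and the outcome
    ("network" or "dropped"). A steering policy returns None (use the leg's
    defaults) or one of {"action": "network"}, {"action": "skip_to", "leg": name},
    {"action": "forward" | "icap", "target": name}."""
    index = {leg.name: i for i, leg in enumerate(chain)}
    path, i = [], 0
    while i < len(chain):
        leg = chain[i]
        decision = leg.steering_policy(flow) if leg.steering_policy else None
        if decision and decision["action"] == "network":
            path.append(f"{leg.name}: steered to network")
            return path, "network"
        if decision and decision["action"] == "skip_to":
            path.append(f"{leg.name}: skipped to {decision['leg']}")
            i = index[decision["leg"]]
            continue
        if decision:
            kind, target = decision["action"], decision["target"]
        elif leg.icap_virtual:
            kind, target = "icap", leg.icap_virtual
        elif leg.forwarding_endpoint:
            kind, target = "forward", leg.forwarding_endpoint
        else:
            path.append(f"{leg.name}: no default endpoint, flow exits the chain")
            return path, "network"
        t = targets[target]
        if not t.available:
            if not t.monitored:
                # Without a monitor the system cannot tell the target is down,
                # so the flow is sent there and lost even with Optional set.
                path.append(f"{leg.name}: {target} down and unmonitored")
                return path, "dropped"
            if leg.service_option == "Mandatory":
                path.append(f"{leg.name}: {target} down, Mandatory")
                return path, "dropped"
            path.append(f"{leg.name}: {target} down, Optional, skipped")
        else:
            path.append(f"{leg.name}: {kind} {target}")
        i += 1
    return path, "network"


# Constructed sample configuration: three value-added services and one chain.
TARGETS = {
    "av_scan": Target("av_scan", monitored=True, available=True),
    "parental": Target("parental", monitored=True, available=False),
    "icap_vs": Target("icap_vs", monitored=True, available=True),
    "cache": Target("cache", monitored=False, available=False),
}
CHAIN = [
    ServiceEndpoint("leg1", "subscriber_vlan", forwarding_endpoint="av_scan",
                    steering_policy=lambda f: {"action": "network"}
                    if f.get("category") == "video" else None),
    ServiceEndpoint("leg2", "av_vlan", forwarding_endpoint="parental"),
    ServiceEndpoint("leg3", "parental_vlan", icap_virtual="icap_vs"),
]
```

`validate_chain(CHAIN, "subscriber_vlan")` returns no problems, and `run_chain(CHAIN, TARGETS, {"category": "web"})` forwards to av_scan, skips the monitored but unavailable parental endpoint because the leg is Optional, applies ICAP on the third leg, and ends at the network; a video flow is steered straight to the network by the policy on the first leg. Changing leg2 to Mandatory, or pointing a leg at the unmonitored cache target, ends with the flow dropped.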
Creating an enforcement policy
If you want to classify and intelligently steer traffic, you need to create an
enforcement policy. The policy describes what to do with specific traffic, and how to
treat the traffic.
- On the Main tab, click. The Policies screen opens.
- Click Create. The New Policy screen opens.
- In the Name field, type a name for the policy. When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the word global or unknown in the policy name to distinguish these from other subscriber policies.
- From the Transactional list, select Enabled if you want the BIG-IP system to allow policy enforcement on each HTTP transaction. System performance is significantly affected, depending on the complexity of the classification and the type of policy action.
- Click Finished. The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and
actions.
Configuring a steering action policy
You can configure the HTTP headers of the steering policy in the BIG-IP system.
If the steering action is enabled, the steering policy is evaluated based on the VLAN flow. If no steering policy is configured, then the default endpoint is the next service endpoint.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
- From the Modify Header list, select Enabled to modify the HTTP request header. More modify header configuration options display.
- To modify the HTTP request header, select the action you want to implement:
- Select Insert String Value to insert a string value that you have specified.
- Select Insert Value from Script to have the BIG-IP system insert a value returned by a Tcl expression.
- Select Remove to remove the string value that you previously created.
- In the Header Name field, type a header name.
- In the String Value field, type a string value for the header.
- Click Finished.
You can add more rules to an enforcement policy in
addition to configuring HTTP header action.
Adding rules to an enforcement policy
Before you can add rules to an enforcement policy, you need to create the policy, then reopen it.
You add rules to an enforcement policy to select the traffic you want to affect, and the actions to take. A rule associates an action with a specific type of traffic. So you can, for example, add a rule to select all audio-video traffic and send it to a pool of servers that are optimized to handle that type of traffic.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
- Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
- From the Modify Header list, select Enabled to modify the HTTP request header. More modify header configuration options display.
- Use the Reporting, Quota, Forwarding, Modify Header, or QoS areas to specify what you want to do with the traffic that you are classifying, or what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (the default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
- From the Congestion Detection list, select Enable to enable congestion detection in the Radio Access Network.
- In the Threshold field, type the lower threshold bandwidth for a session. The default value is 1000 kbps.
- From the Destination list, select the publisher name from the HSL publisher list.
The state of congestion detection is now controlled by policy application, and different subsets of subscribers can have different settings. This enables congestion detection for specific types of applications, as it pairs with specific policy rule conditions.
- Click Finished.
- Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you
added.
Now you need to associate the enforcement policy
with the virtual server (or servers) to which traffic is directed.
Creating a rule for forwarding traffic
You can create a rule that forwards traffic to an endpoint. For example, you might
want to direct video traffic to a server that is optimized for video viewing.
- On the Main tab, click. The Policies screen opens.
- Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
- In the Policy Rules area, click Add. The New Rule screen opens.
- In the Name field, type a name for the rule.
- In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence. All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence are applied in parallel.
- Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
- In the Gate area, for Gate Status, select Enabled. Options provide several ways to forward the traffic.
- In the Forwarding area, for HTTP Redirect, select Enabled, and type the URL.
- From the Forwarding list, select where you would like to forward the traffic:
- Route to Network: The traffic flow is forwarded to the default destination.
- Forwarding to Endpoint: The flow is steered to a different destination, and you can select one of the endpoints.
- Forward to ICAP Virtual Server: The flow is forwarded to the ICAP virtual server.
- From the Forwarding Fallback Action list, select Drop or Continue to specify whether the connection should be dropped or can remain unchanged if the forwarding action fails.
- From the ICAP Virtual Server list, select an internal virtual server that you have created, or click Create to create a new internal virtual server.
- From the ICAP Type list, select an ICAP adaptation type:
- Select Request to send a portion of the request to the ICAP server.
- Select Response to receive a portion of the response from the ICAP server.
- Select Request and Response to have both types of adaptation.
- From the Service Chain list, select Create to direct traffic to more than one location (such as value-added services).
- Click Finished.
You have created a rule that forwards traffic.
Creating a data plane virtual group
If you want to steer specific traffic (or otherwise regulate certain types of
traffic) you must first develop appropriate enforcement policies. If using a Gx
interface to a PCRF, you need to create a new virtual group in listeners that connect to
a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement.
Creating a listener performs preliminary setup on the BIG-IP
system for application visibility, intelligent steering, bandwidth management, and
reporting.
- On the Main tab, click. The Data Plane Listeners screen opens.
- Click Add Group. The New Virtual Group screen opens.
- In the Name field, type a unique name for the listener.
- In the Destination Address field, type the IP address of the virtual server. For example, 10.0.0.1 or 10.0.0.0/24. When you use an IPv4 address without specifying a prefix, the BIG-IP system automatically uses a /32 prefix. You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is delivered to the BIG-IP system. Configure the source and destination settings during forwarding mode only. In relay mode, the client does not have an IP address, and DHCP provides the client with an IP address. The system creates a virtual server using the address or network you specify.
- For the Service Port setting, type or select the service port for the virtual server.
- From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
- For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor from the Available list to the Selected list.
- In the Policy Provisioning area, select enforcement policies to apply to the traffic.
- For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence. For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
- For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
The system applies the global policy to all subscribers in parallel with the subscriber policies, and must be configured with an unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence global policies are overridden by conflicting subscriber policies.
- Click Finished. The Policy Enforcement Manager creates a listener.
When you create a listener, Policy Enforcement Manager also
creates virtual servers for each type of traffic (TCP, UDP, or both and IP), and a
virtual server for HTTP traffic. The system sets up classification and assigns the
appropriate policy enforcement profile to the virtual servers. If you are connecting to
a RADIUS authentication server, a virtual server for RADIUS is also added.
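To see how rule precedence (the Precedence step in the rule tasks above) and the Global Policy precedence on a listener interact, here is an added Python model that is not F5 code: every matching rule runs, an action that two matching rules set differently is taken from the rule with the lower precedence number, non-conflicting actions are applied in parallel, and on a listener high-precedence global policies override subscriber rules, which in turn override low-precedence global policies. The Rule structure, the sample rules (the first two mirror the chapter's search-engine example) and the flows are constructed for illustration; the match lambdas stand in for the Classification, URL, Flow and Custom Criteria tabs.

```python
"""Model of enforcement-policy rule evaluation: concurrent rules, precedence
on conflicts, and global versus subscriber policy precedence on a listener.

Added example, not F5 code: the Rule structure, the sample rules and the
flows are constructed to illustrate the chapter's precedence text; the
match lambdas stand in for the classification criteria.
"""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple


@dataclass
class Rule:
    name: str
    precedence: int                  # 1 is the highest precedence
    match: Callable[[dict], bool]    # classification criteria for the rule
    actions: Dict[str, str]          # policy action -> setting


@dataclass
class Decision:
    actions: Dict[str, str] = field(default_factory=dict)     # effective settings
    decided_by: Dict[str, str] = field(default_factory=dict)  # action -> rule name
    overridden: List[Tuple[str, str, str]] = field(default_factory=list)  # (rule, action, value)


def evaluate(rules: List[Rule], flow: dict) -> Decision:
    """All rules are checked against the flow. Where two matching rules set the
    same action to different values, the lower precedence number wins; actions
    that do not collide are applied in parallel."""
    out = Decision()
    matched = sorted((r for r in rules if r.match(flow)), key=lambda r: r.precedence)
    for rule in matched:
        for action, value in rule.actions.items():
            if action not in out.actions:
                out.actions[action] = value
                out.decided_by[action] = rule.name
            elif out.actions[action] != value:
                out.overridden.append((rule.name, action, value))
    return out


def evaluate_listener(global_high: List[Rule], subscriber: List[Rule],
                      global_low: List[Rule], flow: dict) -> Decision:
    """Policy provisioning on a listener: high-precedence global policies
    override conflicting subscriber rules, which override low-precedence
    global policies. Within each group, rule precedence applies as above."""
    merged = Decision()
    for group in (global_high, subscriber, global_low):
        part = evaluate(group, flow)
        for action, value in part.actions.items():
            if action not in merged.actions:
                merged.actions[action] = value
                merged.decided_by[action] = part.decided_by[action]
            elif merged.actions[action] != value:
                merged.overridden.append((part.decided_by[action], action, value))
        merged.overridden.extend(part.overridden)
    return merged


# Constructed sample rules; the first two mirror the chapter's example of
# Gate Status disabled for a search engine (precedence 10) versus enabled (11).
SUBSCRIBER_RULES = [
    Rule("block_search", 10, lambda f: f.get("category") == "search_engine", {"gate": "disabled"}),
    Rule("allow_all", 11, lambda f: True, {"gate": "enabled", "reporting": "hsl"}),
    Rule("video_steer", 5, lambda f: f.get("category") == "video", {"forward": "video_pool"}),
]
GLOBAL_HIGH = [Rule("global_quota", 1, lambda f: True, {"quota": "1GB"})]
GLOBAL_LOW = [Rule("global_default", 1, lambda f: True, {"gate": "enabled", "qos": "best_effort"})]
```

For a search-engine flow, `evaluate(SUBSCRIBER_RULES, ...)` yields gate disabled (from block_search, precedence 10) and reporting from allow_all, recording allow_all's conflicting gate setting as overridden; for a video flow the forward and gate actions do not collide and both apply. `evaluate_listener` adds the global quota from the high-precedence group and the QoS setting from the low-precedence group, while the low-precedence global gate setting loses to the subscriber rule. The overridden list is the part worth reviewing when a policy does not behave as expected.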
Now you can send traffic through the network. As network traffic moves through the
BIG-IP system, the system classifies the traffic, and if you
have developed policies, the system performs the actions specified by the enforcement
policy rules.