Manual Chapter :
Enforcing Policy and Classification on IP Protocols
Applies To:
BIG-IP LTM
- 17.1.0, 17.0.0, 16.1.4, 16.1.3, 16.1.2, 16.1.1
BIG-IP PEM
- 17.1.0, 17.0.0, 16.1.5, 16.1.4, 16.1.3, 16.1.2, 16.1.1, 16.1.0
Enforcing Policy and Classification on IP Protocols
About enforcing policy and classification on IP protocols
The BIG-IP system provides classification and policy enforcement on all non-TCP and non-UDP traffic, which includes IPsec traffic. The Policy Enforcement Manager (PEM) can classify, and enforce any supported action on, virtually any type of IP traffic. This enables service providers to detect IPsec, ICMP, GRE, and other IP protocols, especially tunneling protocols. For IPsec, both the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols are recognized, in both tunnel and transport modes.
A bottom HUD filter forwards non-TCP and non-UDP traffic for both classification and policy enforcement.
HTTP redirect is not supported. Depending on the protocol, not every action works and some traffic cannot be steered.
You can use SNAT only when forwarding ICMP and ICMPv6 traffic.
Creating Any IP profiles for PEM
Before you create additional Any IP profiles, you must create a listener in Policy Enforcement Manager (PEM). Creating the listener creates a virtual server that has the default Any IP profile attached.
You can create a new Any IP profile through local traffic management in PEM.
- On the Main tab, navigate to the Any IP profile list. The Any IP screen opens.
- Click Create. The New Any IP Profile screen opens.
- From the Parent Profile list, select the default ipother profile, or any other Any IP profile, from which the new profile inherits its settings. Additional Any IP profiles appear in the list only if you created them earlier.
- To specify the idle timeout, click Custom, select Specify, and type a value in seconds. The idle timeout is the number of seconds a connection may remain idle before it becomes eligible for deletion.
- Click Finished.
You have now created a new Any IP profile. You can view the non-TCP and non-UDP traffic that passes through the BIG-IP system.
Updating Any IP profile
If you have created another Any IP profile and want to apply it to Any IP traffic, you attach the profile to the virtual server through local traffic management in Policy Enforcement Manager (PEM).
- On the Main tab, navigate to the virtual server list. The Virtual Server List screen opens.
- Select the virtual server that handles the Any IP traffic. The virtual server properties screen opens.
- From the Protocol list, select * All Protocols. The Any IP Profile setting appears.
- From the Any IP Profile list, select the default ipother profile or the Any IP profile you created. Additional Any IP profiles appear in the list only if you created them earlier.
- Click Update.
You have now attached the selected Any IP profile to the virtual server, so it applies to the Any IP traffic.
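The same procedure expressed as tmsh commands, entered in an interactive tmsh session, as an added example that is not part of this manual. The profile name anyip_pem, the virtual server name vs_anyip, the 120-second timeout and the client address 10.0.0.5 are all assumed for illustration, and the virtual server is created by hand here rather than by a PEM listener:

```tmsh
create ltm profile ipother anyip_pem defaults-from ipother idle-timeout 120
create ltm virtual vs_anyip destination 0.0.0.0:0 mask any ip-protocol any source 0.0.0.0/0 profiles replace-all-with { anyip_pem } translate-address disabled translate-port disabled
list ltm profile ipother anyip_pem
list ltm virtual vs_anyip ip-protocol profiles
show sys connection cs-client-addr 10.0.0.5
save sys config
```

`ip-protocol any` is the tmsh equivalent of selecting * All Protocols in the GUI, and the ipother profile in the `profiles` list is the Any IP profile. `profiles replace-all-with` replaces the whole profile list, so on a virtual server that a PEM listener created, run `list ltm virtual <name> profiles` first and include the listener's existing profiles in the new list, keeping only one ipother profile. `show sys connection` with a client address filter lets you confirm that the non-TCP and non-UDP flows are being tracked with the configured idle timeout.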
IPOther filter for current PEM actions
The policy actions configured in the Policy Enforcement Manager can operate on non-TCP and non-UDP traffic flows. The following table shows which actions are supported for such traffic.
| Action | All non-TCP and non-UDP flows |
|---|---|
| Forwarding | Only non-tunnel protocols. ICMP traffic can be steered. |
| Service-chain | Only non-tunnel protocols. ICMP traffic can be steered. |
| Cloning | Yes |
| BWC (both directions) | Yes |
| L2 QoS markings (both directions) | Yes |
| Flow Reporting | Yes |
| Session Reporting | Yes |
| Gate status drop | Yes |
| Quota | Yes |
| HTTP-redirect | No |
| Modify HTTP headers | No |
| iRules | CLIENT_DATA and CLIENT_ACCEPTED events only (as with the UDP filter). |
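An iRule that uses the one event the table allows on these flows, CLIENT_ACCEPTED, to label the protocols named in the overview above (ICMP, GRE, ESP, AH, plus ICMPv6) by their IP protocol number, created and attached from an interactive tmsh session. This is an added example, not code from this manual or from F5; the rule name anyip_proto_log and the virtual server name vs_anyip are assumed:

```tmsh
create ltm rule anyip_proto_log {
    when CLIENT_ACCEPTED {
        switch [IP::protocol] {
            1 { set proto "icmp" }
            47 { set proto "gre" }
            50 { set proto "esp" }
            51 { set proto "ah" }
            58 { set proto "icmpv6" }
            default { set proto "ip-proto-[IP::protocol]" }
        }
        log local0. "anyip flow [IP::client_addr] -> [IP::local_addr] proto=$proto"
    }
}
modify ltm virtual vs_anyip rules { anyip_proto_log }
list ltm virtual vs_anyip rules
```

`IP::protocol` returns the protocol number from the IP header, which is the only classification available at CLIENT_ACCEPTED for traffic that has no transport-layer ports. HTTP events never fire on an Any IP virtual server, which is consistent with the HTTP-redirect and header-modification rows above. The rule only labels and logs (to /var/log/ltm); it does not change forwarding, so the tunnel-protocol restriction on Forwarding and Service-chain actions still applies to GRE, ESP and AH flows regardless of what the rule records.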