Manual Chapter : BIG-IP Reference Guide v4.5:Filters

Applies To:

BIG-IP versions 1.x - 4.x

  • 4.6.1, 4.6.0, 4.5 PTF-08, 4.5 PTF-07, 4.5 PTF-06, 4.5 PTF-05, 4.5 PTF-04, 4.5 PTF-03, 4.5 PTF-02, 4.5 PTF-01, 4.5.9, 4.5.0

Chapter 12: Filters


Introducing filters

Filters control network traffic by specifying whether an external network interface accepts or rejects packets. Filters apply to both incoming and outgoing traffic. When creating a filter, you define criteria that are applied to each packet that the BIG-IP system processes. You can configure the BIG-IP system to accept or block each packet, based on whether or not the packet matches the criteria.

The BIG-IP system supports two types of filters, IP filters and rate filters.

Filter options are shown in Table 12.1.

| Filter Options | Description |
|---|---|
| IP filter | You can configure IP filters to control requests sent to the BIG-IP system by other hosts in the network. |
| Rate filter | You can configure rate filters to control the flow of traffic into the BIG-IP system based on rate classes you define. In order to create a rate filter, you must first define a rate class. |
| Rate class | You can define a rate class for use with a rate filter. A rate class is a definition used by a rate filter. |

Warning: Filtering should be kept to the minimum necessary, as filters may adversely affect performance.

Warning: Rate filters that limit traffic can have an adverse effect on monitors. If you have a large number of monitors configured, and the filters limit the monitor traffic, the monitor will mark the service as down.

IP filters

Typical criteria that you define in IP filters are packet source IP addresses, packet destination IP addresses, and upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.

For a single filter, you can define multiple criteria in multiple, separate statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same filter. You can have as many criteria statements as you want, limited only by the available memory. Of course, the more statements you have, the more difficult it is to understand and maintain your filters.

Configuring IP filters

When you define an IP filter, you can filter traffic in two ways:

  • The filter can filter traffic going to a specific destination, coming from a specific destination, or both.
  • The filter can allow network traffic through, or it can reject network traffic.

To define an IP filter using the Configuration utility
  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. In the IP Filters screen, click the Add button.
    The Add IP Filter screen opens.
  3. In the Add IP Filter screen, fill in the fields to define the filter. For additional information about defining an IP filter, click the Help button.

Note: For information on configuring IP filters from the command line, refer to the IPFW man page by typing man ipfw at the command prompt. You can configure more complex filtering by using the IPFW command line interface than you can from the Configuration utility.

Warning: Any IPFW-specific settings will be removed if you subsequently modify the filter using the Configuration utility.

Rate filters and rate classes

In addition to IP filters, you can also define rate filters. Rate filters consist of the basic filter and a rate class. Rate classes define how many bits per second are allowed per connection, and the number of packets in a queue.

Configuring rate filters and rate classes

Rate filters are a type of extended IP filter. They use the same IP filter method, but they apply a rate class, which determines the volume of network traffic allowed through the filter.

Tip: You must define at least one rate class in order to apply a rate filter.

Rate filters are useful for sites that have preferred clients. For example, an e-commerce site may want to set a higher throughput for preferred customers, and a lower throughput for random site traffic.

Configuring rate filters involves both creating a rate filter and a rate class. When you configure rate filters, you can use existing rate classes. However, if you want a new rate filter to use a new rate class, you must configure the new rate class before you configure the new rate filter.
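
The following added example (not part of the original manual, and not BIG-IP code) models how a rate class's bits-per-second limit and queue length interact with monitor traffic, which is the failure mode the rate filter warning earlier in this chapter describes. It assumes one shared FIFO queue for all traffic matching the filter and that all monitors probe at the same instant; the function names, probe size, interval, timeout, and rate class values are hypothetical.

```python
import math
from collections import deque

def simulate_rate_class(arrivals, bits_per_second, queue_packets):
    """FIFO model of one rate class (assumed behaviour, not BIG-IP code).

    arrivals: (time_s, size_bytes, label) tuples sorted by time.
    Returns (forwarded_labels, dropped_labels).
    """
    queued = deque()        # departure times of packets still in the queue
    link_free_at = 0.0
    forwarded, dropped = [], []
    for t, size, label in arrivals:
        while queued and queued[0] <= t:      # already transmitted
            queued.popleft()
        if len(queued) >= queue_packets:      # queue full: packet is lost
            dropped.append(label)
            continue
        link_free_at = max(t, link_free_at) + size * 8 / bits_per_second
        queued.append(link_free_at)
        forwarded.append(label)
    return forwarded, dropped

def monitors_marked_down(n_monitors, interval_s, timeout_s, probe_bytes,
                         bits_per_second, queue_packets, rounds):
    """Return monitors that lose every probe for at least timeout_s.

    All monitors probe at the same instant each round (worst case).
    """
    arrivals = [(r * interval_s, probe_bytes, (m, r))
                for r in range(rounds) for m in range(n_monitors)]
    _, dropped = simulate_rate_class(arrivals, bits_per_second, queue_packets)
    lost = set(dropped)
    needed = math.ceil(timeout_s / interval_s)  # consecutive losses to time out
    down = []
    for m in range(n_monitors):
        streak = 0
        for r in range(rounds):
            streak = streak + 1 if (m, r) in lost else 0
            if streak >= needed:
                down.append(m)
                break
    return down

# Constructed values: 500-byte probes every 5 s, 16 s timeout,
# rate class of 64 kbit/s with a 20-packet queue.
if __name__ == "__main__":
    for n in (10, 200):
        down = monitors_marked_down(n, 5, 16, 500, 64_000, 20, rounds=6)
        print(f"{n} monitors: {len(down)} marked down")
```

Running the model with different queue lengths and rates before applying a rate filter shows whether the monitor probes alone fit inside the rate class.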

To configure a new rate class using the Configuration utility
  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Class button.
    The Add Rate Class screen opens.
  4. Type the necessary information to configure a new rate class. For additional information about configuring a new rate class, click the Help button.

Note: For information on configuring IP filters from the command line, refer to the ipfw man page.

After you have added a rate class, you can configure rate filters for your system.

To configure a rate filter using the Configuration utility
  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Filter button.
    The Add Rate Filter screen opens.
  4. Type the necessary information to configure a new rate filter. For additional information about configuring a rate filter, click the Help button.

Note: For information on configuring IP filters on the command line, refer to the ipfw man page.