Manual Chapter : BIG-IP Reference Guide v4.6.2: Filters

Applies To:

BIG-IP versions 1.x - 4.x

  • 4.6.4, 4.6.3, 4.6.2

13 Filters



Introducing filters

Filters control network traffic by specifying whether an external network interface accepts or rejects packets. Filters apply to both incoming and outgoing traffic. When creating a filter, you define criteria that are applied to each packet that the BIG-IP system processes. You can configure the BIG-IP system to accept or block each packet, based on whether or not the packet matches the criteria.

The BIG-IP system supports two types of filters, IP filters and rate filters.

Filter options are shown in Table 13.1.

| Filter Options | Description |
|----------------|-------------|
| IP filter | You can configure IP filters to control requests sent to the BIG-IP system by other hosts in the network. |
| Rate filter | You can configure rate filters to control the flow of traffic into the BIG-IP system based on rate classes you define. In order to create a rate filter, you must first define a rate class. |
| Rate class | You can define a rate class for use with a rate filter. A rate class is a definition used by a rate filter. |

Warning


Filtering should be kept to the minimum necessary, as filters may adversely affect performance.

Warning


Rate filters that limit traffic can have an adverse effect on monitors. If you have a large number of monitors configured, and the filters limit the monitor traffic, the monitor will mark the service as down.


IP filters

Typical criteria that you define in IP filters are packet source IP addresses, packet destination IP addresses, and upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.

For a single filter, you can define multiple criteria in multiple, separate statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same filter. You can have as many criteria statements as you want, limited only by the available memory. Of course, the more statements you have, the more difficult it is to understand and maintain your filters.


Configuring IP filters

When you define an IP filter, you can filter traffic in two ways:

  • The filter can filter traffic going to a specific destination, coming from a specific destination, or both.
  • The filter can allow network traffic through, or it can reject network traffic.

To define an IP filter using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. In the IP Filters screen, click the Add button.
    The Add IP Filter screen opens.
  3. In the Add IP Filter screen, fill in the fields to define the filter. For additional information about defining an IP filter, click the Help button.

    Note


    For information on configuring IP filters from the command line, refer to the IPFW man page by typing man ipfw at the command prompt. You can configure more complex filtering than you can from the Configuration utility by using the IPFW command line interface.

Warning


If you subsequently modify the filter using the Configuration utility, any IPFW-specific settings are removed.

Rate filters and rate classes

In addition to IP filters, you can also define rate filters. Rate filters consist of the basic filter and a rate class. Rate classes define how many bits per second are allowed per connection, and the number of packets in a queue.

While IP filters determine access by either allowing or denying network traffic, rate filters determine the rate of traffic throughput. Unlike IP filters, rate filters apply to outbound traffic only, that is, traffic going either from the BIG-IP system to an internal web server, or from the BIG-IP system to an external client.

Rate filters are useful for sites that have preferred clients. For example, an e-commerce site may want to set a higher throughput for preferred customers, and a lower throughput for random site traffic.
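The sketch below is an added example, not F5 code. It shows how the two rate class parameters described above (bits per second and queue length) interact, and why a tight rate class can make monitors fail as the earlier warning notes. It assumes a simplified model in which every packet matching the rate filter shares one tail-drop queue drained at the class rate. The probe size, spacing, timeout and function names are constructed for illustration, and the scheduler BIG-IP actually uses is not described in this chapter.

```python
from collections import deque

def simulate_rate_class(bps, queue_packets, arrivals):
    """Model a rate class as a tail-drop FIFO drained at `bps` (assumed model).

    arrivals: (time_us, size_bytes) tuples sorted by time.
    Returns (arrival_us, departure_us) tuples; departure is None on drop.
    """
    pending = deque()   # departure times of accepted packets not yet sent
    link_free_at = 0
    results = []
    for t, size in arrivals:
        while pending and pending[0] <= t:       # already transmitted
            pending.popleft()
        if len(pending) >= queue_packets:        # queue full: tail drop
            results.append((t, None))
            continue
        tx_us = -(-size * 8 * 1_000_000 // bps)  # ceil(bits / bps) in microseconds
        link_free_at = max(t, link_free_at) + tx_us
        pending.append(link_free_at)
        results.append((t, link_free_at))
    return results

def probe_failures(results, timeout_us):
    """Return (dropped, late): probes dropped, and probes sent after the timeout."""
    dropped = sum(1 for _, dep in results if dep is None)
    late = sum(1 for t, dep in results
               if dep is not None and dep - t > timeout_us)
    return dropped, late

def monitor_burst(count=10, spacing_us=1_000, size_bytes=150):
    """Constructed input: `count` monitor probes fired 1 ms apart."""
    return [(i * spacing_us, size_bytes) for i in range(count)]

def compare(timeout_us=250_000):
    """Run the same probe burst through a tight and a roomy rate class."""
    burst = monitor_burst()
    tight = simulate_rate_class(12_000, 4, burst)      # 12 kbit/s, 4-packet queue
    roomy = simulate_rate_class(1_200_000, 4, burst)   # 1.2 Mbit/s, 4-packet queue
    return probe_failures(tight, timeout_us), probe_failures(roomy, timeout_us)

if __name__ == "__main__":
    print(compare())
```

With the tight class, only the first four probes fit in the queue and two of those leave after the timeout, so eight of ten checks would fail even though the monitored service is healthy.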


Configuring rate filters and rate classes

Rate filters are a type of extended IP filter. They use the same IP filter method, but they apply a rate class, which determines the volume of network traffic allowed through the filter.

Tip


You must define at least one rate class in order to apply a rate filter.

Configuring rate filters involves both creating a rate filter and a rate class. When you configure rate filters, you can use existing rate classes. However, if you want a new rate filter to use a new rate class, you must configure the new rate class before you configure the new rate filter.

When configuring a rate filter, you must specify an IP address. For example, to configure a rate filter for traffic going from a BIG-IP system to an internal web server, you must specify the web server's node address as the destination IP address.

To configure a new rate class using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Class button.
    The Add Rate Class screen opens.
  4. Type the necessary information to configure a new rate class. For additional information about configuring a new rate class, click the Help button.

    Note


    For information on configuring IP filters from the command line, refer to the ipfw man page.

    After you have added a rate class, you can configure rate filters for your system.


To configure a rate filter using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Filter button.
    The Add Rate Filter screen opens.
  4. Type the necessary information to configure a new rate filter. For additional information about configuring a rate filter, click the Help button.

    Note


    For information on configuring IP filters on the command line, refer to the ipfw man page.