Manual Chapter : BIG-IP Reference Guide v4.1: Configuring Filters

Applies To:


BIG-IP versions 1.x - 4.x

  • 4.1.1 PTF-06, 4.1.1 PTF-05, 4.1.1 PTF-04, 4.1.1 PTF-03, 4.1.1 PTF-02, 4.1.1 PTF-01, 4.1.1, 4.1.0


4. Configuring Filters



Introduction

Filters control network traffic by setting whether packets are forwarded or rejected at the external network interface. Filters apply to both incoming and outgoing traffic. When creating a filter, you define criteria which are applied to each packet that is processed by the BIG-IP. You can configure the BIG-IP to forward or block each packet, based on whether or not the packet matches the criteria.

The BIG-IP supports two types of filters, IP filters and rate filters.

Filter options are shown in Table 4.1.

Table 4.1 The attributes you can configure for a filter

| Filter Options | Description |
| --- | --- |
| IP filter | You can configure IP filters to control requests sent to the BIG-IP by other hosts in the network. |
| Rate filter | You can configure rate filters to control the flow of traffic into the BIG-IP based on rate classes you define. In order to create a rate filter, you must first define a rate class. |
| Rate class | You can define a rate class for use with a rate filter. A rate class is a definition used by a rate filter to restrict the flow of traffic into the BIG-IP. |

Warning: Filtering should be kept to the minimum necessary, as filters may adversely affect performance.

IP filters

Typical criteria that you define in IP filters are packet source IP addresses, packet destination IP addresses, and upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.

For a single filter, you can define multiple criteria in multiple, separate statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same filter. You can have as many criteria statements as you want, limited only by the available memory. Of course, the more statements you have, the more difficult it is to understand and maintain your filters.

Configuring IP filters

When you define an IP filter, you can filter traffic in two ways:

  • You can filter traffic going to a specific destination or coming from a specific destination, or both.
  • The filter can allow network traffic through, or it can reject network traffic.

To define an IP filter using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. In the IP Filters screen, click the Add button.
    The Add IP Filter screen opens.
  3. In the Add IP Filter screen, fill in the fields to define the filter. For additional information about defining an IP filter, click the Help button.

    Note: For information on configuring IP filters from the command line, refer to the IPFW man page by typing man ipfw at the command prompt. You can configure more complex filtering from the IPFW command line interface than you can in the Configuration utility.

Warning: Any ipfw-specific settings will be removed if you subsequently modify the filter using the Configuration utility.

Rate filters and rate classes

In addition to IP filters, you can also define rates of access by using a rate filter. Rate filters consist of the basic filter and a rate class. Rate classes define how many bits per second are allowed per connection, and the number of packets in a queue.

Configuring rate filters and rate classes

Rate filters are a type of extended IP filter. They use the same IP filter method, but they apply a rate class which determines the volume of network traffic allowed through the filter.

Tip: You must define at least one rate class in order to apply a rate filter.

Rate filters are useful for sites that have preferred clients. For example, an e-commerce site may want to set a higher throughput for preferred customers, and a lower throughput for random site traffic.
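The following added example is not from the F5 manual and is not BIG-IP's implementation. It models the two rate-class attributes described above (bits per second per connection, and queue length in packets) as a simple FIFO, to show how a burst fares under a high-rate and a low-rate class. The `RateClass` type, the class names and numbers, and the drop-on-full-queue behaviour are assumptions made for illustration.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class RateClass:
    """Hypothetical model of a rate class: a bit rate plus a packet queue."""
    name: str
    bits_per_second: int
    queue_packets: int


def shape(rate_class, arrivals):
    """Run one connection's packets through the rate class.

    arrivals: (arrival_time_us, size_bytes) tuples in time order.
    Returns one entry per packet: departure time in microseconds, or None
    if the queue was full on arrival (assumed tail drop).
    """
    pending = deque()   # departure times of packets queued or being sent
    link_free_at = 0
    departures = []
    for arrival_us, size_bytes in arrivals:
        while pending and pending[0] <= arrival_us:
            pending.popleft()               # already sent by now
        if len(pending) >= rate_class.queue_packets:
            departures.append(None)         # queue full: packet is dropped
            continue
        start = max(arrival_us, link_free_at)
        tx_us = size_bytes * 8 * 1_000_000 // rate_class.bits_per_second
        link_free_at = start + tx_us
        pending.append(link_free_at)
        departures.append(link_free_at)
    return departures


def summarize(departures):
    """Return (delivered, dropped) counts for a shape() result."""
    dropped = departures.count(None)
    return len(departures) - dropped, dropped


# Constructed input: eight 1250-byte packets arriving 10 ms apart.
BURST = [(i * 10_000, 1250) for i in range(8)]
PREFERRED = RateClass("preferred", 1_000_000, 10)   # constructed values
DEFAULT = RateClass("default", 100_000, 3)          # constructed values

if __name__ == "__main__":
    for rc in (PREFERRED, DEFAULT):
        print(rc.name, summarize(shape(rc, BURST)), shape(rc, BURST))
```

In this model the queue count includes the packet currently being transmitted, so a short queue combined with a low bit rate drops most of a burst, while the higher-rate class keeps pace with it.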

Configuring rate filters involves both creating a rate filter and a rate class. When you configure rate filters, you can use existing rate classes. However, if you want a new rate filter to use a new rate class, you must configure the new rate class before you configure the new rate filter.

To configure a new rate class using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Class button.
    The Add Rate Class screen opens.
  4. Type the necessary information to configure a new rate class. For additional information about configuring a new rate class, click the Help button.

    Note: For information on configuring IP filters from the command line, refer to the IPFW man page.

    After you have added a rate class, you can configure rate filters for your system.

To configure a rate filter using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Filter button.
    The Add Rate Filter screen opens.
  4. Type the necessary information to configure a new rate filter. For additional information about configuring a rate filter, click the Help button.

    Note: For information on configuring IP filters on the command line, refer to the IPFW man page.