F5 Logo MyF5
Search
  1. MyF5 Home
  2. Knowledge Centers
  3. BIG-IP PEM
  4. BIG-IP Policy Enforcement Manager: Implementations
  5. Configuring Service Chains
Manual Chapter : Configuring Service Chains

Applies To:

Show Versions Show Versions

BIG-IP PEM

  • 12.1.6, 12.1.5, 12.1.4, 12.1.3, 12.1.2, 12.1.1, 12.1.0
Manual Chapter
Table of Contents | << Previous Chapter | Next Chapter >>

Configuring Service Chains

Overview: Configuring service chains

You can use the Policy Enforcement Manager™ to create service chains to route traffic to one or more value-added services on the way to its final destination. The service chains define the path and order that you want traffic to take. There are several value-added services involved and after each endpoint the traffic comes back to the BIG-IP system. An endpoint specifies each place you want to send the traffic, so the service chain is essentially between the value-added services endpoints for traffic to stop at on its way to the server it is headed to. For example, you can forward traffic sequentially for virus scanning, parental control, and caching.

You set up service chains by creating an enforcement policy that defines the traffic that you want to route to the service chain. Rules in the enforcement policy specify conditions that the traffic must match, and actions for what to do with that traffic. One of the actions you can take is to send the traffic to a service chain.

While a static service chain defines fixed value-added services, a dynamic service chain provides service chain action that can dynamically change depending on the flow of parameters and you can attach a steering policy that can override the decision of the next session. You can use dynamic service chain to insert or name header and steer different service. Internet Content Adaptation Protocol (ICAP) is one of the services possible to use in a service chain. Dynamic service chain makes the service chain intelligent and flexible by providing the following support:

  • Ability to add or skip different value-added services endpoints by selecting policy based forwarding endpoint.
  • Perform header insertion or removal per value-added service chain, depending on the policy.
  • Includes one sideband value-added service in the service chain using ICAP as the protocol.

You can create listeners to set up virtual servers and associate enforcement policies with the traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies the enforcement policy that the system uses for the service chain.

Task Summary

About services profiles

You can configure the Internet Content Adaptation Protocol (ICAP) profile, request adaptation profile, and response adaptation profile for using the dynamic service chain feature in Policy Enforcement Manager™.

The internal virtual server references the pool of content adaptation servers. The internal virtual server also references an ICAP profile, which includes specific instructions for how the BIG-IP® system should modify each request or response. Once the request and response adapt profiles have been created, you can attach the profiles to the HTTP virtual server. The adapt profiles use multiple internal virtual servers for various content types.

The HTTP listener must have adapt profile set. The adapt profiles need to be configured as disabled and are enabled by PEM based on the policy action applied.

About service chain processing

The service chain endpoints that have steering policy attached, define the service chain. The dynamic service chain follows these processing strategies:

  • The initial subscriber flow start processing of the service chain starts from the first service.
  • The steering policy is evaluated before taking in account a default ICAP adaptation or the steering endpoint.

The steering policy changes the service chain in many ways:

  • Skips the part of the service chain.
  • Skips to different service of the ICAP or steering policy.
  • Skip the rest of the service chain and route traffic to the network.
  • Applies different services that are not on the chain. The steering policy can apply ICAP and skip the rest of the chain. It can also apply steering, skipping all ICAP on the VLAN. The service chain continues when the flow returns from the service.

Creating a ICAP profile for policy enforcement

You create this ICAP profile when you want to use an ICAP server to wrap an HTTP request in an ICAP message before the BIG-IP® system sends the request to a pool of web servers. The profile specifies the HTTP request-header values that the ICAP server uses for the ICAP message.

  1. On the Main tab, click Local Traffic > Profiles > Services > ICAP .
  2. Click Create.
  3. In the Name field, type a unique name for the profile.
  4. Click Finished.
After you create the ICAP profile, you can assign it to an internal virtual server so that the HTTP request that the BIG-IP system sends to an ICAP server is wrapped in an ICAP message, according to the settings you specified in the ICAP profile.
Note: Different services may require different ICAP profiles.

Creating a Request Adapt profile

You create a Request Adapt type of profile when you want a standard HTTP virtual server to forward HTTP requests to an internal virtual server that references a pool of ICAP servers. A Request Adapt type of profile instructs the HTTP virtual server to send an HTTP request to a named internal virtual server for possible request modification.
  1. On the Main tab, click Local Traffic > Profiles > Services > Request Adapt .
  2. Click Create.
  3. In the Name field, type a unique name for the profile.
  4. For the Parent Profile setting, retain the default value, requestadapt.
  5. On the right-side of the screen, select the Custom check box.
  6. Disable the setting by clearing the Enabled check box.
    When you clear the Enabled check box, Policy Enforcement Manager™ controls this based on the policy.
  7. In the Preview Size field, type a numeric value.
    This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP request header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to 0 disables buffering of the request and should only be done if the adaptation server always returns a modified HTTP request or the original HTTP request.
  8. For the Allow HTTP 1.0 setting, select the Enabled check box.
  9. Click Finished.
After you perform this task, the BIG-IP® system contains a Request Adapt profile that a standard HTTP virtual server can use to forward an HTTP request to an internal virtual server for ICAP traffic. You need to attach a Request Adapt profile to a standard HTTP virtual server to forward the HTTP requests.

Creating a Response Adapt profile

You create a Response Adapt type of profile when you want a standard HTTP virtual server to forward HTTP responses to an internal virtual server that references a pool of ICAP servers. A Response Adapt type of profile instructs the HTTP virtual server to send an HTTP response to a named internal virtual server for possible response modification.
  1. On the Main tab, click Local Traffic > Profiles > Services > Response Adapt .
  2. Click Create.
  3. In the Name field, type a unique name for the profile.
  4. For the Parent Profile setting, retain the default value, responseadapt.
  5. On the right-side of the screen, select the Custom check box.
  6. Disable the setting by clearing the Enabled check box.
    When you clear the Enabled check box, Policy Enforcement Manager™ controls the profile based on the policy.
  7. In the Preview Size field, type a numeric value.
    This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP response header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to 0 disables buffering of the response and should only be done if the adaptation server always returns a modified HTTP response or the original HTTP response.
  8. For the Allow HTTP 1.0 setting, check the Enabled check box.
After you perform this task, the BIG-IP® system contains a Response Adapt profile that a standard HTTP virtual server can use to forward an HTTP response to an internal virtual server for ICAP traffic. You need to attach a Response Adapt profile to a standard HTTP virtual server to forward the HTTP responses.

Creating an internal virtual server for ICAP server

You perform this task to create a standard virtual server that can forward an HTTP request or response to an internal virtual server. The internal virtual server then sends the request or response to a pool of ICAP servers before the BIG-IP® system sends the request or response to the client or web server.
  1. On the Main tab, click Local Traffic > Virtual Servers .
    The Virtual Server List screen opens.
  2. Click the Create button.
    The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. From the Type list, select Internal.
  5. For the State setting, verify that the value is set to Enabled.
  6. From the Configuration list, select Advanced.
  7. From the ICAP Profile list, select the name of the HTTP profile that you created previously.
  8. From the Source Address Translation list, select Auto Map.
    The BIG-IP® system uses all of the self IP addresses as the translation addresses for the pool.
  9. Optionally, from the OneConnect Profile list, select a custom OneConnect profile.

Note: Setting OneConnect Profile to ICAP virtual server, is highly recomended when configuring ICAP virtual.

  1. From the Default Pool list, select the pool of ICAP servers that you previously created.
  2. Click Finished.
After you create the virtual server, the BIG-IP® system can forward an HTTP request or response to a pool of ICAP servers before sending the request or response to the client or web server, respectively.

Creating a pool

You can create a pool of servers that you can group together to receive and process traffic.
  1. On the Main tab, click Local Traffic > Pools .
    The Pool List screen opens.
  2. Click Create.
    The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. (Optional) In the Node Name field, type a name for the node portion of the pool member.
    2. In the Address field, type an IP address.
    3. In the Service Port field, type a port number, or select a service name from the list.
    4. (Optional) In the Priority field, type a priority number.
    5. Click Add.
  5. Click Finished.
  6. Repeat these steps for each pool you want to create.
The new pool appears in the Pools list.

Creating endpoints for service chains

Before you can create an endpoint, you need to create a pool that specifies where you want to direct the classified traffic.
If you plan to set up a service chain, you need to create one or more endpoints that specify the locations of the value-added services to which to send the traffic.
  1. On the Main tab, click Policy Enforcement > Forwarding > Endpoints .
    The Endpoints screen opens.
  2. Click Create.
    The New Endpoint screen opens.
  3. In the Name field, type a name for the endpoint.
  4. From the Pool list, select the pool to which you want to steer a particular type of traffic.
  5. Use the default values for the other fields.
  6. Click Finished.
    The endpoint you created is on the endpoint list.
You link the endpoints together by creating a service chain.

Creating dynamic service chains

Before you can create a service chain, you need to have created endpoints for every service that you want the traffic to be directed to. Set up the servers at those endpoints to handle the traffic and (if conditions are right), return it to the BIG-IP® system. You should have attached the HTTP virtual server to the request adapt profile and response adapt profile. You also need to create VLANs for every traffic entry point.
To send traffic to multiple endpoints, including value-added services, you create service chains that define where to send traffic on the way to its final destination. This way, the system can route traffic to other servers that can handle additional functions. Additionally, you can attach a steering action policy, such as modify headers, when you create a service chain which can be later modified at the other end.
Note: If you want to use steering policy, you must define endpoint in service chain.
  1. On the Main tab, click Policy Enforcement > Forwarding > Service Chains .
    The Service Chains screen opens.
  2. Click Create
    The New Service Chains screen opens.
  3. In the Name field, type a name for the service chain.
  4. In the Service Chain List setting, add the endpoints to the service chain. For each place you want to send the traffic, specify the following information:
    1. From the Service Endpoint Name list, type the name of the service endpoint where the traffic is going to.
    2. From the VLAN list, select the name of the VLAN where the traffic is coming from.
      Note: Your first service chain should have subscriber VLAN in the VLAN field.
    3. From the Policy list, select the name of the steering policy.
      Note: If all the service endpoints do not have a steering policy, the service chain is static.
      Important: If the policy defining the steering does not match the policy set in the service chain, then the service chain is not processed.
    4. From the Forwarding Endpoint list, select the name of the endpoint to which you send traffic.

      When you configure a new forwarding endpoint ( Policy Enforcement > Forwarding > Endpoints ), set Address Translation and Port Translation as Disabled.

      Note: You need to always configure a default forwarding endpoint or else the flow will exit the service chain and get skipped. If you are in the final leg, then configure without default.
      Important: When you use ICAP service, you cannot have a ICAP and a forwarding endpoint on the same service endpoint.
    5. From the Service Option list, select the service option in case the service endpoint is not reachable. Select Optional if you want to skip the service endpoint. Select Mandatory if you want all traffic flows dropped.
      Note: To use dynamic service chain, select Optional. If service endpoint is not available and set to mandatory, you cannot steer policies.
      Note: The Service Option parameter works only if the right endpoint has a monitor set in the pool. For example, set gateway ICMP to the pool. Otherwise, traffic is dropped even if Optional is set.
    6. From the Internal Virtual list, select the internal ICAP virtual server.
      Important: You cannot have consecutive ICAP on the same VLAN.
    7. Click Add.
  5. From the ICAP Type list, select the action you want to implement. Select Request to send only HTTP requests to ICAP server. Select Response to send only HTTP responses to ICAP server. Select Request and Response to have both requests and responses.
    • Select Response to send only HTTP responses to ICAP server.
    • Select Request and Response to have both requests and responses.
    Note: Select the Internal Virtual to configure the ICAP Type setting.
  6. Click Finished.
    Note: If steering action is applied after the ICAP request, service endpoint with forwarding endpoint should have the same VLAN configured as the service endpoint with ICAP enabled.
You can direct traffic to the service chain you created in the policy rules in an enforcement policy.

Creating an enforcement policy

If you want to classify and intelligently steer traffic, you need to create an enforcement policy. The policy describes what to do with specific traffic, and how to treat the traffic.
  1. On the Main tab, click Policy Enforcement > Policies .
    The Policies screen opens.
  2. Click Create.
    The New Policy screen opens.
  3. In the Name field, type a name for the policy.
    Tip: When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the word global or unknown in the policy name to distinguish these from other subscriber policies.
  4. From the Transactional list, select Enabled if you want the BIG-IP system to allow policy enforcement on each HTTP transaction.
  5. Click Finished.
    Important: The system performance is significantly affected, depending on complexity of the classification and the type of policy action.
    The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and actions.

Configuring steering action policy

You can configure HTTP headers of the steering policy in the BIG-IP® system.
Note: If the steering action is enabled, steering policy is evaluated based on the VLAN flow. If no steering policy is configured, then the default endpoint is the next service endpoint.
  1. On the Main tab, click Policy Enforcement > Policies .
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence, applied in parallel.
  6. From the Modify Header list, select Enabled, to modify the HTTP request header.
    More modify header configuration options display.
  7. To modify the HTTP request header, select the action you want to implement.
    • Select Insert String Value to insert a stringvalue that you have specified before.
    • Select Insert Value from Script to specify that the BIG-IP system can insert value received from the TCL expression.
    • Select Remove to remove the string value that you previously created.
  8. In the Header Name field, type a header name.
  9. In the String Value field, type a string value for the header.
  10. Click Finished.
You can add more rules to an enforcement policy in addition to configuring HTTP header action.

Adding rules to an enforcement policy

Before you can add rules to an enforcement policy, you need to create the policy, then reopen it.
You add rules to an enforcement policy to select the traffic you want to affect, and the actions to take. A rule associates an action with a specific type of traffic. So you can, for example, add a rule to select all audio-video traffic and send it to a pool of servers that are optimized to handle that type of traffic.
  1. On the Main tab, click Policy Enforcement > Policies .
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence, applied in parallel.
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  7. From the Modify Header list, select Enabled, to modify the HTTP request header.
    More modify header configuration options display.
  8. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic.
    Other tasks describe how to do this in detail.
    If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  9. From the Congestion Detection list, select Enable, to congestion detection in the Radio Access Network.
    1. In the Threshold field, type the lower threshold bandwidth for a session. The default value is 1000kbs.
    2. ForDestination list, select the publisher name from the HSL publisher drop-down list.
    The state of congestion detection is now controlled by policy application, and different subsets of subscribers can have different settings. This enables congestion-detection for specific types of applications as it pairs with specific policy rule conditions.
  10. Click Finished.
  11. Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you added.
Now you need to associate the enforcement policy with the virtual server (or servers) to which traffic is directed.

Creating a rule for forwarding traffic

You can create a rule that forwards traffic to an endpoint. For example, you might want to direct video traffic to a server that is optimized for video viewing.
  1. On the Main tab, click Policy Enforcement > Policies .
    The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to.
    The properties screen for the policy opens.
  3. In the Policy Rules area, click Add.
    The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. The conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if you have rule 1 with precedence 10 and Gate Status disabled for a search engine, and you have rule 2 with precedence 11 and Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule). In some cases, different policy actions are not conflicting, and hence, applied in parallel.
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule.
  7. In the Gate area, for Gate Status, select Enabled.
    Options provide several ways to forward the traffic.
  8. In the Forwarding area, for HTTP Redirect, select Enabled, and type the URL.
  9. From the Forwarding list, select an option where you would like to forward the traffic.
    Options Description
    Route to Network The traffic flow is forwarded to the default destination.
    Forwarding to Endpoint The flow is steered to a different destination and you can select one of the endpoints.
    Forward to ICAP virtual Server The flow is forwarded to the ICAP virtual server.
  10. From the Forwarding Fallback Action list, select Drop or Continue to specify if the connection can remain unchanged or should be dropped if the forwarding action fails.
  11. From the ICAP Virtual Server list, select an internal virtual server that you have created, or click Create to create a new internal virtual server.
  12. From the ICAP Type list, select an ICAP adaptation type.
    • Select Request to send a portion of the request to the ICAP server.
    • Select Response to receive a portion of the response from the ICAP server.
    • Select Request and Response to have both types of adaptation.
  13. From the Service Chain list, select Create to direct traffic to more than one location (such as value-added services).
  14. Click Finished.
You have created a rule that forwards traffic.

Creating a data plane virtual group

If you want to steer specific traffic (or otherwise regulate certain types of traffic) you must first develop appropriate enforcement policies. If using a Gx interface to a PCRF, you need to create a new virtual group in listeners that connect to a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement. Creating a listener performs preliminary setup on the BIG-IP® system for application visibility, intelligent steering, bandwidth management, and reporting.
  1. On the Main tab, click Policy Enforcement > Listeners .
    The Listeners screen opens.
  2. Click Data Plane.
    The Data Plane screen opens.
  3. Click Add Group.
    The New Virtual Group screen opens.
  4. In the Name field, type a unique name for the listener.
  5. In the Destination Address field, type the IP address of the virtual server. For example, 10.0.0.1 or 10.0.0.0/24.
    Note: When you use an IPv4 address without specifying a prefix, the BIG-IP® system automatically uses a /32 prefix.
    Tip: You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is delivered to the BIG-IP® system. Configure the source and destination setting, during forwarding mode only. In the relay mode, the client does not have an IP address and the DHCP provides the client with an IP address.
    The system will create a virtual server using the address or network you specify.
  6. For the Service Port setting, type or select the service port for the virtual server.
  7. From the VLAN and Tunnel Traffic list, select Enabled on. Then, for the VLANs and Tunnels setting, move the VLAN or VLANs on which you want to allow the virtual servers to share traffic from the Available list to the Selected list.
  8. For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor from the Available list to the Selected list.
  9. In the Policy Provisioning area, select enforcement policies to apply to the traffic.
    1. For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence.
      Note: For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
    2. For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
    The system applies the global policy to all subscribers in parallel with the subscriber policies, and must be configured with unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence policies are overridden by conflicting subscriber policies.
  10. Click Finished.
    The Policy Enforcement Manager creates a listener.
When you create a listener, Policy Enforcement Manager™ also creates virtual servers for each type of traffic (TCP, UDP, or both and IP), and a virtual server for HTTP traffic. The system sets up classification and assigns the appropriate policy enforcement profile to the virtual servers. If you are connecting to a RADIUS authentication server, a virtual server for RADIUS is also added.
Now you can send traffic through the network. As network traffic moves through the BIG-IP® system, the system classifies the traffic, and if you have developed policies, the system performs the actions specified by the enforcement policy rules.
Table of Contents | << Previous Chapter | Next Chapter >>
Contact Support Contact Support

Have a Question?

Support and Sales >

About F5

Education

F5 Sites

Support Tasks




©2023 F5 Networks, Inc. All rights reserved.


Trademarks Policies Privacy California Privacy Do Not Sell My Personal Information