
Archived Manual Chapter: BIG-IP Reference Guide version 4.2: Configuring Filters

This article has been archived, and is no longer maintained.



5

Configuring Filters



Introduction

Filters control network traffic by setting whether packets are accepted or rejected at the external network interface. Filters apply to both incoming and outgoing traffic. When creating a filter, you define criteria which are applied to each packet that is processed by the BIG-IP. You can configure the BIG-IP to accept or block each packet, based on whether or not the packet matches the criteria.

The BIG-IP supports two types of filters, IP filters and rate filters.

Filter options are shown in Table 5.1.

Table 5.1: The attributes you can configure for a filter

| Filter Options | Description |
|---|---|
| IP filter | You can configure IP filters to control requests sent to the BIG-IP by other hosts in the network. |
| Rate filter | You can configure rate filters to control the flow of traffic into the BIG-IP based on rate classes you define. In order to create a rate filter, you must first define a rate class. |
| Rate class | You can define a rate class for use with a rate filter. A rate class is a definition used by a rate filter. |

Warning: Filtering should be kept to the minimum necessary, as filters may adversely affect performance.

Warning: Rate filters that limit traffic can have an adverse effect on monitors. If you have a large number of monitors configured, and the filters limit the monitor traffic, the monitor will mark the service as down.

IP filters

Typical criteria that you define in IP filters are packet source IP addresses, packet destination IP addresses, and upper-layer protocol of the packet. However, each protocol has its own specific set of criteria that can be defined.

For a single filter, you can define multiple criteria in multiple, separate statements. Each of these statements should reference the same identifying name or number, to tie the statements to the same filter. You can have as many criteria statements as you want, limited only by the available memory. Of course, the more statements you have, the more difficult it is to understand and maintain your filters.

Configuring IP filters

When you define an IP filter, you can filter traffic in two ways:

  • The filter can filter traffic going to a specific destination, coming from a specific destination, or both.
  • The filter can allow network traffic through, or it can reject network traffic.

To define an IP filter using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. In the IP Filters screen, click the Add button.
    The Add IP Filter screen opens.
  3. In the Add IP Filter screen, fill in the fields to define the filter. For additional information about defining an IP filter, click the Help button.

Note: For information on configuring IP filters from the command line, refer to the IPFW man page by typing man ipfw at the command prompt. You can configure more complex filtering by using the IPFW command line interface than you can from the Configuration utility.

Warning: Any ipfw-specific settings will be removed if you subsequently modify the filter using the Configuration utility.

Rate filters and rate classes

In addition to IP filters, you can also define rate filters. Rate filters consist of the basic filter and a rate class. Rate classes define how many bits per second are allowed per connection, and the number of packets in a queue.

Configuring rate filters and rate classes

Rate filters are a type of extended IP filter. They use the same IP filter method, but they apply a rate class which determines the volume of network traffic allowed through the filter.

Tip: You must define at least one rate class in order to apply a rate filter.

Rate filters are useful for sites that have preferred clients. For example, an e-commerce site may want to set a higher throughput for preferred customers, and a lower throughput for random site traffic.

Configuring rate filters involves both creating a rate filter and a rate class. When you configure rate filters, you can use existing rate classes. However, if you want a new rate filter to use a new rate class, you must configure the new rate class before you configure the new rate filter.
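The following Python sketch is an added example, not BIG-IP code or ipfw syntax. It models a rate class as a drain rate in bits per second plus a bounded packet queue, and shows why the earlier warning about monitors matters: a probe that shares a saturated class is dropped, while a probe matched by its own filter is not. The addresses, rates, first-match ordering and class names are all assumptions made for the illustration.

```python
import ipaddress
from collections import deque

class RateClass:
    """Conceptual rate class: a drain rate plus a bounded packet queue."""
    def __init__(self, bits_per_sec, queue_len):
        self.bits_per_sec = bits_per_sec
        self.queue_len = queue_len
        self.finish_us = deque()  # departure time (microseconds) of each queued packet

    def offer(self, now_us, size_bytes):
        """Queue the packet and return True, or return False if the queue is full."""
        while self.finish_us and self.finish_us[0] <= now_us:
            self.finish_us.popleft()  # this packet has already been transmitted
        if len(self.finish_us) >= self.queue_len:
            return False
        start = self.finish_us[-1] if self.finish_us else now_us
        self.finish_us.append(start + size_bytes * 8 * 1_000_000 // self.bits_per_sec)
        return True

def dropped(filters, packets):
    """filters: ordered (network, RateClass) pairs; first match wins (assumption).
    packets: (time_us, source_ip, size_bytes, label) tuples.
    Returns the labels of dropped packets; unmatched packets pass unshaped."""
    out = []
    for t, src, size, label in sorted(packets):
        for net, rate_class in filters:
            if ipaddress.ip_address(src) in ipaddress.ip_network(net):
                if not rate_class.offer(t, size):
                    out.append(label)
                break
    return out

MONITOR = "10.0.0.5"  # constructed address standing in for a health monitor source

def traffic():
    """Constructed sample: one client sends 1500-byte packets every 1 ms for
    100 ms, and a single 64-byte monitor probe is sent at t = 50 ms."""
    bulk = [(t, "192.0.2.10", 1500, "bulk") for t in range(0, 100_000, 1000)]
    return bulk + [(50_000, MONITOR, 64, "monitor")]

def shared_class():
    # One catch-all rate filter: the monitor competes with bulk traffic.
    return [("0.0.0.0/0", RateClass(1_000_000, 5))]

def monitor_exempt():
    # The monitor source is matched first and gets its own rate class.
    return [(MONITOR + "/32", RateClass(1_000_000, 5)),
            ("0.0.0.0/0", RateClass(1_000_000, 5))]
```

Calling `dropped(shared_class(), traffic())` includes the monitor probe among the drops, while `dropped(monitor_exempt(), traffic())` drops only bulk packets.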

To configure a new rate class using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Class button.
    The Add Rate Class screen opens.
  4. Type the necessary information to configure a new rate class. For additional information about configuring a new rate class, click the Help button.

Note: For information on configuring IP filters from the command line, refer to the IPFW man page.

After you have added a rate class, you can configure rate filters for your system.

To configure a rate filter using the Configuration utility

  1. In the navigation pane, click Filters.
    The IP Filters screen opens.
  2. Click the Rate Filters tab.
    The Rate Filters screen opens.
  3. Click the Add Filter button.
    The Add Rate Filter screen opens.
  4. Type the necessary information to configure a new rate filter. For additional information about configuring a rate filter, click the Help button.

Note: For information on configuring IP filters on the command line, refer to the IPFW man page.
