Manual Chapter: Configuring Service Chains

Overview: Configuring service chains

You can use the Policy Enforcement Manager to create service chains to route traffic to one or more value-added services on the way to its final destination. The service chains define the path and order that you want traffic to take. An endpoint specifies each place you want to send the traffic, so the service chain is essentially a list of endpoints for traffic to stop at on its way to the server it is headed to. For example, you can forward traffic for virus scanning, parental control, and caching.

You set up service chains by creating an enforcement policy that defines the traffic that you want to route to the service chain. Rules in the enforcement policy specify conditions that the traffic must match, and actions for what to do with that traffic. One of the actions you can take is to send the traffic to a service chain.

You can create listeners to set up virtual servers, and associate enforcement policies with the traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies the enforcement policy that the system uses for the service chain.

Task Summary

Creating a pool

You can create a pool of servers that you can group together to receive and process traffic.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field.
    2. Type a port number in the Service Port field, or select a service name from the list.
    3. To specify a priority group, type a priority number in the Priority Group Activation field.
    4. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating endpoints for service chains

Before you can create an endpoint, you need to create a pool that specifies where you want to direct the classified traffic.
If you plan to set up a service chain, you need to create one or more endpoints that specify the locations of the value-added services to which to send the traffic.
  1. On the Main tab, click Policy Enforcement > Forwarding > Endpoints. The Endpoints screen opens.
  2. Click Create. The New Endpoint screen opens.
  3. In the Name field, type a name for the endpoint.
  4. From the Pool list, select the pool to which you want to steer a particular type of traffic.
  5. Use the default values for the other fields.
  6. Click Finished. The endpoint you created is on the endpoint list.
You link the endpoints together by creating a service chain.

Creating service chains

Before you can create a service chain, you need to have created endpoints for every service that you want the traffic to be directed to. You must also have set up the servers at those endpoints to handle the traffic and (if conditions are right) return it to the BIG-IP system. You also need to have created VLANs for every traffic entry point.
To send traffic to multiple endpoints, including value-added services, you create service chains that define where to send traffic on the way to its final destination. This way, the system can route traffic to other servers that can handle additional functions.
  1. On the Main tab, click Policy Enforcement > Forwarding > Service Chains.
  2. Click Create. The New Service Chain screen opens.
  3. In the Name field, type a name for the service chain.
  4. In the Service Chain List setting, add the endpoints to the service chain. For each place you want to send the traffic, specify the following information:
    1. From the VLAN list, select the name of the VLAN where the traffic is coming from.
    2. From the Forwarding Endpoint list, select the name of the endpoint to which to send traffic.
    3. Click Add.
  5. Click Finished.
You can direct traffic to the service chain you created in the policy rules in an enforcement policy.

Creating an enforcement policy

If you want to classify and intelligently steer traffic, you need to create an enforcement policy. The policy describes what to do with specific traffic, and how to treat the traffic.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click Create. The New Policy screen opens.
  3. In the Name field, type a name for the policy.
    Tip: When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the word global or unknown in the policy name to distinguish these from other subscriber policies.
  4. Click Finished. The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and actions.

Adding rules to an enforcement policy

Before you can add rules to an enforcement policy, you need to create the policy, then reopen it.
You add rules to an enforcement policy to select the traffic you want to affect, and the actions to take. A rule associates an action with a specific type of traffic. So you can, for example, add a rule to select all audio-video traffic and send it to a pool of servers that are optimized to handle that type of traffic.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. For example, if you have a rule 1 with precedence 10 with Gate Status disabled for Google and you have rule 2 with precedence 11 with Gate Status enabled, then rule 1 is implemented first because it has higher precedence.
  6. Use the Classification, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule. Other tasks describe how to do this in detail.
  7. Use the Reporting, Forwarding, or QoS areas to specify what you want to do with the traffic that you are classifying. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  8. Click Finished.
  9. Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you added.
Now you need to associate the enforcement policy with the virtual server (or servers) to which traffic is directed.

Creating a rule for forwarding traffic

You can create a rule that forwards traffic to an endpoint. For example, you might want to direct video traffic to a server that is optimized for video viewing.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect when there are conflicting rules. For example, if you have a rule 1 with precedence 10 with Gate Status disabled for Google and you have rule 2 with precedence 11 with Gate Status enabled, then rule 1 is implemented first because it has higher precedence.
  6. Use the Classification, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule. Other tasks describe how to do this in detail.
  7. In the Forwarding area, for Gate Status, select Enabled. Options provide several ways to forward the traffic.
    • To redirect traffic to a URL, for HTTP Redirect, select Enabled, and type the URL.
    • To direct traffic to a specific location, from the Forwarding Endpoint list, select the name of an endpoint that you previously created.
    • To direct traffic to more than one location (such as value-added services), from the Service Chain list, select the name of a service chain that you previously created.
  8. Click Finished.
You have created a rule that forwards traffic.

Creating a listener

If you want to steer specific traffic, or otherwise regulate certain types of traffic, you need to have developed enforcement policies. If using a Gx interface to a PCRF, you need to create a listener that connects to a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement. Creating a listener does preliminary setup on the BIG-IP system for application visibility, intelligent steering, bandwidth management, and reporting.
  1. On the Main tab, click Policy Enforcement > Listeners. The Listeners screen opens.
  2. Click Create. The New Listener screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, select Host or Network, and type the IP address or network and netmask to use.
    Tip: You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is routed to the BIG-IP system.
    The system will create a virtual server using the address or network you specify.
  5. For the Service Port setting, type or select the service port for the virtual server.
  6. Subscriber provisioning using RADIUS is enabled by default. If your system is using RADIUS for snooping subscriber identity, you need to specify VLANs and tunnels. If you are not using RADIUS, you need to disable it.
    • For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor for RADIUS traffic from the Available list to the Selected list.
    • If you do not want to use RADIUS, from the Subscriber Identity Collection list, select Disabled.
  7. In the Policy Provisioning area, select enforcement policies to apply to the traffic.
    1. For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence.
    2. For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
    The system applies the global policy to all subscribers in parallel with the subscriber policies. High-precedence global policies override conflicting subscriber policies, and low-precedence policies are overridden by conflicting subscriber policies.
  8. Click Finished. The Policy Enforcement Manager creates a listener, and displays the listener list.
When you create a listener, the Policy Enforcement Manager also creates virtual servers for each type of traffic (TCP, UDP, or both), and a virtual server for HTTP traffic. The system enables classification and assigns the appropriate policy enforcement profile to the virtual servers. If you are connecting to a RADIUS authentication server, a virtual server for RADIUS is also added.
Now you can send traffic through the network. As network traffic moves through the BIG-IP system, the system classifies the traffic, and if you have developed policies, the system performs the actions specified by the enforcement policy rules.
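
The following is an added example, not part of the original manual and not F5 code: a simplified Python model of how conflicting rules resolve, combining the rule precedence Tip with the listener's High Precedence / Low Precedence global policy settings. The action names, rule names, and chain names are constructed, and comparing the policy tier before the rule's precedence number is an assumption of this model.

```python
from dataclasses import dataclass

# Tier order from the listener section: high-precedence global policies beat
# subscriber policies, which beat low-precedence global policies.
# Assumption: the tier is compared before a rule's own precedence number.
TIERS = ("global-high", "subscriber", "global-low")

@dataclass
class Rule:
    name: str
    precedence: int   # 1 is the highest precedence
    apps: frozenset   # classification criteria, simplified to application names
    actions: dict     # constructed action names, e.g. {"gate_status": "disabled"}

def effective_actions(policies, app):
    """Return {action: (value, winning rule)} for traffic classified as `app`.

    Every matching rule contributes its actions (rules run concurrently);
    ordering only decides which rule wins when two set the same action.
    """
    result = {}
    for tier in TIERS:
        matching = [r for r in policies.get(tier, []) if app in r.apps]
        for rule in sorted(matching, key=lambda r: r.precedence):
            for action, value in rule.actions.items():
                result.setdefault(action, (value, rule.name))
    return result

# Constructed sample policies; rule1 and rule2 mirror the Tip's Google example.
POLICIES = {
    "global-high": [Rule("gh-video", 50, frozenset({"video"}),
                         {"service_chain": "scan-chain"})],
    "subscriber": [
        Rule("rule2", 11, frozenset({"google"}),
             {"gate_status": "enabled", "service_chain": "vas-chain"}),
        Rule("rule1", 10, frozenset({"google"}), {"gate_status": "disabled"}),
    ],
    "global-low": [Rule("low-default", 1, frozenset({"google", "video"}),
                        {"gate_status": "enabled", "service_chain": "cache-chain"})],
}

if __name__ == "__main__":
    for app in ("google", "video"):
        print(app, effective_actions(POLICIES, app))
```

Running a model like this against a planned rule set shows which service chain a given traffic class would actually traverse, which helps confirm that a conflicting rule does not route traffic around a scanning or filtering service.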