Manual Chapter : Configuring Service Chains

Applies To:


BIG-IP PEM

  • 11.5.10, 11.5.9, 11.5.8, 11.5.7, 11.5.6, 11.5.5, 11.5.4, 11.5.3, 11.5.2, 11.5.1

Overview: Configuring service chains

You can use the Policy Enforcement Manager to create service chains that route traffic to one or more value-added services on the way to its final destination. A service chain defines the path and the order in which you want traffic to visit those services. Several value-added services can be involved, and after each one the traffic returns to the BIG-IP system. An endpoint specifies each place you want to send the traffic, so a service chain is essentially an ordered list of value-added service endpoints at which traffic stops on its way to the server it is headed to. For example, you can forward traffic sequentially for virus scanning, parental control, and caching.

You set up service chains by creating an enforcement policy that defines the traffic that you want to route to the service chain. Rules in the enforcement policy specify conditions that the traffic must match, and actions for what to do with that traffic. One of the actions you can take is to send the traffic to a service chain.

While a static service chain defines a fixed set of value-added services, a dynamic service chain can change the path per flow, depending on the flow's parameters, and you can attach a steering policy that overrides the choice of the next service endpoint. With a dynamic service chain you can insert or remove HTTP headers and steer traffic to different services. Internet Content Adaptation Protocol (ICAP) is one of the services you can use in a service chain. A dynamic service chain makes the service chain intelligent and flexible by providing the following support:

  • Add or skip value-added service endpoints by selecting a policy-based forwarding endpoint.
  • Insert or remove headers per value-added service, depending on the policy.
  • Include one sideband value-added service in the service chain, using ICAP as the protocol.

You can create listeners to set up virtual servers and associate enforcement policies with the traffic that is sent to them. The system also creates a Policy Enforcement profile that specifies the enforcement policy that the system uses for the service chain.

Task Summary

About services profiles

You can configure the Internet Content Adaptation Protocol (ICAP) profile, request adaptation profile, and response adaptation profile for using the dynamic service chain feature in Policy Enforcement Manager.

The internal virtual server references the pool of content adaptation servers. The internal virtual server also references an ICAP profile, which includes specific instructions for how the BIG-IP system should modify each request or response. Once the request and response adapt profiles have been created, you can attach the profiles to the HTTP virtual server. The adapt profiles use multiple internal virtual servers for various content types.

The HTTP listener must have the adapt profiles set. Configure the adapt profiles as disabled; Policy Enforcement Manager enables them only when the forwarding endpoint is ICAP.

Creating an ICAP profile for policy enforcement

You create this ICAP profile when you want to use an ICAP server to wrap an HTTP request in an ICAP message before the BIG-IP system sends the request to a pool of web servers. The profile specifies the HTTP request-header values that the ICAP server uses for the ICAP message.

  1. On the Main tab, click Local Traffic > Profiles > Services > ICAP.
  2. Click Create.
  3. In the Name field, type a unique name for the profile.
  4. Click Finished.
After you create the ICAP profile, you can assign it to an internal virtual server so that the HTTP request that the BIG-IP system sends to an ICAP server is wrapped in an ICAP message, according to the settings you specified in the ICAP profile.

Creating a Request Adapt profile

You create a Request Adapt type of profile when you want a standard HTTP virtual server to forward HTTP requests to an internal virtual server that references a pool of ICAP servers. A Request Adapt type of profile instructs the HTTP virtual server to send an HTTP request to a named internal virtual server for possible request modification.
  1. On the Main tab, click Local Traffic > Profiles > Services > Request Adapt.
  2. Click Create.
  3. In the Name field, type a unique name for the profile.
  4. For the Parent Profile setting, retain the default value, requestadapt.
  5. On the right side of the screen, clear the Custom check box.
  6. Disable the setting by clearing the Enabled check box. When you clear the Enabled check box, Policy Enforcement Manager controls this based on the policy.
  7. In the Preview Size field, type a numeric value. This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP request header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to 0 disables buffering of the request and should only be done if the adaptation server always returns a modified HTTP request or the original HTTP request.
  8. For the Allow HTTP 1.0 setting, select the Enabled check box.
  9. Click Finished.
After you perform this task, the BIG-IP system contains a Request Adapt profile that a standard HTTP virtual server can use to forward an HTTP request to an internal virtual server for ICAP traffic.

Creating a Response Adapt profile

You create a Response Adapt type of profile when you want a standard HTTP virtual server to forward HTTP responses to an internal virtual server that references a pool of ICAP servers. A Response Adapt type of profile instructs the HTTP virtual server to send an HTTP response to a named internal virtual server for possible response modification.
  1. On the Main tab, click Local Traffic > Profiles > Services > Response Adapt.
  2. Click Create.
  3. In the Name field, type a unique name for the profile.
  4. For the Parent Profile setting, retain the default value, responseadapt.
  5. On the right side of the screen, select the Custom check box.
  6. Disable the setting by clearing the Enabled check box. When you clear the Enabled check box, Policy Enforcement Manager controls the profile based on the policy.
  7. In the Preview Size field, type a numeric value. This specifies the maximum size of the preview buffer. This buffer holds a copy of the HTTP response header and the data sent to the internal virtual server, in case the adaptation server reports that no adaptation is needed. Setting the preview size to 0 disables buffering of the response and should only be done if the adaptation server always returns a modified HTTP response or the original HTTP response.
  8. For the Allow HTTP 1.0 setting, select the Enabled check box.
After you perform this task, the BIG-IP system contains a Response Adapt profile that a standard HTTP virtual server can use to forward an HTTP response to an internal virtual server for ICAP traffic.
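The two adapt profiles above both describe a preview buffer: the BIG-IP system keeps a copy of the HTTP headers and the first part of the body while the ICAP server decides whether adaptation is needed. The following Python model, added here as an example and not part of BIG-IP or this manual, shows what that exchange looks like on the wire according to RFC 3507: build_icap wraps a constructed HTTP request or response in a REQMOD or RESPMOD message with an Encapsulated header and, when the preview size is greater than 0, a Preview header carrying only the first preview_size body bytes; apply_icap_reply then interprets the server's answer, forwarding the buffered original on 204, the adapted message on 200, and waiting for the rest of the body on 100 Continue. The ICAP server name and the sample messages are constructed, and treating a preview size of 0 as "send the whole body with no Preview header" is this model's reading of the profile description, not a statement about how the product implements it.

```python
"""Model of how an ICAP client wraps an HTTP request (REQMOD) or response
(RESPMOD) in an ICAP message, per RFC 3507, including the Preview mechanism
that the Preview Size setting of the Request Adapt / Response Adapt profiles
controls. Added example, not BIG-IP code; hosts and messages are constructed."""

import re


def _split_http(raw):
    """Split an HTTP or ICAP message into (header block incl. blank line, body)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("message lacks the blank line that ends its headers")
    return head + sep, body


def _chunk(data, last=b"0\r\n\r\n"):
    """Encapsulated bodies are always chunked; `last` is the terminating chunk."""
    return (b"%x\r\n%s\r\n" % (len(data), data) if data else b"") + last


def build_icap(method, http_message, icap_uri, preview_size):
    """Wrap `http_message` in a REQMOD (requests) or RESPMOD (responses) message.

    preview_size > 0: only the first preview_size body bytes are sent now, so
    the server can answer 204 (no adaptation needed) before the rest goes out;
    this is why the client keeps a buffered copy of what it already sent.
    preview_size == 0: modelled here as "no Preview header, send everything",
    matching the profile description that 0 disables buffering (assumption).
    """
    if method not in ("REQMOD", "RESPMOD"):
        raise ValueError("ICAP method must be REQMOD or RESPMOD")
    hdr_block, body = _split_http(http_message)
    sect = "req" if method == "REQMOD" else "res"
    body_tag = f"{sect}-body" if body else "null-body"
    lines = [
        f"{method} {icap_uri} ICAP/1.0",
        f"Host: {icap_uri.split('/')[2]}",
        f"Encapsulated: {sect}-hdr=0, {body_tag}={len(hdr_block)}",
    ]
    if preview_size > 0 and body:
        lines.append(f"Preview: {preview_size}")
        if len(body) <= preview_size:
            # Whole body fits in the preview: "ieof" tells the server nothing follows.
            payload = _chunk(body, b"0; ieof\r\n\r\n")
        else:
            payload = _chunk(body[:preview_size])  # rest is sent after "100 Continue"
    else:
        payload = _chunk(body) if body else b""
    return "\r\n".join(lines).encode() + b"\r\n\r\n" + hdr_block + payload


def _dechunk(data):
    """Reassemble a chunked body (ignores chunk extensions such as "ieof")."""
    out, pos = b"", 0
    while True:
        end = data.index(b"\r\n", pos)
        size = int(data[pos:end].split(b";")[0], 16)
        if size == 0:
            return out
        out += data[end + 2:end + 2 + size]
        pos = end + 2 + size + 2


def apply_icap_reply(icap_reply, original_http):
    """Turn the ICAP server's reply into (decision, HTTP message to forward).

    204 -> the buffered original is forwarded untouched; 200 -> the adapted
    message carried in the reply replaces it; 100 -> the server wants the
    remainder of the body (the part held back by the preview) before deciding.
    """
    icap_head, icap_body = _split_http(icap_reply)
    status = icap_head.split(b" ", 2)[1].decode()
    if status == "204":
        return "204", original_http
    if status == "100":
        return "100", b""
    if status != "200":
        raise ValueError(f"unexpected ICAP status {status}")
    enc = re.search(rb"Encapsulated:\s*(.+)\r\n", icap_head).group(1)
    offsets = dict(part.strip().split(b"=") for part in enc.split(b","))
    body_off = offsets.get(b"req-body", offsets.get(b"res-body"))
    if body_off is None:  # null-body: the reply carries headers only
        return "200", icap_body[:int(offsets[b"null-body"])]
    start = int(body_off)
    return "200", icap_body[:start] + _dechunk(icap_body[start:])


# Constructed sample traffic for the demonstration.
HTTP_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
HTTP_RESPONSE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n"
                 b"Content-Length: 12\r\n\r\nhello, world")

if __name__ == "__main__":
    print(build_icap("REQMOD", HTTP_REQUEST, "icap://icap.example.test:1344/reqmod", 1024).decode())
    print(build_icap("RESPMOD", HTTP_RESPONSE, "icap://icap.example.test:1344/respmod", 4).decode())
    print(apply_icap_reply(b"ICAP/1.0 204 No Content\r\n\r\n", HTTP_RESPONSE))
```

Running the file prints a REQMOD message with a null-body, a RESPMOD message whose preview holds only the first 4 body bytes, and the 204 decision. The point to take from the model is why the profile text warns against a preview size of 0 unless the adaptation server always returns a full request or response: without the buffered copy there is nothing to forward when the server answers 204.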

Creating an internal virtual server for ICAP server

You perform this task to create a standard virtual server that can forward an HTTP request or response to an internal virtual server. The internal virtual server then sends the request or response to a pool of ICAP servers before the BIG-IP system sends the request or response to the client or web server.
  1. On the Main tab, click Local Traffic > Virtual Servers. The Virtual Server List screen opens.
  2. Click the Create button. The New Virtual Server screen opens.
  3. In the Name field, type a unique name for the virtual server.
  4. For the Destination setting, in the Address field, type the IP address that you want to use as a destination for client traffic destined for a pool of HTTP web servers. The IP address you type must be available and not in the loopback network.
  5. In the Service Port field, type 80, or select HTTP from the list.
  6. From the Type list, select Internal.
  7. For the State setting, verify that the value is set to Enabled.
  8. From the HTTP Profile list, select the name of the HTTP profile that you created previously.
  9. From the Configuration list, select Advanced.
  10. From the Request Adapt Profile list, select the ICAP profile that you previously created for handling HTTP requests.
  11. From the Response Adapt Profile list, select the ICAP profile that you previously created for handling HTTP responses.
  12. From the Source Address Translation list, select Auto Map. The BIG-IP system uses all of the self IP addresses as the translation addresses for the pool.
  13. From the Default Pool list, select the pool of ICAP servers that you previously created.
  14. Click Finished.
After you create the virtual server, the BIG-IP system can forward an HTTP request or response to a pool of ICAP servers before sending the request or response to the client or web server, respectively.

Creating a pool

You can create a pool of servers that you can group together to receive and process traffic.
  1. On the Main tab, click Local Traffic > Pools. The Pool List screen opens.
  2. Click Create. The New Pool screen opens.
  3. In the Name field, type a unique name for the pool.
  4. Using the New Members setting, add each resource that you want to include in the pool:
    1. Type an IP address in the Address field.
    2. Type a port number in the Service Port field, or select a service name from the list.
    3. To specify a priority group, type a priority number in the Priority Group Activation field.
    4. Click Add.
  5. Click Finished.
The new pool appears in the Pools list.

Creating endpoints for service chains

Before you can create an endpoint, you need to create a pool that specifies where you want to direct the classified traffic.
If you plan to set up a service chain, you need to create one or more endpoints that specify the locations of the value-added services to which to send the traffic.
  1. On the Main tab, click Policy Enforcement > Forwarding > Endpoints. The Endpoints screen opens.
  2. Click Create. The New Endpoint screen opens.
  3. In the Name field, type a name for the endpoint.
  4. From the Pool list, select the pool to which you want to steer a particular type of traffic.
  5. Use the default values for the other fields.
  6. Click Finished. The endpoint you created is on the endpoint list.
You link the endpoints together by creating a service chain.

Creating dynamic service chains

Before you can create a service chain, you need to have created endpoints for every service to which you want the traffic to be directed. Set up the servers at those endpoints to handle the traffic and, if conditions are right, return it to the BIG-IP system. You should have attached the request adapt profile and the response adapt profile to the HTTP virtual server. You also need to create VLANs for every traffic entry point.
To send traffic to multiple endpoints, including value-added services, you create service chains that define where to send traffic on the way to its final destination. This way, the system can route traffic to other servers that handle additional functions. Additionally, when you create a service chain, you can attach a steering action policy (for example, one that modifies headers), which the service at the other end can later modify.
Note: If you want to use a steering policy, you must define an endpoint in the service chain.
  1. On the Main tab, click Policy Enforcement > Forwarding > Service Chains. The Service Chains screen opens.
  2. Click Create. The New Service Chains screen opens.
  3. In the Name field, type a name for the service chain.
  4. In the Service Chain List setting, add the endpoints to the service chain. For each place you want to send the traffic, specify the following information:
    1. From the Service Endpoint Name list, type the name of the service endpoint where the traffic is going to.
    2. From the VLAN list, select the name of the VLAN where the traffic is coming from.
      Note: Your first service chain entry should have the subscriber VLAN in the VLAN field.
    3. From the Policy list, select the name of the steering policy.
      Note: If none of the service endpoints has a steering policy, the service chain is static.
      Important: If the policy defining the steering does not match the policy set in the service chain, then the service chain is not processed.
    4. From the Forwarding Endpoint list, select the name of the endpoint to which you send traffic.

      When you configure a new forwarding endpoint (Policy Enforcement > Forwarding > Endpoints), set Address Translation and Port Translation as Disabled.

      Note: Always configure a default forwarding endpoint; otherwise the flow exits the service chain and the remaining services are skipped. On the final leg of the chain, configure the service endpoint without a default.
      Important: When you use an ICAP service, you cannot have an ICAP and a forwarding endpoint on the same service endpoint.
    5. From the Service Option list, select what happens if the service endpoint is not reachable. Select Optional to skip the service endpoint. Select Mandatory to drop all traffic flows.
      Note: To use a dynamic service chain, select Optional. If the service endpoint is not available and is set to Mandatory, the steering policy cannot be applied.
    6. From the Internal Virtual list, select the internal ICAP virtual server.
      Important: You cannot have consecutive ICAP service endpoints on the same VLAN.
    7. Click Add.
  5. Click Finished.
Note: If a steering action is applied after the ICAP request, the service endpoint with the forwarding endpoint should have the same VLAN configured as the service endpoint with ICAP enabled.
You can direct traffic to the service chain you created in the policy rules in an enforcement policy.
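To make the notes in this task concrete, here is a Python model (an added example, not BIG-IP code; all endpoint, VLAN and policy names are constructed) of how a flow walks a service chain built from the settings above. validate_chain checks the configuration rules the notes state (first leg on the subscriber VLAN, no ICAP and forwarding endpoint on one service endpoint, no consecutive ICAP on one VLAN, a default forwarding endpoint on every non-final leg, Optional wherever a steering policy is attached), is_dynamic reports whether any leg has a steering policy, and run_chain applies the per-leg rules: the steering policy may override the default forwarding endpoint, a missing default on a non-final leg makes the flow leave the chain, and an unreachable service is skipped under Optional or dropped under Mandatory. Representing a steering policy as a callable that returns an endpoint name or None, and walking the legs in list order, are simplifications of this model, not product behaviour.

```python
"""Model of how a flow traverses a dynamic service chain, following the
rules stated in the task above. Added example, not BIG-IP code; every
endpoint, VLAN and policy name below is constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


@dataclass
class Endpoint:
    """A forwarding endpoint (Policy Enforcement > Forwarding > Endpoints)."""
    name: str
    reachable: bool = True  # stands in for the health of the endpoint's pool


@dataclass
class ServiceEndpoint:
    """One entry of the Service Chain List."""
    vlan: str                                   # VLAN the flow arrives on for this leg
    forwarding_endpoint: Optional[str] = None   # default next hop; None on the final leg
    steering_policy: Optional[Callable[["Flow"], Optional[str]]] = None
    service_option: str = "Optional"            # or "Mandatory"
    icap: bool = False                          # sideband ICAP service on this leg
    internal_virtual: str = ""                  # internal ICAP virtual server name


@dataclass
class Flow:
    headers: Dict[str, str] = field(default_factory=dict)


def validate_chain(chain: List[ServiceEndpoint], subscriber_vlan: str) -> List[str]:
    """Check the constraints the configuration notes state; returns the problems found."""
    problems = []
    if not chain:
        return ["service chain has no service endpoints"]
    if chain[0].vlan != subscriber_vlan:
        problems.append("first service endpoint must use the subscriber VLAN")
    for i, leg in enumerate(chain):
        final = i == len(chain) - 1
        if leg.icap and leg.forwarding_endpoint is not None:
            problems.append(f"leg {i}: ICAP and a forwarding endpoint on the same service endpoint")
        if leg.icap and i > 0 and chain[i - 1].icap and chain[i - 1].vlan == leg.vlan:
            problems.append(f"leg {i}: consecutive ICAP on the same VLAN")
        if not leg.icap and leg.forwarding_endpoint is None and not final:
            problems.append(f"leg {i}: no default forwarding endpoint on a non-final leg")
        if leg.steering_policy is not None and leg.service_option != "Optional":
            problems.append(f"leg {i}: steering needs Service Option = Optional")
    return problems


def is_dynamic(chain: List[ServiceEndpoint]) -> bool:
    """A chain with no steering policy on any service endpoint is static."""
    return any(leg.steering_policy is not None for leg in chain)


def run_chain(chain: List[ServiceEndpoint], endpoints: Dict[str, Endpoint], flow: Flow) -> List[str]:
    """Return the hops the flow takes; the list ends in 'destination' or 'dropped:<name>'."""
    hops = []
    for i, leg in enumerate(chain):
        final = i == len(chain) - 1
        if leg.icap:
            hops.append(f"icap:{leg.internal_virtual}")  # sideband adaptation, flow returns here
        target = leg.forwarding_endpoint
        if leg.steering_policy is not None:
            target = leg.steering_policy(flow) or target  # steering overrides the default
        if target is None:
            if not leg.icap and not final:
                hops.append("left-chain")  # no default endpoint: the rest of the chain is skipped
                break
            continue
        if not endpoints[target].reachable:
            if leg.service_option == "Mandatory":
                hops.append(f"dropped:{target}")
                return hops
            hops.append(f"skipped:{target}")
            continue
        hops.append(target)
    hops.append("destination")
    return hops


def age_verified_steering(flow: Flow) -> Optional[str]:
    """Constructed steering policy: send verified subscribers straight to the cache."""
    return "cache" if flow.headers.get("X-Age-Verified") == "yes" else None


# Constructed sample configuration: the parental-control pool is currently down.
SAMPLE_ENDPOINTS = {
    "av-scan": Endpoint("av-scan"),
    "parental": Endpoint("parental", reachable=False),
    "cache": Endpoint("cache"),
}
SAMPLE_CHAIN = [
    ServiceEndpoint(vlan="subscriber", forwarding_endpoint="av-scan"),
    ServiceEndpoint(vlan="av-return", icap=True, internal_virtual="icap-vs"),
    ServiceEndpoint(vlan="av-return", forwarding_endpoint="parental",
                    steering_policy=age_verified_steering),
]

if __name__ == "__main__":
    print(validate_chain(SAMPLE_CHAIN, "subscriber"), is_dynamic(SAMPLE_CHAIN))
    print(run_chain(SAMPLE_CHAIN, SAMPLE_ENDPOINTS, Flow()))
    print(run_chain(SAMPLE_CHAIN, SAMPLE_ENDPOINTS, Flow({"X-Age-Verified": "yes"})))
```

With the sample chain, an ordinary flow is scanned, passed through ICAP, skips the unreachable parental-control service because that leg is Optional, and continues to its destination; a flow carrying the constructed X-Age-Verified header is steered to the cache instead. Changing the last leg to Mandatory turns the skip into a drop, which is the behaviour the Service Option note describes.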

Creating an enforcement policy

If you want to classify and intelligently steer traffic, you need to create an enforcement policy. The policy describes what to do with specific traffic, and how to treat the traffic.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click Create. The New Policy screen opens.
  3. In the Name field, type a name for the policy.
    Tip: When creating policies you plan to apply globally or to unknown subscribers, it is a good idea to include the word global or unknown in the policy name to distinguish these from other subscriber policies.
  4. From the Transactional list, select Enabled if you want the BIG-IP system to allow policy enforcement on each HTTP transaction.
  5. Click Finished.
    Important: System performance is significantly affected, depending on the complexity of the classification and the type of policy action.
    The new enforcement policy is added to the policy list.
Now you must add rules to the enforcement policy to define traffic filters and actions.

Configuring steering action policy

You can configure the HTTP header actions of a steering policy on the BIG-IP system.
Note: If the steering action is enabled, steering policy is evaluated based on the VLAN flow. If no steering policy is configured, then the default endpoint is the next service endpoint.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect only when rules conflict. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if rule 1 has precedence 10 with Gate Status disabled for a search engine and rule 2 has precedence 11 with Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. From the Modify Header list, select Enabled, to modify the HTTP request header. More modify header configuration options display.
  7. To modify the HTTP request header, select the action you want to implement.
    • Select Insert String Value to insert a string value that you specify.
    • Select Insert Value from Script to insert the value returned by a Tcl expression.
    • Select Remove to remove the string value that you previously created.
  8. In the Header Name field, type a header name.
  9. In the String Value field, type a string value for the header.
  10. Click Finished.
You can add more rules to an enforcement policy in addition to configuring HTTP header action.

Adding rules to an enforcement policy

Before you can add rules to an enforcement policy, you need to create the policy, then reopen it.
You add rules to an enforcement policy to select the traffic you want to affect, and the actions to take. A rule associates an action with a specific type of traffic. So you can, for example, add a rule to select all audio-video traffic and send it to a pool of servers that are optimized to handle that type of traffic.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect only when rules conflict. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if rule 1 has precedence 10 with Gate Status disabled for a search engine and rule 2 has precedence 11 with Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule. Other tasks describe how to do this in detail.
  7. From the Modify Header list, select Enabled, to modify the HTTP request header. More modify header configuration options display.
  8. Use the Reporting, Quota, Forwarding, Modify Header or QoS areas to specify what you want to do with the traffic that you are classifying or specify what actions you want to apply to the traffic. Other tasks describe how to do this in detail. If you leave Gate Status enabled (default) and specify no other actions, the system stores traffic classification statistics on the BIG-IP system, and forwards the traffic to its destination without any further action.
  9. Click Finished.
  10. Repeat steps 3-8 to create as many rules as needed to handle the traffic you are interested in.
The enforcement policy includes the rules with the conditions and actions you added.
Now you need to associate the enforcement policy with the virtual server (or servers) to which traffic is directed.

Creating a rule for forwarding traffic

You can create a rule that forwards traffic to an endpoint. For example, you might want to direct video traffic to a server that is optimized for video viewing.
  1. On the Main tab, click Policy Enforcement > Policies. The Policies screen opens.
  2. Click the name of the enforcement policy you want to add rules to. The properties screen for the policy opens.
  3. In the Policy Rules area, click Add. The New Rule screen opens.
  4. In the Name field, type a name for the rule.
  5. In the Precedence field, type an integer that indicates the precedence for the rule in relation to the other rules. Number 1 has the highest precedence. Rules with higher precedence are evaluated before other rules with lower precedence.
    Tip: All rules in a policy are run concurrently. Precedence takes effect only when rules conflict. A conflict occurs when the traffic matches two rules and the policy actions from these rules differ. For example, if rule 1 has precedence 10 with Gate Status disabled for a search engine and rule 2 has precedence 11 with Gate Status enabled, then rule 1 is processed first because it has higher precedence. Rules conflict if they have identical or overlapping classification criteria (for the traffic that matches more than one rule).
  6. Use the Classification, URL, Flow, and Custom Criteria tabs to identify the traffic that you want to be affected by this rule. Other tasks describe how to do this in detail.
  7. In the Gate area, for Gate Status, select Enabled. Options provide several ways to forward the traffic.
    • To redirect traffic to a URL, for HTTP Redirect, select Enabled, and type the URL.
    • To direct traffic to specific location, from the Forwarding list, select an option where you would like to forward the traffic.
      • If you select Route to Network then the traffic flow is forwarded to the default destination.
      • If you select Forwarding to Endpoint, the flow is steered to a different destination and you can select one of the endpoints.
      • If you select Forward to ICAP Virtual Server, the flow is forwarded to the ICAP virtual server.
    • To direct traffic to more than one location (such as value-added services), from the Service Chain list, select the name of a service chain that you previously created.
  8. Click Finished.
You have created a rule that forwards traffic.
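The three rule tasks above share the same precedence tip, and the Forwarding and Modify Header settings are the actions a rule can set. The following Python model, an added example that is not BIG-IP code, shows how those pieces combine on one flow: every rule whose criteria match is evaluated, and for each action (Gate Status, Forwarding, and each header name under Modify Header) the first setting in precedence order wins, so a rule with precedence 10 that disables Gate Status beats a rule with precedence 11 that enables it, exactly as the tip describes. The rules, flows and header names are constructed, the match callables stand in for the Classification, URL, Flow and Custom Criteria tabs, and a Python callable stands in for the Tcl expression behind Insert Value from Script.

```python
"""Model of how the rules of an enforcement policy are applied to a flow:
every rule is evaluated, and where two matching rules set the same action
differently, the rule with the lower precedence number (1 is highest) wins.
Added example, not BIG-IP code; rules, flows and header names are constructed."""

from dataclasses import dataclass, field
from typing import Callable, Dict, List


@dataclass
class Flow:
    classification: str            # result of traffic classification, e.g. "video"
    url: str
    headers: Dict[str, str] = field(default_factory=dict)


@dataclass
class Rule:
    name: str
    precedence: int                # 1 is the highest precedence
    match: Callable[[Flow], bool]  # stands in for the rule's classification criteria
    actions: Dict[str, object] = field(default_factory=dict)
    # Supported action keys (constructed representation):
    #   "gate":    bool (Gate Status)
    #   "forward": ("route" | "endpoint" | "icap" | "service_chain", name)
    #   "header":  ("insert" | "insert-from-script" | "remove", header_name, value)


def evaluate(rules: List[Rule], flow: Flow) -> Dict[str, object]:
    """Return the combined decision for `flow`, including the resulting request headers."""
    matched = sorted((r for r in rules if r.match(flow)), key=lambda r: r.precedence)
    decision = {"matched": [r.name for r in matched], "gate": True, "forward": ("route", None)}
    decided_keys, decided_headers = set(), set()
    headers = dict(flow.headers)
    for rule in matched:  # highest precedence first, so the first setting of each action wins
        for key, value in rule.actions.items():
            if key == "header":
                op, name, arg = value
                if name in decided_headers:
                    continue  # a higher-precedence rule already acted on this header
                decided_headers.add(name)
                if op == "insert":
                    headers[name] = arg
                elif op == "insert-from-script":
                    headers[name] = arg(flow)  # arg stands in for the Tcl expression
                elif op == "remove":
                    headers.pop(name, None)
                else:
                    raise ValueError(f"unknown header action {op}")
            elif key not in decided_keys:
                decided_keys.add(key)
                decision[key] = value
    decision["headers"] = headers
    return decision


def host_of(flow: Flow) -> str:
    """Constructed stand-in for a Tcl expression: the host part of the request URL."""
    return flow.url.split("/")[2]


# Constructed rule set mirroring the tip: gate off for search engines at precedence 10,
# gate on for everything at precedence 11, plus forwarding and header actions.
SAMPLE_RULES = [
    Rule("video-steer", 3, lambda f: f.classification == "video",
         {"forward": ("endpoint", "video-optimizer")}),
    Rule("tag-tier", 5, lambda f: True,
         {"header": ("insert", "X-Subscriber-Tier", "gold")}),
    Rule("orig-host", 7, lambda f: True,
         {"header": ("insert-from-script", "X-Orig-Host", host_of)}),
    Rule("search-gate-off", 10, lambda f: f.classification == "search-engine",
         {"gate": False}),
    Rule("default-gate-on", 11, lambda f: True, {"gate": True}),
    Rule("strip-tier", 20, lambda f: f.classification == "web",
         {"header": ("remove", "X-Subscriber-Tier", None)}),
]

if __name__ == "__main__":
    for flow in (Flow("search-engine", "http://search.example.test/q"),
                 Flow("video", "http://video.example.test/clip.mp4"),
                 Flow("web", "http://www.example.test/")):
        print(flow.classification, evaluate(SAMPLE_RULES, flow))
```

Note the web flow: the insert at precedence 5 and the remove at precedence 20 both act on X-Subscriber-Tier, and because the two rules' criteria overlap for that traffic, the higher-precedence insert wins and the header survives. That is the conflict case the tip is about; rules whose actions touch different things simply all apply.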

Creating a listener

If you want to steer specific traffic, or otherwise regulate certain types of traffic, you need to have developed enforcement policies. If using a Gx interface to a PCRF, you need to create a listener that connects to a PCRF.
You can create listeners that specify how to handle traffic for policy enforcement. Creating a listener does preliminary setup on the BIG-IP system for application visibility, intelligent steering, bandwidth management, and reporting.
  1. On the Main tab, click Policy Enforcement > Listeners. The Listeners screen opens.
  2. Click Create. The New Listener screen opens.
  3. In the Name field, type a unique name for the listener.
  4. For the Destination setting, select Host or Network, and type the IP address or network and netmask to use.
    Tip: You can use a catch-all virtual server (0.0.0.0) to specify all traffic that is routed to the BIG-IP system.
    The system will create a virtual server using the address or network you specify.
  5. For the Service Port setting, type or select the service port for the virtual server.
  6. Subscriber provisioning using RADIUS is enabled by default. If your system is using RADIUS for snooping subscriber identity, you need to specify VLANs and tunnels. If you are not using RADIUS, you need to disable it.
    • For the VLANs and Tunnels setting, move the VLANs and tunnels that you want to monitor for RADIUS traffic from the Available list to the Selected list.
    • If you do not want to use RADIUS, from the Subscriber Identity Collection list, select Disabled.
  7. In the Policy Provisioning area, select enforcement policies to apply to the traffic.
    1. For Global Policy, move policies to apply to all subscribers to High Precedence or Low Precedence.
      Note: For URL categorization to take effect, you need to associate the enforcement policy with a classification profile.
    2. For Unknown Subscriber Policy, move policies to use if the subscriber is unknown to Selected.
    The system applies the global policy to all subscribers in parallel with the subscriber policies, and must be configured with unknown subscriber policy. High-precedence global policies override conflicting subscriber policies, and low-precedence policies are overridden by conflicting subscriber policies.
  8. Click Finished. The Policy Enforcement Manager creates a listener, and displays the listener list.
When you create a listener, the Policy Enforcement Manager also creates virtual servers for each type of traffic (TCP, UDP, or both and IP), and a virtual server for HTTP traffic. The system sets up classification and assigns the appropriate policy enforcement profile to the virtual servers. If you are connecting to a RADIUS authentication server, a virtual server for RADIUS is also added.
Now you can send traffic through the network. As network traffic moves through the BIG-IP system, the system classifies the traffic, and if you have developed policies, the system performs the actions specified by the enforcement policy rules.