F5BigFastl4Setting
The F5BigFastl4Setting CR currently provides one option to fine-tune how Traffic Management Microkernel (TMM) handles connections. Once configured and installed, the F5BigFastl4Setting CR can then be referenced by the F5BigContextSecure Custom Resource (CR).
This document guides you through understanding, configuring and installing a simple F5BigFastl4Setting CR.
CR parameters
The table below describes the CR spec parameters:

Parameter | Description |
---|---|
idleTimeout | Specifies the number of seconds that a connection is idle before the connection is eligible for deletion: 0 to 4294967295. The default value is 300. |
ipFragReass | Enables or disables fragmentation reassembly in TMM. The default value is false. If the F5BigContextSecure CR uses the FastL4 profile and fragmentation reassembly is required, set this value to true. |
CR Example

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFastl4Setting
metadata:
  name: "cnf-fastl4-optimize"
  namespace: "cnf-gateway"
spec:
  idleTimeout: 150
  ipFragReass: false
```
Default profile
After installing the BIG-IP Controller, a default F5BigFastl4Setting CR is created in each new namespace. In this example, a default F5BigFastl4Setting CR exists in the cnf-gateway namespace:
```
oc get f5-big-fastl4-settings -n cnf-gateway
NAME
sys-default-fastl4
```
Installation
Use the steps below to install the F5BigFastl4Setting CR.
The example F5BigFastl4Setting CR modifies the idleTimeout period. Copy and paste the example into a YAML file:

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigFastl4Setting
metadata:
  name: "cnf-fastl4-optimize"
  namespace: "cnf-gateway"
spec:
  idleTimeout: 150
  ipFragReass: false
```
Install the CR:
```
oc apply -f cnf-fastl4-cr.yaml
```
In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CR was added/updated:
```
I0202 12:00:00.12349 1 event.go:282 Event(v1.ObjectReference{Kind:"F5TcpSetting", TcpSetting cnf-gateway/cnf-tcp-optimize was added/updated
```
The example F5BigContextSecure CR listens for connections destined to IP addresses in the 2002::200:200:200:0/112 subnet, using any protocol, and only on the subscriber-vlan interface. The CR also references the F5BigFastl4Setting profile. Copy and paste the example into a YAML file:
```yaml
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "cnf-context"
  namespace: "cnf-gateway"
spec:
  ipv6destinationAddress: "2002::200:200:200:0/112"
  destinationPort: 0
  ipProtocol: "any"
  profile: "fastL4"
  fastL4Settings:
    profileName: "cnf-fastl4-optimize"
  vlans:
    vlanList:
      - "subscriber-vlan"
```
Install the F5BigContextSecure CR:

```
oc apply -f f5-cnf-context.yaml
```
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
```
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-context was added/updated
```
The TMM Proxy Pod can now process application traffic using the F5BigFastl4Setting CR.
To see how the packets are received and forwarded with fragments, perform the following:
Log in to the TMM pod by using the following command:

```
oc exec -it tmm_pod_name -c debug -- /bin/bash
```

Run the following command to see the IP stats:

```
/tmctl -d blade ip_stat
```
Following is a sample output for the command. If the reassembleFrags parameter is set to true and the TMM receives a fragmented packet, then the reassembled counter will get incremented.

```
tx     rx     dropped rx_frag rx_frag_dropped tx_frag tx_frag_dropped
------ ------ ------- ------- --------------- ------- ---------------
125494 155586 0       0       0               0       0

reassembled err_cksum err_len err_mem err_rtx err_proto err_opt
----------- --------- ------- ------- ------- --------- -------
0           0         0       0       0       0         0
```
Note: Values can be seen in the IP stats only when the reassembleFrags parameter is set to true. If the value is set to false, the values will be displayed as zero.
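An added example (not part of the original page or of F5's tooling) for the check described above: it parses two ip_stat snapshots, taken before and after a fragmented-traffic test, and reports the change in the reassembled counter plus any error or drop counters that rose. The function names and the AFTER snapshot are constructed for illustration, and treating the err_ and dropped columns as problem indicators is an assumption based on their names.

```python
import re

# Fragment-related counters named in the sample output above.
FRAG_COUNTERS = ("rx_frag", "rx_frag_dropped", "tx_frag", "tx_frag_dropped", "reassembled")

def parse_ip_stat(text):
    """Parse ip_stat text: each table is a header row, a dashed rule, one value row."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    stats = {}
    for i, ln in enumerate(lines):
        if not re.fullmatch(r"[-\s]+", ln):
            continue
        if i == 0 or i + 1 >= len(lines):
            raise ValueError("dashed rule without a header or value row")
        names, values = lines[i - 1].split(), lines[i + 1].split()
        if len(names) != len(values):
            raise ValueError(f"column count mismatch under {names}")
        stats.update(zip(names, map(int, values)))
    if not stats:
        raise ValueError("no ip_stat table found")
    return stats

def frag_report(before, after):
    """Diff two snapshots taken before and after sending fragmented test traffic."""
    b, a = parse_ip_stat(before), parse_ip_stat(after)
    delta = {k: a[k] - b.get(k, 0) for k in a}
    return {
        "reassembled": delta.get("reassembled", 0),
        # All zero matches the page's note for reassembly set to false
        # (or no fragments were received at all).
        "frag_counters_all_zero": all(a.get(k, 0) == 0 for k in FRAG_COUNTERS),
        "problems": {k: v for k, v in delta.items()
                     if v > 0 and (k.startswith("err_") or k.endswith("dropped"))},
    }

# BEFORE is the page's sample output; AFTER is constructed for illustration.
BEFORE = """\
tx rx dropped rx_frag rx_frag_dropped tx_frag tx_frag_dropped
------ ------ ------- ------- --------------- ------- ---------------
125494 155586 0 0 0 0 0
reassembled err_cksum err_len err_mem err_rtx err_proto err_opt
----------- --------- ------- ------- ------- --------- -------
0 0 0 0 0 0 0
"""
AFTER = BEFORE.replace("125494 155586 0 0 0", "125502 155598 0 4 0").replace(
    "\n0 0 0 0 0 0 0\n", "\n2 0 1 0 0 0 0\n")

if __name__ == "__main__":
    print(frag_report(BEFORE, AFTER))
```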
Feedback
Provide feedback to improve this document by emailing cnfdocs@f5.com.