F5BigPePolicy¶
Overview¶
The F5BigPePolicy Custom Resource (CR) configures the Traffic Management Microkernel (TMM) Proxy Pod to manage 5G subscriber traffic using policy-based classification criteria such as application type, URL category, or higher-level packet flow information. Subscriber traffic can be allowed or denied, and optimized with the F5BigTcpSetting CR, based on the F5BigPePolicy rule configuration. An F5BigPeProfile CR is required and is referenced by the F5BigContextSecure CR to accept and process 5G application traffic using one or more F5BigPePolicy CRs.
This document guides you through understanding, configuring and installing the F5BigPePolicy and F5BigPeProfile CRs.
F5BigPePolicy CR parameters¶
The table below describes the F5BigPePolicy CR parameters used in this document. For the full list of parameters, refer to the F5BigPePolicy Reference.
spec.rule¶
Parameter | Description |
---|---|
name | Specifies the name of the F5BigPePolicy rule. A policy can contain multiple rules. |
precedence | Specifies the precedence, or order for processing rules and actions: 1 to 1024. |
spec.rule.filter.classification¶
Important: An F5BigClassificationprofile is required when using the classification feature.
Parameter | Description |
---|---|
name | Specifies the name of the classification. |
match | Specifies a traffic matching criteria: match (default), or no-match. |
category | Specifies the type of traffic: any (default), Web, Audio_Video, Encrypted, File_Download_Servers, Search_Engines, Network_Management_and_Services, News_and_Media, and Advertisements. |
application | Specifies the application type: any (default), amazon, apple, tcp, udp, http, ssl, youtube, google, ftp, cnn, and amazon_adv. |
spec.rule.filter.flow¶
Parameter | Description |
---|---|
match | Specifies a traffic matching criteria: match (default), or no-match. |
protocol | Specifies the protocol type for matching subscriber traffic: any (default), tcp, or udp. |
ipType | Specifies the IP protocol type for matching subscriber traffic: any (default), ipv4, or ipv6. |
destinationAddress | Specifies the destination IP address for matching subscriber traffic. The default is 0.0.0.0/0. |
destinationPort | Specifies the destination port for matching subscriber traffic. The default is 0. |
sourceAddress | Specifies the source IP address for matching subscriber traffic. The default is 0.0.0.0/0. |
spec.rule.action¶
Parameter | Description |
---|---|
gate | Specifies whether to allow (enabled) or deny (disabled) subscriber traffic that matches a PE rule: Enabled (default) or Disabled. |
tcpOptimizationUplink | Specifies the F5BigTcpSetting CR applied to the uplink traffic that matches the rule. |
tcpOptimizationDownlink | Specifies the F5BigTcpSetting CR applied to the downlink traffic that matches the rule. |
F5BigPeProfile CR parameters¶
The table below describes the F5BigPeProfile CR spec parameters used in this document.
Parameter | Description |
---|---|
description | A description of the F5BigPeProfile CR. |
globalPolicy.highPrecedence | Specifies a list of F5BigPePolicy CRs to apply as high precedence on subscriber traffic. |
globalPolicy.lowPrecedence | Specifies a list of F5BigPePolicy CRs to apply as low precedence on subscriber traffic. |
unknownSubscriberpolicy | Specifies a list of F5BigPePolicy CRs to apply to unknown subscriber traffic. |
CR examples¶
F5BigPePolicy
apiVersion: k8s.f5net.com/v1
kind: F5BigPePolicy
metadata:
  name: "cnf-pe-policy"
  namespace: "cnf-gateway"
spec:
  rule:
  - name: "stream-rule-1"
    reportingProfile: "cnf-log-profile"
    publisher: "cnf-hsl-pub"
    precedence: 1
    filter:
      classification:
      - application: "amazon"
        category: "Audio_Video"
        match: "match"
    action:
      gate: "Enabled"
      tcpOptimizationDownlink: tcp-high-bw-profile
      tcpOptimizationUplink: tcp-high-bw-profile
  - name: "stream-rule-2"
    precedence: 2
    filter:
      flow:
      - match: "match"
        protocol: "any"
        ipType: "any"
        sourceAddress: "2002::10:10:10:10/112"
        destinationAddress: "2002::192:168:100:0/112"
        destinationPort: 443
    action:
      gate: "Disabled"
F5BigPeProfile
apiVersion: "k8s.f5net.com/v1"
kind: F5BigPeProfile
metadata:
  name: "cnf-pe-profile"
  namespace: "cnf-gateway"
spec:
  description: "web profile"
  globalPolicy:
    highPrecedence:
    - "cnf-pe-policy"
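The parameter tables above constrain each rule (precedence 1 to 1024, match or no-match, the fixed category, application, protocol and ipType value lists, CIDR addresses, and gate Enabled or Disabled), and a mistake only surfaces after the CR is applied. The following pre-apply lint is an added example, not F5 tooling, that encodes those table constraints plus the note that a classification filter needs an F5BigClassificationprofile. It embeds the F5BigPePolicy example above as a Python dict (the parsed form of the YAML) so it runs offline; the `tcp_settings` argument, the `lint_pe_policy` name and the `(level, message)` finding shape are this example's own choices.

```python
"""Pre-apply lint for an F5BigPePolicy CR: an added example, not F5 tooling. The checks
come from this page's spec.rule tables and its note that a classification filter needs an
F5BigClassificationprofile; the CR is embedded as a dict so it runs offline, without PyYAML."""
import ipaddress

# Allowed values copied from the parameter tables on this page.
MATCH = {"match", "no-match"}
CATEGORY = {"any", "Web", "Audio_Video", "Encrypted", "File_Download_Servers", "Search_Engines",
            "Network_Management_and_Services", "News_and_Media", "Advertisements"}
APPLICATION = {"any", "amazon", "apple", "tcp", "udp", "http", "ssl", "youtube", "google",
               "ftp", "cnn", "amazon_adv"}
PROTOCOL = {"any", "tcp", "udp"}
IP_TYPE = {"any", "ipv4", "ipv6"}
GATE = {"Enabled", "Disabled"}


def _enum(findings, where, key, value, allowed):
    if value is not None and value not in allowed:
        findings.append(("error", f"{where}: {key}={value!r} not in {sorted(allowed)}"))


def _cidr(findings, where, key, value, ip_type):
    if value is None:
        return
    try:
        net = ipaddress.ip_network(value, strict=False)
    except ValueError:
        findings.append(("error", f"{where}: {key}={value!r} is not a valid CIDR"))
        return
    # A filter whose ipType disagrees with the address family can never match.
    if (ip_type == "ipv4" and net.version != 4) or (ip_type == "ipv6" and net.version != 6):
        findings.append(("error", f"{where}: {key}={value!r} contradicts ipType={ip_type}"))


def lint_pe_policy(cr, tcp_settings=()):
    """Return [(level, message), ...]; no 'error' entry means the CR passes the checks.
    tcp_settings: names of the F5BigTcpSetting CRs present in the namespace."""
    findings = []
    if cr.get("kind") != "F5BigPePolicy":
        findings.append(("error", f"kind={cr.get('kind')!r}, expected F5BigPePolicy"))
    rules = (cr.get("spec") or {}).get("rule") or []
    if not rules:
        findings.append(("error", "spec.rule is empty: the policy matches nothing"))
    owner = {}  # precedence -> rule name, to catch ambiguous ordering
    for r in rules:
        where = f"rule {r.get('name', '<unnamed>')}"
        prec = r.get("precedence")
        if not isinstance(prec, int) or not 1 <= prec <= 1024:
            findings.append(("error", f"{where}: precedence={prec!r} must be an integer 1..1024"))
        elif prec in owner:
            findings.append(("error", f"{where}: precedence {prec} already used by {owner[prec]}"))
        else:
            owner[prec] = r.get("name")
        flt = r.get("filter") or {}
        for c in flt.get("classification") or []:
            _enum(findings, where, "match", c.get("match"), MATCH)
            _enum(findings, where, "category", c.get("category"), CATEGORY)
            _enum(findings, where, "application", c.get("application"), APPLICATION)
        if flt.get("classification"):
            findings.append(("note", f"{where}: classification filter requires an "
                                     "F5BigClassificationprofile on the F5BigContextSecure"))
        for f in flt.get("flow") or []:
            ip_type = f.get("ipType", "any")
            _enum(findings, where, "match", f.get("match"), MATCH)
            _enum(findings, where, "protocol", f.get("protocol"), PROTOCOL)
            _enum(findings, where, "ipType", ip_type, IP_TYPE)
            _cidr(findings, where, "sourceAddress", f.get("sourceAddress"), ip_type)
            _cidr(findings, where, "destinationAddress", f.get("destinationAddress"), ip_type)
            port = f.get("destinationPort", 0)  # table default 0
            if not isinstance(port, int) or not 0 <= port <= 65535:
                findings.append(("error", f"{where}: destinationPort={port!r} out of range"))
        action = r.get("action") or {}
        _enum(findings, where, "gate", action.get("gate"), GATE)
        for key in ("tcpOptimizationUplink", "tcpOptimizationDownlink"):
            ref = action.get(key)
            if ref is not None and ref not in tcp_settings:
                findings.append(("error", f"{where}: {key} references unknown F5BigTcpSetting {ref!r}"))
    return findings


# The parsed form of this page's cnf-pe-policy example.
PAGE_POLICY = {
    "apiVersion": "k8s.f5net.com/v1", "kind": "F5BigPePolicy",
    "metadata": {"name": "cnf-pe-policy", "namespace": "cnf-gateway"},
    "spec": {"rule": [
        {"name": "stream-rule-1", "reportingProfile": "cnf-log-profile", "publisher": "cnf-hsl-pub",
         "precedence": 1, "filter": {"classification": [
             {"application": "amazon", "category": "Audio_Video", "match": "match"}]},
         "action": {"gate": "Enabled", "tcpOptimizationDownlink": "tcp-high-bw-profile",
                    "tcpOptimizationUplink": "tcp-high-bw-profile"}},
        {"name": "stream-rule-2", "precedence": 2, "filter": {"flow": [
            {"match": "match", "protocol": "any", "ipType": "any", "sourceAddress": "2002::10:10:10:10/112",
             "destinationAddress": "2002::192:168:100:0/112", "destinationPort": 443}]},
         "action": {"gate": "Disabled"}}]}}

if __name__ == "__main__":
    for level, msg in lint_pe_policy(PAGE_POLICY, tcp_settings={"tcp-high-bw-profile"}):
        print(level.upper(), msg)
```

Run against the page's example with `tcp-high-bw-profile` declared, the only finding is the note that stream-rule-1's classification filter needs an F5BigClassificationprofile; run without the tcp_settings argument, the two tcpOptimization references are reported as unknown, which is the same dependency the Installation section resolves by creating the F5BigTcpSetting CR first. On a real CR, load the YAML with `yaml.safe_load` and pass the result in place of `PAGE_POLICY`.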
CR shortName¶
CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigPePolicy and F5BigPeProfile CR shortNames are pepol and peprof respectively.
View CR instance:
kubectl get pepol -n <namespace>
kubectl get peprof -n <namespace>
View CR configuration:
kubectl get pepol -n <namespace> -o yaml
kubectl get peprof -n <namespace> -o yaml
PE Logging¶
An F5BigLogProfile CR can be configured to log subscriber connection information such as subscriber ID, call duration, destination IP address and port, etc., when the connection matches an F5BigPePolicy CR rule. This section demonstrates two methods for logging subscriber connection data.
Note: The F5BigPePolicy references both the F5BigLogProfile and the F5BigLogHslpub CRs.
Reporting Fields¶
The reportingFields parameter provides options that are easy to view while configuring the F5BigLogProfile; however, the resulting log format on the remote server is harder to read.
In this example, the F5BigLogProfile is configured to capture and log the packet’s source and destination information.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  pe:
    reportingFields:
    - "Source IP"
    - "Source Port"
    - "Destination IP"
    - "Destination Port"
    reportingType: flow-reporting
The reportingFields log entries will appear similar to the following on the remote server:
Apr 4 15:48:36 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,57236,10.30.2.220,80
Apr 4 15:48:59 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,59720,10.30.2.220,53
Format Script¶
The formatScript parameter provides options that are harder to view while configuring the F5BigLogProfile; however, the resulting log format on the remote server is easier to read.
In this example, the F5BigLogProfile is configured to capture and log the packet’s source and destination information.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  pe:
    formatScript: return (src-ip:[PEM::flow stats reported src-ip],src-port:[PEM::flow stats reported src-port],dst-ip:[PEM::flow stats reported dst-ip],dst-port:[PEM::flow stats reported dst-port],timestamp:[PEM::flow stats reported timestamp])
    reportingType: flow-reporting
The formatScript log entries will appear similar to the following on the remote server:
Apr 4 15:52:42 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:57240,dst-ip:10.30.2.220,dst-port:80)
Apr 4 15:52:43 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:59934,dst-ip:10.30.2.220,dst-port:53)
For a full list of parameter options, refer to the spec.pe section of the F5BigLogProfile Reference.
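The two log shapes above differ in one way that matters on the receiving side: the reportingFields form carries bare values whose meaning depends on the column order configured in the F5BigLogProfile, while the formatScript form names each value. The following parser is an added example, not F5 code, that normalizes both shapes into one record layout and counts reported flows per destination; the sample log is the four entries shown above plus two constructed lines (an IPv6 flow using the addresses from the F5BigPePolicy example, and a non-PE syslog line that must be ignored). The syslog prefix pattern, the `src_ip`/`dst_port` field names and the `REPORTING_FIELDS` column order are this example's assumptions, the last of which must match the CR in use.

```python
"""Parser and summary for PE flow-reporting records as received on the remote syslog
server, covering both shapes on this page: the reportingFields form (bare CSV whose
column order is the F5BigLogProfile's reportingFields list) and the formatScript form
(parenthesised key:value pairs). Added example, not F5 code; sample lines are the page's
four entries plus two constructed ones."""
import re
from collections import Counter

# Syslog prefix as it appears on this page: "Apr 4 15:48:36 <pod> tmm[33] <payload>".
SYSLOG_RE = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+(?P<time>\d\d:\d\d:\d\d)\s+(?P<host>\S+)\s+"
    r"tmm\[\d+\]\s+(?P<payload>.*)$")

# Column order of the reportingFields example on this page; must match the CR in use.
REPORTING_FIELDS = ("Source IP", "Source Port", "Destination IP", "Destination Port")

# Map both naming schemes onto one record layout.
CANON = {"Source IP": "src_ip", "Source Port": "src_port", "Destination IP": "dst_ip",
         "Destination Port": "dst_port", "src-ip": "src_ip", "src-port": "src_port",
         "dst-ip": "dst_ip", "dst-port": "dst_port", "timestamp": "timestamp"}


def parse_record(line, reporting_fields=REPORTING_FIELDS):
    """Return one flow record as a dict, or None if the line is not a PE record."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    payload = m.group("payload").strip()
    rec = {"host": m.group("host"), "time": m.group("time")}
    if payload.startswith("(") and payload.endswith(")"):
        # formatScript output is self-describing; split each item on its first ':'
        # only, because IPv6 values themselves contain colons.
        for item in payload[1:-1].split(","):
            key, _, value = item.partition(":")
            rec[CANON.get(key, key)] = value
    else:
        # reportingFields output carries no names: the column order comes from the CR.
        values = payload.split(",")
        if len(values) != len(reporting_fields):
            return None
        for name, value in zip(reporting_fields, values):
            rec[CANON.get(name, name)] = value
    for k in ("src_port", "dst_port"):
        if isinstance(rec.get(k), str) and rec[k].isdigit():
            rec[k] = int(rec[k])
    return rec


def summarize(lines, reporting_fields=REPORTING_FIELDS):
    """Count reported flows per (destination IP, destination port) across both formats."""
    counts = Counter()
    for line in lines:
        rec = parse_record(line, reporting_fields)
        if rec and "dst_ip" in rec:
            counts[(rec["dst_ip"], rec["dst_port"])] += 1
    return counts


SAMPLE_LOG = [
    # The four entries shown on this page.
    "Apr 4 15:48:36 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,57236,10.30.2.220,80",
    "Apr 4 15:48:59 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,59720,10.30.2.220,53",
    "Apr 4 15:52:42 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:57240,dst-ip:10.30.2.220,dst-port:80)",
    "Apr 4 15:52:43 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:59934,dst-ip:10.30.2.220,dst-port:53)",
    # Constructed: an IPv6 flow using the page's stream-rule-2 addresses, and a non-PE line.
    "Apr 4 15:53:10 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:2002::10:10:10:10,src-port:40001,dst-ip:2002::192:168:100:5,dst-port:443)",
    "Apr 4 15:53:11 f5-tmm-5896659874-bzfc8 systemd[1]: Started session",
]

if __name__ == "__main__":
    for (dst_ip, dst_port), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{dst_ip}:{dst_port} {n} flow(s)")
```

Because the reportingFields form is positional, the parser rejects a line whose column count does not match the configured list rather than guessing, which is the failure you get when the F5BigLogProfile is changed without updating the collector; the formatScript form needs no such coordination.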
Installation¶
Use these steps to install the example F5BigPePolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.
Tip: Open a second shell to view the CNFs Event Logs while installing.
The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:
Note: The F5BigLogHslpub CR will be referenced by both the F5BigLogProfile and the F5BigClassificationprofile CRs.
apiVersion: k8s.f5net.com/v1
kind: F5BigLogHslpub
metadata:
  name: "cnf-hsl-pub"
  namespace: "cnf-gateway"
spec:
  pool:
  - name: "hsl-pool"
    endpoint:
    - "[2002::10:30:2:220]:514"
  syslog:
  - name: "cnf-syslog"
    format: "rfc5424"
    protocol: "udp"
    pool: "hsl-pool"
Install the F5BigLogHslpub CR:
kubectl apply -f cnf-hsl-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub", F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
The example F5BigLogProfile CR specifies the policy enforcement fields to log, such as Source IP and Destination IP, and sends them to the remote logging server. Copy and paste the example into a YAML file:
Note: The F5BigLogProfile CR will be referenced by the F5BigPePolicy CR.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  pe:
    reportingFields:
    - "Source IP"
    - "Source Port"
    - "Destination IP"
    - "Destination Port"
    reportingType: flow-reporting
Install the F5BigLogProfile CR:
kubectl apply -f cnf-log-profile.yaml
In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile", LogProfile cnf-gateway/cnf-log-profile was added/updated
The example F5BigTcpSetting CR increases the sendBuffer and proxyBuffer sizes to increase TCP throughput. Copy the example CR into a YAML file:
Note: The F5BigTcpSetting CR will be referenced by the F5BigPePolicy CR.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigTcpSetting
metadata:
  name: "tcp-high-bw-profile"
  namespace: "cnf-gateway"
spec:
  sendBufferSize: 150000
  receiveWindowSize: 70000
  proxyBufferHigh: 20000
  proxyBufferLow: 5000
  idleTimeout: 150
  resetOnTimeout: false
Install the F5BigTcpSetting CRs:
kubectl apply -f cnf-tcp-high-bw-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5TcpSetting", TcpSetting cnf-gateway/tcp-high-bw-profile was added/updated
The example F5BigClassificationprofile enables important parameters such as ApplicationDetection, UrlCategorization, and analyzeDns. Copy the example CR into a YAML file:
Note: The F5BigClassificationprofile will be referenced by the F5BigContextSecure CR, and references the F5BigLogHslpub CR.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigClassificationprofile
metadata:
  name: "cnf-class-profile"
  namespace: "cnf-gateway"
spec:
  name: "cnf-class-profile"
  enableApplicationDetection: true
  enableUrlCategorization: true
  logPublisher: "cnf-hsl-pub"
  preset:
    enableFlowBundling: true
    analyzeSslServerside: false
    enableCacheResults: true
    analyzeDns: true
Install the F5BigClassificationprofile CR:
kubectl apply -f cnf-class-profile.yaml
In this example, the BIG-IP Controller logs indicate the F5BigClassificationprofile CR was added/updated:
I0624 12:00:00.12347 1 event.go:282] Event(v1.ObjectReference{Kind:"F5ClassificationProfile", F5ClassificationProfile cnf-gateway/cnf-class-profile was added/updated
The example F5BigPePolicy applies the higher bandwidth F5BigTcpSetting CR to Audio_Video application traffic, and Disables (denies) application traffic from source IP subnet 2002::10:10:10:10/112, destined to the IP subnet 2002::192:168:100:0/112. Copy the example CR into a YAML file:
Note: The F5BigPePolicy references the F5BigLogProfile, F5BigLogHslpub, and F5BigTcpSetting CRs.
apiVersion: k8s.f5net.com/v1
kind: F5BigPePolicy
metadata:
  name: "cnf-pe-policy"
  namespace: "cnf-gateway"
spec:
  rule:
  - name: "stream-rule-1"
    reportingProfile: "cnf-log-profile"
    publisher: "cnf-hsl-pub"
    precedence: 1
    filter:
      classification:
      - application: "amazon"
        category: "Audio_Video"
        match: "match"
    action:
      gate: "Enabled"
      tcpOptimizationDownlink: tcp-high-bw-profile
      tcpOptimizationUplink: tcp-high-bw-profile
  - name: "stream-rule-2"
    precedence: 2
    filter:
      flow:
      - match: "match"
        protocol: "any"
        ipType: "any"
        sourceAddress: "2002::10:10:10:10/112"
        destinationAddress: "2002::192:168:100:0/112"
        destinationPort: 443
    action:
      gate: "Disabled"
Install the F5BigPePolicy CR:
kubectl apply -f cnf-pe-policy-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigPePolicy CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5PemPolicy", PemPolicy cnf-gateway/cnf-pe-policy was added/updated
Copy the example F5BigPeProfile CR into a YAML file:
Note: The F5BigPeProfile references the F5BigPePolicy, and will be referenced by the F5BigContextSecure CR.
apiVersion: "k8s.f5net.com/v1"
kind: F5BigPeProfile
metadata:
  name: "cnf-pe-profile"
  namespace: "cnf-gateway"
spec:
  description: "web profile"
  globalPolicy:
    highPrecedence:
    - "cnf-pe-policy"
Install the F5BigPeProfile CR:
kubectl apply -f cnf-pe-profile-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigPeProfile CR was added/updated:
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5PemProfile", PemProfile cnf-gateway/cnf-pe-profile was added/updated
The example F5BigContextSecure CR listens for connections destined to any IPv6 address (::/0) on port 443 received on the subscriber-vlan interface. Copy and paste the example into a YAML file:
Note: The F5BigContextSecure CR references the F5BigPeProfile and F5BigClassificationprofile CRs.
apiVersion: k8s.f5net.com/v1
kind: F5BigContextSecure
metadata:
  name: "cnf-pe-context"
  namespace: "cnf-gateway"
spec:
  ipv6destinationAddress: "::/0"
  destinationPort: 443
  ipProtocol: "tcp"
  profile: "fastL4"
  pemProfile: "cnf-pe-profile"
  classificationProfile: "cnf-class-profile"
  vlans:
    vlanList:
    - "subscriber-vlan"
Install the F5BigContextSecure CR:
kubectl apply -f f5-cnf-context-cr.yaml
In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:
I0202 12:00:00:12350 1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext", SecureContext cnf-gateway/cnf-pe-context was added/updated
Review the Policy Enforcement statistics section.
Policy Enforcement statistics¶
If the TMM Debug sidecar is enabled (default), use the steps below to verify F5BigPePolicy match statistics.
Log in to the TMM debug Pod:
In this example, the TMM debug container is in the cnf-gateway namespace:
kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
Verify the F5BigPePolicy statistics:
tmctl -d blade pem_actions_stat -s pass,drop,tcpopt_to_net,tcpopt_to_sub
In this example, optimization is applied to both uplink (tcpopt_to_net) and downlink (tcpopt_to_sub) traffic.
pass  drop  tcpopt_to_net  tcpopt_to_sub
----  ----  -------------  -------------
   6     0              6              6
Feedback¶
Provide feedback to improve this document by emailing cnfdocs@f5.com.
Supplemental¶
- The F5BigCecPeGlobaloptions CR can be used to modify some of F5BigPePolicy CR’s default behaviors.