F5BigPePolicy

Overview

The F5BigPePolicy Custom Resource (CR) configures the Traffic Management Microkernel (TMM) Proxy Pod to manage 5G subscriber traffic using policy-based classification criteria such as application type, URL category, or higher-level packet flow information. Subscriber traffic can be allowed or denied, and optimized with the F5BigTcpSetting CR, based on the F5BigPePolicy rule configuration. An F5BigPeProfile CR is required and is referenced by the F5BigContextSecure CR to accept and process 5G application traffic using one or more F5BigPePolicy CRs.

This document guides you through understanding, configuring and installing the F5BigPePolicy and F5BigPeProfile CRs.

F5BigPePolicy CR parameters

The table below describes the F5BigPePolicy CR parameters used in this document. For the full list of parameters, refer to the F5BigPePolicy Reference.

spec.rule

Parameter Description
name Specifies the name of the F5BigPePolicy rule. A policy can contain multiple rules.
precedence Specifies the precedence, or order for processing rules and actions: 1 to 1024.

spec.rule.filter.classification

Important: An F5BigClassificationprofile CR is required when using the classification feature.

Parameter Description
name Specifies the name of the classification.
match Specifies a traffic matching criteria: match (default), or no-match.
category Specifies the type of traffic: any (default), Web, Audio_Video, Encrypted, File_Download_Servers, Search_Engines, Network_Management_and_Services, News_and_Media, and Advertisements.
application Specifies the application type: any (default), amazon, apple, tcp, udp, http, ssl, youtube, google, ftp, cnn, and amazon_adv.

spec.rule.filter.flow

Parameter Description
match Specifies a traffic matching criteria: match (default), or no-match.
protocol Specifies the protocol type for matching subscriber traffic: any (default), tcp, or udp.
ipType Specifies the IP protocol type for matching subscriber traffic: any (default), ipv4, or ipv6.
destinationAddress Specifies the destination IP address for matching subscriber traffic. The default is 0.0.0.0/0.
destinationPort Specifies the destination port for matching subscriber traffic. The default is 0.
sourceAddress Specifies the source IP address for matching subscriber traffic. The default is 0.0.0.0/0.

spec.rule.action

Parameter Description
gate Specifies whether to allow (enabled) or deny (disabled) subscriber traffic that matches a PE rule: Enabled (default) or Disabled.
tcpOptimizationUplink Specifies the F5BigTcpSetting CR applied to the uplink traffic that matches the rule.
tcpOptimizationDownlink Specifies the F5BigTcpSetting CR applied to the downlink traffic that matches the rule.

F5BigPeProfile CR parameters

The table below describes the F5BigPeProfile CR spec parameters used in this document.

Parameter Description
description A description of the F5BigPeProfile CR.
globalPolicy.highPrecedence Specifies a list of F5BigPePolicy CRs to apply as high precedence on subscriber traffic.
globalPolicy.lowPrecedence Specifies a list of F5BigPePolicy CRs to apply as low precedence on subscriber traffic.
unknownSubscriberpolicy Specifies a list of F5BigPePolicy CRs to apply to unknown subscriber traffic.

CR examples

F5BigPePolicy

apiVersion: k8s.f5net.com/v1
kind: F5BigPePolicy
metadata:
  name: "cnf-pe-policy"
  namespace: "cnf-gateway"
spec:
  rule:
    - name: "stream-rule-1"
      reportingProfile: "cnf-log-profile"
      publisher: "cnf-hsl-pub"
      precedence: 1
      filter:
        classification:
          - application: "amazon"
            category: "Audio_Video"
            match: "match"
      action:
        gate: "Enabled"
        tcpOptimizationDownlink: tcp-high-bw-profile
        tcpOptimizationUplink: tcp-high-bw-profile
    - name: "stream-rule-2"
      precedence: 2
      filter:
        flow:
          - match: "match"
            protocol: "any"
            ipType: "any"
            sourceAddress: "2002::10:10:10:10/112"
            destinationAddress: "2002::192:168:100:0/112"
            destinationPort: 443
      action:
        gate: "Disabled"

F5BigPeProfile

apiVersion: "k8s.f5net.com/v1"
kind: F5BigPeProfile
metadata:
  name: "cnf-pe-profile"
  namespace: "cnf-gateway"
spec:
  description: "web profile"
  globalPolicy:
    highPrecedence:
      - "cnf-pe-policy"
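To show how the precedence, filter and action parameters described above combine, here is an added Python model that walks the two rules of the cnf-pe-policy example against a few sample flows. It is example code written for this page, not F5's code, and not a statement of how TMM evaluates rules internally: it assumes that rules are tried in ascending precedence and the first matching rule's action applies, that every criterion listed in a rule's filter must hold (with no-match inverting a criterion), and that a flow matching no rule passes without TCP optimization. The Flow class and the sample flows are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

# spec.rule of the cnf-pe-policy example above, transcribed as Python structures.
PE_POLICY_RULES = [
    {
        "name": "stream-rule-1",
        "precedence": 1,
        "filter": {"classification": [
            {"application": "amazon", "category": "Audio_Video", "match": "match"}]},
        "action": {"gate": "Enabled",
                   "tcpOptimizationDownlink": "tcp-high-bw-profile",
                   "tcpOptimizationUplink": "tcp-high-bw-profile"},
    },
    {
        "name": "stream-rule-2",
        "precedence": 2,
        "filter": {"flow": [
            {"match": "match", "protocol": "any", "ipType": "any",
             "sourceAddress": "2002::10:10:10:10/112",
             "destinationAddress": "2002::192:168:100:0/112",
             "destinationPort": 443}]},
        "action": {"gate": "Disabled"},
    },
]


@dataclass
class Flow:
    """A subscriber flow as the model sees it (constructed for this example)."""
    src_ip: str
    dst_ip: str
    dst_port: int
    protocol: str             # "tcp" or "udp"
    application: str = "any"  # classification result, e.g. "amazon"
    category: str = "any"     # classification result, e.g. "Audio_Video"


def _in_network(cidr: str, ip: str) -> bool:
    """True when ip lies in cidr; the defaults 0.0.0.0/0 and ::/0 mean any address."""
    if cidr in ("0.0.0.0/0", "::/0"):
        return True
    net = ipaddress.ip_network(cidr, strict=False)  # the example prefix has host bits set
    addr = ipaddress.ip_address(ip)
    return addr.version == net.version and addr in net


def _flow_criteria_met(crit: dict, flow: Flow) -> bool:
    proto = crit.get("protocol", "any")
    if proto != "any" and proto != flow.protocol:
        return False
    ip_type = crit.get("ipType", "any")
    if ip_type != "any" and ip_type != f"ipv{ipaddress.ip_address(flow.dst_ip).version}":
        return False
    port = crit.get("destinationPort", 0)  # 0 (the default) means any port
    if port != 0 and port != flow.dst_port:
        return False
    return (_in_network(crit.get("sourceAddress", "0.0.0.0/0"), flow.src_ip)
            and _in_network(crit.get("destinationAddress", "0.0.0.0/0"), flow.dst_ip))


def _classification_criteria_met(crit: dict, flow: Flow) -> bool:
    app, cat = crit.get("application", "any"), crit.get("category", "any")
    return app in ("any", flow.application) and cat in ("any", flow.category)


def _filter_matches(rule_filter: dict, flow: Flow) -> bool:
    """ASSUMPTION: every criterion in the filter must hold; 'no-match' inverts one."""
    results = []
    for crit in rule_filter.get("classification", []):
        results.append(_classification_criteria_met(crit, flow) == (crit.get("match", "match") == "match"))
    for crit in rule_filter.get("flow", []):
        results.append(_flow_criteria_met(crit, flow) == (crit.get("match", "match") == "match"))
    return bool(results) and all(results)


def evaluate(rules: list, flow: Flow) -> dict:
    """Action of the first rule, in ascending precedence, whose filter matches.
    ASSUMPTION: first match wins, and an unmatched flow passes without optimization."""
    for rule in sorted(rules, key=lambda r: r["precedence"]):
        if _filter_matches(rule["filter"], flow):
            act = rule["action"]
            return {"rule": rule["name"], "gate": act.get("gate", "Enabled"),
                    "uplink": act.get("tcpOptimizationUplink"),
                    "downlink": act.get("tcpOptimizationDownlink")}
    return {"rule": None, "gate": "Enabled", "uplink": None, "downlink": None}


if __name__ == "__main__":
    for f in (Flow("2002::10:10:10:55", "2002::192:168:100:7", 443, "tcp"),
              Flow("2002::10:10:10:55", "2002::192:168:100:7", 443, "tcp", "amazon", "Audio_Video"),
              Flow("10.20.2.220", "10.30.2.220", 443, "tcp")):
        print(f, "->", evaluate(PE_POLICY_RULES, f))
```

Under these assumptions the second sample flow shows why the precedence numbers matter: amazon Audio_Video traffic from 2002::10:10:10:10/112 to 2002::192:168:100:0/112 on port 443 satisfies both rules, and stream-rule-1 (precedence 1) allows and optimizes it before stream-rule-2 is consulted. If the intent were to deny that subnet pair unconditionally, the deny rule would need the lower precedence number.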

CR shortName

CR shortNames provide an easy way to view installed CRs, and their configuration parameters. The CR shortName can also be used to delete the CR instance. The F5BigPePolicy and F5BigPeProfile CR shortNames are pepol and peprof respectively.

View CR instance:

kubectl get pepol -n <namespace>
kubectl get peprof -n <namespace>

View CR configuration:

kubectl get pepol -n <namespace> -o yaml
kubectl get peprof -n <namespace> -o yaml

PE Logging

A F5BigLogProfile CR can be configured to log subscriber connection information such as subscriber ID, call duration, destination IP address and port, etc., when the connection matches an F5BigPePolicy CR rule. This section demonstrates two methods for logging subscriber connection data.

Note: The F5BigPePolicy references both the F5BigLogProfile and the F5BigLogHslpub CRs.

Reporting Fields

The reportingFields parameter provides options that are easily viewed while configuring the F5BigLogProfile, however, the logging format on the remote server is more difficult to view.

In this example, the F5BigLogProfile is configured to capture and log the packet’s source and destination information.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  pe:
    reportingFields:
      - "Source IP"
      - "Source Port"
      - "Destination IP"
      - "Destination Port"
    reportingType: flow-reporting

The reportingFields log entries will appear similar to the following on the remote server:

Apr  4 15:48:36 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,57236,10.30.2.220,80
Apr  4 15:48:59 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,59720,10.30.2.220,53

Format Script

The formatScript parameter provides options that are more difficult to view while configuring the F5BigLogProfile, however, the logging format on the remote server is easier to view.

In this example, the F5BigLogProfile is configured to capture and log the packet’s source and destination information.

apiVersion: "k8s.f5net.com/v1"
kind: F5BigLogProfile
metadata:
  name: "cnf-log-profile"
  namespace: "cnf-gateway"
spec:
  pe:
    formatScript: return (src-ip:[PEM::flow stats reported src-ip],src-port:[PEM::flow stats reported src-port],dst-ip:[PEM::flow stats reported dst-ip],dst-port:[PEM::flow stats reported dst-port],timestamp:[PEM::flow stats reported timestamp])
    reportingType: flow-reporting

The formatScript log entries will appear similar to the following on the remote server:

Apr  4 15:52:42 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:57240,dst-ip:10.30.2.220,dst-port:80)
Apr  4 15:52:43 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:59934,dst-ip:10.30.2.220,dst-port:53)

For a full list of parameter options, refer to the spec.pe section of the F5BigLogProfile Reference.
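Whichever format is chosen, the remote server receives one syslog line per reported flow, and an analyst's first job is to turn those lines into structured records. The following Python parser is an added example for this page (not F5's code) that handles both formats shown above: the bare CSV payload of reportingFields, whose column order is assumed to follow the order of the fields in the profile, and the parenthesised key:value payload of formatScript. The first four sample lines are the excerpts above; the IPv6 line and the non-flow line are constructed to exercise the edge cases (colons inside an IPv6 value, and a line that is not a flow record).

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Lines 1-4 are the log excerpts shown above; line 5 is a constructed IPv6 formatScript
# entry and line 6 a constructed non-flow message, added to exercise the parser's edge cases.
SAMPLE_LINES = [
    "Apr  4 15:48:36 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,57236,10.30.2.220,80",
    "Apr  4 15:48:59 f5-tmm-5896659874-bzfc8 tmm[33] 10.20.2.220,59720,10.30.2.220,53",
    "Apr  4 15:52:42 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:57240,dst-ip:10.30.2.220,dst-port:80)",
    "Apr  4 15:52:43 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:10.20.2.220,src-port:59934,dst-ip:10.30.2.220,dst-port:53)",
    "Apr  4 15:53:10 f5-tmm-5896659874-bzfc8 tmm[33] (src-ip:2002::10:10:10:55,src-port:51000,dst-ip:2002::192:168:100:7,dst-port:443)",
    "Apr  4 15:53:11 f5-tmm-5896659874-bzfc8 tmm[33] constructed non-flow message",
]

# Column order of the CSV payload: assumed to be the order in which reportingFields lists them.
REPORTING_FIELDS = ["Source IP", "Source Port", "Destination IP", "Destination Port"]

# "<Mon> <day> <hh:mm:ss> <host> <proc[pid]> <payload>", as in the excerpts above.
SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<proc>\S+) (?P<payload>.*)$")


@dataclass
class FlowRecord:
    timestamp: str
    host: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Optional[FlowRecord]:
    """Parse one remote-server line in either PE logging format; None if it is neither."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    payload = m["payload"].strip()
    try:
        if payload.startswith("(") and payload.endswith(")"):
            # formatScript output: key:value pairs inside parentheses. Split each pair on
            # its first ':' only so that an IPv6 address in the value keeps its colons.
            kv = dict(item.split(":", 1) for item in payload[1:-1].split(",") if ":" in item)
            return FlowRecord(m["ts"], m["host"], kv["src-ip"], int(kv["src-port"]),
                              kv["dst-ip"], int(kv["dst-port"]))
        # reportingFields output: bare CSV, one column per configured field.
        parts = payload.split(",")
        if len(parts) != len(REPORTING_FIELDS):
            return None
        col = dict(zip(REPORTING_FIELDS, parts))
        return FlowRecord(m["ts"], m["host"], col["Source IP"], int(col["Source Port"]),
                          col["Destination IP"], int(col["Destination Port"]))
    except (KeyError, ValueError):  # missing key or non-numeric port: not a flow record
        return None


def parse_lines(lines: List[str]) -> List[FlowRecord]:
    return [r for r in map(parse_line, lines) if r is not None]


def count_by_destination(records: List[FlowRecord]) -> Dict[Tuple[str, int], int]:
    """Flows per (destination IP, destination port): a first cut at spotting unexpected services."""
    counts: Dict[Tuple[str, int], int] = {}
    for r in records:
        counts[(r.dst_ip, r.dst_port)] = counts.get((r.dst_ip, r.dst_port), 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(count_by_destination(parse_lines(SAMPLE_LINES)).items()):
        print(f"{key[0]}:{key[1]}  {n} flow(s)")
```

The CSV branch depends on REPORTING_FIELDS matching the profile exactly; if the reportingFields list in the F5BigLogProfile is reordered or extended, this constant must change with it, which is the practical cost of the "harder to read on the remote server" format the text mentions. The formatScript branch is self-describing and survives such changes.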

Requirements

Ensure you have:

Installation

Use these steps to install the example F5BigPePolicy CR, and the optional CNFs CRs. Each step offers a brief description of the example CR.

Tip: Open a second shell to view the CNFs Event Logs while installing.

  1. The example F5BigLogHslpub CR specifies a remote server with IP/port [2002::10:30:2:220]:514, and the udp protocol. Copy and paste the example into a YAML file:

    Note: The F5BigLogHslpub CR will be referenced by both the F5BigLogProfile and the F5BigClassificationprofile CRs.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigLogHslpub
    metadata:
      name: "cnf-hsl-pub"
      namespace: "cnf-gateway"
    spec:
      pool:
      - name: "hsl-pool"
        endpoint:
        - "[2002::10:30:2:220]:514"
      syslog:
      - name: "cnf-syslog"
        format: "rfc5424"
        protocol: "udp"
        pool: "hsl-pool"
    
  2. Install the F5BigLogHslpub CR:

    kubectl apply -f cnf-hsl-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogHslpub CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5Hslpub",
    F5Hslpub cnf-gateway/cnf-hsl-pub was added/updated
    
  3. The example F5BigLogProfile CR specifies policy enforcement events such as Source IP and Destination IP, and sends them to the remote logging server. Copy and paste the example into a YAML file:

    Note: The F5BigLogProfile CR will be referenced by the F5BigPePolicy CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigLogProfile
    metadata:
      name: "cnf-log-profile"
      namespace: "cnf-gateway"
    spec:
      pe:
        reportingFields:
          - "Source IP"
          - "Source Port"
          - "Destination IP"
          - "Destination Port"
        reportingType: flow-reporting
    
  4. Install the F5BigLogProfile CR:

    kubectl apply -f cnf-log-profile.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigLogProfile CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5LogProfile",
    LogProfile cnf-gateway/cnf-log-profile was added/updated
    
  5. The example F5BigTcpSetting CR increases the sendBuffer and proxyBuffer sizes to increase TCP throughput. Copy the example CR into a YAML file:

    Note: The F5BigTcpSetting CR will be referenced by the F5BigPeProfile.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigTcpSetting
    metadata:
      name: "tcp-high-bw-profile"
      namespace: "cnf-gateway"
    spec:
      sendBufferSize: 150000
      receiveWindowSize: 70000
      proxyBufferHigh: 20000
      proxyBufferLow: 5000
      idleTimeout: 150
      resetOnTimeout: false
    
  6. Install the F5BigTcpSetting CR:

    kubectl apply -f cnf-tcp-high-bw-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigTcpSetting CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5TcpSetting",
    TcpSetting cnf-gateway/tcp-high-bw-profile was added/updated
    
  7. The example F5BigClassificationprofile enables important parameters such as ApplicationDetection, UrlCategorization, and analyzeDns. Copy the example CR into a YAML file:

    Note: The F5BigClassificationprofile will be referenced by the F5BigContextSecure CR, and references the F5BigLogHslpub CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigClassificationprofile
    metadata:
      name: "cnf-class-profile"
      namespace: "cnf-gateway"
    spec:
      name: "cnf-class-profile"
      enableApplicationDetection: true
      enableUrlCategorization: true
      logPublisher: "cnf-hsl-pub"
      preset:
        enableFlowBundling: true
        analyzeSslServerside: false
        enableCacheResults: true
        analyzeDns: true
    
  8. Install the F5BigClassificationprofile CR:

    kubectl apply -f cnf-class-profile.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigClassificationprofile CR was added/updated:

    I0624 12:00:00.12347   1 event.go:282] Event(v1.ObjectReference{Kind:"F5ClassificationProfile",
    F5ClassificationProfile cnf-gateway/cnf-class-profile was added/updated
    
  9. The example F5BigPePolicy applies the higher bandwidth F5BigTcpSetting CR to Audio_Video application traffic, and Disables (denies) application traffic from source IP subnet 2002::10:10:10:10/112, destined to the IP subnet 2002::192:168:100:0/112. Copy the example CR into a YAML file:

    Note: The F5BigPePolicy references the F5BigLogProfile, F5BigLogHslpub, and F5BigTcpSetting CRs.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigPePolicy
    metadata:
      name: "cnf-pe-policy"
      namespace: "cnf-gateway"
    spec:
      rule:
        - name: "stream-rule-1"
          reportingProfile: "cnf-log-profile"
          publisher: "cnf-hsl-pub"
          precedence: 1
          filter:
            classification:
              - application: "amazon"
                category: "Audio_Video"
                match: "match"
          action:
            gate: "Enabled"
            tcpOptimizationDownlink: tcp-high-bw-profile
            tcpOptimizationUplink: tcp-high-bw-profile
        - name: "stream-rule-2"
          precedence: 2
          filter:
            flow:
              - match: "match"
                protocol: "any"
                ipType: "any"
                sourceAddress: "2002::10:10:10:10/112"
                destinationAddress: "2002::192:168:100:0/112"
                destinationPort: 443
          action:
            gate: "Disabled"
    
  10. Install the F5BigPePolicy CR:

    kubectl apply -f cnf-pe-policy-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigPePolicy CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5PemPolicy",
    PemPolicy cnf-gateway/cnf-pe-policy was added/updated
    
  11. Copy the example F5BigPeProfile CR into a YAML file:

    Note: The F5BigPeProfile references the F5BigPePolicy, and will be referenced by the F5BigContextSecure CR.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigPeProfile
    metadata:
      name: "cnf-pe-profile"
      namespace: "cnf-gateway"
    spec:
      description: "web profile"
      globalPolicy: 
        highPrecedence:
          - "cnf-pe-policy"
    
  12. Install the F5BigPeProfile CR:

    kubectl apply -f cnf-pe-profile-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigPeProfile CR was added/updated:

    I0202 12:00:00.12347   1 event.go:282 Event(v1.ObjectReference{Kind:"F5PemProfile",
    PemProfile cnf-gateway/cnf-pe-profile was added/updated
    
  13. The example F5BigContextSecure CR listens for connections destined to any IPv6 address on port 443 received on the subscriber-vlan interface. Copy and paste the example into a YAML file:

    Note: The F5BigContextSecure CR references the F5BigPeProfile and F5BigClassificationprofile CRs.

    apiVersion: k8s.f5net.com/v1
    kind: F5BigContextSecure
    metadata:
      name: "cnf-pe-context"
      namespace: "cnf-gateway"
    spec:
      ipv6destinationAddress: "::/0"
      destinationPort: 443
      ipProtocol: "tcp"
      profile: "fastL4"
      pemProfile: "cnf-pe-profile"
      classificationProfile: "cnf-class-profile"
      vlans:
        vlanList:
          - "subscriber-vlan"
    
  14. Install the F5BigContextSecure CR:

    kubectl apply -f f5-cnf-context-cr.yaml
    

    In this example, the BIG-IP Controller logs indicate the F5BigContextSecure CR was added/updated:

    I0202 12:00:00:12350    1 event.go:282] Event(v1.ObjectReference{Kind:"F5SecureContext",
    SecureContext cnf-gateway/cnf-pe-context was added/updated
    
  15. Review the Policy Enforcement statistics section.
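The Note lines in the steps above spell out a chain of references (F5BigPePolicy to F5BigLogProfile, F5BigLogHslpub and F5BigTcpSetting; F5BigClassificationprofile to F5BigLogHslpub; F5BigPeProfile to F5BigPePolicy; F5BigContextSecure to F5BigPeProfile and F5BigClassificationprofile), and a name typo anywhere in that chain leaves a CR that the controller accepts but that never takes effect. The following Python checker is an added example for this page, not an F5 tool: it walks those reference fields across a set of manifests and reports any name that is not defined in the same namespace. The manifests are the page's own CRs reduced to their reference-bearing fields and embedded as Python dictionaries; in practice they would come from the YAML files with a loader such as yaml.safe_load_all. The assumption that a referenced CR must live in the same namespace, and the list of which fields are references, are this example's own.

```python
from typing import Iterator, List

# For each CR kind, the spec paths that name other CRs and the kind they must name.
# Derived from the Note lines in the installation steps above. '[]' marks a list to
# descend into. The F5BigContextSecure 'profile: fastL4' field names a built-in
# profile rather than a CR, so it is deliberately not listed.
REFERENCE_FIELDS = {
    "F5BigPePolicy": [
        ("spec.rule[].reportingProfile", "F5BigLogProfile"),
        ("spec.rule[].publisher", "F5BigLogHslpub"),
        ("spec.rule[].action.tcpOptimizationUplink", "F5BigTcpSetting"),
        ("spec.rule[].action.tcpOptimizationDownlink", "F5BigTcpSetting"),
    ],
    "F5BigClassificationprofile": [("spec.logPublisher", "F5BigLogHslpub")],
    "F5BigPeProfile": [
        ("spec.globalPolicy.highPrecedence[]", "F5BigPePolicy"),
        ("spec.globalPolicy.lowPrecedence[]", "F5BigPePolicy"),
        ("spec.unknownSubscriberpolicy[]", "F5BigPePolicy"),
    ],
    "F5BigContextSecure": [
        ("spec.pemProfile", "F5BigPeProfile"),
        ("spec.classificationProfile", "F5BigClassificationprofile"),
    ],
}

NS = "cnf-gateway"
# The CRs from the steps above, reduced to kind, metadata and their reference fields.
MANIFESTS = [
    {"kind": "F5BigLogHslpub", "metadata": {"name": "cnf-hsl-pub", "namespace": NS}, "spec": {}},
    {"kind": "F5BigLogProfile", "metadata": {"name": "cnf-log-profile", "namespace": NS}, "spec": {}},
    {"kind": "F5BigTcpSetting", "metadata": {"name": "tcp-high-bw-profile", "namespace": NS}, "spec": {}},
    {"kind": "F5BigClassificationprofile", "metadata": {"name": "cnf-class-profile", "namespace": NS},
     "spec": {"logPublisher": "cnf-hsl-pub"}},
    {"kind": "F5BigPePolicy", "metadata": {"name": "cnf-pe-policy", "namespace": NS},
     "spec": {"rule": [
         {"name": "stream-rule-1", "reportingProfile": "cnf-log-profile", "publisher": "cnf-hsl-pub",
          "action": {"gate": "Enabled", "tcpOptimizationUplink": "tcp-high-bw-profile",
                     "tcpOptimizationDownlink": "tcp-high-bw-profile"}},
         {"name": "stream-rule-2", "action": {"gate": "Disabled"}}]}},
    {"kind": "F5BigPeProfile", "metadata": {"name": "cnf-pe-profile", "namespace": NS},
     "spec": {"globalPolicy": {"highPrecedence": ["cnf-pe-policy"]}}},
    {"kind": "F5BigContextSecure", "metadata": {"name": "cnf-pe-context", "namespace": NS},
     "spec": {"pemProfile": "cnf-pe-profile", "classificationProfile": "cnf-class-profile"}},
]


def _values_at(obj: dict, path: str) -> Iterator:
    """Yield every value reachable by a dotted path; a 'key[]' segment descends into each list item."""
    parts = path.split(".")

    def walk(node, i):
        if i == len(parts):
            yield node
            return
        key = parts[i]
        if key.endswith("[]"):
            items = node.get(key[:-2]) if isinstance(node, dict) else None
            for item in items or []:
                yield from walk(item, i + 1)
        elif isinstance(node, dict) and key in node:
            yield from walk(node[key], i + 1)

    yield from walk(obj, 0)


def check_references(manifests: List[dict]) -> List[str]:
    """One message per reference to a CR that is not present with the same kind, namespace and name."""
    present = {(m["kind"], m["metadata"].get("namespace"), m["metadata"]["name"]) for m in manifests}
    problems = []
    for m in manifests:
        ns = m["metadata"].get("namespace")
        for path, target_kind in REFERENCE_FIELDS.get(m["kind"], []):
            for name in _values_at(m, path):
                if (target_kind, ns, name) not in present:
                    problems.append(f"{m['kind']}/{m['metadata']['name']}: {path} -> "
                                    f"{target_kind} '{name}' not found in namespace {ns}")
    return problems


if __name__ == "__main__":
    for problem in check_references(MANIFESTS) or ["all references resolve"]:
        print(problem)
```

Run before the kubectl apply steps, the checker turns a silent misconfiguration into a visible error; omitting the F5BigTcpSetting manifest, for instance, reports both the uplink and the downlink reference from stream-rule-1.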

Policy Enforcement statistics

If the TMM Debug sidecar is enabled (default), use the steps below to verify F5BigPePolicy match statistics.

  1. Log in to the TMM debug Pod:

    In this example, the TMM debug container is in the cnf-gateway namespace:

    kubectl exec -it deploy/f5-tmm -c debug -n cnf-gateway -- bash
    
  2. Verify the F5BigPePolicy statistics:

    tmctl -d blade pem_actions_stat -s pass,drop,tcpopt_to_net,tcpopt_to_sub
    

    In this example, optimization is applied to both uplink (tcpopt_to_net) and downlink (tcpopt_to_sub) traffic.

    pass drop tcpopt_to_net tcpopt_to_sub
    ---- ---- ------------- -------------
      6    0             6             6
    

Feedback

Provide feedback to improve this document by emailing cnfdocs@f5.com.
