TCP Optimization
Overview
BIG-IP Policy Enforcer (PE) includes a highly optimized TCP/IP stack that applies leading-edge TCP/IP techniques to minimize the effects of congestion and packet loss on 3G/4G networks. TCP optimization delivers up to twice the performance gains for subscribers and four times the improvement in bandwidth efficiency.
TCP optimization is supported as a PE policy action that can be applied to subscriber traffic. The action supports different sets of optimization parameters, each fine-tuned to a specific network type. An operator can then set up policies that apply the most suitable TCP optimization parameters for a subscriber according to the network in use.
TCP Optimization is achieved by fine-tuning some of the parameters that influence the TCP stack. The following table lists a few of those parameters:
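| Attribute group | Parameter |
| --- | --- |
| Memory Management Attributes | Proxy Buffer High |
| Memory Management Attributes | Proxy Buffer Low |
| Memory Management Attributes | Receive Window |
| Memory Management Attributes | Send Buffer |
| Congestion Control Attributes | Congestion Control Algorithm |
| Congestion Control Attributes | Packet Loss Ignore Burst |
| Congestion Control Attributes | Packet Loss Ignore Rate |
| Congestion Control Attributes | Rate Pace |
| Loss Detection and Recovery | Early Retransmit |
| Loss Detection and Recovery | Retransmit threshold |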
Because TCP optimization is a PE policy action, it can be adjusted dynamically based on the type of network in use, such as 2G, 3G, and 4G networks. This flexibility ensures that mobile users and service providers get optimized performance when subscribers switch between networks, which improves the user experience, especially when there is latency and packet loss.
TCP optimization applies to both high-speed LANs and low-speed WANs. In high-speed environments, it quickly adjusts buffer sizes and manages congestion effectively. In low-speed WANs, it minimizes the effects of latency and packet loss, thereby enhancing overall application delivery. This dual capability lets service providers maintain optimal performance regardless of their network conditions.
Installation
Following are the steps to install and apply the TCP Optimization use case:
DPI Profile
Here, TCP optimization is applied as a PE policy action on DPI, so the following DPI profile is required to enable application detection.
Copy the following example into the dpi-profile.yaml file.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigDpiProfile
    metadata:
      name: "dpi-profile"
    spec:
      name: "dpiprofile-cnf"
      enableApplicationDetection: true
      enableLogUnclassifiedDomain: true
      preset:
        enableFlowBundling: true
        analyzeSslServerside: true
        enableCacheResults: true
        analyzeDns: true
        allowReclassification: true

Apply the DPI Profile.

    kubectl apply -f dpi-profile.yaml -n <name_space>

Verify that the DPI Profile is applied by checking the F5ingress logs.

    I0224 11:41:43.489089 13 event.go:364] Event(v1.ObjectReference{Kind:"F5BigDpiProfile", Namespace:"default", Name:"dpi-profile", UID:"8588d3c6-5287-41bd-b0b1-c7260d6c73dc", APIVersion:"", ResourceVersion:"59202", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' F5DpiProfile default/dpi-profile was added/updated

For more information, see F5BigDpiProfile CRD page.
PE Policy
Copy the following example into the pem-policy-dpi-tcpopt.yaml file.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigPePolicy
    metadata:
      name: "pem-policy-dpi-tcpopt"
    spec:
      description: "pem policy for dpi with tcpopt as action"
      rule:
        - name: "dpi-rule-with-tcpopt-rule"
          precedence: 1
          filter:
            deepPacketInspection:
              - name: "class1"
                match: "match"
                category: "any"
                application: "tcp"
          action:
            enableGate: true
            tcpOptimizationUplink: "tcpopt-tcp-profile"
            tcpOptimizationDownlink: "tcpopt-tcp-profile"

For the complete list of parameters supported, see spec.rule.action.
Apply the PE policy.

    kubectl apply -f pem-policy-dpi-tcpopt.yaml -n <name_space>

Verify that the PE policy is applied by checking the F5ingress logs.

    I0224 11:45:47.295465 13 event.go:364] Event(v1.ObjectReference{Kind:"F5BigPePolicy", Namespace:"default", Name:"pe-policy-dpi-tcpopt", UID:"d61a891f-0c90-4128-a0d0-5b2d206e1622", APIVersion:"", ResourceVersion:"59582", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' pePolicy default/pe-policy-dpi-tcpopt was added/updated

For more information, see F5BigPePolicy CRD page.
TCP profile
Copy the following example into the tcpopt-tcp-profile.yaml file.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigTcpSetting
    metadata:
      name: "tcpopt-tcp-profile"
    spec:
      description: 'TCP Profile for tcp optimization'
      ratePace: true
      ratePaceMaxRate: 200

Apply the TCP Profile.

    kubectl apply -f tcpopt-tcp-profile.yaml -n <name_space>

Verify that the TCP profile is applied by checking the F5ingress logs.

    I0224 11:45:47.295465 13 event.go:364] Event(v1.ObjectReference{Kind:"F5BigPePolicy", Namespace:"default", Name:"tcpopt-tcp-profile", UID:"d61a891f-0c90-4128-a0d0-5b2d206e1622", APIVersion:"", ResourceVersion:"59582", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' pePolicy default/tcpopt-tcp-profile was added/updated

For more information, see F5BigTcpSetting CRD page.
PE Profile
Copy the following example into the pem-profile-dpi-tcpopt.yaml file.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigPeProfile
    metadata:
      name: "pem-profile-dpi-tcpopt"
    spec:
      description: "pem profile for dpi"
      globalPolicy: {}
      unknownSubscriberpolicy:
        - "pem-policy-dpi-tcpopt"

Apply the PE Profile.

    kubectl apply -f pem-profile-dpi-tcpopt.yaml -n <name_space>

Verify that the PE profile is applied by checking the F5ingress logs.

    I0224 12:04:57.863324 13 event.go:364] Event(v1.ObjectReference{Kind:"F5BigPeProfile", Namespace:"default", Name:"pe-profile-dpi-tcpopt", UID:"d83453b9-8501-4214-b7fc-ad76c3694c7d", APIVersion:"", ResourceVersion:"61373", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' peProfile default/pe-profile-dpi-tcpopt was added/updated

For more information, see F5BigPeProfile CRD page.
Secure Context
Copy the following example into the secure_context.yaml file.

    apiVersion: "k8s.f5net.com/v1"
    kind: F5BigContextSecure
    metadata:
      name: "virtual-server"
    spec:
      destinationAddress: "0.0.0.0/0"
      destinationPort: 0
      ipProtocol: "tcp"
      snat:
        type: "automap"
      peProfile: "pem-profile-dpi-tcpopt"
      dpiProfile: "dpiprofile"
      profile: "tcp"

Apply the Secure Context CR.

    kubectl apply -f secure_context.yaml -n <name_space>

Verify that the Secure Context CR is applied by checking the F5ingress logs.

    I0221 08:06:28.013501 13 event.go:377] Event(v1.ObjectReference{Kind:"F5BigContextSecure", Namespace:"default", Name:"virtual-server", UID:"ec203939-44ef-4c32-9bc6-8e84b1501869", APIVersion:"", ResourceVersion:"12572", FieldPath:""}): type: 'Normal' reason: 'Added/Updated' SecureContext default/virtual-server was added/updated

For more information, see F5BigContextSecure CRD page.
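
The five log checks in the steps above can be scripted so that a missing or misnamed object is caught in one pass. This is an added example, not part of the F5 documentation: it assumes the event line format shown in the samples above, and the log lines it runs on are constructed.

```python
import re

# Event line format as shown in the F5ingress log samples on this page.
EVENT_RE = re.compile(
    r'Event\(v1\.ObjectReference\{Kind:"(?P<kind>[^"]+)", '
    r'Namespace:"(?P<ns>[^"]*)", Name:"(?P<name>[^"]+)".*?\}\): '
    r"type: '(?P<type>\w+)' reason: '(?P<reason>[^']+)'"
)

# (kind, metadata.name) of the five manifests in this procedure.
EXPECTED = [
    ("F5BigDpiProfile", "dpi-profile"),
    ("F5BigPePolicy", "pem-policy-dpi-tcpopt"),
    ("F5BigTcpSetting", "tcpopt-tcp-profile"),
    ("F5BigPeProfile", "pem-profile-dpi-tcpopt"),
    ("F5BigContextSecure", "virtual-server"),
]

def applied_objects(log_text):
    """Map (kind, namespace, name) to the (type, reason) of its latest event."""
    seen = {}
    for m in EVENT_RE.finditer(log_text):
        seen[(m["kind"], m["ns"], m["name"])] = (m["type"], m["reason"])
    return seen

def missing_objects(log_text, expected=EXPECTED, namespace="default"):
    """Return expected (kind, name) pairs lacking a Normal Added/Updated event."""
    seen = applied_objects(log_text)
    return [(k, n) for k, n in expected
            if seen.get((k, namespace, n)) != ("Normal", "Added/Updated")]

def sample_line(kind, name):
    """Build a constructed log line (placeholder UID) in the page's event format."""
    return ('I0224 11:41:43.489089 13 event.go:364] Event(v1.ObjectReference{'
            f'Kind:"{kind}", Namespace:"default", Name:"{name}", '
            'UID:"00000000-0000-0000-0000-000000000000", APIVersion:"", '
            'ResourceVersion:"1", FieldPath:""}): '
            f"type: 'Normal' reason: 'Added/Updated' {kind} default/{name} was added/updated")

# Constructed sample: the TCP profile was never logged, and the PE policy appears
# under a name that differs from its manifest (as in the sample output above).
SAMPLE_LOG = "\n".join([
    sample_line("F5BigDpiProfile", "dpi-profile"),
    sample_line("F5BigPePolicy", "pe-policy-dpi-tcpopt"),
    sample_line("F5BigPeProfile", "pem-profile-dpi-tcpopt"),
    sample_line("F5BigContextSecure", "virtual-server"),
])

if __name__ == "__main__":
    for kind, name in missing_objects(SAMPLE_LOG):
        print(f"no Added/Updated event for {kind}/{name}")
```

Feed it the F5ingress log text in place of SAMPLE_LOG; an empty result means every expected object has an Added/Updated event under the name used in its manifest.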
Policy Enforcement statistics
If TMM Debug is installed, use the following steps to verify PE actions statistics.
Log in to the TMM debug Pod.

    kubectl exec -it deploy/f5-tmm -c debug -n <name_space> -- bash

Verify the pem_actions_stat statistics. Run the following command:

    tmctl -d blade pem_actions_stat -w 130

Sample output:

    pass drop clone redirect icap_request icap_response steering w_steering steering_on_response bwc_uplink bwc_downlink dscp_marking_uplink
    ---- ---- ----- -------- ------------ ------------- -------- ---------- -------------------- ---------- ------------ -------------------
       4    0     0        0            0             0        0          0                    0          0            0                   0

    dscp_marking_downlink http_headers_modify insert_content irule l2_marking_uplink l2_marking_downlink flow_report session_report transaction_report
    --------------------- ------------------- -------------- ----- ----------------- ------------------- ----------- -------------- ------------------
                        0                   0              0     0                 0                   0           0              0                  0

    reeval_cnt reeval_max media_qoe dtos_td rancon_detect tcpopt_to_net tcpopt_to_sub tcpana_to_net tcpana_to_sub sfc_path
    ---------- ---------- --------- ------- ------------- ------------- ------------- ------------- ------------- --------
             0          0         0       0             0             2             2             0             0        0

Verify the pem_tcpopt_stat statistics. Run the following command:

    tmctl -d blade pem_tcpopt_stat -w 130

Sample output:

    name                                  count failed
    ------------------------------------- ----- ------
    default-tcpopt-tcp-profile-tcpsetting     4      0

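
The two tmctl tables above can also be checked programmatically. This is an added example, not F5 code: it parses the wrapped table layout by reading column boundaries from the dashed rule, then checks the TCP optimization counters. Treating non-zero tcpopt_to_net and tcpopt_to_sub with failed equal to 0 as the healthy state is an assumption, and the embedded tables are constructed from a subset of the columns and values shown above.

```python
import re

RULE = re.compile(r"[- ]+")  # the dashed line under each header row

def parse_tmctl(text):
    """Parse tmctl table output; wrapped column blocks are merged into row dicts."""
    lines = [l.rstrip() for l in text.splitlines() if l.strip()]
    rules = [i for i, l in enumerate(lines) if i > 0 and RULE.fullmatch(l)]
    rows = []
    for k, i in enumerate(rules):
        # Value lines end where the header of the next wrapped block begins.
        end = rules[k + 1] - 1 if k + 1 < len(rules) else len(lines)
        # Column boundaries come from the dashed rule; names from the line above it.
        spans = [m.span() for m in re.finditer(r"-+", lines[i])]
        names = [lines[i - 1][s:e].strip() for s, e in spans]
        for r, line in enumerate(lines[i + 1:end]):
            if r == len(rows):
                rows.append({})
            rows[r].update((n, line[s:e].strip()) for n, (s, e) in zip(names, spans))
    return rows

def tcpopt_findings(actions_out, tcpopt_out):
    """Assumption: a zero tcpopt_to_* counter or failed > 0 means the action is not working."""
    findings = []
    actions = parse_tmctl(actions_out)[0]
    for col in ("tcpopt_to_net", "tcpopt_to_sub"):
        if int(actions.get(col, 0)) == 0:
            findings.append(f"{col} is 0")
    for row in parse_tmctl(tcpopt_out):
        if int(row["failed"]) > 0:
            findings.append(f"{row['name']}: failed={row['failed']}")
    return findings

# Constructed samples: a subset of the columns and the values from the output above.
ACTIONS_SAMPLE = """\
pass drop clone redirect
---- ---- ----- --------
   4    0     0        0
tcpopt_to_net tcpopt_to_sub tcpana_to_net tcpana_to_sub
------------- ------------- ------------- -------------
            2             2             0             0
"""
TCPOPT_SAMPLE = """\
name                                  count failed
------------------------------------- ----- ------
default-tcpopt-tcp-profile-tcpsetting     4      0
"""

if __name__ == "__main__":
    print(tcpopt_findings(ACTIONS_SAMPLE, TCPOPT_SAMPLE) or "TCP optimization counters look healthy")
```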