F5BigPePolicy
Overview
The F5BigPePolicy Custom Resource (CR) configures the Traffic Management Microkernel (TMM) Proxy Pod to manage subscriber traffic using policy-based classification criteria such as application type, URL category, or higher-level packet flow information. Subscriber traffic can be allowed or denied, and optimized with the F5BigTcpSetting CR based on the F5BigPePolicy rule configuration.
A F5BigPeProfile CR can reference one or more F5BigPePolicy CRs. To accept and process the application traffic, the F5BigContextSecure CR will reference the F5BigPeProfile.
This document guides you through understanding, configuring, and installing the F5BigPePolicy CR.
CR parameters
The tables in this section list and describe the F5BigPePolicy CR parameters used in this document.

| Parameter | Description |
|---|---|
| spec.enableState | Specifies whether to evaluate or ignore this policy. When set to true, the system evaluates this policy for the filtered flow; when set to false, the system ignores this policy during evaluation. The default value is true. |
spec.rule

| Parameter | Description |
|---|---|
| name | Specifies the name of the F5BigPePolicy rule. A policy can contain multiple rules. |
| precedence | Specifies the precedence, or order, in which rules and their actions are processed. The range is 1 to 1024. |
spec.rule.filter.deepPacketInspection
Important: A F5BigDPIprofile is required when using the classification feature.

| Parameter | Description |
|---|---|
| name | Specifies the name of the deepPacketInspection filter. |
| match | Specifies the traffic matching criterion. Values can be match (default) or no-match. |
| category | Specifies the type of traffic: any (default), Web, Audio_Video, Encrypted, File_Download_Servers, Search_Engines, Network_Management_and_Services, News_and_Media, or Advertisements. |
| application | Specifies the application type: any (default), amazon, apple, tcp, udp, http, ssl, youtube, google, ftp, cnn, or amazon_adv. |
spec.rule.filter.url_categorization

| Parameter | Description |
|---|---|
| name | Specifies the name of the URL categorization filter. |
| match | Specifies whether the rule applies to traffic whose URL category matches the selected criterion. Values can be match (default) or no-match. |
| category | Specifies the URL category of the traffic, for example adult or business-and-economy. The default is any. For the full list of URL categories, see the Filter URL categories section. |
spec.rule.filter.flow

| Parameter | Description |
|---|---|
| name | Specifies the name of the flow filter. |
| match | Determines whether the rule applies to the traffic based on its alignment with the selected application or category. Matching criteria: match (default) or no-match. Note: More than one no-match criterion works as a match for all traffic. |
| dscp | DSCP marking categorizes the incoming traffic based on the value in the DSCP field of the IP header. |
| protocol | Specifies the protocol of the traffic to which the rule applies. The options are any (default), TCP, or UDP. |
| internetProtocolVersion | Specifies the IP address type that this rule applies to. The options are any (default), ipv4, or ipv6. This mandates that both sourceAddress and destinationAddress are of the same type. |
| sourceVlan | Specifies incoming traffic from a VLAN. Add a source VLAN to define which traffic the rule applies to. Any (default) matches traffic from all VLANs. The value is the name of a VLAN defined by F5BigNetVlan. |
| sourceAddress | Specifies the source address that must match or not match the source address of the flow for the rule to apply. Enter the IP address or netmask of the source. The default is 0.0.0.0/0. |
| sourcePort | Specifies the source port that must match or not match the source port of the flow for the rule to apply. The value 0 (default) matches traffic from all ports. |
| destinationAddress | Specifies the destination IP address that must match or not match the destination address of the flow for the rule to apply. Enter the IP address or netmask of the destination. The default is 0.0.0.0/0. |
| destinationPort | Specifies the destination port that must match or not match the destination port of the flow for the rule to apply. The value 0 (default) matches traffic from all ports. |
| ecnDetection | When ECN detection is enabled (set to true), the system recognizes packets marked with the Congestion Encountered (CE) code point. The default value for this parameter is false. |

Note: For the sourceVlan parameter, the user can specify a VLAN object name (F5BigNetVlan.spec.name) even if the VLAN object has not yet been created. Once a VLAN object with that name is created, it is automatically associated with the flow filter through soft referencing.
spec.rule.action

| Parameter | Description |
|---|---|
| enableGate | Specifies that matching traffic can pass through the system when set to true (default). Set to false to drop the traffic that this rule applies to. |
| tcpOptimizationUplink | Specifies the F5BigTcpSetting CR applied to the uplink traffic that matches the rule. |
| tcpOptimizationDownlink | Specifies the F5BigTcpSetting CR applied to the downlink traffic that matches the rule. |
| udpRatePacingEnabled | Specifies that the UDP rate pacing action takes place when enabled. The value can be true or false (default). |
| sendBuffer | Specifies the buffer used to store UDP packets when the maximum rate is exceeded. If the value exceeds 4294967295 (the maximum limit), all incoming UDP packets are dropped on the floor. |
| maxRate | Specifies the UDP maximum rate, set on a per-flow basis. The value 0 (default) turns off the rate limitation. |
| debugUdpRatePacing | Enables UDP rate pacing iRule logs when set to true. The default value is false. |
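The constraints stated in the tables above (the precedence range, the match values, the address family mandated by internetProtocolVersion, the multiple no-match caveat, and the sendBuffer ceiling) can be checked before a policy is applied, so that a rule meant to deny traffic does not silently fail to match. The following pre-apply lint is an added example and not F5 code; it takes the CR spec as a Python dict (load the YAML with a YAML loader first), and the sample spec with its deliberately broken deny rule is constructed here.

```python
import ipaddress
MATCH_VALUES = {"match", "no-match"}
MAX_SEND_BUFFER = 4294967295  # ceiling the reference gives for action.sendBuffer

def lint_flow_addresses(flt, rule):
    """Check a flow filter's addresses against its internetProtocolVersion."""
    out, ver = [], flt.get("internetProtocolVersion", "any")
    for key in ("sourceAddress", "destinationAddress"):
        cidr = flt.get(key, "0.0.0.0/0")  # table default when the field is omitted
        try:
            fam = ipaddress.ip_network(cidr, strict=False).version
        except ValueError:
            out.append(f"{rule}/{flt.get('name')}: {key} {cidr!r} is not a valid prefix")
            continue
        # internetProtocolVersion mandates that both addresses be of that family
        if (ver == "ipv4" and fam != 4) or (ver == "ipv6" and fam != 6):
            out.append(f"{rule}/{flt.get('name')}: {key} {cidr} is IPv{fam} but version is {ver}")
    return out

def lint_policy(spec):
    """Lint an F5BigPePolicy spec (as a dict); an empty list means clean."""
    out = []
    for rule in spec.get("rule", []):
        rname, prec = rule.get("name", "<unnamed>"), rule.get("precedence")
        if not isinstance(prec, int) or not 1 <= prec <= 1024:
            out.append(f"{rname}: precedence {prec!r} outside 1-1024")
        flt = rule.get("filter", {})
        for key in ("deepPacketInspection", "url_categorization", "flow"):
            for f in flt.get(key, []):
                if f.get("match", "match") not in MATCH_VALUES:
                    out.append(f"{rname}/{f.get('name')}: {key} match must be match or no-match")
        flows = flt.get("flow", [])
        for f in flows:
            out += lint_flow_addresses(f, rname)
        # reference caveat: more than one no-match flow criterion matches all traffic
        if sum(f.get("match") == "no-match" for f in flows) > 1:
            out.append(f"{rname}: multiple no-match flow filters match all traffic")
        sb = rule.get("action", {}).get("sendBuffer")
        if sb is not None and sb > MAX_SEND_BUFFER:
            out.append(f"{rname}: sendBuffer {sb} exceeds {MAX_SEND_BUFFER}; UDP would be dropped")
    return out

# Constructed sample: the page's DPI rule plus a deliberately broken IPv6 deny rule
# (destinationAddress omitted, so it falls back to the IPv4 default; sendBuffer too large).
SAMPLE_SPEC = {"rule": [
    {"name": "dpi-rule", "precedence": 1, "action": {"enableGate": True}, "filter": {
        "deepPacketInspection": [{"name": "class1", "match": "match", "category": "Search_Engines"}]}},
    {"name": "deny-v6", "precedence": 2, "action": {"enableGate": False, "sendBuffer": 4294967296},
     "filter": {"flow": [{"name": "v6", "internetProtocolVersion": "ipv6", "sourceAddress": "2002::10:10:10:10/112"}]}},
]}
```

Running lint_policy(SAMPLE_SPEC) reports two findings for deny-v6: the defaulted IPv4 destinationAddress under an ipv6 rule, and the oversized sendBuffer.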
CR Examples
F5BigPePolicy
Following is an example F5BigPePolicy CR.

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigPePolicy
metadata:
  name: "pe-policy-dpi"
spec:
  description: "pe policy for dpi"
  rule:
    - name: "dpi-rule"
      precedence: 1
      filter:
        deepPacketInspection:
          - name: "class1"
            match: "match"
            category: "Search_Engines"
            application: "any"
      action:
        enableGate: true
```
CR shortName
CR shortNames provide an easy way to view installed CRs and their configuration parameters. The CR shortName can also be used to delete the CR instance. The shortName of the F5BigPePolicy CR is pepol.

View CR instance:
Run the following command to view the CR instance:

```
kubectl get pepol -n <namespace>
```

View CR configuration:
Run the following command to view the CR configuration:

```
kubectl get pepol -n <namespace> -o yaml
```
Procedure
Following are the steps to install the example F5BigPePolicy CR.

The example F5BigPePolicy applies the higher-bandwidth F5BigTcpSetting CR to Audio_Video application traffic, and disables (denies) application traffic from the source IP subnet 2002::10:10:10:10/112, destined to the IP subnet 2002::192:168:100:0/112. Copy the example CR into a YAML file:

Note: The F5BigPePolicy references the F5BigLogProfile, F5BigLogHslpub, and F5BigTcpSetting CRs.

```yaml
apiVersion: "k8s.f5net.com/v1"
kind: F5BigPePolicy
metadata:
  name: "pe-policy-dpi"
spec:
  description: "pe policy for dpi"
  rule:
    - name: "dpi-rule"
      precedence: 1
      filter:
        deepPacketInspection:
          - name: "class1"
            match: "match"
            category: "Search_Engines"
            application: "any"
      action:
        enableGate: true
```

Apply the F5BigPePolicy CR:

```
kubectl apply -f cnf-pe-policy-cr.yaml -n <name_space>
```

In the following example, the BIG-IP Controller logs indicate the F5BigPePolicy CR was added/updated.

```
I0202 12:00:00.12347 1 event.go:282 Event(v1.ObjectReference{Kind:"F5pePolicy", pePolicy cnf-gateway/cnf-pe-policy was added/updated
```
Feedback
To provide feedback and help improve this document, please email us at cnfdocs@f5.com