Managing packet filters

Hi everyone,

 

 

I'm working on assembling a service-provider offering with the BIG-IP platform. Management of multiple tenants on the BIG-IP platform seems to sometimes be more of an art than science. One thing I haven't really figured out - what's a good way to manage packet filters?

 

 

Since there is only one global packet filter rules list, I'm really concerned about being able to manage rules for multiple customers without affecting traffic while not exposing/breaking our management or HA critical traffic.

 

 

On Linux's netfilter, people tend to use iptables rules as a lower-level language that higher-level scripts generate. Is anyone doing something similar to prevent packet filters from getting out of control? Even getting my in-band management traffic has proven to be pretty tricky.

 

 

Thanks,

 

Ross