Simplifying Local Traffic Policies In BIG-IP 12.1

Following up on yesterday’s Introduction to Local Traffic Policies (really a rehash of Steve McCarthy’s article from 11.4), we’ll look at improvements made to the local traffic policy interfaces and logic in BIG-IP 12.1.  Local traffic policies are sets of rules defined and published to various virtual servers across your BIG-IP.  Major interface and workflow improvements in 12.1 ease administration of existing and new local traffic policies.  12.1’s goal is to make your local traffic processing easy to implement and reduce the need for those pesky 5-line iRules that can quietly breed like vermin across your BIG-IP ecosystem.  I’m lookin’ at you citizenelah!

Workflow

The pseudo-process for building local traffic policies hasn’t changed since inception in 11.4.  Policies are defined in the centralized policy manager interface located within the Local Traffic menu of BIG-IP.  Creating a policy consists of:

  • A policy name and strategy
  • A rule matching condition
  • A processing action for the condition
  • Publishing the completed policy (new in 12.1)
  • A virtual server for policy assignment

BIG-IP version 12.1 adds the concept of publishing rules prior to applying them.  This removes the possibility for a developer/orchestration admin to enumerate and apply incomplete policies still under development.  Prior versions allowed in-progress policies to be available for selection within a virtual server and if a user accidentally enabled one, your traffic would be bound for darkness.  Adding this publication step gives the admin or developer a little breathing room during policy creation.  Upgrades from previous versions will place the pre-existing policies into the published category.

Building a Policy

The Local Traffic Policy management interface is located under the Local Traffic menu within BIG-IP 11.4 through current releases.  Building a policy is quite simple now but let’s check out the not-so-subtle differences.  I think you’ll agree this is a much easier way to implement conditional rules than the older HTTP Class, iRules, or older traffic policy builders.

 

That’s right, if you haven’t used them before, local traffic policies have been sitting there all along since 11.4.  However, I personally cannot blame you if you ignored them.  They were a bit intimidating, as the comparison below shows.

BIG-IP 11.6

BIG-IP 12.1

 

 

In version 12.1, you can change the operands within the strategy, still using:

  • first-match:  starts the actions for the first rule in the rules list that matches the connection conditions
  • best-match:  selects and starts the actions of the rule in the rules list with the best match.  For expanded focus on best match, see the 12.1 LTM Guide.
  • all-match:  starts the actions for all rules in the rules match list.  When multiple rules match, the best match method is then applied.  Lowest ordinal, highest priority, or first rule matches all fall into “all-match.”

 

Local Traffic Policy Rule Improvements

Customer feedback gave us a lot to work with to fix the rule interface and it shows here.  Previous versions blasted the user with a large and complicated screen that required a lot of examination and experimentation.  Version 12.1 brought the rule creation back to a purist IF/THEN logical workflow as shown below.

BIG-IP 11.6

BIG-IP 12.1

 

Seriously… that’s a HUGE difference. Additional rules and actions can be added to a policy by clicking a plus sign on the right side (cut out of screenshot).  Suddenly adding a URI redirect or a logging statement for weak cipher use becomes a lot easier to implement.  Once complete, publishing the local traffic policy completes the process, making it available to all virtual servers.  Recycling one of Steve McCarthy’s recipes for selective compression is quite easy to implement, as shown below.

BIG-IP 12.1 Compression Rule

Configuration (via bigip.conf)

ltm policy /Common/Drafts/selective_compression {
    controls { compression }
    requires { http }
    rules {
        rule-1 {
            actions {
                0 {
                    compress
                    response
                    enable
                }
            }
            conditions {
                0 {
                    http-header
                    name Content-type
                    starts-with
                    values { text/ }
                }
                1 {
                    cpu-usage
                    last-1min
                    less-or-equal
                    values { 5 }
                }
            }
        }
    }
    strategy /Common/first-match
}
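
An added example, not from the original article or from F5: a small Python audit that reads bigip.conf text and reports, for each ltm policy stanza, whether it still sits in the Drafts folder (as the listing above does), which strategy it uses, and its rule names.  The sample config is constructed, and the parser assumes no braces appear inside quoted strings.

```python
import re

# Constructed sample in bigip.conf syntax. The first stanza is abridged from the
# policy on this page; /Common/example_redirect and its rule names are made up.
SAMPLE_CONF = """
ltm policy /Common/Drafts/selective_compression {
    controls { compression }
    rules {
        rule-1 {
            actions { 0 { compress response enable } }
            conditions { 0 { cpu-usage last-1min less-or-equal values { 5 } } }
        }
    }
    strategy /Common/first-match
}
ltm policy /Common/example_redirect {
    rules {
        to-https { }
        block-admin { }
    }
    strategy /Common/best-match
}
"""

def audit_policies(conf_text):
    """Summarize each `ltm policy` stanza: name, draft status, strategy, rule names."""
    found, cur, depth, in_rules = [], None, 0, False
    for line in conf_text.splitlines():
        s = line.strip()
        if cur is None:
            if m := re.fullmatch(r"ltm policy (\S+) \{", s):
                name = m.group(1)
                # A Drafts folder in the path marks a policy that is not yet published.
                cur = {"name": name, "draft": "Drafts" in name.split("/")[:-1],
                       "strategy": None, "rules": []}
                depth = 1
            continue
        if depth == 1 and s == "rules {":
            in_rules = True
        elif depth == 1 and s.startswith("strategy "):
            cur["strategy"] = s.split()[1].rsplit("/", 1)[-1]
        elif depth == 2 and in_rules and re.match(r"\S+ \{", s):
            cur["rules"].append(s.split()[0])
        depth += s.count("{") - s.count("}")  # track brace nesting
        in_rules = in_rules and depth > 1
        if depth == 0:  # stanza closed
            found.append(cur)
            cur = None
    return found
```

Filtering the result on "draft" gives the list of policies that still need publishing before they can be assigned to a virtual server.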

 

You’re starting to get the idea of how easy it is to build local traffic policies in 12.1’s new centralized Local Traffic Policy interface.  Maybe you already have a few iRules slated for retirement given the improved ease local traffic policies provide.  The performance gains are definitely worth taking a closer look.  For detailed information on local traffic policies and the methods behind creating and managing them, please review the support documentation BIG-IP Local Traffic Management: Getting Started with Policies.  We encourage sharing what iRules you can decommission with local traffic policies; drop us a line or even post your config in codeshare.

Published Jun 03, 2016
Version 1.0