Forum Discussion

Comex_17260
Feb 01, 2012

how to clone/mirror traffic of a "member"

Hello folks,

I searched for the word "clone" to see if a related subject is already covered, but the search functionality of the forum does not seem to be working at all.

Right, here is my problem.

I have really huge UDP traffic on all ports, which is distributed across x number of servers. For troubleshooting and testing issues, I want to clone the traffic which goes to a specific member/node.

I am aware that there is a clone pool attribute in the GUI, but I do not want to clone all the traffic of the pool, because I cannot add another x number of servers, as it would cost a lot of money.

Is it possible for me to clone the traffic which goes to member x.x.x.x/[all ports] of real_pool to member x.x.x.y/[all ports] of clone_pool?

Here is my code, which actually did not work, but I believe it'll give an idea of what I am up to.

when SERVER_CONNECTED {
    # runs once the connection to the selected pool member is established
    if { [IP::addr [IP::server_addr] equals x.x.x.x] } {
        clone pool clone_Pool member x.x.x.y 0
    }
    pool real_Pool member x.x.x.x 0
}

Best,

-Cx

 

15 Replies

  • Hi Aydin,

    That makes sense I guess. Thanks for posting the solution. I updated the clone wiki page with your example.

    Aaron
  • Thank you very much Aydin, and everybody. This should be what I was looking for.
  • Hi everyone,

    If necessary, the client-side example. I tested it successfully:

    when CLIENT_ACCEPTED {
        if { [IP::addr [IP::client_addr] equals 9.9.10.11] } {
            clone pool TEST
            log local0. "client: [IP::client_addr]"
        }
    }
  • This is an interesting (and a bit old, but still relevant) discussion. From my brief encounter with clone in trying to set it up to have traffic from a virtual server cloned/duplicated to a capture system (Foglight), I ran into two things that just don't seem to be explained anywhere:

    1. Why is there a port defined on the pool members? It doesn't seem that the packets are altered in any way, so it certainly isn't cloning the traffic and sending it all to that destination port. It seems to be simply putting the clone MAC address on them and routing them through TMM to whatever interface that would be. I defined port 0 (any port) but still think it really doesn't matter.

    2. The pool member IP seems to serve only to resolve to a MAC address so that the F5 TMM will send it out the desired interface.

    3. If the IDS (Foglight) probe interface doesn't present an IP address, the F5 won't be able to get a MAC address when it goes out to ARP for it (there won't be a reply to the who-has request). This was a huge mystery as to where the packets were going for a while. They actually weren't going anywhere, as the MAC wasn't available to clone the packets to. I implemented a workaround to get it out to a 'monitor' interface on the Viprion/VLAN where the IDS was attached directly (layer 2). I'm not familiar with IDS systems, so perhaps most provide a way for the listening interface to be configured with an IP; in this case I really don't need it as long as it will spill it out the interface for the IDS to 'sniff'. This was done via a TMOS command like:

    create net arp clonemac ip-address mac-address 00:11:22:33:44:55

    The MAC is a dummy address as well.

    Is this a reasonable approach? Thanks!
  • I'd say this is indeed a reasonable approach, based on how the feature 'works':

    1) This is really just to provide consistency with the standard pool configuration mechanism; no port is required.

    2) Correct.

    3) This mostly makes sense although I'd use the real MAC myself
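An added iRule example (not Aydin's posted solution, which is not reproduced on this page, and not F5's own code) for the original question, mirroring only the flows the load balancer sends to one member, and written with the points from the later replies in mind: the clone pool member's port is not used and its IP only serves to resolve the capture sensor's MAC. It assumes that the clone command is accepted in LB_SELECTED on the TMOS version in use, and that real_pool, capture_pool, 10.0.0.11 and 10.0.0.250 are placeholder names and addresses.

```tcl
# Added example: clone only the traffic that real_pool (placeholder) sends to
# one specific member, instead of cloning the whole pool.
# Assumptions (placeholders, not values from the thread):
#   - 10.0.0.11 is the real_pool member under investigation
#   - capture_pool has a single member, the IDS/capture sensor at 10.0.0.250
#     with port 0: as discussed above, the port is not applied to the mirrored
#     packets and the IP is only used to resolve the sensor's MAC address
#     (the sensor must answer ARP or have a static ARP entry on the BIG-IP)
#   - the clone command is valid in LB_SELECTED on this TMOS version

when RULE_INIT {
    # member whose traffic should show up on the capture sensor
    set static::mirror_member 10.0.0.11
}

when LB_SELECTED {
    # LB::server addr is the member the load balancer has just picked for
    # this flow; compare as an address, not as a string
    if { [IP::addr [LB::server addr] equals $static::mirror_member] } {
        # attach the clone pool to this flow only; other members' flows
        # are left alone, so no extra capture capacity is needed for them
        clone pool capture_pool
        log local0. "mirroring [IP::client_addr] -> [LB::server addr]:[LB::server port] to capture_pool"
    }
}
```

The log line makes it easy to confirm on the BIG-IP which flows were selected for mirroring before checking that they actually arrive at the sensor.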