For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

player_72606's avatar
player_72606
Icon for Nimbostratus rankNimbostratus
Sep 16, 2010

bring down VS using iRule

Hi all,

 

 

i need to bring down/offline VS and drop the icmp echo-request and echo-reply when it's pool member are down.

 

 

any ideas how to?

 

application delivery
dev
devops
iRules

4 Replies

  • George_Watkins_'s avatar
    George_Watkins_
    Historic F5 Account
    Sep 17, 2010
    Hi player,

     

     

    I think I may have answered this question in another forum, but I'll give it another go. As long as a virtual server is configured, the LTM will continue to answer echo-requests regardless of the state of the assigned pool. The only way (that I know of) to stop all traffic destined for a virtual address is to use the 'b virtual address arp disable' command. For instance, if you wanted to disable all traffic for virtual address 10.0.0.1 you'd issue the command: b virtual address 10.0.0.1 arp disable. Then enable it again whenever it is needed.

     

     

    A tangential use case, but I've use this for migrating virtuals between physical boxes.

     

     

    -George
  • Austin_Geraci's avatar
    Austin_Geraci
    Icon for MVP rankMVP
    Sep 20, 2010

    Hey Guys, this is a tough one, I've thought about it in the past but couldn't come up with anything.. I can't find doc that references ICMP in the command list, and I'm not sure what event it would fall under because ICMP, even though still at the network layer, is a separate protocol than IP.... so I don't see a event that would support it.. Like you mention it seems to be a fundamental function of a VS... Here's an old post talking about the same issue... http://devcentral.f5.com/Forums/tabid/1082223/asg/50/showtab/groupforums/afv/topic/aff/5/aft/3591/Default.aspx Some interesting ideas.... Can you invoke a bigpipe command or script from an irule? If so, you could use the arp idea in that post.. I'm not to sure about deleting the VS.. as how would you add it back in?

     

  • player_72606's avatar
    player_72606
    Icon for Nimbostratus rankNimbostratus
    Sep 20, 2010
    well, the only thing to do is to disable the ARP on the VS,

     

     

    disable ARP upon down/offline pool members

     

    enable ARP upon online pool members

     

     

    the issue here is how to automate it , some kind of a monitor is needed here also...
  • Hamish's avatar
    Hamish
    Icon for Cirrocumulus rankCirrocumulus
    Sep 20, 2010
    It would really have to be external... You could have something like nagios watch the pool status (Could be via traps, but they're not guaranteed, so you really want to poll as well to catch missing traps), and when it goes down, run a small script that uses an iControl call (In perl or whatever) to down the VS... Then when it comes back up, re-enable it...

     

     

    H