Forum Discussion
clone pool and port mirroring
I need to copy (mirror) all the port 80/443 traffic from the clients to the virtual server to an external appliance for analysis. Due to some limitations on using a tap or SPAN port on the switch side, I thought of using a clone pool on the F5 as a permanent solution.
Has anyone used this feature on the F5? Any drawbacks?
Thanks,
- The_Bhattman
Nimbostratus
There is one caveat: clone pools are not compatible with asymmetric routing. With port mirroring the traffic is not processed by the PVA ASIC or TMM. Only one port mirror instance can be configured on the BIG-IP system. That's pretty much what I know about this.
- Deb_Allen_18
Historic F5 Account
cmbhatt's comments are spot on, and many customers are successfully using the clone pool feature for exactly this purpose. I have not heard of any issues or complaints.
- Phillip_Blatzhe
Nimbostratus
So, can I do this?
- brad_11480
Nimbostratus
I know this thread is old, but it also seems to be one of only a few that talk about clone pools versus port spanning/mirroring. I have recently plowed through the clone pool feature as it met our needs for implementing an application performance package (Foglight) for traffic from selected virtual servers on our F5 LTM/Viprion hardware. The documentation is pretty weak and it took a little probing to get an understanding of how this works.
- pwoll_74049
Nimbostratus
We are also trying to set up a clone pool to use with the Foglight Experience Monitor appliance. Your post is very helpful. The appliance has two Ethernet interfaces. Eth1 has an IP address and is connected to a switch. Eth2 is not configured nor cabled. Foglight has indicated that eth2 must be used to receive the clone pool traffic. Could you clarify whether we need to configure eth2 with a new IP and cable it to get the clone pool working?
- Kevin_Stewart
Employee
While the clone pool doesn't change the source or destination IP of cloned traffic, it needs an IP to send the traffic to (via ARP/MAC address). So to define a clone pool you need an IP address, which in this case I'd assume is on the Foglight eth2 interface. So yes.
- brad_11480
Nimbostratus
Well, from what I remember, the Foglight doesn't allow you to set an address on the interface it is using for "snooping" traffic, and you don't need to do anything on the Foglight side. That interface is just pulling whatever traffic comes across it. On the F5 side, however, as Kevin indicated, you need an IP address and it uses that to ARP to get the MAC associated with it. Hence a problem when the Foglight doesn't do this. What we did was fool the F5 into thinking that there was a device out there, using a TMSH command to create the ARP entry. Here are my notes.

There are a number of things they don't tell you:

1. The clone pool needs to go out a different interface. It will basically change the MAC and send it to whatever interface that pool is on.
2. Most IPS systems tap and listen and don't present themselves as a device with an IP on that network. This makes it tough, as the F5 will go out with an ARP request to get the MAC associated with the IP of the clone pool member.
3. It doesn't matter what port is on the pool member. The clone sends all traffic as it is.
4. Create a self IP on that interface that allows traffic to route to its subnet.
5. Create a pool with members in that same subnet so they receive the traffic.
6. It probably has to be layer 2 away (no routers and such).

So what do you do when the clone member isn't a real device out there, since the IDS doesn't have an IP on that interface? You fool the F5 into thinking there is a device out there:

1. Define the pool member without a port and without a health monitor (it isn't really there, remember).
2. In TMSH, define an ARP entry for it with a dummy MAC. Example where 192.168.30.124 is the pool member defined:

    create net arp clonemac ip-address 192.168.30.124 mac-address 00:11:22:33:44:55

(Note this is done in TMSH as it is TMM that clones. Putting this on at the OS level won't pick up the ARP entry.)

The sample config statements were as follows. The network interface was defined for a VLAN named VLclone on physical network interface 1/1.4 of the F5/Viprion:

    ltm pool /Common/pool_clone_foglight {
        description "for Foglight IDS"
        members {
            /Common/192.168.30.124:0 {
                address 192.168.30.124
            }
        }
    }

and for the virtual servers using it, the 'clone' setting under Advanced is set:

    ltm virtual /Common/vs_webdev_http {
        clone-pools {
            /Common/pool_clone_foglight {
                context clientside
            }
            /Common/pool_clone_foglight {
                context serverside
            }
        }
    }

and also for the https service. (The Foglight will need the certificate key to decrypt the packets.)
- brad_11480
Nimbostratus
*dup*
- skye_85588
Nimbostratus
Regarding clone pools and devices that do not have an IP/MAC readily available to respond to ARP requests from BIG-IP:
It should be noted that for Foglight (or any other device where the device does not have an IP or it is not desirable to set one), in addition to the static ARP entry, an entry for the MAC will be necessary in the L2 Forwarding Database (FDB): sol6567: Maximum MAC addresses supported by various BIG-IP platforms | http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6567.html
I have not fully tested the behaviors across all versions but suspect it would be a likely requirement for all 10/11 versions of BIG-IP (please post any notable findings for others who may find this thread). I have requested that this information be shared in sol8573.
How to add fdb entries via tmsh
For now, I traced down some commands under 10.2.4 and 11.4.0; there are some subtle (but tricky) syntax differences in working with the FDB between these versions:

11.4.0:

    tmsh create net vlan my_vlan interfaces add { 1.10 }
    tmsh create net arp 10.10.10.123 { mac-address 00:11:33:55:77:88 }
    tmsh modify net fdb vlan my_vlan { records add { 0:11:33:55:77:88 { interface 1.10 } } }
    tmsh list net vlan my_vlan
    tmsh show net arp static
    tmsh list net fdb vlan my_vlan

Output:

    net vlan my_vlan {
        if-index 640
        interfaces {
            1.10 { }
        }
        tag 4093
    }
    Net::Arp
    Name                   Address        HWaddress
    /Common/10.10.10.123   10.10.10.123   0:11:33:55:77:88
    net fdb vlan my_vlan {
        records {
            00:11:33:55:77:88 {
                interface 1.10
            }
        }
    }

10.2.4:

    tmsh create net vlan my_vlan interfaces add { 1.4 }
    tmsh create net arp 10.10.10.123 { mac-address 00:11:33:55:77:88 }
    tmsh modify net fdb my_vlan { records add { 00:11:33:55:77:88 { interface 1.4 } } }
    tmsh list net vlan my_vlan
    tmsh show net arp static
    tmsh list net fdb my_vlan

Output:

    net vlan my_vlan {
        interfaces {
            1.4 { }
        }
        tag 4091
    }
    Net::Arp
    Address        HWaddress
    10.10.10.123   0:11:33:55:77:88
    net fdb my_vlan {
        records {
            0:11:33:55:77:88 {
                interface 1.4
            }
        }
    }
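Putting the two posts above together (brad_11480's six-step setup plus the static ARP entry, and skye_85588's version-dependent FDB syntax), here is the whole procedure as one generator of tmsh commands. This is an added example and not code from either poster or from F5. It only builds the command strings and checks the topology rule the thread stresses (the dummy member must sit in the self IP's subnet, because the clone is re-MACed and switched, never routed); the function names, the `create net self ... address ... allow-service none` form (assumed to be the 11.x syntax) and all sample values are assumptions, so run the output on a lab BIG-IP and confirm with `show net arp static` and `list net fdb` before trusting it.

```python
"""Generate tmsh commands for a BIG-IP clone pool feeding a passive, IP-less tap.

Added example (not from the thread or from F5).  Sample values are constructed.
"""
import ipaddress
import re

_MAC_RE = re.compile(r"^[0-9A-Fa-f]{1,2}(:[0-9A-Fa-f]{1,2}){5}$")


def normalize_mac(mac):
    """Return a MAC as six zero-padded lowercase octets, e.g. '00:11:33:55:77:88'.

    The thread shows tmsh printing '0:11:...' in one place and '00:11:...' in
    another; feeding one canonical form to both the ARP and FDB commands avoids
    an FDB record that does not match the static ARP entry.
    """
    mac = mac.strip()
    if not _MAC_RE.match(mac):
        raise ValueError("not a MAC address: %r" % mac)
    return ":".join("%02x" % int(octet, 16) for octet in mac.split(":"))


def clone_pool_commands(vlan, interface, self_ip_cidr, member_ip, member_mac,
                        pool, virtuals, version="11"):
    """Build the tmsh command list for a clone pool whose member is a passive tap.

    version: BIG-IP version string; '10.x' selects the old 'net fdb <vlan>'
    syntax, anything else the 'net fdb vlan <vlan>' form shown for 11.4.0.
    """
    self_if = ipaddress.ip_interface(self_ip_cidr)
    member = ipaddress.ip_address(member_ip)
    # Clone traffic is only re-MACed and sent out the VLAN's interface, so the
    # dummy member must be L2-adjacent: inside the self IP's subnet.
    if member not in self_if.network:
        raise ValueError("%s is not in %s; the clone member must be L2-adjacent"
                         % (member, self_if.network))
    if member == self_if.ip:
        raise ValueError("clone member must not be the BIG-IP self IP")
    mac = normalize_mac(member_mac)
    # FDB object path differs between 10.2.4 and 11.4.0 (see the thread).
    fdb_path = vlan if version.startswith("10") else "vlan %s" % vlan

    cmds = [
        # 1. Dedicated VLAN on the interface cabled to the appliance.
        "create net vlan %s interfaces add { %s }" % (vlan, interface),
        # 2. Self IP so TMM has a route onto that segment (assumed 11.x syntax);
        #    no services listen on it, since nothing legitimate should talk back.
        "create net self %s address %s vlan %s allow-service none"
        % (self_if.ip, self_if.with_prefixlen, vlan),
        # 3. Static ARP so TMM never has to resolve the IP-less appliance.
        "create net arp %s ip-address %s mac-address %s" % (member, member, mac),
        # 4. Static FDB record pinning the dummy MAC to the tap interface.
        "modify net fdb %s { records add { %s { interface %s } } }"
        % (fdb_path, mac, interface),
        # 5. Pool with port 0 (any) and no monitor: a passive tap never answers.
        "create ltm pool %s members add { %s:0 }" % (pool, member),
    ]
    # 6. Attach to each virtual on both sides, as in brad_11480's config,
    #    so requests and responses are both cloned.
    for vs in virtuals:
        for ctx in ("clientside", "serverside"):
            cmds.append("modify ltm virtual %s clone-pools add { %s { context %s } }"
                        % (vs, pool, ctx))
    # 7. Verification of the static entries.
    cmds += ["show net arp static", "list net fdb %s" % fdb_path]
    return cmds


if __name__ == "__main__":
    # Constructed sample values, not a real deployment.
    for line in clone_pool_commands("VLclone", "1/1.4", "192.168.30.1/24",
                                    "192.168.30.124", "00:11:22:33:44:55",
                                    "pool_clone_foglight",
                                    ["vs_webdev_http", "vs_webdev_https"],
                                    version="11.4.0"):
        print("tmsh " + line)
```

The subnet check is the part worth keeping even if you type the commands by hand: a member outside the self IP's subnet silently produces a clone pool that never delivers a packet, because TMM has no L2 path to it and a static ARP entry does not create one.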
- My understanding of the L2 FDB is that it is of use if and only if a VLAN has more than one physical interface and you wish to specify on which interface a MAC address is found. In your case, with a single physical interface in the VLAN, it is not necessary according to F5 documentation.

A weird message about static ARP entries here:

    /var/log/ltm.3.gz:Oct 27 13:22:12 device-name err mcpd[5694]: 01070596:3: An unexpected failure has occurred, Cannot create arp entry: 'legal arp here', 'someIP in rd65535 - create socket failed: No such file or directory - net/validation/routing.cpp, line 646, exiting...

Should I be worried? 11.2.1 HF6, a few random reboots lately.