For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

meena_60183's avatar
meena_60183
Icon for Nimbostratus rankNimbostratus
Jul 10, 2008

clone pool and port mirroring

Hi All,     I have a need where I need to copy (mirror) all the port 80/443 traffic from the clients to the virtual server to an external appliance for analysis. Due to some limitations on ...
config
design
skye_85588's avatar
skye_85588
Icon for Nimbostratus rankNimbostratus
Oct 21, 2013

Regarding Clone Pools and devices that do not have an IP/MAC readily available to respond to ARP requests from BIGIP:

It should be noted that for Foglight (or any other device where the device does not have an IP or it is not desirable to set one), in addition to the static ARP entry, an entry for the MAC will be necessary in the L2 Forwarding Database (FDB): sol6567: Maximum MAC addresses supported by various BIG-IP platforms | http://support.f5.com/kb/en-us/solutions/public/6000/500/sol6567.html

I have not fully tested the behaviors across all versions but suspect it would be a likely requirement for all 10/11 versions of BIGIP (please post any notable findings for others who may find this thread). I have requested that this information be shared in sol8573.

How to add fdb entries via tmsh

For now, I traced down some commands under 10.2.4 and 11.4.0; there are some subtle (but tricky syntax) differences in working with the fdb between these versions:

11.4.0:

tmsh create net vlan my_vlan interfaces add { 1.10 };tmsh create net arp 10.10.10.123 { mac-address 00:11:33:55:77:88 };tmsh modify net fdb vlan my_vlan { records add { 0:11:33:55:77:88 { interface 1.10 } } };tmsh list net vlan my_vlan; tmsh show net arp static;tmsh list net fdb vlan my_vlan

net vlan my_vlan {
    if-index 640
    interfaces {
        1.10 { }
    }
    tag 4093

Net::Arp

Name                  Address       HWaddress
/Common/10.10.10.123  10.10.10.123  0:11:33:55:77:88

net fdb vlan my_vlan {
    records {
        00:11:33:55:77:88 {
            interface 1.10
        }
    }
}

10.2.4:

tmsh create net vlan my_vlan interfaces add { 1.4 };tmsh create net arp 10.10.10.123 { mac-address 00:11:33:55:77:88 };tmsh modify net fdb my_vlan { records add { 00:11:33:55:77:88 { interface 1.4 } } };tmsh list net vlan my_vlan; tmsh show net arp static;tmsh list net fdb my_vlan

net vlan my_vlan {
    interfaces {
        1.4 { }
    }
    tag 4091
}

Net::Arp
Address       HWaddress

10.10.10.123  0:11:33:55:77:88

net fdb my_vlan {
    records {
        0:11:33:55:77:88 {
            interface 1.4
        }
    }
}
  • pmaupard_72733's avatar
    pmaupard_72733
    Oct 30, 2013
    my understanding of the L2 FDB is that it is of use if and only if a vlan a more than one physical interface and you wish to specify on which interface a mac address is found. In you case with a single physical interface in the vlan, it is not necessary according to F5 documentation. A weird message about static arp entries here : /var/log/ltm.3.gz:Oct 27 13:22:12 device-name err mcpd[5694]: 01070596:3: An unexpected failure has occurred, Cannot create arp entry: 'legal arp here', 'someIP in rd65535 - create socket failed: No such file or directory - net/validation/routing.cpp, line 646, exiting... should I be worried? 11.2.1HF6, a few random reboots lately..