Forum Discussion
meena_60183
Nimbostratus
Jul 10, 2008
clone pool and port mirroring
Hi All,
I have a need where I need to copy (mirror) all the port 80/443 traffic from the clients to the virtual server to an external appliance for analysis. Due to some limitations on ...
brad_11480
Nimbostratus
Jun 05, 2013
I know this thread is old, but it also seems to be one of only a few that talk about clone pools versus port spanning/mirroring. I have recently plowed through the clone pool feature as it met our needs for implementing an application performance package (Foglight) for traffic from selected virtual servers on our F5 LTM/Viprion hardware. The documentation is pretty weak and it took a little probing to get an understanding of how this works.
Many IDS/IPS systems, packet monitors, and systems such as Foglight are passive and simply listen and capture packets that are on the 'wire'. They don't present an IP address and so it was a bit confusing as to how to setup the clone pool, which requires not only IP addresses but also port numbers.
What I found was that the port number means absolutely nothing. You can define it as all ports or just pick a port. You will get all traffic basically matching that of the virtual servers you set to have the traffic cloned.
The IP address is simply used as the tool for the F5 to go out and ARP to obtain a MAC address to stuff in the packets and send back out (via TMM) to whatever interface. For our situation, the only device on that interface was the monitoring device so I put a static ARP entry on the F5 guest to associate it with the interface. It now knows where to send the clone packets.
The packets that are cloned are left intact (except for the MAC address change to deliver it to the interface where the clone server pool is). This means that if the data is encrypted, it will remain encrypted, the source and destination IPs remain the same, etc. This was another question that the documentation didn't answer. Initially I thought it would be post SSL termination, but as I just indicated, the packets remain intact and are not altered. This means that if the data is encrypted it is cloned encrypted.
I haven't tried iRules with it yet and still have a question in an iRule as to how you specify if the traffic is server side or client side or both when you use the clone iRule. On the virtual server there are two settings: one to clone client side and one to clone server side. Perhaps it relates to what event it occurs in (server side or client side). It just isn't clear and may take a couple tries to figure out what traffic gets cloned.
It has worked well here and is providing a lot of flexibility on what traffic gets cloned/mirrored. Spanning the interface just wouldn't work well as it would have all traffic from the VLANs that are in the trunk, which is significantly greater than they wanted. This narrows it down to those virtual servers that they are working with.
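The setup described in the post above, written out as a tmsh configuration. This is an added example, not taken from the thread or from F5's documentation: the VLAN, self IP, pool, virtual server names, the interface number 1.3, the 192.0.2.x addresses and the MAC address are all assumptions chosen for illustration. It also assumes the clone pool member sits on a VLAN that BIG-IP is directly connected to (hence the self IP), so that TMM resolves the member by ARP instead of routing the copies to a default gateway, and that the passive appliance is the only device cabled to that interface.

```tmsh
# Added example (not from the original thread). All names, addresses, the
# interface number and the MAC address below are assumptions for illustration.

# 1. A dedicated VLAN for the tap port, plus a self IP on it. The self IP gives
#    TMM a directly connected network to ARP on for the clone pool member;
#    allow-service none keeps the self IP from accepting any traffic itself.
create net vlan vlan_clone interfaces add { 1.3 { untagged } }
create net self 192.0.2.1 address 192.0.2.1/24 vlan vlan_clone allow-service none

# 2. The clone pool. The member address does not belong to a real host; it only
#    exists so TMM has something to ARP for and a destination MAC to rewrite
#    into the copied frames. The port is irrelevant (any), and no health monitor
#    is attached because nothing would answer one.
create ltm pool pool_clone_foglight members add { 192.0.2.2:any }

# 3. Static ARP entry for the phantom member, pointing at the appliance's NIC.
#    With this in place the copies leave interface 1.3 with this destination MAC
#    and otherwise unchanged IP headers and payload.
create net arp arp_foglight ip-address 192.0.2.2 mac-address 00:50:56:ab:cd:ef

# 4. Attach the clone pool only to the virtual servers of interest. Context
#    clientside copies the client<->BIG-IP flow (still TLS on a 443 virtual);
#    context serverside copies what BIG-IP sends to the real pool member, which
#    is the decrypted stream if the virtual server terminates TLS.
modify ltm virtual vs_app_80  clone-pools add { pool_clone_foglight { context clientside } }
modify ltm virtual vs_app_443 clone-pools add { pool_clone_foglight { context clientside } }

# 5. Check the result: the ARP entry should be present and the attachment
#    visible on the virtual server, after which the appliance should see copies
#    of traffic hitting those two virtual servers only.
show net arp arp_foglight
list ltm virtual vs_app_443 clone-pools
save sys config
```

Switch the context to serverside (or add a second entry with that context) when the analysis tool needs the decrypted stream of a TLS-terminating virtual server; with only the clientside copy, a 443 virtual server delivers ciphertext to the appliance, exactly as the post reports.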
pwoll_74049
Nimbostratus
May 05, 2014
We are also trying to setup a clone pool to use with the Foglight Experience Monitor appliance. Your post is very helpful. The appliance has two Ethernet interfaces. Eth1 has an IP address and is connected to a switch. Eth2 is not configured nor cabled. Foglight has indicated that eth2 must be used to receive the clone pool traffic. Could you clarify whether we need to configure eth2 with a new IP and cable it to get the clone pool working?