Clone Pool in AWS
I have recently been setting up a POC for using a Clone Pool to replicate traffic to an IDS device (in this case RSA's Netwitness/Security Analytics).
I have been using the below resources to set this up in my on-prem network.
https://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html
https://devcentral.f5.com/questions/clone-pool-and-port-mirroring
My end game, however, is to be able to clone traffic from our soon-to-be-commissioned LTM devices in AWS to our on-prem IDS device. My question is... is this possible? And if so, how? I'm not seeing how I would be able to use the methods listed in the above articles over a point-to-point (L3) link to AWS.
Thanks
2 Replies
- Peter_Stein_234
Nimbostratus
The problem with clone pools in AWS is that the packets generated by the clone pool retain the original source and destination IPs but have their MAC address changed in order to deliver the original data to a different layer 2 destination. Unfortunately (in my testing) the AWS fabric drops this traffic, probably because the security groups do stateful inspection and aren't fond of these out-of-state packets.
As a workaround I've attempted to create a GRE tunnel to the destination, as GRE traffic is passed by AWS (if specific caveats are met). However, since the decision to GRE-encapsulate traffic is based on the destination IP in the IP header, this traffic will not traverse the tunnel.
At least this has been my experience so far. I've not been able to get the native GRE tunnel to work in the virtual LTM and have been forced to use Linux OS GRE tunnels. TMM (I'm assuming) seems to ignore any manual ARP entries I put in to try to force this traffic in the correct direction.
I'm currently looking for other methods to span traffic but sadly it appears putting the IDS logically in line may be necessary.
- Peter_Stein_234
Nimbostratus
Update to this: it turns out that VPC doesn't drop this traffic for being out of state; it drops this traffic because "source/destination check" is turned on for the originating and arriving interfaces. We originally turned this off on the instances and still didn't see traffic pass; it turns out this flag needs to be disabled on the actual instance interface. We are now cloning traffic in AWS!
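The fix in the reply above is a per-interface setting, so it is worth auditing every ENI attached to the LTM and IDS instances rather than trusting the instance-level flag. The script below is an added example, not code from the original post or from F5 or AWS: it walks the `describe-network-interfaces` output (constructed sample data is embedded for offline use), reports each interface that still has `SourceDestCheck` enabled, and emits the `aws ec2 modify-network-interface-attribute --no-source-dest-check` command for it. The instance and ENI IDs in the sample are placeholders; running with `--apply` requires the AWS CLI and credentials for the VPC in question.

```python
import json
import subprocess
import sys

# Constructed sample of `aws ec2 describe-network-interfaces` output.
# IDs are placeholders, not real resources. The second ENI models the
# situation in the thread: the instance flag was cleared but a secondary
# interface (e.g. the LTM external interface) still has the check on.
SAMPLE_DESCRIBE_OUTPUT = json.dumps({
    "NetworkInterfaces": [
        {"NetworkInterfaceId": "eni-0000aaaa0000aaaa0",
         "SourceDestCheck": False,
         "Attachment": {"InstanceId": "i-0000ltm00000000001", "DeviceIndex": 0}},
        {"NetworkInterfaceId": "eni-0000bbbb0000bbbb0",
         "SourceDestCheck": True,
         "Attachment": {"InstanceId": "i-0000ltm00000000001", "DeviceIndex": 1}},
        {"NetworkInterfaceId": "eni-0000cccc0000cccc0",
         "SourceDestCheck": True,
         "Attachment": {"InstanceId": "i-0000ids00000000002", "DeviceIndex": 0}},
    ]
})


def interfaces_with_check_enabled(describe_json):
    """Return (eni_id, instance_id, device_index) for every ENI whose
    SourceDestCheck is still True in a describe-network-interfaces document."""
    doc = json.loads(describe_json)
    offenders = []
    for eni in doc.get("NetworkInterfaces", []):
        if eni.get("SourceDestCheck", True):
            att = eni.get("Attachment", {})
            offenders.append((eni["NetworkInterfaceId"],
                              att.get("InstanceId", "unattached"),
                              att.get("DeviceIndex")))
    return offenders


def fix_command(eni_id, region=None):
    """Build the AWS CLI command that clears the check on one ENI.
    This is the per-interface call the thread found necessary; the
    instance-level modify-instance-attribute was not sufficient."""
    cmd = ["aws", "ec2", "modify-network-interface-attribute",
           "--network-interface-id", eni_id, "--no-source-dest-check"]
    if region:
        cmd += ["--region", region]
    return cmd


def describe_for_instances(instance_ids, region=None):
    """Fetch ENIs attached to the given instances via the AWS CLI.
    Requires credentials; not used by the offline sample path."""
    cmd = ["aws", "ec2", "describe-network-interfaces", "--output", "json",
           "--filters", "Name=attachment.instance-id,Values=" + ",".join(instance_ids)]
    if region:
        cmd += ["--region", region]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout


def audit(describe_json, apply=False, region=None):
    """Report offending ENIs and optionally apply the fix. Returns the list
    of commands that were (or would be) run, so the caller can log them."""
    commands = []
    for eni_id, instance_id, idx in interfaces_with_check_enabled(describe_json):
        print(f"{eni_id} on {instance_id} (eth{idx}) still has source/dest check ON")
        cmd = fix_command(eni_id, region)
        commands.append(cmd)
        if apply:
            subprocess.run(cmd, check=True)
        else:
            print("  would run:", " ".join(cmd))
    return commands


if __name__ == "__main__":
    # Usage: python audit_sdc.py [--apply] [i-... i-...]
    args = [a for a in sys.argv[1:] if a != "--apply"]
    do_apply = "--apply" in sys.argv
    data = describe_for_instances(args) if args else SAMPLE_DESCRIBE_OUTPUT
    audit(data, apply=do_apply)
```

Without arguments the script runs against the embedded sample and prints the two interfaces that would still drop cloned packets; with instance IDs and `--apply` it performs the per-ENI change. Keep the output: turning off source/destination checking lets an interface emit and accept packets whose IPs are not its own, which is exactly what the clone pool needs, so the list of ENIs where it is disabled is worth recording alongside the IDS deployment.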