Forum Discussion
Comex_17260
Nimbostratus
Feb 01, 2012
how to clone/mirror traffic of a "member"
Hello folks,
I searched for the word "clone" to see if a related subject is covered, but the search functionality of the forum does not seem to be working at all.
Right, here is my problem.
...
brad_11480
Nimbostratus
May 20, 2013
This is an interesting (and a bit old, but still relevant) discussion. From my brief encounter with clone in trying to set it up to have traffic from a virtual server cloned/duplicated to a capture system (Foglight), I ran into two things that just don't seem to be explained anywhere:
1. Why is there a port defined on the pool members? It doesn't seem that the packets are altered in any way, so it certainly isn't cloning the traffic and sending it all to that destination port. It seems to be simply putting the clone MAC address and routing them through TMM to whatever interface that would be. I defined port 0 (any port) but still think it really doesn't matter.
2. The pool member IP seems to serve only to resolve to a MAC address so that the F5 TMM will send it out the desired interface.
3. If the IDS (Foglight) probe interface doesn't present an IP address, the F5 won't be able to get a MAC address when it goes out to ARP for it (there won't be a reply to the who-has request). This was a huge mystery as to where the packets were going for a while. They actually weren't going anywhere, as the MAC wasn't available to clone the packets to. I implemented a workaround to get it out to a 'monitor' interface on the Viprion/VLAN where the IDS was attached directly (layer 2). I'm not familiar with IDS systems, so perhaps most provide a way for the listening interface to be configured with an IP. In this case I really don't need it as long as it will spill it out the interface for the IDS to 'sniff'. This was done via a TMOS command like:
create net arp clonemac ip-address mac-address 00:11:22:33:44:55
The MAC is a dummy address as well.
Is this a reasonable approach? Thanks!
