Forum Discussion
Observing unexpected VLAN traffic on F5OS TMOS Tenant
I noticed, running a TMOS (17.1.3) based tenant on an F5OS (1.7) appliance (R4800), that I was receiving traffic from an unattached VLAN.
It was first observed while investigating something else, when I happened to run 'pcacp -ni 0.0' (within the TMOS tenant shell).
I confirmed the unexpected frames still carried the correct VLAN tag number (one that was not attached/assigned to this tenant).
I'm curious if anyone else has seen this, and whether it is expected (that L2 traffic would be seen that does not belong to a tenant). This is running on an R4000 series appliance. Both the expected VLANs and the unexpected VLANs share the same LACP bond (2x 10G) to the network in the F5OS layer. I would expect this is a bug; otherwise why even have the 'VLAN' assignment section in the tenant configuration?
I am curious, though, whether this may just be a side effect of the NIC driver / 'pcacp' running in a VM-on-container environment, which is what F5OS with TMOS is.
Curious if anyone else has run into this.
The way I read this documentation, this probably shouldn't be happening:
https://clouddocs.f5.com/training/community/rseries-training/html/rseries_networking.html
- zamroni777 (Nacreous)
The above doc mentions that the r4000 series shares the network adapter using SR-IOV.
Probably the host F5OS doesn't disable promiscuous mode, which causes traffic of other VLANs to be captured by that particular tenant.
- MJ_1024 (Altocumulus)
I think you are correct.
This link also goes into some of the extra shared information on the r2000 and r4000 platforms, and how more interface-level visibility is seen due to the platform design:
https://clouddocs.f5.com/training/community/rseries-training/html/rseries_inside_the_tenant.html
What I don't see anywhere in the document is a warning/note about additional traffic isolation considerations on these platforms.
My next step is to actually test if traffic can be generated / processed incorrectly on a Tenant.
It's one thing to 'see' someone else's VLAN traffic; it is much worse if a tenant can be re-configured to communicate on a VLAN it should not be part of.
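The check the thread describes (capture on the tenant, then confirm the VLAN tag in each unexpected frame is one the tenant was never assigned) is easy to automate. The script below is an added example, not code from the thread or from F5: it parses Ethernet II headers with stacked 802.1Q/802.1ad tags and reports every outer VLAN ID that is not in the tenant's assigned set, with the indexes of the frames carrying it. The sample frames and the assigned VLAN set (100 and 200) are constructed for the example; on a real tenant you would feed it frames read from a pcap written by tcpdump (a pcap reader is assumed and not included here). Note that this only proves the tenant can receive frames for other VLANs; whether it can transmit on them is the separate send test the post above proposes, and this script does not attempt it.

```python
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Tag protocol identifiers: 802.1Q (customer tag) and 802.1ad (service tag, QinQ).
TPID_8021Q = 0x8100
TPID_8021AD = 0x88A8


@dataclass
class Frame:
    dst: str
    src: str
    vlan_ids: List[int] = field(default_factory=list)  # outer tag first; empty if untagged
    ethertype: int = 0  # ethertype of the payload after any tags


def _mac(b: bytes) -> str:
    return ":".join(f"{x:02x}" for x in b)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II header plus any stacked 802.1Q/802.1ad tags."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src = raw[0:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    offset = 14
    vlan_ids: List[int] = []
    # Each tag is TCI (2 bytes) followed by the next ethertype/TPID (2 bytes).
    while ethertype in (TPID_8021Q, TPID_8021AD):
        if len(raw) < offset + 4:
            raise ValueError("truncated VLAN tag")
        tci, ethertype = struct.unpack("!HH", raw[offset:offset + 4])
        vlan_ids.append(tci & 0x0FFF)  # low 12 bits of the TCI are the VID
        offset += 4
    return Frame(_mac(dst), _mac(src), vlan_ids, ethertype)


def build_frame(dst: str, src: str, vlan_ids: List[int], ethertype: int, payload: bytes) -> bytes:
    """Build a (possibly QinQ-tagged) frame. Used only to construct sample input."""
    out = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    for i, vid in enumerate(vlan_ids):
        # Outer tag of a double-tagged frame uses the 802.1ad TPID, inner uses 802.1Q.
        tpid = TPID_8021AD if (len(vlan_ids) > 1 and i == 0) else TPID_8021Q
        out += struct.pack("!HH", tpid, vid & 0x0FFF)
    return out + struct.pack("!H", ethertype) + payload


def find_unassigned_vlans(frames: List[Frame], assigned: Set[int]) -> Dict[int, List[int]]:
    """Map each outer VID not in `assigned` to the indexes of the frames carrying it."""
    leaks: Dict[int, List[int]] = {}
    for idx, f in enumerate(frames):
        if not f.vlan_ids:
            continue  # untagged frames are out of scope for a VLAN-assignment check
        outer = f.vlan_ids[0]
        if outer not in assigned:
            leaks.setdefault(outer, []).append(idx)
    return leaks


def audit(raw_frames: List[bytes], assigned: Set[int]) -> Dict[int, List[int]]:
    return find_unassigned_vlans([parse_frame(r) for r in raw_frames], assigned)


# Constructed sample "capture" (assumption: this tenant is assigned VLANs 100 and 200 only).
ASSIGNED_VLANS = {100, 200}
IPV4, ARP = 0x0800, 0x0806
SAMPLE_FRAMES = [
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [100], IPV4, b"\x45" + b"\x00" * 19),
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [200], ARP, b"\x00" * 28),
    build_frame("ff:ff:ff:ff:ff:ff", "66:77:88:99:aa:cc", [300], ARP, b"\x00" * 28),  # VLAN 300: not assigned
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:bb", [], IPV4, b"\x45" + b"\x00" * 19),  # untagged
    build_frame("00:11:22:33:44:55", "66:77:88:99:aa:dd", [300, 50], IPV4, b"\x45" + b"\x00" * 19),  # QinQ, outer 300
]

if __name__ == "__main__":
    for vid, idxs in sorted(audit(SAMPLE_FRAMES, ASSIGNED_VLANS).items()):
        print(f"VLAN {vid} is not assigned to this tenant but appears in frames {idxs}")
```

The outer tag is what is compared against the tenant's assignment, since that is the tag the F5OS layer would be expected to filter on; the inner VID of a QinQ frame is kept in `vlan_ids` for reporting but does not change the verdict. If you capture on a plain Linux NIC, keep in mind that tcpdump puts the interface into promiscuous mode by default; whether that setting has any effect on the TMM-backed 0.0 interface inside a TMOS tenant is not something this example can answer.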