Forum Discussion

What_Lies_Bene1's avatar
What_Lies_Bene1
Icon for Cirrostratus rankCirrostratus
May 13, 2014

TCP Traffic Path Diagram

Hi all,

 

It's bugged me ever since I looked at the ADF exam blueprint that there still wasn't a definitive document or diagram available that described or showed the TCP Traffic Path and Order of Operations of a packet passing through an F5. I'm aware of the BigIP Path Graph v1.7 from Red Education but that's five years old and hasn't been subject to any review. To that end I've recently started my own as you can see below.

 

Comments and more importantly corrections or queries are encouraged. Note as it stands I've not added many iRule events as I'd like to get the flow and order sorted first. I'm pretty sure what I've done is mostly correct but I'd love some review before I continue and finish off the server side operations. Many thanks in advance. You may need to right-click, open image/in new tab to see it full size.

 

 

New version - December 2015:

 

 

advanced firewall manager
application delivery
devops
iRules
LTM

49 Replies

Show More
  • Karim_Benyello1's avatar
    Karim_Benyello1
    Icon for Cirrus rankCirrus
    Aug 09, 2017

    Hello,

     

    I just wanted to say that the FLOW_INIT is triggered after packet filter. It was well represented in version 0.1 however in version 0.5 the "Packet filter on VLAN" was moved down below "AFM/TMM Processing begins" .

     

    Could you please explain why you made such a modification ?

     

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Aug 22, 2017

      are you really sure Karim? logically i would say that FLOW_INIT doesnt trigger if a packet filter already has blocked the connection to start with.

       

      this is where What Lies Beneath determined the situation i believe: https://devcentral.f5.com/questions/the-flow_init-event-and-event-order

       

      if i test this and block traffic with a packet filter i don't get a FLOW_INIT event, if i remove the packet filter i get it, tells me the diagram is ok.

       

    • Karim_Benyello1's avatar
      Karim_Benyello1
      Icon for Cirrus rankCirrus
      Aug 26, 2017

      boneyard, We are saying the same thing: If the packet filter blocks the packet we'll not get the flow init event.

       

      However, the diagram v0.5, the flow_init box is represented before the packet filter box. Which seems to say that whether we're blocked or not by packet filter we always get the flow init event (which I think is incorrect)

       

      You can see that in v0.1 of the diagram, the flow_init box was set after the packet filter box, which make more sens for me.

       

      Thanks,

       

    • boneyard's avatar
      boneyard
      Icon for MVP rankMVP
      Aug 28, 2017

      ah now i see it, i didn't notice the two pictures. well we touched the question a few times, perhaps Steven will pop up and explain :)

       

  • Carlande_Desarm's avatar
    Carlande_Desarm
    Icon for Nimbostratus rankNimbostratus
    Jan 12, 2018

    Hello all,

     

    • anyone has a comment when it comes to NFVS vs VS? what is the precedence order for VS, NAT, SNAT, NFVS please?

       

    • also, somewhere in the documentations it is said that SNAT is preferred over NAT and somewhere else it mentions reversely that NAT is preferred over SNAT... like in this article: https://support.f5.com/csp/article/K9038

       

    Please help clarifying the correct statement for these 2 points. Thanks.