UDP TCP Packet Duplication
Problem this snippet solves: This iApp provides full configuration of UDP/TCP packet duplication. It is commonly used to duplicate Syslog, SNMP Traps, Netflow, and Sflow data streams to multiple ven...
Published Mar 11, 2015
Version 1.0
Ken_Bocchino_49
Historic F5 Account
Joined September 23, 2009
Ryan77777 (Altocumulus), Oct 26, 2018
I took Ken's excellent work and made it work for my particular use case. Sharing here in case it helps somebody else.
I un-iApp-ified it, added route domain support, fixed the pool problem, and it works great on 13.1 for me.
- Create two VIPs
- Create a datagroup (nf_destinations.dg) and add the IPs you want to send netflow/syslog to, with the IP as the string and the port as the value
- Create a pool (nf_distribute.pool) that has the distribute VIP as a member
- Create a UDP profile and assign it to both VIPs (collector and distributor); set immediate timeout and enable datagram LB
- Create two iRules, and assign them to the VIPs accordingly
nf_collector.irule

    # Acquire UDP Netflow packet from collector and distribute
    when CLIENT_ACCEPTED {
        # Get source IP and break it out into variables
        scan [IP::client_addr] %d.%d.%d.%d a b c d
        # Insert a 264-byte placeholder (4 shorts + 256-byte string) at the front of the UDP datagram for our source/dest embed
        UDP::payload replace 0 0 [binary format ssssa256 255 255 255 255 [string repeat "~" 256]]
        # Open the HSL side-channel to the distribute pool
        set hsl [HSL::open -proto UDP -pool nf_distribute.pool]
        # Iterate over Netflow destinations (via the established datagroup)
        set id [class startsearch nf_destinations.dg]
        while { [class anymore nf_destinations.dg $id] } {
            set destinationelement [class nextelement nf_destinations.dg $id]
            set destination [lindex $destinationelement 0]
            # Pad the destination IP with "~" to exactly 256 bytes
            set destinationwithpad "$destination[string repeat "~" [expr {256 - [string length $destination]}]]"
            # Overwrite the placeholder with source/dest and send the whole datagram to the side-channel
            UDP::payload replace 0 264 [binary format ssssa256 $a $b $c $d $destinationwithpad]
            HSL::send $hsl "[UDP::payload]"
            # Uncomment to help debug the collector
            # log local0. "\[NF_COLLECTOR\] :: $destinationwithpad"
        }
        # Drop the packet... no longer needed
        discard
    }
nf_distribute.irule

    # Acquire UDP Netflow packet from collector and distribute
    when CLIENT_ACCEPTED {
        # Get the embedded source/dest information from the UDP payload and assign it to variables
        binary scan [UDP::payload] ssssa256a* a b c d destinationwithpad data
        # Assign destination (and remove the "~" padding)
        set destination [findstr $destinationwithpad "" 0 "~"]
        # Source NAT the packet so it comes from the original source -- add %route_domain after $d if you need route domain support
        snat "$a.$b.$c.$d"
        # Remove the embedded source/dest information from the UDP payload, leaving only the original data
        UDP::payload replace 0 [UDP::payload length] $data
        # Send to the embedded node (add %route_domain after $destination if you need route domain support and did not include it in the datagroup)
        node $destination:9996
        # Uncomment to help debug the distributor
        # log local0. "\[NF_DISTRIBUTOR\] :: $a.$b.$c.$d \-\-\> $destination 9996"
    }
Boom. Netflow Replicator without paying 20k for a replication VM.
To be determined if this is resource-prohibitive however...
Edit: to clean up bad iRule formatting. LZ
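The 264-byte envelope that the two iRules above pass between the collector and distributor VIPs, modelled in Python as an added example (not code from the post or from F5): `build_envelope` does what the collector's `binary format ssssa256` does, and `parse_envelope` does what the distributor's `binary scan` plus `findstr` terminator does, with a length and IPv4 check added so that a malformed envelope is rejected instead of driving `snat`/`node`. Function names, the sample NetFlow bytes and the 10.x/192.0.2.x addresses are constructed for the example.

```python
import ipaddress
import struct

# Tcl "ssssa256": four little-endian 16-bit ints (the source IPv4 octets)
# followed by the destination IP padded with "~" to exactly 256 bytes.
HEADER_FMT = "<4h256s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 264, matching "replace 0 264"
PAD = b"~"


def build_envelope(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Collector side: prepend the source/dest header to the original datagram."""
    octets = [int(o) for o in src_ip.split(".")]
    dst = dst_ip.encode("ascii")
    if len(dst) > 256:
        raise ValueError("destination does not fit the a256 field")
    padded = dst + PAD * (256 - len(dst))
    return struct.pack(HEADER_FMT, *octets, padded) + payload


def parse_envelope(datagram: bytes):
    """Distributor side: return (src_ip, dst_ip, original_payload).

    The distributor SNATs to src_ip and forwards to dst_ip, so both are
    validated here; a short or garbled envelope raises ValueError.
    """
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than the 264-byte envelope header")
    a, b, c, d, padded = struct.unpack(HEADER_FMT, datagram[:HEADER_LEN])
    dst = padded.split(PAD, 1)[0].decode("ascii")  # findstr ... "~" terminator
    src_ip = f"{a}.{b}.{c}.{d}"
    ipaddress.IPv4Address(src_ip)  # raises (a ValueError subclass) if not IPv4
    ipaddress.IPv4Address(dst)
    return src_ip, dst, datagram[HEADER_LEN:]


if __name__ == "__main__":
    # Constructed sample: a NetFlow v9 header fragment (version=9, count=1).
    sample = b"\x00\x09\x00\x01"
    env = build_envelope("10.1.2.3", "192.0.2.50", sample)
    print(len(env), parse_envelope(env))
```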