Forum Discussion

CraigM_17826's avatar
CraigM_17826
Icon for Altostratus rankAltostratus
Feb 20, 2014

Datagroup issues on multi partitioned BigIP

Hi,

 

We have run into a issue. Our cloud provider has provided us two partitions on a Experion BigIP. We use one partition for production work, the other is used for testing/development work, for argumnents sake lets call the paritions prod and dev.

 

The issue we have run into is this, if we have a datagroup of the same name in both partitions, for some reason the iRule code in the dev partition is accessing the datagroup in the prod partition. We basically use datagroups for IP whitelists on some of our VIPs. So what we discovered was the IP we were adding to the local datagroup to allow connections from a certain host were not working. Out of desperation for some reason we made the changes to the datagroup of the same name in the prod partition and the VIP started allowing connections from the new IP. To me this does not sound right, I would have thought any references to a datagroup (or any object for that matter) would always check the current partition first, yet this does not seem to be the case.

 

So, has anyone else run into this behavior? Do we need to prefix the datagroup references with the partition name or should we start ensuring all datagroup names are unique across all partitions. The later will be difficult because we are on a shared BigIP with other clients of the cloud provider so we won't be able to ensure our object names are unique.

 

If it helps, the version of LTM they are running is 11.3.0 Build 4144.0 with Hotfix HF8.

 

regards,

 

Craig

 

application delivery
devops
iRules
LTM

5 Replies

Sort By
  • CraigM_17826's avatar
    CraigM_17826
    Icon for Altostratus rankAltostratus
    Feb 20, 2014

    Hi all,

     

    Ok, just saw this which goes some way to explain some of the things we saw, but not exactly because we do not have any of our datagroups in common, but it seems too much of a coincidence. Will go ahead and make the iRule changes.

     

    From https://devcentral.f5.com/wiki/iRules.class.ashx

     

    **Note that starting in v11, any data-groups that are configured in a partition other than Common must be referenced by /Partition_Name/Data-Group_Name, even by iRules configured in that partition. Data-groups referenced only by name are implicitly presumed to be /Common/Data-Group_Name. **

     

    Craig

     

  • Kevin_Stewart's avatar
    Kevin_Stewart
    Icon for Employee rankEmployee
    Feb 20, 2014

    It doesn't initially appear to be an issue on 11.5. As an alternative though, you may want to explicitly declare the partition in your class command:

    [class match -value [IP::client_addr] equals /dev/ip_datagroup]
  • FHenskens's avatar
    FHenskens
    Icon for Nimbostratus rankNimbostratus
    Dec 08, 2017

    This did the trick. Is there a way of finding out your current partition in tcl to contextually prepend it?

     

  • boneyard's avatar
    boneyard
    Icon for MVP rankMVP
    Dec 10, 2017

    to get the partition name do this:

    set partition   [URI::path [virtual name]]