Hello,

I have more network device that send their logs to 1 pool of syslog servers through standard VS.

I want to duplicate this traffic to 3 other pools. I wonder if this is possible via an iRule?

Thanks.

@cpt_ri_F5 Why not balance to all pool members in all the pools?

because I then want to separate the logs according to the role of the device in order to process them using different tools (monitor, SOC, ...). And the new pools contain my own syslog servers with their own rules.

@cpt_ri_F5 By this I mean if you had pool_1, pool_2, and pool_3 each with 2 pool members and you wanted to send the same traffic to all of them then why not just take the 6 pool members and add them all to one pool? This would accomplish your task of balancing to each pool member with the exception that instead of balancing to 1 pool member in each pool simultaniously you would only balance traffic to one pool member for each connection, depending on your load balancing method and various other configuration options. After it's all said and done, I do not believe you can balance to multiple pools simultaniously for 1 connection but if it was three unique connections with the same information then I suppose you could split it to multiple pools based on application information such as, source IP, destination IP, HTTP header information, and various other fields using an iRule.

Hello @Paulius,

existing traffic is not duplicate to all members of the existing pool.

=> I am interested if you manage to send the same traffic to all members of the pools 🙂

"After it's all said and done, I do not believe you can balance to multiple pools simultaniously for 1 connection "

=> no balance, but duplicate !

Thank you.

Hello @whisperer,

"you can attach multiple to the same VS." => How?

• An unlimited number of clone pools can be configured on the BIG-IP system

=> unlimited on the BIG-IP, not on the VS ! possible in client-side and server-side !

+ Interface mirroring is not supported on my platform:

• BIG-IP 2000s
• BIG-IP 2200s
• BIG-IP 4000s
• BIG-IP 4200v

You need to use TMSH to add clone pools:

tmsh modify /ltm virtual <virtual_name> clone-pools add { <pool_name> {context clientside | serverside } }

Hello @whisperer, thanks for your feedback,

But I have 2 questions:
1- is "Interface mirroring" mandatory to make the clone?
2- I do not want to colone all traffic to pool 1, 2, 3, I want to filter against the customer ip, possible to do an iRule, without impacting the original pool ?

TMSH : 
...
    clone-pools {
        pool-01 {
            context serverside
        }
        pool-02 {
            context serverside
        }
        pool-03 {
            context serverside
        }
    }
	...
	pool original-pool
...

Thank you.

Both clone pools and interface mirroring (which are different things and dont need to be configurered at the same time) dont give you the option to handle the server side differently for different destination. They are ways to take the traffic and send it to multiple destination at the same time.

I understand your request and might have a similar one soon.

This might be a way to go, do the clone pool from an iRule in which you look at the destination IP

https://clouddocs.f5.com/api/irules/clone.html

And to repeat, you don't need traffic mirror to do cloning.

Hello @boneyard,

That's exactly what I'm looking for, I'll try to set it up, thank you very much.

Good luck, if it turns out to be the solution please flag the question as answered.

Hello @boneyard 

I tried but unfortunately the clone (even with one pool-clone) does not work!

- test directly on the virtual server
- test via irule

each time I only receive traffic on the default pool

maybe does not work with a VS UDP?

yeah, that might make sense. where are your clone pool members, are they L2 connected or pass a L3 hop?

Hello @boneyard 

L3, in same subnet than default pool.

yeah, that isn't going to work. it is in the article, though it cost me some other articles to really get it.

Clone pool traffic is sent from the BIG-IP system to the IDS system (clone pool member) using the IDS system's L2 MAC address. 

Other packet header information contained in the clone pool traffic, such as the L3 addressing, remains the same as in the original packet sent to the virtual server pool member.

clone pools are for devices L2 connected and they also don't change the destination IP. So this won't work im afraid.

someone encounters the same here and solved it somewhat:

https://community.f5.com/t5/technical-forum/clone-pool-by-client-ip-not-working/td-p/153166

Thank you @boneyard 

Sorry, I don't understand, should I add the MACs of the servers in BIG-IP? or the servers must be connected in L2?

Moreover, for a large volume of logs, an iRule with CLIENT_DATA will not pose a performance problem?

I check the HLS runway...

Thanks.

---

@cpt_ri_F5 wrote:

Sorry, I don't understand, should I add the MACs of the servers in BIG-IP? or the servers must be connected in L2?

---

Must be connect L2. But also be able to accept a different destination IP then itself. As the article mentions it is meant for IDS like systems.

The effect on CPU is always difficult to predict. One way to find out, try and if possible with limited traffic and out of business hours.