UDP packet duplication and send them to 2 different pools

djzoidberg
Nimbostratus

Hello everyone,

I have a VIP that is receiving all syslogs of a customer's firewalls. (more or less 350 devices)

 

The customer needs an exact copy of each message sent to another pool as well.

    [SYSLOG MESSAGE]--[POOL 1]--[MEMBER 1 A]
           |                   |-[MEMBER 2 A]
           |                   '-[MEMBER 3 A]
           |
    [CLONED MESSAGE]--[POOL 2]--[MEMBER 1 B]
                               '-[MEMBER 2 B]

 

Do you have any suggestions on how to obtain this behaviour?

 

Thanks in advance,

Regards.

 

EDIT 1

I've tested HSL, but it starts each connection from TMM and it is not possible to change the source IP address to preserve the original IP.

    when CLIENT_ACCEPTED {
        # One HSL handle per target pool; HSL sources the datagrams from TMM,
        # so the receivers see a BIG-IP self IP, not the firewall's address
        set syslog_pool1 [HSL::open -proto UDP -pool pool_1]
        set syslog_pool2 [HSL::open -proto UDP -pool pool_2]
    }

    when CLIENT_DATA {
        # Send the unmodified datagram payload to both pools
        HSL::send $syslog_pool1 [UDP::payload]
        HSL::send $syslog_pool2 [UDP::payload]
    }

 

4 REPLIES

Hello,

 

Maybe clone pools might work for you. The idea is to use them for sending traffic to an IDS, but I think they could satisfy your requirement too.

 

K13392: Configuring the BIG-IP system to send traffic to an intrusion detection system (11.x - 15.x)

 

But honestly I don't have a lot of experience with clone pools, so this is sort of a shot in the dark.

 

KR

Daniel

Hello Daniel,

thank you for answering.

 

I think that it is not the right way. Clone pools change the destination MAC address and not the destination IP address. Other than that, I also have to balance the traffic on the second pool.

I also think that the clone pools Daniel mentions are the option that should be tested. You can also check using iRules to do the same with the clone command: https://clouddocs.f5.com/api/irules/clone.html . You can also check this article on SPAN mirroring: https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-system-passive-monitoring-14-0-0/configuring-the-big-ip-system-for-passive-monitoring.html

webguy96
Nimbostratus

These steps might help. I have not validated the client-IP replace logic, but I can tell you that sending the raw [UDP::payload] works fine in our testing.

Be sure to match up whatever you decide to use for your Log Publisher name to the reference within the iRule.

 

1) Create a single pool containing all members that need the duplicated syslog data

Ex: syslog_pool

Members:

10.10.0.100:514

10.10.0.101:514

2) Create a new HSL Log Destination

a) Select your pool from step 1

b) Select 'UDP' for the protocol

c) Change distribution type from 'adaptive' to 'replicated'

 

3) Create a new HSL Log Publisher entitled 'syslog_publisher'

a) Select the HSL Log Destination from step 2

 

4) Create a new iRule that will handle the inbound traffic

    when CLIENT_ACCEPTED {
        # One HSL handle per UDP flow; the publisher fans the message out
        # to every member of the replicated destination
        set hsl [HSL::open -publisher /Common/syslog_publisher]
    }

    when CLIENT_DATA {
        # Compute these per datagram (not once per flow in CLIENT_ACCEPTED),
        # since each message has its own length
        set payloadLength [UDP::payload length]
        set address [IP::client_addr]

        # Append the original client address to the end of the datagram
        # (offset = current length, replace 0 bytes), then forward the
        # rewritten payload. The replace must be a command, not a quoted
        # string, or the literal text "UDP::payload replace ..." is sent.
        UDP::payload replace $payloadLength 0 $address
        HSL::send $hsl [UDP::payload]
    }

5) Create a standard virtual server

a) Assign the appropriate IP and Service Port

b) Select UDP Protocol

c) Select UDP Profile

d) Assign the iRule from step 4
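The five steps above as one loadable configuration. This is an added example and not webguy96's or F5's own configuration; it also goes one step beyond the single replicated pool in the steps to match the layout in the original question: one HSL destination per pool (distribution balanced, so messages are load balanced inside each pool) and one publisher holding both destinations, so every datagram is copied to both pools. Every name and address here (pool_1, pool_2, hsl_pool_1, hsl_pool_2, syslog_publisher, syslog_replicate, the 10.10.x.x addresses) is an assumption for illustration.

```tmsh
# Added example (not from the thread). Load with:
#   tmsh load sys config merge from-terminal
# then paste and finish with Ctrl-D. All names and addresses are assumed.

ltm pool /Common/pool_1 {
    members {
        /Common/10.10.1.11:514 {
            address 10.10.1.11
        }
        /Common/10.10.1.12:514 {
            address 10.10.1.12
        }
        /Common/10.10.1.13:514 {
            address 10.10.1.13
        }
    }
    monitor /Common/gateway_icmp
}
ltm pool /Common/pool_2 {
    members {
        /Common/10.10.2.11:514 {
            address 10.10.2.11
        }
        /Common/10.10.2.12:514 {
            address 10.10.2.12
        }
    }
    monitor /Common/gateway_icmp
}

# One HSL destination per pool. "balanced" round-robins across the pool
# members; use "replicated" instead if every member must get every message.
sys log-config destination remote-high-speed-log /Common/hsl_pool_1 {
    distribution balanced
    pool-name /Common/pool_1
    protocol udp
}
sys log-config destination remote-high-speed-log /Common/hsl_pool_2 {
    distribution balanced
    pool-name /Common/pool_2
    protocol udp
}

# A publisher sends each message to all of its destinations: this is what
# produces the copy for the second pool.
sys log-config publisher /Common/syslog_publisher {
    destinations {
        /Common/hsl_pool_1 { }
        /Common/hsl_pool_2 { }
    }
}

ltm rule /Common/syslog_replicate {
when CLIENT_ACCEPTED {
    # One handle per UDP flow; the publisher does the fan-out
    set hsl [HSL::open -publisher /Common/syslog_publisher]
}
when CLIENT_DATA {
    # Forward the datagram payload unchanged, then drop the original:
    # the HSL copies are the only output, the virtual has no default pool
    HSL::send $hsl [UDP::payload]
    UDP::drop
}
}

ltm virtual /Common/vs_syslog_514 {
    destination /Common/10.10.0.10:514
    ip-protocol udp
    mask 255.255.255.255
    profiles {
        /Common/udp { }
    }
    rules {
        /Common/syslog_replicate
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
```

Two checks before relying on this in production. First, as the original question's EDIT 1 notes, HSL sends from a TMM self IP, so the receivers in both pools see the BIG-IP's address as the UDP source, not the firewall's; the firewall identity has to come from the syslog message body (hostname field) or from prepending [IP::client_addr] in the iRule as webguy96 attempts. Second, the publisher's destinations are sent in parallel; a member that goes down in pool_2 does not affect delivery to pool_1, but with "balanced" distribution a message sent to a failed member before the monitor marks it down is lost, since UDP gives no feedback.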