Learn F5 Technologies, Get Answers & Share Community Solutions Join DevCentral

Filter by:
  • Solution
  • Technology
Answers

Datagroup issues on multi partitioned BigIP

Hi,

We have run into a issue. Our cloud provider has provided us two partitions on a Experion BigIP. We use one partition for production work, the other is used for testing/development work, for argumnents sake lets call the paritions prod and dev.

The issue we have run into is this, if we have a datagroup of the same name in both partitions, for some reason the iRule code in the dev partition is accessing the datagroup in the prod partition. We basically use datagroups for IP whitelists on some of our VIPs. So what we discovered was the IP we were adding to the local datagroup to allow connections from a certain host were not working. Out of desperation for some reason we made the changes to the datagroup of the same name in the prod partition and the VIP started allowing connections from the new IP. To me this does not sound right, I would have thought any references to a datagroup (or any object for that matter) would always check the current partition first, yet this does not seem to be the case.

So, has anyone else run into this behavior? Do we need to prefix the datagroup references with the partition name or should we start ensuring all datagroup names are unique across all partitions. The later will be difficult because we are on a shared BigIP with other clients of the cloud provider so we won't be able to ensure our object names are unique.

If it helps, the version of LTM they are running is 11.3.0 Build 4144.0 with Hotfix HF8.

regards,

Craig

0
Rate this Question

Answers to this Question

placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

It doesn't initially appear to be an issue on 11.5. As an alternative though, you may want to explicitly declare the partition in your class command:

[class match -value [IP::client_addr] equals /dev/ip_datagroup]
1
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

Hi all,

Ok, just saw this which goes some way to explain some of the things we saw, but not exactly because we do not have any of our datagroups in common, but it seems too much of a coincidence. Will go ahead and make the iRule changes.

From https://devcentral.f5.com/wiki/iRules.class.ashx

**Note that starting in v11, any data-groups that are configured in a partition other than Common must be referenced by /Partition_Name/Data-Group_Name, even by iRules configured in that partition. Data-groups referenced only by name are implicitly presumed to be /Common/Data-Group_Name. **

Craig

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

how did this turn out for you? did it solve the issue?

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

This did the trick. Is there a way of finding out your current partition in tcl to contextually prepend it?

0
placeholder+image
USER ACCEPTED ANSWER & F5 ACCEPTED ANSWER

to get the partition name do this:

set partition [URI::path [virtual name]]

0