Forum Discussion

th_93192
Mar 13, 2013

clone pools layer2 adjacency?

We are trying to replicate traffic coming into a virtual server to an additional set of server(s) for purposes of side by side testing with 'real' traffic before going live. The clone pool feature seems to be what we are looking for so I have been trying to get it working.

Our setup is:

LTM -> trans-vlan -> router -> host-vlan

real_pool -> contains pool members connected to host-vlan (10.10.10.2)

clone_pool -> contains pool member connected to host-vlan (10.10.10.3)

I definitely have the loopback interfaces configured correctly since I can access services on the clone pool server using 10.10.10.2 (after manually adding an ARP entry on another server). E.g.

On server3 add ARP entry to point 10.10.10.2 at clonepool server MAC

On server3 curl http://10.10.10.2 - response html page confirms that content came from filesystem on 10.10.10.3 clone pool server, so loopback working

However, when I add clonepool (both/and/or server/client side) to the virtual server config, no traffic is received on the clonepool server. tcpdump on LTM on the trans-vlan interface shows traffic being duplicated, layer 3 address is 10.10.10.2, MAC address is always the router MAC on the other end of trans-vlan (as expected).

My conclusion is that clonepools will not work unless the LTM and clonepool target server are layer 2 adjacent?

I have played around with npath in the past and remember that requires pool members be 'directly connected' on a common VLAN to the LTM so I guess in theory the same is true for clone pools given only the layer 2 address is changed and layer 3 remains same for cloned traffic?

Thanks for any help!

 

1 Reply

  • My conclusion is that clonepools will not work unless the LTM and clonepool target server are layer 2 adjacent?

    I think so.

    Clone pool traffic is sent from the BIG-IP system to the IDS system (clone pool member) using the IDS system's L2 MAC address. Other packet header information contained in the clone pool traffic, such as the L3 addressing, remains the same as in the original packet sent to the virtual server pool member.

    sol8573: Configuring the BIG-IP system to send traffic to an intrusion detection system (9.x - 10.x)
    http://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html

  • I have played around with npath in the past and remember that requires pool members be 'directly connected' on a common VLAN to the LTM

    I understand L3 nPath is also possible.

    sol13403: Configuring Layer 3 nPath load balancing and monitoring
    http://support.f5.com/kb/en-us/solutions/public/13000/400/sol13403
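Added example, not from this thread or from F5: a tmsh configuration that makes the clone pool member layer 2 adjacent to the LTM by giving the BIG-IP its own VLAN and self IP on host-vlan, so that, per sol8573, the rewritten destination MAC is the clone server's rather than the router's. The interface number 1.2, the self IP 10.10.10.254, the virtual server address 192.0.2.10:80 and the object name vs_example are assumptions; the pool names and 10.10.10.x addresses follow the original post.

```tmsh
# Assumed: interface 1.2 carries host-vlan, so the BIG-IP can ARP for
# 10.10.10.3 directly instead of sending the clone frame to the router.
net vlan host-vlan {
    interfaces {
        1.2 { }
    }
}
net self 10.10.10.254 {
    address 10.10.10.254/24
    vlan host-vlan
    allow-service none
}

# Real pool: the server that actually answers the virtual server.
ltm pool real_pool {
    members {
        10.10.10.2:80 {
            address 10.10.10.2
        }
    }
    monitor http
}

# Clone pool: port 0 (any) and no health monitor, because the clone server
# only receives duplicated frames and never replies to the BIG-IP. As in the
# post, it keeps 10.10.10.2 on a loopback so it accepts the unchanged L3 destination.
ltm pool clone_pool {
    members {
        10.10.10.3:0 {
            address 10.10.10.3
        }
    }
}

# Virtual server: copies the client-side leg to clone_pool. Add a second
# entry with "context serverside" to also copy the server-side leg.
ltm virtual vs_example {
    destination 192.0.2.10:80
    ip-protocol tcp
    pool real_pool
    clone-pools {
        clone_pool {
            context clientside
        }
    }
    profiles {
        tcp { }
    }
    vlans { trans-vlan }
    vlans-enabled
}
```

After loading, a tcpdump on the host-vlan interface of the LTM should show the duplicated packets with destination MAC equal to the clone server's MAC; if it still shows the router's MAC, the clone member is not on a directly connected VLAN.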