Forum Discussion

ewspall_204706
Jun 02, 2015

Clone Pool in AWS

I have recently been setting up a POC for using a Clone Pool to replicate traffic to an IDS device (in this case RSA's NetWitness/Security Analytics).

I have been using the resources below to set this up in my on-prem network.

https://support.f5.com/kb/en-us/solutions/public/8000/500/sol8573.html

https://devcentral.f5.com/questions/clone-pool-and-port-mirroring

My end game, however, is to be able to clone traffic from our soon-to-be-commissioned LTM devices in AWS to our on-prem IDS device. My question is... is this possible? And if so, how? I'm not seeing how I would be able to use the methods listed in the above articles over a point-to-point (L3) link to AWS.

Thanks


2 Replies

  • The problem with clone pools in AWS is that the packets generated by the clone pool retain the original source and destination IPs but have their MAC address changed in order to deliver the original data to a different layer 2 destination. Unfortunately (in my testing) the AWS fabric drops this traffic. Probably because the security groups do stateful inspection and aren't fond of these out-of-state packets.

    As a workaround I've attempted to create a GRE tunnel to the destination, as GRE traffic is passed by AWS (if specific caveats are met). However, since the decision to GRE-encapsulate traffic is based on the destination IP in the IP header, this traffic will not traverse the tunnel.

    At least this has been my experience so far. I've not been able to get the native GRE tunnel to work in the virtual LTM, and have been forced to use Linux OS GRE tunnels. TMM (I'm assuming) seems to ignore any manual ARP entries I put in to try to force this traffic in the correct direction.

    I'm currently looking for other methods to span traffic, but sadly it appears putting the IDS logically in line may be necessary.

    • Peter_Stein_234
      Update to this: it turns out that VPC doesn't drop this traffic for being out of state; it drops this traffic because "source/destination check" is turned on on the originating and arriving interfaces. We originally turned this off on the instances and still didn't see traffic pass; it turns out this flag needs to be disabled on the actual instance interface. We are now cloning traffic in AWS!
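The fix the last reply describes is a per-interface setting, not a per-instance one. The following is an added example (not code from the thread or from F5) that audits the EC2 source/destination check flag on every network interface attached to the instances on the cloning path and disables it on each ENI directly, using the boto3 calls `describe_network_interfaces` and `modify_network_interface_attribute`. The ENI and instance IDs, descriptions, and the `describe_network_interfaces` output embedded in `SAMPLE_ENIS` are constructed test data; with boto3 installed and credentials available, `main()` runs against a real account for the instance IDs you pass on the command line.

```python
"""Audit and disable the EC2 source/destination check on the network
interfaces that carry cloned traffic.

Added example, not from the thread. A clone-pool packet keeps the original
source/destination IPs and only gets a new MAC, so with the check enabled the
VPC fabric drops it on both the sending (LTM) and receiving (IDS) interface.
"""
import sys
from typing import Dict, Iterable, List, Optional

# Constructed sample shaped like boto3's
# ec2.describe_network_interfaces()["NetworkInterfaces"] (only the keys used here).
# IDs and descriptions are made up for this example.
SAMPLE_ENIS: List[Dict] = [
    {"NetworkInterfaceId": "eni-0aaa1111", "SourceDestCheck": True,
     "Attachment": {"InstanceId": "i-0ltm1", "DeviceIndex": 0},
     "Description": "ltm-a eth0 (instance-level flag already off)"},
    {"NetworkInterfaceId": "eni-0aaa2222", "SourceDestCheck": True,
     "Attachment": {"InstanceId": "i-0ltm1", "DeviceIndex": 1},
     "Description": "ltm-a clone-pool side"},
    {"NetworkInterfaceId": "eni-0bbb3333", "SourceDestCheck": False,
     "Attachment": {"InstanceId": "i-0ids1", "DeviceIndex": 0},
     "Description": "ids capture"},
    {"NetworkInterfaceId": "eni-0ccc4444", "SourceDestCheck": True,
     "Attachment": {"InstanceId": "i-0other", "DeviceIndex": 0},
     "Description": "unrelated web server, must not be touched"},
]


def enis_with_check_enabled(enis: Iterable[Dict],
                            instance_ids: Optional[set] = None) -> List[str]:
    """Return the IDs of interfaces that still have SourceDestCheck on.

    When instance_ids is given, only interfaces attached to those instances
    are considered, so unrelated instances in the VPC are left alone.
    """
    found = []
    for eni in enis:
        attached_to = eni.get("Attachment", {}).get("InstanceId")
        if instance_ids is not None and attached_to not in instance_ids:
            continue
        # Treat a missing key as "enabled": that is the EC2 default.
        if eni.get("SourceDestCheck", True):
            found.append(eni["NetworkInterfaceId"])
    return found


def plan_disable_calls(eni_ids: Iterable[str]) -> List[Dict]:
    """Build the kwargs for ec2.modify_network_interface_attribute().

    The flag is set per ENI; as the thread notes, turning it off at the
    instance level alone did not make the cloned traffic pass.
    """
    return [{"NetworkInterfaceId": eni_id, "SourceDestCheck": {"Value": False}}
            for eni_id in eni_ids]


class DryRunClient:
    """Stand-in for a boto3 EC2 client that records calls instead of making them."""

    def __init__(self) -> None:
        self.calls: List[Dict] = []

    def modify_network_interface_attribute(self, **kwargs) -> Dict:
        self.calls.append(kwargs)
        return {}


def disable_source_dest_check(client, enis: Iterable[Dict],
                              instance_ids: Optional[set] = None) -> List[str]:
    """Disable the check on every qualifying ENI; return the ENI IDs changed."""
    targets = enis_with_check_enabled(enis, instance_ids)
    for kwargs in plan_disable_calls(targets):
        client.modify_network_interface_attribute(**kwargs)
    return targets


def main(argv: List[str]) -> int:
    # Usage: python clone_pool_srcdest.py i-0ltm... i-0ids...
    # Without boto3 (or without arguments) the constructed sample is used.
    try:
        import boto3  # type: ignore
    except ImportError:
        boto3 = None
    if boto3 is None or len(argv) < 2:
        changed = disable_source_dest_check(DryRunClient(), SAMPLE_ENIS,
                                            {"i-0ltm1", "i-0ids1"})
        print("dry run, would disable on:", changed)
        return 0
    ids = argv[1:]
    ec2 = boto3.client("ec2")
    enis = ec2.describe_network_interfaces(
        Filters=[{"Name": "attachment.instance-id", "Values": ids}]
    )["NetworkInterfaces"]
    changed = disable_source_dest_check(ec2, enis, set(ids))
    print("disabled source/dest check on:", changed)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it once with the LTM and IDS instance IDs, then re-run it: the second pass should report nothing to change, which is the check that the flag really is off on every interface in the path rather than only on the instance's primary one.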