It's an unicast NLB with layer 3 3com switches....
http://www.microsoft.com/technet/pro...ng/nlbfaq.mspx
Quote:
Layer 3 switches need to be specially configured to work with NLB. A VLAN must be established for the hosts in the cluster, and this VLAN must be configured to operate in Layer 2 mode. All Layer 3 switches may not support this capability, and when they do, the mechanism to setup the Layer-2 VLAN is specific to the particular make and model. Consult the documentation for the switch before attempting to configure such a system.
No idea how to do this on 3Com switches.. I've only used Cisco's.
Hey, thank you very much for your help man.
I think I have two possible solutions here:
- Buy a HUB so I can connect the servers to that HUB and then uplink it to the switch.
- Create a VLAN and enable routing between that VLAN and the default one, BUT the bad news on that one is that a change of IP implies DNS and routing changes that I'm not really sure I'm ready for. ;)
Do you see any other?
UPDATE: Finally I tested with some old HUB, so I connected the two servers to that HUB and the HUB to one of the switches on my LAN... I rebooted both servers... and... I'm still able to see all the conversations between the cluster and the clients! Actually, what I see is the packets that the clients are sending to the cluster, not the other direction...
Any idea??
Derekk- This really comes down to your network configuration.
Using VLANs we create a dedicated private network for the private NLB connections. If you were to set a port on the switch to be a part of this VLAN you can sniff the traffic on this port and see all of the cluster private communication. If that port is not part of that VLAN you won't see the traffic.
The same is true of our public nics. Multicasting on the subnet must be supported. If you only want the machines that are part of the NLB to see the traffic don't assign any other ports to that VLAN.
So for instance on our Catalyst switches there are a lot of ports. If I were to just plug in to any of those ports on the same switch I can't see any of the NLB traffic.
To me it sounds like you are multicasting all of your incoming data to all of the ports on your switch. So even if you put in a hub, you are still sending the incoming data to all of your switch ports...
Perhaps you need to put the machines that are part of the NLB into their own subnet, and make sure that data going to that subnet is only sent to the one port you are using for the hub uplink.
Yes, it's true.
Quote:
Derekk- This really comes down to your network configuration
I just solved the issue by setting the MaskSourceMAC registry parameter to 0.
From now on I can't see the NLB traffic anywhere on the network.
Thank you very much, and I apologize, but my first intention was to discuss NLB security.
Thank you all!
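Added example (not posted by anyone in this thread) in Python, showing the MAC addressing behind the symptom above: in unicast mode every host answers to a shared 02-BF-&lt;cluster IP&gt; MAC, and with MaskSourceMAC=1 each host stamps outgoing frames with a masked source MAC (02-&lt;host priority&gt;-&lt;cluster IP&gt;), so the switch never learns the cluster MAC and floods client-to-cluster frames to every port. The cluster IP 10.0.0.50, the host priorities and the captured frames are constructed for the demonstration.

```python
import ipaddress


def _ip_octets(cluster_ip: str) -> str:
    return "-".join(f"{b:02x}" for b in ipaddress.IPv4Address(cluster_ip).packed)


def nlb_unicast_cluster_mac(cluster_ip: str) -> str:
    """Unicast-mode cluster MAC: 02-BF followed by the four octets of the cluster IP."""
    return "02-bf-" + _ip_octets(cluster_ip)


def nlb_masked_source_mac(cluster_ip: str, host_priority: int) -> str:
    """Source MAC a host writes into outgoing frames when MaskSourceMAC=1.
    The second byte is the host priority, so the switch never sees the real
    cluster MAC as a source and cannot learn which port it lives on."""
    if not 1 <= host_priority <= 32:
        raise ValueError("NLB host priority must be in 1..32")
    return f"02-{host_priority:02x}-" + _ip_octets(cluster_ip)


def flooded_cluster_frames(frames, cluster_ip: str):
    """Frames captured on a port that is NOT a cluster member yet addressed to the
    cluster MAC. Empty on an isolated VLAN or hub segment; non-empty means the
    switch is flooding client->cluster traffic, which is what the thread observed."""
    cluster_mac = nlb_unicast_cluster_mac(cluster_ip)
    return [f for f in frames if f["dst"].lower() == cluster_mac]


# Constructed capture taken on an ordinary workstation port: the two
# client->cluster frames leak, the cluster->client replies (masked source MAC)
# are learned unicast and do not, matching the one-direction symptom above.
CLUSTER_IP = "10.0.0.50"
SAMPLE_FRAMES = [
    {"src": "00-11-22-33-44-55", "dst": "02-bf-0a-00-00-32", "info": "TCP/443 SYN"},
    {"src": "02-01-0a-00-00-32", "dst": "00-11-22-33-44-55", "info": "TCP/443 SYN-ACK"},
    {"src": "00-aa-bb-cc-dd-ee", "dst": "02-bf-0a-00-00-32", "info": "TCP/443 SYN"},
    {"src": "00-11-22-33-44-55", "dst": "ff-ff-ff-ff-ff-ff", "info": "ARP who-has"},
]

if __name__ == "__main__":
    leaked = flooded_cluster_frames(SAMPLE_FRAMES, CLUSTER_IP)
    print(f"cluster MAC {nlb_unicast_cluster_mac(CLUSTER_IP)}: {len(leaked)} flooded frame(s)")
    for frame in leaked:
        print("  ", frame)
```

Setting MaskSourceMAC to 0, as done above, lets the switch learn the real cluster MAC and stop flooding; that only behaves because both hosts sit behind one hub segment, since a plain switch would otherwise pin the cluster MAC to whichever single port last sent from it.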
This is all cute but you mentioned you're using SSL. If so, you're only sniffing the packet headers, not the data. If SSL is doing its job, at worst, you're creating a **** storm of unnecessary network traffic because of improper cluster configs (fail open condition that Cisco switches do and many others). Can you clarify what you're seeing? If you are seeing packet headers, this is normal.
To answer your question, yes, NLB is secure when done properly.
--TH13
Since we're using SSL of course I was only able to see the headers, but I was wondering what could happen if we didn't use it. Could you imagine someone in those circumstances downloading CAIN? ;)
Anyway, I see that the "**** storm" you meant was just a consequence of a misconfiguration (even if that config was extracted from Microsoft docs), or better, if you build NLB clusters it's important that you tune the config. That's what I learned, thank you, and one day of testing... If someone gets offended because of my poor knowledge it's his/her business, I don't really care... :)
I'm happy to see the issue solved and to see that NLB works really fine if you use and configure it properly :)
Who got offended?
As far as I know (is that expression correct?) nobody...
Quote:
Who got offended?
I don't know very much English but I'm pretty sure that
the "if" is conditional ;)
Quote:
If someone gets offended
Forget it, probably it was too early to write something....
By the way, I didn't realize it was you... I love your HPING tutorial ;)