-
November 3rd, 2005, 12:34 PM
#11
Senior Member
It's a unicast NLB with Layer 3 3Com switches....
-
November 3rd, 2005, 01:39 PM
#12
Layer 3 switches need to be specially configured to work with NLB. A VLAN must be established for the hosts in the cluster, and this VLAN must be configured to operate in Layer 2 mode. All Layer 3 switches may not support this capability, and when they do, the mechanism to setup the Layer-2 VLAN is specific to the particular make and model. Consult the documentation for the switch before attempting to configure such a system.
http://www.microsoft.com/technet/pro...ng/nlbfaq.mspx
No idea how to do this on 3Com switches... I've only used Cisco's.
Oliver's Law:
Experience is something you don't get until just after you need it.
-
November 3rd, 2005, 01:49 PM
#13
Senior Member
Hey, thank you very much for your help man.
I think I've two possible solutions here:
- Buy a HUB so I can connect the servers to that HUB and then uplink it to the switch.
- Create a VLAN and enable routing between that VLAN and the default one, BUT the bad news on that one is that a change of IP implies DNS and routing changes that I'm not really sure I'm ready for.
Do you see any other?
-
November 3rd, 2005, 04:33 PM
#14
Senior Member
UPDATE: Finally I tested with an old HUB: I connected the two servers to that HUB and the HUB to one of the switches on my LAN... I rebooted both servers... and... I'm still able to see all the conversations between the cluster and the clients! Actually, what I see is the packets that the clients are sending to the cluster, not the other direction...
Any idea??
-
November 3rd, 2005, 05:19 PM
#15
Derekk- This really comes down to your network configuration.
Using VLANs we create a dedicated private network for the private NLB connections. If you were to set a port on the switch to be a part of this VLAN you can sniff the traffic on this port and see all of the cluster private communication. If that port is not part of that VLAN you won't see the traffic.
The same is true of our public nics. Multicasting on the subnet must be supported. If you only want the machines that are part of the NLB to see the traffic don't assign any other ports to that VLAN.
So for instance on our catalyst switches there are a lot of ports. If I were to just plugin to any of those ports on the same switch I can't see any of the NLB traffic.
To me it sounds like you are multicasting all of your incoming data to all of the ports on your switch. So even if you put in a hub, you are still sending the incoming data to all of your switch ports...
Perhaps you need to put the machines that are part of the NLB into their own subnet, and make sure that data going to that subnet is only sent to the one port you are using for the hub uplink.
-
November 3rd, 2005, 05:32 PM
#16
Senior Member
Derekk- This really comes down to your network configuration
Yes it's true.
I just solved the issue by setting the MaskSourceMAC registry parameter to 0.
From now on I can't see the NLB traffic anywhere on the network.
Thank you very much, and I apologize, but my first intention was to discuss NLB security.
Thank you all!
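To show why the sniffer in post #14 still saw client-to-cluster frames and why the MaskSourceMAC=0 change in post #16 stopped it, here is an added Python model of a MAC-learning switch. It is not code from the thread; the MAC addresses and port names are constructed, and it also covers the case the thread does not test (MaskSourceMAC=0 with the hosts on separate switch ports).

```python
from typing import Dict, Set

# Constructed sample addresses, not from the thread. In unicast NLB every
# cluster host answers to one shared cluster MAC. With MaskSourceMAC=1 each
# host rewrites the source MAC of the frames it sends, so a switch never
# learns the shared MAC and must flood frames addressed to it.
CLUSTER_MAC = "02-bf-0a-00-00-10"
MASKED_SRC = {"srv1": "02-01-0a-00-00-10", "srv2": "02-02-0a-00-00-10"}
CLIENT_MAC = "00-50-56-00-00-01"


class LearningSwitch:
    """Minimal Layer-2 switch model: learn source MAC per port, forward known
    unicast out of one port, flood unknown unicast out of every other port."""

    def __init__(self, ports):
        self.ports: Set[str] = set(ports)
        self.cam: Dict[str, str] = {}  # MAC -> port it was last seen on

    def ingress(self, port: str, src: str, dst: str) -> Set[str]:
        self.cam[src] = port  # learn; last writer wins, as in a real CAM table
        if dst in self.cam:
            return {self.cam[dst]}
        return self.ports - {port}  # unknown unicast: flood ("fail open")


def ports_receiving_client_frame(mask_source_mac: bool, shared_hub: bool) -> Set[str]:
    """Which switch ports see a client frame sent to the cluster MAC, after both
    cluster hosts have transmitted. shared_hub=True models post #14: both hosts
    hang off one hub that is plugged into a single switch port."""
    host_port = {"srv1": "hub_uplink" if shared_hub else "port_srv1",
                 "srv2": "hub_uplink" if shared_hub else "port_srv2"}
    sw = LearningSwitch(set(host_port.values()) | {"client", "sniffer"})
    for host, port in host_port.items():
        src = MASKED_SRC[host] if mask_source_mac else CLUSTER_MAC
        sw.ingress(port, src, CLIENT_MAC)  # a reply sent by each cluster host
    return sw.ingress("client", CLIENT_MAC, CLUSTER_MAC)


if __name__ == "__main__":
    for mask in (True, False):
        for hub in (True, False):
            print(f"MaskSourceMAC={int(mask)} hub={hub}: "
                  f"{sorted(ports_receiving_client_frame(mask, hub))}")
```

With masking on, the sniffer port receives every client frame; with masking off and a hub, the switch learns the cluster MAC on the hub uplink alone, but with masking off and no hub only the last host to transmit receives the traffic.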
-
November 3rd, 2005, 10:40 PM
#17
This is all cute but you mentioned you're using SSL. If so, you're only sniffing the packet headers, not the data. If SSL is doing its job, at worst, you're creating a **** storm of unnecessary network traffic because of improper cluster configs (fail open condition that Cisco switches do and many others). Can you clarify what you're seeing? If you are seeing packet headers, this is normal.
To answer your question, yes, NLB is secure when done properly.
--TH13
Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
-
November 4th, 2005, 08:48 AM
#18
Senior Member
-
November 4th, 2005, 03:44 PM
#19
-
November 4th, 2005, 05:07 PM
#20
Senior Member
As far as I know (is that expression correct?) nobody...
I don't know very much English but I'm pretty sure that
the "if" is conditional
Forget it, probably it was too early to write something....
By the way, I didn't realize it was you... I love your HPING tutorial