
List:       loadbalancing-l
Subject:    RE: [load balancing] Alteon AD3 Load Balancing Problem
From:       "Dusan Senkypl" <senkypl () trafficsyndicate ! com>
Date:       2002-12-17 11:24:57

Please dismiss the last problem. I was tracing down the issue and it seems
that there is something weird with the network interface card in our server
- it works on the local network but not on routed connections. I've used the
2nd card and it works now.

-----Original Message-----
From: owner-lb-l@vegan.net [mailto:owner-lb-l@vegan.net] On Behalf Of
Alex Moore
Sent: Tuesday, December 17, 2002 2:20 AM
To: lb-l@vegan.net
Subject: Re: [load balancing] Alteon AD3 Load Balancing Problem


Hi Dusan,

I hope I can shed some light on the problem.  The main issue that I
think you are seeing is with filter 100.  Your definition is essentially
saying: all traffic from the servers' network that is destined to the
servers' network, allow.  It is important to remember that a filter
matches patterns in a single packet on an ingress port.  That is to say,
as a packet of data enters a port on the switch, it is compared against
the filters on that port; if a filter matches, the action is carried
out.

One recommendation that I would make is to apply your filters to the
ingress port for your solution, in this case port 1, so that your focus
on filtering is securing traffic inbound from the Internet (remember
filtering only occurs to inbound packets on a port).  The filter setup
is much the same in this scenario, but a little more logical in my
opinion.

So we have:

Filter 10: dport http (allow)
Filter 11: sport http/adv/ack e (allow)
Filter 100: sport [your ip]/smask [your mask] (allow)
Filter 224: adv/log e (deny)

10 is the obvious one; it allows any traffic to port 80 on your servers (or
virtual servers).

11 is to allow return traffic from connections that your servers have
established to port 80.  Note the "ack" option from the advanced options:
this option enables a slight bit of extra security whereby, rather than
letting in ANY traffic with a source port of 80, it only allows
traffic in response to a connection (i.e. return traffic from an outbound
connection from your servers).

100 allows in any traffic from your office/management network for your
administration.  Note that you only need to specify the source IP; the fact
that the data is routing into port 1 implies that the destination IP is
your servers.  However, in a more complicated network you may also wish to
specify the dip/dmask as those of your servers.

224 finally drops any further packets.  Notice another advanced option,
logging: this is useful to see what packets are falling through your
filters.  The filters above get applied to packets with the following
flow:

[INTERNET]
  |
 \|/
[PORT 1 Filters]
  |
 \|/
[Servers]

So we have secured all inbound traffic to your servers.  Depending on
how secure you want to be, we can end there.  The internet can connect
to port 80 and your office can freely connect to the servers, all other
connections are blocked and logged.  Your servers can send out udp
packets, establish outbound http streams and send out packets to your
office.  

The other, perhaps less important, flow of traffic is:

[Internet]
 /|\
  |
[PORT 2 Filters]
 /|\
  |
[Servers]

Note that we have moved all our filters to port 1 so there should be no
filters on port 2 - remember we are protecting the solution from traffic
inbound from the Internet.  So we are letting all traffic out from your
servers, however, you can still apply filters to port 2 if you wish to
restrict outbound packets from your servers.

I hope that helps.  Filtering is a little confusing at times,
particularly if you come from a stateful firewall background.  Let me
know if you have any questions.

Regards,
Alex Moore
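The port 1 filter chain Alex describes, modelled as an added example for this thread (not Alteon code and not from either poster): filters are checked in ascending number on the ingress port, the first match decides, and the "ack" and "log" advanced options behave as explained above. The office network 192.0.2.0/24, the sample packets, and forwarding packets that match no filter are assumptions.

```python
# Added model of Alteon-style first-match ingress filtering (illustration only).
# Office net 192.0.2.0/24 and the packets are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass
class Packet:
    sip: str
    dip: str
    sport: int
    dport: int
    proto: str = "tcp"
    ack: bool = False           # TCP ACK flag set, i.e. not an opening SYN

@dataclass
class Filter:
    num: int                    # filters are evaluated in ascending number
    action: str                 # "allow" or "deny"
    proto: Optional[str] = None
    sport: Optional[int] = None
    dport: Optional[int] = None
    snet: Optional[str] = None  # sip/smask expressed as a CIDR network
    ack: bool = False           # advanced option: match only if ACK is set
    log: bool = False           # advanced option: record the match

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or p.proto == self.proto)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.snet is None or ip_address(p.sip) in ip_network(self.snet))
                and (not self.ack or p.ack))

def port1_filters(require_ack: bool = True) -> List[Filter]:
    """Alex's recommended ingress chain for port 1 (office net is constructed)."""
    return [
        Filter(10, "allow", proto="tcp", dport=80),
        Filter(11, "allow", proto="tcp", sport=80, ack=require_ack),
        Filter(100, "allow", snet="192.0.2.0/24"),
        Filter(224, "deny", log=True),
    ]

def ingress(filters: List[Filter], p: Packet, log: List[str]) -> Tuple[str, int]:
    """First matching filter decides; returns (action, filter number)."""
    for f in sorted(filters, key=lambda f: f.num):
        if f.matches(p):
            if f.log:
                log.append(f"filt {f.num} {f.action} {p.sip}:{p.sport}->{p.dip}:{p.dport}")
            return f.action, f.num
    return "allow", 0           # assumption: unmatched packets are forwarded
```

Running the same bare-SYN packet with source port 80 through `port1_filters(require_ack=False)` shows why the "ack" option matters: without it, filter 11 admits anything that merely claims source port 80.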



On Mon, 2002-12-16 at 12:15, Dusan Senkypl wrote:
> Hi,
> 
> I'm trying to setup Alteon AD3 as our Load Balancing solution.
> 
> We have Port 1 attached to a switch with internet connection uplink. 
> We have Port 2 attached to a switch with our server pool.
> 
> There are 7 servers connected.
> 2 servers are standalone servers (no load balancing)
> 5 servers are load balanced - in 2 groups (3 & 2 servers).
> 
> Everything works fine without filtering rules but when I try to setup 
> filtering rules, I have major problems - I'm not able to access servers
> from outside.
> 
> I use 4 filtering rules:
> 
> 10 & 11 should allow all http traffic inside & outside (we need to 
> access xml sources from our servers). Rule 100 should allow all kinds of
> communication we need among our servers (I'm not sure we need this
> as servers are on a separate switch, so we in fact need the ports required by
> health checking..)
> Rule 224 denies all traffic.
> 
> It looks like something important is missing here (as it doesn't 
> work..). Any ideas?
> 
> Thank you very much.
> 
> Dusan Senkypl
> senkypl@ibisit.com
> 
> 
> 
> script start "Alteon AD3" 4  /**** DO NOT EDIT THIS LINE!
> /* Configuration dump taken 12:57:07 Mon Dec 16, 2002
> /* Version 10.0.25,  Base MAC address 00:60:cf:48:16:e0
> /c/sys
> 	http ena
> 	tnet ena
> /c/ip/if 1
> 	ena
> 	addr 38.144.107.2
> /c/ip/gw 1
> 	ena
> 	addr 38.144.107.1
> /c/vrrp/hotstan enabled
> /c/vrrp/vr 1
> 	ena
> 	vrid 1
> 	if 1
> 	addr 38.144.107.2
> /c/vrrp/group
> 	ena
> 	vrid 1
> 	if 1
> /c/slb
> 	on
> /c/slb/sync/peer 1
> 	ena
> 	addr 38.144.107.3
> /c/slb/real 1
> 	ena
> 	rip 38.144.107.41
> /c/slb/real 2
> 	ena
> 	rip 38.144.107.42
> /c/slb/real 3
> 	ena
> 	rip 38.144.107.43
> /c/slb/real 50
> 	ena
> 	rip 38.144.107.10
> /c/slb/real 60
> 	ena
> 	rip 38.144.107.20
> /c/slb/real 100
> 	ena
> 	rip 38.144.107.31
> /c/slb/real 102
> 	ena
> 	rip 38.144.107.32
> /c/slb/group 1
> 	add 1
> 	add 2
> 	add 3
> /c/slb/group 2
> 	add 101
> 	add 102
> /c/slb/port 1
> 	client ena
> 	hotstan ena
> /c/slb/port 2
> 	server ena
> 	hotstan ena
> /c/slb/port 8
> 	intersw ena
> /c/slb/virt 1
> 	ena
> 	vip 38.144.107.40
> /c/slb/virt 1/service http
> 	group 1
> /c/slb/virt 2
> 	ena
> 	vip 38.144.107.30
> /c/slb/virt 2/service http
> 	group 2
> /c/slb/filt 10
> 	ena
> 	action allow
> 	proto tcp
> 	dport http
> /c/slb/filt 11
> 	ena
> 	action allow
> 	proto tcp
> 	sport http
> /c/slb/filt 100
> 	ena
> 	action allow
> 	sip 38.144.107.1
> 	smask 255.255.255.192
> 	dip 38.144.107.1
> 	dmask 255.255.255.192
> /c/slb/filt 224
> 	ena
> 	action deny
> /c/slb/port 2
> 	filt ena
> 	add 10
> 	add 11
> 	add 100
> 	add 224
> /
> script end  /**** DO NOT EDIT THIS LINE!
> 
> ____________________
> The Load Balancing Mailing List
> Unsubscribe:    mailto:majordomo@vegan.net?body=unsubscribe%20lb-l
> Archive:        http://vegan.net/lb/archive
> LBDigest:       http://lbdigest.com
> MRTG with SLB:  http://vegan.net/MRTG
> Hosted by:	http://ww.tokkisystems.com

