RE: [pfSense Support] Securing CARP

Mon, 01 Aug 2005 11:30:32 -0700 

Randy,

        Microsoft's clustering works somewhat similarly...  It sends
heartbeat traffic about every second to a "fake" MAC Address that is based
upon the load balanced IP address..  

        We've found that with Cabletron 2200 (or 6000 series) switches (the
2H and 6H models, not 2E or 6E) running on the 4.xx.xx firmware, you can use
Classification VLANs to limit this traffic based upon MAC Address, (IP
Address, many variations possible...) to a specific VLAN.  The great thing
about this is that the ports the machines are plugged into can be assigned
to a particular VLAN, but each packet of traffic coming out of those ports
will be individually checked, and potentially assigned to a different VLAN.
That VLAN can be set to forward out to the ports that both machines are
plugged into.  The rest of the traffic coming from those machines is
assigned to the VLAN that the port is assigned to...  

   We have not found a way to do a similar VLAN using Cisco gear,
unfortunately.. (It looks inevitable that we will move to Cisco...)

Paul


-----Original Message-----
From: Scott Ullrich [mailto:[EMAIL PROTECTED] 
Sent: Monday, August 01, 2005 12:56 PM
To: Randy B
Cc: Bill Marquette; [email protected]
Subject: Re: [pfSense Support] Securing CARP

On 8/1/05, Randy B <[EMAIL PROTECTED]> wrote:
> There's an intro to "the rest of the story".  This particular system has
> to be able to support 800+ concurrent clients, each with 20Kbps nominal
> bandwidth and 20% spikes to 300Kbps.  :-D  Two huge boxes won't cut it,
> especially when the load scales out well past 1000.  Hence load load
> balancing.

Wow.  Let me know if you actually get this working!  
 
> So CARP by design (and uncontrollably so) sends it's management packets
> out the interface it's balancing.  Seems counter-intuitive to me; it's
> just multicast, so I would think you should be able to direct it
> wherever need be.  At least I've got pfsync on a dedicated NIC.

Can a layer3 switch filter this somehow?

Scott

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]

Reply via email to