NIC Config - Intra-Array
NIC Config - Intra-Array - 19.Jun.2008 10:49:03 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
Hiya, Our ISA boxes have 2 NICs at the moment - one for External and one for Internal. We are running a 2 server array at the main office (Enterprise), and a single firewall at the remote office (Standard), and my understanding is that dedicated Intra-Array NICs are only needed if you have more than one array (correct if wrong), which we don't currently have (just the one array for the main site). I am planning to upgrade the remote office to the same config (1 CSS + 2 members) within 12 months, and have a second array. Would this then bring up the requirement for dedicated Intra-Array NICs? Thanks
< Message edited by ldoodle -- 19.Jun.2008 10:51:57 AM >
RE: NIC Config - Intra-Array - 19.Jun.2008 11:16:01 AM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
A dedicated intra-array NIC is best practice and was also required when using NLB, as the default unicast mode of ISA prevented intra-host communications unless you had a dedicated NIC. With the advent of Windows 2003 SP1, it became possible for unicast NLB nodes to communicate without a dedicated NIC, but it still "feels right" to use an intra-array NIC for all EE deployments IMHO.

There is also an issue of security, in that all intra-array traffic is much better protected by using a server-server network as opposed to passing it across the internal network, where it could be sniffed. For the sake of an extra NIC per server, I always include it in my designs...

Have a look here for recommended intra-array NIC config.

Cheers

JJ
< Message edited by Jason Jones -- 19.Jun.2008 11:17:25 AM >
_____________________________
Jason Jones (MVP) Silversands Limited http://www.silversands.co.uk My Blog: http://blog.msfirewall.org.uk/ Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: NIC Config - Intra-Array - 19.Jun.2008 11:47:57 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
OK, so I'm guessing the dedicated intra-array NICs are on their own address range, so for example:

LAN: 1.1.1.1/23
WAN: 2.2.2.2/29
DMZ: 3.3.3.3/29
Intra-Array: 4.4.4.4/29 (or whatever mask is suitable)

Just to clarify, does Intra-Array mean communication between x number of different arrays, or communication between members of the same array? If the latter (which I think is correct, or it would be Inter-Array), does the CSS server need to have a dedicated NIC?

Thanks
< Message edited by ldoodle -- 19.Jun.2008 11:51:09 AM >
RE: NIC Config - Intra-Array - 19.Jun.2008 12:16:17 PM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Yep, it needs a unique subnet/network. A class C is normally fine, but just make sure it is unique within your environment. If the network is used elsewhere, ISA will never be able to route the packets back out of the correct interface, as it will send them down the intra-array NIC by mistake. You also need to create an ISA network to represent the subnet and enable the web proxy listener for this network.

Yep, intra-array is the name for communications between array members in the SAME array. There is no communication between arrays.

Nope, the CSS doesn't need a dedicated NIC, as it hosts the array configuration and does not form part of the array (assuming you have a dedicated CSS of course).

Cheers

JJ
RE: NIC Config - Intra-Array - 19.Jun.2008 2:20:56 PM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
quote:
ORIGINAL: Jason Jones
Yep, it needs a unique subnet/network. A class C is normally fine, but just make sure it is unique within your environment. If the network is used elsewhere, ISA will never be able to route the packets back out of the correct interface, as it will send them down the intra-array NIC by mistake.

In our enterprise, every ISA array or server cluster uses the same network for intra-array communications. We designated 172.31.255.0 as the intra-server network. Since our enterprise network is 10.0.0.0, it's pretty obvious that the 172.31.255.0 network is "special". Also, since that address range is captive to each set of clustered servers, there's no chance of mis-routed replies.

Glenn
RE: NIC Config - Intra-Array - 19.Jun.2008 6:30:06 PM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
I don't see a problem with using the same intra-array network definition across multiple arrays, but the key issue is to make sure you do not choose an address that overlaps with any part of the WAN/LAN that may need to communicate with ISA. Using a completely separate IP address class (as per Glenn's example) is a good way to try to avoid any potential problems. IMHO I would rather use different intra-array networks per array, not that it really matters though...

Cheers

JJ
RE: NIC Config - Intra-Array - 20.Jun.2008 5:42:17 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
quote:
ORIGINAL: Jason Jones
Yep, it needs a unique subnet/network. A class C is normally fine, but just make sure it is unique within your environment. If the network is used elsewhere, ISA will never be able to route the packets back out of the correct interface, as it will send them down the intra-array NIC by mistake. You also need to create an ISA network to represent the subnet and enable the web proxy listener for this network. Yep, intra-array is the name for communications between array members in the SAME array. There is no communication between arrays. Nope, the CSS doesn't need a dedicated NIC, as it hosts the array configuration and does not form part of the array (assuming you have a dedicated CSS of course). Cheers JJ

Just thinking out loud here - technically, could I use a 10.x.x.x address for LAN, DMZ and Intra-Array? As long as they have a different subnet, it should work OK, shouldn't it? So for example:

Main Office:
LAN: 10.0.0.0/23 (10.0.0.0 - 10.0.1.255)
WAN: ISP
DMZ: 10.0.100.0/24 (10.0.100.0 - 10.0.100.255)
Intra-Array: 10.0.101.0/24 (10.0.101.0 - 10.0.101.255)
VPN: 10.0.201.0/24 (10.0.201.0 - 10.0.201.255)

Branch Office:
LAN: 10.0.2.0/23 (10.0.2.0 - 10.0.3.255)
WAN: ISP
DMZ: 10.0.102.0/24 (10.0.102.0 - 10.0.102.255)
Intra-Array: 10.0.103.0/24 (10.0.103.0 - 10.0.103.255)
VPN: 10.0.203.0/24 (10.0.203.0 - 10.0.203.255)

Or is that a complete nose-turn to best practices? :)
< Message edited by ldoodle -- 20.Jun.2008 5:45:03 AM >
RE: NIC Config - Intra-Array - 20.Jun.2008 7:11:08 AM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
Personally I would use a different class. There is a lot of value in making DMZ or heartbeat networks "look different", and this also avoids potential problems if someone gets a subnet mask wrong. If you are worried about big overlaps, just choose a private range but subnet it down to just a few hosts - maybe use a /28 or something? What you have proposed will work technically, but I wouldn't do it that way. Maybe put the DMZ on a class B and intra-array on a class C.

Cheers

JJ
RE: NIC Config - Intra-Array - 20.Jun.2008 7:24:28 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
Yeah I wouldn't have actually used a setup like that, and can see the pros of different addresses. I just like to try to understand as much about a product as I can! Thanks
< Message edited by ldoodle -- 20.Jun.2008 7:26:27 AM >
RE: NIC Config - Intra-Array - 20.Jun.2008 7:26:47 AM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
That's exactly the point of using a "special" intra-array network... it's never going to be part of your enterprise LAN or VPN environment. Most cluster systems I've seen employ a /24 subnet, even if connecting just two systems. If you use a different network for each cluster (or ISA array - same difference), you or the network group need to track each network. We have three multi-server ISA arrays here, 7 Windows clusters, and about a dozen *nix clusters. It now comes down to keeping track of 20 subnets or 1.

In ldoodle's example, he's using the same core network for intra-array, DMZ, and Internal. This opens the possibility for misconfiguration by using an overlapping network. By using a different range entirely (i.e. 10 for your enterprise, and 172.31 for your clusters) it's very unlikely to have problems.

Also - for ldoodle - assigning IP addresses on decimal boundaries makes it easy for us analog life forms to recognize network divisions, but binary life(less) forms prefer binary divisions. As your network becomes more complex, you'll find that starting a network address range with "50" or "100" will cause more problems than if you start with, say, "64" or "128". Using these powers of two will allow simple routing (summary routes) instead of having to specify several or even dozens of route statements in the future.

Glenn
RE: NIC Config - Intra-Array - 20.Jun.2008 8:17:56 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
As there is no communication between arrays, I therefore assume multiple arrays can have the same NIC config. Another example (Intra-Array NIC only):

Main Office:
Server1: 172.31.255.1/29
Server2: 172.31.255.2/29

Branch Office:
Server1: 172.31.255.1/29
Server2: 172.31.255.2/29

Or does the same apply as for remote-site VPN networks (must be a unique network ID), and therefore each Intra-Array NIC needs a unique address (so .3 and .4 for Branch Office servers), even if in different arrays?

Last question I promise!
< Message edited by ldoodle -- 20.Jun.2008 8:21:14 AM >
RE: NIC Config - Intra-Array - 20.Jun.2008 9:42:50 AM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
There is no routing of that address range. Only computers directly connected to an array or cluster will be aware of those addresses, and since each cluster is directly connected, they will never try to route to them via the other interfaces. That is why it's important to use a unique address for intra-cluster communications. There's no need to use different addresses, although some people feel that it adds an extra level of identification. For me, I start with 1 and go up for each array/cluster. Glenn
RE: NIC Config - Intra-Array - 21.Jun.2008 7:55:53 AM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Anal? With 24 pages & 2 Visio's to document my home network config - certainly not me! ;)

One more comment about network setup - "Organization". You'll need a VIP address for each array to implement NLB. I might use the .1 address for the VIP, and use 2-7 for the physical addresses (start with 2 & 3, the rest are for possible growth). Allocate another block of addresses for your servers, and another for other hosts. I usually allow at least 50% for growth in each address block, often more.

Like my earlier comment - arrange hosts on a power of 2 boundary whenever possible. If you expect 12 servers, round up to 16 & double - 32. Place the server address block on a multiple of 32 boundary, 32-63, 64-95, etc... This way, should you ever want to isolate them via a firewall, you can easily move them as a logical subnet.

Glenn
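The two design rules argued in this thread, that the intra-array subnet must not overlap (or even resemble) any routed network, and that host blocks should sit on power-of-two boundaries so they summarise to one route, can be checked mechanically. The script below is an added example, not code from the original thread or from ISA Server; it feeds in ldoodle's proposed main-office plan and Glenn's 172.31.255.0 variant as constructed sample input.

```python
import ipaddress
import itertools

# ldoodle's proposed main-office plan from the thread, used here as sample input.
MAIN_OFFICE = {
    "LAN": "10.0.0.0/23",
    "DMZ": "10.0.100.0/24",
    "Intra-Array": "10.0.101.0/24",
    "VPN": "10.0.201.0/24",
}
# Glenn's variant: same plan, intra-array moved to a range that "looks different".
GLENN_STYLE = dict(MAIN_OFFICE, **{"Intra-Array": "172.31.255.0/24"})


def overlapping_pairs(plan):
    """Pairs of named networks that overlap. An overlap involving the intra-array
    subnet is the failure Jason describes: ISA picks the intra-array NIC for
    replies that should leave by another interface."""
    nets = {name: ipaddress.ip_network(cidr) for name, cidr in plan.items()}
    return [(a, b) for a, b in itertools.combinations(nets, 2)
            if nets[a].overlaps(nets[b])]


def first_octet_is_distinct(plan, key="Intra-Array"):
    """Glenn's rule of thumb: the intra-array range should not share its first
    octet with any other network in the plan, so a wrong mask cannot swallow it."""
    octet = lambda cidr: int(ipaddress.ip_network(cidr).network_address) >> 24
    return all(octet(cidr) != octet(plan[key])
               for name, cidr in plan.items() if name != key)


def server_block(expected_hosts):
    """Glenn's sizing rule: round up to a power of two, double for growth, and
    place the block on a multiple of its own size (12 -> 32 hosts at .32-.63)."""
    size = 1
    while size < expected_hosts:
        size *= 2
    size *= 2
    return size, size, 2 * size - 1   # (block size, first host, last host)


def route_count(first, last, base="10.0.0.0/24"):
    """How many summary routes a host range needs: .32-.63 collapses to one /27,
    while a decimal range such as .1-.5 needs three separate prefixes."""
    net = ipaddress.ip_network(base)
    lo = net.network_address + first
    hi = net.network_address + last
    return len(list(ipaddress.summarize_address_range(lo, hi)))
```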
< Message edited by gbarnas -- 21.Jun.2008 7:59:53 AM >
RE: NIC Config - Intra-Array - 26.Jun.2008 9:56:07 AM
ldoodle
Posts: 70
Joined: 21.Mar.2005
From: England
quote:
ORIGINAL: gbarnas
You'll need a VIP address for each array to implement NLB. I might use the .1 address for the VIP, and use 2-7 for the physical addresses (start with 2 & 3, the rest are for possible growth)

I do the opposite - start with .1 for physical and the last for the virtual.

quote:
ORIGINAL: gbarnas
Like my earlier comment - arrange hosts on a power of 2 boundary whenever possible. If you expect 12 servers, round up to 16 & double - 32. Place the server address block on a multiple of 32 boundary, 32-63, 64-95, etc... This way, should you ever want to isolate them via a firewall, you can easily move them as a logical subnet.

I see the benefit of this, but can I ask why you have started with 32-63 and not 0-31?

Thanks
RE: NIC Config - Intra-Array - 26.Jun.2008 11:35:02 AM
Jason Jones
Posts: 2121
Joined: 30.Jul.2002
From: United Kingdom
quote:
ORIGINAL: ldoodle
quote:
ORIGINAL: gbarnas
You'll need a VIP address for each array to implement NLB. I might use the .1 address for the VIP, and use 2-7 for the physical addresses (start with 2 & 3, the rest are for possible growth)

I do the opposite - start with .1 for physical and the last for the virtual.

quote:
ORIGINAL: gbarnas
Like my earlier comment - arrange hosts on a power of 2 boundary whenever possible. If you expect 12 servers, round up to 16 & double - 32. Place the server address block on a multiple of 32 boundary, 32-63, 64-95, etc... This way, should you ever want to isolate them via a firewall, you can easily move them as a logical subnet.

I see the benefit of this, but can I ask why you have started with 32-63 and not 0-31? Thanks

I disagree with both. In my experience, it is more likely to add more virtual IPs (VIPs) than dedicated IPs (DIPs), especially on the external interface. Hence it makes sense to set aside a block of addresses for array members (DIPs), then leave a block of addresses above this for the growing VIPs. This way you avoid the chance of having:

DIP Server 1 = .1
DIP Server 2 = .2
VIP1 = .3
DIP Server 3 = .4
VIP2 = .5
VIP3 = .6
DIP Server 4 = .7

and hopefully have this:

DIP Server 1 = .1
DIP Server 2 = .2
...
DIP Server 10 = .10
VIP1 = .20
VIP2 = .21
...
VIP10 = .30

Alternatively, if you like the default gateway to be .1, flip them around as follows:

DIP Server 1 = .20
DIP Server 2 = .21
...
DIP Server 10 = .30
VIP1 = .1
VIP2 = .2
...
VIP10 = .10

By allowing growth in both the VIP and DIP addresses, you will always have a contiguous flow of addressing that makes sense... I also never publish anything on the primary VIP, as I leave this as a special gateway-only VIP.

All just IMHO of course

Cheers

JJ
< Message edited by Jason Jones -- 26.Jun.2008 11:39:41 AM >
RE: NIC Config - Intra-Array - 26.Jun.2008 3:33:02 PM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Yeah - hadn't had my coffee yet... Most of the time I had added an additional server - DIP - so that was on my mind. The point was, and Jason clarified it, that you define a block for VIPs and another for DIPs, otherwise you wind up with a mess of interspersed DIP & VIP addresses.

As for starting with 32-63 - just habit. I usually stick my communications gear at the lowest addresses, infrastructure servers above that, and app servers above that. Based on my example, we wanted 32 addresses for servers. Since I mentally assign routers and such to low addresses, I moved to the next full block. Grouping similar servers & network equipment into logical address blocks allows you to apply subnet rules, especially to devices that don't authenticate to ISA.

Finally, if you do want the flexibility of being able to subnet those devices, you'll probably want to treat it like a subnet from day 1 and avoid the first 2 & last address in the block. ;)

Glenn
RE: NIC Config - Intra-Array - 30.Jun.2008 12:06:45 PM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
You're still thinking decimal though... 1-5 is not a binary-divisible range; 0-3 and 0-7 are. Even though you won't be subnetting, you can easily summarize a group of systems for applying network or firewall rules if they are on binary boundaries - multiples of 2, 4, 8, 16, etc. It's easier for the computer, which means there's less chance of misconfiguration (or misinterpretation of your expectations). That's not to say 1-5, 6-10, etc. won't work; it's just "unnatural" in terms of networking.

Glenn