Welcome to ISAserver.org


Discussion for Using NLB Part 2

Discussion for Using NLB Part 2 - 6.Feb.2003 9:10:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the NLB part 2 article over at http://www.isaserver.org/articles/basicnlbpart2.html

Thanks!
Tom

[ February 06, 2003, 04:57 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion for Using NLB Part 2 - 6.Mar.2003 11:54:00 AM   
sselic

 

Posts: 2
Joined: 5.Mar.2003
Status: offline
We use a multicast mode setup... do you think it is worth changing it to unicast mode to see if we still have ISA sending two different sequence numbers on the same TCP/IP stack?
Many thanks,
Srdjan

(in reply to tshinder)
Post #: 2
RE: Discussion for Using NLB Part 2 - 6.Mar.2003 2:49:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Srdjan,

Perhaps. Try it out and let us know what happens.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion for Using NLB Part 2 - 4.Jul.2003 10:47:00 PM   
ponicke

 

Posts: 46
Joined: 23.Oct.2001
Status: offline
Tom, could you explain this again in a little more detail?

Quick Tip: You can tell a multicast MAC address from a unicast MAC address by looking at the high order octet in the MAC address. If the low order bit in the high order octet in the MAC address is 1, then the address is a multicast MAC address. If the low order bit in the higher order octet in the MAC address is 0, then the address is a unicast MAC address.

TIA

Alejandro

(in reply to tshinder)
Post #: 4
RE: Discussion for Using NLB Part 2 - 5.Jul.2003 6:44:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alejandro,

Check this page out, he does a very good job of it:

http://www.firewall.cx/multicast-intro.php

HTH,
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion for Using NLB Part 2 - 1.Jul.2005 8:57:00 AM   
Guest
Hi Tom,

I was reading your article, and I want to ask you two questions. First, with ISA 2004 I don't have the option of multicast, or is there one?

Second, why a second NIC? Could I not just set up a single NIC with two IP addresses?

Thanks [Cool]

(in reply to tshinder)
  Post #: 6
RE: Discussion for Using NLB Part 2 - 7.Mar.2008 11:30:03 AM   
moi

 

Posts: 1
Joined: 7.Mar.2008
Status: offline
Hi Tom,
The following paragraph is from your article:
"NLB solves this problem by masking the cluster MAC address. The switch learns MAC addresses associated with its ports by looking at the source MAC address in the Ethernet frame header. NLB will create a bogus MAC address and assign that bogus MAC address to each adapter in the NLB array. NLB will assign each NLB adapter a different bogus MAC address based on the host ID of the array member and this address will appear in the Ethernet frame header. "
As mentioned in your article above, we tried to do NLB using unicast, but unfortunately the bogus MAC address is not getting registered. So I entered a static ARP entry for the bogus address and it started working. But after some time it stopped working again, and I noticed that there is a dynamic ARP entry for the "NLB MAC address" registered to only ONE OF THE PORTS for the cluster IP address. This is causing us problems.
Now my questions are:
1) Will the bogus MAC address based on the host ID get registered automatically?
2) Why does the NLB MAC address appear dynamically in ARP for one of the ports, and how can we remove it?
I hope the questions are clear
Thanks and Regards
Najeeb

(in reply to Guest)
Post #: 7
RE: Discussion for Using NLB Part 2 - 26.Aug.2008 10:30:42 PM   
dcjones21

 

Posts: 3
Joined: 26.Aug.2008
Status: offline
Ok, but what should the network do to protect itself?

I'm an IT consultant and have a client that has 3 ISA servers generating multicast traffic all over their flat Ethernet network.

They have 400 users, 30 servers and about 60 switches in one VLAN. All of corporate uses these ISA servers as their Internet proxies, so they are important and heavily used. Other corporate servers are mixed in with the corporate office users. I know it's a bad design and am recommending moving all servers to a separate VLAN, but what to do about the flood? Moving the ISAs to the same VLAN as the other servers will affect them also.

Do I need to turn on IGMP support for the switches to minimize port flooding, or move the servers into their own VLAN so they don't bother the users and other servers?

Thanks for your help!

(in reply to tshinder)
Post #: 8
RE: Discussion for Using NLB Part 2 - 27.Aug.2008 4:16:26 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Have you specifically configured ISA Server for multicast support, as by default it uses unicast?

Based upon your answers, I can hopefully provide some options.

Cheers

JJ


_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to dcjones21)
Post #: 9
RE: Discussion for Using NLB Part 2 - 27.Aug.2008 7:32:56 AM   
dcjones21

 

Posts: 3
Joined: 26.Aug.2008
Status: offline
I'll check. Hopefully they know.

My sniffer trace shows the servers are sending out port 2171 (msfw-storage) traffic using a multicast MAC address with a Unicast IP address to each other.

I also see a lot of port 8080 HTTP ACKs using a locally administered MAC address with a unicast IP.

Thanks for your help.

(in reply to Jason Jones)
Post #: 10
RE: Discussion for Using NLB Part 2 - 27.Aug.2008 9:00:16 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
It sounds more like you are having problems with unicast switch flooding, which is sometimes a problem for default ISA deployments with NLB.

A good overview of the deployment issues of NLB can be found here:

http://technet.microsoft.com/en-us/library/cc783135.aspx

The easiest and often best solution is to create a dedicated VLAN for the NLB-enabled interfaces, as this will isolate the broadcast traffic to this VLAN and prevent the switch flooding for other hosts.

The alternative option is to move ISA over to using multicast NLB, but this takes a little more work and also needs associated network changes if you have a routed network.

More info here if you need it:

http://blog.msfirewall.org.uk/2008/08/enabling-nlb-multicast-mode-on-isa.html

Cheers

JJ



_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to dcjones21)
Post #: 11
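
The bit test from the Quick Tip quoted in post #4 and the address types reported from the trace in post #10, as an added example that is not part of the thread or the article. The NLB address layouts are taken from Microsoft's NLB documentation rather than from this page, and the cluster IP 10.0.0.100 and the sample frames are constructed.

```python
import ipaddress

def parse_mac(text):
    """Accept 02-BF-0A-00-00-64, 02:bf:0a:00:00:64 or 02bf.0a00.0064."""
    digits = "".join(ch for ch in text if ch not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {text!r}")
    return bytes.fromhex(digits)

def classify_mac(text):
    """Return (cast, administration) from the two low bits of the first octet."""
    mac = parse_mac(text)
    # Bit 0 of the first octet is the I/G bit: 1 = group (multicast/broadcast).
    cast = "broadcast" if mac == b"\xff" * 6 else "multicast" if mac[0] & 0x01 else "unicast"
    # Bit 1 of the first octet is the U/L bit: 1 = locally administered.
    admin = "local" if mac[0] & 0x02 else "universal"
    return cast, admin

def nlb_role(mac_text, cluster_ip):
    """Match a MAC against NLB layouts (per Microsoft's docs, not this thread)."""
    mac = parse_mac(mac_text)
    ip = ipaddress.IPv4Address(cluster_ip).packed
    if mac == b"\x02\xbf" + ip:
        return "unicast-mode cluster MAC"
    if mac == b"\x03\xbf" + ip:
        return "multicast-mode cluster MAC"
    if mac == b"\x01\x00\x5e\x7f" + ip[2:]:
        return "IGMP-multicast-mode cluster MAC"
    if mac[0] == 0x02 and 1 <= mac[1] <= 32 and mac[2:] == ip:
        return f"masked source MAC of host {mac[1]}"
    return None

def review_frames(frames, cluster_ip):
    """Describe each (src_mac, dst_mac, dst_ip) tuple taken from a capture."""
    report = []
    for src, dst, dst_ip in frames:
        notes = []
        if classify_mac(dst)[0] == "multicast" and not ipaddress.ip_address(dst_ip).is_multicast:
            notes.append("multicast MAC carrying a unicast IP")
        for label, mac in (("src", src), ("dst", dst)):
            if role := nlb_role(mac, cluster_ip):
                notes.append(f"{label} is {role}")
        report.append(notes)
    return report

# Constructed sample frames; the cluster IP 10.0.0.100 is an assumption.
SAMPLE = [("02-01-0A-00-00-64", "00-1A-2B-3C-4D-5E", "10.0.0.25"),
          ("00-1A-2B-3C-4D-5E", "03-BF-0A-00-00-64", "10.0.0.100"),
          ("00-1A-2B-3C-4D-5E", "02-BF-0A-00-00-64", "10.0.0.100")]
```

Calling `review_frames(SAMPLE, "10.0.0.100")` returns one list of notes per frame, which makes it easy to see which NLB mode a capture actually reflects before changing switch or VLAN configuration.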
RE: Discussion for Using NLB Part 2 - 27.Aug.2008 9:26:55 AM   
dcjones21

 

Posts: 3
Joined: 26.Aug.2008
Status: offline
Thanks for your help.

Looks like the isolating VLAN is going to be our best option.

(in reply to Jason Jones)
Post #: 12
