Re: NLB through a firewall.
- From: "Mathieu CHATEAU" <gollum123@xxxxxxx>
- Date: Tue, 28 Aug 2007 11:27:31 +0200
Sorry!
The firewall must allow connections from the client IP to the NLB IP address (the virtual one).
Servers that are NLB members send multicast address on the network segment.
The firewall receives it (it's a multicast), as any other network-connected device, and drops it.
You can simply ignore these drops (make a rule to not log them).
From the previous link:
When you use the unicast method, all cluster hosts share an identical unicast MAC address. Network Load Balancing overwrites the original MAC address of the cluster adapter with the unicast MAC address that is assigned to all the cluster hosts.
When you use the multicast method, each cluster host retains the original MAC address of the adapter. In addition to the original MAC address of the adapter, the adapter is assigned a multicast MAC address, which is shared by all cluster hosts. The incoming client requests are sent to all cluster hosts by using the multicast MAC address.
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Johnny Lundgren" <JohnnyLundgren@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message news:B5D0B565-E544-4E8B-8EF2-2394487B7FBD@xxxxxxxxxxxxxxxx
Hello Mathieu,
I think there are a few words missing in your reply.
Could you please answer again ?
Thanks.
/Johnny Lundgren
"Mathieu CHATEAU" wrote:
Hello,
The firewall must allow connections from client to the NLB address.
NLB members multicast address. The firewall receives it (it's a multicast)
and drops it.
You may change to unicast, but it depends on how the switch and firewall handle
the NLB virtual MAC address.
Selecting the Unicast or Multicast Method of Distributing Incoming Requests
http://technet2.microsoft.com/windowsserver/en/library/aa15cdd3-7ac5-4846-904e-4ff282f8e7f11033.mspx?mfr=true
How Network Load Balancing Technology Works
http://technet2.microsoft.com/windowsserver/en/library/1611cae3-5865-4897-a186-7e6ebd8855cb1033.mspx?mfr=true
If you change it you may have this issue:
IP Address Conflict Switching Between Unicast and Multicast NLB Cluster Mode
http://support.microsoft.com/kb/264645/en-us
--
Cordialement,
Mathieu CHATEAU
http://lordoftheping.blogspot.com
"Johnny Lundgren" <JohnnyLundgren@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message news:3A2449C5-5F9E-4188-949C-8A00409661A8@xxxxxxxxxxxxxxxx
> Hello,
>
> One of our customers has a D-Link DFL-800 firewall.
> In general, how should this firewall be configured to allow communication
> between clients and an NLB cluster ?
>
> I know that the info is poor but I am hoping to get an answer that could
> lead me in the right direction, at least.
>
> Customer says that the firewall is dropping multicast packets.
>
> Regards
>
> Johnny Lundgren
>
>
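Added example, not part of the thread: a Python sketch that picks out which dropped frames were addressed to the NLB cluster MAC, so a "do not log" rule can be limited to those and other multicast drops stay visible. It relies on NLB's standard derivation of the cluster MAC from the virtual IP (prefixes 02-BF, 03-BF and 01-00-5E-7F), which the thread does not spell out; the cluster IP, the record layout and the sample drops are constructed.

```python
import ipaddress

def nlb_cluster_macs(cluster_ip):
    """MAC addresses NLB derives from the cluster (virtual) IPv4 address w.x.y.z."""
    ip = ipaddress.IPv4Address(cluster_ip).packed
    return {
        "unicast": b"\x02\xbf" + ip,                     # 02-BF-w-x-y-z
        "multicast": b"\x03\xbf" + ip,                   # 03-BF-w-x-y-z
        "igmp-multicast": b"\x01\x00\x5e\x7f" + ip[2:],  # 01-00-5E-7F-y-z
    }

def parse_mac(text):
    """Accept 03-BF-.., 03:bf:.. or 03bf.c0a8.. notation and return 6 raw bytes."""
    digits = text.replace("-", "").replace(":", "").replace(".", "")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {text!r}")
    return bytes.fromhex(digits)

def nlb_mode_for(dst_mac, cluster_ip):
    """Return the NLB mode whose cluster MAC equals dst_mac, or None."""
    mac = parse_mac(dst_mac)
    for mode, expected in nlb_cluster_macs(cluster_ip).items():
        if mac == expected:
            return mode
    return None

def split_drops(drops, cluster_ip):
    """Separate drops aimed at the cluster MAC from all other drops."""
    nlb, other = [], []
    for record in drops:
        bucket = nlb if nlb_mode_for(record["dst_mac"], cluster_ip) else other
        bucket.append(record)
    return nlb, other

# Constructed sample data (hypothetical record layout, not a DFL-800 log format).
CLUSTER_IP = "192.168.10.50"
SAMPLE_DROPS = [
    {"src_ip": "192.168.10.11", "dst_mac": "03-BF-C0-A8-0A-32"},  # cluster multicast MAC
    {"src_ip": "192.168.10.12", "dst_mac": "03:bf:c0:a8:0a:32"},  # same MAC, other notation
    {"src_ip": "192.168.10.77", "dst_mac": "01:00:5e:00:00:fb"},  # unrelated multicast
    {"src_ip": "192.168.10.90", "dst_mac": "03-BF-C0-A8-0A-33"},  # different cluster IP
]

if __name__ == "__main__":
    nlb, other = split_drops(SAMPLE_DROPS, CLUSTER_IP)
    print("NLB cluster drops:", [r["src_ip"] for r in nlb])
    print("keep logging:", [r["src_ip"] for r in other])
```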