Re: Multi-homed MSCS servers




--
Henry


"Phillip Windell" wrote:

"Henry" <Henry@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6656E2CA-C583-4706-9F62-A58DF6212ACE@xxxxxxxxxxxxxxxx
I have two multi-homed servers set up in an active - passive configuration
using MSCS (on W2K3 R2). Each of these servers has 5 NIC cards (one using a
x-over cable for the heartbeat signal, the other four connected to four
different subnets servicing client requests to an Oracle database and to
shared files on the filesystem. The cluster is presently assigned an IP
address on one of the four subnets. There is an external router that routes
between subnets.
The customer has installed a firewall between all the subnets in order to
keep certain data and information secure. This has presented a problem since
it appears that client requests coming from the subnets remote to the one
cluster IP address subnet start communication to the cluster IP and then
after several seconds the server starts responding using the NIC that is on
the client's local subnet (I believe this is called an asymmetric routing
loop). This has effectively caused communication problems since the firewall
is performing TCP SYN and TCP SEQ checking and starts to block this
communication. We have persuaded them to disable the SYN and SEQ checking for

Is it possible (and/or practical) to give the cluster IP addresses on the
other three subnets?

No.

Has anyone had a similar issue?

No, but only because I would have never done it like that.

I probably should have mentioned that 2 of the NICs connect to VLANs that
contain high speed document imaging equipment that, considering their speed
(1150 documents/minute with 6 images/document), could easily approach
saturation of a single NIC, causing queries from other subnets to be
unacceptably slow.

If anyone has some advice it would be most welcomed.

I'm no expert on Clusters, but I do know how to deal with infrastructure.
Get rid of all the NICs except one. I suspect you can keep the "heartbeat
NIC" since it doesn't connect anywhere else. The Cluster will be identified
by a virtual address for the cluster and it should be only one and it should
be on only one subnet.

As far as the Firewall, I really see no justification for that,...I don't
believe you should be seeking "security" at Layers 3&4 in the middle of the
LAN between the Resource and the Clients/Applications that require it. At
that point you should be looking to find your means of security in the
Database Engine Config and the Config and Design of the Application that
accesses the data. The Firewall seems to me more likely a way to just jam
up the works and screw up the functionality,...although I don't know much
about your exact situation either. But it is very common for people to
become their own worst enemy "in the name of security",...particularly when
they believe a Firewall is the universal security tool for every situation.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------

I agree that the firewall location is quite unnecessary but it's tough to
convince the Government of that fact. My thought is that the firewall should
not be present in the current location. I am only looking for options for the
problem at hand. My first opinion is that the firewall between these VLANs
be replaced with a switch and the firewall moved to the perimeter of the
system. Other than that I was just looking for comments on if adding multiple
cluster IP addresses to a multi-homed server was a reasonable undertaking.

Thanks for your comments.

Henry
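
Added example, not part of the original thread: a small model of the asymmetric path described above, showing which client subnets send requests through the inter-subnet firewall while the replies leave directly on a locally attached NIC. All addresses, NIC names and the `check_flow` helper are constructed assumptions; the thread gives no real addressing, and the model assumes the server picks the reply interface by an ordinary longest-prefix route lookup.

```python
import ipaddress

# Constructed addressing (assumption): four client-facing NICs, one per subnet.
SERVER_NICS = {
    "nic1": ipaddress.ip_interface("10.0.1.10/24"),  # subnet holding the cluster IP
    "nic2": ipaddress.ip_interface("10.0.2.10/24"),
    "nic3": ipaddress.ip_interface("10.0.3.10/24"),
    "nic4": ipaddress.ip_interface("10.0.4.10/24"),
}
CLUSTER_IP = ipaddress.ip_address("10.0.1.100")
DEFAULT_NIC = "nic1"  # assumed: default gateway (router/firewall) sits behind nic1


def nic_for(dest):
    """Longest-prefix match over connected routes, else the default route."""
    best = None
    for name, iface in SERVER_NICS.items():
        if dest in iface.network:
            if best is None or (iface.network.prefixlen
                                > SERVER_NICS[best].network.prefixlen):
                best = name
    return best or DEFAULT_NIC


def check_flow(client):
    """Compare the request path to the cluster IP with the reply path."""
    client = ipaddress.ip_address(client)
    ingress = nic_for(CLUSTER_IP)   # requests to the cluster IP arrive here
    egress = nic_for(client)        # replies follow the server's route to the client
    # A direction is routed (and so crosses the firewall) when the client is
    # not on the subnet of the NIC used for that direction.
    request_routed = client not in SERVER_NICS[ingress].network
    reply_routed = client not in SERVER_NICS[egress].network
    return {
        "ingress": ingress,
        "egress": egress,
        # The firewall sees only one half of the TCP conversation, so its
        # SYN/SEQ state checks fail.
        "asymmetric": request_routed != reply_routed,
    }


if __name__ == "__main__":
    for ip in ("10.0.1.50", "10.0.2.50", "10.0.4.7", "10.0.9.5"):
        print(ip, check_flow(ip))
```
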

