PowerIT asked:
How to block traffic with U/L bit set, on certain ports on Catalyst 2950

We have some industrial terminals which can't handle a lot of network traffic.
So we isolated them by ACLs which only allow traffic to and from the proxy server that controls those terminals. No broadcasts, etc.
Works fine, except still a lot of unwanted traffic gets through.
With Ethereal we discovered that those packets do not have the terminals as destination, nor do they have the proxy server as source.
And still they get through. All those packets come from our MS Network Load Balanced servers. Using NLB sets the U/L bit of the MAC address, because NLB assigns its own MAC address to the NLB NICs.
Those packets are broadcast throughout the whole of our network, even bypassing the ACLs. Because of the high-speed backbone, those poor industrial terminals with 10 Mbps NICs and a DOS IP stack are brought to their knees.
How can we block this traffic? So, all packets at layer 2 with the U/L bit set, on the ports of the terminals. (Using Catalyst 2950)

Urgent and difficult, so 500 points.

J.
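The question describes the symptom (frames that are neither to the terminals nor from the proxy, yet reach every terminal port) without the mechanism behind it. The following is an added example, not code from the original thread or from any of the products named in it: a toy learning switch that shows why frames addressed to a Windows NLB unicast cluster are flooded out of every port like a broadcast, and so never give an IP ACL on the terminal ports a destination it can match. It assumes the documented NLB unicast addressing scheme (cluster MAC 02-BF-w-x-y-z derived from the cluster IP w.x.y.z, with the U/L bit set because it is locally administered, and a per-host source MAC 02-hh-w-x-y-z, hh being the host priority, so that no switch learns the cluster MAC). The cluster IP, the other MAC addresses, the port names and the frames are constructed for the demonstration.

```python
"""
Added example (not from the original thread): a minimal transparent bridge
that learns on source MAC and floods unknown unicast, fed with frames built
the way NLB unicast mode builds them.

Assumed NLB unicast addressing (documented scheme, restated here):
  * cluster MAC  02-BF-w-x-y-z  (w.x.y.z = cluster IP; 0x02 -> U/L bit set)
  * per-host source MAC  02-hh-w-x-y-z  (hh = host priority), used on the
    wire precisely so the cluster MAC is never learned by any switch.
Every address, IP and port name below is made up for the demonstration.
"""
import struct

CLUSTER_IP = "10.1.1.100"            # constructed
PROXY_MAC = "00:0c:29:aa:bb:cc"      # constructed, globally administered (U/L bit clear)
CLIENT_MAC = "00:0c:29:11:22:33"     # constructed


def mac_bytes(mac: str) -> bytes:
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def is_locally_administered(mac: str) -> bool:
    """U/L bit: bit 1 of the first octet (mask 0x02)."""
    return bool(mac_bytes(mac)[0] & 0x02)


def is_group(mac: str) -> bool:
    """I/G bit: bit 0 of the first octet (mask 0x01); set for multicast/broadcast."""
    return bool(mac_bytes(mac)[0] & 0x01)


def nlb_unicast_cluster_mac(cluster_ip: str) -> str:
    w, x, y, z = (int(o) for o in cluster_ip.split("."))
    return mac_str(bytes([0x02, 0xBF, w, x, y, z]))


def nlb_unicast_host_mac(cluster_ip: str, host_priority: int) -> str:
    w, x, y, z = (int(o) for o in cluster_ip.split("."))
    return mac_str(bytes([0x02, host_priority, w, x, y, z]))


def build_frame(dst: str, src: str, ethertype: int = 0x0800, payload: bytes = b"") -> bytes:
    """Raw Ethernet II header: dst(6) src(6) type(2), then payload."""
    return mac_bytes(dst) + mac_bytes(src) + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes):
    dst, src = mac_str(frame[0:6]), mac_str(frame[6:12])
    (ethertype,) = struct.unpack("!H", frame[12:14])
    return dst, src, ethertype


class LearningSwitch:
    """Learn on source, forward on destination, flood unknown or group destinations."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}              # MAC -> port

    def forward(self, frame: bytes, in_port: str) -> list:
        dst, src, _ = parse_frame(frame)
        self.table[src] = in_port    # learning uses the SOURCE address only
        if is_group(dst) or dst not in self.table:
            return [p for p in self.ports if p != in_port]   # flood
        out = self.table[dst]
        return [] if out == in_port else [out]


def demo() -> dict:
    sw = LearningSwitch(["uplink", "proxy", "nlb1", "nlb2", "term1", "term2"])
    cluster = nlb_unicast_cluster_mac(CLUSTER_IP)

    # The NLB hosts talk on the wire with their masked per-host MACs, never the cluster MAC.
    sw.forward(build_frame("ff:ff:ff:ff:ff:ff", nlb_unicast_host_mac(CLUSTER_IP, 1)), "nlb1")
    sw.forward(build_frame("ff:ff:ff:ff:ff:ff", nlb_unicast_host_mac(CLUSTER_IP, 2)), "nlb2")
    # The proxy behaves normally, so its MAC is learned on its own port.
    sw.forward(build_frame("ff:ff:ff:ff:ff:ff", PROXY_MAC), "proxy")

    # A client hitting the cluster: destination never learned -> flooded to every port,
    # terminal ports included, although neither address belongs to a terminal.
    to_cluster = sw.forward(build_frame(cluster, CLIENT_MAC, payload=b"GET / HTTP/1.0"), "uplink")
    # Sending again changes nothing: the table never converges for the cluster MAC.
    to_cluster_again = sw.forward(build_frame(cluster, CLIENT_MAC), "uplink")
    # Ordinary unicast to the proxy is switched to exactly one port.
    to_proxy = sw.forward(build_frame(PROXY_MAC, CLIENT_MAC), "uplink")

    return {
        "cluster_mac": cluster,
        "cluster_mac_is_local": is_locally_administered(cluster),
        "learned": sorted(sw.table),
        "to_cluster": to_cluster,
        "to_cluster_again": to_cluster_again,
        "to_proxy": to_proxy,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running it shows the cluster MAC 02:bf:0a:01:01:64 absent from the learned table while the per-host 02:01:... and 02:02:... addresses are present, and every frame to the cluster going out of all five other ports. That is the "illness": an IP ACL on the terminal ports cannot stop unknown-unicast flooding, because the decision is made by the bridge table before any Layer 3 match. NLB multicast mode instead uses 03-BF-w-x-y-z, which has the I/G bit set as well, so flooding becomes ordinary multicast that can be constrained with multicast filtering rather than a per-source MAC block. In today's Wireshark the frames can be picked out with the display filter `eth.src.lg == 1` (locally administered source), the modern equivalent of what the Ethereal capture in the question revealed.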
Jandakel2:

I would think that this sounds like the perfect scenario for a VLAN. This will segregate the traffic. Just stick the "old school" computers in their own VLAN, separate from everyone else. If you need more info, let me know.

JK
PowerIT (asker):

Thanks for the input, and I should have mentioned this: we already tried solving it with VLANs. Called an external expert for this, but we cannot do this at the moment.
It should have been the best solution, but we currently only have one Catalyst. If I understand correctly we need two of them to give the proxy server the ability to communicate with the rest of the network. All our other switches are non-Cisco and they couldn't set it up reliably.

J.
Jandakel2:

What have you got for an IP scheme? Have you considered breaking down your subnet assignments so that the broadcasts only hit that particular subnet?

JK
PowerIT (asker):

The problem is not regular broadcasts. Subnet assignments don't help. This is traffic that is somehow broadcast at layer 2, just because the U/L bit is set.

J.
ASKER CERTIFIED SOLUTION
Jandakel2:

(The accepted solution's text is not included on this page.)
PowerIT (asker):
Thanks JK, that's an eye opener. Been using NLB for years and never considered that problem. You really showed the heart of the problem. I was trying to cure the symptoms instead of the illness.
I'll post again how we (hopefully) finally solved it.

In the meantime, if anyone has a solution for the symptoms please post it here. I know, I know, not a good idea, but as a temporary workaround...

Within a few days I should be able to close this.

J.
PowerIT (asker):

Sorry, I forgot to close this.
We solved it with an ACL which blocks all traffic on the uplink port except to the servers.
Later on we will look at how we can change NLB so that it doesn't generate this traffic.

J.