kkovachev at varna.net
Tue Feb 2 10:18:18 UTC 2010
On Tue, 02 Feb 2010 07:47:42 +0000, yvette hirth wrote
> Dirk H. Schulz wrote:
> > What I do not understand at the moment: If you can afford to restrict
> > one of every blade's two interfaces to cluster communication, why don't
> > you put them into a VLAN (the real interfaces, not virtual ones) and see
> > to it that the VLAN has no connection to any outside network?
> > Then the engineers would have no means of flooding your cluster
> > communication subnet.
> yes, like an old dell 5124 24-port gigE switch. i have about a bunch of
> them laying around, and you can find them for cheap on ebay (like $100
> or so). connect each port on the switch to one nic per blade.
> make sure your hosts files on all blades list all blades so as to avoid
> dns (i'm sure it does if your cluster is working properly). you can
> block and log dns->out on your iptables and that way any unknown hosts
> will show up pronto.
i would add when you separate the internal/communication network, in host files
to list node1.internal, node2.internal pointing to the node IP in that
separated network and use those names in cluster.conf in order to move the
> just don't connect it to your firewall or any other internal network and
> that'll work fine for a heartbeat-only subnet. i used something like
> this on a colo-hosted site for high-security sql-only (no outside)
> access and it worked fab.
> yvette hirth
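Added example, not part of the original messages and not code from the cluster software: a check that every clusternode name in cluster.conf is listed in the hosts file and points into the separated heartbeat subnet, as the thread suggests. The sample hosts and cluster.conf text, the 10.10.10.0/24 subnet, and the function names parse_hosts and audit are constructed assumptions.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample inputs for illustration (not taken from the thread).
HOSTS = """\
127.0.0.1   localhost
10.10.10.1  node1.internal
10.10.10.2  node2.internal
192.168.5.3 node3.example.com node3   # public-side address
"""
CLUSTER_CONF = """\
<cluster name="demo" config_version="1">
  <clusternodes>
    <clusternode name="node1.internal" nodeid="1"/>
    <clusternode name="node2.internal" nodeid="2"/>
    <clusternode name="node3.example.com" nodeid="3"/>
    <clusternode name="node4.internal" nodeid="4"/>
  </clusternodes>
</cluster>
"""

def parse_hosts(text):
    """Map every name and alias in hosts-file text to its first listed IP."""
    names = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        for name in fields[1:]:
            names.setdefault(name.lower(), fields[0])
    return names

def audit(cluster_conf, hosts_text, heartbeat_net):
    """Return {node: problem} for nodes that would not stay on heartbeat_net."""
    net = ipaddress.ip_network(heartbeat_net)
    hosts = parse_hosts(hosts_text)
    problems = {}
    for node in ET.fromstring(cluster_conf).iter("clusternode"):
        name = node.get("name", "")
        ip = hosts.get(name.lower())
        if ip is None:
            problems[name] = "not in hosts file (would fall back to DNS)"
        elif ipaddress.ip_address(ip) not in net:
            problems[name] = f"resolves to {ip}, outside {heartbeat_net}"
    return problems

if __name__ == "__main__":
    for name, why in audit(CLUSTER_CONF, HOSTS, "10.10.10.0/24").items():
        print(f"{name}: {why}")
```
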