[Bro] Bro Cluster on RHEL Server 5-6

Will baxterw3232 at gmail.com
Tue Oct 11 11:38:50 PDT 2011

On Tue, Oct 11, 2011 at 11:40 AM, Seth Hall <seth at icir.org> wrote:

> On Oct 11, 2011, at 12:29 PM, Will wrote:
> > Thanks for the info! Is your aggregator/balancer appliance designed to do
> load balancing based on session hashing and MAC re-writing? Or are you load
> balancing based on protocol, etc. and using PF_RING to load balance among
> nodes?
> It's a mix between the two.  There is a frontend device that is splitting
> the traffic out to some 10G interfaces (not actually MAC address rewriting
> in this case, sending sessions directly to physical ports).  Each worker is
> splitting the traffic further with PF_RING clustering.  If the frontend box
> was doing MAC address rewriting, there wouldn't even be a need for PF_RING
> on each box since a number of MAC addresses could be passed directly to each
> worker and filtered with BPF filters.
> Sorry if it sounds complicated and vague, it's just that there are a lot of
> options in how you build your own system. :)

It is complicated, and once you understand it, it's not so vague really. I
have a better understanding than ever that there are an unlimited number of
options for designing and configuring your own cluster environment. What has
helped me the most is hearing about what is working well for folks out there
and get ideas for which direction I should be going. I really appreciated
Martin's quick start guide as well as his other posts on clusters and
PF_RING. I think it is good to get some documentation out there about a few
of the more mainstream cluster configurations (hardware and software) that
people can use. For me, it was hard (understandably so) to garner support by
just saying, "Bro is awesome and does amazing things!" But when it actually
started to work and I was asked how we go about the hardware design, I
really didn't have any good answers, other than remain "vague" and says,
"it's complicated!" lol

When things finally do get off the ground, I will be happy to share how we
ended up doing it and how it's working.

Thanks again!


>  .Seth
> --
> Seth Hall
> International Computer Science Institute
> (Bro) because everyone has a network
> http://www.bro-ids.org/
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ICSI.Berkeley.EDU/pipermail/bro/attachments/20111011/c0716e85/attachment.html 

More information about the Bro mailing list