[Bro] Bro Cluster on RHEL Server 5-6

Seth Hall seth at icir.org
Tue Oct 11 09:40:43 PDT 2011


On Oct 11, 2011, at 12:29 PM, Will wrote:

> Thanks for the info! Is your aggregator/balancer appliance designed to do load balancing based on session hashing and MAC re-writing? Or are you load balancing based on protocol, etc. and using PF_RING to load balance among nodes?

It's a mix between the two.  There is a frontend device that is splitting the traffic out to some 10G interfaces (not actually MAC address rewriting in this case, sending sessions directly to physical ports).  Each worker is splitting the traffic further with PF_RING clustering.  If the frontend box was doing MAC address rewriting, there wouldn't even be a need for PF_RING on each box since a number of MAC addresses could be passed directly to each worker and filtered with BPF filters.

Sorry if it sounds complicated and vague, it's just that there are a lot of options in how you build your own system. :)

  .Seth

--
Seth Hall
International Computer Science Institute
(Bro) because everyone has a network
http://www.bro-ids.org/
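The MAC-rewriting alternative described in the message above, as an added example that is not part of the original e-mail or of Bro or PF_RING: a frontend assigns each session to one worker MAC by a direction-independent hash, and each worker process captures with a BPF filter on its own MAC. The host names, MAC addresses, flows and the use of SHA-256 as the hash are constructed assumptions; a real balancer uses its own hash function.

```python
import hashlib
import ipaddress
from collections import Counter

# Constructed layout: two worker hosts, two worker processes each, one
# locally administered MAC per process (all values are made up).
WORKER_MACS = {
    "worker-host-1": ["02:00:00:00:01:01", "02:00:00:00:01:02"],
    "worker-host-2": ["02:00:00:00:02:01", "02:00:00:00:02:02"],
}
ALL_MACS = [m for macs in WORKER_MACS.values() for m in macs]

def flow_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent session key: sort the two endpoints so that
    A->B and B->A hash identically and reach the same worker."""
    ends = sorted([(ipaddress.ip_address(src_ip).packed, src_port),
                   (ipaddress.ip_address(dst_ip).packed, dst_port)])
    return b"".join(ip + port.to_bytes(2, "big") for ip, port in ends) + bytes([proto])

def assign_mac(packet, macs=ALL_MACS):
    """MAC the hypothetical frontend writes into the destination field."""
    digest = hashlib.sha256(flow_key(*packet)).digest()
    return macs[int.from_bytes(digest[:4], "big") % len(macs)]

def bpf_for(mac):
    """Capture filter for the one worker process that owns this MAC."""
    return f"ether dst {mac}"

def simulate(n_flows=1000):
    """Count constructed TCP flows per worker MAC."""
    counts = Counter()
    for i in range(n_flows):
        pkt = (f"10.0.{i // 250}.{i % 250 + 1}", 1024 + i, "192.0.2.10", 443, 6)
        counts[assign_mac(pkt)] += 1
    return counts

if __name__ == "__main__":
    for host, macs in WORKER_MACS.items():
        for mac in macs:
            print(host, bpf_for(mac))
    print(simulate())
```

If the two directions of a session hashed to different MACs, each worker would see only half of the connection, which is why the key sorts the endpoints before hashing.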




