Moe (Xsan Master)
Joined: 04 May 2006, Posts: 61
Posted: Wed Aug 08, 2012 3:54 am, Post subject: Filtering traffic on the metadata/house network interfaces

What would be the easiest way to filter traffic going on network interfaces on OS X clients?
I'd like to force OS X to direct any file sharing, Bonjour, NFS on a certain interface, and block it on the metadata network interface.
Changing the priority of the interfaces doesn't seem the best solution at one customer's site.
Regards

matx (Xsan Master)
Joined: 15 Apr 2005, Posts: 378
Posted: Wed Aug 08, 2012 1:24 pm

"set service order" is meant to solve this kind of thing. Put the main LAN at the top. Xsan metadata network after it. All traffic except Xsan stuff will go through the main interface.

rberd (Been around the blocks)
Joined: 05 Oct 2009, Posts: 22
Posted: Wed Aug 08, 2012 1:39 pm

This is interesting as I am noticing something similar. I have the service order set correctly as mentioned, but every so often in Apple Remote Desktop I see the Metadata Network IP address listed for workstations and servers instead of the Public IP address.

JSamuel (Xsan Master)
Joined: 05 Jan 2011, Posts: 169
Posted: Wed Aug 08, 2012 7:10 pm

Apple's workflow would put the MDLAN at the lowest priority, and since we're talking static IPs anyway, a static internal IP with a tight subnet (i.e. 255.255.255.0 - as I'll be surprised if you need more than 254 MDLAN IPv4 addresses!)
You could go a step further and make your settings on the switch (depending on layer and management capability) to drop other traffic, but I doubt this is a good idea, nor have I found the need to even investigate this in the past (in any case, your MD switch is a separate device).

rberd wrote:
    but every so often in Apple Remote Desktop I see the Metadata Network IP address listed for workstations and servers instead of the Public IP address.

Where are you running ARD from? Naturally ARD will scan "Local Network" when in Scanner mode, which will go through each interface in order and pick up whatever it can find... because it's scanning. So if you're on a machine which has MD LAN visibility, it will do this.
If you're on a management machine which doesn't have MD LAN access, just "WLAN", then ARD's DNS resolution shouldn't be showing you MD LAN IPs nor MD LAN rDNS entries, unless your DNS is bad.

brianwells (Xsan Master)
Joined: 22 Oct 2008, Posts: 80
Posted: Wed Aug 08, 2012 7:37 pm

How do your workstations and servers appear in DNS? I had both the public and metadata IP addresses showing up when I did a DNS query. It turned out that the computers were registering both IP addresses with the Active Directory domain controller for inclusion in DNS.
I was able to restrict registration to just the public IP address by following the steps in this Apple support article: http://support.apple.com/kb/HT3169

abstractrude (Xsan Master)
Joined: 13 Mar 2008, Posts: 860
Posted: Wed Aug 08, 2012 8:00 pm

hmm. this is a weird one. I really don't know what you would do other than a firewall. Run this on the localhost or the remote machine. Simply block all access except the xsan related ports. Easier on the remote machines...

morphenine (Xsan Master)
Joined: 22 Dec 2008, Posts: 126
Posted: Fri Aug 10, 2012 5:40 pm

In the past I've used ipfw and route settings on SAN machines to block certain traffic from traversing the metadata. You can also turn off bonjour for the metadata ports.

Moe (Xsan Master)
Joined: 04 May 2006, Posts: 61
Posted: Wed Sep 12, 2012 2:26 pm

morphenine wrote:
    You can also turn off bonjour for the metadata ports.

How do you do this for certain network interfaces?

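Moe's question (keeping Bonjour off one interface) and morphenine's ipfw suggestion above can be turned into a concrete rule set. The following is an added example, not code posted by anyone in this thread: it assumes the metadata interface is en1 and that ipfw rule numbers 1000 to 1006 are unused, and it denies only Bonjour (mDNS), AFP, SMB and NFS on that interface, so Xsan's own metadata traffic is not touched.

```shell
#!/bin/sh
# Added example, not code from anyone in this thread. Implements the ipfw
# approach morphenine describes: deny Bonjour, AFP, SMB and NFS on the Xsan
# metadata interface only, so those services are reachable solely over the
# house LAN while Xsan's own traffic on the metadata interface is untouched.
# Assumed placeholders: the metadata interface is en1 and rules 1000-1006
# are free. Applies to OS X releases that still ship ipfw (10.6 to 10.9).
MD_IF="${MD_IF:-en1}"
BASE_RULE="${BASE_RULE:-1000}"

# Print the rule set, one "<number> <ipfw rule body>" per line, without
# touching the live firewall, so it can be reviewed (or diffed) first.
# "via $MD_IF" matches packets entering or leaving that interface.
md_filter_rules() {
    n="$BASE_RULE"
    while read -r proto ports comment; do
        [ -n "$proto" ] || continue
        echo "$n deny $proto from any to any $ports via $MD_IF"
        n=$((n + 1))
    done <<EOF
udp 5353 mDNS/Bonjour
tcp 548 AFP file sharing
tcp 139,445 SMB file sharing
tcp 111 portmapper (NFS)
udp 111 portmapper (NFS)
tcp 2049 NFS
udp 2049 NFS
EOF
}

# Load the rules (needs root). Deleting each number first makes re-running
# idempotent; $body is intentionally unquoted so ipfw gets separate words.
apply_md_filter() {
    md_filter_rules | while read -r num body; do
        ipfw delete "$num" 2>/dev/null
        ipfw add "$num" $body
    done
}

# Show only the rules bound to the metadata interface, to confirm they took.
show_md_filter() {
    ipfw list | grep "via $MD_IF"
}

case "${1:-}" in
    apply) apply_md_filter ;;
    show)  show_md_filter ;;
    *)     md_filter_rules ;;   # default: just print the proposed rules
esac
```

ipfw rules do not survive a reboot, so on a production client the apply step has to be run again at startup (for example from a launchd job); note also that later OS X releases dropped ipfw in favour of pf, where the same rules would be written as pf block rules on the same interface.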
Moe (Xsan Master)
Joined: 04 May 2006, Posts: 61
Posted: Wed Sep 12, 2012 2:55 pm

JSamuel wrote:
    If you're on a management machine which doesn't have MD LAN access, just "WLAN", then ARD's DNS resolution shouldn't be showing you MD LAN IPs nor MD LAN rDNS entries, unless your DNS is bad.

At a customer site, they're using 172.17.2.x for the house network and 192.168.99.x for the Metadata network.
In ARD, if you put in the range from 172.17.2.1 to 172.17.2.255, it shows a list of systems on the network; in the list, one client shows up with its IP on the 192.168.99.x range.
So there's some kind of routing/bridging happening, no clue where it's coming from.
