Dr. I Doctor
Dr. I Doctor's Informational Juggernaut
February 1, 2008
Switch Port Broadcast Flooding in ISA Server Load Balancing
Dear Doctor,
Our network border is controlled by a pair of Windows servers running Microsoft's Internet Security and Acceleration (ISA) Server 2004 in a load-balancing configuration. We process a high volume of SSL transactions, and the ISA server does a good job of distributing the encryption workload, while also providing for emergency failover should one ISA server die. We've noticed a problem, however, on both the LAN and WAN switch ports to which the ISA server connects. These ports have high traffic volumes, even when the level of SSL connections is low. After connecting a sniffer, we see packets unrelated to the ISA servers — packets that should be going to other devices on our LAN! How can this be? I thought switches ensured that such traffic mixing never occurred.
Gentle User,
Switches normally do isolate traffic so that each port carries only packets destined for the devices connected to that port. However, there are two instances when this rule is broken: when the link state of a port changes (e.g., from down to up), and when the switch sees a MAC address arrive on a port that isn't the MAC address table entry for that port. In some switches when these events occur, the switch invalidates its MAC address table and reverts to broadcast mode — sending every packet to every port — until it relearns the port locations for each destination MAC address.
Normally, both of these events are rare, so broadcast traffic is infrequent. A failing Ethernet port, continually fluctuating between up and down, can cause a broadcast storm by constantly invalidating the MAC address table. So can a pair of devices, such as the ISA server, that uses MAC address spoofing to balance incoming traffic. Some Ethernet switches (particularly Cisco) do not behave well when confronted with the same MAC address on two different ports, resulting in the broadcast storm that you observed.
The best fix is to swap in Ethernet switches that are known to be compatible with ISA Server load balancing. If that's not practical, you may want to contact your current switch vendor to see whether it has a programmatic workaround.
Posted by mbeckman at February 1, 2008 4:46 PM
| Sun | Mon | Tue | Wed | Thu | Fri | Sat |
|---|---|---|---|---|---|---|
| 1 | ||||||
| 2 | 3 | 4 | 5 | 6 | 7 | 8 |
| 9 | 10 | 11 | 12 | 13 | 14 | 15 |
| 16 | 17 | 18 | 19 | 20 | 21 | 22 |
| 23 | 24 | 25 | 26 | 27 | 28 | 29 |
| 30 | 31 |
Blog Policy
We welcome your comments and opinions and encourage lively debate on the issues. However, Penton Media reserves the right to delete or move any content that it may determine, in its sole discretion, violates or may violate its Terms of Use or is otherwise unacceptable. For more information, see Penton Media's Terms of Use.