[Spread-users] Complex Spread Configuration

Matthew T. Kromer matt at zope.com
Mon Apr 29 16:16:47 EDT 2002


I have a complex Spread configuration I am trying to set up.  The 
complexity comes about due to some severe firewalling, IP NAT 
translation, and IP aliasing.

Here is the configuration of machines.

"development" is at IP address 170.109.46.240.  This machine is not 
available outside of the local LAN due to firewall rules.

"staging" is at IP address 170.109.46.240.  This machine is not 
available outside the local LAN with one caveat, that from the 
production pod, packets destined for 170.109.48.254 are rewritten to 
170.109.46.240.  This address is an IP alias on the box; the base 
address of the box is 170.109.46.181.

"production 1" is at IP address 192.168.50.40  -- Clearly, private 
address space.  All packets arriving at this address from 170.109.46.240 
are rewritten to be as from 170.109.48.254.  A NAT rewriting rule will 
allow packets destined to this machine to be delivered to 170.109.48.68. 
 This box has IP aliases from 192.168.50.40 to 192.168.50.69.

"production 2" is at IP address 192.168.50.70  -- Clearly, private 
address space.  All packets arriving at this address from 170.109.46.240 
are rewritten to be as from 170.109.48.254.  A NAT rewriting rule will 
allow packets destined to this machine to be delivered to 170.109.48.69. 
 This box has IP aliases from 192.168.50.70 to 192.168.50.99.

"production 3" is at IP address 192.168.50.100  -- Clearly, private 
address space.  All packets arriving at this address from 170.109.46.240 
are rewritten to be as from 170.109.48.254.  A NAT rewriting rule will 
allow packets destined to this machine to be delivered to 170.109.48.70. 
 This box has IP aliases from 192.168.50.100 to 192.168.50.129.

I *think* it should be possible to configure Spread, albeit with two 
caveats:  1) since the "development" machine is never reachable from 
the production cluster, it may need to be dropped from the Spread 
config.  2)  the production and staging configurations may need to be 
different because of the address translation that takes place.

I would *think* that I could get away with something like this on "staging":

Spread_Segment 225.0.0.1 {  # Fake a multicast
     staging 170.109.46.240 {
            D 170.109.46.18
            C 170.109.46.240
     }
}
Spread_Segment 225.0.0.2 { # Fake a multicast
      prod1 170.109.48.68
      prod2 170.109.48.69
      prod3 170.109.48.70
}

and like the following on "production":

Spread_Segment 225.0.0.1 { # Fake a multicast
     staging 170.109.48.254
}

Spread_Segment 225.0.0.2 { # Fake a multicast
     prod1 192.168.50.40
     prod2 192.168.50.100
     prod3 192.168.50.70
}



Is this valid?  I'm having a tough time getting this working for a 
production site.


-- 
Matt Kromer
Zope Corporation  http://www.zope.com/ 
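
Added example, not part of the original post: a small Python check that parses the two proposed files as quoted above, applies the NAT pairs the post describes, and lists every daemon whose production-side address does not translate to the address the staging-side file gives it. The function names, and the premise that the two files must agree entry for entry after translation, are assumptions of this example, not statements about Spread.

```python
# NAT pairs from the post: address used in the production-side file -> the same host as
# addressed from staging. Assumption of this example: both files must agree after translation.
PROD_TO_STAGING = {"170.109.48.254": "170.109.46.240", "192.168.50.40": "170.109.48.68",
                   "192.168.50.70": "170.109.48.69", "192.168.50.100": "170.109.48.70"}
# The two proposed files, copied from the post.
STAGING_CONF = """Spread_Segment 225.0.0.1 {  # Fake a multicast
     staging 170.109.46.240 {
            D 170.109.46.18
            C 170.109.46.240
     }
}
Spread_Segment 225.0.0.2 { # Fake a multicast
      prod1 170.109.48.68
      prod2 170.109.48.69
      prod3 170.109.48.70
}"""
PRODUCTION_CONF = """Spread_Segment 225.0.0.1 { # Fake a multicast
     staging 170.109.48.254
}
Spread_Segment 225.0.0.2 { # Fake a multicast
     prod1 192.168.50.40
     prod2 192.168.50.100
     prod3 192.168.50.70
}"""

def parse_daemons(text):
    """Return {daemon_name: address} for every daemon line inside a Spread_Segment block."""
    daemons, depth = {}, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if line == "}":
            depth -= 1
        elif line:
            words = line.rstrip("{").split()
            if depth == 1:  # depth 0 is the Spread_Segment line, depth 2 the D/C interface lines
                daemons[words[0]] = words[1]
            if line.endswith("{"):
                depth += 1
    return daemons

def nat_mismatches(staging_conf, production_conf, table=PROD_TO_STAGING):
    """Return (name, production_addr, translated_addr, staging_addr) for entries that disagree."""
    s, p = parse_daemons(staging_conf), parse_daemons(production_conf)
    rows = [(n, p.get(n), table.get(p.get(n)), s.get(n)) for n in sorted(set(s) | set(p))]
    return [r for r in rows if r[2] is None or r[2] != r[3]]

if __name__ == "__main__":
    for row in nat_mismatches(STAGING_CONF, PRODUCTION_CONF):
        print("%s: production file %s -> %s, staging file has %s" % row)
```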







