Bro Cluster on RHEL Server 5-6

Is/has anyone run a bro cluster on RHEL Server 5 or 6? Successfully?

Are there any issues, concerns or significant performance differences to be aware of?

Thanks!

Will

That is what we use at the NCSA.

> Is/has anyone run a bro cluster on RHEL Server 5 or 6? Successfully?
> Are there any issues, concerns or significant performance differences to be
> aware of?
> Thanks!

We have a 15 node cluster running on RHEL 6, as well as another standalone
RHEL 6 box. Have not seemed to experience any problems with the OS or
install, and we are also running PF_RING on those hosts to optimize
for the multi-cores. I just wish I could say that our network
aggregator/balancer hardware that we purchased worked as well. :confused:

Thanks for the info! Is your aggregator/balancer appliance designed to do load balancing based on session hashing and MAC re-writing? Or are you load balancing based on protocol, etc. and using PF_RING to load balance among nodes?

Will

It's a mix between the two. There is a frontend device that is splitting the traffic out to some 10G interfaces (not actually MAC address rewriting in this case, sending sessions directly to physical ports). Each worker is splitting the traffic further with PF_RING clustering. If the frontend box was doing MAC address rewriting, there wouldn't even be a need for PF_RING on each box since a number of MAC addresses could be passed directly to each worker and filtered with BPF filters.

Sorry if it sounds complicated and vague, it's just that there are a lot of options in how you build your own system. :slight_smile:

  .Seth
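An added example, not part of the thread and not code from Bro, PF_RING or any balancer vendor: a small simulation of the two-tier split described above, in which a frontend device picks a physical port and a PF_RING cluster then picks a worker process. It shows that a direction-independent flow key keeps both halves of a session on the same worker. The salted SHA-256 hash, the port and process counts, and the sample flows are assumptions chosen for illustration; real devices use their own hash functions.

```python
import hashlib
import ipaddress
from collections import Counter

FRONTEND_PORTS = 4   # assumed number of 10G ports fed by the frontend device
PROCS_PER_HOST = 8   # assumed number of Bro processes in each PF_RING cluster

def flow_key(src, sport, dst, dport, proto):
    """Direction-independent key: order the two endpoints before hashing."""
    a = (int(ipaddress.ip_address(src)), sport)
    b = (int(ipaddress.ip_address(dst)), dport)
    lo, hi = sorted((a, b))
    return f"{lo}|{hi}|{proto}".encode()

def bucket(key, salt, n):
    """Map a key to one of n buckets; a distinct salt per tier keeps the tiers independent."""
    digest = hashlib.sha256(salt + key).digest()
    return int.from_bytes(digest[:8], "big") % n

def assign(src, sport, dst, dport, proto="tcp"):
    """Return (frontend port, worker process) for one packet, symmetric in direction."""
    key = flow_key(src, sport, dst, dport, proto)
    return (bucket(key, b"tier1", FRONTEND_PORTS), bucket(key, b"tier2", PROCS_PER_HOST))

def naive_assign(src, sport, dst, dport, proto="tcp"):
    """Direction-sensitive variant, shown only for contrast."""
    key = f"{src}|{sport}|{dst}|{dport}|{proto}".encode()
    return (bucket(key, b"tier1", FRONTEND_PORTS), bucket(key, b"tier2", PROCS_PER_HOST))

def constructed_flows(count=2000):
    """Constructed sample flows from documentation address ranges, not captured traffic."""
    return [(f"192.0.2.{i % 250 + 1}", 1024 + i, f"198.51.100.{i % 200 + 1}", 443)
            for i in range(count)]

def split_flows(assign_fn, flows):
    """Count flows whose two directions land on different worker processes."""
    return sum(1 for s, sp, d, dp in flows
               if assign_fn(s, sp, d, dp) != assign_fn(d, dp, s, sp))

def load_per_worker(flows):
    """Flows seen by each (frontend port, worker process) pair."""
    return Counter(assign(*f) for f in flows)

if __name__ == "__main__":
    flows = constructed_flows()
    print("sessions split, symmetric key:", split_flows(assign, flows))
    print("sessions split, naive key:", split_flows(naive_assign, flows))
    print("workers receiving traffic:", len(load_per_worker(flows)))
```

A worker that sees only one direction of a session cannot reassemble it, so the count of split sessions is the figure to check when validating a balancer in front of a sensor.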

> Thanks for the info! Is your aggregator/balancer appliance designed to do load balancing based on session hashing and MAC re-writing? Or are you load balancing based on protocol, etc. and using PF_RING to load balance among nodes?
>
> It’s a mix between the two. There is a frontend device that is splitting the traffic out to some 10G interfaces (not actually MAC address rewriting in this case, sending sessions directly to physical ports). Each worker is splitting the traffic further with PF_RING clustering. If the frontend box was doing MAC address rewriting, there wouldn’t even be a need for PF_RING on each box since a number of MAC addresses could be passed directly to each worker and filtered with BPF filters.
>
> Sorry if it sounds complicated and vague, it’s just that there are a lot of options in how you build your own system. :slight_smile:

It is complicated, and once you understand it, it’s not so vague really. I have a better understanding than ever that there are an unlimited number of options for designing and configuring your own cluster environment. What has helped me the most is hearing about what is working well for folks out there and getting ideas for which direction I should be going. I really appreciated Martin’s quick start guide as well as his other posts on clusters and PF_RING. I think it is good to get some documentation out there about a few of the more mainstream cluster configurations (hardware and software) that people can use. For me, it was hard (understandably so) to garner support by just saying, “Bro is awesome and does amazing things!” But when it actually started to work and I was asked how we go about the hardware design, I really didn’t have any good answers, other than to remain “vague” and say, “it’s complicated!” lol

When things finally do get off the ground, I will be happy to share how we ended up doing it and how it’s working.

Thanks again!

Will