  1. #1
    Join Date
    Oct 2010
    Posts
    74

    Is this possible?

    Is it possible to have on a windows 2008 enterprise server the following configuration:

    2 Network interface cards, EACH attached to a separate gbit port creating independent network connections to the internet so if one fails the other stays up.

    Each NIC would have its own ip on the same server.

    Can this be done? My host said this in a ticket:

    "it would still most likely not work as they are both routing to the internet and the default routes would be for the primary network card in the system."

  2. #2
    Join Date
    Jan 2007
    Location
    /dev/null
    Posts
    3,696
    Well, for that you'd actually need different transits on each port... Something that makes them separate that actually results in only 1 of the 2 going down.

  3. #3
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by Robert vd Boorn:
    Well, for that you'd actually need different transits on each port... Something that makes them separate that actually results in only 1 of the 2 going down.
    What do you mean by different transits? By "going down" I mean let's say port 1 was suddenly unplugged (for example), I want port 2 to remain operational.

  4. #4
    The routing table on the server specifies a particular default gateway. All packets headed to the internet will attempt to travel out that gateway, which will go down if the primary network card goes down. There is no easy way to provide redundancy at this level.
    Phoenix Dedicated Servers -- IOFLOOD.com
    Email: sales [at] ioflood.com
    Skype: iofloodsales
    Backup Storage VPS -- 1TBVPS.com
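To make the default-gateway point above concrete, here is a small model of a host route table in the Windows style (destination, netmask, gateway, interface, metric). It is an added illustration, not code from the thread or from any of the posters, and the addresses are constructed RFC 5737 documentation ranges rather than anyone's real IPs. It shows the layout the original poster's host objected to (both NICs in one /24, a single default route on the primary NIC) next to the one-subnet-per-NIC layout mugo recommends later in the thread, and what happens in each when NIC1 is unplugged. The bound_iface parameter models the Windows strong-host send rule (a socket bound to one NIC's address only uses that NIC's routes); that behaviour is my assumption about Windows 2008, not something the thread states.

```python
"""Model of a host route table in the Windows style (destination, netmask,
gateway, interface, metric), showing why one default gateway pins outbound
traffic to one NIC. Added illustration, not code from the thread; the
addresses are constructed RFC 5737 documentation ranges, not anyone's real IPs."""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network   # destination prefix; 0.0.0.0/0 is the default route
    gateway: Optional[str]           # None means on-link (directly attached)
    iface: str                       # NIC the route is bound to
    metric: int                      # lower wins when prefix lengths tie


def select_route(table: List[Route], dst: str,
                 bound_iface: Optional[str] = None) -> Optional[Route]:
    """Longest-prefix match, then lowest metric: the decision a host makes for
    every outbound packet, replies included. bound_iface models the Windows
    strong-host send rule (an assumption about Vista/2008 and later, not a
    claim from the thread): a socket bound to a NIC's address only considers
    routes on that NIC."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if addr in r.network
                  and (bound_iface is None or r.iface == bound_iface)]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def egress_interface(table: List[Route], dst: str,
                     bound_iface: Optional[str] = None) -> Optional[str]:
    """Which NIC a packet to dst leaves on, or None if it cannot be routed."""
    route = select_route(table, dst, bound_iface)
    return route.iface if route else None


def remove_interface(table: List[Route], iface: str) -> List[Route]:
    """Simulate unplugging a NIC: the stack drops every route bound to it."""
    return [r for r in table if r.iface != iface]


NET = ipaddress.ip_network

# The layout the host objected to: both NICs in the same /24, a single default
# route learned on the primary NIC. NIC1 = .10, NIC2 = .11 (constructed).
SAME_SUBNET = [
    Route(NET("198.51.100.0/24"), None, "NIC1", 10),
    Route(NET("198.51.100.0/24"), None, "NIC2", 20),
    Route(NET("0.0.0.0/0"), "198.51.100.1", "NIC1", 10),
]

# The layout recommended later in the thread: one /30 per NIC, each with its
# own default gateway and a distinct metric (constructed addresses).
SEPARATE_SUBNETS = [
    Route(NET("198.51.100.0/30"), None, "NIC1", 10),
    Route(NET("198.51.100.4/30"), None, "NIC2", 20),
    Route(NET("0.0.0.0/0"), "198.51.100.1", "NIC1", 10),
    Route(NET("0.0.0.0/0"), "198.51.100.5", "NIC2", 20),
]

PLAYER = "203.0.113.55"   # a remote game client, constructed address

if __name__ == "__main__":
    print("same subnet, reply to player:", egress_interface(SAME_SUBNET, PLAYER))
    print("same subnet, reply sent from NIC2's IP:", egress_interface(SAME_SUBNET, PLAYER, "NIC2"))
    print("same subnet, NIC1 unplugged:", egress_interface(remove_interface(SAME_SUBNET, "NIC1"), PLAYER))
    print("separate subnets, reply sent from NIC2's IP:", egress_interface(SEPARATE_SUBNETS, PLAYER, "NIC2"))
    print("separate subnets, NIC1 unplugged:", egress_interface(remove_interface(SEPARATE_SUBNETS, "NIC1"), PLAYER))
```

In the same-subnet table every reply to the player leaves via NIC1 no matter which NIC's address the game instance is bound to, a send from NIC2's address has no usable route at all, and losing NIC1 takes the only default route with it. In the per-NIC-subnet table the second default route carries the traffic as soon as NIC1's routes are gone, which is the "metric becomes moot" behaviour described further down the thread.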

  5. #5
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by funkywizard:
    The routing table on the server specifies a particular default gateway. All packets headed to the internet will attempt to travel out that gateway, which will go down if the primary network card goes down. There is no easy way to provide redundancy at this level.
    Is there another way to get this network redundancy + independence? Assume that the host's gateway servers won't go down, only my network card/port. I would have thought that traffic directed to 1.1.1.1 would come into port 1 and go out of port 1 (network card 1), where all traffic to 2.2.2.2 would come into port 2, and go out of port 2 (network card 2)

  6. #6
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    Quote Originally Posted by RPGamer1:
    Is there another way to get this network redundancy + independence? Assume that the host's gateway servers won't go down, only my network card/port. I would have thought that traffic directed to 1.1.1.1 would come into port 1 and go out of port 1 (network card 1), where all traffic to 2.2.2.2 would come into port 2, and go out of port 2 (network card 2)
    To answer the first question, yep, it will work, as long as you have the independent network info on each nic needed for that network, and assuming this isn't on the SAME network, that you actually have two independent routes out to the 'net (different providers, gateways, etc.).

    The redundancy really depends on what you are doing, what apps, etc.
    If you can monitor the IP on, say, 1.1.1.1 from outside, if it goes down, re-route to 2.2.2.2. Which method is best to achieve this, though, depends on what you are trying to do. If you are, say, running a game server, DNS failover or low TTLs with a manual switch would work. There are so many ways to do it; I'd really need to know what you were running and how the server is used.
    This is the best signature in the world....Tribute!
    (It is not the best signature in the world, no. This is just a tribute)

  7. #7
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by mugo:
    To answer the first question, yep, it will work, as long as you have the independent network info on each nic needed for that network, and assuming this isn't on the SAME network, that you actually have two independent routes out to the 'net (different providers, gateways, etc.).

    The redundancy really depends on what you are doing, what apps, etc.
    If you can monitor the IP on, say, 1.1.1.1 from outside, if it goes down, re-route to 2.2.2.2. Which method is best to achieve this, though, depends on what you are trying to do. If you are, say, running a game server, DNS failover or low TTLs with a manual switch would work. There are so many ways to do it; I'd really need to know what you were running and how the server is used.
    Hey thanks for helping out. I'm running a game server, I want different instances of the game server to run on different ips and NICs + ports for redundancy. So players that want to play on game instance 1 will connect to 1.1.1.1, and game instance 2, 2.2.2.2 etc.

    I want the NICs to be completely independent from each other. By independent for redundancy I don't mean different transit providers or power outages etc, I mean in case one gets DDoS'd, I want the other to be operational.

    Before anybody thinks we will crash long before the 1gbps limit, we have in the past run perfectly at 995+ mbps.

  8. #8
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    So long as the game supports running two instances and binding to individual IPs, you should have no problem. If one NIC gets a DDoS, just shutting down that interface would help, but that also depends a lot on what you are connected to, and if your DC has true DDoS mitigation.
    That crap usually stuffs the pipes, not just the one NIC. That being said, most of the "I'm a mad player and gonna DOS your server" dweebs usually do exactly what you are expecting here...DOS the server IP with some crappy ping flood, etc.
    As long as they don't also know your other NIC's IP, that should work for you.

    Just realize that if you get hit with a big botnet, a true "worthy" DDoS, then separate NICs aren't going to do much for you, unless they have completely separate networks (switches, gateways/providers, etc.) and you can turn off the affected NIC (otherwise the server has a hefty chance of sitting there answering partial ACKs till the cows come home). True DDoS, Smurfs (even the "bounce" site of such), and similar junk can bring an entire network to its knees pretty quick.

  9. #9
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by mugo:
    So long as the game supports running two instances and binding to individual IPs, you should have no problem. If one NIC gets a DDoS, just shutting down that interface would help, but that also depends a lot on what you are connected to, and if your DC has true DDoS mitigation.
    That crap usually stuffs the pipes, not just the one NIC. That being said, most of the "I'm a mad player and gonna DOS your server" dweebs usually do exactly what you are expecting here...DOS the server IP with some crappy ping flood, etc.
    As long as they don't also know your other NIC's IP, that should work for you.

    Just realize that if you get hit with a big botnet, a true "worthy" DDoS, then separate NICs aren't going to do much for you, unless they have completely separate networks (switches, gateways/providers, etc.) and you can turn off the affected NIC (otherwise the server has a hefty chance of sitting there answering partial ACKs till the cows come home). True DDoS, Smurfs (even the "bounce" site of such), and similar junk can bring an entire network to its knees pretty quick.
    Yup, game instance supports it (and is currently bound to multiple ips though on the same NIC).

    I have zero problem with asking the host to nullroute any ip that attracts more bandwidth they are comfortable with for the cleanliness of their network, but the key is to have the other instances to be 100% unaffected in the meantime (let's assume we're not talking about 5gbps+ attacks here, more along the lines of 1-2gbps of raw un-intelligent udp/tcp shell floods).

    Do you have any comments to the quote I posted in the first post about their reasons for not doing it that I can pass onto them?

    Edit: Also assume the dc has state of the art pipes that can handle said 1-2 gbps floods no problem

  10. #10
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    On said quote, it doesn't sound like that applies to your situation. Just the separate network information on each NIC will take care of itself, enabled or not.
    Note on your edit: note, if you think you may have the potential for being DDoSed for real, check with your DC to see if they have mitigation set up. Null routes don't do much if you are being hit with literally thousands of different IPs (no DC tech is going to sit there all night and add IPs to null routes manually), and for true, large distributed attacks, it takes true appliances / bypass switches and techniques...my biggest DC doesn't support this (they cater to big businesses, so not much need), but many of the more mature budget-ish to middle-of-the-road DCs that allow games / IRC do have something in place.
    May be worth checking out, just to see what switch you have to flip should you ever need it. Hope you don't!

  11. #11
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by mugo:
    On said quote, it doesn't sound like that applies to your situation. Just the separate network information on each NIC will take care of itself, enabled or not.
    Note on your edit: note, if you think you may have the potential for being DDoSed for real, check with your DC to see if they have mitigation set up. Null routes don't do much if you are being hit with literally thousands of different IPs (no DC tech is going to sit there all night and add IPs to null routes manually), and for true, large distributed attacks, it takes true appliances / bypass switches and techniques...my biggest DC doesn't support this (they cater to big businesses, so not much need), but many of the more mature budget-ish to middle-of-the-road DCs that allow games / IRC do have something in place.
    May be worth checking out, just to see what switch you have to flip should you ever need it. Hope you don't!
    I forgot to mention they also said this:

    "Windows has routing issues with IPs that route to the same subnet spread across multiple network cards."

    Is that true? If so, could I justify getting another ip from another subnet for the extra NICs? I currently have 4 ips assigned to the server I'm using, I'd be willing to give some up for some from another subnet.

    Also by nullroute I mean nullroute my ip that's attracting the attack, as the other instances would still be 100% operational, and the players can just skedaddle over there. (Let's also assume the offender isn't gonna bother going after ALL instances).

    Also a side note, the host has actually been quite generous in nullrouting 20+ attacking ips in the past.

  12. #12
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    Actually, yes, I've seen all Win boxes have issues when using same-subnet IPs on separate nics, but I usually have good luck just setting the metrics to different values. If you can get a separate subnet IP from your provider, that would be ideal.
    If they are providing two switch ports, or your switch has the ability, you may ask them to subnet your given IPs. If they happen to "lay right" in the subnet space, it may be as simple as them changing a routing statement, and you changing your subnet mask to match. If you can use two /30s instead of one /24, for instance, that would also solve that issue.
    But also, Win 2008 handles these issues a little better... server 2003 was the real "metric setting" headache stepchild.
    Even if you had all the IPs on one NIC, and they nullrouted 1.1.1.1 for you, the 2.2.2.2 would still work fine.
    Separate NICs basically gives you the advantage of turning one down, having separate BW usage, and the ability to move IPs from one to the other (if on the same subnet), and, of course, process offloading, which most NICs support nowadays (separate processors, rather than your main server CPU processing NIC overhead).
    Shoot, you can team them also! So many ways...

  13. #13
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by mugo:
    Actually, yes, I've seen all Win boxes have issues when using same-subnet IPs on separate nics, but I usually have good luck just setting the metrics to different values. If you can get a separate subnet IP from your provider, that would be ideal.
    If they are providing two switch ports, or your switch has the ability, you may ask them to subnet your given IPs. If they happen to "lay right" in the subnet space, it may be as simple as them changing a routing statement, and you changing your subnet mask to match. If you can use two /30s instead of one /24, for instance, that would also solve that issue.
    But also, Win 2008 handles these issues a little better... server 2003 was the real "metric setting" headache stepchild.
    Even if you had all the IPs on one NIC, and they nullrouted 1.1.1.1 for you, the 2.2.2.2 would still work fine.
    Separate NICs basically gives you the advantage of turning one down, having separate BW usage, and the ability to move IPs from one to the other (if on the same subnet), and, of course, process offloading, which most NICs support nowadays (separate processors, rather than your main server CPU processing NIC overhead).
    Shoot, you can team them also! So many ways...

    a /30 is a single ip instead of a /24 which is 2 ips correct? If so that's not a problem at all assuming they are willing to make the modifications that seems to be like a 30 seconds fix?

    As for the rest, I am indeed using windows 2008 enterprise. Also yes I agree about 2.2.2.2 still working fine if they nullrouted 1.1.1.1, but I want 2.2.2.2 to not be affected for even one second prior to them actually nullrouting it (at this point in time, the pipe is full, and all functionality is dead without 2 ports, 2 ips, 2 nics).

    Can you also clarify what you mean by "team them"?

    And side note again, I looked at some of your old posts because you seem to be the encyclopedia in this area, found this: http://www.webhostingtalk.com/showthread.php?t=871556 damn 15+ years experience, thanks a lot for this.

    Edit: Did some reading on ip block sizes, a /30 is still 2 ips, a /24 is 256, wouldn't having a /30 still be a problem as it's still on the same subnet? Or do you mean splitting my 4 ips into 2x /30s and attaching 2 and 2 to the NICs
    Last edited by RPGamer1; 05-04-2011 at 03:30 AM.

  14. #14
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    /30 is 4, but that means 2 usable (/32 is single).

    I see your point on the non-affected 2.2.2.2, and that's a good idea to split them off.

    You can team nics, most of them, anyway...but this would make it essentially 1 NIC again, capable of 2G. But, to get the use of that, you must also create an etherchannel on your connecting switch...so that will only work if you have a common switch capable of aggregating two or more ports. Cisco supports aggregating up to 8 ports into one etherchannel. It's just a way to get more than 1G of throughput. Basically binding your nics, then put them on a group of bound switch ports.

    The /30 is just an example, you would want to select the size you need for the number of IPs. If you have two on each, you would need a /30 (1 network marker, one broadcast, 2 usable). Each NIC would be a /30. It really doesn't matter the size, as long as you have enough usable IPs (2 always go to NW marker and Broadcast, or "first and last" IP).
    The magic is having them on separate subnets, then you don't have to worry about metrics and cross-talk and junk like that.
    Your DC will have to route them to you that way, though. How they would do that depends on the equipment, really...and if they can hand you two ports, or you have a switch capable of IPing each of the ports so they can poke the specific route to the ports IP.
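The /30 arithmetic in the last two posts is easy to get wrong, so here is an added worked example (not code from the thread or from mugo) that uses Python's ipaddress module to size prefixes and to carve a block into one /30 per NIC. The block 198.51.100.0/29 and the NIC names are constructed, as is the convention that the provider's gateway is the first usable address and the server takes the second; the thread does not fix either.

```python
"""Subnet sizing for the one-/30-per-NIC layout discussed above: how many
addresses a prefix holds, how many are usable, and how a block carves into
per-NIC subnets. Added example, not from the thread; 198.51.100.0/29 is a
constructed RFC 5737 block standing in for whatever the host would allocate."""
import ipaddress
from typing import Dict, List


def block_summary(cidr: str) -> dict:
    """Total vs. usable addresses. /31 and /32 are counted as in the thread
    (/32 is a single host) instead of by the classic 'minus two' rule."""
    net = ipaddress.ip_network(cidr, strict=False)
    usable = net.num_addresses if net.prefixlen >= 31 else net.num_addresses - 2
    return {
        "prefix": net.prefixlen,
        "total": net.num_addresses,
        "usable": usable,
        "network": str(net.network_address),     # the "network marker"
        "broadcast": str(net.broadcast_address),
    }


def plan_per_nic_subnets(cidr: str, nics: List[str]) -> Dict[str, dict]:
    """Carve one /30 out of the block for each NIC. Convention (an assumption,
    not something the thread fixes): the provider's gateway is the first usable
    address and the server takes the second."""
    block = ipaddress.ip_network(cidr)
    subnets = list(block.subnets(new_prefix=30))
    if len(subnets) < len(nics):
        raise ValueError(
            f"{cidr} yields only {len(subnets)} /30 block(s) for {len(nics)} NICs")
    plan = {}
    for nic, sub in zip(nics, subnets):
        first, second = list(sub.hosts())[:2]     # a /30 has exactly two hosts
        plan[nic] = {
            "subnet": str(sub),
            "mask": str(sub.netmask),
            "gateway": str(first),
            "address": str(second),
            "broadcast": str(sub.broadcast_address),
        }
    return plan


def subnets_overlap(plan: Dict[str, dict]) -> bool:
    """The property mugo calls 'the magic': per-NIC subnets must not overlap,
    otherwise the host is back to metrics to pick an interface."""
    nets = [ipaddress.ip_network(v["subnet"]) for v in plan.values()]
    return any(a.overlaps(b) for i, a in enumerate(nets) for b in nets[i + 1:])


if __name__ == "__main__":
    for cidr in ("198.51.100.0/30", "198.51.100.0/32", "198.51.100.0/24"):
        print(block_summary(cidr))
    plan = plan_per_nic_subnets("198.51.100.0/29", ["NIC1", "NIC2"])
    for nic, cfg in plan.items():
        print(nic, cfg)
    print("overlap:", subnets_overlap(plan))
```

Running it shows a /30 as 4 addresses with 2 usable, a /32 as 1, and a /24 as 256 with 254 usable. It also shows why "splitting my 4 ips into 2x /30s" does not work as stated: four addresses are exactly one /30, so two /30s need an 8-address block (a /29), and plan_per_nic_subnets raises an error if given anything smaller. On Server 2008 the resulting per-NIC address, mask and gateway are what you would hand to "netsh interface ipv4 add address" for each interface, with a different gateway metric on each.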

  15. #15
    Join Date
    Oct 2010
    Posts
    74
    Quote Originally Posted by mugo:
    /30 is 4, but that means 2 usable (/32 is single).

    I see your point on the non-affected 2.2.2.2, and that's a good idea to split them off.

    You can team nics, most of them, anyway...but this would make it essentially 1 NIC again, capable of 2G. But, to get the use of that, you must also create an etherchannel on your connecting switch...so that will only work if you have a common switch capable of aggregating two or more ports. Cisco supports aggregating up to 8 ports into one etherchannel. It's just a way to get more than 1G of throughput. Basically binding your nics, then put them on a group of bound switch ports.

    The /30 is just an example, you would want to select the size you need for the number of IPs. If you have two on each, you would need a /30 (1 network marker, one broadcast, 2 usable). Each NIC would be a /30. It really doesn't matter the size, as long as you have enough usable IPs (2 always go to NW marker and Broadcast, or "first and last" IP).
    The magic is having them on separate subnets, then you don't have to worry about metrics and cross-talk and junk like that.
    Your DC will have to route them to you that way, though. How they would do that depends on the equipment, really...and if they can hand you two ports, or you have a switch capable of IPing each of the ports so they can poke the specific route to the ports IP.
    I sent my host this link, and they said
    "it isn't viable from a technical standpoint."

    Do you have any other methods of binding 2gbps to 2 NICs/ips that they might not know about?

  16. #16
    Join Date
    Mar 2009
    Location
    Austin Tx
    Posts
    2,001
    I don't think you really want to bind, that's just a "what you can do". In your scenario, "good" would be to just have each NIC on a separate subnet. That way, you don't have to worry about metric setting, etc. to prevent crosstalk. This would help deter most kiddie DOS attacks. "Better", actually have them on separate networks. That would help against larger DDoS, as you would have separate uplink ports (or even switches).
    But, even if you just split them out and put a couple of IPs on one NIC, a couple on the other, set your metrics, that should work fine. If you ever do have to bring one down, the metric becomes moot, as you then only have one NIC that is talking.
