Anonymous_User

SLP in a school environment

Hi All

Ok this is what I have. Basically I have 2 networks, an Admin network
and a Student network. The Admin network consists of many admin networks
with 1 network specifically for servers. The student network is the same
as the admin except with separate IP subnets. The Admin users can talk
to all Admin servers and student servers, the student users can only talk
to student servers. Admin servers and Student servers can all talk to
each other.

I originally put 2 scopes in for SLP, a student scope and an admin
scope, the reason being that I did not want student users getting an
address of an admin server in their get nearest server request then have
to wait while it timed out. So the student users only have student
as their scope and only student servers reachable by students are in the
scope. In all the server scope lists there is an entry for Admin and
Student scopes, there is a single DA that all the servers point to.

This seems fine, it keeps the students from trying to accidentally
log into Admin servers and it seems to make sense, at least to me.

My concern is that Novell uses pretty strong language in trying to
discourage the use of Multiple Scopes. Is this a viable option or is
there a better way to do this?

I have cluster services running and it seems fine with the current
SLP config, the only problem I have is backup exec taking forever to
discover agents, about 1.2 Min per agent. It was suggested the SLP may
be at the root of the BE problem.

Thanks


Re: SLP in a school environment

On 9/5/2006 blittrell@musd.org wrote:

> My concern is that Novell uses pretty strong language in trying to
> discourage the use of Multiple Scopes.


Hmmm... I haven't seen any statement against multiple scopes from
Novell. Do you have a URL handy?

> Is this a viable option or is
> there a better way to do this?


Well, yes. You are securing your network by obscurity. If you want
to secure your servers from certain users, I recommend implementing
network ACLs on layer3 devices / or even at the server itself with
FILTCFG.

Name resolution can only do so much. They can still browse your
directory tree and find the other servers if they wanted to. SLP won't
prevent that.

>
> I have cluster services running and it seems fine with the current
> SLP config, the only problem I have is backup exec taking forever to
> discover agents, about 1.2 Min per agent. It was suggested the SLP may
> be at the root of the BE problem.


Not familiar with BackupExec, but how is the discovery done? Using
SLP? You can take a packet trace and find out what protocols are
being used during the discovery.


--
Edison Ortiz
Novell Product Support Forum SysOp
(No Email Support, Thanks !)
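Edison's suggestion above is to take a packet trace and see which protocols the discovery actually uses. As an added example (not from the thread and not a Novell or Backup Exec tool), here is a small pure-Python reader for classic pcap files that tallies packets by the well-known ports you would expect in a NetWare-era discovery trace (UDP/TCP 427 for SLP, 524 for NCP, 161 for SNMP, 53 for DNS). The capture bytes are constructed inline so the script runs offline; the addresses and payloads are invented.

```python
import struct

# IANA port assignments for the protocols of interest in a discovery trace.
PORT_NAMES = {427: "SLP", 524: "NCP", 161: "SNMP", 53: "DNS"}


def parse_pcap(data: bytes):
    """Yield (timestamp, frame_bytes) for each record of a classic pcap file."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic == 0xA1B2C3D4:
        endian = "<"
    elif magic == 0xD4C3B2A1:
        endian = ">"
    else:
        raise ValueError("not a classic pcap file")
    # 24-byte global header: magic, major, minor, thiszone, sigfigs, snaplen, linktype
    linktype = struct.unpack_from(endian + "I", data, 20)[0]
    if linktype != 1:
        raise ValueError("only Ethernet (LINKTYPE 1) is handled here")
    off = 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl_len, _orig_len = struct.unpack_from(endian + "IIII", data, off)
        off += 16
        yield ts_sec + ts_usec / 1e6, data[off:off + incl_len]
        off += incl_len


def classify(frame: bytes):
    """Return (src, dst, 'tcp'|'udp', dport, protocol_name) for an IPv4 frame, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00":      # EtherType must be IPv4
        return None
    ihl = (frame[14] & 0x0F) * 4                            # IPv4 header length in bytes
    proto = frame[23]
    src = ".".join(map(str, frame[26:30]))
    dst = ".".join(map(str, frame[30:34]))
    l4 = 14 + ihl
    if proto not in (6, 17) or len(frame) < l4 + 4:
        return None
    sport, dport = struct.unpack_from("!HH", frame, l4)
    name = PORT_NAMES.get(dport) or PORT_NAMES.get(sport) or "unknown"
    return src, dst, "tcp" if proto == 6 else "udp", dport, name


def summarize(data: bytes) -> dict:
    """Count IPv4 TCP/UDP packets per protocol name across a pcap byte string."""
    counts = {}
    for _ts, frame in parse_pcap(data):
        info = classify(frame)
        if info:
            counts[info[4]] = counts.get(info[4], 0) + 1
    return counts


def build_frame(src_ip, dst_ip, proto, sport, dport, payload=b"") -> bytes:
    """Build a minimal Ethernet/IPv4/UDP-or-TCP frame as constructed test input
    (checksums are left zero; this is not a real capture)."""
    if proto == 17:
        l4 = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    else:
        l4 = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(l4), 0, 0, 64, proto, 0,
                     bytes(map(int, src_ip.split("."))), bytes(map(int, dst_ip.split("."))))
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + l4


def build_pcap(frames) -> bytes:
    """Wrap frames in a little-endian classic pcap container (constructed test input)."""
    hdr = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    body = b""
    for i, frame in enumerate(frames):
        body += struct.pack("<IIII", 1157500000 + i, 0, len(frame), len(frame)) + frame
    return hdr + body


# Constructed sample trace: an SLP request, an NCP connect, an SNMP query, one unknown port.
SAMPLE_PCAP = build_pcap([
    build_frame("10.1.1.50", "10.1.1.255", 17, 427, 427, b"\x02\x01"),
    build_frame("10.1.1.50", "10.1.1.10", 6, 40000, 524),
    build_frame("10.1.1.50", "10.1.1.10", 17, 40001, 161),
    build_frame("10.1.1.50", "10.1.1.10", 17, 40002, 9999),
])

if __name__ == "__main__":
    print(summarize(SAMPLE_PCAP))
```

Point the script at a real capture by passing the file's bytes to `summarize`; a discovery that never touches port 427 rules SLP out, while a burst of 427 requests followed by a long gap before the NCP connect points to slow SLP answers.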

Re: SLP in a school environment

To truly see if SLP is the root of your issue with BE discovering the
agents you could turn off SLP for SMDR:
SMDR /NEW


Re: SLP in a school environment

Hi Edison

First off, just about every TID I have read about SLP and Scopes has
said that Novell strongly recommends the use of 1 scope, case in point is
this statement "Using a single SLP Scope is the strong recommendation of
Novell Support, however it is recommended that there be no more than
10,000 services registered in a single scope." Taken directly from TID
10062474 Titled "SLP Design and Implementation Guidelines".

Second point is that I do use ACLs to block the Students from the
Admin side, I guess I did not make it clear, I just said they are not
allowed. The whole reason I went with 2 scopes was because I am blocking
via ACLs and did not want SLP to report a server on the Admin side as a
valid server to login to when a client does their "Get Nearest Server
Request" and then have to wait for that connection to timeout because it
is blocked via ACL.

So you see I never relied on SLP for security in the first place.
From the Docs at Novell there were comments to the effect that the only
conceivable reason to use more than 1 scope is to, as you stated, hide
network resources. Well I don't much care about hiding them, I think I
do a pretty good job of securing them as is, what I don't want however is
random long login times because I "do" block traffic to servers that
would show up as services if I did have a single SLP scope.

What I want to know is whether there is a problem with this, like does
the client already know it cannot get to a server so it won't use an SLP
reported server as a login point. Am I correct in assuming that if I had
a single SLP scope with half the servers blocked via ACLs that stations
on the side of the network that are being blocked by those ACLs will try
and communicate with those servers and eventually time out causing extra
traffic and a slow down in the machine itself?

Thanks


Re: SLP in a school environment

Hmmm, hadn't thought of that, I think I may try that. So do that on
every remote server correct?

Thanks

> To truly see if SLP is the root of your issue with BE discovering the
> agents you could turn off SLP for SMDR:
> SMDR /NEW

Re: SLP in a school environment

On 9/6/2006 blittrell@musd.org wrote:

> Hi Edison
>
> First off, just about every TID I have read about SLP and Scopes has
> said that Novell strongly recommends the use of 1 scope, case in point is
> this statement "Using a single SLP Scope is the strong recommendation of
> Novell Support, however it is recommended that there be no more than
> 10,000 services registered in a single scope." Taken directly from TID
> 10062474 Titled "SLP Design and Implementation Guidelines".


From the TID you are referring to:

"The reason for having a single scope is that eDirectory will use SLP to lookup
the IP addresses of server names in their replica ring. If they cannot resolve
the server name to an IP address, it will cause replica sync issues. All
servers which hold a replica of a specific eDirectory partition must also have
their ndap.novell and bindery.novell SLP Services registered to a common SLP
Scope."

In other words, if you configure SLP properly, you can have as many
scopes as you want. SLP is confusing as it is for administrators
migrating from IPX/SAP environments. Novell support wants to make
things simpler and encourage people to go with a single scope. It
doesn't mean that they are discouraging admins from implementing
multiple scopes if those admins know what they are doing.

>
> Second point is that I do use ACLs to block the Students from the
> Admin side, I guess I did not make it clear, I just said they are not
> allowed. The whole reason I went with 2 scopes was because I am blocking
> via ACLs and did not want SLP to report a server on the Admin side as a
> valid server to login to when a client does their "Get Nearest Server
> Request" and then have to wait for that connection to timeout because it
> is blocked via ACL.


The use of network ACLs was never stated.
Furthermore, with network ACLs the client won't be able to see the server
at all *and* GNS is part of the IPX/SAP world - SLP does not use GNS.


>
> So you see I never relied on SLP for security in the first place.
> From the Docs at Novell there were comments to the effect that the only
> conceivable reason to use more than 1 scope is to, as you stated, hide
> network resources.


No, the reason for scoping is to limit WAN traffic. It was never intended
for security purposes.

In addition to limiting WAN traffic, SLP is not TREE centric. You can
scope your SLP environment when you want servers in multiple TREEs
to exchange name resolution information.

>
> What I want to know is whether there is a problem with this, like does
> the client already know it cannot get to a server so it won't use an SLP
> reported server as a login point. Am I correct in assuming that if I had
> a single SLP scope with half the servers blocked via ACLs that stations
> on the side of the network that are being blocked by those ACLs will try
> and communicate with those servers and eventually time out causing extra
> traffic and a slow down in the machine itself?


The clients won't be able to search for such a server in the first place. With
a proper network ACL, you can block traffic based on source/destination
along with port/service. It's like grabbing a laptop and taking it home, does
the laptop time out at home? No, 'cause there isn't any NetWare server
around.


--
Edison Ortiz
Novell Product Support Forum SysOp
(No Email Support, Thanks !)

Re: SLP in a school environment

Hi Edison

I understand that Novell wants to make it as simple as possible but you
have to admit, saying that they strongly recommend using 1 scope does imply
fairly strongly that they want you to use 1 scope. My only concern was
that there was a reason behind this other than dumbing it down for people
that are unsure of SLP.

As far as the SLP and ACLs, I try to stick to the KISS principle, that
is Keep It Simple Stupid :). I block everything from the Student side going
to the Admin side and only allow ports needed for remote control etc... Now
what it sounds like you're telling me is that if a client wants to login to
the Tree it goes to the DA, but cannot see servers that are being blocked
by the ACL even though the DA can see it because the DA is on a server on
the Student Server network that can see servers on the Admin and student
side. This is what is confusing to me, if the DA can see the Admin servers
and the Student servers why would it not report to the client all the
servers? It does not know that the client can't contact those servers, it
just knows that those servers are advertising services, right? If this is
the case then why wouldn't the DA report to the client that Admin1 server
is ok to login to as your primary server, thus causing the client to timeout?

I see your point about the laptop but I am not talking about a machine
logging into a foreign network, I am talking about a machine logging into a
tree where some servers are blocked from being accessed on certain subnets.
So if I do use 1 scope my thinking is that the client may try to access a
blocked server, because the DA said it was available, then timeout, thus
causing long login issues.

Anyways, I guess it is a moot point, it sounds like multiple scopes are
no problem and that there is really no reason not to do it as long as it is
configured properly.

Thanks for the help
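The exchange above turns on whether a client given a single-scope DA answer would work through ACL-blocked servers and eat a timeout for each one, versus a student-only scope that never lists them. The Python below is an added example, not Novell client code and not part of the thread; it is a simplified model that takes the original poster's premise (the client tries the DA's results in order, and each ACL-blocked server costs one connection timeout, assumed here to be 30 s) and shows the difference between the two layouts. Subnets, addresses, the tree name and the scope names are invented; real SLPv2 scope matching and NetWare login selection are more involved than this.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Service:
    url: str        # SLP service URL, e.g. "service:ndap.novell:///SCHOOLTREE"
    host: str       # IP address of the server that registered it
    scopes: tuple   # scope list the registration was made in


@dataclass
class DirectoryAgent:
    """Minimal DA: store registrations, answer a SrvRqst filtered by scope (case-insensitive)."""
    registrations: list = field(default_factory=list)

    def register(self, svc: Service) -> None:
        self.registrations.append(svc)

    def srv_rqst(self, service_type: str, scope_list) -> list:
        wanted = {s.lower() for s in scope_list}
        return [s for s in self.registrations
                if s.url.startswith(f"service:{service_type}")
                and wanted & {x.lower() for x in s.scopes}]


# Constructed subnets and ACL policy: students reach only the student server
# subnet, admins reach everything.  Addresses are invented for the example.
STUDENT_NET = ipaddress.ip_network("10.20.0.0/16")
ADMIN_NET = ipaddress.ip_network("10.10.0.0/16")


def acl_allows(client_ip: str, server_ip: str) -> bool:
    client, server = ipaddress.ip_address(client_ip), ipaddress.ip_address(server_ip)
    if client in STUDENT_NET:
        return server in STUDENT_NET
    return True


def build_da(single_scope: bool) -> DirectoryAgent:
    """Register two admin servers and one student server, either all in one
    scope or split into ADMIN / STUDENT scopes (names invented)."""
    da = DirectoryAgent()
    admin_scope = ("DEFAULT",) if single_scope else ("ADMIN",)
    student_scope = ("DEFAULT",) if single_scope else ("STUDENT",)
    for host in ("10.10.1.5", "10.10.1.6"):
        da.register(Service("service:ndap.novell:///SCHOOLTREE", host, admin_scope))
    da.register(Service("service:ndap.novell:///SCHOOLTREE", "10.20.1.5", student_scope))
    return da


def login(client_ip: str, da: DirectoryAgent, scope_list, timeout_s: float = 30.0):
    """Model the poster's premise: walk the DA's answer in order, pay one
    timeout per server the ACL blocks, stop at the first reachable one.
    Returns (server_used, seconds_wasted, blocked_servers_tried)."""
    wasted, blocked = 0.0, []
    for svc in da.srv_rqst("ndap.novell", scope_list):
        if acl_allows(client_ip, svc.host):
            return svc.host, wasted, blocked
        blocked.append(svc.host)
        wasted += timeout_s
    return None, wasted, blocked


def compare(client_ip: str = "10.20.5.77") -> dict:
    """Same student client against the single-scope and the two-scope layout."""
    return {
        "single_scope": login(client_ip, build_da(True), ["DEFAULT"]),
        "two_scopes": login(client_ip, build_da(False), ["STUDENT"]),
    }


if __name__ == "__main__":
    for layout, result in compare().items():
        print(layout, "->", result)
```

Under this model the student workstation in the single-scope layout burns two timeouts before it finds the student server, while the STUDENT-scoped request returns only reachable servers; the admin workstation is unaffected either way because its ACL allows everything. The model says nothing about whether a real client behaves this way, which is exactly the point in dispute above.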

Re: SLP in a school environment

blittrell@musd.org wrote:

>If this is
>the case then why wouldn't the DA report to the client that Admin1 server
>is ok to login to as your primary server, thus causing the client to
>timeout?


I think (and I could be totally off base and Edison will laugh at me) that
this might help -
http://support.novell.com/docs/Tids/Solutions/10053626.html

I only thought of it because I did some work at a school district where
they set the costing method to ICMP and then blocked ICMP on the network 🙂



--
Joe Moore
Novell Support Forums SysOp

Re: SLP in a school environment

On 9/7/2006 Joseph Moore [SysOp] wrote:

> I could be totally off base


You are not, that's a good TID. However, it won't prevent
students from attaching to the unwanted server if they
browse to it 🙂


--
Edison Ortiz
Novell Product Support Forum SysOp
(No Email Support, Thanks !)

Re: SLP in a school environment

Edison Ortiz wrote:

> it won't prevent
>students from attaching to the unwanted server if they
>browse to it 🙂


attaching don't mean nothing if they don't have rights to it 🙂

--
Joe Moore
Novell Support Forums SysOp

Re: SLP in a school environment

On 9/11/2006 Joseph Moore [SysOp] wrote:

> attaching don't mean nothing if they don't have rights to it 🙂


Agreed but OP doesn't want students to even see the server.


--
Edison Ortiz
Novell Product Support Forum SysOp
(No Email Support, Thanks !)