On Tue, 17 May 2011, CeR wrote:
>> the usual way that LVS is used with pacemaker is that you have a HA pair of
>> LVS load balancer boxes that load balance across a farm of additional
>> servers, but the LVS boxes themselves are active/passive
> Thanks, I will take a look?
> No. CLUSTERIP only works on the INPUT chain, not on the forward chain.
that's unfortunate. there isn't a way to do CLUSTERIP on the prerouting chain?
but it depends on if the firewall is a packet filter firewall or a proxy
firewall. If it's a proxy firewall CLUSTERIP works just fine.
>> Believe me that you do not want to setup an active/active firewall, but an
>> active/passive cluster.
> What do you mean? Could you be more specific?
> OK to not use CLUSTERIP. But what about an active/active cluster for
> firewalling? Is there any problem?
going active/active adds complications (the load sharing mechanism can break,
when something goes wrong and you need to check on it, you need to check two
places, if one of the set is misconfigured you end up with intermittent
problems, or problems that only happen from some locations and not others, you
run the risk of not having enough power to handle the load if one box fails,
as noted by someone else, if you are just doing packet filtering you should not
need active/active. a single, relatively low-spec box (by today's terms) can
handle multiple Gb/sec worth of traffic without any problems.
if you are doing proxies, you may run into load problems (but even there,
today's hardware can do a LOT on a single box), but there CLUSTERIP will work.