LVS-DR on router/firewall

To: <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: LVS-DR on router/firewall
From: "Ray Bellis" <rpb@xxxxxxxxxxxxxxxx>
Date: Thu, 9 Dec 1999 13:26:54 -0000

We've been investigating ways of adding load-balancing to our web server
cluster in combination with a firewall and we've just discovered LVS.

Our initial investigation indicates that LVS-DR is the way to go, but as I
said above we'd like to combine this with firewall/routing.  If this works
it could be a novel way of providing resiliency to the LVS system itself:

A crucial question for us is whether the VIP really needs to be a "local"
address on the LVS server or simply an address which is *routed* via the
LVS?  A diagram may help:

              Internet
                 |
                 |
        +--------+----------+
        |                   |
    +---+---+           +---+---+
    | LVS 1 |           | LVS 2 |
    | OSPF  |           | OSPF  |
    +---+---+           +---+---+
        |                   |
        +-------------------+
        |                   |
    +---+---+           +---+---+
    | WWW n |    ...    | WWW n |
    | OSPF  |           | OSPF  |
    +-------+           +-------+
   xx.xx.xx.1          xx.xx.xx.n

All boxes speak OSPF, but LVS 2 is configured as a higher cost router and
therefore any routes it advertises will only kick in if LVS 1 fails.  In
this manner we allow routing policies to handle LVS 1 failure instead of ARP
spoofing.

For this to work the VIP is in the *same* subnet as the web servers' RIPs,
packets arrive at the LVS from the Internet by virtue of the xx.xx.xx.0
subnet route advertisement from LVS 1.

Could this work?

We intend combining this with IP firewalling to restrict access to other
services at the same time.  I've seen mention in the archives that using
IPCHAIN is a possible 4th method of using LVS.  Given that we'd probably be
using IPCHAIN for the firewalling anyway could this be more optimal?

thanks,

Ray.

--
Ray Bellis, MA(Oxon) - Technical Director - community internet plc

Windsor House, 12 High Street, Kidlington, Oxford, OX5 2PJ
tel:  +44 1865 856000   email: ray.bellis@xxxxxxxxxxxxxxxx
fax:  +44 1865 856001     web: http://www.community.net.uk/
