I understand why finding the answer can be tedious, but as a long-time
LKML reader and poster I disagree about the subscriber-only list status
;-)
Matti and DaveM are robots and never sleep, so they can handle malicious
emails ... here, we don't even know if the ml maintainer is still
alive :).
it's not the end of the world by any means, I just added it as a PS to
voice my opinion on the matter
It's duly noted :)
So basically (interpreting your sketch) you want to design/implement a
highly available but also high-performance packet filter for your
DMZ-like zone?
right
Buy a commercial load balancer and be done with it. Spend the spare time
with your wife and kids or go to the pub with your buddies. Honestly,
LVS won't render you happy in such an environment for your purpose, in
my belief and experience.
So you want an active/active cluster?
Ideally I want the option of active/active and active/standby
Active/active is impossible with LVS, with some limitation possible
using commercial LBs. Active/standby demands the use of proper state
synchronisation.
Do the firewalls have different IPs?
yes
Do you intend to run routing protocols on top of this topology?
no
Internet
| |
switch--------------switch
Are these both active paths or is it an active/hot-standby setup
implemented using HSRP/VRRP?
the routers (which I didn't diagram) present a single gateway IP address
to the stuff inside them. They then run BGP across a number of
high-bandwidth links. I think they use VRRP to implement their own HA,
but that shouldn't matter to the firewalls or load balancer.
Depends on how you want to fail over the LBs, really, and whether you
want two hot paths in your setup or only one.
In my opinion, this is not doable with any load balancer, since you
need an interconnect link to exchange session information. Neither
with F5, nor any application switch from Nortel Networks would this be
possible and also not with IPVS. However, what is possible to set up,
is an active/hot-standby cluster using VRRP (keepalive). In such a
setup the SH and DH schedulers (and maybe the port 0 service for
persistent binding of RELATED connections), together with session
state synchronisation might provide you the desired result. I would
need to think about it a bit more in detail, however I'm not quite
sure what your network setup looks like.
I have been running this setup using load balancers from Radware for
several years. What happens is that the load balancers on the inside
keep track of which firewall the connection comes through and send the
replies back to that firewall (I don't know the details, but I assume
that they would look at the MAC address that the packets come from and
track that so that the replies go back to the same one).
Would make sense, I'll have a look at this.
The servers themselves are NOT load balanced (at least for the
purposes of these discussions, any load balancing that they have is
done by separate equipment). The outside load balancers need to make a
decision on which firewall to send the traffic through.
SH scheduling might do the trick for ingress, if I'm not mistaken. On
the other hand you would need to use DH scheduling for egress.
I'll have to lookup what this means.
Well the source and destination hash scheduling approach probably does
not work either, since my proposal is based on the assumption that the
hash value function is bijective regarding the SH and DH schedulers.
Only a bijective function can assure the same routing based on a flow.
Do you plan to use 4 physical machines for the load balancers or do
you want to use 2 physical machines with 3 NICs?
4 physical machines (using only two machines puts the load balancers in
parallel with the firewalls, meaning a compromise of the load balancer
bypasses the firewalls).
Sure, I just asked :).
Cheers,
Roberto Nibali, ratz
--
echo
'[q]sa[ln0=aln256%Pln256/snlbx]sb3135071790101768542287578439snlbxq' | dc
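An added example, not code from this thread nor from the IPVS or keepalived projects, that models the idea discussed above: an outside director using SH (hash on the client source address) to pick a firewall for ingress, and an inside director using DH (hash on the client address, which is now the destination) for egress. It assumes a simplified hash in the style of the old ip_vs_sh/ip_vs_dh modules (address times 2654435761, masked to a 256-slot table that is filled round-robin, no weights) and two firewalls named fw1 and fw2; the client and server addresses are constructed test data. It shows that both directions land on the same firewall only when both directors list the real servers in the same order, which is the operational check a practitioner would want before relying on SH/DH symmetry:

```python
"""Simulate SH (ingress) / DH (egress) firewall selection on two LVS directors.

Assumptions (not verified against any particular kernel version):
- hashkey() approximates the old ip_vs_sh/ip_vs_dh hash:
  (host-order IPv4 address * 2654435761) masked to a 256-slot table.
- The table is filled round-robin from the real-server list, without weights.
- Firewall names (fw1, fw2) and all IP addresses are constructed examples.
"""
import ipaddress

TAB_SIZE = 256


def hashkey(addr: str) -> int:
    """Multiplicative hash over the host-order IPv4 address, masked to the table."""
    a = int(ipaddress.IPv4Address(addr))
    return (a * 2654435761) & (TAB_SIZE - 1)


def build_table(firewalls):
    """Round-robin assignment of real servers (firewalls) to the hash table slots."""
    return [firewalls[i % len(firewalls)] for i in range(TAB_SIZE)]


def select_sh(table, src: str, dst: str) -> str:
    """Source-hash scheduler: the decision depends only on the source address."""
    return table[hashkey(src)]


def select_dh(table, src: str, dst: str) -> str:
    """Destination-hash scheduler: the decision depends only on the destination address."""
    return table[hashkey(dst)]


def flow_path(outside_fws, inside_fws, client: str, server: str):
    """Return (symmetric, ingress_fw, egress_fw) for one client/server flow.

    Outside director: client -> server packet, SH on the client (source) address.
    Inside director:  server -> client reply, DH on the client (destination) address.
    """
    ingress = select_sh(build_table(outside_fws), client, server)
    egress = select_dh(build_table(inside_fws), server, client)
    return ingress == egress, ingress, egress


def count_asymmetric(outside_fws, inside_fws, clients, server: str) -> int:
    """Number of clients whose reply would leave through a different firewall."""
    return sum(1 for c in clients if not flow_path(outside_fws, inside_fws, c, server)[0])


# Constructed sample: 50 clients in 203.0.113.0/24 talking to one DMZ server.
CLIENTS = [f"203.0.113.{i}" for i in range(1, 51)]
SERVER = "192.0.2.80"

if __name__ == "__main__":
    same_order = count_asymmetric(["fw1", "fw2"], ["fw1", "fw2"], CLIENTS, SERVER)
    swapped = count_asymmetric(["fw1", "fw2"], ["fw2", "fw1"], CLIENTS, SERVER)
    print(f"asymmetric flows, identical real-server order: {same_order}")
    print(f"asymmetric flows, swapped real-server order:   {swapped}")
```

Because the hash depends only on the client address and both tables are built the same way, ingress and egress agree for every client when the inside and outside directors list the firewalls identically; swap the order on one director and every flow's reply leaves through the wrong firewall, which a stateful firewall will drop. Note that this simplified hash only looks at the low bits of the address, so clients that share a last octet always hash to the same firewall.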