Re: firewall sandwich load balancing (fwd)

To: "LinuxVirtualServer.org users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: firewall sandwich load balancing (fwd)
From: David Lang <dlang@xxxxxxxxxxxxxxxxxx>
Date: Fri, 7 Jul 2006 11:46:31 -0700 (PDT)
On Fri, 7 Jul 2006, Roberto Nibali wrote:

> So basically (interpreting your sketch) you want to design/implement a highly available but also high-performance packet filter for your DMZ-like zone?

Right.

> Buy a commercial load balancer and be done with it. Spend the spare time with your wife and kids or go to the pub with your buddies. Honestly, LVS won't render you happy in such an environment for your purpose, in my belief and experience.

Part of the reason for the question is that if LVS can do it, then the hundreds of commercial load balancer vendors that use LVS are options; if not, then I rule them out entirely (even if their sales droids swear that they can do the job :-)

> So you want an active/active cluster?

Ideally I want the option of active/active and active/standby.

> Active/active is impossible with LVS, with some limitations possible using commercial LBs. Active/standby demands the use of proper state synchronisation.

To clarify, I was referring to active/active as being the situation where some connections are sent through one firewall and some are sent through a second (or third, etc.) firewall, with a particular session being sticky to a single firewall. The load balancers themselves would be active/standby.

I'm willing to lose connections if a box (firewall or load balancer) fails and we switch to a different box that doesn't have the state.

With this in mind I don't think that state synchronisation is necessary (although anywhere it exists it reduces the impact of a box failure).

>         Internet
>   |                    |
> switch--------------switch
>
> Are these both active paths or is it an active/hot-standby setup implemented using HSRP/VRRP?

The routers (which I didn't diagram) present a single gateway IP address to the stuff inside them. They then run BGP across a number of high-bandwidth links. I think they use VRRP to implement their own HA, but that shouldn't matter to the firewalls or load balancer.

> Depends how you want to failover the LBs, really, and if you want two hot paths in your setup or only one.

I had been thinking in terms of heartbeat to failover the LBs themselves; the LBs would have a single IP as their gateway to the outside world, and the routers that are that gateway would deal with the multiple hot paths to the Internet.

David Lang
