firewall sandwich load balancing (fwd)

David Lang dlang at digitalinsight.com
Fri Jul 7 19:46:31 BST 2006


On Fri, 7 Jul 2006, Roberto Nibali wrote:

>>> So basically (interpreting your sketch) you want to design/implement a 
>>> highly available but also high-performance packet filter for your DMZ-like 
>>> zone?
>> 
>> right
>
> Buy a commercial load balancer and be done with it. Spend the spare time with 
> your wife and kids or go to the pub with your buddies. Honestly, LVS won't 
> render you happy in such an environment for your purpose, in my belief and 
> experience.

Part of the reason for the question is that if LVS can do it, then the hundreds 
of commercial load balancer vendors that use LVS are options; if not, then I rule 
them out entirely (even if their sales droids swear that they can do the job :-)

>>> So you want an active/active cluster?
>> 
>> Ideally I want the option of active/active and active/standby
>
> Active/active is impossible with LVS, with some limitation possible using 
> commercial LBs. Active/standby demands the use of proper state 
> synchronisation.

To clarify, I was referring to active/active as being the situation where some 
connections are sent through one firewall and some are sent through a second (or 
third, etc.) firewall, with a particular session being sticky to a single 
firewall. The load balancers themselves would be active/standby.

I'm willing to lose connections if a box (firewall or load balancer) fails and 
we switch to a different box that doesn't have the state.

With this in mind I don't think that state synchronisation is necessary 
(although, anywhere it exists, it reduces the impact of a box failure).


>>>>         Internet
>>>>   |                    |
>>>> switch--------------switch
>>> 
>>> Are these both active paths or is it an active/hot-standby setup 
>>> implemented using HSRP/VRRP?
>> 
>> The routers (which I didn't diagram) present a single gateway IP address to 
>> the stuff inside them. They then run BGP across a number of high-bandwidth 
>> links. I think they use VRRP to implement their own HA, but that shouldn't 
>> matter to the firewalls or load balancer.
>
> Depends how you want to fail over the LBs, really, and if you want two hot paths 
> in your setup or only one.

I had been thinking in terms of heartbeat to fail over the LBs themselves; the 
LBs would have a single IP as their gateway to the outside world, and the 
routers that are that gateway would deal with the multiple hot paths to the 
Internet.

David Lang
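As an added illustration of the trade-off David describes above (this is example code written for this page, not part of his message and not LVS code), the toy below pins each flow to one of several firewalls in two ways: a deterministic source-address hash, which a standby load balancer with the same firewall list reproduces without any state synchronisation, and a round-robin choice remembered in a connection table, which a standby only reproduces if that table was synchronised. In both cases the flows pinned to a firewall that dies are lost, which is the failure he says he is willing to accept. The firewall names, addresses and flows are constructed sample data.

```python
"""Toy model of sticky firewall selection in a load-balanced firewall sandwich.

Added example for illustration only (not from the lvs-users thread, not LVS
code). Two schedulers pin each flow (5-tuple) to one of N firewalls:

  SourceHash      - deterministic hash of the client address (the same idea as a
                    source-hash scheduler); no table, so a standby LB with the
                    same firewall list makes identical choices with no sync.
  RoundRobinTable - round-robin on the first packet, remembered in a connection
                    table; a standby without that table re-picks and may send
                    mid-stream packets to a different (stateful) firewall.

Both lose every flow pinned to a firewall that fails, since the firewalls here
share no state. All names, addresses and flows are constructed sample data.
"""
import hashlib
from typing import Dict, List, Tuple

Flow = Tuple[str, int, str, int, str]  # (src, sport, dst, dport, proto)

# Hypothetical firewall names (constructed).
FIREWALLS = ["fw-a", "fw-b", "fw-c"]

# Constructed sample flows from six distinct clients (RFC 5737 documentation ranges).
SAMPLE_FLOWS: List[Flow] = [
    ("192.0.2.10", 40001, "198.51.100.5", 443, "tcp"),
    ("192.0.2.11", 40002, "198.51.100.5", 443, "tcp"),
    ("192.0.2.12", 40003, "198.51.100.5", 80, "tcp"),
    ("192.0.2.13", 40004, "198.51.100.6", 443, "tcp"),
    ("192.0.2.14", 40005, "198.51.100.6", 25, "tcp"),
    ("192.0.2.15", 40006, "198.51.100.7", 53, "udp"),
]


class SourceHash:
    """Stateless: the firewall is a pure function of (source address, firewall list)."""

    def __init__(self, firewalls: List[str]):
        self.firewalls = list(firewalls)

    def pick(self, flow: Flow) -> str:
        digest = hashlib.sha256(flow[0].encode()).digest()
        return self.firewalls[int.from_bytes(digest[:4], "big") % len(self.firewalls)]


class RoundRobinTable:
    """Stateful: first packet of a flow is assigned round-robin, then remembered."""

    def __init__(self, firewalls: List[str]):
        self.firewalls = list(firewalls)
        self.next_index = 0
        self.table: Dict[Flow, str] = {}

    def pick(self, flow: Flow) -> str:
        fw = self.table.get(flow)
        if fw is None:  # new flow: assign and remember
            fw = self.firewalls[self.next_index % len(self.firewalls)]
            self.next_index += 1
            self.table[flow] = fw
        return fw

    def sync_from(self, other: "RoundRobinTable") -> None:
        """Model state synchronisation: copy the active LB's connection table."""
        self.table = dict(other.table)
        self.next_index = other.next_index


def lb_failover_survivors(active, standby, flows: List[Flow], arrival_order: List[Flow]) -> int:
    """Flows established on `active`; count those the `standby` still routes to the
    same firewall when their next packets arrive in `arrival_order` (mid-stream
    packets do not arrive in the original SYN order, hence the separate order)."""
    pinned = {f: active.pick(f) for f in flows}
    return sum(1 for f in arrival_order if standby.pick(f) == pinned[f])


def firewall_failure_losses(scheduler, flows: List[Flow], dead_firewall: str) -> List[Flow]:
    """Flows whose sticky firewall died: lost regardless of scheduler, absent firewall state sync."""
    return [f for f in flows if scheduler.pick(f) == dead_firewall]


if __name__ == "__main__":
    later = list(reversed(SAMPLE_FLOWS))  # packets reach the standby in a different order
    print("source-hash, no sync :", lb_failover_survivors(SourceHash(FIREWALLS), SourceHash(FIREWALLS), SAMPLE_FLOWS, later), "of", len(SAMPLE_FLOWS))
    act, stb = RoundRobinTable(FIREWALLS), RoundRobinTable(FIREWALLS)
    print("round-robin, no sync :", lb_failover_survivors(act, stb, SAMPLE_FLOWS, later), "of", len(SAMPLE_FLOWS))
    act, stb = RoundRobinTable(FIREWALLS), RoundRobinTable(FIREWALLS)
    for f in SAMPLE_FLOWS:
        act.pick(f)
    stb.sync_from(act)
    print("round-robin, synced  :", lb_failover_survivors(act, stb, SAMPLE_FLOWS, later), "of", len(SAMPLE_FLOWS))
    print("flows lost if fw-a dies (source-hash):", firewall_failure_losses(SourceHash(FIREWALLS), SAMPLE_FLOWS, "fw-a"))
```

The round-robin standby in the unsynced case still gets some flows right by coincidence; what matters is that it cannot guarantee any of them, whereas the hash scheduler needs no shared state at all. Neither helps when a firewall itself dies: the flows pinned to it go with it.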
