[lvs-users] Firewall clustering

David Lang david.lang at digitalinsight.com
Tue May 17 18:36:50 BST 2011


On Tue, 17 May 2011, CeR wrote:

>> the usual way that LVS is used with pacemaker is that you have a HA pair of
>> LVS laod balancer boxes that load balance across a farm of additional
>> servers, but the LVS boxes themselves are active/bassive
>>
>
> Thanks, I will take a look?
>
> No. CLUSTERIP only works on the INPUT chain, not on the forward chain.

that's unfortunante. there isn't a way to do CLUSTERIP on the prerouteing chain?

but it depends on if the firewall is a packet filter firewall or a proxy 
firewall. If it's a proxy firewall CLUSTERIP works just fine.

>> Believe me that you do not want to setup an active/active firewall, but an
>> active/passive cluster.
>>
>
> What do you mean? Could you be more specific?
> OK to not user CLUSTERIP. But what about an active/active cluster for
> firewalling? Is there any problem?

going active/active adds complications (the load sharing mechanism can break, 
when something goes wrong and you need to check on it, you need to check two 
places, if one of the set is misconfigured you end up with intermittent 
problems, or problems that only happen from some locations and not others, you 
run the risk of not having enough power to handle the load if one box fails, 
...)

as noted by someone else, if you are just doing packet filtering you should not 
need active/active. a single, relatively low-spec box (by todays's terms) can 
handle multiple Gb/sec worth of traffic without any problems.

if you are doing proxies, you may run into load problems (but even there, 
today's hardware can do a LOT on a single box), but there CLUSTERIP will work.

David Lang




More information about the lvs-users mailing list