[load balancing] lb choice problem & tech. questions

From: Rob Lohman (r.lohmanIZZATlectric.nl)
Date: Thu Apr 19 2001 - 10:34:08 EDT

  • Next message: Cabral, Ken: "RE: [load balancing] lb choice problem & tech. questions"

    Hi everyone!

    I'am new to the list and very glad to have found it. Good
    (technical) information & people to talk to about hw load
    balancers is allmost impossible to find!

    I hope you don't mind throughing my big problem in front of
    you guys with my first post...

    We have just bought a Cisco LocalDirectory 416 which is
    probably gonna be returned shortly, because of serious
    troubles I had with it:

     - really broken manual
     - unable to get the box working (100%) with multiple
       subnets (even with help from the suplier)
     - IP packages on one subnet that belong on another

    If anyone has succesfully set this thing up with multiple
    subnets, please please reply or mail me!

    But that is not my main question, since we are probably
    gonna return it, I was wondering what other (good) options
    I have for products in the same price range (more or less),
    which do at least the following:

     - TCP (FTP, HTTP, VNC, SSL)
     - Fully supports different subnets (per nic would be nice,
       so it becomes more like a router then a (secure) bridge)
     - SNMP interface would be nice
     - Secure operations (only allowing traffic that should be
       traversing the lb) -> firewalling

    We don't have the money to buy a full blown firewall and a
    load balancer on top, so it needs to be one product. The Cisco
    LocalDirector can be set in secure mode and it allmost does
    what we need, however not completely.

    I want to be able to setup a private network on one site of
    the load balancer within one of the private ranges (10.x or
    192.168.x for example). Then I want the other side to be on
    the Internet (public side). The device needs to be able to do
    this 100% perfect. I could not get this to work with the
    LocalDirector. When running sniffers on both side of the network,
    I discovered the following things that went wrong with the LD:

     - ARP request & response (especially broadcast ones) where
       visible on both sides of the LocalDirector. When a server in
       the private range made an ARP request, it was visible on the
       public side too. This is not acceptable because our hosting
       partner does not ALLOW such packets on his network.
     - When a webbrowser (on the public network) accessed a server
       in the private network (through a VIP - virtual IP address)
       the server was asked, responded and (after much work) the
       LocalDirector forwarded the response on the public network,
       but with the WRONG MAC ADDRESS!!! So the client never saw
       the response back (IP address was correct though)

    I was unable to remove the second problem, so when on two different
    subnets I could not get the LocalDirector to work properly. The
    first problem was also unfixable because the LD is like a secure
    bridge, it forwards some packets everywhere. This is unacceptable
    in our design. I would like to be able to give each NIC it's own
    IP address & subnet mask so that only traffic to and from that
    range is transmitted there....

    Any help, information, insigths etc. would be very very much
    appreciated! I'am currently looking at F5's Big/Ip LB and
    Foundry's ServerIron, but I'am unable to get these details from
    them.

    Thanks in advance for any help!

    Regards,

    Rob Lohman
    r.lohmanIZZATlectric.nl



    This archive was generated by hypermail 2b30 : Thu Apr 19 2001 - 09:36:20 EDT