[zorp] Clustering Zorp with LVS

Balazs Scheidler zorp@lists.balabit.hu
Wed, 14 Apr 2004 10:10:27 +0200


On Wed, 2004-04-14 at 01:17, Sheldon Hearn wrote:

> Ideally, what the back load balancer for a Zorp cluster needs to do is
> this:
> 
> 1) When a SYN comes in from a Zorp host, create a new connection table
> entry, including the Layer 2 (Ethernet) address of the packet in the
> entry.
> 
> 2) When a packet comes back from the servers and is associated with a
> connection table entry based on Layer 3 and 4 features, route the packet
> via the Layer 2 address stored in the entry.
>  
> I've contacted 3 vendors and an open source group looking for a solution
> like this.  Here are the responses:
> 
> 1) Cisco say their 650x with Content Switching Module support
> transparent proxy firewalls, and a friend of mine at Cisco confirms
> this.

We are also using Cisco CSMs for this purpose. They are doing some kind
of TCP state tracking (I believe it is a simple timeout) and reply
packets are sent back where they came from.

The load balancing decision is based on the IP address in our case, but
AFAIK they can also do RR, but it makes debugging problems a nightmare.


> 4) The folks on the LVS mailing list can't think of anything better than
> the SH/DH approach.

In addition to LVS you can also implement load balancing via iptables
conntrack and connmark.

When the first packet of a given connection is received at the LB box
you mark it with a connection mark; this is the LB decision and you can
base it on anything you want to (for example the source port value, but
simple RR or random assignment might also work). A decision based on the
source port can be done using the u32 match; for RR and random marks you
will need to create custom iptables modules.

The connmark value selects which Zorp box you are going to use to proxy
that specific connection. Then copy this connmark to every packet
belonging to the same connection as an fwmark (CONNMARK --save-mark
IIRC), and then do policy routing based on fwmark, selecting different
gateways depending on the fwmark.

> 
> Now a Cisco 650x w/ CSM costs more than USD 70,000.  That's a lot of
> money to spend on a load balancer for 4 Zorp boxes!

True, Cisco products are extremely expensive. There are other load
balancers like radware, bigip or flatiron. They are somewhat cheaper.


-- 
Bazsi
PGP info: KeyID 9AF8D0A9 Fingerprint CD27 CFB0 802C 0944 9CFD 804E C82C 8EB1
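The conntrack/connmark/fwmark scheme Bazsi sketches above, written out as a rule generator. This is an added example, not code from the mail or from the Zorp project: it assumes a hypothetical LB box whose client-facing interface is eth0, four Zorp boxes reachable as next hops 10.0.1.1 to 10.0.1.4, unused routing tables 101 to 104, and a power-of-two number of Zorp boxes so that a u32 bit mask on the TCP source port spreads connections evenly. It prints the iptables and ip commands instead of running them, so the rule set can be reviewed before it is applied as root. One detail to note: CONNMARK --restore-mark copies the connection mark onto the packet's fwmark (the direction needed for policy routing); --save-mark copies the other way.

```shell
#!/bin/sh
# Added example, not from the original mail. Generates the iptables (mangle table,
# CONNMARK + u32 matches) and iproute2 policy-routing rules for a load-balancer
# box in front of a Zorp cluster, keyed on the client's TCP source port.
#
# Assumptions (hypothetical, none of them from the mail):
#   - client traffic enters the LB on IN_IF; the Zorp boxes sit behind another interface
#   - the Zorp boxes are reachable as next hops ZORP_GWS
#   - routing tables 101..10N are unused on the LB box
#   - N is a power of two, so a u32 bit mask on the source port spreads evenly;
#     for other N (or RR/random) you need a custom match, as the mail says
IN_IF="eth0"
ZORP_GWS="10.0.1.1 10.0.1.2 10.0.1.3 10.0.1.4"

count_gws() {
    n=0
    for _gw in $ZORP_GWS; do n=$((n + 1)); done
    echo "$n"
}

# The LB decision for the first packet of a connection: the low bits of the
# source port select a Zorp box. Marks start at 1 because fwmark 0 means "unmarked".
pick_mark() {
    n=$(count_gws)
    echo $(( ($1 & (n - 1)) + 1 ))
}

# Prints the rule set rather than applying it; apply on the LB box as root with
#   gen_rules | sh
gen_rules() {
    n=$(count_gws)
    if [ $(( n & (n - 1) )) -ne 0 ]; then
        echo "number of Zorp boxes must be a power of two" >&2
        return 1
    fi
    # 1) first packet of a NEW connection: decide, and store the decision in the
    #    conntrack entry as the connection mark.
    #    u32: "0>>22&0x3C" is the IP header length in bytes, "@" jumps past it,
    #    "0>>16" is then the TCP source port, masked with n-1 and compared to i.
    i=0
    while [ "$i" -lt "$n" ]; do
        echo "iptables -t mangle -A PREROUTING -i $IN_IF -p tcp -m conntrack --ctstate NEW" \
             "-m u32 --u32 \"0>>22&0x3C@0>>16&$((n - 1))=$i\" -j CONNMARK --set-mark $((i + 1))"
        i=$((i + 1))
    done
    # 2) every packet arriving from the client side (including the first one, since
    #    the connmark was just set): copy the connection mark onto the packet's fwmark.
    #    Restricted to IN_IF so replies coming back from the Zorp boxes are routed
    #    by the main table and not bounced back to a Zorp box.
    echo "iptables -t mangle -A PREROUTING -i $IN_IF -j CONNMARK --restore-mark"
    # 3) policy routing: fwmark k selects table 100+k, whose default route is Zorp box k.
    i=0
    for gw in $ZORP_GWS; do
        i=$((i + 1))
        echo "ip rule add fwmark $i table $((100 + i))"
        echo "ip route add default via $gw table $((100 + i))"
    done
}

gen_rules
```

Because the mark lives in the conntrack entry, every later packet of the connection gets the same fwmark and therefore the same Zorp gateway, which is what keeps a transparent proxy's connection state on one box.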