Load Balancing Servers, Firewalls and Caches - Kopparapu C.

Kopparapu C. Load Balancing Servers, Firewalls and Caches - Wiley Computer Publishing, 2002. - 123 p.
ISBN 0-471-41550-2

Obviously, the active-active design with stateful load balancing is the technically superior approach to high-availability firewall load balancing. The stateful approach gives finer load distribution and stateful failover, while the active-active approach doubles the load-balancer capacity by utilizing both load balancers at the same time.
Interaction between Routers and Load Balancers
In high-availability design, we need to understand how the traffic flows between the router pair and the load balancer pair on each side of the firewalls. Once the traffic reaches the right load balancer, we know how it selects a firewall or forwards the traffic.
We can use either static routing or a dynamic routing protocol, such as OSPF (Open Shortest Path First), for routing between the routers, load balancers, and firewalls. Static routing is the most commonly used routing method on the firewalls because it is the simplest to configure and troubleshoot. However, dynamic routing can be used between the routers and load balancers for some benefits, as we will see next.
Let’s first discuss the case of static routing with an active-standby load-balancing configuration. In the design shown in Figure 6.12, routers 1 and 2 have a static route pointing to VRRP-IP3 as the next hop to reach the internal network. Let’s suppose that load balancer 1 is the active unit. Load balancer 1 owns VRRP-IP3, causing both routers 1 and 2 to forward all traffic to load balancer 1. If load balancer 1 fails, load balancer 2 takes over VRRP-IP3, causing both routers to now forward traffic to load balancer 2. The same flow applies for traffic going to the external network from the load balancers. The load balancers have a static route to VRRP-IP1 to reach the external network. If router 1 owns VRRP-IP1, then all traffic flows from load balancer 1 to router 1 to the external network. The biggest limitation in this case is that half the load-balancer capacity is unutilized because of the active-standby topology. The traffic from the external network may come through either of the routers, but the traffic going to the external network will flow through the router that owns VRRP-IP1.
[Figure 6.12 diagram: active-standby load balancing. The external network connects through routers 1 and 2 (VRRP-IP1) to load balancer 1 (active) and load balancer 2 (standby) (VRRP-IP3), which lead to the firewalls. Legend: active paths, standby paths.]
Figure 6.12: Interaction between routers and load balancers: active-standby design.
Let’s now consider the case of active-active load balancing, where both load balancers can perform firewall load balancing, as shown in Figure 6.13. We must distribute the traffic to both load balancers in order to utilize each load balancer’s capacity. One way to accomplish this is to use two VRRP-IP addresses on the load balancers, as shown in Figure 6.13, where each load balancer is active for a different VRRP-IP address. This is closely analogous to server load balancing, in which each load balancer is active for a different VIP. But in this case, we must configure the routers appropriately to distribute the traffic among the load balancers. We can configure two static routes on each router, where one route points to VRRP-IP3 and the other to VRRP-IP4, and have each router distribute traffic across the two routes. But not all routers support load distribution across multiple static routes. If that’s the case, we can configure only one static route on each router, but point each router to a different VRRP-IP address on the load balancers. That is, configure a static route on router 1 to VRRP-IP3 and a static route on router 2 to VRRP-IP4. This will direct all traffic from each router to a different load balancer, resulting in a natural load distribution of traffic between the two load balancers.
[Figure 6.13 diagram: active-active load balancing. Bidirectional load distribution with OSPF Equal-Cost Multipath, or load distribution using multiple static routes.]
Figure 6.13: Interaction between routers and load balancers: active-active design.
Instead of using static routes, we can use a dynamic routing protocol, such as OSPF, that provides inherent capabilities to distribute traffic when there are multiple routes to a given destination. This capability is called Equal-Cost Multipath (ECMP). With OSPF, each router will have two OSPF routes. One route points to VRRP-IP3, and the other points to VRRP-IP4. Each router will use ECMP to distribute traffic across the two load balancers. With an active-active configuration, both load balancers perform firewall load balancing for better scalability.
For traffic going from the load balancers to the routers, a similar routing configuration can be applied in order to distribute traffic to the external network across the two routers.
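The three router-to-load-balancer designs described above, modeled as an added example (not code from the book): it counts how many flows land on each load balancer with both units up and after load balancer 1 fails. The function names, the constructed sample flows, the per-flow hash used to stand in for ECMP, and the assumption that the surviving unit takes over its peer's VRRP address in the active-active case are illustrative assumptions.

```python
import hashlib
from collections import Counter

# VRRP address -> load balancers in priority order (master first, then backup).
ACTIVE_STANDBY = {"VRRP-IP3": ["LB1", "LB2"]}
# Assumption: in active-active, each unit also backs up its peer's address.
ACTIVE_ACTIVE = {"VRRP-IP3": ["LB1", "LB2"], "VRRP-IP4": ["LB2", "LB1"]}

def vrrp_owner(vrrp_ip, groups, up):
    """Return the highest-priority load balancer that is up for this address."""
    for lb in groups[vrrp_ip]:
        if lb in up:
            return lb
    return None  # both units down: nobody answers for the address

def ecmp_next_hop(flow, next_hops):
    """Pick one equal-cost next hop per flow by hashing the flow tuple, so every
    packet of a connection takes the same path (assumed per-flow behaviour)."""
    digest = hashlib.sha256(repr(flow).encode()).digest()
    return next_hops[int.from_bytes(digest[:4], "big") % len(next_hops)]

def distribute(flows, routes, groups, up):
    """Count flows per load balancer. `routes` maps router -> next-hop VRRP
    addresses; each flow is (ingress_router, src, sport, dst, dport)."""
    load = Counter()
    for flow in flows:
        hop = ecmp_next_hop(flow[1:], routes[flow[0]])
        load[vrrp_owner(hop, groups, up)] += 1
    return dict(load)

# Constructed sample: 200 connections, alternating between the two routers.
FLOWS = [(f"router{i % 2 + 1}", f"198.51.100.{i % 250}", 1024 + i, "10.0.0.10", 443)
         for i in range(200)]

ONE_ROUTE = {"router1": ["VRRP-IP3"], "router2": ["VRRP-IP3"]}     # active-standby
SPLIT_STATIC = {"router1": ["VRRP-IP3"], "router2": ["VRRP-IP4"]}  # one route per router
ECMP = {r: ["VRRP-IP3", "VRRP-IP4"] for r in ("router1", "router2")}

if __name__ == "__main__":
    both, lb2_only = {"LB1", "LB2"}, {"LB2"}
    print("active-standby     ", distribute(FLOWS, ONE_ROUTE, ACTIVE_STANDBY, both))
    print("  LB1 failed       ", distribute(FLOWS, ONE_ROUTE, ACTIVE_STANDBY, lb2_only))
    print("split static routes", distribute(FLOWS, SPLIT_STATIC, ACTIVE_ACTIVE, both))
    print("OSPF ECMP          ", distribute(FLOWS, ECMP, ACTIVE_ACTIVE, both))
    print("  LB1 failed       ", distribute(FLOWS, ECMP, ACTIVE_ACTIVE, lb2_only))
```

In every failure case the routers' routes stay unchanged; only the owner of the VRRP address moves, which is why the failover needs no routing change on the routers.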
Interaction between Load Balancers and Firewalls
Before we moved to high availability, all the firewalls were connected to the load balancers on each side of the firewall. Now, we have two load balancers on each side. We can connect the load balancers and firewalls in two ways. First, we can connect each firewall to each load balancer, as shown in Figure 6.14, but each firewall must now have four network interfaces rather than the two interfaces shown in earlier designs. When using this design, it’s better to use an active-active firewall load-balancing configuration with all network interfaces in the firewalls active. It’s not a good idea to use active-standby firewall network interfaces along with active-standby firewall load balancing because when a firewall network interface fails, the load balancer may not fail over, and vice versa.