need a router/load balancer

Mirlyn

Got two separate incoming connections that I need to load balance across two webservers. I also need VPN capabilities.

Suggestions?
 
Mirlyn said:
Got two separate incoming connections that I need to load balance across two webservers. I also need VPN capabilities.

Suggestions?

You'll need a layer 4 router; unfortunately I have no experience managing routers, so my recommendation knowledge is close to zero.
 
tommyj27 said:
i think linux has some load-balancing capabilities, never used it before though :shrug:
After getting some quotes, I think this will be the way to go until we can buy one. :eek:
 
mirlyn, if these are win2k or 03 servers they are capable of both the features you're looking for.
 
hey mir, if you do go the linux route, let us/me know what you figure out, it sounds like an interesting project.
 
What kind of internet connections are these? Cable or DSL, T1 or Frame Relay, DS3?

Real routers are expensive, is this for work or for home?

rrfield
 
Dual Cable/DSL or T1s (undecided) for a new site which will be hosting two webservers with the possibility for adding more.

I have 2k and Serv03, but don't want to mess with additional licensing for this site.

I'm probably going to do a linux-based router/load balancer. My coworker spent yesterday on the phone with Nortel and F5. After some consideration, we don't think one of these routers is best to start out with, but better to grow into. :)

Never done software VPN before, so that'll be new. ;)
 
is there a particular reason this new site requires dual servers and connections? if it's for redundancy i would think keeping one machine on hot standby would be preferable to putting them both online.
 
tommyj27 said:
is there a particular reason this new site requires dual servers and connections? if it's for redundancy i would think keeping one machine on hot standby would be preferable to putting them both online.
Redundant connections for uptime and load, redundant servers for usage load. Yeah, chances are we'll hardly ever need the second machine right away, but the site may have additional responsibilities later (host more sites maybe) so I'd rather factor the cost in now. :)
 
If it were me, I would get a Cisco 2600 series router if you go with the T1 connections (probably a 2611XM with a FW/IDS/3DES image).

If you go with the cable/dsl connections, a Cisco Catalyst 3550 EMI.

But that's just me :)
 
rrfield said:
If it were me, I would get a Cisco 2600 series router if you go with the T1 connections (probably a 2611XM with a FW/IDS/3DES image).

If you go with the cable/dsl connections, a Cisco Catalyst 3550 EMI.

But that's just me :)
I'll mention them in the meeting today. Does it do VPN as well?

Thanks.
 
Mirlyn said:
I'll mention them in the meeting today. Does it do VPN as well?

Thanks.


The 2600 routers will with the correct IOS. I don't know about the Catalyst 3550.

Is this a site-to-site VPN or software-to-site?

rrfield
 
i've been playing with a 2600 in one of my classes, it seems to add a pretty significant amount of latency to the network compared with even my puny P200 gateway. maybe they stand up and shine when you put a huge load on them.
 
rrfield said:
The 2600 routers will with the correct IOS. I don't know about the Catalyst 3550.

Is this a site-to-site VPN or software-to-site?

rrfield
I try and only use hardware. Software is just too iffy in the VPN world (imo). Too many ways to defeat software. Even fewer ways to defeat hardware.

Tried calling Cisco again, got nowhere. After several attempts to get ahold of someone there, I found out apparently I have to talk to a regional sales rep, but they couldn't tell me who is one for our area besides maybe CDW (they weren't sure). I don't have time to bullshit around. Screw that. I've already done two conference calls with F5 engineers and I contacted them after Cisco (Monday afternoon). I need some critical info by Friday, and F5 has been there for me. Pricey, but they're interested in us being a sales rep for them (discount! + training!).

Is there another way to do this? After several meetings today, I've decided I probably am not going to get anywhere near maxing that T1 because it's solely HTTP requests. What I really need is a system to switch the site to the secondary line if something were to go down. I've got some specifics from F5, but I'm still open to other brands (provided they'll answer their phones :p).
 
Mirlyn said:
What I really need is a system to switch the site to the secondary line if something were to go down.

Any router worth a damn should be able to do this. I have done it before; it usually involved adjusting administrative distances (AD) and, depending on the operating system, using a "backup interface" command.

Snip of Remote Site Example Router Config said:
interface Serial0
 ip address 1.1.1.1 255.255.255.252
 backup interface serial 1
 ! backup delay <enable time> <disable time>
 backup delay 5 20

interface Serial1
 ip address 2.2.2.2 255.255.255.252

interface FastEthernet0
 ip address 192.168.25.1 255.255.255.0

ip route 172.16.0.0 255.255.0.0 Serial0
ip route 172.16.0.0 255.255.0.0 Serial1 2

The "2" behind Serial1 indicates it has an AD of 2 (the default for a static route is 1, and the router always uses the path with the lowest AD). The same would have to be set up at the other end, with a backup route to the 192.168.25.0 subnet.

Any router I've ever worked with (though my experience is pretty limited to Cisco since that's what my company uses) can do this.

rrfield
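
Added example (not part of rrfield's post, and not Cisco code): a small Python model of the floating static route selection described above, fed with the two `ip route` lines from the quoted config. The function names and the `link_up` map are made up for illustration.

```python
import re

# Constructed input: the two static routes from the config in the post above.
CONFIG = """\
ip route 172.16.0.0 255.255.0.0 Serial0
ip route 172.16.0.0 255.255.0.0 Serial1 2
"""

# "ip route <prefix> <mask> <interface> [administrative distance]"
ROUTE_RE = re.compile(r"^ip route (\S+) (\S+) (\S+)(?: (\d+))?$")


def parse_static_routes(text):
    """Return (prefix, mask, interface, distance) tuples; distance defaults to 1."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line.strip())
        if m:
            prefix, mask, iface, dist = m.groups()
            routes.append((prefix, mask, iface, int(dist) if dist else 1))
    return routes


def active_route(routes, prefix, link_up):
    """Pick the route that gets installed for `prefix`.

    A static route out an interface is a candidate only while that
    interface's link is up; among the candidates the lowest AD wins.
    """
    candidates = [r for r in routes
                  if r[0] == prefix and link_up.get(r[2], False)]
    return min(candidates, key=lambda r: r[3], default=None)


def egress(routes, prefix, link_up):
    """Name of the outgoing interface for `prefix`, or None if unreachable."""
    route = active_route(routes, prefix, link_up)
    return route[2] if route else None


ROUTES = parse_static_routes(CONFIG)

if __name__ == "__main__":
    for state in ({"Serial0": True, "Serial1": True},
                  {"Serial0": False, "Serial1": True},
                  {"Serial0": False, "Serial1": False}):
        print(state, "->", egress(ROUTES, "172.16.0.0", state))
```

The selection depends only on local link state: if Serial0 stays up while something further along the primary path fails, the AD 1 route stays installed and the AD 2 route is never used.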
 
I guess it comes to this: Do we want to lay down the money now for something we won't need until later.

Probably so. ;)
 
hey mirlyn, i'm building 2.4.23 on one of my machines and this caught my eye.
Code:
Linux Kernel v2.4.23 Configuration
virtual server support (EXPERIMENTAL) (NEW)
CONFIG_IP_VS:

IP Virtual Server support will let you build a high-performance
virtual server based on cluster of two or more real servers. This
option must be enabled for at least one of the clustered computers
that will take care of intercepting incomming connections to a
single IP address and scheduling them to real servers.

Three request dispatching techniques are implemented, they are
virtual server via NAT, virtual server via tunneling and virtual
server via direct routing. The several scheduling algorithms can
be used to choose which server the connection is directed to,
thus load balancing can be achieved among the servers.  For more
information and its administration program, please visit the
following URL:
       http://www.linuxvirtualserver.org
 
I found a real nice router for you... :D

DW616_1.jpg
 
tommyj27 said:
hey mirlyn, i'm building 2.4.23 on one of my machines and this caught my eye.
Haven't done much with the advanced stuff in the new kernel. We're getting ready to update the offices and servers with 2.4.23. I'll have to play around with it. :headbang:

Inkara1 said:
I found a real nice router for you... :D

DW616_1.jpg

Interesting.....I'll keep it in mind. :lloyd:
 