Firewall Wizards mailing list archives

Re: High Speed Firewalls


From: "Paul D. Robertson" <proberts () clark net>
Date: Sun, 5 Mar 2000 19:42:23 -0500 (EST)

On Fri, 3 Mar 2000, Bennett Todd wrote:

> For some applications, namely similarly configured servers that
> never do any significant extra processing, this feature may not pay
> its freight. In which case yes, the LocalDirector isn't competitive.
> But for a lot of jobs I still love it the best and specify it by
> strong preference.

In my last job one of our highly-trafficked units tried Distributed
Director pretty soon after introduction and threw it out fairly soon after
that (inside a week.)  I'm not aware of too many architectural instances
where such failover is necessary where I wouldn't mandate multiple
physical locations (or at least try to do so, especially in light of the
recent DDOS attacks)- perhaps you could share some scenarios that I've not
considered?

I suppose both LD and DD have undergone some functionality changes since
we played with them- have you played much with F5's stuff to contrast the
two?  All the big Web sites and colocation facilities I've been to have
preferred BigIP to Cisco's offerings (the 3 major facilities that I've
checked out all offered BigIP as a managed service.)

Also, what kind of per-day hit rates are within your experience?  DD seemed
bothered by ~3-5M hits when we looked at them (for the subset of boxes we
pointed them to.) but that was admittedly pretty soon after introduction
(I tend to shy away from products that hit the market poorly prepared for
it after seeing them fail.)

My recollections are slightly fuzzy, since they're two of the 3 Cisco
products that I wouldn't consider readily for production I never
revisited them (probably a failing on my part, but I'm a big fan of once
bitten twice shy.)  I'm aware that DD and LD are separate products, but
unless I'm missing something architecturally, I can't imagine not doing
multiple sites for anything critical enough to spend money outside of
{hokey BIND tricks I made up, lbnamed.}

> Are there any other load balancers out there that can keep
> track of how fast their servers respond, and always prefer the
> currently-fastest box?

I don't know what knobs there are on BigIP, but AFAICT most of the Web
Monster sites prefer it over Distributed Director.  The few times I've
been personally involved in BigIP stuff it's been to troubleshoot some
weird set-ups, but there's supposedly a good bit of service check stuff in
there.  The only place I've seen real problems with it is for one or two
boxes to be fronting several thousand IP addresses, the ARP cache
and TCP stack don't seem to like service checking that every 30 seconds
if ~1,500 of the addresses don't exist (my supposition is that with static
ARP entries even that problem would go away, but the design was to get
around a layer 8 issue that really needed fixing instead.) That's an
implementation problem not a technical one though.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () clark net      which may have no basis whatsoever in fact."
                                                                     PSB#9280
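The two technical points in this exchange, a balancer that prefers the currently-fastest box, and service checks that hammer ~1,500 addresses with nothing behind them every 30 seconds, can be shown in a few dozen lines. The following is an added illustration, not code from this post, from Cisco, or from F5: a smoothed-latency (EWMA) backend selector with exponential backoff on dead addresses. The `Backend`/`Balancer`/`pick` names, the 30-second interval and the latency table are all assumptions made up for the example; the probe function is a constructed stand-in for a real TCP or HTTP service check.

```python
"""Fastest-box selection with dead-host backoff (added example, hypothetical names)."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# A probe returns the measured latency in seconds, or None if the service
# check failed (no ARP reply, connection refused, timeout ...).
ProbeFn = Callable[[str], Optional[float]]


@dataclass
class Backend:
    addr: str
    ewma: Optional[float] = None   # smoothed latency; None == currently considered down
    failures: int = 0              # consecutive failed checks
    next_probe_at: float = 0.0     # earliest time we will check this address again


class Balancer:
    def __init__(self, addrs: List[str], probe: ProbeFn, *, alpha: float = 0.3,
                 interval: float = 30.0, max_backoff: float = 900.0) -> None:
        self.backends: Dict[str, Backend] = {a: Backend(a) for a in addrs}
        self.probe = probe
        self.alpha = alpha              # EWMA weight of the newest sample
        self.interval = interval        # assumed 30 s check interval, as in the post
        self.max_backoff = max_backoff  # cap on how long a dead address is left alone

    def run_checks(self, now: float) -> None:
        """One service-check round. Dead addresses are re-probed with exponential
        backoff so that hundreds of non-existent hosts do not get an ARP/TCP attempt
        every single interval."""
        for b in self.backends.values():
            if now < b.next_probe_at:
                continue
            lat = self.probe(b.addr)
            if lat is None:
                b.failures += 1
                b.ewma = None   # drop from rotation until a check succeeds
                b.next_probe_at = now + min(self.interval * 2 ** b.failures, self.max_backoff)
            else:
                b.failures = 0
                # Smooth the sample so one slow reply does not flip the decision.
                b.ewma = lat if b.ewma is None else self.alpha * lat + (1 - self.alpha) * b.ewma
                b.next_probe_at = now + self.interval

    def pick(self) -> Optional[str]:
        """Return the address with the lowest smoothed latency, or None if all are down."""
        live = [b for b in self.backends.values() if b.ewma is not None]
        if not live:
            return None
        return min(live, key=lambda b: b.ewma).addr


# Constructed sample data: per-address latency (seconds) per check round.
# 10.0.0.3 is an address with no host behind it, the case described in the post.
SAMPLE_LATENCY: Dict[str, List[Optional[float]]] = {
    "10.0.0.1": [0.020, 0.030, 0.025],
    "10.0.0.2": [0.010, 0.012, 0.050],
    "10.0.0.3": [None, None, None],
}


def make_fake_probe(table: Dict[str, List[Optional[float]]]):
    """Stand-in for a real service check; also counts how often each address is probed."""
    calls = {a: 0 for a in table}

    def probe(addr: str) -> Optional[float]:
        i = calls[addr]
        calls[addr] += 1
        seq = table[addr]
        return seq[min(i, len(seq) - 1)]

    return probe, calls


def demo(rounds: int = 3):
    """Run `rounds` check rounds 30 s apart; return the pick per round and probe counts."""
    probe, calls = make_fake_probe(SAMPLE_LATENCY)
    lb = Balancer(list(SAMPLE_LATENCY), probe)
    picks = []
    for r in range(rounds):
        lb.run_checks(now=r * lb.interval)
        picks.append(lb.pick())
    return picks, calls, lb


if __name__ == "__main__":
    picks, calls, lb = demo()
    print("picks per round:", picks)
    print("probes per address:", calls)
    print("dead-host backoff until t=%.0f" % lb.backends["10.0.0.3"].next_probe_at)
```

In round three 10.0.0.2 returns a single slow sample (50 ms) yet stays selected, because the EWMA still favours it over 10.0.0.1; the dead address is probed in rounds one and three only, and after its second failure is left alone until t=180 s rather than being re-ARPed every interval. Note this is the "pick the fastest" policy the question asks about, not a claim about how any vendor's box actually implements it.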
