In message <BANLkTimxkNx5=__jXD9056FAO19V1zoKqg@mail.gmail.com>, Michael Loftis writes:
Greetings all.
I've been tasked with comparing the use of open source load balancing sof= tware against commercially available off the shelf hardware such as F5, whi= ch is what we currently use. =A0We use the load balancers for traditional l= oad balancing, full proxy for http/ssl traffic, ssl termination and certifi= cate management, ssl and http header manipulation, nat, high availability o= f the physical hardware and stateful failover of the tcp sessions. =A0These= units will be placed at the customer prem supporting our applications and = services and we'll need to support them accordingly.
Now my "knee jerk" reaction to this is that it's a really bad idea. =A0It= is the heart and soul of our data center network after all. =A0However, on= ce I started to think about it I realized that I hadn't had any real experi= ence with this solution beyond tinkering with it at home and reading about = it in years past.
Can anyone offer any operational insight and real world experiences with =
On Mon, May 16, 2011 at 5:15 PM, Welch, Bryan <Bryan.Welch@arrisi.com> wrot= e: these solutions?
Honestly I think to get *all* those features you're much better off with commercial solutions like the ones you're already using from F5, or something from Cisco, Coyote Point, Brocade, or others. You can absolutely put together a solution based on any number of open source products, but you won't get the single integrated front end for management and configuration that any of the commercial options will provide, you may be missing features, and ultimately, you're on the hook for making it work. In particular the stateful failover has been problematic in open source solutions in my experience. They've come a VERY long way, but it is a hard problem to tackle.
I've worked with open source and commercial solutions, and while the open source systems were almost always far more flexible, and cheaper up front, they certainly required more work to get going.. Once setup and running though both types of solutions had pretty equal amounts of maintenance, with the commercial solutions requiring somewhat less time/babysitting for upgrades and to enable or use new features or functionality.
Just make sure the DNS components return valid responses to AAAA queries as well as valid responses to A queries. Many load balancers get this wrong. They return NXDOMAIN instead of NOERROR, they drop AAAA queries, they don't return CNAMEs when the A response returns a CNAME, they return the wrong SOA record (doesn't match the zone delegated to the box). Better still would be for them to return AAAA records but until one is ready to do that the negative responses need to be correct. If they are returning AAAA queries check NS, SOA, TXT and MX responses for similar errors. AAAA is just more visible as browsers make AAAA queries and the others are done in the background. Mark -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org