Re: Experience with Open Source load balancers?

[Mark Andrews <marka () isc org>]

In message <BANLkTimxkNx5=__jXD9056FAO19V1zoKqg () mail gmail com>, Michael Loftis
 writes:
> On Mon, May 16, 2011 at 5:15 PM, Welch, Bryan <Bryan.Welch () arrisi com> wrot=
> e:
> > Greetings all.
> >
> > I've been tasked with comparing the use of open source load balancing sof=
> tware against commercially available off the shelf hardware such as F5, whi=
> ch is what we currently use. =A0We use the load balancers for traditional l=
> oad balancing, full proxy for http/ssl traffic, ssl termination and certifi=
> cate management, ssl and http header manipulation, nat, high availability o=
> f the physical hardware and stateful failover of the tcp sessions. =A0These=
>  units will be placed at the customer prem supporting our applications and =
> services and we'll need to support them accordingly.
> > Now my "knee jerk" reaction to this is that it's a really bad idea. =A0It=
>  is the heart and soul of our data center network after all. =A0However, on=
> ce I started to think about it I realized that I hadn't had any real experi=
> ence with this solution beyond tinkering with it at home and reading about =
> it in years past.
> > Can anyone offer any operational insight and real world experiences with =
> these solutions?
>
> Honestly I think to get *all* those features you're much better off
> with commercial solutions like the ones you're already using from F5,
> or something from Cisco, Coyote Point, Brocade, or others.  You can
> absolutely put together a solution based on any number of open source
> products, but you won't get the single integrated front end for
> management and configuration that any of the commercial options will
> provide, you may be missing features, and ultimately, you're on the
> hook for making it work.  In particular the stateful failover has been
> problematic in open source solutions in my experience.  They've come a
> VERY long way, but it is a hard problem to tackle.
>
> I've worked with open source and commercial solutions, and while the
> open source systems were almost always far more flexible, and cheaper
> up front, they certainly required more work to get going..  Once setup
> and running though both types of solutions had pretty equal amounts of
> maintenance, with the commercial solutions requiring somewhat less
> time/babysitting for upgrades and to enable or use new features or
> functionality.

Just make sure the DNS components return valid responses to AAAA
queries as well as valid responses to A queries.  Many load balancers
get this wrong.  They return NXDOMAIN instead of NOERROR, they drop
AAAA queries, they don't return CNAMEs when the A response returns
a CNAME, they return the wrong SOA record (doesn't match the zone
delegated to the box).

Better still would be for them to return AAAA records but until one
is ready to do that the negative responses need to be correct.

If they are returning AAAA queries check NS, SOA, TXT and MX responses
for similar errors.  AAAA is just more visible as browsers make AAAA
queries and the others are done in the background.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka () isc org