Firewall Wizards mailing list archives
Re: High Speed Firewalls
From: Bennett Todd <bet () rahul net>
Date: Mon, 6 Mar 2000 12:48:36 -0500
2000-03-06-12:34:47 Mike Barkett:
> Imagine the scenario in which a web server has failed, and a 404 error comes up for the main page. This server will be much quicker to respond than the full e-commerce/img/java-encrusted blicki.

More appealing and useful, too!

> LD starts sending more and more requests to the failed server, and you've got a bad situation on your hands. I have seen it happen in extremely high-volume e-commerce environments and it's not pretty.

Nothing is pretty when you have a severely java-encrusted blicki (nice phrase!), and when you are claiming to be doing e-commerce as well the whole scene has just turned really really evil.

> Hopefully Cisco has fixed or will fix this problem, but even if they did, the LD would not be the superior product. You can set the Alteons to expect a certain string of HTML code, and regularly monitor that type of connection at layer 4. Now, that doesn't entirely make up for Alteon's lackluster NAT support, but that type of monitoring is where Cisco wants to be with their product.

I can definitely see designs where performance monitoring needs to be at higher layers of the protocol stack. I'm proud to refrain from committing such designs, but I can see how they arise. Another correspondent has pointed out to me that F5's BigIP now boasts flexible performance monitoring as well, so it sounds like there's plenty of competition to round things out.

It's an interesting point you raise, though how the L-D's passive, low-level performance monitoring makes other varieties of screwup worse than simple round-robin, by favouring a server that's just shrieking 404 at everything thrown its way rather than trying to get interesting work done. I continue to like the LocalDirector's algorithm very much, and look forward to finding out whether a BigIP can be configured to do the same trick, but if I were fielding more fragile servers into the farm, with more complex and subtle failure modes, I can see where it could work very poorly indeed.

-Bennett
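
The failure mode discussed in this message, as an added example that is not part of the original post: a simplified fastest-response balancer (a model, not Cisco's, Alteon's or F5's actual algorithm) run with passive timing only and then with a content check for an expected HTML string. Server names, latencies and the expected string are constructed assumptions.

```python
# Constructed farm: name -> (HTTP status, body, base response time in ms).
# "web3" has failed and answers everything with a cheap, fast 404.
FARM = {
    "web1": (200, "<html><title>Shop</title>catalogue</html>", 180.0),
    "web2": (200, "<html><title>Shop</title>catalogue</html>", 220.0),
    "web3": (404, "<html>Not Found</html>", 5.0),
}
EXPECTED = "<title>Shop</title>"  # string the active health check looks for (assumed)


def content_ok(server):
    """Active check: the page must return 200 and contain the expected HTML."""
    status, body, _ = FARM[server]
    return status == 200 and EXPECTED in body


def distribute(requests, health_check=None):
    """Send each request to the server with the lowest observed average
    response time. With health_check set, failing servers leave the pool."""
    avg = {s: 0.0 for s in FARM}   # passively measured average latency
    counts = {s: 0 for s in FARM}  # requests handed to each server
    for _ in range(requests):
        pool = [s for s in FARM if health_check is None or health_check(s)]
        target = min(pool, key=lambda s: (avg[s], s))
        # Toy load model: a server slows down 1% per request it has taken.
        ms = FARM[target][2] * (1 + counts[target] / 100)
        counts[target] += 1
        avg[target] += (ms - avg[target]) / counts[target]
    return counts


def error_share(counts):
    """Fraction of requests that landed on a server failing the content check."""
    bad = sum(n for s, n in counts.items() if not content_ok(s))
    return bad / sum(counts.values())


if __name__ == "__main__":
    passive = distribute(1000)
    checked = distribute(1000, health_check=content_ok)
    print("passive timing only:", passive, "errors:", error_share(passive))
    print("with content check :", checked, "errors:", error_share(checked))
```
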