* Re: [LARTC] failover strategies - failing open vs. failing closed.
2004-12-28 13:29 [LARTC] failover strategies - failing open vs. failing closed Kelly Jeglum
From: Amit Vyas @ 2004-12-28 14:50 UTC (permalink / raw)
To: lartc
Hi All,
I want to set up a machine to connect to the internet at a limited rate of 64
kbps.
That machine is connected to a switch, so my LAN and Internet both come
from the same eth0.
How can I limit only the internet access from this machine to 64 kbps and
still use 100 Mbps for the LAN?
I am trying to implement this. Please guide me if I am wrong.
I mark all the packets going out to the LAN.
Then I can set up a root qdisc to classify packets based on that mark. If
they match, I can set up a class to accept them, with a FIFO for those
packets; but if the packets are not for the LAN then I can pass them to
another class which is TBF shaping at rate 64 kbps.
Am I right along these lines?
This is the setup:

    +------------+      eth0       +-----------+    internet
    |  machine   |-----------------|  Switch   |--------------
    +------------+                 +-----------+

trying to get something like this:

              root qdisc (CBQ or something)
                    /            \
                   /              \
                  /                \
                 /                  \
             class                  class
     Internal LAN Packets    Any other unclassified Packets
             |                        |
             |                        |
           FIFO                  TBF (rate 64kbps)
Please help me out with marking the packets and classifying them.
Just started off with traffic shaping. giggles...... : )
It is also possible, alternatively, to mark internet traffic, as it
would be less in comparison to LAN and thus processor friendly.
Amit Vyas
_______________________________________________
LARTC mailing list / LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/mailman/listinfo/lartc HOWTO: http://lartc.org/
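A concrete way to build the tree Amit sketches, as an added example that is not from the original post: LAN-bound packets are marked in the mangle table, a two-band prio root qdisc sends marked packets to a pfifo and everything else to a tbf at 64 kbit. The device eth0, the LAN 192.168.1.0/24 and the mark value 1 are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumed values: the
# egress device is eth0, the LAN is 192.168.1.0/24, and mark 1 tags
# LAN-bound packets; change all three to match your network.

# Print the iptables and tc commands that build the two-class tree:
#   root prio qdisc (2 bands)
#     band 0 (class 1:1): marked LAN packets -> pfifo, full link speed
#     band 1 (class 1:2): everything else    -> tbf at $rate
# The priomap of all 1s sends every unmarked packet to band 1, so only
# the fw filter (matching the iptables mark) moves packets to band 0.
shaper_cmds() {
    dev=$1; lan=$2; rate=$3
    cat <<EOF
iptables -t mangle -A OUTPUT -o $dev -d $lan -j MARK --set-mark 1
tc qdisc del dev $dev root 2>/dev/null || true
tc qdisc add dev $dev root handle 1: prio bands 2 priomap 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1 1
tc qdisc add dev $dev parent 1:1 handle 10: pfifo limit 1000
tc qdisc add dev $dev parent 1:2 handle 20: tbf rate $rate burst 4kb latency 500ms
tc filter add dev $dev parent 1: protocol ip prio 1 handle 1 fw classid 1:1
EOF
}

# Apply the commands; needs root plus iproute2 and iptables on the host.
apply_shaper() {
    shaper_cmds "$@" | sh -e
}

# Dry run by default; "apply" as the first argument installs the shaper.
if [ "${1:-}" = apply ]; then
    apply_shaper eth0 192.168.1.0/24 64kbit
else
    shaper_cmds eth0 192.168.1.0/24 64kbit
fi
```

Marking the smaller internet-bound set instead, as the post suggests, only means negating the iptables destination match and swapping which band carries the tbf.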
* Re: [LARTC] failover strategies - failing open vs. failing closed.
From: Francisco Pereira @ 2004-12-28 17:01 UTC (permalink / raw)
To: lartc
Message quoted from Kelly Jeglum <Jeglum@AUX.UWM.EDU>:
> I'd like to setup a box with 2 NICs as a firewall which will also rate
> limits outbound traffic. What happens when/if that box hangs or is
> rebooted?
>
> I'd like a solution that when there is a failure, traffic can still go
> through the box even though the firewall and rate limiting functions will no
> longer be in effect.
>
Maybe it is more than what you need, but do you know the Virtual Router Redundancy
Protocol?
http://ftp.ietf.org/rfc/rfc2338.txt
There are several Linux implementations.
> I believe that this is "failing closed" but have yet to find an intuitive
> definition - "closed" to traffic going through or (the opposite of an "open"
> circuit) a "closed" circuit which would allow traffic?
>
* Re: [LARTC] failover strategies - failing open vs. failing closed.
From: Stef Coene @ 2004-12-28 19:28 UTC (permalink / raw)
To: lartc
On Tuesday 28 December 2004 14:29, Kelly Jeglum wrote:
> I'd like to setup a box with 2 NICs as a firewall which will also rate
> limits outbound traffic. What happens when/if that box hangs or is
> rebooted?
>
> I'd like a solution that when there is a failure, traffic can still go
> through the box even though the firewall and rate limiting functions will
> no longer be in effect.
I'm afraid that's not possible if the box is also doing NAT. What you can do
is use 2 boxes where only 1 of them is active. If it fails, the other takes
over.
Take a look at http://www.linuxvirtualserver.org/. You need the load balancer
part of it.
Stef
* Re: [LARTC] failover strategies - failing open vs. failing closed.
From: Jose Luis Araujo @ 2005-01-06 22:16 UTC (permalink / raw)
To: lartc
Hi.
Sorry for the delay. Hope you are still interested in the idea.
Kelly Jeglum wrote:
>I'd like to setup a box with 2 NICs as a firewall which will also rate
>limits outbound traffic. What happens when/if that box hangs or is
>rebooted?
>
>
If you are doing NAT or routing, then you need to use VRRPD with two
machines.
>I'd like a solution that when there is a failure, traffic can still go
>through the box even though the firewall and rate limiting functions will no
>longer be in effect.
>
>
If on the other hand you want just the rate limiting, then you can try
something. It only has a drawback: the switch that you will use must
have VLAN and STP.
The trick is this: you choose three ports and assign those to, say, VLAN
2, then choose another 3 ports and assign those to VLAN 3.
Enable STP on both VLANs, increase the port cost on one port on each
VLAN, and use a crossed cable to link them.
Connect a port from each VLAN to the bridge/rate limiter.
Connect the remaining port to your inner router, and to your outer router.
Now, the idea is, the VLANs will divide the switch virtually; traffic
from VLAN 2 won't go to VLAN 3 unless they are physically connected,
so they behave like two switches (which will also work, provided that the
switches permit VTP). When everything is working properly, the switch
will see two links from VLAN 2 to VLAN 3 and will disable the one with
the higher cost (the cross cable), so all your traffic will flow
through the bridge.
If the bridge stops, hangs or is disconnected, the switch will only see one
link (the cross cable) and will enable it, bypassing the bridge.
I have this setup in operation now, and it works great.
For those wondering, it is using a Cisco 2900XL and the fallback time is
from 30 to 50 seconds.
Hope it helps
José Araújo
* Re: [LARTC] failover strategies - failing open vs. failing closed.
From: Yaman Saqqa @ 2005-01-10 17:49 UTC (permalink / raw)
To: lartc
OK ... what about syncing connection tracking state tables between the
two routers/fw's? Is the ct_sync code from netfilter stable? Has
anyone used it in a production environment? The netfilter-failover
mailing list is pretty dead!
On Thu, 06 Jan 2005 22:16:42 +0000, Jose Luis Araujo
<jlaraujo@mercs.homeip.net> wrote:
> Hi.
>
> Sorry for the delay. Hope you are still interested in the idea.
>
> Kelly Jeglum wrote:
>
> >I'd like to setup a box with 2 NICs as a firewall which will also rate
> >limits outbound traffic. What happens when/if that box hangs or is
> >rebooted?
> >
> >
> If you are doing NAT or routing, then you need to use VRRPD with two
> machines.
>
> >I'd like a solution that when there is a failure, traffic can still go
> >through the box even though the firewall and rate limiting functions will no
> >longer be in effect.
> >
> >
> If on the other hand you want just the rate limiting, then you can try
> something. It only has a drawback: the switch that you will use must
> have VLAN and STP.
>
> The trick is this: you choose three ports and assign those to, say, VLAN
> 2, then choose another 3 ports and assign those to VLAN 3.
>
> Enable STP on both VLANs, increase the port cost on one port on each
> VLAN, and use a crossed cable to link them.
> Connect a port from each VLAN to the bridge/rate limiter.
> Connect the remaining port to your inner router, and to your outer router.
>
> Now, the idea is, the VLANs will divide the switch virtually; traffic
> from VLAN 2 won't go to VLAN 3 unless they are physically connected,
> so they behave like two switches (which will also work, provided that the
> switches permit VTP). When everything is working properly, the switch
> will see two links from VLAN 2 to VLAN 3 and will disable the one with
> the higher cost (the cross cable), so all your traffic will flow
> through the bridge.
> If the bridge stops, hangs or is disconnected, the switch will only see one
> link (the cross cable) and will enable it, bypassing the bridge.
>
> I have this setup in operation now, and it works great.
>
> For those wondering, it is using a cisco 2900XL and the fallback time is
> from 30 to 50 seconds.
>
> Hope it helps
>
> José Araújo
>
--
abulyomon
www.KiLLTHeUPLiNK.com