* IBM Dispatcher X iptables AND linux advanced routing
@ 2005-06-22 17:17 Bruno Negrão
  2005-06-22 17:24 ` Seferovic Edvin
                   ` (2 more replies)
  0 siblings, 3 replies; 6+ messages in thread
From: Bruno Negrão @ 2005-06-22 17:17 UTC (permalink / raw)
  To: netfilter

Hi guys,

I'm reading documentation regarding high availability of an LDAP server, and this
document says it is possible to use an IBM network device called IBM Dispatcher
that can automatically divide the bandwidth between two LDAP servers (a master
and a slave server (that is a replica of the master)). But further on, it can
route all the LDAP traffic to only one server, if the other server is down.

I know it's possible to implement bandwidth control with linux, but what about 
the second feature? Does someone know if it's possible to implement the second 
feature using linux?

Thank you,
-------------------------------------------------
Bruno Negrao - Network Manager
Engepel Teleinformática. 55-31-34812311
Belo Horizonte, MG, Brazil 




* RE: IBM Dispatcher X iptables AND linux advanced routing
  2005-06-22 17:17 IBM Dispatcher X iptables AND linux advanced routing Bruno Negrão
@ 2005-06-22 17:24 ` Seferovic Edvin
  2005-06-22 18:14 ` Taylor, Grant
  2005-06-22 19:15 ` Andre Raabe
  2 siblings, 0 replies; 6+ messages in thread
From: Seferovic Edvin @ 2005-06-22 17:24 UTC (permalink / raw)
  To: netfilter

Hi,

I am not sure, but that Dispatcher has almost the same ability as a Radius
Proxy. The Radius Proxy is able to send the Request packets to different
servers ( AFAIK ), without the client knowing anything about it.

Though LDAP is not the same as RADIUS, I can imagine that one is able to
write a daemon ( on the balancer box ) that allows connections. And this
same daemon should be able to forward the queries to the real servers ( of
course the ones that are alive ). It also should be able to know which
servers are alive and which not...

Just my 50 cent... :D

Regards,

Edvin Seferovic 


* Re: IBM Dispatcher X iptables AND linux advanced routing
@ 2005-06-22 17:33 Bruno Negrão
  0 siblings, 0 replies; 6+ messages in thread
From: Bruno Negrão @ 2005-06-22 17:33 UTC (permalink / raw)
  To: netfilter

Hi Seferovic, thanks for answering.


>Though LDAP is not the same as RADIUS, I can imagine that one is able to
>write a daemon ( on the balancer box ) that allows connections. And this
>same daemon should be able to forward the queries to the real servers ( of
>course the ones that are alive ). It also should be able to know which
>servers are alive and which not...

Ok, but my question is not only about LDAP. The IBM Dispatcher is multipurpose,
so I'm looking for a multipurpose solution, if one exists, based on iptables +
advanced routing.

To write a daemon for this is not what I'm looking for right now.

Regards,
bnegrao 




* Re: IBM Dispatcher X iptables AND linux advanced routing
  2005-06-22 17:17 IBM Dispatcher X iptables AND linux advanced routing Bruno Negrão
  2005-06-22 17:24 ` Seferovic Edvin
@ 2005-06-22 18:14 ` Taylor, Grant
  2005-06-22 19:15 ` Andre Raabe
  2 siblings, 0 replies; 6+ messages in thread
From: Taylor, Grant @ 2005-06-22 18:14 UTC (permalink / raw)
  To: netfilter

Hmm, interesting question.  The short answer is yes, the long answer is yes you can do something similar in multiple ways.  The first thing that comes to mind that would satisfy the 2nd half of your question "...route all <your favorite service here> traffic to only one server if the other server is down." is VRRP (Virtual Router Redundancy Protocol).  VRRP is not a load balancer but it will allow you to send your traffic to multiple servers and have one answer for you no matter which one is down.  VRRP works by taking two or more systems (routers for what it was designed for but it should be able to be used for other things too) and having them collectively act like an additional virtual server, such that they collectively (in turn *) answer for the virtual IP that they pretend to be.  The boxen running vrrpd will periodically probe each other (ping / look for heart beat from other (master) system(s)) and take over the active role of the virtual IP if the "acting" master is not or has not responded within a specified amount of time.  VRRP will make a virtual IP and MAC that is common among all the systems running in the VRRP system so as to not confuse any client systems that are connecting to it.  You can get more information on VRRP at http://sourceforge.net/projects/vrrpd/.

The other method that comes to mind is a Linux Virtual Server.  LVS is really a load balancer that routes jobs to two or more servers behind the LVS router to handle the job.  I have not read much about LVS so I can not talk about it as much as I can VRRP.  But from what I have read the LVS router will monitor each "real" server behind it and remove a dead / non responding server from the list of available servers to route jobs to, thus ensuring that all jobs are handled and that no down or over loaded server gets traffic when it is unable to handle it.  From my reading (what little of it I have done) LVS has 3 different ways to route traffic to the real server that handles it, each with its pros and cons.  You can get more information on LVS at http://www.linuxvirtualserver.org/.

From a removed point of view VRRP will very easily provide your fail over and redundancy for any system to fail, however there will only be one "system" doing the work and thus not load balance.  Whereas LVS will be able to load balance across multiple "systems" that are actually doing the work and redirect to different systems if a worker is down.  However it looks like if the LVS router goes down your entire logical system goes down.

Thus I would be tempted to use a combination of VRRP and LVS to ensure the maximum uptime and availability.  To do so you would want to have two or more systems configured identically as LVS routers that were responding on a VRRP IP address.  Thus if either of the LVS routers went down and took the virtual IP that LVS was functioning on, VRRP would automatically activate the virtual IP on one of the other VRRP systems that was configured as an identical LVS router.  During this transition you might have some state of an ongoing connection lost and thus redirected (unless you found a way to share the state information between multiple LVS servers).

I don't know if this answer is overkill or not, but this is just my take on what you asked.  I would not mind playing with VRRP and would be willing to help get something up and running if you would like some additional help.  I suppose I could be persuaded to do some work with LVS too...



Grant. . . .

Bruno Negrão wrote:
> Hi guys,
> 
> I'm reading a documentation regarding high availability of LDAP server,
> and this document says it is possible use an IBM network device called
> IBM Dispatcher that can automatically divide the bandwidth between two
> LDAP servers (a master and a slave server (that is a replica of the
> master)). But further on, it can route all the LDAP traffic to only one
> server, if the other server is down.
> 
> I know it's possible to implement bandwidth control with linux, but what
> about the second feature? Does someone know if it's possible to
> implement the second feature using linux?
> 
> Thank you,
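
The VRRP plus LVS combination described in the message above, modelled as an added example that is not part of the original thread and is not vrrpd or LVS code. The class names, the 3-second heartbeat timeout, the round-robin choice and the 192.0.2.x addresses are assumptions made for the illustration.

```python
from dataclasses import dataclass

ADVERT_TIMEOUT = 3  # assumed: seconds of silence before a backup takes the virtual IP

@dataclass
class Director:              # an LVS router that is also a VRRP member
    name: str
    priority: int
    last_heartbeat: float = 0.0

@dataclass
class RealServer:            # a worker behind the LVS routers
    addr: str
    alive: bool = True       # result of the director's health check

def vip_owner(directors, now):
    """VRRP side: the highest-priority director heard from recently holds the virtual IP."""
    fresh = [d for d in directors if now - d.last_heartbeat <= ADVERT_TIMEOUT]
    return max(fresh, key=lambda d: d.priority, default=None)

def schedule(pool, n):
    """LVS side: round-robin over the real servers that passed their health check."""
    live = [s for s in pool if s.alive]
    if not live:
        raise RuntimeError("no real server available")
    return live[n % len(live)]

def handle(directors, pool, now, n):
    """Return (director holding the virtual IP, real server chosen) for request n."""
    owner = vip_owner(directors, now)
    if owner is None:
        raise RuntimeError("virtual IP is unowned")
    return owner.name, schedule(pool, n).addr

def demo():
    lvs = [Director("lvs1", 150), Director("lvs2", 100)]
    ldap = [RealServer("192.0.2.11"), RealServer("192.0.2.12")]  # constructed addresses
    out = [handle(lvs, ldap, now=0, n=i) for i in range(2)]      # everything healthy
    ldap[1].alive = False                                        # replica fails its check
    out += [handle(lvs, ldap, now=1, n=i) for i in range(2)]     # all jobs go to the master
    lvs[1].last_heartbeat = 5                                    # lvs1 has been silent since t=0
    out.append(handle(lvs, ldap, now=5, n=0))                    # lvs2 now answers for the VIP
    return out

if __name__ == "__main__":
    for step in demo():
        print(step)
```
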




* Re: IBM Dispatcher X iptables AND linux advanced routing
  2005-06-22 17:17 IBM Dispatcher X iptables AND linux advanced routing Bruno Negrão
  2005-06-22 17:24 ` Seferovic Edvin
  2005-06-22 18:14 ` Taylor, Grant
@ 2005-06-22 19:15 ` Andre Raabe
  2005-06-22 19:33   ` Seferovic Edvin
  2 siblings, 1 reply; 6+ messages in thread
From: Andre Raabe @ 2005-06-22 19:15 UTC (permalink / raw)
  To: netfilter


On Wed, Jun 22, 2005 at 02:17:37PM -0300, Bruno Negrão wrote:
> 
> I know it's possible to implement bandwidth control with linux, but what 
> about the second feature? Does someone know if it's possible to implement 
> the second feature using linux?
> 
Maybe take a look at the ClusterIP feature available in newer kernel
versions. From the iptables man page:
 CLUSTERIP
 This module allows you to configure a simple cluster of nodes that
 share a certain IP and MAC address without an explicit load
 balancer in front of them. Connections are statically distributed
 between the nodes in this cluster.
 
Another possible solution would be IPVS [1], which implements 
transport-layer load balancing.

[1] http://www.linuxvirtualserver.org/software/ipvs.html

Best regards,

-- 
Andre Raabe <raabe@tuxknowledge.org>

GnuPG: 0x5FF2A39C | ECBD D562 72C9 DD1B B741 52C0 AFE1 8DA7 5FF2 A39C
http://www.tuxknowledge.org | bash@jabber.ccc.de | encryption welcome


* RE: IBM Dispatcher X iptables AND linux advanced routing
  2005-06-22 19:15 ` Andre Raabe
@ 2005-06-22 19:33   ` Seferovic Edvin
  0 siblings, 0 replies; 6+ messages in thread
From: Seferovic Edvin @ 2005-06-22 19:33 UTC (permalink / raw)
  To: netfilter

Hi,

How can this be achieved? When I have three boxes with the CLUSTERIP
enabled, and each box is connected to a switch and they all have the same IP
address, how will balancing work in such a case?

I am sorry for my bad understanding of clustering concepts. Can somebody
give me a hint where to look ( I would prefer a HowTo explaining how to
set up two boxes and load balancing between those ).

TIA

Regards,

Edvin Seferovic
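
A model of the static distribution that the quoted man page text describes, for three boxes sharing one IP and MAC. This is an added example, not part of the original thread and not the kernel module's code: the CRC32 hash is a stand-in for the module's own hash, and the node names, client addresses and failover helper are assumptions.

```python
import ipaddress
import zlib

TOTAL_NODES = 3  # constructed cluster size: the three boxes from the question

def bucket(src_ip, total_nodes=TOTAL_NODES, hash_init=0):
    """Map a client source IP to a node number 1..total_nodes.

    Stand-in hash (CRC32 seeded with hash_init). What matters is that every
    box computes the same bucket for the same client.
    """
    packed = ipaddress.ip_address(src_ip).packed
    return zlib.crc32(packed, hash_init) % total_nodes + 1

class Node:
    def __init__(self, local_node):
        self.name = f"box{local_node}"
        self.responsible = {local_node}   # buckets this box answers for

    def accepts(self, src_ip):
        # Every box receives the packet (shared IP and MAC); only the box
        # that owns the bucket processes it, the others drop it.
        return bucket(src_ip) in self.responsible

def deliver(nodes, src_ip):
    """Return the names of the boxes that accept a packet from src_ip."""
    return [n.name for n in nodes if n.accepts(src_ip)]

def fail_over(nodes, dead, survivor):
    """Remove a dead box and hand its buckets to a surviving box."""
    survivor.responsible |= dead.responsible
    nodes.remove(dead)

CLIENTS = [f"198.51.100.{i}" for i in range(1, 61)]  # constructed client IPs

def demo():
    nodes = [Node(i) for i in (1, 2, 3)]
    before = {ip: deliver(nodes, ip) for ip in CLIENTS}
    fail_over(nodes, dead=nodes[1], survivor=nodes[0])   # box2 goes down
    after = {ip: deliver(nodes, ip) for ip in CLIENTS}
    return before, after

if __name__ == "__main__":
    before, after = demo()
    moved = [ip for ip in CLIENTS if before[ip] != after[ip]]
    print(f"{len(moved)} of {len(CLIENTS)} clients moved after box2 failed")
```

Only the clients that hashed to the failed box change owner; every other client keeps talking to the same box, which is what "statically distributed" means in practice.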
