[AusNOG] Experiences with web load balancers
Dobbins, Roland
rdobbins at arbor.net
Fri Jan 15 13:56:27 EST 2010
On Jan 15, 2010, at 6:12 AM, Michael Richardson wrote:
> I'm a CCNP, so I'm leaning towards Cisco, but the 4710s aren't really Cisco boxes anyway, just re-badged Arrowpoints.
Actually, this is incorrect.
Cisco have set forth four successive generations of load-balancers, from four separate acquisitions, all with completely different operating paradigms and all bearing no relation to one another in terms of capabilities, deployment scenarios, or anything else. The Arrowpoint acquisition - the Arrowpoint-based devices were horrible junk, totally unusable in any kind of real production environment - was the second generation. The ACE devices represent the fourth generation, again, from a completely separate acquisition.
> I'm hoping to get some feedback on good and bad experiences with different vendors.
My unremittingly poor experiences with all four generations of Cisco load-balancers in large-scale environments have led me to the conclusion that the Cisco load-balancers are completely inappropriate for anything other than internal, medium-enterprise applications. Cisco in fact do not market their load-balancers for large-scale Internet deployments, but rather focus on enterprise applications.
Netscaler and F5 would be my recommendation, if mod_backhand won't suffice for your particular application.
<http://www.backhand.org/mod_backhand/>
Under no circumstances would I recommend any of the various Cisco load-balancers for public-facing applications.
And whichever load-balancing system you end up using, keep in mind that it's a stateful DDoS chokepoint; one must implement BCPs such as stateless ACLs in hardware to enforce policy, S/RTBH and/or other mechanisms as a DDoS reaction mechanism, et al. The load-balancing system itself, and everything southbound of it, must be protected against DDoS.
-----------------------------------------------------------------------
Roland Dobbins <rdobbins at arbor.net> // <http://www.arbornetworks.com>
Injustice is relatively easy to bear; what stings is justice.
-- H.L. Mencken