On 7/26/2012 1:54 AM, Ondrej Zajicek wrote:
On Wed, Jul 25, 2012 at 11:46:10PM +0300, Eliezer Croitoru wrote:
I'm kind of new to some of this stuff so I basically need directions.

I am working on a lab for a real implementation.
The way things work now is like this:

10 proxies behind 2 LBs that work based on Linux route policies.
The policies are "from ip/mask use routing table 10", which will take all
traffic from these sources through the proxy 10 route that is stored in Linux
routing table 10 and contains "default via proxy_ip".

There is a "master" server that gets live extended status of each proxy.
It can be up\down, load = 80% etc...
and if a route on the LB should be changed, it is committed
using a script over ssh almost manually.
..
So I want the master to monitor the proxy servers and, in case of a
change in the network status of a proxy for any reason, let's say down, I
would change the routes in the specific table and then send bird "configure
soft" to update the settings.

So if there is a nice method of combining all bird capabilities and some
routing protocol for the process, I will be very happy to hear about it.

Hello

That is an interesting setup. If you want just to synchronize tables
between master and LB, you could do that for one table on master and
one table on LB by using e.g. BGP (see comment below), but it is
problematic to synchronize several such tables. I guess that you could
have several parallel BGP sessions, one for each table, but you would
probably have to use a different pair of IP addresses for each BGP
session. Note that if 'master' crashes, the BGP sessions would go down and
the default routes in the LBs would disappear.

Thanks Ondrej for the notice.

I have seen this effect before while using BGP.
It's a known issue with BGP sessions.
Since they are all connected to one segment\switch, if something fails it's bad for the whole setup.

I think I have heard that there are ways to hold the routing tables after a disconnection for some amount of time. If you have knowledge about this or another option, I will be happy to hear about it.

I have tried to use BGP in a local AS between the master and the LB, but
it seems that on the LB, when it gets the static route, it states the
route as:
0.0.0.0 .... unreachable.

This is probably caused by 'gateway recursive' mode on BGP (default for IBGP).
See 'gateway direct' option and then question 'IBGP does not work ...' in FAQ:

https://git.nic.cz/redmine/projects/bird/wiki/FAQ


Nice.
I must say that since bird has a very unique syntax for config (I do like it though) it took me a while to get some of it. While reading this FAQ I got a bit confused on where I should put the "gateway direct;". It's obvious that some work on more examples in the wiki would make it much easier to understand the syntax.

Also, for a reason unknown, I registered to the wiki but am unable to login\reset or whatever I want to do with my account. The only thing is that I can get an email with a link that doesn't do anything to my eyes.

Another, completely different way how to implement this would be that
'master' would just announce which proxies are 'usable' (through one BGP
session) and LBs would fill all tables from this information. That could
be done using static recursive routes. For example for proxy 10.100.1.10
we will use auxiliary pseudo-IP 10.100.2.10 and if 10.100.1.10 is
usable, master will propagate pseudo-route:

10.100.2.10/32 via 10.100.1.10

to LB. On LB, there will be a static recursive route:

route default recursive 10.100.2.10

If master propagated that pseudo-route, this recursive route will appear as:

route default via 10.100.1.10

otherwise it will appear as

route default unreachable

This is a great idea.
Well, the truth is that the scenario is the old setup, which makes the whole thing more complicated to coordinate a couple of systems together such as filtering, cache, routing etc..

The LB is actually a routing server and the basic setup is
client-->gw\LNS-->LB-->proxy-->EDGE....
and back:
...EDGE-->LB-->proxy-->LNS\gw-->client

This setup is nice and works well, but I can actually remove the LB and use the EDGE as a LB to the proxy server. The edge is a very strong machine that can take all the stress of the network doubles**** so if I can give the setup one point of failure less, this is a very nice way to do so.


You could have such a recursive route for each proxy so you will get a
table with a set of default routes that are either correct or
unreachable. Unfortunately being unreachable does not lower route
priority, so you would have to use another table connected with pipe and
in the pipe filter you do something like 'if dest = RTD_UNREACHABLE then
prio = 1'. This will move all unreachable routes to the bottom, so the
reachable route with the highest configured priority will be used. This has
to be replicated for each table on LB (probably with a different priority
for each static route so that a different one will be used as the best one),
only the table with pseudo-routes received from master will be shared.

Adding pipes and filters will be very simple and really not such a huge thing for this small routing table.


It is pretty complex and I don't know if it does what you really need,
but it should work.

It's a bit complex, but it seems pretty straightforward
since the current setup is based on a routing table per prefix.
In the current setup it can be very nasty.

I have tested using one table with weighted default routes, something like this:
ip route append default scope global nexthop via 192.168.10.200 dev eth1 weight 1 nexthop via 192.168.10.201 dev eth1 weight 1

My design, compared to the current one, should be more user friendly.
It uses iptables marking and then, by the mark, uses a specific routing table.
This way I can redirect only web traffic on ports 80\8080\8000.
All the other packets will flow straight from the edge to the Internet,
so removing the LB machine and using only the edge router to perform the whole thing.

So a specific table with:
route prefix multipath via proxy1 weight 100 via proxy2 weight proxy2.
should do the job.


Thanks,
Eliezer

--
Eliezer Croitoru
https://www1.ngtech.co.il
IT consulting for Nonprofit organizations
eliezer <at> ngtech.co.il
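The pseudo-route design Ondrej describes above, written out as an added example BIRD configuration for the LB side; it is not from this thread or from the BIRD project, and it uses BIRD 1.x style syntax. Table names, the AS number, the neighbour addresses and the `igp table` lookup option for recursive static routes are assumptions; the master side only needs a static protocol with `route 10.100.2.10/32 via 10.100.1.10` (one per usable proxy) exported over the same IBGP session.

```bird
# LB side: pseudo-routes from master resolve recursive defaults,
# unreachable ones are demoted in a pipe, result goes to kernel table 10.
# Addresses, AS number and table names are assumed, not taken from the thread.

table pseudo;      # 10.100.2.x/32 pseudo-routes learned from master
table t10;         # candidate default routes for the "table 10" source group
table t10_out;     # same routes after re-prioritising, exported to the kernel

protocol bgp from_master {
    table pseudo;
    local as 65000;
    neighbor 10.100.0.1 as 65000;   # master (assumed address)
    gateway direct;                 # IBGP on a shared segment, see the FAQ
    import all;
    export none;
}

# One static protocol per proxy so each default route gets its own preference.
# The recursive route becomes "via 10.100.1.10" while master announces
# 10.100.2.10/32, and "unreachable" once that pseudo-route is withdrawn.
protocol static pref_proxy10 {
    table t10;
    igp table pseudo;   # assumed option: table used to resolve recursive routes
    preference 200;     # proxy 10 is the first choice for this source group
    route 0.0.0.0/0 recursive 10.100.2.10;
}

protocol static pref_proxy11 {
    table t10;
    igp table pseudo;
    preference 100;     # proxy 11 is the fallback
    route 0.0.0.0/0 recursive 10.100.2.11;
}

# Being unreachable does not lower preference by itself, so the pipe filter
# pushes unreachable candidates to the bottom before the best route is picked.
protocol pipe demote10 {
    table t10;
    peer table t10_out;
    export filter {
        if dest = RTD_UNREACHABLE then preference = 1;
        accept;
    };
    import none;
}

protocol kernel k10 {
    table t10_out;
    kernel table 10;    # the Linux table selected by the "from ip/mask" rule
    export all;
}
```

Each further source group repeats the two static protocols, the pipe and the kernel protocol with its own table number and a different preference order, while `pseudo` and the single BGP session stay shared.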
