DaemonForums  

Redundancy for colocation

#1, posted 5th March 2014 by pttymuth (Port Guard, joined Jul 2013, 13 posts)

Hi All

I'm hoping to get some advice on protecting a few websites hosted from a colocation rack. There is no schedule or deadline for it, so I'd like to take the time to design a robust setup before making heavy use of the servers. I have a vague idea of what it is that I'm looking for, but I don't know enough about complicated protocols like OSPF, BGP, and STP to reason whether or not they're necessary and/or where to place them.

I can get 6U of space for a good price, and I already have two light-duty 1U boxes with a lot of NICs and two beefier 2U boxes. I'm thinking of turning the 1U boxes into a redundant firewall with relayd load balancing (RNET) to the two boxes behind it. The two 2U boxes are acting as redundant web application servers (RWAS). This diagram shows what it might look like:
Code:
 
           ISP                    ISP
            |                      |   
            |                      |   
            |                      |   
      ---------------      ---------------
      |     if1     |      |     if1     |
      |  RNET1      |      |   RNET2     |
      |          if0|__  __|if0          | 
      |             |  \/  |             |
      |          if3|__/\__|if3          |
      |          if2|------|if2          |
      |    if4,5,6  |      | if6,5,4     |
      ---------------      ---------------
              | |\            /| |
              | | \          / | |
              | |  \        /  | |
              | |   \      /   | |
              | |    \    /    | |
              | |     \  /     | |
              | |      \/      | |
              | |      /\      | |
              | |     /  \     | |
              | |    /    \    | |
         -------------   -------------
         | if0,1,2   |   | if2,1,0   |
         |  RWAS1    |   |  RWAS2    |
         -------------   -------------
There will only be one ISP.

RNET1 and RNET2 are the 1U boxes with lots of NICs.

RWAS1 and RWAS2 are the 2U boxes with more processing power.

For RNETs:
- if0 - Dedicated IPMI port, not visible to the device's OS
- if1 - ISP connection. Dedicated Public IP for management and a shared public VIP used by relayd through if2 CARP...
- if2 - CARP for both RNET1 and RNET2
- if3 - "IPMI-IN" RNET1's if3 is connected to RNET2's if0, RNET2's if0 is connected to RNET1's if3. Makes it possible to reach an offline RNET from an online RNET. These should probably only be accessible to someone connecting through a VPN or SSH tunnel. Private IP.
- if4 - Connected to RWAS1's if2 or RWAS2's if1. Load balances using relayd to RWASs, SSL acceleration, also forwards SSH connections.
- if5 - Connected to RWAS2's if2 or RWAS1's if1. Load balances using relayd to RWASs, SSL acceleration, also forwards SSH connections.
- if6 - Connected to RWAS1's if0 or RWAS2's if0. Only to be used for Wake-On-LAN. Private IP.

For RWASs:
- if0 - Management port for the RWAS servers. Will have Wake-On-LAN enabled. These should probably only be accessible to someone connecting through a VPN or directly from the RNETs. Private IP.
- if1 - Connected to RNET1 and RNET2. Allows both RWAS1 and RWAS2 to communicate through either RNET1 or RNET2, even when one of the RNETs is offline. Gets HTTP and SSH connections. Public IP.
- if2 - Connected to RNET1 and RNET2. Allows both RWAS1 and RWAS2 to communicate through either RNET1 or RNET2, even when one of the RNETs is offline. Gets HTTP and SSH connections. Public IP.

IPs / Routing
The RWAS if1 and if2 interfaces will have their own public IP addresses.

Questions:

1. Does this make sense?
2. Will OSPF, STP, or BGP be needed to implement this?

As the servers become available to me, I'll update the thread with any new developments.
#2, posted 6th March 2014 by jggimi (More noise than signal, USA, joined May 2008, 7,975 posts)

I don't believe, based on what you've posted, that you'll require use of either of the routing management protocols, nor should you require the bridge loop management protocol. The clients will reach this farm via its single outward facing carp(4) address. Your relayd(8) load balancer will manage the traffic to the back ends at Layer 3 and/or Layer 7, and carp(4) will manage back end redundant links as well.

I've set up a similar infrastructure with relayd, where the web servers were on separate platforms from the application servers and the database servers. I used relayd to manage all of the traffic between the web (nginx) and application (php-fpm) servers. However, all of that was in a lab environment; the infrastructure was never launched in production.
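To make the answer above concrete, here is an added example of the OpenBSD configuration it implies for the two RNET boxes. It is not code from either poster, and it rests on the following assumptions: OpenBSD with em(4) NICs, where em1 is the ISP-facing interface (the question's if1, which carries the shared CARP VIP), em2 is the private crossover between the RNETs (the question's if2, used here to carry pfsync), and em3/em4 are the links down to RWAS1 and RWAS2 (the question's if4/if5); RFC 5737 documentation addresses, 203.0.113.10 for the VIP and 192.0.2.11/.12 for the RWAS back ends; and a CARP password chosen for this example. Everything is identical on both RNETs except the advskew value, which makes RNET1 the preferred master. The keyword tls in relayd.conf is the spelling used from OpenBSD 5.7 on; releases current at the time of this thread spelled it ssl.

```conf
# ---- /etc/hostname.carp0 (both RNETs) --------------------------------------
# The single outward-facing address clients connect to.  Same vhid and
# password on both boxes.  Example (RFC 5737) address and example password.
inet 203.0.113.10 255.255.255.0 203.0.113.255 vhid 1 carpdev em1 pass s3cretpass advskew 0
# On RNET2 the line is identical except:  advskew 100

# ---- /etc/hostname.pfsync0 (both RNETs) ------------------------------------
# Replicates the pf state table over the dedicated crossover (em2), so
# established connections survive a failover.  pfsync is neither encrypted
# nor authenticated: this link must be a private, dedicated cable.
up syncdev em2

# ---- /etc/sysctl.conf (both RNETs) -----------------------------------------
net.inet.carp.preempt=1      # lets the backup take over, and demotes the whole
                             # carp group when any one member's link goes down
net.inet.ip.forwarding=1     # required for the Layer 3 redirect below

# ---- /etc/pf.conf (both RNETs) ---------------------------------------------
ext_if   = "em1"
sync_if  = "em2"
int_ifs  = "{ em3 em4 }"                  # links to RWAS1 and RWAS2
ext_addr = "203.0.113.10"                 # the carp0 VIP
rwas     = "{ 192.0.2.11 192.0.2.12 }"    # example back-end addresses

set skip on lo
block all
pass quick on $sync_if proto pfsync       # state replication, crossover only
pass on $ext_if proto carp                # CARP advertisements on the ISP side
anchor "relayd/*"                         # relayd installs its rdr-to rules here
pass in proto tcp to $ext_addr port { 80 443 }
pass out on $int_ifs proto tcp to $rwas port 80
pass out on $ext_if                       # the RNETs' own outbound traffic

# ---- /etc/relayd.conf (both RNETs) -----------------------------------------
ext_addr = "203.0.113.10"
table <webhosts> { 192.0.2.11 192.0.2.12 }

# Layer 3: plain HTTP is redirected by pf itself; relayd only adds and removes
# back ends from the table as the health check passes or fails.
redirect "www" {
        listen on $ext_addr port 80
        forward to <webhosts> port 80 check http "/" code 200
}

# Layer 7: relayd terminates TLS (the "SSL acceleration" from the question)
# and proxies to the back ends in the clear.  The key and certificate are
# read from /etc/ssl/private/203.0.113.10.key and /etc/ssl/203.0.113.10.crt.
http protocol "httpfilter" {
        match request header set "X-Forwarded-For" value "$REMOTE_ADDR"
        match request header set "X-Forwarded-By" value "$SERVER_ADDR:$SERVER_PORT"
        tcp { nodelay, sack }
}

relay "wwwtls" {
        listen on $ext_addr port 443 tls
        protocol "httpfilter"
        forward to <webhosts> port 80 check http "/" code 200
}
```

Nothing here speaks OSPF or BGP: the ISP sees one static address, and carp(4) decides which box answers for it. Nor is there a loop for STP to break, since each RNET-to-RWAS cable is a separate point-to-point link with its own subnet rather than a bridged segment. With preempt enabled, losing link on em1 of the master demotes its whole carp group, RNET2 becomes master, and because pfsync has been mirroring the state table over em2, connections that were mid-flight continue through the new master. relayd on both boxes runs the same health checks, so a dead RWAS drops out of <webhosts> on whichever RNET is active. Before going live, check the result with pfctl -nf /etc/pf.conf and relayd -n on each box, and watch the carp0 state with ifconfig carp0 while pulling the ISP cable on the master.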