VRF - Virtual Routing and Forwarding

April 6th, 2008

VRF is a method to maintain separate and distinct routing tables on a router. You can assign an interface to a VRF, and it will not be able to communicate with interfaces in other VRFs. You can use the same IP address in VRF1 and VRF2, for example, and they will not clash or cause routing loops. We will be using VRF with BGP to create a protected segment of our network. This segment will be filtered automatically by some anti-DDOS devices, since the traffic will have to go through them. The setup is quite sophisticated and requires new features of the IOS. The Juniper approach is much cleaner and more understandable. I have to admit that it’s not my idea to use VRF and that I would never have come to such a conclusion. There is so much to learn…
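To make the "separate routing tables" point concrete, here is a small added model of a router with two VRFs (this is illustration code written for this page, not IOS configuration and not the setup the post describes). The VRF names, interface names and prefixes are constructed; the same prefix and the same next-hop address are installed in both tables, and a lookup is only ever done in the table of the ingress interface's VRF, so an address known only to one VRF is unreachable from the other.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    interface: str


class Vrf:
    """One independent routing table (assumed simplified model of a VRF)."""

    def __init__(self, name):
        self.name = name
        self.routes = []

    def add_route(self, prefix, next_hop, interface):
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, interface))

    def lookup(self, dst):
        # Longest-prefix match, but only among routes in this VRF's table.
        addr = ipaddress.ip_address(dst)
        matches = [r for r in self.routes if addr in r.prefix]
        return max(matches, key=lambda r: r.prefix.prefixlen, default=None)


class Router:
    def __init__(self):
        self.vrfs = {}
        self.iface_vrf = {}  # interface -> VRF name

    def create_vrf(self, name):
        self.vrfs[name] = Vrf(name)
        return self.vrfs[name]

    def assign_interface(self, iface, vrf_name):
        self.iface_vrf[iface] = vrf_name

    def forward(self, ingress_iface, dst):
        """Return (vrf, egress interface, next hop); egress is None when the VRF has no route."""
        vrf = self.vrfs[self.iface_vrf[ingress_iface]]
        route = vrf.lookup(dst)
        if route is None:
            return (vrf.name, None, None)
        return (vrf.name, route.interface, route.next_hop)


def build_demo_router():
    # Constructed topology: a CLEAN VRF and a PROTECTED VRF whose egress sits
    # behind the filtering devices. Names and addresses are assumptions.
    r = Router()
    clean = r.create_vrf("CLEAN")
    protected = r.create_vrf("PROTECTED")
    r.assign_interface("Gi0/1", "CLEAN")
    r.assign_interface("Gi0/3", "PROTECTED")
    # Identical prefix and identical next-hop address in both VRFs: no clash,
    # because each table is consulted on its own.
    clean.add_route("10.0.0.0/24", "10.0.0.1", "Gi0/2")
    protected.add_route("10.0.0.0/24", "10.0.0.1", "Gi0/4")
    # A more specific route that exists only in PROTECTED.
    protected.add_route("10.0.0.0/25", "10.0.0.126", "Gi0/5")
    # A prefix that exists only in PROTECTED; CLEAN must not be able to reach it.
    protected.add_route("192.168.5.0/24", "10.0.0.1", "Gi0/4")
    return r


if __name__ == "__main__":
    r = build_demo_router()
    for iface, dst in [("Gi0/1", "10.0.0.5"), ("Gi0/3", "10.0.0.5"),
                       ("Gi0/3", "10.0.0.200"), ("Gi0/1", "192.168.5.5")]:
        print(iface, dst, "->", r.forward(iface, dst))
```

The last lookup is the security-relevant one: a packet arriving on a CLEAN interface gets no route to 192.168.5.5 even though the router knows that prefix, because it is only in the PROTECTED table. That isolation is what lets the protected segment be forced through the filtering devices.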

Reverse proxy

March 25th, 2008

I am currently evaluating some reverse proxy and load balancing servers. I have installed and tested lighttpd with mod_cache and mod_proxy_core and Litespeed. I have not yet tested Squid. Overall, I must admit Litespeed is a very nice product.

Litespeed v4 will have caching support. The current version has only reverse proxy without caching. The configuration is easy in the web interface. You only have to understand their concept, which is similar to that of Apache: Server -> Listener (IP and Port pair) -> Virtual Host. The big advantage is that you can set usage limits at every level: number of simultaneous connections per client IP, per vhost, bandwidth per client IP, per vhost, per server… The request filter and context are very nice. You can ban/filter by URI, POST content, user agent… It uses the mod_security syntax. Litespeed is commercial, however. I will have to evaluate the licensing costs to see if it is worth the hassle.
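The two features singled out above, per-level connection limits and a request filter on URI, POST content and user agent, are easy to reason about with a small model. The following is an added example written for this page; it is not Litespeed code and does not use the mod_security syntax. The rule format, the three limit levels (client IP, vhost, whole server) and all addresses and requests are constructed assumptions.

```python
import re
from collections import Counter
from dataclasses import dataclass


@dataclass
class Request:
    client_ip: str
    vhost: str
    uri: str
    user_agent: str
    body: str = ""


class RequestFilter:
    """Deny rules on URI, POST body and User-Agent, checked before proxying (assumed format)."""

    def __init__(self, uri_rules=(), body_rules=(), ua_rules=()):
        self.rules = ([("uri", re.compile(p)) for p in uri_rules]
                      + [("body", re.compile(p)) for p in body_rules]
                      + [("user_agent", re.compile(p)) for p in ua_rules])

    def deny_reason(self, req):
        for field_name, pattern in self.rules:
            if pattern.search(getattr(req, field_name)):
                return f"{field_name} matched {pattern.pattern!r}"
        return None


class ConnectionLimiter:
    """Concurrent-connection ceilings at client IP, vhost and server level."""

    def __init__(self, per_ip, per_vhost, per_server):
        self.limits = {"ip": per_ip, "vhost": per_vhost, "server": per_server}
        self.active = {"ip": Counter(), "vhost": Counter(), "server": Counter()}

    def _keys(self, req):
        return {"ip": req.client_ip, "vhost": req.vhost, "server": "*"}

    def acquire(self, req):
        keys = self._keys(req)
        # Check every level first so a refused request consumes nothing.
        for level, key in keys.items():
            if self.active[level][key] >= self.limits[level]:
                return f"{level} limit {self.limits[level]} reached"
        for level, key in keys.items():
            self.active[level][key] += 1
        return None

    def release(self, req):
        for level, key in self._keys(req).items():
            self.active[level][key] -= 1


def admit(limiter, filt, req):
    """Filter first (cheap, no state), then take a connection slot."""
    reason = filt.deny_reason(req) or limiter.acquire(req)
    return "denied: " + reason if reason else "proxied"


def demo():
    # Constructed rules and traffic; addresses are from the documentation range.
    filt = RequestFilter(uri_rules=[r"\.\./"], body_rules=[r"(?i)<script"], ua_rules=[r"^$"])
    limiter = ConnectionLimiter(per_ip=2, per_vhost=3, per_server=4)
    ua = "Mozilla/5.0 (constructed)"
    reqs = [
        Request("198.51.100.10", "shop", "/index.html", ua),
        Request("198.51.100.10", "shop", "/img/../../secret.txt", ua),  # URI rule
        Request("198.51.100.10", "shop", "/cart", ua),
        Request("198.51.100.10", "shop", "/checkout", ua),              # per-IP limit
        Request("198.51.100.11", "shop", "/", ua),
        Request("198.51.100.12", "shop", "/", ua),                      # per-vhost limit
        Request("198.51.100.12", "blog", "/", ua),
        Request("198.51.100.13", "blog", "/", ua),                      # server limit
        Request("198.51.100.14", "blog", "/post", ""),                  # empty UA rule
    ]
    results = [admit(limiter, filt, r) for r in reqs]
    limiter.release(reqs[0])  # first client finishes; its slot is free again
    results.append(admit(limiter, filt, Request("198.51.100.10", "shop", "/again", ua)))
    return results


if __name__ == "__main__":
    for line in demo():
        print(line)
```

Note the ordering: the content filter runs before a connection slot is taken, so a request that is going to be refused anyway never counts against the client's or the vhost's ceiling, and a denied request at one level leaves the counters of the other levels untouched.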

I had some problems with mod_cache and mod_proxy_cache working properly. I will have to check it again. mod_cache is a third party module and not maintained by the main lighttpd developer. This is a big downside.

I have read Squid documentation but did not find any filtering capability. If there were a mod_security port, that would be great. I will have to install and evaluate Squid anyway.

So far, I am impressed with Litespeed and can’t wait to see version 4.

TCP Anycast

March 23rd, 2008

Anycast routing is a load balancing and redundancy technique that is being used by many companies now. F.root-servers.net runs under anycast. Cachefly too. Anycast is basically having several servers using the same IP address that are geographically dispersed. They use BGP to announce the anycast/virtual IP address. The end-user connects to the nearest server network-wise (BGP). If the server crashes, the BGP session will terminate also. The anycast/virtual IP address will no longer be announced and routed to the crashed server. The traffic will be sent to the remaining anycast servers.

It is a very clever technique involving the use of BGP. It is advisable to run some load balancing software behind the anycast IP. Anycast can also be used for stateful connections (TCP). The routing must be stable otherwise the end-user would ‘hop’ among the anycast servers. This may cause some session issues.
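The failover behaviour described two paragraphs up and the TCP caveat just above can both be shown with one small added model (written for this page, not code from the post or from any of the networks it mentions). The AS numbers are from the private range, the prefix is from the documentation range, and the server names are constructed; BGP is reduced to "shortest AS path wins", which is enough to show why a stable path keeps a TCP connection on one server and a flapping path breaks it.

```python
from dataclasses import dataclass

ANYCAST_PREFIX = "192.0.2.0/24"  # constructed example prefix (documentation range)


class AnycastRib:
    """BGP paths one network sees for the anycast prefix (assumed simplified RIB)."""

    def __init__(self):
        self.paths = {}  # origin server name -> AS path tuple

    def announce(self, server, as_path):
        self.paths[server] = tuple(as_path)

    def withdraw(self, server):
        # The server's BGP session dropped, so its announcement disappears.
        self.paths.pop(server, None)

    def best(self):
        # Shortest AS path wins; the path itself is the tie-breaker, for determinism.
        if not self.paths:
            return None
        return min(self.paths, key=lambda s: (len(self.paths[s]), self.paths[s]))


@dataclass
class TcpSession:
    server: str        # the anycast instance holding this connection's state
    delivered: int = 0
    broken: bool = False


def open_session(rib):
    target = rib.best()
    return TcpSession(server=target) if target else None


def send_segments(rib, session, count):
    """Each segment follows the current best path; a different instance has no state for it."""
    for _ in range(count):
        if rib.best() != session.server:
            session.broken = True
            return session
        session.delivered += 1
    return session


def run_scenarios():
    rib = AnycastRib()
    rib.announce("paris", (64500, 64496))
    rib.announce("tokyo", (64500, 64510, 64497))

    # Stable routing: every segment reaches the same (nearest) instance.
    steady = send_segments(rib, open_session(rib), 5)

    # The nearest instance crashes: its route is withdrawn, new connections go elsewhere.
    rib.withdraw("paris")
    failover = send_segments(rib, open_session(rib), 5)

    # Route comes back mid-connection: the path changes and the TCP session is lost.
    session = open_session(rib)
    send_segments(rib, session, 2)
    rib.announce("paris", (64500, 64496))
    flapped = send_segments(rib, session, 3)

    return {"steady": steady, "failover": failover, "flapped": flapped}


if __name__ == "__main__":
    for name, s in run_scenarios().items():
        print(f"{name}: server={s.server} delivered={s.delivered} broken={s.broken}")
```

The third scenario is the one to watch for with TCP: nothing crashed, yet the connection died because the best path moved while it was open. For DNS over UDP the same event costs at most one retried query, which is why the post treats UDP anycast as the easy case.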

While maintaining the simplicity of our network, I am trying to design a redundant, resilient service that can use anycast as a technique. UDP anycast for DNS is easy to set up. But more thought must be given to TCP anycast, however.