NLB Recommendations

I'm looking for recommendations for network load balancers. These, at
this time, will primarily be used to attach to a cluster of webservers,
although I would like a solution which can be repurposed to other
applications later. I am looking at F5's Big IP, Cisco's SLB, and
Foundry's ServerIron at this time.

We have Cisco 11503s and F5 Big IPs in our network. I bought the Big
IPs because I was getting rather fed up with the Cisco stuff. Each has
their quirks but I think I prefer the F5, especially for box-to-box
redundancy. That's really rough with the Cisco gear unless you want to
fork out a lot of cash for their ridiculously expensive ethernet modules
so you can get a direct box-to-box connection.

If you have load-balanced servers behind an F5 that also must be
available for direct connection, then the F5 is a huge pain, while that
is extremely simple with the Cisco gear. Other than that, I think the
F5 is a better product and easier to manage once you get used to how it
works. If you've previously used the Cisco gear, you have to unlearn a
few concepts and terms in order to make sense of the F5 world.

Regards,
John

We've used Foundry ServerIrons successfully in various configurations for the
last four years.

Keith

Keith Washington
The Weather Channel Interactive, TWCi
770-226-2685 office, 404-225-0221 pager
keithw.pager@1weather.com text page

"John Neiberger" <John.Neiberger@efirstbank.com>
Sent by: owner-nanog@merit.edu
06/09/2004 01:57 PM
To: <nanog@merit.edu>
cc:
Subject: Re: NLB Recommendations

Hello,

I would like to hear from Charter Communication's network/security team why they have filtered outbound port 25 without any notice as of yesterday.

Does anybody else know of other cable/DSL providers that simply block outbound port 25?

thanks
arman

I wish Comcast and Verizon would block port 25.

You can easily get around the block by tunneling to a remote server.

-- Matthew

Cox does, and Adelphia is moving that way.

Good job, Charter.

W. Mark Herrick, Jr.
Director - Data and Network Security
Adelphia Communications
5619 DTC Parkway
Greenwood Village, CO 80111
(O) 303-268-6440
(C) 720-252-5929
(F) 303-268-6382

Many of 'em do. If your contract says you can run servers on
your connection, then you should call and complain.

On the other hand, if Charter prohibits running servers on your
connection...well, you get what you pay for.

Either way, this is one of those issues where everyone has an
opinion and they've all been stated before.

Or, just move your mail/SMTP port to 587 and you'll be fine.

DJ

Matthew McGehrin wrote:

But this is different - I'm not running a mail server -on- my Cox connection. I'm running one external to Cox but I can't connect to port 25 on it.

In reality this isn't a problem for me but it is for those who don't know how to configure their mail readers for a different outbound port.

A common counter argument is that those are the people who probably shouldn't have unfettered port 25 access.

However, I think this is time for my "spam-l is two folders over" comment.

Well, this could explain the large drop in SPAM loads seen by a lot of us (at least in part).

Cox also filters your e-mail on their SMTP server such that if it contains
both words "root" and "password" it will get silently dropped. This is
why I'm using an alternate port to bypass their SMTP server (or you
wouldn't get this e-mail).

Grisha

I find it hard to believe that Cox has secretly implemented a policy of
dropping all outgoing mail that contains the phrase "root password." In
fact, I just sent this e-mail to the NANOG mailing list via the Cox SMTP
server smtp.west.cox.net, so if they have implemented such a policy, they
haven't implemented it on all of their servers.

-Richard

* Arman <arman@unitedlayer.com> [2000-01-09 03:07]:

Does anybody else know of other cable/DSL providers that simply block
outbound port 25?

wish just everybody did...

I just tested it and it looks like it isn't happening anymore. But it
definitely was (smtp.east.cox.net), and made me look like an idiot in one
situation where I was convinced the recipient's filter was dropping my
e-mail. If you google usenet for "cox root password" you'll see other
people describing it.

To be fair, this was more likely a fluke and Cox isn't to blame since they
are just trying to do their best to deal with spam... My message was meant
more as a general warning to people, not an anti-Cox thing of any kind, my
cable modem has been very stable lately and throughput is excellent :)

Grisha

: But this is different - I'm not running a mail server -on- my Cox
: connection. I'm running one external to Cox but I can't connect to
: port 25 on it.

That's why port 587 was invented. It's the MSA (mail *submission* agent)
port, intended only for initial injection of mail into the SMTP delivery
network. Learn it, believe it, use it. 8)

Mail *SPAM* Agent? ;) When spammers also start probing for that port...
A site that has a bad port 25 policy will likely also have a bad
MSA policy. MSAs can also be open relays, just like standard port 25.

Splitting submission from transfer seems like a good idea, but in
light of good MTAs (so that the MSA doesn't need to add a handful
of headers) and also SMTP-AUTH and TLS, it doesn't make much difference.

Requiring *authentication*, be that on 25 or 587, is the way to go
here... but then that 'neighbor' will still have a misconfig and spam
straight away. Not even talking about the bots.

Greets,
Jeroen

: > That's why port 587 was invented. It's the MSA (mail *submission* agent)
: > port, intended only for initial injection of mail into the SMTP delivery
: > network. Learn it, believe it, use it. 8)
:
: Mail *SPAM* Agent? ;)

Port 587 should always be authenticated. If it isn't, that's a
misconfiguration.

(Of course, those of us on SPAM-L have even seen bots successfully perform
SMTP AUTH, but that's certainly in the minority. Port-25 blocking for
dynamic/residential ranges is still considered good form, as it does cut
down significantly on the level of unauthenticated wormspew.)
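The "587 should always be authenticated" point above, as an added Postfix example that is not from any poster in this thread: the first master.cf entry is the misconfiguration being warned about (submission listener offers AUTH in the clear and accepts unauthenticated clients), the second requires TLS before AUTH and rejects anyone who has not authenticated. It assumes Postfix with Dovecot SASL at the socket private/auth; the listener names and option values are standard Postfix parameters.

```conf
# --- master.cf: WEAK submission listener (what the thread warns against) ---
# AUTH is offered, but nothing forces it, and it can be sent over plaintext.
submission inet n       -       y       -       -       smtpd
  -o smtpd_sasl_auth_enable=yes

# --- master.cf: HARDENED submission listener ---
# TLS is mandatory, AUTH is only announced after STARTTLS, and any client
# that has not authenticated is rejected before it can even send RCPT TO.
submission inet n       -       y       -       -       smtpd
  -o syslog_name=postfix/submission
  -o smtpd_tls_security_level=encrypt
  -o smtpd_tls_auth_only=yes
  -o smtpd_sasl_auth_enable=yes
  -o smtpd_sasl_type=dovecot
  -o smtpd_sasl_path=private/auth
  -o smtpd_client_restrictions=permit_sasl_authenticated,reject
  -o smtpd_relay_restrictions=permit_sasl_authenticated,reject

# --- main.cf: port 25 stays an MTA, not an MSA ---
# Port 25 accepts mail for local domains only and never relays for
# unauthenticated clients outside the trusted networks.
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated, defer_unauth_destination
smtpd_sasl_auth_enable = no
```

Note that the `-o` option values in master.cf must contain no spaces, which is why the restriction lists are comma-joined there but space-separated in main.cf.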

We block outgoing port 25 for dynamic address users. It's strict policy.

br