arp_ignore and arp_announce parameters in DR and Tun modes (Load Balancing)

Source: Internet
Author: User
First, let us explain why the arp_ignore and arp_announce parameters must be configured on the real servers in DR and Tun mode; the reason is tied to how the DR and Tun modes work:

First: both modes use an asymmetric traffic model. The client's request reaches LVS (the director), which forwards it to a real server (RS); the RS's reply does not travel back through LVS but is sent directly to the client.
IP tunneling in brief:
A tunnel is, in effect, a router encapsulating packets of one network-layer protocol inside another protocol so that they can cross the network to a second router. The sending router encapsulates the routed protocol's packet and transmits it; the receiving router unpacks the received packet and extracts the original protocol packet; the intermediate routers along the path do not care what the encapsulated protocol is. The encapsulating protocol is called the transport protocol; in Cisco IOS, IP is the only transport protocol available. The encapsulated protocol, for example IPX or AppleTalk, is called the passenger protocol. Note that a tunnel is a point-to-point link and must be configured at both ends. In LVS-Tun the passenger protocol is also IP: the director wraps the client's original IP packet (CIP -> VIP) inside an outer IP packet addressed to the real server's own address (IPIP encapsulation), and the real server strips the outer header before handling the inner packet, which is still addressed to the VIP.





DR Mode

1. The user (client, address CIP) sends a request to the VIP.
2. As the figure above shows, the VIP is configured on both the director server and every real server. When the request reaches the front-end router of the cluster network, its source address is CIP and its destination address is VIP, so the router broadcasts an ARP request asking who owns the VIP. Because every node in the cluster carries the VIP, whichever node answers first would receive the user's traffic, which would make the cluster meaningless. Therefore either a static ARP entry is configured on the gateway router mapping the VIP to the director server's MAC address, or a mechanism is used so that the real servers never answer ARP requests for the VIP (the arp_ignore/arp_announce settings discussed below); either way the user's request packets go to the director server.
3. When the director server receives the request, it selects a real server according to the configured scheduling algorithm. If the algorithm selects real server 1, the director rewrites only the destination MAC address of the data frame to real server 1's MAC address, leaving the IP header (CIP -> VIP) untouched, and sends the frame out. This is why, in DR mode, the director and the real servers must share a layer-2 segment: the forwarding decision is carried purely in the Ethernet frame.
4. Real server 1 receives a packet whose source address is CIP and whose destination address is VIP. Since the VIP is configured locally (normally on lo), it accepts and processes the packet. When it has finished handling the request, it sends the reply with source address VIP and destination address CIP; this response does not pass through the director server but goes directly to the user.

Of the three LVS IP load-balancing techniques (NAT, DR and Tun), DR and Tun both require arp_ignore and arp_announce to be configured on the real servers, chiefly to stop the real servers from answering ARP requests for the VIP and from announcing the VIP as the sender address in their own ARP requests.

In an LVS environment, the following parameters need to be set on each real server:

echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce

Two practical notes. The kernel applies the maximum of conf/all/X and conf/<interface>/X, so the conf/all entries are what actually protect the LAN-facing interface (for example eth0); the conf/lo entries are the conventional extra and matter only for ARP received on lo. Set these before binding the VIP to lo, so there is no window in which the real server answers ARP for the VIP, and persist them as net.ipv4.conf.all.arp_ignore = 1 (and the three matching lines) in /etc/sysctl.conf, since writes to /proc do not survive a reboot.
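The following script is an added example, not code from the original article: it ties the DR-mode steps above to the four sysctls, applies them on a real server, verifies they took effect, and (as a separate guarded step) shows the matching ipvsadm commands on the director, where -g selects DR (gatewaying), -i would select Tun and -m NAT. The VIP 10.0.0.100, the interface name and the real-server addresses are assumed values; the functions take a root directory argument so the sysctl part can be exercised against a temporary fake /proc without root.

```shell
#!/bin/sh
# Added example for LVS-DR real-server and director setup (not from the article).
# Assumed (hypothetical) values: VIP=10.0.0.100, LAN interface eth0, RS 10.0.0.11/.12.
# The kernel uses max(conf/all/X, conf/<if>/X), so conf/all is what covers eth0;
# the lo entries are the conventional extra.

VIP="${VIP:-10.0.0.100}"
RS_IF="${RS_IF:-eth0}"

# Write the four sysctls below $1 (normally "/"; a temp dir when testing).
rs_apply_arp_sysctls() {
    root="${1:-/}"
    for dev in all lo; do
        d="$root/proc/sys/net/ipv4/conf/$dev"
        echo 1 > "$d/arp_ignore"     # answer ARP only for IPs on the receiving interface
        echo 2 > "$d/arp_announce"   # never use the VIP as ARP sender IP
    done
}

# Return 0 if every required sysctl holds the expected value, 1 otherwise.
rs_verify_arp_sysctls() {
    root="${1:-/}"
    rc=0
    for dev in all lo; do
        d="$root/proc/sys/net/ipv4/conf/$dev"
        if [ "$(cat "$d/arp_ignore")" != "1" ]; then
            echo "BAD: $dev/arp_ignore is $(cat "$d/arp_ignore"), want 1"; rc=1
        fi
        if [ "$(cat "$d/arp_announce")" != "2" ]; then
            echo "BAD: $dev/arp_announce is $(cat "$d/arp_announce"), want 2"; rc=1
        fi
    done
    return $rc
}

# Bind the VIP on lo with a /32 so the RS accepts packets for it (step 4 above)
# while arp_ignore=1 keeps it from answering ARP for the VIP on eth0.
# Must run AFTER the sysctls, or there is a window in which the RS answers ARP.
rs_bind_vip() {
    ip addr add "$VIP/32" dev lo label lo:0
}

# Director side. -g = gatewaying (DR); use -i for Tun, -m for NAT.
# DRY_RUN=1 prints the commands instead of executing them.
run() { if [ -n "${DRY_RUN:-}" ]; then echo "$*"; else "$@"; fi; }
director_configure() {
    run ipvsadm -A -t "$VIP:80" -s wlc
    for rip in "$@"; do
        run ipvsadm -a -t "$VIP:80" -r "$rip" -g
    done
}

# Real-server entry point; only runs when explicitly requested (needs root).
if [ "${LVS_RS_SETUP:-}" = "1" ]; then
    rs_apply_arp_sysctls /
    rs_verify_arp_sysctls / && rs_bind_vip
fi
```

Usage: on a real server run LVS_RS_SETUP=1 sh lvs-dr.sh as root; on the director source the file and call director_configure 10.0.0.11 10.0.0.12 (prefix DRY_RUN=1 to review the ipvsadm commands first). The verify step is worth keeping in a health check, because a later interface reconfiguration that resets conf/<if> values is caught by the max() rule only as long as conf/all is still set.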

Let's look at the kernel documentation (Documentation/networking/ip-sysctl.txt) for arp_ignore and arp_announce. First, arp_ignore:

arp_ignore - INTEGER
	Define different modes for sending replies in response to
	received ARP requests that resolve local target IP addresses:
	0 - (default): reply for any local target IP address, configured
	on any interface
	1 - reply only if the target IP address is local address
	configured on the incoming interface
	2 - reply only if the target IP address is local address
	configured on the incoming interface and both with the
	sender's IP address are part from same subnet on this interface
	3 - do not reply for local addresses configured with scope host,
	only resolutions for global and link addresses are replied
	4-7 - reserved
	8 - do not reply for all local addresses

	The max value from conf/{all,interface}/arp_ignore is used
	when ARP request is received on the {interface}

arp_ignore: defines how the host responds to ARP requests whose target is one of its own local IP addresses:

0 (default): respond to an ARP request for any local IP address, whichever interface the request arrives on.

1: respond only if the target IP address is configured on the interface the request arrived on.

2: respond only if the target IP address is configured on the incoming interface and the sender's IP address lies within that interface's subnet.

3: do not respond for local addresses configured with scope host; answer only for addresses with global or link scope.

4-7: reserved.

8: do not respond to ARP requests for any local address.

And the kernel documentation for arp_announce:

arp_announce - INTEGER
	Define different restriction levels for announcing the local
	source IP address from IP packets in ARP requests sent on
	interface:
	0 - (default) Use any local address, configured on any interface
	1 - Try to avoid local addresses that are not in the target's
	subnet for this interface. This mode is useful when target
	hosts reachable via this interface require the source IP
	address in ARP requests to be part of their logical network
	configured on the receiving interface. When we generate the
	request we will check all our subnets that include the
	target IP and will preserve the source address if it is from
	such subnet. If there is no such subnet we select source
	address according to the rules for level 2.
	2 - Always use the best local address for this target.
	In this mode we ignore the source address in the IP packet
	and try to select local address that we prefer for talks with
	the target host. Such local address is selected by looking
	for primary IP addresses on all our subnets on the outgoing
	interface that include the target IP address. If no suitable
	local address is found we select the first local address
	we have on the outgoing interface or on all other interfaces,
	with the hope we will receive reply for our request and
	even sometimes no matter the source IP address we announce.

	The max value from conf/{all,interface}/arp_announce is used.

	Increasing the restriction level gives more chance for
	receiving answer from the resolved target while decreasing
	the level announces more valid sender's information.

arp_announce: restricts which local IP address the host may announce as the sender IP address in the ARP requests it sends from an interface:

0 (default): any local address configured on any interface (eth0, eth1, lo, ...); in practice the source IP address of the packet being sent.

1: try to avoid announcing local addresses that are not in the subnet of the outgoing interface. This is useful when the hosts reachable through the interface require the sender IP in ARP requests to belong to their logical network. When generating the request, the kernel checks all local subnets that contain the target IP and keeps the packet's source address if it belongs to one of them; if no such subnet exists, it falls back to the level 2 rule.

2: always use the most appropriate local address for the target. This mode ignores the source address of the IP packet and selects the local address best suited to talking to the target: first a primary address on the outgoing interface whose subnet contains the target IP; if none is found, the first local address on the outgoing interface or on another interface, in the hope of still receiving an answer.

A small supplement on understanding arp_announce:

Assume that a Linux box X has three interfaces, eth0, eth1 and eth2, each with an IP address: IP0, IP1 and IP2. When a local application tries to send an IP packet with source address IP0 through eth2, but the target node's MAC address has not yet been resolved, Linux box X will send an ARP request to learn the MAC address of the target (or the gateway). In this case, what is the IP source address of the "ARP request message"? IP0, the source address of the IP packet being transmitted, or IP2, the address of the outgoing interface? Until now (actually, until just 3 hours ago) I believed the ARP request used the IP address assigned to the outgoing interface (IP2 in the above example). However, Linux's behaviour is a little different: the selection of the source address in the ARP request is entirely configurable by the proc variable "arp_announce". If we want to use IP2, not IP0, in the ARP request, we should change the value to 1 or 2. The default value is 0, which allows IP0 to be used for the ARP request.

In fact, the problem is at the router, because routers generally learn ARP entries dynamically from the ARP packets they see. When a machine on the internal network sends an IP packet outward, it needs the router's MAC address and so sends an ARP request; that ARP request carries the sender's IP address and MAC address, and by default (arp_announce=0) Linux uses the source IP of the outgoing IP packet as the sender IP in the ARP request, not the address of the sending interface. In an LVS cluster every real server sends its replies with the VIP as source address, so each real server's ARP request would carry the VIP together with that real server's MAC. The router, on receiving such a request, updates its ARP cache and now maps the VIP to the wrong MAC. The effect is the same as ARP spoofing: the VIP is hijacked by a real server, and traffic meant for the director is misdelivered. arp_announce=2 prevents this by forcing the real server to announce the address of the outgoing interface (its RIP) instead of the VIP.

Why and when is the ARP cache updated? To reduce the number of ARP requests, when a host receives an ARP request asking for its own address it records the sender's IP and MAC in its ARP table, ready for the next exchange. If a host receives an ARP request that is not asking for its own address (ARP is broadcast, so everyone receives it), it discards the request rather than adding an entry, so the ARP table is not flooded with useless data that would push out useful records. (On Linux, a broadcast request not addressed to the host creates no new neighbour entry unless arp_accept is enabled, though an entry the host already holds for that sender may be refreshed.) Setting arp_ignore to 1 means: when somebody else's ARP request arrives, do not answer unless the IP being asked for is configured on the interface that received the request. The default of 0 means that as long as the requested IP is configured on any interface of this machine, the machine answers the ARP request with a MAC address, which in a DR or Tun cluster would expose the VIP on every real server.
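The check below is an added example, not part of the original article: after the sysctls are in place, the way to confirm that the VIP is no longer being "robbed" is to ARP for it from a third host on the same LAN (not the director and not a real server, which would answer themselves) and make sure exactly one MAC address replies. The script parses the reply lines printed by iputils arping; the VIP, the probing interface and the two sample captures (one healthy, one showing two responders) are constructed for illustration.

```shell
#!/bin/sh
# Added example: detect a hijacked VIP by counting distinct ARP responders.
# Assumed (hypothetical) values: VIP=10.0.0.100, probing from eth0 on a
# third host. Run with LVS_ARP_PROBE=1 to probe live; otherwise only the
# functions are defined, and the constructed samples below exercise them.

VIP="${VIP:-10.0.0.100}"
PROBE_IF="${PROBE_IF:-eth0}"

# Extract the distinct MAC addresses from iputils-arping output on stdin.
# iputils prints each reply as:
#   Unicast reply from 10.0.0.100 [00:0C:29:AA:BB:01]  0.612ms
vip_responder_macs() {
    sed -n 's/.*reply from [^ ]* \[\([0-9A-Fa-f:]*\)].*/\1/p' | tr 'A-F' 'a-f' | sort -u
}

# Verdict on stdin: returns 0 for exactly one responder, 1 for none
# (VIP unreachable) and 2 for more than one (VIP hijacked: some real
# server still answers ARP, so check its arp_ignore/arp_announce).
vip_arp_check() {
    macs=$(vip_responder_macs)
    n=$(printf '%s\n' "$macs" | sed '/^$/d' | wc -l | tr -d ' ')
    case "$n" in
        0) echo "FAIL: no ARP reply for $VIP"; return 1 ;;
        1) echo "OK: single responder for $VIP: $macs"; return 0 ;;
        *) echo "DUPLICATE: $n hosts answer ARP for $VIP:"; echo "$macs"; return 2 ;;
    esac
}

# Live probe: broadcast two ARP requests for the VIP and judge the replies.
vip_arp_probe() {
    arping -I "$PROBE_IF" -c 2 "$VIP" | vip_arp_check
}

# Constructed sample: a hijack, two different MACs answer for the VIP.
SAMPLE_HIJACK='ARPING 10.0.0.100 from 10.0.0.5 eth0
Unicast reply from 10.0.0.100 [00:0C:29:AA:BB:01]  0.612ms
Unicast reply from 10.0.0.100 [00:0C:29:AA:BB:02]  0.704ms
Sent 2 probes (2 broadcast(s))
Received 2 response(s)'

# Constructed sample: healthy cluster, only the director's MAC answers
# (mixed case on purpose, to show the MACs are normalised before counting).
SAMPLE_OK='ARPING 10.0.0.100 from 10.0.0.5 eth0
Unicast reply from 10.0.0.100 [00:0c:29:aa:bb:01]  0.612ms
Unicast reply from 10.0.0.100 [00:0C:29:AA:BB:01]  0.598ms
Sent 2 probes (2 broadcast(s))
Received 2 response(s)'

if [ "${LVS_ARP_PROBE:-}" = "1" ]; then
    vip_arp_probe
fi
```

Run this from a cron job or a monitoring check with LVS_ARP_PROBE=1 and alert on exit status 2; a newly added real server whose sysctls were forgotten shows up immediately as a second MAC, before the router's ARP cache has a chance to point the VIP at the wrong host.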
