Let's start with a brief introduction to LVS load balancing.

LVS (Linux Virtual Server) is a Linux server cluster system: a load-balanced scheduling solution, implemented in the Linux kernel, for high-scalability, high-availability services at the IP layer and for content request distribution. A set of real servers is combined into one virtual server that provides scalable, highly available network services.

Load balancing
1. A large volume of concurrent access or data traffic is spread across multiple node devices for processing, reducing the user's waiting time.
2. A single heavy-load operation is split across multiple node devices for parallel processing; once every node finishes, the results are combined and returned to the user.

Load scheduler
A group of servers connected by a high-speed LAN or a geographically distributed WAN, with a load balancer (scheduler) at their front end. The load balancer dispatches network requests to the real servers seamlessly, so the structure of the server cluster is transparent to the user: users access the network services provided by the cluster system as if they were accessing a single high-performance, highly available server.

IP load balancing technology (three kinds)
1. VS/NAT (network address translation): the scheduler rewrites the destination address of the request packet and distributes the request to a backend real server according to the preset scheduling algorithm. The real server's response packet passes back through the scheduler, which rewrites the source address and returns it to the client, completing the scheduling process.
2. VS/TUN (IP tunnel mode): the scheduler forwards the request packet to the real server through an IP tunnel, and the real server returns the result directly to the user. The scheduler only processes request packets; because the response of a typical network service is much larger than the request, IP tunnel mode can increase the maximum throughput of a cluster system by up to 10 times.
3. VS/DR (direct routing): the scheduler rewrites the MAC address of the request packet to deliver it to the real server, and the real server returns the response directly to the user. Like tunnel mode, this traffic pattern greatly improves the scalability of the cluster system, but without the overhead of IP tunneling and without requiring the real servers to support the IP tunneling protocol; the only requirement is that the scheduler and the real servers each have a NIC attached to the same physical network segment.

Among the three IP load balancing technologies, DR and TUN mode require the arp_ignore and arp_announce parameters to be configured on the real servers, mainly so that the real servers do not respond to ARP requests for the VIP.
In an LVS environment (DR or TUN mode), the following parameters need to be set on the real servers:

echo "1" >/proc/sys/net/ipv4/conf/all/arp_ignore
echo "1" >/proc/sys/net/ipv4/conf/lo/arp_ignore
echo "2" >/proc/sys/net/ipv4/conf/lo/arp_announce
echo "2" >/proc/sys/net/ipv4/conf/all/arp_announce
Let's take a look at the introduction to arp_ignore and arp_announce.

About arp_ignore, the kernel documentation says:

arp_ignore - INTEGER
    Define different modes for sending replies in response to
    received ARP requests that resolve local target IP addresses:
    0 - (default): reply for any local target IP address, configured
    on any interface
    1 - reply only if the target IP address is local address
    configured on the incoming interface
    2 - reply only if the target IP address is local address
    configured on the incoming interface and both with the
    sender's IP address are part from same subnet on this interface
    3 - do not reply for local addresses configured with scope host,
    only resolutions for global and link addresses are replied
    4-7 - reserved
    8 - do not reply for all local addresses

    The max value from conf/{all,interface}/arp_ignore is used
    when ARP request is received on the {interface}
arp_ignore: defines the reply mode for ARP requests that ask for a local IP address:
0 - (default): respond to ARP requests for any local IP address on any network interface
1 - respond only if the destination IP address of the ARP request is a local address configured on the network interface the request arrived on
2 - respond only if the destination IP address is a local address configured on the incoming network interface, and the requesting IP is within a subnet of that interface
3 - do not respond for local addresses configured with scope host; reply only for addresses with global or link scope
4-7 - reserved, unused
8 - do not respond to ARP requests for any local address
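To make the level semantics concrete, here is an added Python model (not code from this page or from the LVS project) of the arp_ignore decision for the real-server layout the page describes, with the VIP bound to lo and the RIP on eth0. The addresses, interface names, address scopes and the requesting host 10.0.0.1 are constructed assumptions.

```python
import ipaddress

# Constructed LVS/DR real server (assumption): RIP on eth0, VIP bound to lo as in the page's
# setup. Each address is (ip, prefix length, scope); 127.0.0.1 carries scope host.
REAL_SERVER = {
    "eth0": [("10.0.0.11", 24, "global")],
    "lo": [("127.0.0.1", 8, "host"), ("10.0.0.100", 32, "global")],  # VIP on lo
}
SCOPE_RANK = {"global": 0, "link": 1, "host": 2}  # narrower scope = higher rank

def _in_subnet(ip, entry):
    addr, plen, _scope = entry
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def _owners(host, target_ip, max_rank):
    """Interfaces carrying target_ip with a scope no narrower than max_rank."""
    return [name for name, addrs in host.items()
            if any(ip == target_ip and SCOPE_RANK[scope] <= max_rank
                   for ip, _plen, scope in addrs)]

def arp_reply(host, level, in_iface, sender_ip, target_ip):
    """True if a host at this arp_ignore level answers an ARP request that arrived on
    in_iface asking for target_ip; follows the level definitions quoted above."""
    if level == 0:   # any local address, configured on any interface
        return bool(_owners(host, target_ip, SCOPE_RANK["host"]))
    if level == 1:   # target must be configured on the incoming interface
        return in_iface in _owners(host, target_ip, SCOPE_RANK["host"])
    if level == 2:   # ... and the sender must be in a subnet of that interface
        return (in_iface in _owners(host, target_ip, SCOPE_RANK["host"])
                and any(_in_subnet(sender_ip, e) for e in host[in_iface]))
    if level == 3:   # scope-host addresses are never answered; any interface otherwise
        return bool(_owners(host, target_ip, SCOPE_RANK["link"]))
    if level == 8:
        return False
    raise ValueError(f"arp_ignore level {level} is reserved or invalid")

def effective_level(all_level, iface_level):
    """conf/all and conf/<interface> combine by taking the larger value."""
    return max(all_level, iface_level)

if __name__ == "__main__":
    # The director (constructed 10.0.0.1) asks on the shared segment who has the VIP.
    for lvl in (0, 1, 2, 3, 8):
        print(f"arp_ignore={lvl}: real server answers for the VIP ->",
              arp_reply(REAL_SERVER, lvl, "eth0", "10.0.0.1", "10.0.0.100"))
```

Note that level 3 only silences the VIP if it was added to lo with scope host; with the usual global scope the real server still answers, which is why the page's setup uses level 1.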
About arp_announce, the kernel documentation says:

arp_announce - INTEGER
    Define different restriction levels for announcing the local
    source IP address from IP packets in ARP requests sent on
    interface:
    0 - (default) Use any local address, configured on any interface
    1 - Try to avoid local addresses that are not in the target's
    subnet for this interface. This mode is useful when target
    hosts reachable via this interface require the source IP
    address in ARP requests to be part of their logical network
    configured on the receiving interface. When we generate the
    request we will check all our subnets that include the
    target IP and will preserve the source address if it is from
    such subnet. If there is no such subnet we select source
    address according to the rules for level 2.
    2 - Always use the best local address for this target.
    In this mode we ignore the source address in the IP packet
    and try to select local address that we prefer for talks with
    the target host. Such local address is selected by looking
    for primary IP addresses on all our subnets on the outgoing
    interface that include the target IP address. If no suitable
    local address is found we select the first local address
    we have on the outgoing interface or on all other interfaces,
    with the hope we will receive reply for our request and
    even sometimes no matter the source IP address we announce.

    The max value from conf/{all,interface}/arp_announce is used.

    Increasing the restriction level gives more chance for
    receiving answer from the resolved target while decreasing
    the level announces more valid sender's information.
arp_announce: restricts which local IP address a network interface announces as the sender address in the ARP requests it sends. The level determines how strictly the source IP address of the IP packet being sent is allowed to appear in the ARP request:
0 - (default): any local address on any network interface (eth0, eth1, lo) may be announced
1 - try to avoid announcing a local address that is not in the subnet of the network interface. This is useful when the hosts reachable through this interface require the source IP address in ARP requests to belong to their logical network. The kernel checks all of its subnets that contain the target IP; if the packet's source IP lies in none of them, the level 2 rules are used instead.
2 - use the most appropriate local address for the query target. In this mode the source address of the IP packet is ignored and an attempt is made to select a local address that can communicate with the target. First, a primary address is chosen from those subnets on the outgoing interface that contain the destination IP address. If no appropriate address is found, the first local address on the outgoing interface, or on another network interface, is used in the hope of still receiving an ARP reply.
A little supplement to the understanding of arp_announce
Assume that a Linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address: IP0, IP1 and IP2. When a local application tries to send an IP packet with IP0 through eth2, unfortunately, the target node's MAC address is not resolved. The Linux box X will send an ARP request to learn the MAC address of the target (or the gateway). In that case, what is the IP source address of the "ARP request message"? IP0 - the IP source address of the transmitted IP packet, or IP2 - the address of the outgoing interface? Until now (actually just 3 hours before), I thought the ARP request used the IP address assigned to the outgoing interface (IP2 in the above example); however, Linux's behavior is a little bit different. Actually the selection of the source address in the ARP request is totally configurable by the proc variable "arp_announce". If we want IP2, not IP0, in the ARP request, we should change the value to 1 or 2. The default value is 0 - IP0 is allowed to be used for the ARP request.
In fact, the problem is at the router, because a router generally learns ARP entries dynamically (typically in a DHCP-style dynamic configuration). When a machine on the internal network sends an IP packet to the outside, it requests the router's MAC address by sending an ARP request. This ARP request carries the sender's own IP address and MAC address, and by default Linux uses the source IP address of the IP packet as the sender IP in the ARP request, rather than the address of the sending device. In an LVS framework all the real servers send packets with the same VIP as the source address, so each ARP request carries the VIP together with that real server's own MAC. When the router receives such an ARP request it updates its own ARP cache, which amounts to IP spoofing: the VIP is hijacked by a real server, and problems follow.

Why and when is the ARP cache updated? To reduce the number of ARP requests, when a host receives an ARP request addressed to itself, it stores the sender's IP and MAC in its own ARP table for convenience in the next communication. If it receives an ARP packet that is not asking for its own address (ARP is broadcast and everyone receives it), the packet is discarded, so that the ARP table is not filled with useless entries that would cause useful records to be evicted.

When arp_ignore is set to 1, it means that when someone else's ARP request arrives, the host does not respond if the receiving device does not have the requested IP. The default is 0: as long as any device on the machine has the IP, the host responds to the ARP request and sends its MAC address.

Other relevant information:
http://kb.linuxvirtualserver.org/wiki/Using_arp_announce/arp_ignore_to_disable_ARP
http://itnihao.blog.51cto.com/1741976/752472
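As an added example covering both the arp_announce levels explained above and the router ARP-cache problem described in this section (not code from this page or from the LVS project), the following Python model selects the sender IP a real server announces when it resolves the router's MAC while returning a packet sourced from the VIP. The addresses, the router IP 10.0.0.1 and the MAC address are constructed assumptions.

```python
import ipaddress

# Constructed LVS/DR real server (assumption): RIP on eth0, VIP on lo, as in the page's setup.
REAL_SERVER = {
    "eth0": [("10.0.0.11", 24, "global")],
    "lo": [("127.0.0.1", 8, "host"), ("10.0.0.100", 32, "global")],  # (ip, prefix, scope); VIP
}
ROUTER_IP = "10.0.0.1"         # constructed next hop for traffic back to clients
RS_MAC = "02:00:00:00:00:0b"   # constructed MAC of this real server's eth0

def _in_subnet(ip, entry):
    addr, plen, _scope = entry
    return ipaddress.ip_address(ip) in ipaddress.ip_network(f"{addr}/{plen}", strict=False)

def _is_local(host, ip):
    return any(ip == a for addrs in host.values() for a, _p, _s in addrs)

def _best_local(host, out_iface, target_ip):
    """Level 2 rule: a non-scope-host address on the outgoing interface whose subnet contains
    the target, else the first such address there, else one from another interface."""
    usable = [e for e in host[out_iface] if e[2] != "host"]
    for e in usable:
        if _in_subnet(target_ip, e):
            return e[0]
    if usable:
        return usable[0][0]
    return next((e[0] for n, addrs in host.items() if n != out_iface
                 for e in addrs if e[2] != "host"), None)

def announce_source(host, level, out_iface, packet_src, target_ip):
    """Sender IP put in an ARP request sent on out_iface while forwarding a packet whose
    source is packet_src, following the arp_announce level definitions quoted above."""
    if level == 0:     # any local address: the packet's own source address is announced
        return packet_src if _is_local(host, packet_src) else _best_local(host, out_iface, target_ip)
    if level == 1:     # keep the source only if it lies in the target's subnet on out_iface
        if _is_local(host, packet_src) and any(
                _in_subnet(target_ip, e) and _in_subnet(packet_src, e) for e in host[out_iface]):
            return packet_src
        return _best_local(host, out_iface, target_ip)   # otherwise the level 2 rules apply
    if level == 2:
        return _best_local(host, out_iface, target_ip)
    raise ValueError(f"invalid arp_announce level {level}")

def router_learns(level, host=REAL_SERVER):
    """ARP entry the router caches from the real server's request for ROUTER_IP while the
    server returns a packet sourced from the VIP (the situation described above)."""
    return {announce_source(host, level, "eth0", "10.0.0.100", ROUTER_IP): RS_MAC}
```

With the VIP in the same subnet as the RIP, level 1 still announces the VIP, so the router learns the real server's MAC for it; only level 2 announces the RIP, which is why the setup above uses arp_announce=2.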
Meaning of arp_ignore and arp_announce parameter configuration in LVS load balancing