LVS/DR mode with a single public IP address

Source: Internet
Author: User

I have read many articles on the Internet about deploying LVS in LVS/DR mode with public IP addresses. When choosing between LVS/DR and LVS/NAT, many people assume that the DR model requires multiple public addresses. That is what I thought at first as well: DIP, VIP and RIP must all be in the same network segment, so the only solution is to put a router in front of the LVS cluster, let the router do static NAT, and run the cluster behind it in DR mode. This is not cost-effective, though: a router is dedicated to NAT translation and all the load is pushed onto that front-end router, and in terms of performance it is no faster than plain DR mode. DR mode performs far better than NAT: in NAT mode the number of realservers generally cannot exceed about 10, while DR mode handles hundreds of realservers without trouble. Over the past two days I have been wondering whether plain DR mode can be used with a single public IP address (the VIP is the public address; RIP and DIP use intranet addresses). The official LVS site by Dr. Wensong Zhang states explicitly that DR mode allows VIP, DIP and RIP to be deployed in different network segments, and it also has a page describing DR mode across different subnets. I asked Dr. Zhang directly and he confirmed it. Based on that, I summarized the common network architecture found in real deployments; the topology below is a typical one.

First, let us analyze how packets travel while LVS is working:

1. The client sends a service request. The packet's source IP is the client's address (CIP) and its destination IP is the VIP.
2. The packet is routed hop by hop across the Internet to the Director.
3. The Director looks up the service in the table defined with ipvsadm and selects a realserver according to the scheduling algorithm. It changes only the destination MAC address at layer 2 and forwards the frame to the chosen realserver, which has a private IP address.
4. The realserver receives the packet, processes the request and replies directly to the client.
The key question is how the realserver sends its reply back to the client. First, a special route is defined on the realserver: all packets whose destination is the VIP are sent via the loopback interface, so replies are generated with the VIP as their source address, and neither the source nor the destination address of the packet is changed. But because ARP broadcasts and replies for the VIP are suppressed, the outside world does not know there is a VIP on the realserver, and the realserver knows nothing about the other hosts in the VIP's segment, so the reply would be stuck on the realserver. The solution is to add a default route on the realserver that sends packets for unknown destinations to the gateway of the private network. The router receives the reply and forwards it straight to the client. In this topology the router interface therefore carries two addresses, one the gateway address of the private network and one the gateway address of the public network; that is what makes LVS/DR with a single public IP work. One caveat a practitioner should keep in mind: the reply leaves the private network with the VIP as its source address, an address that is not configured on the realserver's egress interface or on the private segment at all. Any anti-spoofing filter on the path (a strict rp_filter setting on a Linux gateway, uRPF on a router, or a stateful firewall that only saw the inbound half of the connection) must be configured to accept this asymmetric flow, or the replies are silently dropped. All of this can be confusing, so a common topology is shown below.

In this figure, the Director has a leased line directly from the ISP (the firewall between the ISP and the Director is ignored for now). Packets flow as follows: client --> Internet --> Director --> Realserver --> Gateway --> client. Real topologies vary endlessly, and the concrete implementation depends on the actual scenario. The concrete implementation follows; the experiment below was done with virtual machines. First, the topology: the 192 network segment simulates the public network and the 10 segment simulates the private network.

The experiment environment: the client is my host machine, and the Director and the two realservers are all virtual machines. They are connected through the virtual switch VMnet8. The host acts as both the client and the gateway, so two addresses are configured on the VMnet8 NIC (to avoid confusion, the experiment verifies this through packet capture). The Director is configured first. Configure its addresses (the addresses used in the experiment are shown as placeholders):

    [root@localhost ~]# ifconfig eth0 <DIP> netmask <mask>
    [root@localhost ~]# ifconfig eth0:1 <VIP> netmask <mask> up

Then configure the cluster service:

    [root@localhost ~]# ipvsadm -A -t <VIP>:80 -s rr     # create an HTTP cluster service with the round-robin scheduler
    [root@localhost ~]# ipvsadm -a -t <VIP>:80 -r <RIP1>  # add a realserver in DR mode (gatewaying, the ipvsadm default); note that the VIP and the realserver's RIP are in different network segments
    [root@localhost ~]# ipvsadm -a -t <VIP>:80 -r <RIP2>  # add the second realserver the same way

The Director configuration is now complete. View the IP address configuration:

View ipvsadm Configuration

As you can see, the forwarding method shown is Route (DR mode), and the VIP and RIPs are in different network segments. On the realserver, first restrict ARP announcements and replies for the VIP (arp_ignore=1 answers ARP only for addresses on the interface the request arrived on, so the VIP on lo is never answered; arp_announce=2 uses the best local address of the outgoing interface rather than the VIP as the ARP source):

    [root@ww1 ~]# echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
    [root@ww1 ~]# echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
    [root@ww1 ~]# echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
    [root@ww1 ~]# echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore

Then configure the addresses:

    [root@ww1 ~]# ifconfig eth0 <RIP1> netmask <mask>
    [root@ww1 ~]# ifconfig lo:1 <VIP> netmask 255.255.255.255 broadcast <VIP>   # the VIP is configured as a host address so the realserver never broadcasts it externally

Configure the routes:

    [root@ww1 ~]# route add -host <VIP> dev lo:1      # packets for the VIP go out through lo:1, so replies keep the VIP as source address instead of eth0's RIP
    [root@ww1 ~]# route add default gw <private gateway>   # default route pointing to the private network's gateway; in this experiment that is my client host

Then start the web service:

    [root@ww1 ~]# echo "web1" > /var/www/html/index.html   # create a web page marked web1; realserver2 uses web2
    [root@ww1 ~]# service httpd start

The HTTP service is now running and the configuration of realserver1 is complete. Realserver2 is configured in the same way, with a different web page file. View the IP address configuration:
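The Director and realserver steps above, collected into one parameterised script as an added example (this is not the article's own command listing). The addresses are assumptions standing in for the ones the article omits: 192.168.80.0/24 plays the public segment, 10.0.0.0/24 the private one, and the hostnames, interface names and the use of iproute2 and sysctl instead of ifconfig/route are likewise my choices. With DRY_RUN=1 (the default) the commands are printed instead of executed, and same_subnet shows that VIP and RIP are deliberately not in one segment:

```shell
#!/bin/sh
# Added example, not the article's own commands: single-public-VIP LVS/DR
# configuration for the Director and a realserver, using ipvsadm, sysctl and
# iproute2. All addresses are assumptions: 192.168.80.0/24 = simulated public
# segment, 10.0.0.0/24 = private segment. DRY_RUN=1 only prints the commands.
VIP=${VIP:-192.168.80.100}
VPORT=${VPORT:-80}
DIP=${DIP:-10.0.0.10}
RIPS=${RIPS:-"10.0.0.11 10.0.0.12"}
PRIV_GW=${PRIV_GW:-10.0.0.1}
DRY_RUN=${DRY_RUN:-1}

run() { if [ "$DRY_RUN" = 1 ]; then echo "$*"; else "$@"; fi; }

# Dotted quad -> integer, in plain sh arithmetic (no bash-only features).
ip2int() {
  set -- $(printf '%s' "$1" | tr . ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# same_subnet A B MASK: exit 0 when A and B fall in the same subnet under MASK.
same_subnet() {
  m=$(ip2int "$3")
  [ $(( $(ip2int "$1") & m )) -eq $(( $(ip2int "$2") & m )) ]
}

director_config() {
  run ip addr add "$DIP/24" dev eth0                 # DIP on the private segment
  run ip addr add "$VIP/24" dev eth0 label eth0:1    # VIP on the public-facing alias
  run ipvsadm -A -t "$VIP:$VPORT" -s rr              # HTTP service, round-robin scheduler
  for rip in $RIPS; do
    run ipvsadm -a -t "$VIP:$VPORT" -r "$rip" -g     # -g = gatewaying, i.e. DR mode
  done
}

realserver_config() {
  rip=$1
  # Suppress ARP for the VIP: never answer for an address that is not on the
  # receiving interface, and never use the VIP as ARP source on eth0.
  for dev in all lo; do
    run sysctl -w "net.ipv4.conf.$dev.arp_ignore=1"
    run sysctl -w "net.ipv4.conf.$dev.arp_announce=2"
  done
  run ip addr add "$rip/24" dev eth0
  run ip addr add "$VIP/32" dev lo label lo:1        # /32: the VIP stays inside the host
  run ip route add "$VIP/32" dev lo                  # replies to VIP keep VIP as source
  run ip route replace default via "$PRIV_GW"        # everything else exits via the private gateway
}

case "${1:-}" in
  director)   director_config ;;
  realserver) realserver_config "${2:?usage: $0 realserver RIP}" ;;
esac
```

Run it as `sh lvs-dr.sh director` on the Director and `sh lvs-dr.sh realserver 10.0.0.11` on each realserver, setting DRY_RUN=0 once the printed commands look right. Because the VIP is added as a /32 on lo and the arp_* sysctls are set before it appears, the realserver never announces the VIP on the private segment, which is exactly the condition the article relies on.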

Here is the NIC information of the second realserver; it will be used later to verify the packet flow and check the MAC address.

View the route table:

The configuration is now complete. Open a browser on the client to verify (capturing the traffic on the VMnet8 NIC with a packet capture tool while browsing) and refresh the page several times; the returned content alternates between the two realservers.

Checking the connection table on the Director (ipvsadm -Lnc) shows the connections being distributed to the realservers.

Capture the packets and check the MAC address of the local host's VMnet8 NIC.

This packet is sent from the local host to the Director. For the MAC address of each virtual machine and of the host, see the IP address configuration output shown earlier. The next packet is sent by the Director to the realserver: the source and destination IP addresses are unchanged; the Director only rewrote the destination MAC address.

This packet is sent from the realserver to the local client (the source and destination MAC addresses can be checked against the NIC information above). The source IP address is the VIP and the destination is the local client. The packet capture confirms the data flow: implementing LVS/DR with a single public IP address is feasible. Reply packets reach the client by way of the private-network gateway, which is the equivalent of one loop inside the company network. Compared with NAT mode, the efficiency of DR mode is in a different league: NAT cannot compare with it, so in real LVS deployments use DR mode wherever possible. Author: lustlost
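The three packets the article checks by eye can be checked mechanically. The following is an added example, not part of the original article: it reads `tcpdump -e -nn` output and asserts the DR invariants (client -> Director and Director -> realserver carry the same CIP -> VIP header with only the destination MAC rewritten; realserver -> gateway is sourced from the VIP). The MAC and IP addresses are assumed values, and SAMPLE_CAPTURE is a constructed trace in tcpdump's output format, not a real recording; point CAPTURE_FILE at a saved capture to check a real one.

```shell
#!/bin/sh
# Added example, not from the article: checks a `tcpdump -e -nn` capture for the
# three invariants of a single-public-VIP LVS/DR flow. Addresses are assumed
# values and SAMPLE_CAPTURE is a constructed trace, not a real recording.
CIP=192.168.80.1;   CLIENT_MAC=00:50:56:c0:00:08   # host acting as client and gateway
VIP=192.168.80.100; DIR_MAC=00:0c:29:11:11:11
RIP=10.0.0.11;      RS_MAC=00:0c:29:22:22:22
GW_MAC=$CLIENT_MAC

SAMPLE_CAPTURE='10:00:01.000100 00:50:56:c0:00:08 > 00:0c:29:11:11:11, ethertype IPv4 (0x0800), length 74: 192.168.80.1.51234 > 192.168.80.100.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000200 00:0c:29:11:11:11 > 00:0c:29:22:22:22, ethertype IPv4 (0x0800), length 74: 192.168.80.1.51234 > 192.168.80.100.80: Flags [S], seq 1, win 64240, length 0
10:00:01.000300 00:0c:29:22:22:22 > 00:50:56:c0:00:08, ethertype IPv4 (0x0800), length 74: 192.168.80.100.80 > 192.168.80.1.51234: Flags [S.], seq 2, ack 2, win 65160, length 0'

capture_lines() {
  if [ -n "${CAPTURE_FILE:-}" ]; then cat "$CAPTURE_FILE"; else printf '%s\n' "$SAMPLE_CAPTURE"; fi
}

# frames_matching SRC_MAC DST_MAC SRC_IP DST_IP: prints how many frames carry
# exactly that layer-2 / layer-3 tuple.
frames_matching() {
  capture_lines | awk -v sm="$1" -v dm="$2" -v si="$3" -v di="$4" '
    BEGIN { dm = dm "," }                     # tcpdump prints "dstmac," with a comma
    $2 == sm && $4 == dm {
      s = $10; sub(/\.[0-9]+$/, "", s)        # drop ".port" from the source token
      d = $12; sub(/:$/, "", d); sub(/\.[0-9]+$/, "", d)
      if (s == si && d == di) n++
    }
    END { print n + 0 }'
}

# check_dr_flow: exit 0 only when the capture shows a correct DR flow:
#   client -> Director     : IP CIP -> VIP
#   Director -> realserver : IP still CIP -> VIP, only the destination MAC rewritten
#   realserver -> gateway  : IP VIP -> CIP, sent from the realserver's own MAC
# A NAT-mode Director would rewrite the destination IP to RIP instead, so the
# second test would find no frame and the check would fail.
check_dr_flow() {
  [ "$(frames_matching "$CLIENT_MAC" "$DIR_MAC" "$CIP" "$VIP")" -ge 1 ] &&
  [ "$(frames_matching "$DIR_MAC" "$RS_MAC" "$CIP" "$VIP")" -ge 1 ] &&
  [ "$(frames_matching "$RS_MAC" "$GW_MAC" "$VIP" "$CIP")" -ge 1 ]
}

if check_dr_flow; then echo "DR flow verified"; else echo "DR flow NOT verified"; fi
```

If the third check fails on a real capture while the first two pass, the realserver is generating replies but they are not reaching the gateway's segment, which is the symptom of a missing default route or of an anti-spoofing filter dropping packets sourced from the VIP.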
