|
4、禁止ARP请求发往RealServers;
传统认为,解决ARP问题可以基于网络接口,也可以基于主机来实现.Linux采用了基于主机的方式, 其可以在大多场景中工作良好,但LVS却并不属于这些场景之一,因此,过去实现此功能相当麻烦.现在可以通过设置arp_ignore,arp_announce,这变得相对简单的多了.
Linux 2.2和2.4(2.4.26之前的版本)的内核解决“ARP问题”的方法各不相同,且比较麻烦.幸运的是,2.4.26和2.6的内核中引入了两个新的调整ARP栈的标志
(device flags):arp_announce和arp_ignore.基于此,在DR/TUN的环境中,所有IPVS相关的设定均可使用arp_announce=2和arp_ignore=1/2/3来解决“ARP问题”了.以下是官方说明:
arp_annouce:Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface;
0 - (default) Use any local address, configured on any interface.
1 - Try to avoid local addresses that are not in the target''s subnet for this interface.
2 - Always use the best local address for this target.
arp_ignore: Define different modes for sending replies in response to received ARP requests that resolve local target IP address.
0 - (default): reply for any local target IP address, configured on any interface.
1 - reply only if the target IP address is local address configured on the incoming interface.
2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender''s IP address are part from same subnet on this interface.
3 - do not reply for local address configured with scope host,only resolutions for golbal and link addresses are replied.
4-7 - reserved
8 - do not reply for all local addresses
arp_announce:定义了网卡在向外宣告自己的MAC-IP时候的限制级别
拥有帝国一切,皆有可能。欢迎访问phome.net
有三个值:
0:默认值,不管哪块网卡接收到了ARP请求,只要发现本机有这个MAC都给与响应
1:尽量避免响应ARP请求中MAC不是本网卡的,一个主机有多块网卡,其中一块网卡接收到了ARP请求,发现所请求的MAC是本机另一块网卡的,这个时候接收到ARP请求的这块网卡就尽量避免响应
2:总是使用最合适的网卡来响应,一个主机有多块网卡,其中一块网卡接收到了ARP请求,发现所请求的MAC是本机另一块网卡的,这个时候接收到ARP请求的这块网卡就一定不响应,只有发现请求的MAC是自己的才给与响应
arp_ignore:定义了网卡在响应外部ARP请求时候的响应级别
这里有8个值,但我们只使用了2个
0:默认值,不管哪块网卡接收到了ARP请求,只要发现本机有这个MAC都给与响应
1:总是使用最合适的网卡来响应,一个主机有多块网卡,其中一块网卡接收到了ARP请求,发现所请求的MAC是本机另一块网卡的,这个时候接收到ARP请求的这块网卡就一定不响应,只有发现请求的MAC是自己的才给与响应
在RealServers上,VIP配置在本地回环接口lo上.如果回应给Client的数据包路由到了eth0接口上,则arp通告或请应该通过eth0实现,因此,需要在sysctl.conf文件中定义如下配置:
vim /etc/sysctl.conf
net.ipv4.conf.eth0.arp_ignore = 1
net.ipv4.conf.eth0.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
以上选项需要在启用VIP之前进行,否则,则需要在Drector上清空arp表才能正常使用LVS.
到达Director的数据包 会经过PREROUTING,而后经过路由发现其目标地址为本地某接口的地址,因 |
