Difference between revisions of "Using the hidden interface to disable ARP"

From LVSKB
Latest revision as of 12:02, 29 October 2006

Introduction

The "hidden" flag hides an interface from the ARP protocol. When the "hidden" flag is enabled on an interface, the IP addresses configured on that interface do not participate in ARP.

The "hidden" device flag is available in the Linux 2.2 kernel series starting from 2.2.14. To get the "hidden" device flag on Linux kernels 2.4 and 2.6, you need to apply the hidden patch for the respective kernel. The hidden patches can be downloaded from Julian's Software Patches and Docs (http://www.ssi.bg/~ja/#hidden).

Note that on Linux kernels 2.4 and 2.6 you can instead use the arp_announce/arp_ignore interface flags (see Using arp_announce/arp_ignore to disable ARP), in which case you do not need to patch and rebuild the kernel.

Disable ARP for VIP

To hide an interface from ARP for LVS, configure it as follows:

# Start the hiding interface functionality
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# Hide all addresses for this interface
echo 1 > /proc/sys/net/ipv4/conf/<interface_name>/hidden

Note that once an interface is set hidden, all of its addresses are hidden from ARP broadcasts and from being included in the ARP responses for other addresses. It is therefore not a good idea to configure a VIP on an alias of a real Ethernet interface and hide that interface, unless you have an unused Ethernet interface.

For LVS/DR clusters, configure the VIPs on aliases of a dummy or loopback device and hide that device. You can then configure as many VIPs as you want.

For LVS/TUN clusters, first bring the tunl0 device up, then configure the VIPs on aliases of a tunnel, dummy or loopback device and hide that device. A configuration example follows:

# Insert the ipip module
insmod ipip
# Make the tunl0 device up
ifconfig tunl0 up
# Start the hiding interface functionality
echo 1 > /proc/sys/net/ipv4/conf/all/hidden
# Hide all addresses for this tunnel device
echo 1 > /proc/sys/net/ipv4/conf/tunl0/hidden
# Configure a VIP on an alias of tunnel device
ifconfig tunl0:0 <VIP> up

Note that the tunl0 device is brought up so that the kernel decapsulates received ipip packets correctly. You can now configure as many VIPs as you want for LVS/TUN.
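The LVS/DR case described above, written as a script in the same style as the LVS/TUN example. This is an added example, not part of the original page; the function names, the CONF_ROOT override and the allow-list of lo/dummy/tunl devices are assumptions made for illustration. It refuses to hide a real Ethernet interface and reports a kernel that lacks the hidden flag.

```shell
#!/bin/sh
# Added example: hide a VIP-carrying device from ARP on an LVS/DR real server.
# CONF_ROOT can be overridden (assumption) to dry-run against a scratch directory.
CONF_ROOT="${CONF_ROOT:-/proc/sys/net/ipv4/conf}"

# Only devices that carry nothing but VIPs may be hidden: hiding a real
# Ethernet interface would hide its own addresses from ARP as well.
is_vip_only_device() {
    case "$1" in
        lo|dummy[0-9]*|tunl[0-9]*) return 0 ;;
        *) return 1 ;;
    esac
}

# hide_interface <device>: returns 0 on success, 1 if the device is refused,
# 2 if the "hidden" flag is absent (2.4/2.6 kernel without the hidden patch).
hide_interface() {
    dev="$1"
    is_vip_only_device "$dev" || { echo "refusing to hide $dev" >&2; return 1; }
    for f in "$CONF_ROOT/all/hidden" "$CONF_ROOT/$dev/hidden"; do
        [ -e "$f" ] || { echo "$f missing: kernel lacks the hidden flag" >&2; return 2; }
    done
    # Start the hiding functionality, then hide all addresses of this device
    echo 1 > "$CONF_ROOT/all/hidden"
    echo 1 > "$CONF_ROOT/$dev/hidden"
}

# is_hidden <device>: true only when both the global and per-device flags are 1.
is_hidden() {
    [ "$(cat "$CONF_ROOT/all/hidden" 2>/dev/null)" = 1 ] &&
    [ "$(cat "$CONF_ROOT/$1/hidden" 2>/dev/null)" = 1 ]
}

# Usage on a real server, as root: sh hide-vip.sh apply <VIP>
if [ "${1:-}" = "apply" ] && [ -n "${2:-}" ]; then
    hide_interface lo || exit $?
    # Host netmask so that lo does not claim the VIP's whole subnet
    ifconfig lo:0 "$2" netmask 255.255.255.255 up
    is_hidden lo && echo "lo is hidden from ARP; VIP $2 configured on lo:0"
fi
```

Reading the two flags back with is_hidden after a reboot or a kernel upgrade confirms that the real server is still not answering ARP for the VIP.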
