Difference between revisions of "Using policy routing to disable ARP"

From LVSKB
 
 
Line 1: Line 1:
 
== Introduction ==
 
== Introduction ==
  
 +
The classic TCP/IP routing algorithms used today make their routing decisions based only on the destination address of IP packets. However, we often find ourselves wanting to route IP packets depending not only on the destination addresses, but also on other packet fields such as the source address, the IP protocol, the transport protocol ports, or even data within the packet payload. This type of IP routing is referred to as "policy routing".
  
 
== Disable ARP for VIP ==
 
== Disable ARP for VIP ==
  
 +
Julian suggested to use the advanced policy routing approach to get around the [[ARP]] problem of the [[real server]]s in the [[LVS/DR]] and [[LVS/TUN]] clusters. For example, 172.26.20.118 is the [[VIP]] address, and the commands are as follows:
 +
 +
# Block  access from the  LAN to the  real server's VIP.  By
 +
# this  way we ignore the router's ARP probes. The drawback:
 +
# we  ignore the  client's probes too.  We have  to do this
 +
# because the client on the LAN can receive replies from all
 +
# real servers
 +
ip rule add prio 99 from 172.26.20/24 table 99
 +
ip route add table 99 blackhole 172.26.20.118
 +
 +
# Now  accept  locally  any  other  traffic,  i.e.  not from
 +
# 172.26.20/24
 +
ip rule add prio 100 table 100
 +
ip route add table 100 local 172.26.20.118 dev lo
 +
 +
Policy routing is faster than [[Using redirect to disable ARP|the REDIRECT approach]], but the client on the same LAN cannot access the virtual service on the [[VIP]]. The real servers ignore the traffic from the LAN to the VIP, in order to discard the [[ARP]] request for the VIP too.
  
 
== References ==
 
== References ==
  
 
* http://www.linuxvirtualserver.org/docs/arp.html
 
* http://www.linuxvirtualserver.org/docs/arp.html
 +
* [http://www.unixreview.com/documents/s=1350/urm0006d/ Policy Routing in Linux]
  
 
[[Category:ARP Issue]]
 
[[Category:ARP Issue]]
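Review bot: The sentence added before the commands ("For example, 172.26.20.118 is the [[VIP]] address") introduces the VIP but not 172.26.20/24, which appears only inside the command comments; state in the prose that it is the real servers' LAN subnet so readers know which two values to substitute. It would also help to note beside `ip rule add prio 100 table 100` that this rule has no selector and so matches everything not already caught at prio 99, which is why the order of the two priorities matters.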

Latest revision as of 08:27, 11 November 2006

Introduction

The classic TCP/IP routing algorithms used today make their routing decisions based only on the destination address of IP packets. However, we often find ourselves wanting to route IP packets depending not only on the destination addresses, but also on other packet fields such as the source address, the IP protocol, the transport protocol ports, or even data within the packet payload. This type of IP routing is referred to as "policy routing".

Disable ARP for VIP

Julian suggested using the advanced policy routing approach to work around the ARP problem of the real servers in LVS/DR and LVS/TUN clusters. In this example, 172.26.20.118 is the VIP address, and the commands are as follows:

# Block access from the LAN to the real server's VIP. This
# way we ignore the router's ARP probes. The drawback: we
# ignore the clients' probes too. We have to do this because
# a client on the LAN can receive replies from all real
# servers.
ip rule add prio 99 from 172.26.20/24 table 99
ip route add table 99 blackhole 172.26.20.118

# Now accept locally any other traffic, i.e. traffic not from
# 172.26.20/24.
ip rule add prio 100 table 100
ip route add table 100 local 172.26.20.118 dev lo

Policy routing is faster than the REDIRECT approach, but clients on the same LAN cannot access the virtual service on the VIP: the real servers ignore all traffic from the LAN to the VIP so that ARP requests for the VIP are discarded as well.
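The following added example (not part of the original page) models how the two rules are evaluated, so the effect on ARP probes and on traffic forwarded by the director can be checked per source address. The real server address 172.26.20.10, the contents of the local and main tables, and the off-LAN client 198.51.100.7 are constructed assumptions; the model also assumes the VIP is not configured as an interface address, so it is absent from the local table.

```python
import ipaddress

VIP = "172.26.20.118"

# (priority, source selector, table) mirroring the page's two `ip rule add`
# commands plus the kernel's built-in rules for the local and main tables.
RULES = [
    (0, "0.0.0.0/0", "local"),
    (99, "172.26.20.0/24", "99"),
    (100, "0.0.0.0/0", "100"),
    (32766, "0.0.0.0/0", "main"),
]

# table -> [(destination prefix, route type)]. The contents of "local" and
# "main" are constructed: a real server at 172.26.20.10 on the LAN, with the
# VIP deliberately NOT configured as an address (so it is absent from "local").
TABLES = {
    "local": [("172.26.20.10/32", "local")],
    "99": [(VIP + "/32", "blackhole")],
    "100": [(VIP + "/32", "local")],
    "main": [("172.26.20.0/24", "unicast"), ("0.0.0.0/0", "unicast")],
}


def lookup(src, dst):
    """Return (table, route type) chosen for a packet or ARP probe src -> dst."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for _prio, selector, table in sorted(RULES):
        if src_ip not in ipaddress.ip_network(selector):
            continue  # rule does not select this source
        matches = [
            (ipaddress.ip_network(prefix), rtype)
            for prefix, rtype in TABLES[table]
            if dst_ip in ipaddress.ip_network(prefix)
        ]
        if matches:  # longest prefix wins; a blackhole also ends the search
            return table, max(matches, key=lambda m: m[0].prefixlen)[1]
    return None, "unreachable"


def answers_arp(sender_ip, target_ip):
    """The kernel replies to an ARP request only if the target routes as local."""
    return lookup(sender_ip, target_ip)[1] == "local"


if __name__ == "__main__":
    for sender in ("172.26.20.1", "172.26.20.77", "198.51.100.7"):
        print(sender, "->", VIP, lookup(sender, VIP))
```

Any sender inside 172.26.20/24, router or client, resolves to the blackhole in table 99 and gets no ARP reply, while packets the director forwards with an off-LAN client source fall through to table 100 and are delivered locally.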

References