Hello,
On Fri, 8 Sep 2000, Stephen Rowles wrote:
> At 13:40 08/09/2000 -0400, you wrote:
> > > After trying to use Direct Routing on an ATM network I discovered that
> > > because of the ATM it is not possible to have duplicate MAC addresses for
> > > a single IP. The cluster will be a telnet / compute cluster which will load
Believe me, the same is for the Ethernet.
> > > balance telnet, ftp, and SSH traffic.
> >
>
> The problem is that when the real-servers reply to a machine that requires
> a route across the ATM, the packets that are sent claim to be from the VIP
> (which the director ARPs for and the ATM registers the director MAC as
> belonging to that IP address) BUT they have different MAC addresses because
> they come from different real-servers. So there are lots of packets claiming
> to be from the VIP, all with different MAC addresses :). The ATM won't
> route these for two reasons (having talked to the manufacturers) 1) to
> prevent IP spoofing attacks on the network. 2) the MAC address is
> fundamental to the way that the ATM routing software route IP packets - it
> is not possible for it to deliver packets to more than one MAC address for
> a given IP - doh!
You have to try LVS/DR with hiding the devices in
the real servers:
http://www.linuxvirtualserver.org/arp.html
You have to patch your real servers with
hidden-2.3.41-1.diff
I have never tried ATM but looking in the ATM docs
and the sources in 2.4 I don't see problems to use the
"hidden device" feature. Just define VIPs on lo/dummy
devices in the real servers and not on the atm devices.
The ARP in ATM is different but RFC1577 claims
interoperability. ATMARP is even preferred for LVS: the ARP
request can't raise problems because I don't see such thing
as "source IP address announcement" in the ARP requests to
the ARP server. Considering the fact that LVS works on IP
level I don't expect problems even on ATM. Just hide the
VIPs in the real servers.
You can't have two hosts that send ARP replies for
one VIP. This is true not only for ATM LIS but also for the
Ethernet.
>
> I thought about IP tunnelling (as all the boxes are linux) but the boxes
> will still reply from the VIP (correct?) and so the problem remains.
Yes, remains. This problem exists for LVS/DR and LVS/TUN
when the real servers and the director are on the same shared media.
>
> The key feature for the solution is that there has to be a 1-1 relationship
> between MAC addresses and IP addresses.
This is mandatory! Please, report your results with the
hidden flag, you are the first who plays with ATM on this list :)
>
> Cheers for all your comments.
> Steve.
>
> ----------------------------------------------------------------------------
> Going to church doesn't make you a Christian any more than going to a garage
> makes you a mechanic.
Regards
--
Julian Anastasov <ja@xxxxxx>
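The ARP behaviour discussed in this thread, as an added illustration that is not code from the LVS project or from either poster: a small Python model of a shared segment on which the director and three real servers all carry the VIP. A client broadcasts "who has VIP?" and the model collects the replies. With the VIP on an ordinary interface every real server answers and the segment sees several MACs for one IP (the situation the ATM LIS refuses); with the VIP on a hidden lo device only the director answers, which is the 1-1 IP-to-MAC mapping the thread says is mandatory. The `hidden` flag here simulates the semantics of the hidden patch (and of `arp_ignore` on later kernels): the host still owns the address and accepts packets for it, but never advertises it in ARP replies. All addresses and host names are constructed sample values.

```python
"""Simulated ARP on a shared segment: why LVS/DR real servers must hide the VIP.

Added illustration, not code from the LVS project or from the thread. Host
names, MACs and IPs below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Interface:
    name: str
    addrs: set
    hidden: bool = False   # True: never answer ARP for addresses on this device


@dataclass
class Host:
    name: str
    mac: str
    ifaces: list

    def owns(self, ip: str) -> bool:
        """True if the kernel holds ip on any interface, hidden or not.

        A hidden address is still local: the host accepts frames addressed to
        its own MAC whose destination IP is the VIP, which is what LVS/DR
        relies on when the director forwards a packet to a real server.
        """
        return any(ip in iface.addrs for iface in self.ifaces)

    def arp_reply(self, target_ip: str):
        """Return our MAC if we own target_ip on a non-hidden interface, else None."""
        for iface in self.ifaces:
            if target_ip in iface.addrs and not iface.hidden:
                return self.mac
        return None


def who_has(hosts, target_ip):
    """Broadcast an ARP request and collect every (host, MAC) that answers."""
    return [(h.name, h.mac) for h in hosts if h.arp_reply(target_ip) is not None]


VIP = "192.0.2.10"   # constructed VIP (TEST-NET-1)


def build_cluster(hide_vip_on_real_servers: bool):
    """Director plus three real servers; the VIP is on lo in the real servers."""
    director = Host("director", "00:00:5e:00:01:01",
                    [Interface("eth0", {"192.0.2.1", VIP})])
    real_servers = [
        Host(f"rs{i}", f"00:00:5e:00:01:1{i}",
             [Interface("eth0", {f"192.0.2.{100 + i}"}),
              # VIP lives on lo (or dummy0), not on the physical/ATM device,
              # so that only the director ever advertises it.
              Interface("lo", {"127.0.0.1", VIP}, hidden=hide_vip_on_real_servers)])
        for i in range(1, 4)
    ]
    return [director] + real_servers


def unique_mac_for_vip(hide: bool):
    """Return (ok, answers): ok is True when exactly one host answers for the VIP."""
    answers = who_has(build_cluster(hide), VIP)
    return len(answers) == 1, answers


if __name__ == "__main__":
    for hide in (False, True):
        ok, answers = unique_mac_for_vip(hide)
        print(f"hidden={hide}: {len(answers)} ARP replies -> {'OK' if ok else 'BROKEN'}")
        for name, mac in answers:
            print(f"  {name} says {VIP} is-at {mac}")
```

The two runs show the contrast the thread is about: without hiding, four hosts claim the VIP and a switch or ATM LIS that insists on one MAC per IP cannot deliver consistently; with hiding, the director is the only ARP responder while every real server still accepts packets for the VIP, so direct routing keeps working.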