
Dual NIC'd Real Servers under LVS-DR

To: lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject: Dual NIC'd Real Servers under LVS-DR
From: Keith Hellman <khellman@xxxxxxxx>
Date: Thu, 31 Jan 2002 11:25:06 -0700
Hello all:

I've been reading the LVS pages and my first comment is: Thanks, they (seem
to be) very thorough and quite informative.  I'm looking forward to cobbling
together my first LVS system next week...

I do have one nagging lack-of-understanding:

I'd like to set up my real servers with dual NICs, one on the LAN with the
director (LAN A), and the other (the default gw) on another LAN (LAN B) with
internet access; this is how I interpreted the diagram at
http://www.linuxvirtualserver.org/VS-DRouting.html.  I have attached a
diagram as plain text.  My understanding is that the following happens:
1       A client connects to the VIP on the Director
2       The Director (using DR) mods the MAC to an appropriate value for a
real server, and retransmits on the LAN A
3       The RS picks this packet up, and when it transmits back to the
client, it will go out the default interface (LAN B) - avoiding the LAN A

Here are my questions/impressions:
A       I'm under the impression that under VS-DR, the Director does not
finish the TCP session setup - it passes the first packet (SYN?) directly to
the RS and the RS finishes the session setup with the client - is this
correct?  Note that I'm only interested in DR.
B       Packets sent from the real server for TCP/IP session initiation, as
well as application layer transmission, will always be sent across LAN B  -
is this correct?
C       Packets from the Client will ALWAYS go through the Director, and be
re-routed to the appropriate real server (through LAN A) - is this correct?
Or will the IP address of the real-server's default interface actually be
'noticed' by the client (perhaps not at the application layer, but inside
the networking stack...) and 100% of client<->RS communications will happen
across LAN B?  I'm doubtful of this contingency, since it would seem to my
lay mind as a bit of a security hole, and if the latter actually does happen
- could someone point me to a reference so I can read up on the details?

We would like to partition the networking up like this for both security and
performance reasons - I've obviously left lots of stuff off this description
and the ascii art in the hope of focusing on the critical question.

TIA

#if INCLUDE_SIG && defined( EMAIL_SIG )
Keith E. Hellman                             khellman@xxxxxxxx
Software Engineer                    Voice: 303.530.8288 x3106
Colorado MEDtech/RELA
#endif
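The flow described in the post, modelled as an added example (not the poster's configuration and not LVS code): a director that rewrites only the Ethernet addresses of the client's frame, and a real server that holds the VIP, answers from it, and picks its egress NIC by longest-prefix match over its route table, so a reply to an off-link client leaves through the default gateway on LAN B. All addresses, MACs, interface names and route entries are constructed.

```python
"""Model of LVS-DR with dual-NIC real servers (constructed example: the director
rewrites only MACs; the RS replies from the VIP and routes via its own table)."""
import ipaddress
from collections import namedtuple

VIP = "192.0.2.10"              # constructed addresses (RFC 5737 ranges)
GW_B_MAC = "00:00:5e:00:53:ff"  # default gateway's MAC on LAN B (constructed)
Frame = namedtuple("Frame", "src_mac dst_mac src_ip dst_ip payload")

class RealServer:
    def __init__(self, name, mac_a, mac_b, routes):
        self.name, self.macs = name, {"ethA": mac_a, "ethB": mac_b}
        self.routes = [(ipaddress.ip_network(p), ifc) for p, ifc in routes]

    def egress(self, dst_ip):
        """Longest-prefix match over the route table picks the outgoing NIC."""
        dst = ipaddress.ip_address(dst_ip)
        hits = [r for r in self.routes if dst in r[0]]
        return max(hits, key=lambda r: r[0].prefixlen)[1]

    def handle(self, frame):
        """Accept only frames sent to our LAN A NIC for the VIP; reply from the VIP."""
        if frame.dst_mac != self.macs["ethA"] or frame.dst_ip != VIP:
            return None
        ifc = self.egress(frame.src_ip)
        next_hop = GW_B_MAC if ifc == "ethB" else "arp:" + frame.src_ip  # on-link: ARP
        return Frame(self.macs[ifc], next_hop, VIP, frame.src_ip, "SYN-ACK"), ifc

class Director:
    def __init__(self, mac, real_servers):
        self.mac, self.rs, self.n = mac, real_servers, 0

    def forward(self, frame):
        """DR: round-robin over real servers, rewrite only the MAC addresses."""
        if frame.dst_ip != VIP:
            return None
        rs = self.rs[self.n % len(self.rs)]
        self.n += 1
        return frame._replace(src_mac=self.mac, dst_mac=rs.macs["ethA"]), rs

ROUTES = [("192.0.2.0/24", "ethA"), ("198.51.100.0/24", "ethB"), ("0.0.0.0/0", "ethB")]

def simulate(client_ip="203.0.113.7"):
    """Client SYN reaches the director on LAN A; the RS SYN-ACK leaves on LAN B."""
    rs = [RealServer("rs1", "00:00:5e:00:53:01", "00:00:5e:00:53:11", ROUTES),
          RealServer("rs2", "00:00:5e:00:53:02", "00:00:5e:00:53:12", ROUTES)]
    d = Director("00:00:5e:00:53:d0", rs)
    syn = Frame("00:00:5e:00:53:c0", d.mac, client_ip, VIP, "SYN")
    fwd, chosen = d.forward(syn)
    reply, ifc = chosen.handle(fwd)
    return chosen.name, fwd.dst_ip, ifc, reply.src_ip, reply.dst_ip
```

The returned tuple shows the forwarded frame still carries the VIP as destination IP, the reply leaves on ethB, and the client sees the VIP (not the LAN B address) as the reply's source.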