Re: LVS-DR, Cisco switch, and ARPtables

[Con Tassios <ct@xxxxxxxxxxx>]

I've used the following arptables configuration on RHEL v.3 real servers in a 
LVS-DR configuration to handle the ARP problem and allow hosts on the same 
subnet to connect to the VIP.
arptables -F
arptables -A IN -d $VIP -j DROP
arptables -A OUT -s $VIP -j mangle --mangle-ip-s $RIP
service arptables_jf save
chkconfig arptables_jf on


> I'm trying to configure a Linux Director for localnode to itself 
> (172.27.21.211:8080) and LVS-DR to another Realserver (172.27.21.212:8080). I'm 
> handling the ARP problem on 172.27.21.210:8080 (the load balanced IP) by using 
> Arptables.
>
> # arptables -L -n
> Chain IN (policy ACCEPT)
> target     source-ip            destination-ip       source-hw          
> destination-hw     hlen   op         hrd        pro
> DROP       0.0.0.0/0            172.27.21.210        00/00              00/00   
>         any    0000/0000  0000/0000  0000/0000
>
> Chain OUT (policy ACCEPT)
> target     source-ip            destination-ip       source-hw          
> destination-hw     hlen   op         hrd        pro
> DROP       0.0.0.0/0            172.27.21.210        00/00              00/00   
>         any    0000/0000  0000/0000  0000/0000
>
> The problem is I can ping 172.27.21.210 from every subnet (all the ones I could 
> try) except the 172.27.21.x.
>
> A client (172.27.21.205) shows 172.27.21.210 with an (Incomplete) for the MAC 
> address.
>
> If I remove 172.27.21.210 on the Director and add it back, issuing a gratuitis 
> ARP, then the client gets the correct MAC address for 172.27.21.210 and is able 
> to ping ok. This lasts for about 2 minutes before it gets an incomplete for the 
> MAC again and I can't ping it.
>
> Is this an arp caching problem on my Cisco switch?  Should I use something 
> other than Arptables to handle the arp problem?