Re: [lvs-users] Ignoring ARP on *all* interfaces? Docs seem to say so

To:	lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Subject:	Re: [lvs-users] Ignoring ARP on all interfaces? Docs seem to say so
From:	"L.S. Keijser" <leon@xxxxxxxx>
Date:	Sat, 15 Oct 2011 19:28:59 +0200

On Sat, 2011-10-15 at 06:14 +0000, Henry C. wrote:
> Hi,
> 
> >From the documentation, one way to fix the ARP problem:
> 
> # LVS:  prevent this server from replying to ARP requests for the VIP
> # and bypassing the director.
> net.ipv4.conf.lo.arp_ignore = 1
> net.ipv4.conf.lo.arp_announce = 2
> net.ipv4.conf.all.arp_ignore = 1
> net.ipv4.conf.all.arp_announce = 2
> net.ipv4.conf.tunl0.arp_ignore = 1
> 
> This seems to work well, but I'm curious about the line:
> 
> net.ipv4.conf.all.arp_ignore = 1
> 
> Will this not affect the other non-VIP interfaces on the realserver?  This
> line seems to imply that ALL interfaces will not respond to ARPs...  Also, why
> ignore ARPs on loopback (lo)?
> 
> It just seems counter-intuitive.

Okay, I'll try to explain. In a correctly configured setup, a client
sends a request (ARP who-has) to the VIP on the director. The director
sees this packet and responds (ARP is-at) : "yes, this is my IP, here's
the MAC addr". The client then has a connection to the VIP on the
director, who in turn sends packets to one of the realservers. The
realserver replies back straight to the client.

Now the reason why you'll want to prevent the loopback device on the
realserver from replying when an ARP request is sent, is so
loadbalancing actually works. Consider this scenario where I don't
prevent ARP replies:

0. 1 director, 1 client, 2 realservers (rs-A and B)
1. client sends request for IP 1.2.3.4
2. rs-A sees the request before the director does
3. rs-A has the IP configured at it's loopback device
4. rs-A sends the ARP reply to the client
5. client now has a direct connection to rs-A, bypassing the director

Now all of your clients could do this, or some, or none. In any case,
loadbalancing is effectively disabled/broken.

Some people will ignore ARP for all interfaces. This is wrong.

regards,

Léon

_______________________________________________
Please read the documentation before posting - it's available at:
http://www.linuxvirtualserver.org/

LinuxVirtualServer.org mailing list - lvs-users@xxxxxxxxxxxxxxxxxxxxxx
Send requests to lvs-users-request@xxxxxxxxxxxxxxxxxxxxxx
or go to http://lists.graemef.net/mailman/listinfo/lvs-users

<Prev in Thread]	Current Thread	[Next in Thread>
*[lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, Henry C.* *Re: [lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, L.S. Keijser* <= *Re: [lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, Julian Anastasov* *Re: [lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, L.S. Keijser* *Re: [lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, Henry C.*

Previous by Date:	*[lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, Henry C.*
Next by Date:	*Re: [lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, Julian Anastasov*
Previous by Thread:	*[lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, Henry C.*
Next by Thread:	*Re: [lvs-users] Ignoring ARP on all* interfaces? Docs seem to say so*, Julian Anastasov*
Indexes:	[Date] [Thread] [Top] [All Lists]