Re: [lvs-users] Ignoring ARP on *all* interfaces? Docs seem to say so

To: " users mailing list." <lvs-users@xxxxxxxxxxxxxxxxxxxxxx>
Subject: Re: [lvs-users] Ignoring ARP on *all* interfaces? Docs seem to say so
From: Julian Anastasov <ja@xxxxxx>
Date: Sat, 15 Oct 2011 22:45:07 +0300 (EEST)

On Sat, 15 Oct 2011, L.S. Keijser wrote:

> On Sat, 2011-10-15 at 06:14 +0000, Henry C. wrote:
> > Hi,
> > 
> > From the documentation, one way to fix the ARP problem:
> > 
> > # LVS:  prevent this server from replying to ARP requests for the VIP
> > # and bypassing the director.
> > net.ipv4.conf.lo.arp_ignore = 1
> > net.ipv4.conf.lo.arp_announce = 2
> > net.ipv4.conf.all.arp_ignore = 1
> > net.ipv4.conf.all.arp_announce = 2
> > net.ipv4.conf.tunl0.arp_ignore = 1

        Henri, arp_ignore and arp_announce for interface "lo" are
not used. Both flags control the ARP traffic on the concerned
interface. This is different from the "hidden" flag that
was used to hide "lo" addresses from other ARP interfaces.

        It seems the above docs are wrong to use "lo" and
should be fixed.

        One place that correctly explains the new flags is:

> > This seems to work well, but I'm curious about the line:
> > 
> > net.ipv4.conf.all.arp_ignore = 1

        See below.

> > Will this not affect the other non-VIP interfaces on the realserver?  This
> > line seems to imply that ALL interfaces will not respond to ARPs...  Also,
> > why ignore ARPs on loopback (lo)?
> > 
> > It just seems counter-intuitive.
> Okay, I'll try to explain. In a correctly configured setup, a client
> sends a request (ARP who-has) to the VIP on the director. The director
> sees this packet and responds (ARP is-at) : "yes, this is my IP, here's
> the MAC addr". The client then has a connection to the VIP on the
> director, who in turn sends packets to one of the realservers. The
> realserver replies back straight to the client.
> Now the reason why you'll want to prevent the loopback device on the
> realserver from replying when an ARP request is sent, is so
> loadbalancing actually works. Consider this scenario where I don't
> prevent ARP replies:
> 0. 1 director, 1 client, 2 realservers (rs-A and B)
> 1. client sends request for IP
> 2. rs-A sees the request before the director does
> 3. rs-A has the IP configured at its loopback device
> 4. rs-A sends the ARP reply to the client
> 5. client now has a direct connection to rs-A, bypassing the director
> Now all of your clients could do this, or some, or none. In any case,
> loadbalancing is effectively disabled/broken.
> Some people will ignore ARP for all interfaces. This is wrong.

        Most of the trivial LVS and non-LVS setups can work with
all.arp_ignore = 1; that is how other networking stacks react to
ARP requests - the requested address must be on the same interface.
It works when IPs from the same subnet are configured on only one
interface. LVS setups can use this restriction to configure VIPs
on lo, dummy or any other interface that is different from
the interface that carries the ARP traffic.


Julian Anastasov <ja@xxxxxx>
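The behaviour discussed in this thread (the "lo" flags never being consulted, all.arp_ignore = 1 hiding a VIP only when it sits on an interface other than the one receiving ARP, and the ARP race L.S. Keijser walks through) can be checked against a small model. The following is an added example, not code from this thread, from the LVS documentation or from the kernel: a simplified Python model of the arp_ignore/arp_announce decisions (levels 0, 1, 2 and 8 for arp_ignore; 0, 1 and 2 for arp_announce; the scope-based levels are not modelled). The interface names, the realserver address tables and the client/VIP addresses are constructed for illustration.

```python
"""
Simplified model of Linux arp_ignore / arp_announce behaviour on an LVS-DR
realserver. Added example; interface names and addresses are constructed.
"""
import ipaddress

# Constructed realserver: eth0 faces the LAN and is the only interface that
# ever receives ARP; the VIP is configured on lo as a /32.
REALSERVER = {
    "eth0": [ipaddress.ip_interface("192.0.2.11/24")],
    "lo":   [ipaddress.ip_interface("127.0.0.1/8"),
             ipaddress.ip_interface("192.0.2.100/32")],   # VIP (constructed)
}
# Same host, but with the VIP added as a secondary address on eth0 instead.
VIP_ON_ETH0 = {
    "eth0": [ipaddress.ip_interface("192.0.2.11/24"),
             ipaddress.ip_interface("192.0.2.100/24")],
    "lo":   [ipaddress.ip_interface("127.0.0.1/8")],
}
VIP, CLIENT = "192.0.2.100", "192.0.2.50"   # constructed addresses

# The sysctl set quoted from the documentation in the thread ("lo" lines included) ...
DOC_CONFIG = {
    "net.ipv4.conf.lo.arp_ignore": 1, "net.ipv4.conf.lo.arp_announce": 2,
    "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2,
}
# ... only its "lo" lines, to show they change nothing ...
LO_ONLY_CONFIG = {k: v for k, v in DOC_CONFIG.items() if ".lo." in k}
# ... and a version naming the ARP-facing interface explicitly (assumed eth0).
FIXED_CONFIG = {
    "net.ipv4.conf.all.arp_ignore": 1, "net.ipv4.conf.all.arp_announce": 2,
    "net.ipv4.conf.eth0.arp_ignore": 1, "net.ipv4.conf.eth0.arp_announce": 2,
}


def effective(sysctl, iface, flag):
    """The kernel uses max(conf.all.<flag>, conf.<iface>.<flag>) for both flags."""
    return max(sysctl.get(f"net.ipv4.conf.all.{flag}", 0),
               sysctl.get(f"net.ipv4.conf.{iface}.{flag}", 0))


def answers_arp(ifaces, sysctl, in_iface, target_ip, sender_ip):
    """True if the host replies to 'who-has target_ip' received on in_iface."""
    target, sender = ipaddress.ip_address(target_ip), ipaddress.ip_address(sender_ip)
    if not any(a.ip == target for addrs in ifaces.values() for a in addrs):
        return False                                    # not a local address at all
    level = effective(sysctl, in_iface, "arp_ignore")   # only in_iface's flags matter;
    if level == 0:                                      # lo never receives ARP, so
        return True                                     # lo.arp_ignore is never read
    if level == 8:
        return False                                    # reply for no local address
    on_in = [a for a in ifaces[in_iface] if a.ip == target]
    if level == 1:
        return bool(on_in)                              # target must be on in_iface
    if level == 2:
        return any(sender in a.network for a in on_in)  # ... and sender in its subnet
    raise NotImplementedError(f"arp_ignore={level} not modelled")


def arp_request_source(ifaces, sysctl, out_iface, pkt_saddr, target_ip):
    """Sender IP the host puts in its own ARP requests on out_iface when the
    packet that triggered the resolution carried pkt_saddr (arp_announce 0/1/2)."""
    level = effective(sysctl, out_iface, "arp_announce")
    saddr, target = ipaddress.ip_address(pkt_saddr), ipaddress.ip_address(target_ip)
    out = ifaces[out_iface]
    if level == 0:
        return str(saddr)                    # any local address, the VIP included
    if level == 1 and any(a.ip == saddr and target in a.network for a in out):
        return str(saddr)                    # keep it only if in the target's subnet
    for a in out:                            # level 2 (and level 1 fallback):
        if target in a.network:              # primary address on out_iface that
            return str(a.ip)                 # shares a subnet with the target
    return str(out[0].ip)                    # otherwise first address on out_iface


def unused_keys(sysctl):
    """ARP flags set on lo: never consulted, because ARP never arrives on lo."""
    return sorted(k for k in sysctl if k.startswith("net.ipv4.conf.lo.arp_"))


def race_is_closed(sysctl, ifaces=REALSERVER):
    """The scenario from the thread: the client ARPs for the VIP and the request
    reaches the realserver on eth0. Closed means the realserver stays silent and
    its own ARP requests never advertise the VIP as their sender address."""
    quiet = not answers_arp(ifaces, sysctl, "eth0", VIP, CLIENT)
    no_leak = arp_request_source(ifaces, sysctl, "eth0", VIP, CLIENT) != VIP
    return quiet and no_leak


if __name__ == "__main__":
    for name, cfg in [("doc", DOC_CONFIG), ("lo-only", LO_ONLY_CONFIG),
                      ("fixed", FIXED_CONFIG)]:
        print(f"{name:8} VIP on lo: closed={race_is_closed(cfg)} "
              f"unused={unused_keys(cfg)}")
    print(f"doc      VIP on eth0: closed={race_is_closed(DOC_CONFIG, VIP_ON_ETH0)}")
```

Running it shows the three points of the thread: the documented set works because of its all.* lines, the lo.* lines alone leave the realserver answering for the VIP (and, with arp_announce still 0, sending ARP requests whose sender IP is the VIP), and all.arp_ignore = 1 stops hiding the VIP as soon as it is configured on eth0 itself rather than on lo or a dummy interface.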
