vs/nat
Lab environment
- client:
- cip:192.168.10.100:eth1
- lvs:
- vip:192.168.10.101:eth1
- dip:192.168.80.101:eth0
- rs1:
- rip:192.168.80.102:eth0
- rs2:
- rip:192.168.80.103:eth0
The lvs has two NICs in total: one faces outward and sits on the same LAN as the client, the other faces inward and forms a LAN with the two real servers.
Preparation
- The lvs must be able to talk to both the client and the real servers.
- First configure the client and the two real servers so that they can reach each other by pointing their gateway at the lvs.
- Then make sure the client and the two real servers cannot reach each other directly.
1. The lvs can talk to both the client and the real servers
After adding the corresponding NICs, keep the defaults. The lvs has two NICs, each talking to a different LAN.
2. Configure the client and the two real servers so that they can reach each other by pointing their gateway at the lvs
The lvs connects the two subnets. Once forwarding is enabled it takes the role of a router, and each end has a route to the other end's subnet (in this example the default route points at the lvs). The lvs forwards between the two subnets, packets go out and come back, and the two ends can reach each other.
rs1 and rs2 add a default route pointing at the lvs's 80.101 address.
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# By default there is one gateway route pointing at the VMware Workstation gateway
[root@rs2 ~]# route add default gw 192.168.80.101
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# the route pointing at the .101 address has been added
# same on rs1
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]# route add default gw 192.168.80.101
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
The client adds a default route pointing at the lvs's 10.101:
[root@client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.10.101 0.0.0.0 UG 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
[root@client ~]# route add default gw 192.168.10.101
Enable IP forwarding on the lvs:
[root@lvs ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
Now the client can reach rs1 and rs2, and the rs can reach the client.
[root@client ~]# ping 192.168.80.103
PING 192.168.80.103 (192.168.80.103) 56(84) bytes of data.
64 bytes from 192.168.80.103: icmp_seq=5 ttl=63 time=0.987 ms
64 bytes from 192.168.80.103: icmp_seq=6 ttl=63 time=1.20 ms
3. The client and the two real servers cannot reach each other directly
Delete the default route on the client and on the rs. Each side can now reach only its own subnet; anything off-subnet has neither a matching route nor a default route, so it is reported as network unreachable.
[root@client ~]# route del default gw 192.168.10.101
[root@client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
[root@client ~]# ping 192.168.80.103
connect: Network is unreachable
# client
[root@rs2 ~]# route del default gw 192.168.80.101
[root@rs2 ~]# route del default gw 192.168.80.2
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs2 ~]# ping 192.168.10.100
connect: Network is unreachable
# rs2
[root@rs1 ~]# route del default gw 192.168.80.101
[root@rs1 ~]# route del default gw 192.168.80.2
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]# ping 192.168.10.100
connect: Network is unreachable
# rs1
The client can no longer reach the rs directly; only addresses on its own 10 subnet are reachable, so the client can only reach the lvs's address.
[root@client ~]# ping 192.168.80.103
connect: Network is unreachable
[root@client ~]# ping 192.168.80.102
connect: Network is unreachable
[root@client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
Configuring vs/nat
- lvs server:
- enable the ipvs module (enabled by default)
- install the ipvsadm management command
- enable ip_forward on the lvs server
- rs servers:
- install httpd
- write a different index page on each and start it
- point the gateway at the lvs's dip address
- lvs server:
- configure the ipvs rules
- expose port 80 of 10.101 as the service
- add the two backend rs nodes as real servers
- the client accesses port 80 of the lvs's 10.101
1. Check that the ipvs module is available and install the ipvsadm command
yum install -y ipvsadm is enough; it can also be built from source (see the notes on building ipvsadm from source).
[root@lvs ~]# ll /usr/lib/modules/3.10.0-862.el7.x86_64/kernel/net/netfilter/ipvs/
total 112
-rw-r--r--. 1 root root 2160 Apr 21 2018 ip_vs_dh.ko.xz
-rw-r--r--. 1 root root 4084 Apr 21 2018 ip_vs_ftp.ko.xz
-rw-r--r--. 1 root root 59100 Apr 21 2018 ip_vs.ko.xz
-rw-r--r--. 1 root root 3952 Apr 21 2018 ip_vs_lblc.ko.xz
-rw-r--r--. 1 root root 4740 Apr 21 2018 ip_vs_lblcr.ko.xz
-rw-r--r--. 1 root root 1728 Apr 21 2018 ip_vs_lc.ko.xz
-rw-r--r--. 1 root root 1752 Apr 21 2018 ip_vs_nq.ko.xz
-rw-r--r--. 1 root root 2972 Apr 21 2018 ip_vs_pe_sip.ko.xz
-rw-r--r--. 1 root root 1928 Apr 21 2018 ip_vs_rr.ko.xz
-rw-r--r--. 1 root root 1740 Apr 21 2018 ip_vs_sed.ko.xz
-rw-r--r--. 1 root root 2532 Apr 21 2018 ip_vs_sh.ko.xz
-rw-r--r--. 1 root root 1760 Apr 21 2018 ip_vs_wlc.ko.xz
-rw-r--r--. 1 root root 2508 Apr 21 2018 ip_vs_wrr.ko.xz
# location of the ipvs modules
[root@lvs ~]# rpm -ql ipvsadm
/etc/sysconfig/ipvsadm-config
/usr/lib/systemd/system/ipvsadm.service
/usr/sbin/ipvsadm
/usr/sbin/ipvsadm-restore
/usr/sbin/ipvsadm-save
/usr/share/doc/ipvsadm-1.27
/usr/share/doc/ipvsadm-1.27/README
/usr/share/man/man8/ipvsadm-restore.8.gz
/usr/share/man/man8/ipvsadm-save.8.gz
/usr/share/man/man8/ipvsadm.8.gz
# file list of the ipvsadm package
2. Prepare the rs
# on rs2 (from the shell history):
yum install -y httpd
echo rs2:192.168.80.103 > /var/www/html/index.html
systemctl start httpd
# on rs1:
yum install -y httpd
echo rs1:192.168.80.102 > /var/www/html/index.html
systemctl start httpd
[root@lvs ~]# curl 192.168.80.102
rs1:192.168.80.102
[root@lvs ~]# curl 192.168.80.103
rs2:192.168.80.103
# access test from the lvs succeeded
3. Configure the ipvs rules
[root@lvs ~]# ipvsadm -C
# clear the rules first to avoid interference
[root@lvs ~]# ipvsadm -A -t 192.168.10.101:80 -s wrr
# add a public service: scheduler wrr (weighted round robin), service on port 80 of the local vip
[root@lvs ~]# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP lvs:http wrr
# a TCP http service has been added, with the wrr scheduler
[root@lvs ~]# ipvsadm -a -t 192.168.10.101:80 -r 192.168.80.102:80 -m -w 2
[root@lvs ~]# ipvsadm -a -t 192.168.10.101:80 -r 192.168.80.103:80 -m -w 3
# add the two rs
# -a adds a real server, -t selects the TCP service, -m is NAT mode, -w sets the weight
[root@lvs ~]# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP lvs:http wrr
-> 192.168.80.102:http Masq 2 0 0
-> 192.168.80.103:http Masq 3 0 0
# one public service and its backend real rs servers are shown
Note:
- During the experiment, ip_forward was forgotten on the lvs,
- and the gateway on the rs was not set to the lvs's dip,
- so the client could not get through! vs/nat needs the lvs to do NAT and forwarding, and after the rs handles a request it must send the reply to its gateway, i.e. the lvs's dip address.
- Fixed as follows:
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs2 ~]# route add default gw 192.168.80.101
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]# route add default gw 192.168.80.101
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@lvs ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@lvs ~]# cat /proc/sys/net/ipv4/ip_forward
1
4. Client access
[root@client ~]# curl 192.168.10.101
rs1:192.168.80.102
[root@client ~]# curl 192.168.10.101
rs2:192.168.80.103
[root@client ~]# curl 192.168.10.101
rs1:192.168.80.102
[root@client ~]# curl 192.168.10.101
rs2:192.168.80.103
[root@client ~]# curl 192.168.10.101
rs2:192.168.80.103
[root@client ~]# curl 192.168.10.101
rs1:192.168.80.102
# scheduling works; the ratio is about 2:3
Check the lvs status:
[root@lvs ~]# ipvsadm -Ln --stats
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port
TCP 192.168.10.101:80 15 84 48 5496 5712
-> 192.168.80.102:80 6 31 20 2050 2380
-> 192.168.80.103:80 9 53 28 3446 3332
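The following checks are an added example, not the notes' own script. They test the three conditions the notes show a vs/nat set-up must satisfy (ip_forward=1 on the lvs, every rs default-routing to the lvs DIP, every real server in Masq mode) and compare the per-rs connection share in the stats output with the configured weights. All inputs are passed as text, so the checks also run over saved `route -n` / `ipvsadm` output; the sample texts are constructed from the output shown above.

```shell
#!/bin/bash
# Added example, not part of the original notes: pre-flight and post-check
# for the vs/nat set-up. Inputs are text, so it runs over saved output.

# rs_default_gw_ok ROUTE_TABLE DIP: true if a default route via DIP exists
rs_default_gw_ok() {
    printf '%s\n' "$1" |
        awk -v gw="$2" '$1 == "0.0.0.0" && $2 == gw { ok = 1 } END { exit !ok }'
}

# ipvs_all_masq IPVSADM_L_OUTPUT: true if every "->" real-server line is Masq
ipvs_all_masq() {
    printf '%s\n' "$1" | awk '
        $1 == "->" && $2 != "RemoteAddress:Port" { n++; if ($3 != "Masq") bad++ }
        END { exit (n == 0 || bad > 0) }'
}

# nat_problems DIP IP_FORWARD IPVSADM_L_OUTPUT RS_ROUTE_TABLE...
# prints one line per problem; prints nothing when the set-up is sound
nat_problems() {
    dip=$1 fwd=$2 ipvs=$3
    shift 3
    [ "$fwd" = "1" ] || echo "lvs: ip_forward is '$fwd', must be 1"
    ipvs_all_masq "$ipvs" || echo "lvs: not every real server uses Masq (-m)"
    i=1
    for table in "$@"; do
        rs_default_gw_ok "$table" "$dip" || echo "rs$i: no default route via DIP $dip"
        i=$(( i + 1 ))
    done
}

nat_problem_count() { nat_problems "$@" | awk 'END { print NR }'; }

# conn_share RS STATS_OUTPUT: percent of all connections that went to RS
conn_share() {
    printf '%s\n' "$2" | awk -v rs="$1" '
        $1 == "->" && $2 != "RemoteAddress:Port" { total += $3; if ($2 == rs) mine = $3 }
        END { if (total == 0) print -1; else printf "%d\n", mine * 100 / total }'
}

# weight_share RS IPVSADM_LN_OUTPUT: percent of the total weight given to RS
weight_share() {
    printf '%s\n' "$2" | awk -v rs="$1" '
        $1 == "->" && $2 != "RemoteAddress:Port" { total += $4; if ($2 == rs) mine = $4 }
        END { if (total == 0) print -1; else printf "%d\n", mine * 100 / total }'
}

# Constructed samples, copied from the notes' own output.
RS_NO_GW='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0'
RS_WITH_GW='Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0'
IPVS_NAT='IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.10.101:80 wrr
-> 192.168.80.102:80 Masq 2 0 0
-> 192.168.80.103:80 Masq 3 0 0'
IPVS_DR='TCP 192.168.80.200:80 wlc
-> 192.168.80.102:80 Route 1 0 0
-> 192.168.80.103:80 Route 1 0 0'
STATS='Prot LocalAddress:Port Conns InPkts OutPkts InBytes OutBytes
-> RemoteAddress:Port
TCP 192.168.10.101:80 15 84 48 5496 5712
-> 192.168.80.102:80 6 31 20 2050 2380
-> 192.168.80.103:80 9 53 28 3446 3332'

echo "== the state the notes ran into first (ip_forward off, rs without gateway) =="
nat_problems 192.168.80.101 0 "$IPVS_NAT" "$RS_NO_GW" "$RS_NO_GW"
echo "== after the fix (no output means no problem) =="
nat_problems 192.168.80.101 1 "$IPVS_NAT" "$RS_WITH_GW" "$RS_WITH_GW"
for rs in 192.168.80.102:80 192.168.80.103:80; do
    echo "$rs: $(conn_share "$rs" "$STATS")% of connections, $(weight_share "$rs" "$IPVS_NAT")% of weight"
done
```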
vs/nat done!
vs/tun
vs/dr
ARP-related kernel parameters
During ARP, the requester asks for the MAC of an IP and fills in its own source IP and source MAC; the receiver caches this pair. When the receiver finds that it owns the requested IP, it puts its own IP and MAC into the reply and unicasts it to the requester. One naturally assumes that IP and MAC correspond one to one, i.e. the interface holding the IP and that interface's MAC, but that is not necessarily so: an IP and a MAC do not have to match, especially when a host has several interfaces, several IPs, and a lo interface.
arp_ignore decides which of its own IPs and MACs a host uses when answering an ARP request.
arp_announce decides which of its own IPs and MACs a host uses when sending an ARP request.
In the DR model the lvs and the rs sit on the same physical segment. When the lvs and several rs all carry the vip, one segment has several holders of the same vip, and ARP broadcasts cause conflicts!
Solutions:
- Static binding on the front-end router: bind the vip to the MAC of one lvs interface in the router's ARP table; not flexible enough
- Use arptables on every rs
- On every rs, change the kernel parameters so that the rs restricts ARP replies and announcements for the vip address (the common approach)
arp_ignore
- default is 0
- set to 1: reply only when the requested IP is configured on the interface the ARP broadcast arrived on
- e.g. rs2 receives an ARP broadcast on eth0 asking for 80.200, but 80.200 is configured on its lo interface,
- so it does not answer the broadcast
- the other rs behave the same way
- now only the lvs answers, which resolves the conflict between multiple vip holders
arp_announce
- default is 0
- 1: try to avoid announcing interface addresses to networks they are not directly connected to
- 2: must avoid announcing interface addresses that do not belong to the target network
Usually on an rs: set arp_ignore to 1 and arp_announce to 2; to revert, set both back to 0.
ip neigh flush all
clears all ARP cache entries
[root@router ~]# ll /proc/sys/net/ipv4/conf/
total 0
dr-xr-xr-x 1 root root 0 Sep 9 15:23 all
dr-xr-xr-x 1 root root 0 Sep 9 15:23 default
dr-xr-xr-x 1 root root 0 Sep 9 15:27 eth0
dr-xr-xr-x 1 root root 0 Sep 9 15:27 eth1
dr-xr-xr-x 1 root root 0 Sep 9 15:27 lo
[root@router ~]#
Both all and the lo interface have to be set at the same time.
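The audit below is an added example, not part of the notes. It checks the ARP settings a DR real server needs according to the recipe above (arp_ignore=1 and arp_announce=2 on both all and lo) and that the vip sits on lo with a /32 mask. ROOT is an assumed parameter so that the audit can be pointed at a constructed directory tree instead of the real /proc/sys/net/ipv4/conf; the demo builds such a tree so it runs without root.

```shell
#!/bin/bash
# Added example, not part of the original notes: audit of the ARP settings
# and the vip placement on a DR real server.

# arp_audit ROOT: prints one line per deviating setting; true when all is correct.
# ROOT is normally /proc/sys/net/ipv4/conf; a constructed tree is used below.
arp_audit() {
    root=$1 bad=0
    for dev in all lo; do
        for key in arp_ignore arp_announce; do
            want=1
            [ "$key" = arp_announce ] && want=2
            f="$root/$dev/$key"
            if [ ! -r "$f" ]; then
                echo "$dev/$key: missing"; bad=1; continue
            fi
            have=$(cat "$f")
            [ "$have" = "$want" ] || { echo "$dev/$key=$have (want $want)"; bad=1; }
        done
    done
    return $bad
}

# vip_on_lo_32 IP_A_OUTPUT VIP: true if "inet VIP/32" is bound to lo or an lo alias
vip_on_lo_32() {
    printf '%s\n' "$1" | awk -v vip="$2/32" '
        $1 == "inet" && $2 == vip && $NF ~ /^lo(:[0-9]+)?$/ { ok = 1 }
        END { exit !ok }'
}

# make_tree DIR ALL_IGNORE ALL_ANNOUNCE LO_IGNORE LO_ANNOUNCE: constructed sysctl tree
make_tree() {
    mkdir -p "$1/all" "$1/lo" "$1/eth0"
    echo "$2" > "$1/all/arp_ignore";  echo "$3" > "$1/all/arp_announce"
    echo "$4" > "$1/lo/arp_ignore";   echo "$5" > "$1/lo/arp_announce"
    echo 0 > "$1/eth0/arp_ignore";    echo 0 > "$1/eth0/arp_announce"
}

# Constructed "ip a" fragments in the notes' format.
IPA_OK='inet 127.0.0.1/8 scope host lo
inet 192.168.80.200/32 brd 192.168.80.200 scope global lo:0'
IPA_WRONG_MASK='inet 127.0.0.1/8 scope host lo
inet 192.168.80.200/24 brd 192.168.80.255 scope global lo:0'

T=$(mktemp -d)
make_tree "$T/rs-ok" 1 2 1 2          # what the notes' start script produces
make_tree "$T/rs-all-only" 1 2 0 0    # only conf/all set, lo left at defaults
echo "== rs-ok =="; arp_audit "$T/rs-ok" && echo "arp settings correct"
echo "== rs-all-only =="; arp_audit "$T/rs-all-only" || echo "set lo as well"
vip_on_lo_32 "$IPA_OK" 192.168.80.200 && echo "vip is /32 on lo"
vip_on_lo_32 "$IPA_WRONG_MASK" 192.168.80.200 || echo "vip on lo must be /32"
rm -rf "$T"
```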
vip, dip and rip on the same subnet
1. Prepare the lab topology below and the basic network environment
Configure the basic routes and IPs according to the topology.
# client:
[root@client ~]# route add default gw 192.168.10.101
[root@client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.10.101 0.0.0.0 UG 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
# router
# connects the two subnets; enable forwarding so that it acts as the router
[root@router ~]# cat /proc/sys/net/ipv4/ip_forward
0
[root@router ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
[root@router ~]# cat /proc/sys/net/ipv4/ip_forward
1
[root@router ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# rs1
# both rs delete the default route via vmnet8 and point the default route at 80.101
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]# route del default gw 192.168.80.2
[root@rs1 ~]# route add default gw 192.168.80.101
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# rs2
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs2 ~]# route del default gw 192.168.80.2
[root@rs2 ~]# route add default gw 192.168.80.101
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# lvs
# the lvs currently has only a dip; its gateway also points at the router's 80.101
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@lvs ~]# route del default gw 192.168.80.2
[root@lvs ~]# route add default gw 192.168.80.101
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
2. Configure the vip on the lvs
[root@lvs ~]# ip addr add 192.168.80.200/32 dev eth0
[root@lvs ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:55:b3:ea brd ff:ff:ff:ff:ff:ff
inet 192.168.80.104/24 brd 192.168.80.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 192.168.80.200/32 scope global eth0
valid_lft forever preferred_lft forever
# the router can now ping the vip on the lvs
[root@router ~]# ping 192.168.80.200
PING 192.168.80.200 (192.168.80.200) 56(84) bytes of data.
64 bytes from 192.168.80.200: icmp_seq=1 ttl=64 time=0.915 ms
3. Configure the vip and the ARP parameters on the two rs
Configuration script:
Change the vip as needed; start enables it, stop clears the configuration.
This script makes it easy to bring an rs online or offline.
[root@rs2 ~]# cat lvs
#!/bin/bash
#
vip=192.168.80.200
mask='255.255.255.255'
case $1 in
start)
# answer ARP only for addresses configured on the interface the request arrived on
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
# announce only addresses that belong to the outgoing interface
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
# bind the vip to the lo:0 alias with a /32 mask and add the host route
ifconfig lo:0 $vip netmask $mask broadcast $vip up
route add -host $vip dev lo:0
;;
stop)
# take the vip down and restore the default ARP behaviour
ifconfig lo:0 down
echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
;;
*)
echo "Usage $(basename $0) start|stop"
exit 1
;;
esac
4. Configure the ipvs rules on the lvs
[root@lvs ~]# ipvsadm -C
[root@lvs ~]# ipvsadm -A -t 192.168.80.200:80 -g
Illegal 'forwarding-method' option with the 'add-service' command
[root@lvs ~]# ipvsadm -A -t 192.168.80.200:80
[root@lvs ~]# ipvsadm -L
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP lvs:http wlc
[root@lvs ~]# ipvsadm -a -t 192.168.80.200:80 -r 192.168.80.102:80 -g
[root@lvs ~]# ipvsadm -a -t 192.168.80.200:80 -r 192.168.80.103:80 -g
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 192.168.80.200:80 wlc
-> 192.168.80.102:80 Route 1 0 0
-> 192.168.80.103:80 Route 1 0 0
5. Client access test
# Failed at first: pinging the rs directly from the client did not work. The outbound default route was present and the router had forwarding enabled, but on the rs the route back to the 10 subnet was gone: the default route pointed at vmnet8's 80.2 again,
# and there was an extra host route for 80.200 via the loopback interface.
# Possibly configuring the vip on the lo interface affected the default route?
# After pointing the default route at 80.101 again it worked, and the client could ping the rs directly.
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.80.200 0.0.0.0 255.255.255.255 UH 0 0 0 lo
[root@rs2 ~]# route add default gw 192.168.80.101
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.80.200 0.0.0.0 255.255.255.255 UH 0 0 0 lo
# request the lvs vip again
# success
[root@client ~]# curl 192.168.80.200
rs1:192.168.80.102
[root@client ~]# curl 192.168.80.200
rs2:192.168.80.103
[root@client ~]# curl 192.168.80.200
rs1:192.168.80.102
[root@client ~]# curl 192.168.80.200
rs2:192.168.80.103
Note:
The lvs must have a gateway, and it can be any address on the same subnet, even one that does not exist.
Reason:
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
...
rs2:192.168.80.103
curl: (7) Failed connect to 192.168.80.200:80; Connection timed out
# without a gateway the client cannot curl the vip, and the loop stalls
[root@lvs ~]# route add default gw 192.168.80.222
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.222 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@client ~]# while true; do curl 192.168.80.200; sleep 1;done;
rs2:192.168.80.103
rs1:192.168.80.102
# with a gateway the client's curl works and the loop continues
# Reason: the lvs appears to receive only the client's connection-setup packets, but without a default gateway, when it receives a packet from the 10 subnet it consults its routing table, finds only the local 80 subnet route, knows nothing about the 10 subnet, has no matching route and no default route, decides it cannot handle the packet and simply drops it, so the client's curl fails;
# so always give the lvs a default gateway on the same subnet, even if it is a non-existent address
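To make the reasoning above concrete, here is an added example (not the notes' own code): a longest-prefix-match route lookup over `route -n`-style tables, run against tables constructed from the output quoted in these notes. It also covers the rs case from step 5, where two default routes with different metrics and the /32 host route for the vip coexist.

```shell
#!/bin/bash
# Added example, not part of the original notes: a longest-prefix-match
# lookup over "route -n"-style tables. An lvs whose only route is its own
# 80 network has no entry for a packet from 192.168.10.100 and drops it;
# any default route, even one pointing at the non-existent 192.168.80.222,
# makes the packet routable again.

# dotted quad -> 32-bit integer
ip2int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix length of an integer netmask (number of set bits)
mask_len() {
    m=$1 n=0
    while [ "$m" -ne 0 ]; do n=$(( n + (m & 1) )); m=$(( m >> 1 )); done
    echo "$n"
}

# route_lookup TABLE DST: TABLE is route -n output (header lines are skipped).
# Longest prefix wins; the lower metric breaks ties.
# Prints "direct IFACE", "via GW IFACE" or "unreachable".
route_lookup() {
    dst_i=$(ip2int "$2")
    best_len=-1 best_metric=999999 best=""
    while read -r dest gw mask flags metric ref use iface; do
        case "$dest" in ""|Kernel|Destination) continue ;; esac
        mask_i=$(ip2int "$mask")
        dest_i=$(ip2int "$dest")
        [ $(( dst_i & mask_i )) -eq $(( dest_i & mask_i )) ] || continue
        len=$(mask_len "$mask_i")
        if [ "$len" -gt "$best_len" ] ||
           { [ "$len" -eq "$best_len" ] && [ "$metric" -lt "$best_metric" ]; }; then
            best_len=$len best_metric=$metric
            case "$flags" in
                *G*) best="via $gw $iface" ;;
                *)   best="direct $iface" ;;
            esac
        fi
    done <<EOF
$1
EOF
    echo "${best:-unreachable}"
}

# Constructed tables, copied from the notes' route -n output.
LVS_NO_GW='192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0'
LVS_WITH_GW='0.0.0.0 192.168.80.222 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0'
RS_TABLE='0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.80.200 0.0.0.0 255.255.255.255 UH 0 0 0 lo'

for dst in 192.168.10.100 192.168.80.200 192.168.80.104; do
    printf '%-16s lvs/no-gw: %-24s lvs/gw: %-24s rs: %s\n' "$dst" \
        "$(route_lookup "$LVS_NO_GW" "$dst")" \
        "$(route_lookup "$LVS_WITH_GW" "$dst")" \
        "$(route_lookup "$RS_TABLE" "$dst")"
done
```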
Brief summary
- Build the network topology, the basic routes and the IP plan; in practice the network layout is usually done by network engineers
- on the lvs:
- configure the vip and the dip
- the vip usually goes on the lo interface or an lo alias with a /32 mask; on lo it must be /32
- the vip can also go on the physical interface, with a /32 mask or the same mask as the dip
- no ARP parameter settings are needed
- no need to enable ip_forward
- the lvs also needs suitable routes
- on the rs:
- the vip goes on the lo interface or an lo alias
- the vip uses a /32 mask
- set /proc/sys/net/ipv4/conf/{all,lo}/arp_ignore to 1 (set back to 0 to revert)
- set /proc/sys/net/ipv4/conf/{all,lo}/arp_announce to 2 (set back to 0 to revert)
- point the default gateway at its own router, not at the lvs
- configure the rules on the lvs
- client access
vip, dip and rip on different subnets
1. Prepare the network topology shown below and configure the basic routes and IP information
client
[root@client ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.10.101 0.0.0.0 UG 0 0 0 eth1
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
# only the directly connected 10 subnet route remains; the default route points at 10.101
router
[root@router ~]# route del default gw 192.168.80.2
[root@router ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
[root@router ~]# echo 1 > /proc/sys/net/ipv4/ip_forward
# only the two directly connected routes remain
# enable ip_forward
lvs
[root@lvs ~]# route del default gw 192.168.80.2
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
# currently only the dip and one directly connected route
rs1, rs2:
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 102 0 0 eth2
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth2
[root@rs1 ~]# ifconfig eth1 donw
^C
[root@rs1 ~]# ifconfig eth1 down
[root@rs1 ~]# ifconfig eth1 down
[root@rs1 ~]# ifconfig eth2 down
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]# route del default gw 192.168.80.2
[root@rs1 ~]# route add default gw 192.168.80.101
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]#
# delete the old default route and add one pointing at 80.101
# disable the other, unrelated NICs
# only the 80 subnet direct route and the default route via 80.101 remain
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs2 ~]# ifconfig eth1 down
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs2 ~]# route del default gw 192.168.80.2
[root@rs2 ~]# route del default gw 192.168.80.101
SIOCDELRT: No such process
[root@rs2 ~]# route add default gw 192.168.80.101
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# same as rs1
2. Configure the vip on the lvs
[root@lvs ~]# ip addr add 10.0.0.100/8 dev eth0
[root@lvs ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:55:b3:ea brd ff:ff:ff:ff:ff:ff
inet 192.168.80.104/24 brd 192.168.80.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 10.0.0.100/8 scope global eth0
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
# add the vip 10.0.0.100/8 on the lvs's eth0, on a different subnet from the dip;
# after configuring it, one more directly connected route appears
3. Configure the vip and the ARP kernel parameters on the rs
# modify the rs script: change the vip and the mask to match the lvs's vip
[root@rs1 ~]# cat lvs-dr-rs
#!/bin/bash
#
vip=10.0.0.100
mask='255.0.0.0'
case $1 in
start)
# answer ARP only for addresses configured on the interface the request arrived on
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
# announce only addresses that belong to the outgoing interface
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
# bind the vip to the lo:0 alias with the configured mask and add the host route
ifconfig lo:0 $vip netmask $mask broadcast $vip up
route add -host $vip dev lo:0
;;
stop)
# take the vip down and restore the default ARP behaviour
ifconfig lo:0 down
echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
;;
*)
echo "Usage $(basename $0) start|stop"
exit 1
;;
esac
# run the script on each rs
# the vip is now on the loopback interface and the ARP parameters have been changed
[root@rs2 ~]# sh lvs-dr-rs start
[root@rs2 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.0.0.100/8 brd 10.0.0.100 scope global lo:0
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
[root@rs1 ~]# sh lvs-dr-rs start
[root@rs1 ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet 10.0.0.100/8 brd 10.0.0.100 scope global lo:0
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
# effect of the script on the routes:
# a host route has been added,
# and the default route points at 80.2 again; it has to be changed back later or the client will not get through
# see the failing curl to the vip below
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.0.0.100 0.0.0.0 255.255.255.255 UH 0 0 0 lo
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
4. Configure the ipvs rules on the lvs
[root@lvs ~]# ipvsadm -C
[root@lvs ~]# ipvsadm -A -t 10.0.0.100:80
[root@lvs ~]# ipvsadm -a -t 10.0.0.100:80 -r 192.168.80.102:80
[root@lvs ~]# ipvsadm -a -t 10.0.0.100:80 -r 192.168.80.103:8088
[root@lvs ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
-> RemoteAddress:Port Forward Weight ActiveConn InActConn
TCP 10.0.0.100:80 wlc
-> 192.168.80.102:80 Route 1 0 0
-> 192.168.80.103:80 Route 1 0 0
# DR does not support port mapping; the deliberately wrong 8088 has no effect
5. Client access test
Fixing the unreachable vip:
[root@client ~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
From 192.168.10.101 icmp_seq=1 Destination Net Unreachable
From 192.168.10.101 icmp_seq=2 Destination Net Unreachable
^C
--- 10.0.0.100 ping statistics ---
2 packets transmitted, 0 received, +2 errors, 100% packet loss, time 1000ms
# the client cannot ping the vip
Troubleshooting:
1. The router has no route for 10.0.0.0/8, so it does not know where to forward.
So add the address 10.0.0.101/8 to the router, which adds a directly connected route:
[root@router ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
[root@router ~]# ip addr add 10.0.0.101/8 dev eth0
[root@router ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
192.168.10.0 0.0.0.0 255.255.255.0 U 101 0 0 eth1
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
# still not reachable
2. Look at the lvs routes: there is no return route to 192.168.10.0, packets go out but cannot come back, so it fails.
Add a default route that hands everything to the router:
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
[root@lvs ~]# route add default gw 192.168.80.101
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 102 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
3. Now it works
~]# ping 10.0.0.100
PING 10.0.0.100 (10.0.0.100) 56(84) bytes of data.
64 bytes from 10.0.0.100: icmp_seq=1 ttl=63 time=0.892 ms
64 bytes from 10.0.0.100: icmp_seq=2 ttl=63 time=2.07 ms
The vip is reachable; fixing the failing lvs scheduling
[root@client ~]# curl 10.0.0.100
^C
[root@client ~]#
# ping to the vip works now, but the service on port 80 does not
# the problem is in the communication between the client and the rs
# Checking the two rs: their default route points at 80.2 again. The client can talk to the lvs's vip, but apart from the connection-request packet all later data goes directly between the client and the rs, and the rs have no return route to 192.168.10.0, so the problem is that the client and the rs cannot communicate
# change the default route on the rs to point at 80.101
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.0.0.100 0.0.0.0 255.255.255.255 UH 0 0 0 lo
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs1 ~]# route add default gw 192.168.80.101
[root@rs1 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.0.0.100 0.0.0.0 255.255.255.255 UH 0 0 0 lo
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
# test again: it works
[root@client ~]# curl 10.0.0.100
rs2:192.168.80.103
[root@client ~]# curl 10.0.0.100
rs1:192.168.80.102
[root@client ~]# curl 10.0.0.100
rs2:192.168.80.103
[root@client ~]# curl 10.0.0.100
rs1:192.168.80.102
6. Change the lvs gateway to the router's 10.0.0.101
[root@lvs ~]# route add default gw 10.0.0.101
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 102 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
[root@lvs ~]# route del default gw 192.168.80.101
[root@lvs ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.101 0.0.0.0 UG 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 0 0 0 eth0
10.0.0.0 0.0.0.0 255.0.0.0 U 102 0 0 eth0
192.168.80.0 0.0.0.0 255.255.255.0 U 102 0 0 eth0
It still works: when the lvs looks up the gateway 10.0.0.101, it can reach it through the 10.0.0.0/8 route.
7. Change the rs gateway to the router's 10.0.0.101
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.0.0.100 0.0.0.0 255.255.255.255 UH 0 0 0 lo
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
[root@rs2 ~]# route add default gw 10.0.0.101
[root@rs2 ~]# route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 10.0.0.101 0.0.0.0 UG 0 0 0 lo
0.0.0.0 192.168.80.101 0.0.0.0 UG 0 0 0 eth0
0.0.0.0 192.168.80.2 0.0.0.0 UG 100 0 0 eth0
10.0.0.100 0.0.0.0 255.255.255.255 UH 0 0 0 lo
192.168.80.0 0.0.0.0 255.255.255.0 U 100 0 0 eth0
Now it no longer works, because when the rs looks up the gateway 10.0.0.101 there is no route that can reach it.
Note
In the DR model, pay attention to routing reachability between the client and the lvs and between the client and every rs: during connection setup and teardown the client's packets go to the lvs; during all other data exchange they go directly to the rs. Always check reachability between client and lvs and between client and rs!!!
Reference scripts for the vs and the rs
VS configuration script:
#!/bin/bash
#
vip='10.1.0.5'
iface='eno16777736:0'
mask='255.255.255.255'
port='80'
rs1='10.1.0.7'
rs2='10.1.0.8'
scheduler='wrr'
type='-g'
case $1 in
start)
# bring the vip up on an alias of the physical interface
ifconfig $iface $vip netmask $mask broadcast $vip up
# flushes every iptables rule so nothing blocks the vip; narrow this on a real director
iptables -F
# one service on vip:port, two real servers in DR (-g) mode with equal weight
ipvsadm -A -t ${vip}:${port} -s $scheduler
ipvsadm -a -t ${vip}:${port} -r ${rs1} $type -w 1
ipvsadm -a -t ${vip}:${port} -r ${rs2} $type -w 1
;;
stop)
# clear all ipvs rules and take the vip down
ipvsadm -C
ifconfig $iface down
;;
*)
echo "Usage $(basename $0) start|stop"
exit 1
;;
esac
RS configuration script: change the vip as needed; start enables it, stop clears the configuration.
This script makes it easy to bring an rs online or offline.
[root@rs2 ~]# cat lvs
#!/bin/bash
#
vip=192.168.80.200
mask='255.255.255.255'
case $1 in
start)
# answer ARP only for addresses configured on the interface the request arrived on
echo 1 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 1 > /proc/sys/net/ipv4/conf/lo/arp_ignore
# announce only addresses that belong to the outgoing interface
echo 2 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 2 > /proc/sys/net/ipv4/conf/lo/arp_announce
# bind the vip to the lo:0 alias with a /32 mask and add the host route
ifconfig lo:0 $vip netmask $mask broadcast $vip up
route add -host $vip dev lo:0
;;
stop)
# take the vip down and restore the default ARP behaviour
ifconfig lo:0 down
echo 0 > /proc/sys/net/ipv4/conf/all/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_ignore
echo 0 > /proc/sys/net/ipv4/conf/all/arp_announce
echo 0 > /proc/sys/net/ipv4/conf/lo/arp_announce
;;
*)
echo "Usage $(basename $0) start|stop"
exit 1
;;
esac
ARP packet capture analysis
One conclusion: the lvs's vip answers, and the other rs seem to answer as well, but the MAC in every reply is that of an interface on the lvs; found by packet capture.
# after the lvs configured the /32 vip 192.168.80.200 on eth0,
# the router starts pinging the vip
[root@router ~]# ping 192.168.80.200
PING 192.168.80.200 (192.168.80.200) 56(84) bytes of data.
64 bytes from 192.168.80.200: icmp_seq=1 ttl=64 time=1.14 ms
64 bytes from 192.168.80.200: icmp_seq=2 ttl=64 time=0.841 ms
64 bytes from 192.168.80.200: icmp_seq=3 ttl=64 time=0.934 ms
# capture ARP on the lvs's eth0
# the lvs replied; the MAC in the reply is b3:ea, which is eth0's MAC
[root@lvs ~]# tcpdump -i eth0 -nn arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
...
11:25:07.684940 ARP, Request who-has 192.168.80.200 tell 192.168.80.101, length 46
11:25:07.684955 ARP, Reply 192.168.80.200 is-at 00:0c:29:55:b3:ea, length 28
# ARP cache on the router: 200 maps to the MAC of the lvs's eth0
[root@router ~]# arp -n
Address HWtype HWaddress Flags Mask Iface
192.168.80.200 ether 00:0c:29:55:b3:ea C eth0
# the rs also carry the vip, with the ARP kernel parameters set
# capturing on the rs shows that they do not answer,
# only the lvs's vip answers,
# and the router's ping still works
# after removing the lvs's vip, the router's ping stops: now only the rs hold the vip, and because of the ARP kernel parameters they do not answer the router's ARP broadcast
Observation: the rs reply to the router with the MAC that holds the lvs's vip? Why? (What the rs capture is the lvs's own reply frame: tcpdump puts eth0 into promiscuous mode, so the rs sees the unicast reply addressed to the router without sending anything itself; the capture at the end of this section, taken with the lvs vip removed, shows only requests and no replies.)
[root@rs1 ~]# tcpdump -i eth0 -nn arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
12:55:22.885770 ARP, Request who-has 192.168.80.200 tell 192.168.80.101, length 46
12:55:22.885893 ARP, Reply 192.168.80.200 is-at 00:0c:29:55:b3:ea, length 46
[root@rs2 ~]# tcpdump -i eth0 -nn arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
12:54:33.665591 ARP, Request who-has 192.168.80.200 tell 192.168.80.101, length 46
12:54:33.665604 ARP, Reply 192.168.80.200 is-at 00:0c:29:55:b3:ea, length 46
On both rs1 and rs2 the MAC in the reply, b3:ea, is that of the lvs's eth0, where the vip is configured.
[root@lvs ~]# ip a
...
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:55:b3:ea brd ff:ff:ff:ff:ff:ff
inet 192.168.80.104/24 brd 192.168.80.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet 192.168.80.200/32 scope global eth0
Observation: after deleting the vip from the lvs's eth0, the router can no longer ping the vip; although both rs have the vip on their lo interface, arp_ignore stops them from answering ARP requests for the vip.
[root@lvs ~]# ip addr del 192.168.80.200/32 dev eth0
[root@lvs ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:0c:29:55:b3:ea brd ff:ff:ff:ff:ff:ff
inet 192.168.80.104/24 brd 192.168.80.255 scope global noprefixroute eth0
valid_lft forever preferred_lft forever
inet6 fe80::6247:1fa9:b7d7:84b9/64 scope link tentative dadfailed
valid_lft forever preferred_lft forever
[root@router ~]# ping 192.168.80.200
PING 192.168.80.200 (192.168.80.200) 56(84) bytes of data.
^C
--- 192.168.80.200 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 3999ms
# the rs receive the requests for vip 200 but do not answer, because of the arp_ignore kernel parameter
[root@rs1 ~]# tcpdump -i eth0 -nn arp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), capture size 262144 bytes
13:01:47.706964 ARP, Request who-has 192.168.80.200 tell 192.168.80.101, length 46
13:01:48.708097 ARP, Request who-has 192.168.80.200 tell 192.168.80.101, length 46
13:01:49.710453 ARP, Request who-has 192.168.80.200 tell 192.168.80.101, length 46
Experiment results:
1. With 80.200/32 set on the lo interface the vip still works, and the ARP reply uses eth0's MAC.
2. With a /24 vip (the prefix length just has to match the dip's subnet), the physical interface works but lo does not and breaks the network. Normally set the vip on lo as /32; with /32, both the physical interface and lo work.
3. The vip on the rs is usually set on lo with a /32 mask.
[root@lvs ~]# ip add add 192.168.80.200/24 dev lo
does not work
[root@lvs ~]# ip add add 192.168.80.200/24 dev eth0
works
[root@lvs ~]# ip add add 192.168.80.200/32 dev eth0
works
[root@lvs ~]# ip add add 192.168.80.200/32 dev lo
works
Role of the vip on the rs in DR and TUN
DR
Receiving:
When forwarding, the lvs rewrites only the layer-2 MAC; at the IP layer the packet is still cip -> vip. The rs receives the frame because of the rewritten MAC, unwraps it to layer 3, sees that the destination is the vip, and since its own lo interface holds the vip, accepts the packet and processes it.
Sending:
For the reply, the IP header is vip -> cip, so here the vip also serves as the source IP.
TUN
Receiving:
When forwarding, the lvs modifies the original IP packet: in front of the original cip -> vip header it adds another header dip -> some rip. In TUN mode the lvs does not even need ip_forward. The rs receives the packet via the outer header dip -> rip, and since this is ordinary IP addressing it naturally works across subnets and even across the WAN. The rs first accepts the packet because of its rip; when it unwraps the tunnel it finds the original header cip -> vip, and the destination is again itself because its interface holds the vip, so here too the vip is used to accept the packet.
Sending:
For the reply, the IP header is vip -> cip, and the vip serves as the source IP.
Summary
In both DR and TUN the vip configured on the rs is used to accept packets. In TUN this happens in two stages: the first packet is accepted by the rip on the rs, and only the second, inner header is accepted by the vip on its own interface. In both modes the vip also serves as the source IP when sending the reply.
TUN crosses subnets, even the WAN, so presumably the ARP problem does not need to be considered?