LVS load balancing cluster structures (b) - DR mode

(1) Introduction to DR mode and TUN mode

  Direct Routing (DR): the director distributes requests to the different real servers. After processing the request, the real server responds to the user directly, so the director only handles the client-to-server half of the connection. Because the load balancer only processes half of the connection, it no longer becomes the performance bottleneck, and the scalability of the system improves. Since Direct Routing works at the physical layer (it modifies the MAC address), all servers must be on the same network segment.

  IP Tunneling (TUN): the director distributes requests to the different real servers. After processing the request, the real server responds to the user directly, so the director only handles the client-to-server half of the connection. IP Tunneling greatly improves the processing capacity of the director, and also greatly increases the maximum number of nodes the system can accommodate, which can exceed 100. The real servers can run on any LAN or WAN, which allows geographic distribution; this matters for disaster recovery. The servers must have a formal public IP address in order to communicate directly with the client, and all servers must support the IP tunneling protocol.

  The biggest difference between the two is whether the IP addresses are on the same physical network segment. This is also why DR mode only requires the servers to be able to reach the Internet, whereas TUN mode requires each server to have a formal public IP.

(2) How DR mode works

  The figure is taken from another author's more detailed post. Original address: https://blog.csdn.net/gui951753/article/details/80316565#LVS_29

  In words:

    In DR mode the destination address and the source address remain unchanged throughout, because DR mode works at layer 2.

    Step 1: the client sends a request packet. Source address: CIP, destination address: VIP, source MAC: CMAC, destination MAC: VMAC.

    Step 2: the load balancer distributes the request to a real server (modifying only the MAC). Source address: CIP, destination address: VIP, source MAC: DMAC, destination MAC: RMAC.

    Step 3: the real server receives the packet, processes it and responds (the return path). Source address: RIP, destination address: CIP, source MAC: RMAC, destination MAC: CMAC.

  Notes: 1) forwarding packets by MAC address is the most efficient method, but it relies on the MAC address table of the switch;

     2) a layer-2 device has no routing function and cannot broadcast across routers, so for every MAC-address broadcast to be delivered, all hosts must be on the same physical segment;

     3) VLANs isolate broadcasts, so for every MAC-address broadcast to be handled, all hosts should be in the same VLAN.

  In summary: all devices must be on the same physical network segment, that is, all devices must be in the same broadcast domain.

(3) Experiment

youxi1 192.168.5.100 (DIP), 192.168.5.101 (VIP) load balancer

youxi2 192.168.5.102 real server 1

youxi3 192.168.5.103 real server 2

 1) Create the ens33:1 profile on the load balancer youxi1 and configure 192.168.5.101 on it as the VIP

[root@youxi1 ~]# cp /etc/sysconfig/network-scripts/ifcfg-ens33{,:1}
[root@youxi1 ~]# vim /etc/sysconfig/network-scripts/ifcfg-ens33:1  // modify the following parameters
NAME="ens33:1"
DEVICE="ens33:1"
IPADDR="192.168.5.101"
GATEWAY="192.168.5.2"  // points to the router IP
// If HWADDR is present, it must be the same in ens33 and ens33:1.
[root@youxi1 ~]# systemctl restart network  // restart
[root@youxi1 ~]# ip a sh  // check
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:0c:29:e6:d6:27 brd ff:ff:ff:ff:ff:ff
    inet 192.168.5.100/24 brd 192.168.5.255 scope global noprefixroute ens33
       valid_lft forever preferred_lft forever
    inet 192.168.5.101/24 brd 192.168.5.255 scope global secondary noprefixroute ens33:1
       valid_lft forever preferred_lft forever
    inet6 fe80::201:7257:85b:7dc8/64 scope link noprefixroute
       valid_lft forever preferred_lft forever

 2) Install ipvsadm on the load balancer youxi1 and enable it at boot

[root@youxi1 ~]# yum -y install ipvsadm
[root@youxi1 ~]# systemctl enable ipvsadm.service
Created symlink from /etc/systemd/system/multi-user.target.wants/ipvsadm.service to /usr/lib/systemd/system/ipvsadm.service.

  Do not start ipvsadm yet, because starting it requires the /etc/sysconfig/ipvsadm configuration file.

 3) Set the rules with the ipvsadm command on the load balancer youxi1

[root@youxi1 ~]# ipvsadm -A -t 192.168.5.101:80 -s rr  // -t sets the virtual server's IP address (VIP) and port; rr = round-robin scheduling
[root@youxi1 ~]# ipvsadm -a -t 192.168.5.101:80 -r 192.168.5.102:80 -g
[root@youxi1 ~]# ipvsadm -a -t 192.168.5.101:80 -r 192.168.5.103:80 -g
[root@youxi1 ~]# ipvsadm -Ln
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.5.101:80 rr
  -> 192.168.5.102:80             Route   1      0          0
  -> 192.168.5.103:80             Route   1      0          0
[root@youxi1 ~]# ipvsadm -S > /etc/sysconfig/ipvsadm
-A -t youxi1.cn:http -s rr
-a -t youxi1.cn:http -r youxi2.cn:http -g -w 1
-a -t youxi1.cn:http -r 192.168.5.103:http -g -w 1
[root@youxi1 ~]# systemctl start ipvsadm

  The -g option indicates DR mode; the -m option indicates TUN mode.

  Note: of the three LVS modes, only NAT mode needs IP forwarding enabled; DR and TUN do not.
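To confirm that the rules landed as DR entries, and to catch a real server added with the wrong forwarding method or a zero weight, the `ipvsadm -Ln` listing above can be parsed and audited. The following Python is an added example, not part of the post or of ipvsadm: `SAMPLE_IPVSADM_LN` is a constructed copy of the listing with one hypothetical extra entry (192.168.5.104, forwarded with Masq and weight 0) added to exercise the checks, and `parse_ipvsadm_ln` and `audit_dr` are names chosen here. In the Forward column ipvsadm prints Route for servers added with `-g` (gatewaying), Masq for `-m` (masquerading) and Tunnel for `-i` (ipip), as documented in ipvsadm(8).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample in the format of `ipvsadm -Ln` on the post's director.
# The 192.168.5.104 line is hypothetical: wrong forwarding method and weight 0.
SAMPLE_IPVSADM_LN = """\
IP Virtual Server version 1.2.1 (size=4096)
Prot LocalAddress:Port Scheduler Flags
  -> RemoteAddress:Port           Forward Weight ActiveConn InActConn
TCP  192.168.5.101:80 rr
  -> 192.168.5.102:80             Route   1      0          0
  -> 192.168.5.103:80             Route   1      0          0
  -> 192.168.5.104:80             Masq    0      0          0
"""


@dataclass
class RealServerEntry:
    addr: str
    forward: str
    weight: int
    active: int
    inactive: int


@dataclass
class VirtualService:
    proto: str
    addr: str
    scheduler: str
    servers: List[RealServerEntry] = field(default_factory=list)


# A service line starts with the protocol; a real-server line starts with "->".
_SVC = re.compile(r"^(TCP|UDP|SCTP)\s+(\S+)\s+(\S+)")
_RS = re.compile(r"^\s*->\s+(\S+)\s+(Route|Masq|Tunnel|Local)\s+(\d+)\s+(\d+)\s+(\d+)")


def parse_ipvsadm_ln(text: str) -> Dict[str, VirtualService]:
    """Map 'VIP:port' -> VirtualService with its real servers, from -Ln output."""
    services: Dict[str, VirtualService] = {}
    current = None
    for line in text.splitlines():
        m = _SVC.match(line)
        if m:
            current = VirtualService(*m.groups())
            services[current.addr] = current
            continue
        m = _RS.match(line)
        if m and current is not None:
            addr, fwd, w, a, i = m.groups()
            current.servers.append(RealServerEntry(addr, fwd, int(w), int(a), int(i)))
    return services


def audit_dr(services: Dict[str, VirtualService], expect_vip: str = None) -> List[str]:
    """Findings for a cluster that is supposed to run every real server in DR mode."""
    findings = []
    if expect_vip and expect_vip not in services:
        findings.append(f"no virtual service for {expect_vip}")
    for svc in services.values():
        if not any(rs.weight > 0 for rs in svc.servers):
            findings.append(f"{svc.addr}: no real server with weight > 0")
        for rs in svc.servers:
            if rs.forward != "Route":
                findings.append(f"{svc.addr} -> {rs.addr}: forward is {rs.forward}, expected Route (DR, -g)")
            if rs.weight == 0:
                findings.append(f"{svc.addr} -> {rs.addr}: weight 0, receives no new connections")
    return findings


if __name__ == "__main__":
    for finding in audit_dr(parse_ipvsadm_ln(SAMPLE_IPVSADM_LN), expect_vip="192.168.5.101:80"):
        print(finding)
```

Run on a live director the same functions can take `subprocess.check_output(["ipvsadm", "-Ln"], text=True)` as input; an empty finding list means every real server is a weighted Route entry under the expected VIP.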

  If the firewall is enabled, remember to add the port number:

[root@youxi1 ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp && firewall-cmd --reload
success
success

 4) Install httpd on the real servers youxi2 and youxi3 for testing

[root@youxi2 ~]# yum -y install httpd
[root@youxi2 ~]# systemctl start httpd
[root@youxi2 ~]# echo youxi2 > /var/www/html/index.html

[root@youxi3 ~]# yum -y install httpd
[root@youxi3 ~]# systemctl start httpd
[root@youxi3 ~]# echo youxi3 > /var/www/html/index.html

  If the firewall is enabled, remember to open the port:

[root@youxi2 ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp && firewall-cmd --reload
success
success

[root@youxi3 ~]# firewall-cmd --permanent --zone=public --add-port=80/tcp && firewall-cmd --reload
success
success

 5) Configure the loopback interface on the real servers youxi2 and youxi3

[root@youxi2 ~]# cp /etc/sysconfig/network-scripts/ifcfg-lo{,:1}
[root@youxi2 ~]# vim /etc/sysconfig/network-scripts/ifcfg-lo:1  // modify
DEVICE=lo:1
IPADDR=192.168.5.101  // points to the VIP
NETMASK=255.255.255.255
#NETWORK=127.0.0.0
# If you're having problems with gated making 127.0.0.0/8 a martian,
# you can change this to something else (255.255.255.255, for example)
#BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback

[root@youxi3 ~]# cp /etc/sysconfig/network-scripts/ifcfg-lo{,:1}
[root@youxi3 ~]# vim /etc/sysconfig/network-scripts/ifcfg-lo:1  // modify
DEVICE=lo:1
IPADDR=192.168.5.101  // points to the VIP
NETMASK=255.255.255.255
#NETWORK=127.0.0.0
# If you're having problems with gated making 127.0.0.0/8 a martian,
# you can change this to something else (255.255.255.255, for example)
#BROADCAST=127.255.255.255
ONBOOT=yes
NAME=loopback

  Why the VIP is configured on lo:1: 1. DR mode changes only the MAC address and not the IP address, so for the real server to accept the packet it must have an IP address equal to the VIP configured; 2. but the VIP cannot be configured on the outbound network card, otherwise the real server would respond to the client's ARP requests, corrupting the ARP tables of the client and gateway and causing the whole cluster to stop working.

  In addition, the VIP may be on a different network segment from the RIP and DIP; the lo loopback interface is still configured in the same way.

 6) Turn off ARP responses for the VIP on the real servers youxi2 and youxi3

[root@youxi2 ~]# vim /etc/sysctl.conf  // add or modify
net.ipv4.conf.ens33.arp_ignore = 1
net.ipv4.conf.ens33.arp_announce = 2
[root@youxi2 ~]# sysctl -p  // refresh
net.ipv4.conf.ens33.arp_ignore = 1
net.ipv4.conf.ens33.arp_announce = 2

[root@youxi3 ~]# vim /etc/sysctl.conf  // add or modify
net.ipv4.conf.ens33.arp_ignore = 1
net.ipv4.conf.ens33.arp_announce = 2
[root@youxi3 ~]# sysctl -p  // refresh
net.ipv4.conf.ens33.arp_ignore = 1
net.ipv4.conf.ens33.arp_announce = 2

// Alternatively, add or modify the following parameters:
net.ipv4.conf.ens33.arp_ignore = 1
net.ipv4.conf.ens33.arp_announce = 2
net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 2
net.ipv4.conf.lo.arp_ignore = 1
net.ipv4.conf.lo.arp_announce = 2

Parameter description:

  arp_ignore controls whether the system replies to an ARP request it receives. The commonly used values are 0, 1, 2 and 3; 8 is rarely used:

    0: reply to an ARP request for any local IP address received on any interface (including addresses on the loopback interface), regardless of whether the target address is configured on the receiving interface;
    1: reply only if the target IP address is a local address configured on the receiving interface;
    2: reply only if the target IP address is a local address configured on the receiving interface and the sender's IP address is in the same subnet as that interface;
    3: if the target IP address of the ARP request has host scope, do not reply; if it has global or link scope, reply;
    4-7: reserved for future use;
    8: do not reply to any ARP request.
  sysctl.conf contains arp_ignore for both all and eth/lo (specific interfaces); the larger of the two values takes effect.

  arp_announce controls how the system selects the source IP address of the ARP requests it sends. (For example, when the system is about to send a data packet through an interface, the packet's source and destination IP are usually known, the routing table has already determined the outgoing interface from the destination IP, and so the source MAC address is known; to send the packet the destination MAC address must be determined, and to obtain the MAC address of the destination IP an ARP request has to be sent. An ARP request essentially asks for the MAC address belonging to an IP; but what is the source IP of that ARP request? One's first reaction might be that it must be the source IP of the data packet, but this is not certain: the source IP of the ARP request is selectable, and arp_announce is what controls this selection.) The common values of arp_announce are 0, 1 and 2:
    0: allow any local IP address on the interface as the source IP of the ARP request; usually the source IP of the data packet is used.
    1: try to avoid using local addresses that are not in the target's subnet as the source IP of the ARP request.
    2: ignore the source IP address of the data packet and select the most appropriate local address on the sending interface as the source IP of the ARP request.
  sysctl.conf contains arp_announce for both all and eth/lo (specific interfaces); the larger of the two values takes effect.
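The "larger value takes effect" rule and the ARP behaviour described above can be checked offline against a host's sysctl output. The following Python is an added example, not from the original post: it parses sysctl-style lines, computes the effective per-interface value as the maximum of conf.all and conf.<iface>, and models arp_ignore values 0, 1, 2 and 8 and arp_announce values 0, 1 and 2 for the lab's real server youxi2 (RIP 192.168.5.102/24 on ens33, VIP 192.168.5.101/32 on lo:1). `SAMPLE_SYSCTL` is constructed, arp_ignore value 3 (address scope) is not modelled, and `parse_sysctl`, `effective`, `answers_arp`, `arp_source_ip` and `real_server_leaks_vip` are names chosen for the example.

```python
import ipaddress
import re
from typing import Dict, List

IPIface = ipaddress.IPv4Interface

# Constructed excerpt in the format of `sysctl -p` on a real server configured as
# in section 6: only the ens33 keys are set, conf.all stays at the kernel default 0.
SAMPLE_SYSCTL = """\
net.ipv4.conf.all.arp_ignore = 0
net.ipv4.conf.all.arp_announce = 0
net.ipv4.conf.ens33.arp_ignore = 1
net.ipv4.conf.ens33.arp_announce = 2
"""

VIP = "192.168.5.101"
ENS33 = [IPIface("192.168.5.102/24")]                  # youxi2's RIP on ens33
LO = [IPIface("127.0.0.1/8"), IPIface(f"{VIP}/32")]    # lo plus lo:1 from section 5


def parse_sysctl(text: str) -> Dict[str, int]:
    """Parse 'key = value' lines as printed by sysctl -p / sysctl -a."""
    out = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w.]+)\s*=\s*(-?\d+)", line)
        if m:
            out[m.group(1)] = int(m.group(2))
    return out


def effective(settings: Dict[str, int], iface: str, param: str) -> int:
    """The kernel applies max(conf.all.<param>, conf.<iface>.<param>)."""
    return max(settings.get(f"net.ipv4.conf.all.{param}", 0),
               settings.get(f"net.ipv4.conf.{iface}.{param}", 0))


def answers_arp(arp_ignore: int, target: str, sender: str,
                rx_iface: List[IPIface], all_local: List[IPIface]) -> bool:
    """Would the host reply to 'who-has <target>' received on rx_iface?"""
    if arp_ignore == 8:
        return False
    if arp_ignore == 0:
        return any(target == str(a.ip) for a in all_local)   # any local address, lo included
    on_rx = any(target == str(a.ip) for a in rx_iface)
    if arp_ignore == 1:
        return on_rx
    if arp_ignore == 2:
        return on_rx and any(ipaddress.ip_address(sender) in a.network for a in rx_iface)
    raise ValueError(f"arp_ignore={arp_ignore} is not modelled here")


def arp_source_ip(arp_announce: int, packet_src: str, target: str,
                  tx_iface: List[IPIface]) -> str:
    """Source IP the host puts into an ARP request it sends out of tx_iface."""
    if arp_announce == 0:
        return packet_src
    in_subnet = [a for a in tx_iface if ipaddress.ip_address(target) in a.network]
    # value 1 keeps the packet's source if it lies within the target's subnet
    if arp_announce == 1 and any(ipaddress.ip_address(packet_src) in a.network for a in in_subnet):
        return packet_src
    # value 2 (or value 1 with an unsuitable packet source): prefer an address of the
    # outgoing interface in the target's subnet, else any address on that interface
    return str((in_subnet or tx_iface)[0].ip)


def real_server_leaks_vip(settings: Dict[str, int], sender: str = "192.168.5.2") -> dict:
    """Two checks for a DR real server: does it answer ARP for the VIP on ens33, and
    which source IP does it use when resolving the gateway for a VIP-sourced reply?"""
    ign = effective(settings, "ens33", "arp_ignore")
    ann = effective(settings, "ens33", "arp_announce")
    return {
        "replies_to_vip_arp": answers_arp(ign, VIP, sender, ENS33, ENS33 + LO),
        "arp_request_src": arp_source_ip(ann, VIP, sender, ENS33),
    }


if __name__ == "__main__":
    print(real_server_leaks_vip({}))                           # kernel defaults: VIP leaks both ways
    print(real_server_leaks_vip(parse_sysctl(SAMPLE_SYSCTL)))  # section 6 settings
```

With the kernel defaults (both parameters 0) the check reports that youxi2 would answer a who-has for the VIP and would use the VIP as the source of its own ARP requests toward the gateway, which is exactly the ARP-table corruption section (5) warns about; with the section 6 settings both are prevented. The model also shows that arp_announce=1 is not sufficient in this lab, because the VIP lies inside the RIP's /24 and so passes the "same subnet as the target" test.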

    

 7) Test

  Refreshing the page repeatedly does not seem to switch between real servers (RS); on this point the round-robin behaviour differs from NAT mode.


Origin www.cnblogs.com/diantong/p/11196038.html