arp_announce和arp_ignore 详细解说

版本V1.0

时间2012-06-16

版权GPL

作者itnihao

说明,本文档来自网络整理和个人理解综合整理

原文地址http://itnihao.blog.51cto.com/1741976/75247

lvs在DR模式下需要关闭arp,设置参数的意思可以参考下文

arp_announce和arp_ignore

用来屏蔽arp请求,比较难理解,先看看linux核心2.6的定义:

==============================arp_announce=============================

arp_announce - INTEGER Define different restriction levels for announcing the local source IP address from IP packets in ARP requests sent on interface:

0 - (default) Use any local address, configured on any interface

1 - Try to avoid local addresses that are not in the target‘s subnet for this interface. This mode is useful when target hosts reachable via this interface require the source IP address in ARP requests to be part of their logical network configured on the receiving interface. When we generate the request we will check all our subnets  that include the target IP and will preserve the source address if it is from such subnet. If there is no such subnet we select source address according to the rules for level

2 - Always use the best local address for this target. In this mode we ignore the source address in the IP packet and try to select local address that we prefer for talks with the target host. Such local address is selected by looking for primary IP addresses on all our subnets on the outgoing interface that include the target IP address. If no suitable local address is found we select the first local address we have on the outgoing interface or on all other interfaces, with the hope we will receive reply for our request and even sometimes no matter the source IP address we announce. The max value from conf/{all,interface}/arp_announce is used. Increasing the restriction level gives more chance for receiving answer from the resolved target while decreasing the level announces more valid sender‘s information.

#对网络接口上,本地IP地址的发出的,ARP回应,作出相应级别的限制: 确定不同程度的限制,宣布对来自本地源IP地址发出Arp请求的接口

0 - (默认) 在任意网络接口(eth0,eth1,lo)上的任何本地地址

1 -尽量避免不在该网络接口子网段的本地地址做出arp回应. 当发起ARP请求的源IP地址是被设置应该经由路由达到此网络接口的时候很有用.此时会检查来访IP是否为所有接口上的子网段内ip之一.如果改来访IP不属于各个网络接口上的子网段内,那么将采用级别2的方式来进行处理.

2 - 对查询目标使用最适当的本地地址.在此模式下将忽略这个IP数据包的源地址并尝试选择与能与该地址通信的本地地址.首要是选择所有的网络接口的子网中外出访问子网中包含该目标IP地址的本地地址. 如果没有合适的地址被发现,将选择当前的发送网络接口或其他的有可能接受到该ARP回应的网络接口来进行发送.

===========================arp_ignore============================

arp_ignore - INTEGER Define different modes for sending replies in response to received ARP requests that resolve local target IP addresses:

0 - (default): reply for any local target IP address, configured on any interface

1 - reply only if the target IP address is local address configured on the incoming interface

2 - reply only if the target IP address is local address configured on the incoming interface and both with the sender‘s IP address arepart from same subnet on this interface

3 - do not reply for local addresses configured with scope host,only resolutions for global and link addresses are replied

4-7 - reserved

8 - do not reply for all local addresses

The max value from conf/{all,interface}/arp_ignore is used when ARP request is received on the {interface}

定义对目标地址为本地IP的ARP询问不同的应答模式0

0 - (默认值): 回应任何网络接口上对任何本地IP地址的arp查询请求

1 - 只回答目标IP地址是来访网络接口本地地址的ARP查询请求

2 -只回答目标IP地址是来访网络接口本地地址的ARP查询请求,且来访IP必须在该网络接口的子网段内

3 - 不回应该网络界面的arp请求,而只对设置的唯一和连接地址做出回应

4-7 - 保留未使用

8 -不回应所有(本地地址)的arp查询

arp_ignore 设置为1,这个比较好理解,当别人的arp请求过来的时候,如果接收的设备上面没有这个ip,就不响应,默认是0,只要这台机器上面任何一个设备上面有这个ip,就响应arp请求,并发送mac地址应答。

arp_announce 这个就比较难解释了,先看一段英文的:

Assume that a linux box X has three interfaces - eth0, eth1 and eth2. Each interface has an IP address IP0, IP1 and IP2. When a local application tries to send an IP packet with IP0 through the eth2.  Unfortunately, the target node’s mac address is not resolved. Thelinux box X will send the ARP request to know the mac address of the target(or the gateway). In this case what is the IP source address of the “ARP request message”? The IP0- the IP source address of the transmitting IP or IP2 - the outgoing interface?  Until now(actually just 3 hours before) ARP request uses the IP address assigned to the outgoing interface(IP2 in the above example) However the linux’s behavior is a little bit different. Actually the selection of source address in ARP request is totally configurable bythe proc variable “arp_announce”

If we want to use the IP2 not the IP0 in the ARP request, we should change the value to 1 or 2. The default value is 0 - allow IP0 is used for ARP request.

其实就是路由器的问题,因为路由器一般是动态学习ARP包的(一般动态配置DHCP的话),当内网的机器要发送一个到外部的ip包,那么它就会请求 路由器的Mac地址,发送一个arp请求,这个arp请求里面包括了自己的ip地址和Mac地址,而linux默认是使用ip的源ip地址作为arp里面 的源ip地址,而不是使用发送设备上面的 ,这样在lvs这样的架构下,所有发送包都是同一个VIP地址,那么arp请求就会包括VIP地址和设备 Mac,而路由器收到这个arp请求就会更新自己的arp缓存,这样就会造成ip欺骗了,VIP被抢夺,所以就会有问题。

arp缓存为什么会更新了,什么时候会更新呢,为了减少arp请求的次数,当主机接收到询问自己的arp请求的时候,就会把源ip和源Mac放入自 己的arp表里面,方便接下来的通讯。如果收到不是询问自己的包(arp是广播的,所有人都收到),就会丢掉,这样不会造成arp表里面无用数据太多导致 有用的记录被删除。

What happens when a host receives an ARP request packet?  The ARP request is received and processed by all the hosts in the network,since it is a broadcast packet. The following steps are carried out when a ARP request packet is received by a host:  If the IP address to be resolved is for this host, then the ARP module sends an ARP reply packet with its Ethernet MAC address.  If the IP address to be resolved is for this host, then the ARP module updates its ARP cache with the source Ethernet MAC address to source IP address mapping present in the ARP request packet. If the entry is already present in the cache, it is overwritten. If it is not present, it is added.  If the IP address to be resolved is not for this host, then the ARP module discards the ARP request packet.  Will a host update its ARP cache upon receiving any ARP request?  A host will update its ARP cache, only if the ARP request is for its IP address. Otherwise, it will discard the ARP request.  What is the disadvantage if a host updates its ARP cache upon receiving any ARP request?  The host will exhaust the ARP cache with a lot of unused ARP entries, if it updates the ARP cache for any ARP request.

如果路由器使用静态ARP表,客户端也使用静态网关ARP的话,基本就不用管这两个值了。  也看了一下vpn,用了pppoe协议,也是不需要处理arp请求的。

查看某个设备上面绑定了多少个ip:>ip addr show dev eth0

绑定多个ip(临时,看操作系统不同加在不同的地方):>ip addr add x.x.x.x/32 dev eth0

临时修改arp_announce和arp_ignore:

echo 1 > /proc/sys/net/ipv4/conf/eth0/arp_ignore

echo 2 > /proc/sys/net/ipv4/conf/eth0/arp_announce

永久修改:

if  /etc/sysctl.conf is used in the system, we have this config in /etc/sysctl.conf

net.ipv4.conf.eth0.arp_ignore = 1

net.ipv4.conf.eth0.arp_announce = 2

在lvs环境中,需要设定以下的参数

echo"1">/proc/sys/net/ipv4/conf/all/arp_ignore

echo"1">/proc/sys/net/ipv4/conf/lo/arp_ignore

echo"2">/proc/sys/net/ipv4/conf/lo/arp_announce

echo"2">/proc/sys/net/ipv4/conf/all/arp_announce

参考文档

http://blog.sina.com.cn/s/blog_6caddb500100qp5v.html

http://hi.baidu.com/li32768/blog/item/83bb13cb803be198c81768d3.html

时间: 2024-10-13 16:29:19

arp_announce和arp_ignore 详细解说的相关文章

LVS-DR负载均衡模式的arp_announce和arp_ignore详解

lvs在DR模式下需要关闭arp,设置参数的意思可以参考下文 arp_announce和arp_ignore 用来屏蔽arp请求,比较难理解,先看看linux核心2.6的定义: ==============================arp_announce============================= arp_announce -INTEGER Define different restriction levels for announcing the local source

arp_announce和arp_ignore 明白解说

LVS realserver lo端口配置中涉及到调整两个网络参数 arp_announce=2 和 arp_ignore=1,忽略官方文档复杂晦涩的表述,其实我们可以这样理解: arp_ignore=2 表示对于网络上发来的arp广播包,realserver的lo端口将会丢弃,因为如果做出应答,根据arp协议,相当于通告网络上其它主机VIP对应的Mac地址是realserver的Mac地址,而不是lvs的Mac地址,这样客户端上就会绕过lvs,直接与后端的realserver通信,负载调度就失

ARP报文与arp_ignore arp_announce

背景: (1)根据缺省的TCP/IP协议栈处理,响应报文的源地址等于请求报文的目的IP. (2)关于ARP表: IP.MAC.网络接口的映射表:列表中的IP都属于本设备所在的网段,发送/转发非本地网段时候是通过网关,所以只需要使用网关对应的MAC即可. (3)ARP条目更新的条件(满足任意一个即可): 1.收到ARP request:目的MAC是广播,且Target IP是本机上的IP:(这里说Target IP是为了与目的IP区分) 2.收到ARP reply:目的MAC是广播或本机MAC,且

LVS 之 DR model arp_announce arp_ignore转

DR模型之 可伸缩Cache服务 DR核心:响应过程不经过Director DR模型 要点:  A.以下3种办法 都能达到:   仅让Director 会响应  Router的 关于VIP 的动态ARP 广播请求,禁止RS上的VIP直接跟前端路由通信 1.修改路由,使用静态ARP: 2.在RS上使用arptables,禁止响应对VIP的ARP广播请求: 3.在RS上修改其内核参数,并向VIP配置在与RIP不同的接口的别名上:        B. Diretor 转交报文 给 Real Serve

Linux 内核参数 arp_ignore & arp_announce 详解

arp_ignore定义了对目标地址为本机IP的ARP询问的不同应答模式. arp_announce对网络接口(网卡)上发出的ARP请求包中的源IP地址作出相应的限制:主机会根据这个参数值的不同选择使用IP数据包的源IP或当前网络接口卡的IP地址作为ARP请求包的源IP地址. arp_ignore 在内核参数中除了每个网卡都有自己的arp_ignore配置外,还有两个(一个是默认default,一个是全局all)需要用到arp_ignore配置.所有配置项如下面的代码段: net.ipv4.co

lvs负载均衡群集搭建(DR)

lvs负载均衡群集搭建(DR) 1:之前有讲过使用NAT技术的lvs的群集搭建接下来使用DR的直接路由模式来搭建负载均衡群集 2:在DR模式中.lvs负载调度器作为群集的访问入口,但不作为网关使用,服务器池中的所有节点来自internet.发送给客户端的web相应数据包不需要经过负载调度器:这种方式入站.出站访问数据分别被处理,因此lvs负载调度器和所有节点服务器都需要配置VIP地址,以便响应整个群集的访问. VIP地址192.168.1.254 负载均衡服务器           web1服务

集群基础之LVS的基础概念

一.集群简介 什么是集群 计算机集群简称集群是一种计算机系统,它通过一组松散集成的计算机软件和/或硬件连接起来高度紧密地协作完成计算工作.在某种意义上,他们可以被看作是一台计算机.集群系统中的单个计算机通常称为节点,通常通过局域网连接,但也有其它的可能连接方式.集群计算机通常用来改进单个计算机的计算速度和/或可靠性.一般情况下集群计算机比单个计算机,比如工作站或超级计算机性能价格比要高得多. 集群就是一组独立的计算机,通过网络连接组合成一个组合来共同完一个任务 LVS在企业架构中的位置: 以上的

lvs持久性工作原理和配置

作者: ISADBA|FH.CN 日期: 06/01/2012 转载请注明: 作者:ISADBA.COM|FH.CN BLOG:http://isadba.com 原文:http://isadba.com/?p=67 LVS持久连接技术 lvs的持久性连接有两方面: 把同一个client的请求信息记录到lvs的hash表里,保存时间使用persistence_timeout控制,单位为秒.persistence_granularity 参数是配合persistence_timeout的,在某些情

LVS Load Balancing Linux Virtual Server

简介:Linux虚拟服务器(Linux Virtual Server. LVS),是一个由章文松开发的自由软件.利用KVS可以实现高可用的.可伸缩缩的Web, Mail, Cache和Medial等网络股务..井在此基 础上开发支持庞大用户数的,可伸缩的,高可用的电子商务应用.LVS1998年发展到现在,已经变得比较成熟,目前广泛应用在各种网络服务和电了商务应用 中.LVS具有很好的伸缩缩性.可靠性和管埋性,通过LVS要实现的最终目标是:利用linux 操作系统和LVS集群软件实现一个高可用.高