[LARTC] failover with conntrackd

[LARTC] failover with conntrackd

[Abhijit Menon-Sen]

Hi.

Is anyone using conntrack-tools to implement gateway failover on a
network with windows clients?

I set it up with ucarp and keepalived, and found that gratuitous ARP
doesn't always seem to update the cache on Windows machines. It works
the first time, but if a second failover happens, the client continues
to send stuff to the wrong MAC address. Linux machines work fine.

I've noticed similar reports from other people, but nothing that seemed
like a solution.

Has anyone experimented with doing MAC address takeover too? That seems
like it ought to work, but I haven't tried it out because neither ucarp
nor keepalived seem to implement it; and I wondered if I was missing
something. What do other people do?

-- ams
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc

Re: [LARTC] failover with conntrackd

[Grant Taylor]

On 10/10/07 05:35, Abhijit Menon-Sen wrote:
> Is anyone using conntrack-tools to implement gateway failover on a 
> network with windows clients?

No, not as of yet.  Sorry.

> I set it up with ucarp and keepalived, and found that gratuitous ARP 
> doesn't always seem to update the cache on Windows machines. It works 
> the first time, but if a second failover happens, the client 
> continues to send stuff to the wrong MAC address. Linux machines work 
> fine.

Um, why are you not using the same MAC address for the gateway and 
having the systems decide who is actively using the MAC at any given time?

> I've noticed similar reports from other people, but nothing that 
> seemed like a solution.

*nod*

> Has anyone experimented with doing MAC address takeover too?  That 
> seems	like it ought to work, but I haven't tried it out because 
> neither ucarp	nor keepalived seem to implement it; and I wondered if 
> I was missing	something. What do other people do?

Virtual Router Redundancy Protocol (VRRP) comes to mind.  There is a 
very simple VRRP daemon (vrrpd) for Linux / Unix that will achieve this. 
  To my knowledge it works by creating a new MAC address that is used 
for the VRRP router.  The VRRP router is a virtual router that is traded 
back and forth between two or more possible real routers.

Technically VRRP creates a new virtual MAC address 00:00:5E:00:01:XX 
that the IP is associated with.  The "XX" is the virtual redundant 
router ID, usually 1 unless you have multiple virtual redundant routers 
in your network.  The active virtual router will claim the 
00:00:5E:00:01:XX MAC address and send out GARPs to update switch / 
bridge tables for the new location of the same MAC address.  The two or 
more VRRP routers will heart beat each other (I think by multicast (?)) 
and if the active does not heartbeat with in a timeout the next router 
in the chain takes over, GARPs to updates switch / bridge tables and 
clients continue using the same MAC address.

I've set up VRRP on a couple of test systems just long enough to say 
"Yep, that works." but did not do any thing further.  I used vrrpd which 
was ridiculesly easy to set up.  Be aware that VRRP is only meant for 
routers and not for hosts that have things bound to the virtual 
interface / IP, you want some sort of load balancing / failover scenario 
in that case.



Grant. . . .
_______________________________________________
LARTC mailing list
LARTC@mailman.ds9a.nl
http://mailman.ds9a.nl/cgi-bin/mailman/listinfo/lartc