From: Tore Anderson <tore.anderson@redpill-linpro.com>
To: Thomas Jacob <jacob@internet24.de>
Cc: Eduardo Sachs <edu.sachs@gmail.com>, netfilter@vger.kernel.org
Subject: Re: Choices for virtual IP failover (was Re: Firewall in Load Balance - Active/Active)
Date: Mon, 25 May 2009 16:58:50 +0200 [thread overview]
Message-ID: <4A1AB22A.60807@redpill-linpro.com> (raw)
In-Reply-To: <1243260797.11783.29.camel@enterprise.ims-firmen.de>
Hi,
* Thomas Jacob
> Keepalived does not have IPv6 support (yet, VRRP for IPv6 is fairly
> recent) but otherwise provides all the features and also can watch
> the link states of network devices. The major drawback is that it also
> has a IPVS module which is printing harmless error messages when the
> underlying kernel doesn't support IPVS but I suppose you could prevent
> that if you'd compile keepalived yourself.
I knowthat keepalived has a command line option to only start the VRRP
parts of the code (-P). Perhaps that will silence the warnings?
The lack of IPv6 support is something I miss, too. I plan to deal with
it by adding/removing the HA IPv6 addresses from shell scripts ithat
runs when the state changes (the settings notify_{master,backup,fault}).
I didn't try it yet but I see no reason why it wouldn't work. You'll
need to piggy-back it on an IPv4 VIP though (just use dummy addresses
from 169.254.0.0/16 or RFC1918 space for single-stack IPv6 networks).
> Finally the problem with all these implementations is that they don't
> support virtual MAC addresses in the way VRRP is usually provides
> by router vendors and thus have to send gratuitous ARP requests
> to inform their networks about the new MAC address after a failover.
I think this is due to a limitation in the Linux kernel - it is simply
not possible to have a multiple unicast layer-2 addresses assigned to a
single network interface. Go bug the people on netdev - I'm sure
keepalived will support VMAC immediately after the necessary kernel
changes have been made.
BR,
--
Tore Anderson
Redpill Linpro AS - http://www.redpill-linpro.com/
next prev parent reply other threads:[~2009-05-25 14:58 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2009-05-25 11:46 Firewall in Load Balance - Active/Active Eduardo Sachs
2009-05-25 12:13 ` Marek Kierdelewicz
2009-05-25 12:29 ` Eduardo Sachs
2009-05-25 14:57 ` Marek Kierdelewicz
2009-05-25 13:04 ` Pablo Neira Ayuso
2009-05-25 13:35 ` Eduardo Sachs
2009-05-25 13:57 ` Покотиленко Костик
2009-05-25 14:13 ` Choices for virtual IP failover (was Re: Firewall in Load Balance - Active/Active) Thomas Jacob
[not found] ` <000b01c9dd44$c81bf5c0$5853e140$@bourke@mobileinternet.com>
2009-05-25 14:31 ` Thomas Jacob
[not found] ` <000001c9dd57$5f2ae630$1d80b290$@bourke@mobileinternet.com>
2009-05-25 17:47 ` Thomas Jacob
2009-05-25 14:58 ` Tore Anderson [this message]
2009-05-25 15:27 ` Thomas Jacob
2009-05-26 18:39 ` Firewall in Load Balance - Active/Active Elvir Kuric
2009-05-26 23:04 ` Thomas Jacob
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4A1AB22A.60807@redpill-linpro.com \
--to=tore.anderson@redpill-linpro.com \
--cc=edu.sachs@gmail.com \
--cc=jacob@internet24.de \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.