[vrrp] Multi-device hot standby with VRRP: the virtual MAC address

2022-06-16  Bogon

一、 How Is a VRRP Virtual MAC Address Calculated?

A virtual MAC address is generated by the virtual router based on the virtual router ID.
The virtual MAC address format is 00-00-5E-00-01-{VRID} (VRRP) and 00-00-5E-00-02-{VRID} (VRRP6).

A VRRP router has a unique identifier, the VRID, in the range 0-255.
To the outside the router presents a single virtual MAC address of the form 00-00-5E-00-01-[VRID].
The master router answers ARP requests with this MAC address.
As a result, however many switchovers happen, end devices always see the same IP and MAC address, which reduces the impact of a switchover on them.
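The derivation above is simple enough to write down in both directions. The following Python is an added example, not code from this page or from any VRRP implementation: it builds the virtual MAC from a VRID for VRRP and VRRP6, and, more usefully for an operator checking a capture or a switch's MAC table after a failover, recognises whether an address seen on the wire is a VRRP virtual MAC and which VRID it encodes. The prefixes are the two quoted above; the accepted VRID range 0-255 follows the text; the function names are assumptions and only the standard library is used.

```python
"""Derive and recognise VRRP virtual MAC addresses from the VRID.

Added example, not code from the page or from any VRRP implementation.
Prefixes as quoted on the page: 00-00-5E-00-01 (VRRP) and 00-00-5E-00-02
(VRRP6); the final octet is the VRID.
"""

PREFIXES = {
    "vrrp": bytes.fromhex("00005e0001"),   # IPv4 VRRP virtual MAC prefix
    "vrrp6": bytes.fromhex("00005e0002"),  # IPv6 VRRP virtual MAC prefix
}


def virtual_mac(vrid: int, ipv6: bool = False, sep: str = ":") -> str:
    """Return the virtual MAC for a VRID as a lowercase string, e.g. 00:00:5e:00:01:a4."""
    if not 0 <= vrid <= 255:
        raise ValueError(f"VRID {vrid} does not fit in the last octet")
    raw = PREFIXES["vrrp6" if ipv6 else "vrrp"] + bytes([vrid])
    return sep.join(f"{b:02x}" for b in raw)


def parse_virtual_mac(mac: str):
    """Classify a MAC address seen on the wire.

    Returns ("vrrp" | "vrrp6", vrid) when the address is a VRRP virtual MAC,
    or None for any other address (a physical NIC MAC, for example).
    Accepts ':' or '-' separators and either case.
    """
    raw = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(raw) != 6:
        raise ValueError(f"{mac!r} is not a 48-bit MAC address")
    for kind, prefix in PREFIXES.items():
        if raw[:5] == prefix:
            return kind, raw[5]
    return None


if __name__ == "__main__":
    # The two addresses that appear in the mailing-list thread further down:
    # the macvlan interface's link/ether and the physical eth0 MAC.
    for seen in ("00:00:5e:00:01:a4", "d0:67:e5:f1:01:f9"):
        print(seen, "->", parse_virtual_mac(seen) or "not a VRRP virtual MAC")
    print("VRID 250 ->", virtual_mac(250, sep="-"))
```

Note that 00:00:5e:00:01:a4, the link/ether of the macvlan interface eth0v164 in the thread below, decodes to VRID 164 (0xa4), which is exactly the "v164" in its name.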


二、 Virtual MAC usage in firewall dual-device hot standby with VRRP

Interface without vrrp virtual-mac enable configured

Master firewall
VRRP advertisements: the source MAC is filled with the virtual MAC.
Gratuitous ARP: the virtual IP uses the virtual MAC; the real IP uses the real MAC.
ARP replies: the virtual IP uses the virtual MAC; the real IP uses the real MAC.
Layer 3 forwarding: packets are encapsulated with the interface's real MAC.

Backup firewall
VRRP advertisements: the backup does not send VRRP advertisements.
Gratuitous ARP: none is sent for the virtual IP; the real IP uses the real MAC.
ARP replies: none is sent for the virtual IP; the real IP uses the real MAC.
Layer 3 forwarding: packets are encapsulated with the interface's real MAC.

Interface with vrrp virtual-mac enable configured

Master firewall
VRRP advertisements: the source MAC is filled with the virtual MAC.
Gratuitous ARP: the virtual IP uses the virtual MAC; the real IP also uses the virtual MAC.
ARP replies: the virtual IP uses the virtual MAC; the real IP also uses the virtual MAC.
Layer 3 forwarding: packets are encapsulated with the virtual MAC.

Backup firewall
VRRP advertisements: the backup does not send VRRP advertisements.
Gratuitous ARP: none is sent for the virtual IP; the real IP uses the real MAC.
ARP replies: none is sent for the virtual IP; the real IP uses the real MAC.
Layer 3 forwarding: packets are encapsulated with the interface's real MAC.

Once vrrp virtual-mac enable is configured on an interface, the MAC address of that interface on the master firewall is changed to the virtual MAC, so every packet it sends is filled with the virtual MAC.

The backup firewall's interface is not changed to the virtual MAC, but when the backup becomes master it changes to the virtual MAC; likewise, when the master becomes backup it changes back to the real MAC.

三、 vmac mode send out arp request with MAC of physical interface

uname -a
ip addr show BASEINTERFACE
ip addr show MACVLANINTERFACE
ip route

for f in /proc/sys/net/ipv4/conf/{BASEINTERFACE,MACVLANINTERFACE}/arp_*; do echo -n "$f "; cat $f; done

* uname -a
# uname -a
Linux 3.0.23-1-586-vyatta #1 SMP Tue Jul 24 10:13:15 PDT 2012 i686 GNU/Linux

* ip addr show BASEINTERFACE

# ip addr show eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether d0:67:e5:f1:01:f9 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.4/24 brd 10.10.10.255 scope global eth0
    inet6 fe80::d267:e5ff:fef1:1f9/64 scope link
       valid_lft forever preferred_lft forever

* ip addr show MACVLANINTERFACE

# ip addr show eth0v164
eth0v164@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP
    link/ether 00:00:5e:00:01:a4 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.2/24 scope global eth0v164

* ip route list
# ip route list

default via 10.10.10.1 dev eth0  proto zebra
10.10.10.0/24 dev eth0  proto kernel  scope link  src 10.10.10.4
10.10.10.0/24 dev eth0v164  proto kernel  scope link  src 10.10.10.2
172.16.0.0/24 dev eth1  proto kernel  scope link  src 172.16.0.4
127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1

* for f in /proc/sys/net/ipv4/conf/{BASEINTERFACE,MACVLANINTERFACE}/arp_*; do echo -n "$f "; cat $f; done

# cd /proc/sys/net/ipv4/conf
# for f in {all,eth0,eth0v164}/arp_*; do echo -n "$f "; cat $f; done

all/arp_accept 0
all/arp_announce 1
all/arp_filter 0
all/arp_ignore 1
all/arp_notify 0
eth0/arp_accept 0
eth0/arp_announce 0
eth0/arp_filter 1
eth0/arp_ignore 0
eth0/arp_notify 0
eth0v164/arp_accept 0
eth0v164/arp_announce 0
eth0v164/arp_filter 0
eth0v164/arp_ignore 0
eth0v164/arp_notify 0

1. Suppose the Virtual IP is 10.10.10.2 and there is a host 10.10.10.x (e.g. the backup) in the network.
2. arp -d 10.10.10.x
3. on 10.10.10.x run "tcpdump -nnq -e arp -i <10.10.10_interface>"
4. ping -c2 -I 10.10.10.2 10.10.10.x

The tcpdump should tell which MAC is used in the arp request.

> * uname -a:
Linux 3.0.23-1-586-vyatta #1 SMP Tue Jul 24 10:13:15 PDT 2012 i686 GNU/Linux

> * ip addr show BASEINTERFACE
> ip addr show eth0
eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether d0:67:e5:f1:01:f9 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.4/24 brd 10.10.10.255 scope global eth0
inet6 fe80::d267:e5ff:fef1:1f9/64 scope link 
 valid_lft forever preferred_lft forever

> * ip addr show MACVLANINTERFACE
> ip addr show eth0v164
eth0v164@eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP 
link/ether 00:00:5e:00:01:a4 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.2/24 scope global eth0v164

>  * ip route list
 default via 10.10.10.1 dev eth0  proto zebra 
10.10.10.0/24 dev eth0  proto kernel  scope link  src 10.10.10.4 
10.10.10.0/24 dev eth0v164  proto kernel  scope link  src 10.10.10.2 
172.16.0.0/24 dev eth1  proto kernel  scope link  src 172.16.0.4 
127.0.0.0/8 dev lo  proto kernel  scope link  src 127.0.0.1 

> * and the output of for f in /proc/sys/net/ipv4/conf/{eth0,eth0v164}/arp_*; do echo -n "$f "; cat $f; done

In summary, my values are the ones documented by Vyatta: 
all.arp_ignore=1,all.arp_announce=1,all.arp_filter=0

but eth0.arp_filter=1
eth0v164.arp_filter=0

Some say the value of "rp_filter" matters. It is 0 for {all,eth0,eth0v164}.


> cd /proc/sys/net/ipv4/conf
> for f in {all,eth0,eth0v164}/arp_*; do echo -n "$f "; cat $f; done

all/arp_accept 0
all/arp_announce 1
all/arp_filter 0
all/arp_ignore 1
all/arp_notify 0
eth0/arp_accept 0
eth0/arp_announce 0
eth0/arp_filter 1
eth0/arp_ignore 0
eth0/arp_notify 0
eth0v164/arp_accept 0
eth0v164/arp_announce 0
eth0v164/arp_filter 0
eth0v164/arp_ignore 0
eth0v164/arp_notify 0

> Thanks a lot guys.
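The check the thread settles on, capturing ARP on a neighbour with tcpdump -e and reading off which source MAC the virtual IP uses, is easy to automate and worth running after every failover test. The following Python is an added example, not code from the thread or from keepalived: it parses lines in the shape tcpdump prints with -nn -e for ARP and, for every request or reply that carries the virtual IP, reports whether the MAC on the wire is the VRRP virtual MAC for the configured VRID or something else, such as the physical interface MAC the thread complains about. The capture embedded in it is constructed; its addresses follow the thread (VIP 10.10.10.2, VRID 164 = 0xa4, physical MAC d0:67:e5:f1:01:f9), while the third host 10.10.10.3, the neighbour MAC 00:11:22:33:44:55 and the function names are assumptions.

```python
"""Audit which MAC a VRRP virtual IP uses in ARP traffic.

Added example, not part of the mailing-list thread above and not keepalived
code. Input is text in the form tcpdump prints with "-nn -e" for ARP frames.
For an ARP request tcpdump does not print the sender hardware address, so the
frame's source MAC is used, which is what the thread's procedure looks at.
"""
import re

MAC = r"[0-9a-f]{2}(?::[0-9a-f]{2}){5}"
ARP_LINE = re.compile(
    rf"^(?P<ts>\S+)\s+(?P<src>{MAC}) > (?P<dst>{MAC}),.*?"
    rf"(?:Request who-has (?P<target>[\d.]+) tell (?P<sender>[\d.]+)"
    rf"|Reply (?P<rsender>[\d.]+) is-at (?P<rmac>{MAC}))",
    re.IGNORECASE,
)

# Constructed sample capture (not from the thread). Lines 1 and 3 are the
# "ping -I 10.10.10.2" probe sent once with the physical MAC and once with
# the virtual MAC; line 2 is ARP from the real IP; line 4 is a reply for the
# VIP; line 5 is not ARP at all and must be ignored.
SAMPLE_CAPTURE = """\
10:00:01.000001 d0:67:e5:f1:01:f9 > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.10.10.3 tell 10.10.10.2, length 28
10:00:01.000532 d0:67:e5:f1:01:f9 > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.10.10.3 tell 10.10.10.4, length 28
10:00:02.000001 00:00:5e:00:01:a4 > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has 10.10.10.3 tell 10.10.10.2, length 28
10:00:02.000700 00:00:5e:00:01:a4 > 00:11:22:33:44:55, ARP, length 42: Reply 10.10.10.2 is-at 00:00:5e:00:01:a4, length 28
10:00:03.000001 d0:67:e5:f1:01:f9 > 00:11:22:33:44:55, IPv4, length 98: 10.10.10.4 > 10.10.10.3: ICMP echo request, id 1, seq 1, length 64
"""


def audit_arp(capture: str, virtual_ip: str, vrid: int) -> list:
    """Return one finding per ARP request/reply that involves virtual_ip.

    Each finding is {"ts", "kind", "mac", "uses_vmac"}; uses_vmac is True
    when the MAC equals the VRRP virtual MAC 00:00:5e:00:01:<vrid>.
    """
    expected = f"00:00:5e:00:01:{vrid:02x}"
    findings = []
    for line in capture.splitlines():
        m = ARP_LINE.search(line)
        if not m:
            continue  # not an ARP request or reply line
        if m["sender"] == virtual_ip:
            kind, mac = "request", m["src"]      # request sent on behalf of the VIP
        elif m["rsender"] == virtual_ip:
            kind, mac = "reply", m["rmac"]       # reply announcing the VIP's MAC
        else:
            continue  # ARP about some other address
        findings.append({"ts": m["ts"], "kind": kind, "mac": mac.lower(),
                         "uses_vmac": mac.lower() == expected})
    return findings


def physical_mac_leaks(findings: list) -> int:
    """Number of ARP packets where the VIP was paired with a non-virtual MAC."""
    return sum(1 for f in findings if not f["uses_vmac"])


if __name__ == "__main__":
    import sys
    data = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read()
    results = audit_arp(data, "10.10.10.2", 164)
    for f in results:
        print(f["ts"], f["kind"], f["mac"], "OK" if f["uses_vmac"] else "PHYSICAL MAC")
    print("ARP packets pairing the VIP with a non-virtual MAC:", physical_mac_leaks(results))
```

On a real system run it on the neighbour as `tcpdump -nn -e -l arp -i <iface> | python3 arp_vmac_audit.py` (file name assumed) while the probe from step 4 above runs; a non-zero leak count means the switch's MAC table will be repointed at a physical port on every failover, which is the behaviour the virtual MAC is meant to avoid. The exact text tcpdump prints for ARP varies a little between versions, hence the permissive `.*?` before the request/reply part.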

四、 Notes on using VRRP with a virtual MAC address

I'm using keepalived 1.1.11 on 2 debian boxes working as a virtual router. Failover works fine, Master - Backup transition is ok, but the MAC address for the virtual ip is always the real MAC of the master.
I think it should be the virtual one (00-00-5E-00-01-{VRID}).
Is there any configuration or compile time option to change this?

Notes on using VRRP with a virtual MAC address

To reduce the impact of a takeover, some network environments require running VRRP with a VMAC address.
To that end, the Keepalived VRRP framework implements VMAC support, enabled with the use_vmac keyword in the configuration file.

Internally, the Keepalived code brings up virtual interfaces, each dedicated to a specific virtual_router.
Keepalived uses the Linux kernel macvlan driver to define these interfaces, so the kernel must be compiled with macvlan support.

In addition, VRRP VMAC only works with kernels that include the following patch:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=729e72a10930ef765c11a5a35031ba47f18221c4

By default a MACVLAN interface is in VEPA mode, which filters out received packets whose source MAC address matches the MACVLAN interface's own address. Setting the MACVLAN interface to private mode disables this filtering on the source MAC address.

Alternatively, you can specify vmac_xmit_base, which causes VRRP messages to be transmitted and received on the base interface while ARP still happens from the VMAC interface.

You may also need to tweak the physical interfaces to work around well-known ARP issues.
If you run into problems, try the following configuration:

1. Global configuration:

net.ipv4.conf.all.arp_ignore = 1
net.ipv4.conf.all.arp_announce = 1
net.ipv4.conf.all.arp_filter = 0

2. Physical interface configuration

For the physical Ethernet interface running the VRRP instance, use:

net.ipv4.conf.eth0.arp_filter = 1

3. VMAC interface

Consider the following VRRP configuration:

    vrrp_instance instance1 {
        state BACKUP
        interface eth0
        virtual_router_id 250
        use_vmac
        vmac_xmit_base   # Transmit VRRP adverts over physical interface
        priority 150
        advert_int 1
        virtual_ipaddress {
            10.0.0.254
        }
    }

The use_vmac keyword drives the keepalived code to create a macvlan interface named vrrp.250.
The default internal naming scheme is vrrp.{virtual_router_id}; you can override it by giving an argument to the use_vmac keyword, e.g. use_vmac vrrp250.

You then need to configure the interface with:

net.ipv4.conf.vrrp.250.arp_filter = 0
net.ipv4.conf.vrrp.250.accept_local = 1 (needed for the address-owner case)
net.ipv4.conf.vrrp.250.rp_filter = 0

You can create a notify_master script to automate this configuration step for you:

    vrrp_instance instance1 {
        state BACKUP
        interface eth0
        virtual_router_id 250
        use_vmac
        priority 150
        advert_int 1
        virtual_ipaddress {
            10.0.0.254
        }
        notify_master "/usr/local/bin/vmac_tweak.sh vrrp.250"
    }
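The thread in section three compared its observed arp_* values with the documented ones by hand, and the note here lists the full recommended set in three groups. The following Python is an added example, not keepalived code and not the vmac_tweak.sh script named in the configuration above (the page does not show that script): it encodes the recommendations, audits a listing in the iface/arp_* value form posted in section three against them, and can write the values under /proc/sys, which is what a notify_master hook would do. The listing embedded in it is the one from the thread plus one constructed eth0v164/rp_filter line reflecting the thread's remark that rp_filter is 0 on all three; function names are assumptions.

```python
"""Check and apply the sysctl values keepalived's NOTE_vrrp_vmac.txt recommends.

Added example; not keepalived code and not the vmac_tweak.sh script referred
to in the configuration above.
"""
from pathlib import Path

PREFIX = "net.ipv4.conf."


def recommended_sysctls(phys_iface: str, vmac_iface: str) -> dict:
    """The three groups from the note: global, physical interface, VMAC interface."""
    return {
        f"{PREFIX}all.arp_ignore": 1,
        f"{PREFIX}all.arp_announce": 1,
        f"{PREFIX}all.arp_filter": 0,
        f"{PREFIX}{phys_iface}.arp_filter": 1,
        f"{PREFIX}{vmac_iface}.arp_filter": 0,
        f"{PREFIX}{vmac_iface}.accept_local": 1,   # address-owner case
        f"{PREFIX}{vmac_iface}.rp_filter": 0,
    }


def sysctl_path(key: str, root: str = "/proc/sys") -> Path:
    """Map a key to its /proc file. Interface names may themselves contain dots
    (vrrp.250), so only the last dotted component is the setting name."""
    if not key.startswith(PREFIX):
        raise ValueError(f"unsupported key {key!r}")
    iface, _, leaf = key[len(PREFIX):].rpartition(".")
    return Path(root, "net/ipv4/conf", iface, leaf)


def parse_proc_listing(text: str) -> dict:
    """Parse 'eth0/arp_filter 1' lines (the thread's format) into {sysctl_key: int}."""
    observed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        path, value = line.rsplit(None, 1)
        iface, leaf = path.rsplit("/", 1)
        observed[f"{PREFIX}{iface}.{leaf}"] = int(value)
    return observed


def audit(observed: dict, phys_iface: str, vmac_iface: str) -> list:
    """Return (key, wanted, observed-or-None) for every recommendation not met."""
    return [(key, want, observed.get(key))
            for key, want in recommended_sysctls(phys_iface, vmac_iface).items()
            if observed.get(key) != want]


def apply(phys_iface: str, vmac_iface: str, root: str = "/proc/sys") -> dict:
    """Write the recommended values (needs root on the real /proc/sys).
    Returns {path: value} so a notify script can log what it changed."""
    written = {}
    for key, want in recommended_sysctls(phys_iface, vmac_iface).items():
        p = sysctl_path(key, root)
        if root != "/proc/sys":
            p.parent.mkdir(parents=True, exist_ok=True)  # scratch tree for dry runs
        p.write_text(f"{want}\n")
        written[str(p)] = want
    return written


# The listing posted in section three, plus a constructed rp_filter line for
# the value the thread reports in prose (the listing itself only had arp_*).
THREAD_LISTING = """
all/arp_accept 0
all/arp_announce 1
all/arp_filter 0
all/arp_ignore 1
all/arp_notify 0
eth0/arp_accept 0
eth0/arp_announce 0
eth0/arp_filter 1
eth0/arp_ignore 0
eth0/arp_notify 0
eth0v164/arp_accept 0
eth0v164/arp_announce 0
eth0v164/arp_filter 0
eth0v164/arp_ignore 0
eth0v164/arp_notify 0
eth0v164/rp_filter 0
"""

if __name__ == "__main__":
    for key, want, got in audit(parse_proc_listing(THREAD_LISTING), "eth0", "eth0v164"):
        print(f"{key}: want {want}, got {got}")
```

Against the thread's own listing the audit flags only accept_local on the VMAC interface as unset; whether that mattered for the thread's problem is not something the thread says, so treat the output as a checklist, not a diagnosis. Two practical caveats: sysctl(8) treats every dot as a separator, so for an interface such as vrrp.250 write the key with slashes (net/ipv4/conf/vrrp.250/rp_filter) or write the /proc file directly as `apply` does; and the VMAC interface's directory under /proc/sys only exists once keepalived has created the macvlan, which is why the note hangs the step on notify_master.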

五、 References

Linux virtual NIC technology: Macvlan
https://cloud.tencent.com/developer/article/1495440

keepalived/doc/NOTE_vrrp_vmac.txt
https://github.com/acassen/keepalived/blob/master/doc/NOTE_vrrp_vmac.txt

Ubuntu 16.04, Keepalived VMAC
https://serverfault.com/questions/825631/ubuntu-16-04-keepalived-vmac

Notes on using VRRP with a virtual MAC address
https://www.cnblogs.com/huixst/p/11595548.html

keepalived software design
https://keepalived-doc.readthedocs.io/zh_CN/latest/%E8%BD%AF%E4%BB%B6%E8%AE%BE%E8%AE%A1.html

Dual-device hot standby: an introduction to the VRRP protocol
https://mp.weixin.qq.com/s/j6IThLYpy-AqUbA4u3zlPg

IPv4 multicast MAC Addresses
https://www.omnisecu.com/tcpip/ipv4-multicast-mac-addresses.php

Virtual MAC usage in firewall dual-device hot standby with VRRP, explained in detail
https://forum.huawei.com/enterprise/zh/thread-801979.html

Configure a virtual MAC address
https://docs.citrix.com/zh-cn/citrix-gateway/current-release/high-availability/ng-ha-config-virtual-mac-address-tsk.html

keepalived vmac mode send out arp request with MAC of physical interface
https://sourceforge.net/p/keepalived/mailman/keepalived-devel/thread/CAHO7rrdt0g-OXj8V%3DP4yHp1C9eDSnKQv5RseSnQ4jsxrHZi-bg%40mail.gmail.com

How to get virtual mac address of a physical nic?
https://communities.vmware.com/t5/vSphere-Management-SDK/How-to-get-virtual-mac-address-of-a-physical-nic/td-p/349717

Keepalived's virtual_router_id: should it be unique per node?
https://yo.zgserver.com/keepalivedvirtual_router_id.html

Virtual MAC Address vs Physical MAC Address
https://www.rfwireless-world.com/Terminology/Virtual-MAC-Address-vs-Physical-MAC-Address.html

Question concerning virtual mac address
https://keepalived-devel.narkive.com/DeUzUmGK/question-concerning-virtual-mac-address
