intellibion.blogg.se

Netmap config

This setup requires kernel version 2.6.37 or newer. In particular, it depends on the following recent features:

  • Accept incoming packets with local source (v2.6.33, commit).
  • Connection tracking zones (v2.6.34, commit).
  • Netfilter nat INPUT chain, NETMAP changes (v2.6.36, commit).
  • Netfilter connection tracking for lvs/ipvs (v2.6.37, commit).

This setup solves the challenge of serving remote users that originate from multiple different sites that all use the same overlapping [...] to a unique IP range so that users can be identified in application [...]

    [Diagram: netmap config]

So in short, it combines a two-node, multi-interface lvs [...] While you can use individual network interfaces, using VLANs saves [...] combine VLANs with interface bonding to achieve an even higher degree of resilience against failures.

The router maps each remote site to its own VLAN. [...] isn't really important; the remote sites can be directly connected on separate egress interfaces, or using IPSec VPNs, like in the diagram:

This approach is common in Cisco routers by using VRF-aware IPSec. In short, a crypto map is defined so that tunnel A is mapped to VRF (virtual routing and forwarding) instance 10, and tunnel B to VRF 20. These VRF instances will in turn have separate routing tables, [...] pointing the virtual IP towards the LVS VIP on each VLAN.

An obvious and easy solution to the overlapping subnets would be to have the router do SNAT/masquerading of the incoming packets. In my case, I spent lots of time trying to get that to work on the Cisco [...]

Assuming that traffic reaches the LVS pair on both VLAN 10 and 20, the idea is that packets are handled in the following way on each VLAN:

  • Incoming packets coming from the client subnet 10.0.0.0/24, destined for the virtual IP 1.2.3.4 on port 80, are marked with an fwmark using iptables with the MARK target.
  • Keepalived/LVS/ipvs is configured to schedule packets based on fwmarks.
  • Mark 10 is load-balanced to VLAN 10 backends 172.16.10.3 and [...]. Mark 20 is load-balanced to VLAN 20 backends 172.16.20.3 and [...].
  • Either on the way in on the same node, or on the way out to the other node, the packet's source IP is mapped to a unique subnet using the iptables NETMAP target.
  • The packet is handled by the main application, and a response packet is sent back to the source.
  • RPDB entries and custom routing tables are set up using iproute2, to ensure that the response packet makes it back the same way it came, through the NETMAP translation and then out the same interface it came in.

In the end, the main application (running on both nodes) would see clients from site A coming from source 10.0.10.0/24, and clients from site B coming from 10.0.20.0/24. Log analysis or accounting would have to take this into account [...]

The following script will use iptables and iproute to set the network [...] It assumes that the network interfaces have [...]

# This proof of concept script is intended to be straightforward to
# read and understand, rather than being cleverly written with [...]
# It is intended to work on both nodes, so some
# conditional variables must be set initially.
# Unique variables per node, derived from hostname.
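The script itself is not on the page. As an added example that is not the post's own code, the following POSIX shell script generates the iptables and iproute2 commands for the packet-handling steps listed above, one VLAN at a time (dry-run by default, so it can be read and checked before being executed as root). Interface names eth0.10/eth0.20, router addresses 172.16.10.1/172.16.20.1 and the CONNMARK rules that carry the fwmark onto locally generated replies are assumptions; the keepalived/ipvs scheduling and the reply path for connections forwarded to the peer node are not covered.

```shell
#!/bin/sh
# Added example, not the post's script. Assumed: VLAN interfaces eth0.10/eth0.20,
# router addresses 172.16.10.1/172.16.20.1, and CONNMARK to carry the fwmark to replies.
VIP=1.2.3.4
CLIENT_NET=10.0.0.0/24          # overlapping client subnet used by both remote sites
DRY_RUN=${DRY_RUN:-1}           # 1: print the commands, 0: execute them (needs root)

run() { if [ "$DRY_RUN" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi; }

# One VLAN. $1 = VLAN id, reused as fwmark, conntrack zone and routing-table number;
# $2 = VLAN interface, $3 = that VLAN's router, $4 = unique range the clients map to.
setup_vlan() {
  vlan=$1 dev=$2 gw=$3 mapped=$4
  # Conntrack zones keep the two sites' identical client addresses apart (2.6.34); the
  # zone of a locally generated reply is recognised by its already-mapped destination.
  run iptables -t raw -A PREROUTING -i "$dev" -s "$CLIENT_NET" -j CT --zone "$vlan"
  run iptables -t raw -A OUTPUT -d "$mapped" -j CT --zone "$vlan"
  # fwmark = VLAN id; keepalived/ipvs schedules on it. Save it on the connection so the
  # reply can be routed by the same mark.
  run iptables -t mangle -A PREROUTING -i "$dev" -s "$CLIENT_NET" -d "$VIP" -p tcp --dport 80 \
      -j MARK --set-mark "$vlan"
  run iptables -t mangle -A PREROUTING -m mark --mark "$vlan" -j CONNMARK --save-mark
  # Map the client source to the unique range: in nat INPUT when ipvs delivers the packet
  # to this node (NETMAP in INPUT, 2.6.36), in nat POSTROUTING when it forwards it out to
  # the peer node on the same VLAN.
  run iptables -t nat -A INPUT -m mark --mark "$vlan" -s "$CLIENT_NET" -j NETMAP --to "$mapped"
  run iptables -t nat -A POSTROUTING -o "$dev" -m mark --mark "$vlan" -s "$CLIENT_NET" \
      -j NETMAP --to "$mapped"
  # RPDB: packets carrying the mark use a per-VLAN table whose default route is that
  # VLAN's router, so the reply leaves through the interface it came in on.
  run ip route replace default via "$gw" dev "$dev" table "$vlan"
  run ip rule add fwmark "$vlan" table "$vlan"
}

# Both VLANs, plus the one rule that restores the saved mark on locally generated replies.
configure_lvs_node() {
  run iptables -t mangle -A OUTPUT -j CONNMARK --restore-mark
  setup_vlan 10 eth0.10 172.16.10.1 10.0.10.0/24   # site A clients become 10.0.10.0/24
  setup_vlan 20 eth0.20 172.16.20.1 10.0.20.0/24   # site B clients become 10.0.20.0/24
}

configure_lvs_node
```

Run it once with DRY_RUN=1 on each node and diff the two outputs: in this design the rule set is identical on both nodes, so any per-node difference should come only from the hostname-derived variables the post mentions.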