Using policy routing to disable ARP

Jump to: navigation, search


The classic TCP/IP routing algorithms used today make their routing decisions based only on the destination address of IP packets. However, we often find ourselves wanting to route IP packets depending not only on the destination addresses, but also on other packet fields such as the source address, the IP protocol, the transport protocol ports, or even data within the packet payload. This type of IP routing is referred to as "policy routing".

Disable ARP for VIP

Julian suggested to use the advanced policy routing approach to get around the ARP problem of the real servers in the LVS/DR and LVS/TUN clusters. For example, is the VIP address, and the commands are as follows:

# Block  access from the  LAN to the  real server's VIP.  By
# this  way we ignore the router's ARP probes. The drawback:
# we  ignore the  client's probes too.   We have  to do this
# because the client on the LAN can receive replies from all
# real servers
ip rule add prio 99 from 172.26.20/24 table 99
ip route add table 99 blackhole
# Now  accept  locally  any  other  traffic,  i.e.  not from
# 172.26.20/24
ip rule add prio 100 table 100
ip route add table 100 local dev lo

Policy routing is faster than the REDIRECT approach, but the client on the same LAN cannot access the virtual service on the VIP. The real servers ignore the traffic from the LAN to the VIP, in order to discard the ARP request for the VIP too.