最近配置服务器时遇到在dummy0上宣告的公网地址不能正常访问公网的问题。网络的基本结构为2个网卡分别上联2个交换机,跑OSPF。在dummy0上会单独宣告1个公网的地址。自己通过在zebra内修改路由表使得访问公网时设置自己宣告的公网地址为源IP。
以前这个方案实际线上跑了多次,一直OK。最近有一套服务器安装这样的配置会出现刚启动时是OK的,过段时间就歇菜了。简单地说实际的情况如下:
T1 (192.168.1.2 )–> 交换机A的Port X(192.168.1.1)
T2 (192.168.2.2 )–> 交换机B的Port X(192.168.2.1)
平时默认都走T1,公网的路由表默认学到的网关实际是T2的对端地址。
当本地公网地址不能出去的时候,我自己带源地址(架设公网地址是4.4.4.4)ping,发现发送的ARP请求都是这样
Request who-has 192.168.2.1 tell 4.4.4.4
此时交换机上发现4.4.4.4实际不是和自己一个网段的地址,不会进行回复。就使得这本地这个公网地址出不去。解决这个问题就是加内核参数
net.ipv4.conf.all.arp_announce=1
下面是fix后的情况,可以看到使用的是接口上的IP为源IP发的ARP请求。
附上参数说明
rp_announce - INTEGER
Define different restriction levels for announcing the local
source IP address from IP packets in ARP requests sent on
interface:
0 - (default) Use any local address, configured on any interface
1 - Try to avoid local addresses that are not in the target's
subnet for this interface. This mode is useful when target
hosts reachable via this interface require the source IP
address in ARP requests to be part of their logical network
configured on the receiving interface. When we generate the
request we will check all our subnets that include the
target IP and will preserve the source address if it is from
such subnet. If there is no such subnet we select source
address according to the rules for level 2.
2 - Always use the best local address for this target.
In this mode we ignore the source address in the IP packet
and try to select local address that we prefer for talks with
the target host. Such local address is selected by looking
for primary IP addresses on all our subnets on the outgoing
interface that include the target IP address. If no suitable
local address is found we select the first local address
we have on the outgoing interface or on all other interfaces,
with the hope we will receive reply for our request and
even sometimes no matter the source IP address we announce.
The max value from conf/{all,interface}/arp_announce is used.
Increasing the restriction level gives more chance for
receiving answer from the resolved target while decreasing
the level announces more valid sender's information.