Configuring loopbacks with alternative methods

About this task

Some Linux kernel versions answer ARP requests for any IP address configured on the machine, on any interface present on the machine. They may also choose the source IP address for ARP who-has queries from all IP addresses present on the machine, regardless of which interface those addresses are configured on. In a cluster, this causes all cluster traffic to be directed to a single server in an indeterminate manner.

With Dispatcher's forwarding method, a mechanism must be employed to ensure that cluster-addressed traffic can be accepted by the stacks of the back-end servers.

In most cases, you must alias the cluster address on the loopback of each back-end server. To ensure that Linux systems do not advertise addresses configured on the loopback, you can use any of these four solutions to make Linux systems compatible.

Procedure

  • Use a kernel that does not advertise the addresses.
    This is the preferred option, as it does not incur a per-packet overhead and it does not require per-kernel reconfiguration.
    • Use the arp_ignore sysctl, available in kernels 2.4.25 and 2.6.5 and higher (distributions sometimes backport the feature to earlier kernels). Ensure that it is enabled before aliasing the cluster addresses, with the commands:
      # sysctl -w net.ipv4.conf.all.arp_ignore=3
      # sysctl -w net.ipv4.conf.all.arp_announce=2
      Clusters must then be aliased with the following command:
      # ip addr add $CLUSTER_ADDRESS/32 scope host dev lo
      Note: When using sysctl, ensure that these settings survive reboot by adding the settings to the install_root/etc/sysctl.conf file.
  • Use iptables to redirect all incoming cluster traffic to localhost.
    If you use this method, do not configure the loopback adapter with an alias. Instead, use the command:
    # iptables -t nat -A PREROUTING -d $CLUSTER_ADDRESS -j REDIRECT

    This command causes Linux systems to perform destination NAT on each packet, rewriting the cluster address to the interface address. This method has about a 6.4% connections-per-second throughput penalty. It works on any supported stock distribution; no kernel module and no kernel patch, build, and install are needed.
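The following script is an added example, not part of the original documentation or the product, that verifies a back-end server carries one of the two configurations described above (the arp_ignore sysctls plus the scope-host alias on lo, or the iptables REDIRECT rule) and prints the sysctl.conf lines needed to persist the first one. The PROC_SYS override and the cluster address 9.37.38.100 are assumptions made so the checks can be exercised against constructed input.

```shell
#!/bin/sh
# Added example (not from the original page): verify the Dispatcher
# loopback configuration on a Linux back-end server. PROC_SYS is a
# hypothetical override so the sysctl checks can read a constructed tree.

PROC_SYS="${PROC_SYS:-/proc/sys}"

# Print the current value of net.ipv4.conf.all.<key>, or nothing if absent.
read_arp_sysctl() {
    cat "$PROC_SYS/net/ipv4/conf/all/$1" 2>/dev/null
}

# Succeed only if arp_ignore=3 and arp_announce=2 are both in effect; these
# must be set before the cluster address is aliased on the loopback.
check_arp_sysctls() {
    [ "$(read_arp_sysctl arp_ignore)" = "3" ] &&
    [ "$(read_arp_sysctl arp_announce)" = "2" ]
}

# Given a cluster address and the output of `ip addr show dev lo`, succeed if
# the address is aliased as a /32 with scope host (what arp_ignore=3 keys on).
cluster_on_loopback() {
    printf '%s\n' "$2" | grep -Fq "inet $1/32 scope host"
}

# Given a cluster address and the output of `iptables -t nat -S PREROUTING`,
# succeed if the REDIRECT rule for that address (the alternative method) exists.
redirect_rule_present() {
    printf '%s\n' "$2" | grep -Fq -- "-A PREROUTING -d $1/32 -j REDIRECT"
}

# Lines to append to sysctl.conf so the settings are restored at boot.
sysctl_conf_lines() {
    printf 'net.ipv4.conf.all.arp_ignore = 3\n'
    printf 'net.ipv4.conf.all.arp_announce = 2\n'
}

# Usage as root on a back-end server:  sh check_loopback.sh 9.37.38.100
if [ -n "${1:-}" ]; then
    if check_arp_sysctls && cluster_on_loopback "$1" "$(ip addr show dev lo)"; then
        echo "$1: loopback alias method configured correctly"
    elif redirect_rule_present "$1" "$(iptables -t nat -S PREROUTING)"; then
        echo "$1: iptables REDIRECT method configured"
    else
        echo "$1: no working cluster configuration found"; exit 1
    fi
fi
```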