[strongSwan] High availability configuration
ms at sys4.de
Sun Feb 22 14:08:16 CET 2015
On Sunday, 22 February 2015, 14:57:13, unite wrote:
> On 2015-02-21 20:52, Noel Kuntze wrote:
> > Hello Aleksey,
> > Currently, strongSwan only supports high availability in an active-active cluster.
> > However, you can abuse it and make it active-passive by simply not using a multicast MAC address and configuration on the CLUSTERIP rule on the devices. That way, the SAs will be synchronized, but traffic will only be forwarded to one member of the cluster. Failover of the IP needs to be done by a cluster executive. Propagating the new MAC address of the IP needs to be done either by the kernel or the cluster executive. After the IP is assigned to the former passive and now active member, it will process the traffic.
> > In an active-active configuration, the multicast MAC address would ensure that the traffic is always received by both nodes. A hash function over the layer three address would decide which host processes it. However, be aware that I had problems with multicast MAC addresses with some newer Juniper switches. They do not seem to handle those addresses and forward the traffic correctly.
No. They started to handle it correctly. According to the specs a switch
SHOULD NOT learn a multicast MAC address that belongs to a unicast IP address.
Cisco always implemented it, but no other manufacturer. It seems that Juniper
started to implement it.
If you want to set up such a config, you have to configure the correct MAC
address in the switches on the ports. Otherwise you could have loops and you
will see a lot of traffic.
Kind regards,
[*] sys4 AG
http://sys4.de, +49 (89) 30 90 46 64, +49 (162) 165 0044
Franziskanerstraße 15, 81669 München
Registered office: München, Amtsgericht München: HRB 199263
Management Board: Patrick Ben Koetter, Marc Schiffbauer
Chairman of the Supervisory Board: Florian Kirstein
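A concrete version of the active-active setup described in the quoted message, as an added example that is not from this thread or from the strongSwan project: a small script that emits the CLUSTERIP rule and the strongswan.conf ha section for each of the two nodes. All addresses, the interface name and the secret are assumed placeholders; the CLUSTERIP options and ha plugin settings are the ones documented for iptables and strongswan.conf.

```bash
#!/bin/sh
# Added example, not from the thread: generate per-node configuration for an
# active-active strongSwan HA pair fronted by the CLUSTERIP iptables target.
# Addresses, interface name and secret are assumed placeholder values.
VIP=192.168.0.5                 # shared virtual IP both nodes answer on
CLUSTER_MAC=01:00:5e:00:00:20   # multicast MAC; CLUSTERIP requires a multicast address
IFACE=eth0
NODE1=10.0.0.1                  # sync-link addresses used by the ha plugin
NODE2=10.0.0.2
TOTAL=2                         # one CLUSTERIP node (= one ha segment) per member

# iptables rule for node $1. Every member receives every frame sent to
# CLUSTER_MAC; the kernel hashes the source IP and only the member whose
# --local-node matches the bucket processes the packet, so each peer is
# handled by exactly one node while the SAs are synced to both.
clusterip_rule() {
    echo "iptables -A INPUT -i $IFACE -d $VIP -j CLUSTERIP --new" \
         "--hashmode sourceip --clustermac $CLUSTER_MAC" \
         "--total-nodes $TOTAL --local-node $1"
}

# strongswan.conf ha section for the node with sync address $1 and peer $2.
# segment_count must equal --total-nodes; with monitor = yes the plugin
# notices a dead peer and takes over its segment via /proc/net/ipt_CLUSTERIP.
ha_conf() {
    cat <<EOF
charon {
    plugins {
        ha {
            local = $1
            remote = $2
            secret = CHANGE_ME_SHARED_SECRET
            segment_count = $TOTAL
            monitor = yes
            resync = yes
        }
    }
}
EOF
}

# Print both nodes' configs; apply each on its own host as root. On the
# switch, pin CLUSTER_MAC statically to both cluster ports: a switch must not
# learn a multicast MAC from a unicast IP, so without static entries the
# frames get flooded and can loop.
for n in 1 2; do
    echo "### node $n"; clusterip_rule "$n"
    if [ "$n" -eq 1 ]; then ha_conf "$NODE1" "$NODE2"; else ha_conf "$NODE2" "$NODE1"; fi
done
```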