From: eeb4u on 27 Sep 2007 22:39

I am setting up a new datacenter and for redundancy have everything connected with a failover path. I had never used IPMP before, but I followed the many guides available and have it working nicely. However, I now notice a ton of new ping messages in the firewall logs. I pushed back the failure detection time to the default setting, as it was generating so much "noise" in the logs (Cisco ASA); I had it at less than a second. The in.mpathd man page states that failover can be detected by monitoring the IFF_RUNNING flag or with the echo probe. Can I specify that it should only use the IFF_RUNNING flag?

What is a *good* value for failure detection time? We run "near real time" credit card transactions.

Solaris 10 on v490's

Mike D.
From: James Carlson on 28 Sep 2007 13:19

"eeb4u(a)hotmail.com" <eeb4u(a)hotmail.com> writes:

> I am setting up a new datacenter and for redundancy have everything connected with a failover path. I had never used IPMP before, but I followed the many guides available and have it working nicely. However, I now notice a ton of new ping messages in the firewall logs. I pushed back the failure detection time to the default setting as it was generating so much "noise" in the logs (Cisco ASA) I had it at less than a second. The in.mpathd man page states that failover can be detected by monitoring the IFF_RUNNING flag or with the echo probe. Can I specify that it should only use the IFF_RUNNING flag?

Yes. That's called "link-based failure detection" (as opposed to "probe-based failure detection") in the documentation.

To disable probe-based failure detection, just omit the configuration of test (-failover) addresses.

> What is a *good* value for failure detection time? We run "near real time" credit card transactions.

It depends on a number of factors, including the network gear in use and the sorts of failures you're worried about -- link-based is near instantaneous, but probe-based is usually on the order of a second or two. You can tune the probes in /etc/default/mpathd.

-- 
James Carlson, Solaris Networking <james.d.carlson(a)sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
From: eeb4u on 2 Oct 2007 16:13

On Sep 28, 1:19 pm, James Carlson <james.d.carl...(a)sun.com> wrote:

> "ee...(a)hotmail.com" <ee...(a)hotmail.com> writes:
>
> > I am setting up a new datacenter and for redundancy have everything connected with a failover path. I had never used IPMP before, but I followed the many guides available and have it working nicely. However, I now notice a ton of new ping messages in the firewall logs. I pushed back the failure detection time to the default setting as it was generating so much "noise" in the logs (Cisco ASA) I had it at less than a second. The in.mpathd man page states that failover can be detected by monitoring the IFF_RUNNING flag or with the echo probe. Can I specify that it should only use the IFF_RUNNING flag?
>
> Yes. That's called "link-based failure detection" (as opposed to "probe-based failure detection") in the documentation.
>
> To disable probe-based failure detection, just omit the configuration of test (-failover) addresses.
>
> > What is a *good* value for failure detection time? We run "near real time" credit card transactions.
>
> It depends on a number of factors, including the network gear in use and the sorts of failures you're worried about -- link-based is near instantaneous, but probe-based is usually on the order of a second or two. You can tune the probes in /etc/default/mpathd.
>
> -- 
> James Carlson, Solaris Networking <james.d.carl...(a)sun.com>
> Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
> MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677

James, thanks for your reply, here is my current config:

    #
    # entries for IPMP
    #
    10.221.90.42    dev1 loghost    # Primary Interface
    10.221.90.142   dev1-ce1        # Failover for IPMP
    10.221.90.242   dev1-test       # Test address for IP

    /etc/hostname.ce0
    dev1-test netmask + broadcast + group ipmp deprecated -failover up
    addif prodb netmask + broadcast + failover up

    /etc/hostname.ce1
    dev1-ce1 netmask + broadcast + group ipmp deprecated -failover standby up

What should I change my configuration to, to correct the ping flood I am seeing in my firewall logs?

Thanks,
Mike
From: Yonah Russ on 2 Oct 2007 16:59

Hi Mike,

Just to expand on some of the answers you got: link-based detection is problematic because there are several cases where your network card will detect a link but in reality you will not have network connectivity. The simplest example is where you have:

    [machine]---[switch1]- x -[fw1]
        '----------[switch2]-----[fw2]

The machine sees a link but the path has failed. And you always have the bad network cable which shows a link but mangles every packet.

And if that wasn't enough: link-based detection is not supported by every network card AFAIK.

Good luck!
Yonah

On Sep 28, 4:39 am, "ee...(a)hotmail.com" <ee...(a)hotmail.com> wrote:

> I am setting up a new datacenter and for redundancy have everything connected with a failover path. I had never used IPMP before, but I followed the many guides available and have it working nicely. However, I now notice a ton of new ping messages in the firewall logs. I pushed back the failure detection time to the default setting as it was generating so much "noise" in the logs (Cisco ASA) I had it at less than a second. The in.mpathd man page states that failover can be detected by monitoring the IFF_RUNNING flag or with the echo probe. Can I specify that it should only use the IFF_RUNNING flag?
>
> What is a *good* value for failure detection time? We run "near real time" credit card transactions.
>
> Solaris 10 on v490's
>
> Mike D.
From: James Carlson on 3 Oct 2007 08:39
Yonah Russ <yonah.russ(a)gmail.com> writes:

> Just to expand on some of the answers you got- link based detection is problematic because there are several cases where your network card will detect a link but in reality you will not have network connectivity. The simplest example is where you have:

Quite true. That's why probe-based detection exists. But if the user doesn't want to employ the best practice, well, we can accommodate that as well. :-/

> And if that wasn't enough- Link based detection is not supported by every network card AFAIK.

Correct. It depends a bit on Solaris version, as we've been extending link detection to more drivers over time, and it's the sort of RFE that typically does _not_ get backported. We're getting close to the point now (in Nevada) where all drivers support it.

To check, just yank the cable and use "ifconfig" to look at the RUNNING flag. If it goes away, then you've got a driver with link detection.

-- 
James Carlson, Solaris Networking <james.d.carlson(a)sun.com>
Sun Microsystems / 35 Network Drive 71.232W Vox +1 781 442 2084
MS UBUR02-212 / Burlington MA 01803-2757 42.496N Fax +1 781 442 1677
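Two checks come up in this thread: James's first reply (in.mpathd only probes when a test, i.e. -failover, address is plumbed) and his last (pull the cable and watch the RUNNING flag in ifconfig). The script below is an added example, not code from the thread or from Sun; it parses a constructed sample of Solaris "ifconfig -a" output (flag names are real Solaris ones, the hex flag words and addresses are made up to match Mike's config) and reports, per IPMP group member, the link state and whether a test address is present, which is what drives the ICMP probes seen at the firewall.

```shell
#!/bin/sh
# Constructed sample of "ifconfig -a" output for the two-interface IPMP
# group discussed in the thread. Flag names are real Solaris ones; the
# hex flag values are made up. ce1 is shown after a cable pull: no RUNNING.
SAMPLE_IFCONFIG='ce0: flags=9040843<UP,BROADCAST,RUNNING,MULTICAST,DEPRECATED,IPv4,NOFAILOVER> mtu 1500 index 2
        inet 10.221.90.242 netmask ffffff00 broadcast 10.221.90.255
        groupname ipmp
ce0:1: flags=1000843<UP,BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
        inet 10.221.90.42 netmask ffffff00 broadcast 10.221.90.255
ce1: flags=69040843<UP,BROADCAST,MULTICAST,DEPRECATED,IPv4,NOFAILOVER,STANDBY,INACTIVE,FAILED> mtu 1500 index 3
        inet 10.221.90.142 netmask ffffff00 broadcast 10.221.90.255
        groupname ipmp'

# ipmp_status: read "ifconfig -a" text on stdin and print one line per
# physical interface that is in an IPMP group:
#     <iface> <group> link=<up|down> test_addr=<yes|no>
# link      is taken from the RUNNING flag (what link-based detection uses)
# test_addr is "yes" when a NOFAILOVER (test) address is plumbed on the
#           interface, which is what turns on probe-based detection and
#           therefore the ICMP probes seen in the firewall logs.
ipmp_status() {
    awk '
    /^[a-z]/ {
        split($1, parts, ":"); iface = parts[1]
        flags = $2
        sub(/^flags=[0-9a-f]*</, "", flags); sub(/>$/, "", flags)
        # "ce0:" is the physical interface, "ce0:1:" a logical one
        if ($1 !~ /:.*:/)
            running[iface] = (flags ~ /(^|,)RUNNING(,|$)/) ? "up" : "down"
        if (flags ~ /(^|,)NOFAILOVER(,|$)/) testaddr[iface] = "yes"
        cur = iface
        next
    }
    $1 == "groupname" { group[cur] = $2 }
    END {
        for (i in group) {
            ta = (i in testaddr) ? "yes" : "no"
            printf "%s %s link=%s test_addr=%s\n", i, group[i], running[i], ta
        }
    }' | sort
}

# probe_based_enabled: succeed if any group member carries a test address,
# i.e. in.mpathd is probing. Drop those addresses to run link-based only.
probe_based_enabled() {
    ipmp_status | grep -q 'test_addr=yes'
}

printf '%s\n' "$SAMPLE_IFCONFIG" | ipmp_status
```

On a real host replace the sample with `ifconfig -a | ipmp_status`; a member that shows link=down while its peer is up is exactly the RUNNING-flag change James describes.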