As we are doing some keepalived work, and looking at groups of IPs, I came across a couple of links worth mentioning:
This link below shows an approach of using a vrrp_sync group for an internal and external network. This is very much along the lines of what we were thinking we wanted to achieve and it was nice to see reassurance that we might be using a sync group as it is intended to be used (given the dirth of use-case documentation on this).
Another link is this one below.
Up to this point I have only been testing the VIP assignment and reassignment by pulling cables and making firewall adjustments (to make sure the VRRP could get through the firewall).
This link below has me concerned that true client testing might (will?) fail. Because indeed, Firewalld and iptables on Linux are, indeed, stateful firewalls. So I may need this link to bail me out.
http://backreference.org/2013/04/03/firewall-ha-with-conntrackd-and-keepalived/
No comments:
Post a Comment