
I have several physical NICs on one server which should be able to access peer server's physical NICs. I have ip-tunnel devices (currently set as GRE) between each pair of NICs. I'd like to team/bond the tunnel devices to use them for failover.

At the moment the NetworkManager fails saying that the team slaves I'm attempting to define don't have a suitable device. Is there any way to achieve what I earlier described?

Thanks!

immortal
  • Typically you bond the actual NICs and then *all traffic*, including all tunnelled traffic, benefits from those bonded NICs. – HBruijn Nov 18 '18 at 10:07
  • @HBruijn Unfortunately, the NICs themselves shouldn't be bonded. Only the tunneled traffic. The NICs are used for external communication as well, and are not necessarily in the same subnet. – immortal Nov 18 '18 at 10:16

1 Answer

Tunnels work on a different layer and you can't bond them like physical interfaces. For simple failover, your tunnels will work as is: they all have the same routes.

If you need more flexibility for using all the possible throughput of the interfaces, you can:

  1. Use NIC bonding on the interfaces.
  2. Use 802.1Q VLAN tagging for the subnets. This way any subnet can use any NIC.
  3. Use a single VLAN for a single VPN tunnel. As you can see from the picture (where the height depicts the network capacity in use), your tunnel will be able to exceed the capacity of a single physical NIC despite being a single virtual network interface.

    Graph of phases 1-3

For redundancy, you can configure your tunnel to reconnect on another subnet, if VLAN 1 fails. However, if both servers are connected to a single switch, the only single point of failure would be the switch. If any of the NICs, any switch port or any cable fails, the rest will handle all the L2 subnets including the one having the tunnel.

In other words, while your suggestion tries to add redundancy for this VPN tunnel alone, this solution adds redundancy for all the physical networks, too. The redundancy of your VPN tunnel is now based on this (rather than on the hack suggested in the comments).

Esa Jokinen
  • Could I try giving all tunnel ifaces the same IP with increasing routing metric, and trust NM to bring down a connection that loses link so that the next in line would take over? I recognize that an ongoing connection will be cut, but otherwise, would that work? – immortal Nov 18 '18 at 14:54
  • That would probably cause conflicting IP address errors. You could e.g. consider some round-robin DNS with a short TTL. – Esa Jokinen Nov 18 '18 at 16:57
  • Would the conflicting addresses be a real issue here, though, considering that they are all on the same machine (just different physical NICs with possibly different MAC addresses), while they also arrive through tunneled traffic? – immortal Nov 19 '18 at 11:33
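The three phases of the answer (bond the NICs, put 802.1Q VLANs on the bond, run the GRE tunnel on one VLAN) written as nmcli commands, since the question uses NetworkManager. This is an added example, not code from the post or its authors; the interface names, VLAN id and addresses are constructed placeholders, and the bond mode is an assumption (802.3ad for the throughput shown in the answer's graph, active-backup when the switch has no LACP).

```shell
#!/bin/sh
# Added example (not from the original post): the answer's three phases as
# nmcli commands. Interface names, VLAN id and addresses are constructed
# placeholders. Without APPLY=1 the commands are only printed, so this runs
# anywhere and can be reviewed before touching a live host.
[ "${APPLY:-0}" = 1 ] && NMCLI=nmcli || NMCLI=echo

# Phase 1: bond the physical NICs. mode=802.3ad (LACP) lets a single tunnel
# exceed one NIC's capacity; mode=active-backup needs no LACP on the switch.
make_bond() {  # make_bond <bond> <mode> <nic>...
  bond="$1"; mode="$2"; shift 2
  $NMCLI connection add type bond con-name "$bond" ifname "$bond" \
    bond.options "mode=$mode,miimon=100" ipv4.method disabled ipv6.method disabled
  for nic in "$@"; do
    $NMCLI connection add type ethernet con-name "$bond-$nic" ifname "$nic" master "$bond"
  done
}

# Phase 2: one 802.1Q VLAN per subnet on top of the bond, so every subnet can
# leave through any NIC and survives the loss of a NIC, switch port or cable.
make_vlan() {  # make_vlan <bond> <vlan-id> <local-cidr>
  $NMCLI connection add type vlan con-name "$1.$2" ifname "$1.$2" dev "$1" id "$2" \
    ipv4.method manual ipv4.addresses "$3"
}

# Phase 3: the GRE tunnel rides on one VLAN. Its redundancy now comes from the
# bond underneath it, not from bonding the tunnel devices themselves.
make_gre() {  # make_gre <name> <local-ip> <remote-ip> <tunnel-cidr>
  $NMCLI connection add type ip-tunnel ip-tunnel.mode gre con-name "$1" ifname "$1" \
    local "$2" remote "$3" ipv4.method manual ipv4.addresses "$4"
}

# Constructed layout: two NICs, VLAN 10 carrying 192.0.2.0/24, GRE to the peer.
make_bond bond0 802.3ad eth0 eth1
make_vlan bond0 10 192.0.2.1/24
make_gre gre1 192.0.2.1 192.0.2.2 10.0.0.1/30
```

Run it once without APPLY=1 to see the exact nmcli commands, then on each server with APPLY=1 and the peer's addresses swapped.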