How to use a second Elastic Network Interface on the same subnet


Question

When I spin up an Amazon EC2 CentOS 7 server in, say, availability zone us-east-1a, the server is automatically assigned a primary private IP address on eth0, such as 172.31.8.244/20 and a gateway of 172.31.0.1. If I then attach a second interface on eth1, I can specify the address, which needs to be within the 172.31.0.0/20 subnet (or one will be assigned to me automatically within that subnet). eth1 will have the same gateway as eth0. Let's say I am assigned 172.31.12.121/20. I use the same security group on both eth0 and eth1, which allows SSH only in and everything out.

The problem is that when I try to SSH to eth0 from a different server, it works fine. But when I try to SSH to eth1 I get a timeout. ip addr and ip route show that both interfaces are up and have the correct routes. I can even SSH locally to eth1, and the /var/log/secure log shows the correct entries, the same as when I SSH to eth0 bound to eth1. What do I need to do to be able to SSH to either interface from a different server?

Answer

The problem is asymmetric routing. A request to eth1 comes in on eth1 and goes out on eth0. The reply coming out on eth0 has a different IP address than the one in the request, and so it is dropped on the client side. The solution is to set up rules that allow responses to route through eth1.

First, make sure you have created an AMI of your server, because if you enter the wrong thing in the following steps, you may lose all connectivity to the server and be unable to do anything but reboot it from the Amazon console web page.

Start off by setting the default route for each interface in separate tables:

ip route add default via 172.31.0.1 dev eth0 tab 1
ip route add default via 172.31.0.1 dev eth1 tab 2

To check that those were properly added, use:

ip route show table 1
ip route show table 2

Now you need to add rules that say to use the different tables depending on the source IP address:

ip rule add from 172.31.8.244/32 tab 1
ip rule add from 172.31.12.121/32 tab 2

You can check all of the rules with:

ip rule

You should now be able to connect to either IP address from a client machine. You can also use the bind option of SSH to connect from either interface on this server to a client machine:

ssh centos@client_ip_address -i mykey.pem  (uses the default, eth0)
ssh -b 172.31.12.121 centos@client_ip_address -i mykey.pem  (uses eth1)
ssh -b 172.31.8.244 centos@client_ip_address -i mykey.pem  (uses eth0)

You can use both interfaces to connect to other EC2 servers in the same availability zone, and for any interface that has a Public IP assigned to it, you can connect to the outside world or to other EC2 servers in the same VPC, even if they are in different availability zones.

But what if you want to connect to other EC2 servers that are in the same VPC but different availability zones? In other words, servers in the same data center. The problem is that the private IP address is masked at 20 bits, which confines you to one availability zone. So for data center us-east-1 you have:

us-east-1a:  172.31.0.0/20
us-east-1b:  172.31.16.0/20
us-east-1d:  172.31.48.0/20
us-east-1e:  172.31.32.0/20

To connect across availability zones in one VPC and in one data center you need a 16-bit mask. ip addr will show:

inet 172.31.12.121/20 brd 172.31.31.255 scope dynamic eth1

If lsof -n | egrep 172.31.12.121 shows you that this address is not in use, you can add the new mask and delete the old one. Note that the broadcast address has to change at the same time the mask changes:

ip addr add 172.31.12.121/16 dev eth1 brd 172.31.255.255
ip addr del 172.31.12.121/20 dev eth1

Now you should be able to connect from an EC2 server in availability zone A to another host in availability zone B, so long as they are in the same VPC, even if they do not have Public IP addresses.

Troubleshooting:

If you are having problems, try resetting both interfaces, which will remove any manual twiddling you have done. First copy /etc/sysconfig/network-scripts/ifcfg-eth0 to /etc/sysconfig/network-scripts/ifcfg-eth1, editing the second file to change the DEVICE from eth0 to eth1. Then add a line to /etc/sysconfig/network which says GATEWAYDEV=eth0. Finally, run /etc/init.d/network restart (no, it should not disconnect you). Then start over with the above commands.
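Added example, not part of the answer above: a small POSIX shell script that generates and, when run as root with the argument apply, installs the per-interface routing table and source-address rule that the answer builds by hand, extended to any number of interfaces, and that also prints the route-ethN / rule-ethN file contents which the CentOS 7 network scripts (ifup-routes) replay on every ifup, so the setup is not lost on the /etc/init.d/network restart the troubleshooting step recommends. The interface names, addresses, gateway and table numbers are the ones from the question; the function names and the table-numbering scheme (table N for the Nth interface) are my own choices.

```shell
#!/bin/sh
# Added example, not from the original answer. Policy routing for multiple
# ENIs on one subnet: one routing table per interface plus a rule that picks
# the table by source address, so replies leave on the interface that owns
# the address they are sent from. Names/addresses below are placeholders
# copied from the question (eth0 172.31.8.244, eth1 172.31.12.121, gw 172.31.0.1).

# Emit the runtime commands for one interface.
#   $1 device, $2 its private IP, $3 subnet gateway, $4 routing table number
policy_route_cmds() {
    printf 'ip route add default via %s dev %s table %s\n' "$3" "$1" "$4"
    printf 'ip rule add from %s/32 table %s\n' "$2" "$4"
}

# Emit the contents of /etc/sysconfig/network-scripts/route-$1 and rule-$1
# (same argument order as above); ifup-routes on CentOS 7 feeds each line to
# "ip route add" / "ip rule add" when the interface comes up.
policy_route_file() { printf 'default via %s dev %s table %s\n' "$3" "$1" "$4"; }
policy_rule_file()  { printf 'from %s/32 table %s\n' "$2" "$4"; }

# Read "<dev> <ip>" lines on stdin and assign tables 1, 2, 3, ... in order,
# so every ENI, not only the first two, gets its own table and rule.
#   $1 subnet gateway shared by all interfaces on the subnet
policy_route_plan() {
    gw=$1; tab=0
    while read -r dev ip; do
        [ -z "$dev" ] && continue
        tab=$((tab + 1))
        policy_route_cmds "$dev" "$ip" "$gw" "$tab"
    done
}

# Apply one interface idempotently: re-running must not duplicate rules.
# Needs root and iproute2; only meaningful on the instance itself.
policy_route_apply() {
    dev=$1; ip=$2; gw=$3; tab=$4
    ip route show table "$tab" | grep -qw "default via $gw dev $dev" \
        || ip route add default via "$gw" dev "$dev" table "$tab"
    # ip rule prints a /32 source without the prefix length
    ip rule show | grep -qw "from $ip lookup $tab" \
        || ip rule add from "$ip/32" table "$tab"
}

if [ "${1:-}" = "apply" ] && [ "$(id -u)" -eq 0 ]; then
    policy_route_apply eth0 172.31.8.244  172.31.0.1 1
    policy_route_apply eth1 172.31.12.121 172.31.0.1 2
else
    # Dry run: print the plan for the two interfaces from the question, then
    # the persistent file contents for eth1 (write them to route-eth1/rule-eth1).
    printf '%s %s\n' eth0 172.31.8.244 eth1 172.31.12.121 | policy_route_plan 172.31.0.1
    policy_route_file eth1 172.31.12.121 172.31.0.1 2
    policy_rule_file  eth1 172.31.12.121 172.31.0.1 2
fi
```

Run it without arguments first and compare the printed commands with the ones in the answer; only then run it as root with apply. Keep the AMI snapshot the answer recommends: a wrong gateway or device in table 1 takes eth0's return path with it.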
