On Sat, 1 Oct 2005, Ryan McBride wrote:

On Fri, Sep 30, 2005 at 04:40:26PM +0200, Henning Brauer wrote:
* Charles Sprickman <[EMAIL PROTECTED]> [2005-09-29 22:51]:
The design seems to assume that one MAC address can
only exist on one port at a time, correct?

no, not at all. There have been so-called multicast MAC addresses from
the stone age on, and that is what carp uses.

Actually, the carp virtual mac address is not a multicast address. Only
the carp advertisements use multicast.

The switch knows where to send the packet because the master carp host
sends out gratuitous arp replies and carp advertisements with the carp
virtual address as the source, so unless you have a horribly broken or
misconfigured switch, it Just Works(tm)

Sorry to dig this up (and to ask and run), but I wanted to sit down and digest this.

My question is answered, and I appreciate everyone taking the time to chime in. Let me just regurgitate to make sure I've got this:

-No matter how many boxes I've got in an HA setup, there is only one virtual MAC address, and that address will stick to one firewall until that firewall either fails or is taken out of the CARP group.

-The above means that the switch will see that MAC on only one port during normal operation.

-Should a member fail, another box will both be sending gratuitous arp replies and carp advertisements with the virtual MAC, and the switch will simply see that a MAC has moved from one port to another. This is no different than physically moving a box from one port to another.

Someone also mentioned the arpbalance sysctl. If I'm reading this correctly, that does not complicate the issue at all since we don't have the same MAC on more than one host:

from carp(4):
"When the hosts receive an ARP request for 192.168.1.10, the source IP
address of the request is used to compute which virtual host should answer
the request.  The host which is master of the selected virtual host will
reply to the request, the other(s) will ignore it.

This way, locally connected systems will receive different ARP replies
and subsequent IP traffic will be balanced among the hosts.  If one of
the hosts fails, the other will take over the virtual MAC address, and
begin answering ARP requests on its behalf."

Thanks all,

Charles
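The two behaviours summarised above (a learning switch simply re-learning the CARP virtual MAC on another port after a gratuitous ARP, and arpbalance letting the ARP sender's IP pick which virtual host answers) can be simulated in a few lines. This is an added example, not code from the thread or from OpenBSD's carp(4): the switch CAM model, the host and port numbers, the client IPs and the "address modulo number of vhids" selection are all assumptions standing in for the real implementation. The only detail taken from CARP itself is the virtual MAC layout 00:00:5e:00:01:<vhid>.

```python
"""Simulation of what a learning switch sees during CARP failover and how
arpbalance spreads ARP replies across virtual hosts.

Added example, not code from the mailing-list thread or from OpenBSD.  The
switch model, the selection hash, and the host/port/IP values below are
assumptions made for illustration only.
"""

import ipaddress


def carp_vmac(vhid):
    """CARP virtual MAC for a vhid: 00:00:5e:00:01:<vhid>."""
    return "00:00:5e:00:01:%02x" % vhid


class LearningSwitch:
    """Minimal CAM table: the source MAC of any frame is (re)learned on the
    ingress port, so a MAC that shows up on a new port simply moves."""

    def __init__(self):
        self.cam = {}

    def learn(self, src_mac, port):
        self.cam[src_mac] = port

    def forward_port(self, dst_mac):
        # None means the switch has no entry and would flood the frame.
        return self.cam.get(dst_mac)


class CarpHost:
    """A firewall attached to one switch port, master of zero or more vhids."""

    def __init__(self, name, port, vhids=()):
        self.name = name
        self.port = port
        self.master_of = set(vhids)
        self.alive = True

    def gratuitous_arp(self, switch):
        # On becoming master the host announces each virtual MAC it owns
        # from its own port; the switch learns the MAC there.
        for vhid in self.master_of:
            switch.learn(carp_vmac(vhid), self.port)


def fail_over(failed, survivor, switch):
    """Assumed failover: the survivor becomes master of everything the failed
    host owned and immediately announces it with gratuitous ARP."""
    failed.alive = False
    survivor.master_of |= failed.master_of
    failed.master_of = set()
    survivor.gratuitous_arp(switch)


def select_vhid(sender_ip, vhids):
    """arpbalance-style choice: the ARP sender's IP decides which virtual
    host answers.  Address modulo vhid count is an ASSUMED stand-in for the
    real hash; the point is only that it is deterministic per sender."""
    ordered = sorted(vhids)
    return ordered[int(ipaddress.ip_address(sender_ip)) % len(ordered)]


def arp_reply(sender_ip, hosts, vhids):
    """Return (name of answering host, MAC in its reply), or None if no live
    host is master of the selected virtual host."""
    chosen = select_vhid(sender_ip, vhids)
    for host in hosts:
        if host.alive and chosen in host.master_of:
            return host.name, carp_vmac(chosen)
    return None


def demo():
    """Constructed scenario: fw1 masters vhid 1 on port 1, fw2 masters vhid 2
    on port 2 (arpbalance layout).  Returns the CAM table and ARP answers
    before and after fw2 fails."""
    sw = LearningSwitch()
    fw1 = CarpHost("fw1", port=1, vhids=[1])
    fw2 = CarpHost("fw2", port=2, vhids=[2])
    hosts, vhids = [fw1, fw2], {1, 2}
    for h in hosts:
        h.gratuitous_arp(sw)
    before = {
        "cam": dict(sw.cam),
        "client20": arp_reply("192.168.1.20", hosts, vhids),
        "client21": arp_reply("192.168.1.21", hosts, vhids),
    }
    fail_over(fw2, fw1, sw)
    after = {
        "cam": dict(sw.cam),
        "client20": arp_reply("192.168.1.20", hosts, vhids),
        "client21": arp_reply("192.168.1.21", hosts, vhids),
    }
    return before, after
```

Running `demo()` shows both points from the thread: each virtual MAC sits on exactly one port at a time, the two clients are handed different MACs while both firewalls are up, and after fw2 fails the switch's only change is that 00:00:5e:00:01:02 now points at fw1's port, exactly as if the cable had been moved.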
