On Sep 29, 2005, at 4:26 PM, Charles Sprickman wrote:
Hi,
This is somewhat off-topic, but the question has really been
nagging me ever since someone brought it up at NYCBSDCon
(http://www.nycbsdcon.org/index.php?NAV=Speakers) after Jason Dixon's CARP
demo. The demo was really cool, BTW - failover with IPSEC.
Between Jason's demo and my being laid off and thus having more time
on my hands, I built a lab to test/build a nice HA firewall. I'm
happy to report that (a) it really does work, (b) it is easy to do,
(c) best of all I didn't have to waste a real public IP on either of
the external-facing NICs. Instead they each have private
(172.16.x.x) addresses while the IP of the CARP interface associated
with those NICs is public and routable. I have a pretty diagram if
anyone wants to see it. Email me.
The question that was posed was along the lines of "how does a
standard ethernet switch handle carp?". The questioner wasn't too
clear and I'm not sure Jason really knew exactly what the guy was
asking. So I'll ask it here in the hopes of understanding how this
works.
You have two OpenBSD boxes plugged into a switch, and the OBSD
boxes are running PF/CARP. Each one has a "real" IP and MAC
address, and there is a "virtual" IP and MAC that your hosts
plugged into the same switch use as their gateway. Basic failover
config.
Now during normal operation with both boxes up, how does the switch
deal with seeing the same "virtual" MAC address on two ports? My
simple understanding of a dumb switch is that it builds a list of
what MAC addresses are on what ports and uses that list to
determine which ports to forward traffic to. The design seems to
assume that one MAC address can only exist on one port at a time,
correct? How does this jibe with CARP's "virtual" IP and MAC?
Same question for HSRP or VRRP really.
Am I missing something? Does only one box use the "virtual" MAC
address until failover?
Assuming you're not using net.inet.carp.arpbalance (i.e., Jason's demo
was not), then only the master carp interface will respond to ARP
requests. When the other carp interface becomes master, it will
respond to ARP requests. Thus no confusion for the switch.
I can't comment on the arp balance and having multiple MAC addresses
on a switch port. Probably more a question for the switch vendor(s).
-Chad
Sorry for posting something so basic, I'm just now getting my feet
wet in the more interesting pf features. I generally have been
using ipf on FBSD as a simple host firewall, so I'm not up to speed
on the neat stuff.
Thanks,
Charles
___
Charles Sprickman
NetEng/SysAdmin
Bway.net - New York's Best Internet - www.bway.net
[EMAIL PROTECTED] - 212.655.9344
_\|/_
(o o)
----------------------------------------oOO-(_)-OOo------
Chad M Stewart, GCIH Phone: 585 202 6643
[EMAIL PROTECTED] http://balius.com/ Balius Inc.
Unix is very simple, but it takes a genius to
understand the simplicity. (Dennis Ritchie)
---------------------------------------------------------
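The mechanism Chad describes above, as an added illustration that is not part of either mail: a toy model of a learning switch with two CARP boxes and one host behind them. The model assumes what CARP does on the wire without arpbalance: only the master sources frames with the virtual MAC 00:00:5e:00:01:<vhid> (its advertisements to 224.0.0.18 and its ARP replies for the virtual IP), the backup stays silent on that address, and on takeover the new master sends a gratuitous ARP. So the switch's MAC table only ever holds the virtual MAC on one port at a time, and the entry simply moves when the master changes. The MAC addresses, the TEST-NET virtual IP, the timeout of three missed advertisements and the class names are all constructed for the example; the firewalls' own real MACs would also be learned on their ports from their own traffic, which is left out here, and arpbalance is not modelled.

```python
"""Toy model of a learning switch in front of two CARP firewalls (constructed example)."""
from collections import deque

VHID = 1
VMAC = f"00:00:5e:00:01:{VHID:02x}"     # CARP/VRRP virtual MAC for VHID 1
VIP = "203.0.113.1"                      # virtual (carp) IP, constructed TEST-NET-3 address
CARP_MCAST = "01:00:5e:00:00:12"         # Ethernet multicast for 224.0.0.18 (CARP/VRRP)
BCAST = "ff:ff:ff:ff:ff:ff"
DEAD_AFTER = 3                           # advertisements missed before a backup takes over


class Frame:
    def __init__(self, src, dst, kind, arg=None):
        self.src, self.dst, self.kind, self.arg = src, dst, kind, arg


class LearningSwitch:
    """Dumb switch: one port per source MAC, the most recent frame wins."""

    def __init__(self):
        self.table = {}                  # mac -> port
        self.devices = {}                # port -> attached device
        self.queue = deque()

    def attach(self, port, device):
        self.devices[port] = device
        device.port, device.lan = port, self

    def send(self, port, frame):
        self.queue.append((port, frame))

    def run(self):
        # Deliver queued frames until the LAN is quiet, learning every source MAC.
        while self.queue:
            in_port, frame = self.queue.popleft()
            self.table[frame.src] = in_port
            if frame.dst in self.table:
                outs = [self.table[frame.dst]]
            else:                        # unknown unicast, broadcast or multicast: flood
                outs = [p for p in self.devices if p != in_port]
            for p in outs:
                self.devices[p].receive(frame)


class CarpNode:
    def __init__(self, real_mac, state):
        self.real_mac, self.state, self.missed, self.up = real_mac, state, 0, True

    def advertise(self):
        # Only the master advertises, and the advertisement carries the virtual MAC.
        self.lan.send(self.port, Frame(VMAC, CARP_MCAST, "carp_adv"))

    def tick(self):
        if not self.up:
            return
        if self.state == "MASTER":
            self.advertise()
        else:
            self.missed += 1
            if self.missed >= DEAD_AFTER:    # master is gone: take over
                self.state = "MASTER"
                self.lan.send(self.port, Frame(VMAC, BCAST, "arp_reply", VIP))  # gratuitous ARP
                self.advertise()

    def receive(self, frame):
        if not self.up:
            return
        if frame.kind == "carp_adv" and self.state == "BACKUP":
            self.missed = 0
        elif frame.kind == "arp_request" and frame.arg == VIP and self.state == "MASTER":
            self.lan.send(self.port, Frame(VMAC, frame.src, "arp_reply", VIP))


class Host:
    def __init__(self, mac):
        self.mac, self.arp_replies = mac, []  # replies seen, as (src, dst) pairs

    def resolve_gateway(self):
        self.lan.send(self.port, Frame(self.mac, BCAST, "arp_request", VIP))

    def receive(self, frame):
        if frame.kind == "arp_reply":
            self.arp_replies.append((frame.src, frame.dst))


def simulate():
    """Run master/backup, then kill the master; return what the switch and host saw."""
    sw = LearningSwitch()
    fw1 = CarpNode("00:0d:b9:00:00:01", "MASTER")    # constructed real MACs
    fw2 = CarpNode("00:0d:b9:00:00:02", "BACKUP")
    host = Host("00:50:56:00:00:99")
    sw.attach(1, fw1), sw.attach(2, fw2), sw.attach(3, host)
    result = {}
    for _ in range(3):                   # steady state: fw1 advertises, fw2 listens
        fw1.tick(), fw2.tick(), sw.run()
    host.resolve_gateway(), sw.run()
    result["vmac_port_before"] = sw.table[VMAC]
    result["arp_replies_before"] = list(host.arp_replies)
    fw1.up = False                       # master dies; backup notices after DEAD_AFTER ticks
    for _ in range(DEAD_AFTER):
        fw1.tick(), fw2.tick(), sw.run()
    result["vmac_port_after"] = sw.table[VMAC]
    host.resolve_gateway(), sw.run()
    result["solicited_after"] = sum(1 for _, dst in host.arp_replies if dst == host.mac)
    return result


if __name__ == "__main__":
    print(simulate())
```

Before the failure the table maps VMAC to port 1 and the host's ARP request is answered only from there; after three missed advertisements fw2 takes over, its gratuitous ARP relearns VMAC onto port 2, and the host's second request is answered from port 2. The backup never put the virtual MAC on the wire, so the switch never had to hold it on two ports.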