Re: CARP multicast and ADSL bridge

2008-10-13 Thread Henning Brauer
* Brian [EMAIL PROTECTED] [2008-10-10 05:58]:
> The problems are that the multicast CARP packets are getting forwarded over
> the bridge

with carp and worse so with vrrp/hsrp/younameit and (r)stp, you really
really want to make sure only trusted parties see the announcements.
carp now allows a carppeer to be specified which at least means no
multicast; it should be good enough in most situations.

i have a small writeup about the problems and solutions at
http://bulabula.org/carp-and-stp-meet-switch-security.html

-- 
Henning Brauer, [EMAIL PROTECTED], [EMAIL PROTECTED]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting - Hamburg & Amsterdam



Re: CARP multicast and ADSL bridge

2008-10-10 Thread Uwe Werler
Am Thu, 09 Oct 2008 19:45:01 -0700
schrieb Brian [EMAIL PROTECTED]:

> Hello,
>
> After much reading of man pages, FAQs and googling, I have come up
> against a dead end. I have a dual redundant CARP setup on 2 sparc64
> boxes running 4.3, with an Ovislink OV303 ADSL bridge for internet
> connectivity. All ports are connected to the bridge with a procurve
> 1800-24g semi-intelligent switch.
> The problems are that the multicast CARP packets are getting
> forwarded over the bridge and running up my very limited bandwidth
> cap (which, of course, is no one's problem but my own) and more
> importantly is causing my ADSL connection to be dropped every 10-15
> minutes. The tech at the ISP diagnosed the problem, and I wouldn't
> have believed it if I hadn't verified the behaviour myself. As soon
> as I disable CARP on the external interface and the CARP announce
> packets stop, the connection stays up for days. With CARP running, I
> would sometimes be down for hours, with the ADSL connection going up
> for a second, and dropping right away. I tried to do multicast
> filtering on the ADSL port, but my switch isn't intelligent enough,
> and the ADSL device won't filter in bridge mode. The only thing I
> could think to do is to put the 2 CARP ports on a separate VLAN and
> route the CARP multicast packets through that, but my attempts to use
> pf to rdr the multicast packets to a separate vlan0 interface have
> not been successful. Is there a magical way to resolve my situation
> without buying a more expensive switch? I thought it would be worth
> asking before shutting up and hacking together a possibly stupid VLAN
> tagging solution in ip_carp. Thanks for your patience.
>
> -Brian Marshall


Hi Brian,

did you try to avoid multicast by setting up the carppeers directly?

See man ifconfig:

 carppeer peer_address
         If the driver is a carp(4) pseudo-device, send the carp
         advertisements to a specified point-to-point peer or multicast
         group instead of sending the messages to the default carp
         multicast group.  The peer_address is the IP address of the
         other host taking part in the carp cluster.  With this option,
         carp(4) traffic can be protected using ipsec(4) and it may be
         desired in networks that do not allow or have problems with
         IPv4 multicast traffic.

Regards Uwe




Re: CARP multicast and ADSL bridge

2008-10-10 Thread Stuart Henderson
On 2008-10-10, Brian [EMAIL PROTECTED] wrote:
> Hello,
>
> After much reading of man pages, FAQs and googling, I have come up
> against a dead end. I have a dual redundant CARP setup on 2 sparc64
> boxes running 4.3, with an Ovislink OV303 ADSL bridge for internet
> connectivity. All ports are connected to the bridge with a procurve
> 1800-24g semi-intelligent switch.
> The problems are that the multicast CARP packets are getting forwarded
> over the bridge and running up my very limited bandwidth cap (which, of
> course, is no one's problem but my own) and more importantly is causing
> my ADSL connection to be dropped every 10-15 minutes. The tech at the
> ISP diagnosed the problem, and I wouldn't have believed it if I hadn't
> verified the behaviour myself. As soon as I disable CARP on the external
> interface and the CARP announce packets stop, the connection stays up
> for days. With CARP running, I would sometimes be down for hours, with
> the ADSL connection going up for a second, and dropping right away. I
> tried to do multicast filtering on the ADSL port, but my switch isn't
> intelligent enough, and the ADSL device won't filter in bridge mode. The
> only thing I could think to do is to put the 2 CARP ports on a separate
> VLAN and route the CARP multicast packets through that, but my attempts
> to use pf to rdr the multicast packets to a separate vlan0 interface
> have not been successful.
> Is there a magical way to resolve my situation without buying a more
> expensive switch? I thought it would be worth asking before shutting up
> and hacking together a possibly stupid VLAN tagging solution in ip_carp.
> Thanks for your patience.
>
> -Brian Marshall



Maybe you can do something with carppeer. It's described
in ifconfig(8). If it works, please share your final config
with the list :)



Re: CARP multicast and ADSL bridge

2008-10-10 Thread Brian

Thank you all for the kind advice.
Carppeer is exactly what I need. I'll implement it as soon as I have an 
opportunity to upgrade to 4.4, since it doesn't seem to be in 4.3. I'll 
post config once I verify that I have it set up properly.


   -Brian Marshall
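The carppeer setup the thread converges on, written out as an added example (this is not the config Brian promised to post, nor anything from the list): each host keeps its own address on the ADSL-facing interface, advertisements go unicast to the other host instead of to the 224.0.0.18 group, and pf accepts advertisements from that peer only. The interface name hme0, the 203.0.113.0/24 addresses, vhid 1 and the password are assumptions.

```conf
# --- host A: /etc/hostname.hme0  (assumed real address on the ADSL-facing NIC)
inet 203.0.113.2 255.255.255.0 NONE

# --- host A: /etc/hostname.carp0
# carppeer is host B's real address: advertisements are sent unicast to it
# instead of to 224.0.0.18, so the ADSL bridge never sees multicast CARP.
inet 203.0.113.10 255.255.255.0 203.0.113.255 vhid 1 carpdev hme0 pass EXAMPLE_SECRET carppeer 203.0.113.3 advskew 0

# --- host B: /etc/hostname.hme0
inet 203.0.113.3 255.255.255.0 NONE

# --- host B: /etc/hostname.carp0  (mirror image: peer is host A, higher advskew)
inet 203.0.113.10 255.255.255.0 203.0.113.255 vhid 1 carpdev hme0 pass EXAMPLE_SECRET carppeer 203.0.113.2 advskew 100

# --- both hosts: /etc/pf.conf fragment (set peer to the other member on host B)
ext_if = "hme0"
peer   = "203.0.113.3"

# accept advertisements from the configured peer only; anything else arriving
# on the ADSL side, multicast or unicast, is untrusted and dropped
pass  in  quick on $ext_if proto carp from $peer
block in  quick on $ext_if proto carp

# with carppeer set nothing should be sent to the group any more; block it
# anyway so a regressed carp0 config cannot flood the link again
block out quick on $ext_if proto carp to 224.0.0.18
```

After reloading, `tcpdump -ni hme0 proto carp` should show advertisements only between 203.0.113.2 and 203.0.113.3, and the counter on the `block out ... 224.0.0.18` rule in `pfctl -vsr` should stay at zero.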



CARP multicast and ADSL bridge

2008-10-09 Thread Brian

Hello,

After much reading of man pages, FAQs and googling, I have come up 
against a dead end. I have a dual redundant CARP setup on 2 sparc64 
boxes running 4.3, with an Ovislink OV303 ADSL bridge for internet 
connectivity. All ports are connected to the bridge with a procurve 
1800-24g semi-intelligent switch.
The problems are that the multicast CARP packets are getting forwarded 
over the bridge and running up my very limited bandwidth cap (which, of 
course, is no one's problem but my own) and more importantly is causing 
my ADSL connection to be dropped every 10-15 minutes. The tech at the 
ISP diagnosed the problem, and I wouldn't have believed it if I hadn't 
verified the behaviour myself. As soon as I disable CARP on the external 
interface and the CARP announce packets stop, the connection stays up 
for days. With CARP running, I would sometimes be down for hours, with 
the ADSL connection going up for a second, and dropping right away. I 
tried to do multicast filtering on the ADSL port, but my switch isn't 
intelligent enough, and the ADSL device won't filter in bridge mode. The 
only thing I could think to do is to put the 2 CARP ports on a separate 
VLAN and route the CARP multicast packets through that, but my attempts 
to use pf to rdr the multicast packets to a separate vlan0 interface 
have not been successful.
Is there a magical way to resolve my situation without buying a more 
expensive switch? I thought it would be worth asking before shutting up 
and hacking together a possibly stupid VLAN tagging solution in ip_carp.

Thanks for your patience.

   -Brian Marshall