CARP and switches


This is somewhat off-topic, but the question has really been nagging me ever since someone brought it up at NYCBSDCon (http://www.nycbsdcon.org/index.php?NAV=Speakers) after Jason Dixon's CARP demo. The demo was really cool, BTW - failover with IPSEC.

The question that was posed was along the lines of "how does a standard ethernet switch handle carp?". The questioner wasn't too clear and I'm not sure Jason really knew exactly what the guy was asking. So I'll ask it here in the hopes of understanding how this works.

You have two OpenBSD boxes plugged into a switch, and the OBSD boxes are running PF/CARP. Each one has a "real" IP and MAC address, and there is a "virtual" IP and MAC that your hosts plugged into the same switch use as their gateway. Basic failover config.

Now during normal operation with both boxes up, how does the switch deal with seeing the same "virtual" MAC address on two ports? My simple understanding of a dumb switch is that it builds a list of what MAC addresses are on what ports and uses that list to determine which ports to forward traffic to. The design seems to assume that one MAC address can only exist on one port at a time, correct? How does this jibe with CARP's "virtual" IP and MAC? Same question for HSRP or VRRP really.

Am I missing something? Does only one box use the "virtual" MAC address until failover?

Sorry for posting something so basic; I'm just now getting my feet wet in the more interesting pf features. I generally have been using ipf on FBSD as a simple host firewall, so I'm not up to speed on the neat stuff.



Charles Sprickman
Bway.net - New York's Best Internet - www.bway.net
[email protected] - 212.655.9344
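An added illustration of the switch side of the question, not part of the original post: a minimal learning-switch simulation. It assumes (as CARP behaves in practice, but stated here as an assumption of the example) that only the current master ever transmits frames with the virtual MAC as source, and that a box announces itself with a gratuitous ARP from the virtual MAC when it becomes master. All MAC addresses and port numbers below are constructed.

```python
# Added example (not from the original post): a dumb learning switch and a
# CARP master/backup pair, to show that the switch only ever sees the
# virtual MAC on one port at a time because only the master sends with it.

BROADCAST = "ff:ff:ff:ff:ff:ff"
MAC_A = "02:00:00:00:00:01"      # real MAC of firewall A on port 1 (constructed)
MAC_B = "02:00:00:00:00:02"      # real MAC of firewall B on port 2 (constructed)
MAC_HOST = "02:00:00:00:00:03"   # a client host on port 3 (constructed)
VMAC = "00:00:5e:00:01:0a"       # CARP virtual MAC for VHID 10 (constructed)


class LearningSwitch:
    """Source MAC -> ingress port, last writer wins; unknown/broadcast is flooded."""

    def __init__(self, ports):
        self.ports = list(ports)
        self.table = {}

    def forward(self, ingress, src, dst):
        """Learn src on ingress, then return the egress port(s) chosen for dst."""
        self.table[src] = ingress          # one port per MAC: relearning moves it
        if dst in self.table:
            return [self.table[dst]]
        return [p for p in self.ports if p != ingress]


def carp_scenario():
    """Normal operation with A as master, then failover to B. Returns what the
    switch learned for VMAC and where host-to-gateway frames go each time."""
    sw = LearningSwitch(ports=[1, 2, 3])
    result = {}

    # Both boxes talk with their real MACs (CARP advertisements, ssh, etc.).
    sw.forward(1, MAC_A, BROADCAST)
    sw.forward(2, MAC_B, BROADCAST)
    # Only the master (A) answers the host's ARP for the gateway IP, and it
    # replies from VMAC, so VMAC is learned on port 1 and nowhere else.
    sw.forward(1, VMAC, MAC_HOST)
    result["vmac_port_while_A_master"] = sw.table[VMAC]
    result["host_to_gateway_while_A_master"] = sw.forward(3, MAC_HOST, VMAC)

    # Failover: A stops transmitting, B becomes master and announces the
    # virtual IP with a gratuitous ARP from VMAC. The switch simply relearns.
    sw.forward(2, VMAC, BROADCAST)
    result["vmac_port_after_failover"] = sw.table[VMAC]
    result["host_to_gateway_after_failover"] = sw.forward(3, MAC_HOST, VMAC)
    return result
```

Until the new master sends that first frame from the virtual MAC, the switch keeps forwarding gateway-bound traffic to the dead box's port, which is why the gratuitous ARP on state change matters for failover time.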