This is somewhat off-topic, but the question has really been nagging me ever since someone brought it up at NYCBSDCon (http://www.nycbsdcon.org/index.php?NAV=Speakers) after Jason Dixon's CARP demo. The demo was really cool, BTW - failover with IPSEC.

Between Jason's demo and my being laid off and thus having more time on my hands, I built a lab to test/build a nice HA firewall. I'm happy to report that (a) it really does work, (b) it is easy to do, (c) best of all I didn't have to waste a real public IP on either of the external facing NICs. Instead they each have private (172.16.x.x) addresses while the IP of the CARP interface associated to those NICs is public and routable. I have a pretty diagram if anyone wants to see it. Email me.

The question that was posed was along the lines of "how does a standard ethernet switch handle carp?". The questioner wasn't too clear and I'm not sure Jason really knew exactly what the guy was asking. So I'll ask it here in the hopes of understanding how this works.

You have two OpenBSD boxes plugged into a switch, and the OBSD boxes are running PF/CARP. Each one has a "real" IP and MAC address, and there is a "virtual" IP and MAC that your hosts plugged into the same switch use as their gateway. Basic failover config.

Now during normal operation with both boxes up, how does the switch deal with seeing the same "virtual" MAC address on two ports? My simple understanding of a dumb switch is that it builds a list of what MAC addresses are on what ports and uses that list to determine which ports to forward traffic to. The design seems to assume that one MAC address can only exist on one port at a time, correct? How does this jibe with CARP's "virtual" IP and MAC? Same question for HSRP or VRRP really.

Am I missing something? Does only one box use the "virtual" MAC address until failover?

Assuming you're not using net.inet.carp.arpbalance (i.e. Jason's demo was not), then only the master carp interface will respond to ARP requests. When the other carp interface becomes master, then it will respond to ARP requests. Thus no confusion for the switch.

I can't comment on the arp balance and having multiple MAC addresses on a switch port. Probably more a question for the switch vendor(s).
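As an added illustration of the answer above (not code from the thread or from OpenBSD): a toy learning switch with two CARP nodes on ports 1 and 2 and a LAN host on port 3, showing that the virtual MAC only ever appears in the switch's table on the current master's port, and moves when the new master starts advertising. Node names, real MACs and the port numbers are constructed; the vhid-1 virtual MAC and the 224.0.0.18 multicast address are the real CARP values.

```python
# Constructed model of the situation in the thread: a dumb learning switch,
# two CARP nodes (hypothetical fw1/fw2) and one host. Not real OpenBSD code.
CARP_VMAC = "00:00:5e:00:01:01"    # CARP virtual MAC for vhid 1
CARP_MCAST = "01:00:5e:00:00:12"   # Ethernet multicast for 224.0.0.18 (CARP adverts)

class LearningSwitch:
    """Learns source MAC -> ingress port; last frame seen wins; unknown dst floods."""
    def __init__(self):
        self.table = {}

    def receive(self, port, src, dst):
        self.table[src] = port                 # one port per MAC, overwritten on move
        return self.table.get(dst, "flood")    # where the frame is forwarded

class CarpNode:
    def __init__(self, name, real_mac, port, master=False):
        self.name, self.real_mac, self.port, self.master = name, real_mac, port, master

    def advertise(self, switch):
        """Only the master transmits adverts, sourced from the virtual MAC."""
        if not self.master:
            return None                        # backup only listens
        return switch.receive(self.port, CARP_VMAC, CARP_MCAST)

    def answer_arp(self, switch, requester_mac):
        """Without net.inet.carp.arpbalance only the master answers ARP."""
        if not self.master:
            return None
        return switch.receive(self.port, CARP_VMAC, requester_mac)

def failover(old, new, switch):
    old.master, new.master = False, True
    new.advertise(switch)      # first advert from the new master moves the vMAC entry

def run_scenario():
    """Returns (port used for gateway traffic before failover, after, MAC table)."""
    sw = LearningSwitch()
    fw1 = CarpNode("fw1", "00:11:11:11:11:11", port=1, master=True)
    fw2 = CarpNode("fw2", "00:22:22:22:22:22", port=2)
    host_mac = "00:33:33:33:33:33"
    for node in (fw1, fw2):
        node.advertise(sw)                     # fw2 sends nothing
    sw.receive(3, host_mac, "ff:ff:ff:ff:ff:ff")   # host ARPs for its gateway
    fw1.answer_arp(sw, host_mac)
    fw2.answer_arp(sw, host_mac)               # silent: backup never answers
    before = sw.receive(3, host_mac, CARP_VMAC)    # host -> gateway data frame
    failover(fw1, fw2, sw)
    after = sw.receive(3, host_mac, CARP_VMAC)
    return before, after, dict(sw.table)
```

The switch never sees the virtual MAC on two ports at once; it simply re-learns it on the new master's port the moment that node starts sending.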

Sorry for posting something so basic, I'm just now getting my feet wet in the more interesting pf features. I generally have been using ipf on FBSD as a simple host firewall, so I'm not up to speed on the neat stuff.
