> On 8/05/2014, at 11:09 pm, Henning Brauer <hb-nanog@bsws.de> wrote:
> > * Nick Hilliard <nick@foobar.org> [2014-05-08 13:03]:
> > > On 08/05/2014 11:25, Henning Brauer wrote:
> > > > you shouldn't see issues but log spam.
> > > maybe you misunderstand the problem. If you have vrrp and carp on the same vlan, using the same vrrp group ID as VHID, then each virtual IP will arp for the same mac address on that vlan.
> > correct.
> > > This messes up the switch's forwarding table for that particular vlan because it sees multiple entries from different ports for the same mac address.
> > correct.
> > my switches seem to deal with that, whether they have special handling for that mac addr range or not i dunno.
> What make and model switches? I am sure someone here can easily verify their behaviour and if they have some baked in pixie dust to handle this. But a pure l2 switch should not be able to mask the issue given all it has to go on is MAC, so you would either see excessive flooding of a unicast MAC, or black holing of VRRP or CARP. Neither of which are desirable, and given that the flooding would lead to serious security issues, it worries me from such a security focused community as the OpenBSD community professes to be.

again, stress the fact that afair we have gotten zero reports about that "issue" for 10 years. it obviously means that either 1) a vast majority of switches deal with it just fine, or 2) people know that vhids shouldn't clash and avoid that.

--
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
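The collision the thread describes comes from both protocols deriving the virtual MAC from the group number: VRRP (RFC 5798) uses 00:00:5e:00:01:{VRID} for IPv4 and 00:00:5e:00:02:{VRID} for IPv6, and OpenBSD carp(4) uses 00:00:5e:00:01:{VHID}. The following audit script is an added example by the editor, not code from the thread or from OpenBSD; it checks a configuration inventory for VRRP/CARP instances on the same VLAN that would share a MAC, and maps a MAC seen in a switch "flapping" log line back to the offending group ID. The inventory and the log line are constructed sample data (the log format is modelled on a typical Catalyst MACFLAP message and is an assumption, not a quote from any poster's switch).

```python
# Added example (editor's own, not from the thread): detect VRRP/CARP
# virtual-MAC collisions on a VLAN and map MAC-flap log lines back to a VRID/VHID.
import re
from collections import defaultdict
from dataclasses import dataclass

# Virtual MAC prefixes per protocol and address family.
# VRRP: RFC 5798 section 7.3. CARP: OpenBSD carp(4) reuses the VRRP IPv4 block.
VMAC_PREFIX = {
    ("vrrp", 4): "00:00:5e:00:01",
    ("vrrp", 6): "00:00:5e:00:02",
    ("carp", 4): "00:00:5e:00:01",
    ("carp", 6): "00:00:5e:00:01",
}


@dataclass(frozen=True)
class VirtualRouter:
    """One VRRP group or CARP interface (not one host: master and backups share it)."""
    name: str       # operator-chosen label, e.g. "edge-gw"
    proto: str      # "vrrp" or "carp"
    group_id: int   # VRRP VRID or CARP VHID, 1..255
    vlan: int
    family: int = 4


def virtual_mac(proto: str, group_id: int, family: int = 4) -> str:
    """Return the virtual MAC that a given VRRP VRID / CARP VHID will ARP for."""
    if not 1 <= group_id <= 255:
        raise ValueError(f"group id {group_id} out of range 1..255")
    return f"{VMAC_PREFIX[(proto, family)]}:{group_id:02x}"


def find_collisions(routers):
    """Group instances by (vlan, virtual MAC); any bucket with >1 instance is a
    collision: the switch will learn the same source MAC on different ports."""
    buckets = defaultdict(list)
    for r in routers:
        buckets[(r.vlan, virtual_mac(r.proto, r.group_id, r.family))].append(r)
    return {key: insts for key, insts in buckets.items() if len(insts) > 1}


def group_from_mac(mac: str):
    """Map a MAC in any common notation (aa:bb:..., aabb.ccdd.eeff, aa-bb-...)
    to (family, group_id) if it falls in the VRRP/CARP virtual block, else None."""
    digits = re.sub(r"[^0-9a-f]", "", mac.lower())
    if len(digits) != 12:
        return None
    if digits.startswith("00005e0001"):
        return (4, int(digits[10:], 16))
    if digits.startswith("00005e0002"):
        return (6, int(digits[10:], 16))
    return None


# Constructed log line, modelled on a Catalyst MAC-flap notification (assumption).
MACFLAP_RE = re.compile(
    r"Host (?P<mac>\S+) in vlan (?P<vlan>\d+) is flapping between port "
    r"(?P<p1>\S+) and port (?P<p2>\S+)"
)


def parse_flap_logs(text: str):
    """Return flapping events whose MAC is a VRRP/CARP virtual address."""
    events = []
    for m in MACFLAP_RE.finditer(text):
        hit = group_from_mac(m.group("mac"))
        if hit is None:
            continue          # ordinary host MAC flapping; not a VHID clash
        family, gid = hit
        events.append({"vlan": int(m.group("vlan")), "mac": m.group("mac"),
                       "family": family, "group_id": gid,
                       "ports": (m.group("p1"), m.group("p2"))})
    return events


# Constructed inventory: VRRP group 1 and CARP vhid 1 share VLAN 10 -> collision.
SAMPLE_ROUTERS = [
    VirtualRouter("edge-gw", "vrrp", 1, vlan=10),
    VirtualRouter("fw-pair", "carp", 1, vlan=10),
    VirtualRouter("fw-pair-dmz", "carp", 1, vlan=20),   # same vhid, other VLAN: fine
    VirtualRouter("core-gw", "vrrp", 2, vlan=10),
]

# Constructed log excerpt (not a real capture).
SAMPLE_LOG = (
    "%SW_MATM-4-MACFLAP_NOTIF: Host 0000.5e00.0101 in vlan 10 is flapping "
    "between port Gi1/0/1 and port Gi1/0/7\n"
    "%SW_MATM-4-MACFLAP_NOTIF: Host 0011.2233.4455 in vlan 10 is flapping "
    "between port Gi1/0/3 and port Gi1/0/4\n"
)

if __name__ == "__main__":
    for (vlan, mac), insts in find_collisions(SAMPLE_ROUTERS).items():
        names = ", ".join(f"{r.proto}/{r.group_id} ({r.name})" for r in insts)
        print(f"VLAN {vlan}: {mac} claimed by {names}")
    for ev in parse_flap_logs(SAMPLE_LOG):
        print(f"VLAN {ev['vlan']}: VRID/VHID {ev['group_id']} flapping on {ev['ports']}")
```

Run the audit against the inventory before enabling a new CARP interface or VRRP group on a shared VLAN; the second function is the check to run over switch logs when the thread's symptom (forwarding-table churn for a 00:00:5e:00:01:xx address) is suspected, since a VHID clash and a plain L2 loop both show up as flapping but only the former lands in that MAC block.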