managed switches and carp

managed switches and carp

Christopher Vance-2
I've been asked to work on a system which (simplified) looks something like

           fw1          vlans
          / | \  mgd   /
isp--hub-+  |  switches--vlans
          \ | /        \
           fw2          vlans

Traffic to the right of the switches is untagged, with mostly one port
per vlan.  The switches add vlan tags on traffic going L<-R and remove
them on traffic L->R.

There are over 100 vlans, and 7x 26-port switches in a loop running
STP, with the two fw* attached to adjacent switches in the loop.

Traffic between the fw* and switches is all tagged to indicate the
relevant vlans.

Each vlan has a matching carp shared between fw*, which is the only
route outbound for that vlan.

So each fw has

em0 external, to hub & isp
em1 internal, goes to switch 10.1.1.X /24
sis0 pfsync 10.1.0.X /24
vlanN over em1 10.1.N.2 or 3 /24
carpN over vlanN 10.1.N.1 /32

My issue is that the managed switches we currently use (chosen before
I arrived...) suppress traffic from 'duplicate' MAC addresses, clamped
for a minimum of 300s.  Both fw* think they're master.

Which managed switch brands behave right with carp, allowing traffic from
carp source addresses on multiple ports without duplicate suppression?

I don't care if the switch recognizes carp addresses as special, or if
it lets me label particular ports to allow duplicates, or whatever.

Or do I just need to introduce a new single point of failure to get this:

           fw1                  vlans
          / | \ unmgd    mgd   /
isp--hub-+  |  switch--switches--vlans
          \ | /                \
           fw2                  vlans

which at least lets fw* agree who's master...

:-(

--
Christopher Vance
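A split-brain check for the symptom described above (both fw* believing they are master), added here as an example and not part of the original thread. It parses OpenBSD-style `ifconfig carp` output captured from both firewalls (constructed samples; hostnames fw1/fw2 and vhid = vlan number are assumptions) and reports every vhid with more than one MASTER, together with the CARP virtual MAC that should appear on exactly one port per vlan in the switch's MAC table.

```python
import re
from collections import defaultdict

# Constructed samples in the style of OpenBSD `ifconfig carpN` output, one
# capture per firewall (hostnames fw1/fw2 are assumed, not from the post).
FW1_IFCONFIG = """\
carp5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan5 vhid 5 advbase 1 advskew 0
        inet 10.1.5.1 netmask 0xffffffff
carp6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan6 vhid 6 advbase 1 advskew 0
        inet 10.1.6.1 netmask 0xffffffff
"""
FW2_IFCONFIG = """\
carp5: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev vlan5 vhid 5 advbase 1 advskew 100
        inet 10.1.5.1 netmask 0xffffffff
carp6: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev vlan6 vhid 6 advbase 1 advskew 100
        inet 10.1.6.1 netmask 0xffffffff
"""

CARP_LINE = re.compile(r"^\s*carp:\s+(\w+)\s+carpdev\s+(\S+)\s+vhid\s+(\d+)")

def parse_carp_state(text):
    """Return {vhid: (state, carpdev)} from one host's ifconfig output."""
    states = {}
    for line in text.splitlines():
        m = CARP_LINE.match(line)
        if m:
            states[int(m.group(3))] = (m.group(1), m.group(2))
    return states

def carp_vmac(vhid):
    """CARP sources frames from the VRRP virtual MAC range 00:00:5e:00:01:<vhid>."""
    return "00:00:5e:00:01:%02x" % vhid

def find_split_brain(captures):
    """captures: {host: ifconfig_text}. Return {vhid: {'hosts': [...], 'vmac': ...}}
    for every vhid that more than one host reports as MASTER."""
    masters = defaultdict(list)
    for host, text in captures.items():
        for vhid, (state, _carpdev) in parse_carp_state(text).items():
            if state == "MASTER":
                masters[vhid].append(host)
    return {v: {"hosts": sorted(h), "vmac": carp_vmac(v)}
            for v, h in masters.items() if len(h) > 1}

if __name__ == "__main__":
    for vhid, info in sorted(find_split_brain({"fw1": FW1_IFCONFIG, "fw2": FW2_IFCONFIG}).items()):
        print("vhid %d: MASTER on %s; look for %s in the switch MAC table"
              % (vhid, ", ".join(info["hosts"]), info["vmac"]))
```

With the samples above only vhid 5 is reported; a switch that suppresses the shared virtual MAC on one port would show exactly this pattern across every affected vlan.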

Re: managed switches and carp

tony sarendal
> My issue is that the managed switches we currently use (chosen before
> I arrived...) suppress traffic from 'duplicate' MAC addresses, clamped
> for a minimum of 300s.  Both fw* think they're master.
>
> Which managed switch brands behave right with carp, allowing traffic from
> carp source addresses on multiple ports without duplicate suppression?

"Duplicate suppression" makes the lack of per-vlan mac-address tables
sound like a feature.

Get switches with per-vlan mac-address tables, even old cisco 3500 has this.

/Tony

--
Tony Sarendal - [hidden email]
IP/Unix
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-

Re: managed switches and carp

Christopher Vance-2
On Thu, Dec 01, 2005 at 08:08:27AM +0000, tony sarendal wrote:
>> Which managed switch brands behave right with carp, allowing traffic from
>> carp source addresses on multiple ports without duplicate suppression?
>
>"duplicate suppression", makes the lack of per-vlan mac-address tables
>sound like a feature.
>
>Get switches with per-vlan mac-address tables, even old cisco 3500 has this.

Both firewalls are on all vlans, and I want both firewalls to be able
to use the same source MAC address (a separate address per vlan, but
shared by both firewalls) and see each other's carp multicasts.

Even with per-vlan tables, I need CARP source addresses to be an
exception (although Cisco will think they are V*RP).

--
Christopher Vance

Re: managed switches and carp

tony sarendal
On 01/12/05, Christopher Vance <[hidden email]> wrote:

> On Thu, Dec 01, 2005 at 08:08:27AM +0000, tony sarendal wrote:
> >> Which managed switch brands behave right with carp, allowing traffic from
> >> carp source addresses on multiple ports without duplicate suppression?
> >
> >"duplicate suppression", makes the lack of per-vlan mac-address tables
> >sound like a feature.
> >
> >Get switches with per-vlan mac-address tables, even old cisco 3500 has this.
>
> Both firewalls are on all vlans, and I want both firewalls to be able
> use the same source MAC address (a separate address per vlan, but
> shared by both firewalls) and see each other's carp multicasts.
>
> Even with per-vlan tables, I need CARP source addresses to be an
> exception (although Cisco will think they are V*RP).
>

I use carp, hsrp, routers with same mac-address on all vlan interfaces,
cases where the same mac-address goes different ways in the network
depending on which vlan it is on.

Even on old 3500 it works.

/Tony

--
Tony Sarendal - [hidden email]
IP/Unix
       -= The scorpion replied,
               "I couldn't help it, it's my nature" =-

Re: managed switches and carp

Henning Brauer
* Christopher Vance <[hidden email]> [2005-12-01 06:50]:
> My issue is that the managed switches we currently use (chosen before
> I arrived...) suppress traffic from 'duplicate' MAC addresses, clamped
> for a minimum of 300s.  Both fw* think they're master.

wow. what fucked up equipment is that? tell us so we can avoid it :)

> Which managed switch brands behave right with carp, allowing traffic from
> carp source addresses on multiple ports without duplicate suppression?

I am using pretty much the setup you describe with extreme summits
without problems. there's even a few older cisco crappies in the mix.

--
BS Web Services, http://www.bsws.de/
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)

Re: managed switches and carp

Christopher Vance-2
On Thu, Dec 01, 2005 at 05:53:36PM +0100, Henning Brauer wrote:
>wow. what fucked up equipment is that? tell us so we can avoid it :)

Alloy.  We call them 'Annoy'.  :-(

Anyway, we now appear to have working switches of a different brand.
Thanks, all.

--
Christopher Vance