[171654] in North American Network Operators' Group


Re: US patent 5473599

daemon@ATHENA.MIT.EDU (Geraint Jones)
Thu May 8 07:46:40 2014

X-Original-To: nanog@nanog.org
From: Geraint Jones <geraint@koding.com>
In-Reply-To: <20140508110938.GM32502@quigon.bsws.de>
Date: Thu, 8 May 2014 23:46:28 +1200
To: nanog@nanog.org
Errors-To: nanog-bounces@nanog.org

> On 8/05/2014, at 11:09 pm, Henning Brauer <hb-nanog@bsws.de> wrote:
>
> * Nick Hilliard <nick@foobar.org> [2014-05-08 13:03]:
>>> On 08/05/2014 11:25, Henning Brauer wrote:
>>> you shouldn't see issues but log spam.
>> maybe you misunderstand the problem.  If you have vrrp and carp on the same
>> vlan, using the same vrrp group ID as VHID, then each virtual IP will arp
>> for the same mac address on that vlan.
>
> correct.
>
>> This messes up the switch's forwarding table for that particular vlan
>> because it sees multiple entries from different ports for the same mac
>> address.
>
> correct.
>
> my switches seem to deal with that, whether they have special handling
> for that mac addr range or not i dunno.

What make and model switches?

I am sure someone here can easily verify their behaviour and if they have some baked in pixie dust to handle this.

But a pure l2 switch should not be able to mask the issue given all it has to go on is MAC so you would either see excessive flooding of a unicast MAC, or black holing of VRRP or CARP.

Neither of which are desirable and given that the flooding would lead to serious security issues worries me from such a security focused community as the OpenBSD community professes to be.

>
> again, stress the fact that afair we have gotten zero reports about
> that "issue" for 10 years, it obviously means that either
> 1) a vast majority of switches deal with it just fine
> 2) people know that vhids shouldn't clash and avoid that
>
> -- 
> Henning Brauer, hb@bsws.de, henning@openbsd.org
> BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, VMs/PVS, Application Hosting
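
Added example, not part of the original message: a minimal learning-table check over constructed (vlan, port, source MAC) observations that flags the condition discussed in this thread, the same 00:00:5e:00:01:XX virtual MAC being learned on different ports of one VLAN. The port names, the sample frames and the `min_moves` threshold are assumptions; a single move is treated as an ordinary failover.

```python
from collections import defaultdict

# VRRP (IPv4) virtual routers source frames from 00:00:5e:00:01:{VRID};
# per the thread, CARP with the same number as VHID uses the same address.
VIRTUAL_PREFIX = "00:00:5e:00:01:"

def virtual_mac(group_id):
    """Virtual MAC for a VRRP group ID / CARP VHID (1..255)."""
    if not 1 <= group_id <= 255:
        raise ValueError("VRID/VHID must be in 1..255")
    return f"{VIRTUAL_PREFIX}{group_id:02x}"

def find_flaps(observations, min_moves=2):
    """Replay (vlan, port, src_mac) tuples through a learning table.

    Returns {(vlan, mac): {"ports": [...], "moves": n}} for virtual MACs
    that changed port at least min_moves times. One move can be a normal
    master failover; repeated moves mean two speakers share the MAC.
    """
    table = {}                  # (vlan, mac) -> port last learned on
    moves = defaultdict(int)    # (vlan, mac) -> number of port changes
    ports = defaultdict(list)   # (vlan, mac) -> ports in order first seen
    for vlan, port, mac in observations:
        mac = mac.lower()
        if not mac.startswith(VIRTUAL_PREFIX):
            continue            # only the VRRP/CARP virtual MAC range
        key = (vlan, mac)
        if port not in ports[key]:
            ports[key].append(port)
        if key in table and table[key] != port:
            moves[key] += 1
        table[key] = port
    return {k: {"ports": ports[k], "moves": n}
            for k, n in moves.items() if n >= min_moves}

# Constructed sample: VLAN 10 has a VRRP master (VRID 5) on Gi0/1 and a
# CARP master (VHID 5) on Gi0/7, both advertising from the same MAC.
SAMPLE = [
    (10, "Gi0/1", virtual_mac(5)), (10, "Gi0/7", virtual_mac(5)),
    (10, "Gi0/1", virtual_mac(5)), (10, "Gi0/7", virtual_mac(5)),
    (20, "Gi0/2", "00:00:5E:00:01:07"), (20, "Gi0/2", "00:00:5E:00:01:07"),
    (30, "Gi0/3", virtual_mac(9)), (30, "Gi0/4", virtual_mac(9)),  # failover
    (10, "Gi0/9", "aa:bb:cc:00:00:01"),                            # ordinary host
]

if __name__ == "__main__":
    for (vlan, mac), info in find_flaps(SAMPLE).items():
        print(f"vlan {vlan}: {mac} flapping across {info['ports']} "
              f"({info['moves']} moves)")
```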
