CARP VHID question
-
Hi,
just wanted to drop a quick question about using unique VHIDs. Am I correct in assuming that VHIDs must only be unique on something like the same physical interface or the same logical VLAN?
Background: We have a new cluster setup with two WAN uplinks each (WAN1/2), SYNC, a Management Interface and a DMZ Trunk. The DMZ trunk is two 10gbps lines (an LACP LAGG interface) that carries multiple VLANs (~50). As we want to deploy dual homing addresses (IPlegacy and IPv6) that would result in around 53*2 CARP VIPs. As the number of VLANs will add up (every new customer project is getting one) the number of VHIDs won't be enough (255).
So we thought about just using VHID 4 and 6 on those project VLANs on the DMZ as those networks are completely controlled by us and no other VRRP/CARP/Multicast Setup should reside there. It was my understanding that the same VHID only causes havoc when they are discovered on the same network (like same VLAN or interface).
Is that a correct assumption and way to roll? On both WAN uplinks I have to deploy another VHID as the other side uses Juniper Switches also using VRRP so I have to check with them for not colliding. Sync doesn't need CARP. So would it be a viable alternative to run the v4 CARP with vhid4 and the v6 CARP with vhid6 on all those pesky VLANs?
Greets
Jens
-
Yes, it only has to be unique on each layer 2.
So long as the multicast traffic from CARP does not cross into the other segments, the same VHID can be used on separate interfaces.
The GUI allows this now, but it didn't always do so in the past. We loosened the restrictions at some point, though it's been too many years for me to remember when exactly. :-)
-
So long as the multicast traffic from CARP does not cross into the other segments, the same VHID can be used on separate interfaces.
What would be a possibility for that to cross into other segments?
As said, it will be 2 VIPs for each WAN (physical interfaces each) and around 2*50 VIPs for each VLAN on the Trunk Interface (a LAGG interface consisting of 2 10G NICs). So
ip4@WAN1
ip6@WAN1
ip4@WAN2
ip6@WAN2
and
ip4@VLAN10/LAGG0
ip6@VLAN10/LAGG0
ip4@VLAN11/LAGG0
ip6@VLAN11/LAGG0
…should be fine that way?
Thanks a lot,
Jens
-
As long as each interface is on a separate layer 2, it's OK. It's only if you do something questionable like connect multiple interfaces to the same flat network that would have a problem reusing VHIDs.
-
Ah I see, something like accidentally bridging VLANs together so multiple ones would have the same pf-vhid-based MAC address. Then that setup should be fine I hope. :)
-
Thinking more like someone who just plugs in multiple interfaces into the same switch without VLANs, or into multiple access ports on the same VLAN, that sort of thing is a problem for it.
If you have proper physical (separate switches) or virtual (VLAN) segment isolation then you're fine.
-
Just a quick follow-up: we did our FW exchange last night and - at least on the CARP side - things went as expected -> VHIDs seem to work and failover just fine.
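As an added example (not code from any post in this thread): a small Python checker for the rule the answers state, that a VHID only needs to be unique per layer-2 segment, with the "accidentally bridged VLANs" case modelled as well. The interface names, addresses and VHIDs are constructed to mirror the poster's layout; the virtual MAC prefix 00:00:5e:00:01 is the one CARP shares with VRRP, which is why two groups with the same VHID on one segment answer ARP/ND with the same MAC.

```python
from collections import defaultdict

CARP_VMAC_PREFIX = "00:00:5e:00:01"  # shared with VRRP; last octet is the VHID

def carp_vmac(vhid):
    """Virtual MAC a CARP group answers ARP/ND with for the given VHID."""
    if not 1 <= vhid <= 255:
        raise ValueError("VHID must be in 1..255")
    return f"{CARP_VMAC_PREFIX}:{vhid:02x}"

def find_vhid_collisions(vips, bridges=None):
    """Group VIPs by (layer-2 segment, VHID) and report VHIDs reused across
    different interfaces of one segment. `bridges` maps an interface to the
    bridge it is a member of, which is how an accidental bridge collapses two
    VLANs into a single segment. Several addresses on the SAME interface may
    share a VHID (they form one CARP group, e.g. v4 + v6), so that is not
    reported."""
    bridges = bridges or {}
    groups = defaultdict(list)
    for v in vips:
        segment = bridges.get(v["iface"], v["iface"])
        groups[(segment, v["vhid"])].append(v)
    collisions = []
    for (segment, vhid), members in sorted(groups.items()):
        if len({m["iface"] for m in members}) > 1:
            collisions.append((segment, vhid, carp_vmac(vhid),
                               [f'{m["addr"]}@{m["iface"]}' for m in members]))
    return collisions

# Constructed plan mirroring the thread: distinct VHIDs on the WAN uplinks,
# VHID 4 for v4 and VHID 6 for v6 on every DMZ VLAN of the LAGG trunk.
PLAN = [
    {"addr": "203.0.113.10/24",   "iface": "WAN1",         "vhid": 10},
    {"addr": "2001:db8:1::1/64",  "iface": "WAN1",         "vhid": 11},
    {"addr": "198.51.100.10/24",  "iface": "WAN2",         "vhid": 12},
    {"addr": "2001:db8:2::1/64",  "iface": "WAN2",         "vhid": 13},
    {"addr": "10.10.0.1/24",      "iface": "VLAN10/LAGG0", "vhid": 4},
    {"addr": "2001:db8:10::1/64", "iface": "VLAN10/LAGG0", "vhid": 6},
    {"addr": "10.11.0.1/24",      "iface": "VLAN11/LAGG0", "vhid": 4},
    {"addr": "2001:db8:11::1/64", "iface": "VLAN11/LAGG0", "vhid": 6},
]
# The "someone bridged two VLANs together" mistake described in the thread.
BRIDGED = {"VLAN10/LAGG0": "bridge0", "VLAN11/LAGG0": "bridge0"}

if __name__ == "__main__":
    print("isolated segments:", find_vhid_collisions(PLAN))        # []
    for seg, vhid, mac, who in find_vhid_collisions(PLAN, BRIDGED):
        print(f"VHID {vhid} ({mac}) collides on {seg}: {who}")
```

With the VLANs kept isolated the plan reports nothing; once two of them are bridged into one segment, VHID 4 and VHID 6 are each flagged with the shared virtual MAC that would now be claimed by two CARP groups.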