On 6/14/11 11:06 AM, Damien Fleuriot wrote:> Hello list,
>
>
>
> Here I am today, setting up CARP interfaces on our backup firewalls, and
> I'm wondering something...
>
>
> Let's take the following scenario:
>
>
> Datacenter PRIM, firewall PRIM:
> - carp13 has public IPs X and Y and is master (advskew 100)
>
> Datacenter PRIM, firewall BACK:
> - carp13 has public IPs X and Y and is backup (advskew 150)
>
>
> Datacenter BACK, firewall PRIM:
> - carp13 has public IPs X, Y, W and Z (advskew 230, down)
>
> Datacenter BACK, firewall BACK:
> - carp13 has public IPs X, Y, W and Z (advskew 250, down)
>
>
>
> If I bring up my carp13 interfaces on the backup datacenter, will they
> become master because the carp interfaces on the primary datacenter is
> lacking 2 public IPs ?
>
> That would be a problem...
>
> Has anyone faced this situation before ?
>
> Also, adding IPs W and Z on my primary datacenter is not an option at
> the moment.
Replying to myself,
I can confirm that this scenario causes problems, see below:
### ON FIREWALL 1 , carp master for carp0, carp1, carp2
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.224.254 netmask 0xffffff00
carp: MASTER vhid 224 advbase 1 advskew 50
### ON FIREWALL 2 , carp backup for carp0, carp1, carp2
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.234.254 netmask 0xffffff00
carp: BACKUP vhid 234 advbase 1 advskew 100
Now, I add a dummy IP to carp2 on FIREWALL 2, which is supposedly backup:
ifconfig carp2 inet 192.168.234.207 alias
Result:
### ON FIREWALL 1, carp master for carp0, carp1, carp2
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.224.254 netmask 0xffffff00
carp: MASTER vhid 224 advbase 1 advskew 50
### ON FIREWALL 2, carp backup for carp0, carp1, but no longer carp2
carp2: flags=49<UP,LOOPBACK,RUNNING> metric 0 mtu 1500
inet 192.168.234.254 netmask 0xffffff00
inet 192.168.234.207 netmask 0xffffff00
carp: MASTER vhid 234 advbase 1 advskew 100
After I remove the extraneous IP, the interface becomes backup again:
# This was a long time ago
carp0: MASTER -> BACKUP (more frequent advertisement received)
carp0: link state changed to DOWN
carp2: MASTER -> BACKUP (more frequent advertisement received)
carp2: link state changed to DOWN
carp1: MASTER -> BACKUP (more frequent advertisement received)
carp1: link state changed to DOWN
carp2: link state changed to DOWN
# This was when I ran my tests
carp2: INIT -> MASTER (preempting)
carp2: link state changed to UP
carp2: MASTER -> BACKUP (more frequent advertisement received)
carp2: link state changed to DOWN
This entails that hosts in a given carp vhid must have the exact same IP
addresses configured on that interface.
While this is perfectly understandable in a master-backup scenario, this
is a bit more annoying for us in a master-backup + backup-backup
scenario with 2 datacenters.
I'll just have to adapt and ensure they have the same IP addresses then.