Thanks to all who considered replying (and may already have in the meantime); issue has been fixed. I threw away the LAG configs on the switch and recreated them without an LACP flag which did it. I also set the multicast thingies back to the switch defaults.
Regards, Arjen. Arjen Van Drie wrote: > Hi List, > > I do not get carp on vlan on trunk working. Hopefully someone can point > me in the right direction. > > OS: OpenBSD 4.2 GENERIC.MP#252 i386 > > On the "External" side (here carp works) > > em0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:3c > media: Ethernet autoselect (1000baseT full-duplex) > status: active > inet 172.16.254.1 netmask 0xfffffff0 broadcast 172.16.254.15 > carp0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:00:5e:00:01:01 > carp: MASTER carpdev em0 vhid 1 advbase 1 advskew 0 > groups: carp egress > inet 172.16.128.68 netmask 0xfffffff8 broadcast 172.16.128.71 > > > Connected to the same switch as below in a seperate untagged vlan. > > > > > On the "DMZ" side, carp does not work. A short description: > > Firewall 1 is connected with two UTP cables to port 19 and 20 to a Dell > PowerConnect 6224 switch, both switchports are aggregated (LAG 1) and in > "trunk" mode (this means, in contrast to BSD, that I can add the port to > more than 1 vlan on the switch, the VLAN tag created on the firewall > tells the switch for which vlan the packet is meant). > > Firewall 2 is connected with two UTP cables to port 17 and 18 to the > same Dell PowerConnect 6224 switch, both switchports are aggregated (LAG > 2) and are in "trunk" mode. > > Since CARP advertising is multicast (to 224.0.0.18), I also played with > some multicast settings on the switch to no succes (on request I'll > write some more details about this). > > When the switchports are in Dell's Trunk mode, both carp1 interfaces > have status BACKUP. When I turn off the Trunk mode they both go to MASTER. > > I can ping the vlan3 IP addresses from both hosts. tcpdump also shows me > carp advertisement packets, but I don't think they arrive at the > destination (dunno really how to read those). The working carp setup on > the External side also show RSTP packets; I don't see them on the DMZ side. > > > tcpdump output firewall 1: > > 13:09:28.799534 carp 172.16.254.17 > 224.0.0.18: CARPv2-advertise 36: > vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 9482, > len 56) > 13:09:29.809570 carp 172.16.254.17 > 224.0.0.18: CARPv2-advertise 36: > vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 23484, > len 56) > 13:09:30.819610 carp 172.16.254.17 > 224.0.0.18: CARPv2-advertise 36: > vhid=2 advbase=1 advskew=0 demote=0 (DF) [tos 0x10] (ttl 255, id 1633, > len 56) > etc > > > > tcpdump output firewall 2: > > 13:09:18.833188 carp 172.16.254.18 > 224.0.0.18: CARPv2-advertise 36: > vhid=2 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id > 56314, len 56) > 13:09:20.243270 carp 172.16.254.18 > 224.0.0.18: CARPv2-advertise 36: > vhid=2 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id > 37625, len 56) > 13:09:21.653351 carp 172.16.254.18 > 224.0.0.18: CARPv2-advertise 36: > vhid=2 advbase=1 advskew=100 demote=0 (DF) [tos 0x10] (ttl 255, id > 36905, len 56) > etc > > > This is my config for the "DMZ" side where I would like to use vlans: > > Firewall 1 > em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:3d > trunk: trunkdev trunk0 > media: Ethernet autoselect (1000baseT full-duplex) > status: active > inet6 fe80::215:17ff:fe25:ba3d%em1 prefixlen 64 scopeid 0x2 > em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:3d > trunk: trunkdev trunk0 > media: Ethernet autoselect (1000baseT full-duplex) > status: active > inet6 fe80::215:17ff:fe25:b868%em2 prefixlen 64 scopeid 0x3 > trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:3d > trunk: trunkproto loadbalance > trunkport em2 active > trunkport em1 master,active > groups: trunk > media: Ethernet autoselect > status: active > inet6 fe80::215:17ff:fe25:ba3d%trunk0 prefixlen 64 scopeid 0x9 > vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:3d > vlan: 3 priority: 0 parent interface: trunk0 > groups: vlan > inet6 fe80::215:17ff:fe25:ba3d%vlan3 prefixlen 64 scopeid 0xa > inet 172.16.254.17 netmask 0xfffffff0 broadcast 172.16.254.31 > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:00:5e:00:01:02 > carp: BACKUP carpdev vlan3 vhid 2 advbase 1 advskew 0 > groups: carp > inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0xd > inet 172.16.128.94 netmask 0xfffffff0 broadcast 172.16.128.95 > > Firewall 2 > em1: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:59 > trunk: trunkdev trunk0 > media: Ethernet autoselect (1000baseT full-duplex) > status: active > inet6 fe80::215:17ff:fe25:ba59%em1 prefixlen 64 scopeid 0x2 > em2: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:59 > trunk: trunkdev trunk0 > media: Ethernet autoselect (1000baseT full-duplex) > status: active > inet6 fe80::215:17ff:fe25:b850%em2 prefixlen 64 scopeid 0x3 > trunk0: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:59 > trunk: trunkproto loadbalance > trunkport em2 active > trunkport em1 master,active > groups: trunk > media: Ethernet autoselect > status: active > inet6 fe80::215:17ff:fe25:ba59%trunk0 prefixlen 64 scopeid 0x9 > vlan3: flags=8943<UP,BROADCAST,RUNNING,PROMISC,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:15:17:25:ba:59 > vlan: 3 priority: 0 parent interface: trunk0 > groups: vlan > inet6 fe80::215:17ff:fe25:ba59%vlan3 prefixlen 64 scopeid 0xa > inet 172.16.254.18 netmask 0xfffffff0 broadcast 172.16.254.31 > carp1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500 > lladdr 00:00:5e:00:01:02 > carp: BACKUP carpdev vlan3 vhid 2 advbase 1 advskew 100 > groups: carp > inet6 fe80::200:5eff:fe00:102%carp1 prefixlen 64 scopeid 0xd > inet 172.16.128.94 netmask 0xfffffff0 broadcast 172.16.128.95 > > Thanks, > Arjen.
