dual-stack IPv4/IPv6 CARP

dual-stack IPv4/IPv6 CARP

David Newman
4.9-release

Greetings. I'm looking to configure IPv6 in addition to IPv4 on a
two-box pf setup that uses CARP and pfsync. The systems have multiple
VLANs, which are bound to physical interfaces, and the CARP interfaces
in turn are bound to the VLAN interfaces. There is no dynamic routing
protocol such as OSPF or BGP. This all works OK with IPv4.

Here are my questions:

1. What's the syntax for adding v6 to the CARP interfaces? Is it
sufficient to add an inet6 alias, something like this:

inet 666.1.2.3 255.255.255.0 666.1.2.255 vhid 100 carpdev bge0 advskew 1 pass GoogleMinus
inet6 alias 2011:0:1:2::2 64

Or does each address require carp credentials, like this:

inet 666.1.2.3 255.255.255.0 666.1.2.255 vhid 100 carpdev vlan1001 advskew 1 pass GoogleMinus
inet6 2011:0:1:2::3 64 vhid 100 carpdev bge0 advskew 1 pass GoogleMinus

Or does the v6 address require a separate CARP hostname.carpXX interface?

2. Same question regarding aliases for the VLAN interfaces. Is something
like this sufficient?

inet 666.1.2.4 255.255.255.0 666.1.2.255 vlan 1000 vlandev bge0
inet6 alias 2001:0:f0:0d::82 64

Or do the VLAN interfaces also require something more than an alias?

3. One of the existing CARP interfaces is on a /30 network so there's no
IPv4 address configured on the physical interface it uses. (There's no
VLAN interface in this case, either; the CARP interface is bound to the
physical interface.)

Will the same setup work with a dual stack setup, where v4 and v6 CARP
addresses are bound to an unnumbered physical interface?

Many thanks.

dn

Re: dual-stack IPv4/IPv6 CARP SOLVED

David Newman
OK, this is up and running, but not without some lessons learned along
the way. I hope these notes are helpful for anyone else looking to
set up dual-stack CARP.

1. IPv4 and IPv6 are syntactically similar on VLAN and CARP interfaces.
For CARP configuration, both protocols can share a common vhid, advskew,
and password.

For example:

inet 666.1.2.3 255.255.255.0 666.1.2.255 vhid 100 carpdev bge0 advskew 1
inet6 2011:0:1:2::3 64 vhid 100 carpdev bge0 advskew 1

2. CARP heartbeat messages use multicast. This means a switch with
dual-stack CARP-attached devices should support not only IGMP snooping
for IPv4 but also MLD snooping for IPv6.

This worked OK on my test setup on VMware, but only because I'd
configured the vSwitch ports in promiscuous mode.

When I tried production pf boxes with a switch without MLD snooping,
CARP state flapped like crazy.

Adding a switch with MLD snooping support fixed that problem.

(Tangent: When a vendor says "we support IPv6" don't take their word for
it. Find out specifically what's meant by that since there are many
differences in terms of multicast support, routing protocols, and
management methods.)

3. CARP interfaces can be bound to VLAN interfaces, which in turn can be
bound to an unnumbered physical interface. This is true for both IPv4
and IPv6 addressing.

dn



On 7/18/11 8:23 PM, David Newman wrote:

> 4.9-release
>
> Greetings. I'm looking to configure IPv6 in addition to IPv4 on a
> two-box pf setup that uses CARP and pfsync. The systems have multiple
> VLANs, which are bound to physical interfaces, and the CARP interfaces
> in turn are bound to the VLAN interfaces. There is no dynamic routing
> protocol such as OSPF or BGP. This all works OK with IPv4.
>
> Here are my questions:
>
> 1. What's the syntax for adding v6 to the CARP interfaces? Is it
> sufficient to add an inet6 alias, something like this:
>
> inet 666.1.2.3 255.255.255.0 666.1.2.255 vhid 100 carpdev bge0 advskew 1 pass GoogleMinus
> inet6 alias 2011:0:1:2::2 64
>
> Or does each address require carp credentials, like this:
>
> inet 666.1.2.3 255.255.255.0 666.1.2.255 vhid 100 carpdev vlan1001 advskew 1 pass GoogleMinus
> inet6 2011:0:1:2::3 64 vhid 100 carpdev bge0 advskew 1 pass GoogleMinus
>
> Or does the v6 address require a separate CARP hostname.carpXX interface?
>
> 2. Same question regarding aliases for the VLAN interfaces. Is something
> like this sufficient?
>
> inet 666.1.2.4 255.255.255.0 666.1.2.255 vlan 1000 vlandev bge0
> inet6 alias 2001:0:f0:0d::82 64
>
> Or do the VLAN interfaces also require something more than an alias?
>
> 3. One of the existing CARP interfaces is on a /30 network so there's no
> IPv4 address configured on the physical interface it uses. (There's no
> VLAN interface in this case, either; the CARP interface is bound to the
> physical interface.)
>
> Will the same setup work with a dual stack setup, where v4 and v6 CARP
> addresses are bound to an unnumbered physical interface?
>
> Many thanks.
>
> dn
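
Added example, not part of the original posts: a small lint for the body of a hostname.carpN file that checks the inet and inet6 lines agree on vhid, carpdev, advskew and pass, the shared settings described in note 1 above. The line layout is assumed to be the one shown in the thread; the addresses, interface names and password in the samples are constructed.

```python
import ipaddress

CARP_KEYS = ("vhid", "carpdev", "advskew", "pass")

def parse_line(line):
    """Return (family, address, carp_options) for an inet/inet6 line, else None."""
    tok = line.split()
    if len(tok) < 2 or tok[0] not in ("inet", "inet6"):
        return None
    rest = [t for t in tok[1:] if t != "alias"]
    if not rest:
        return None
    opts = {k: rest[i + 1] for i, k in enumerate(rest[:-1]) if k in CARP_KEYS}
    return tok[0], rest[0].split("/")[0], opts

def check_dual_stack(text):
    """Return a list of findings for the body of one hostname.carpN file."""
    findings, seen, families = [], {}, set()
    for n, line in enumerate(text.splitlines(), 1):
        parsed = parse_line(line)
        if parsed is None:
            continue  # comments, blank lines, anything that is not an address line
        family, addr, opts = parsed
        families.add(family)
        try:
            if ipaddress.ip_address(addr).version != (6 if family == "inet6" else 4):
                findings.append(f"line {n}: {addr} is not an {family} address")
        except ValueError:
            findings.append(f"line {n}: {addr} is not a valid address")
        for key, value in opts.items():
            first_line, first_value = seen.setdefault(key, (n, value))
            if value != first_value:
                # Never echo the shared secret into lint output.
                shown = "values differ" if key == "pass" else f"{value} vs {first_value}"
                findings.append(f"line {n}: {key} conflicts with line {first_line} ({shown})")
    findings += [f"no {f} address configured" for f in ("inet", "inet6") if f not in families]
    return findings

# Constructed samples (documentation prefixes, made-up password).
GOOD = """\
inet 192.0.2.3 255.255.255.0 192.0.2.255 vhid 100 carpdev vlan1001 advskew 1 pass ExamplePass
inet6 2001:db8:1:2::3 64 vhid 100 carpdev vlan1001 advskew 1 pass ExamplePass
"""
BAD = GOOD.replace("64 vhid 100 carpdev vlan1001", "64 vhid 100 carpdev bge0")

if __name__ == "__main__":
    for name, body in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_dual_stack(body) or "consistent")
```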

Re: dual-stack IPv4/IPv6 CARP SOLVED

Jussi Peltola
On Sun, Jul 31, 2011 at 02:16:15PM -0700, David Newman wrote:
> 2. CARP heartbeat messages use multicast. This means a switch with
> dual-stack CARP-attached devices should support not only IGMP snooping
> for IPv4 but also MLD snooping for IPv6.
 
Hmm. carppeer does not seem to like an inet6 address to work around
that. I wonder what happens if you dual-stack a carp interface with a
carppeer - I remember having some mysterious issues after which I've
been running a separate carp if for ipv6. OTOH I have dual-stacked
carppeer-less carp if's that show no problems. Perhaps I can find time
to investigate.

Re: dual-stack IPv4/IPv6 CARP SOLVED

David Newman
On 7/31/11 4:02 PM, Jussi Peltola wrote:

> On Sun, Jul 31, 2011 at 02:16:15PM -0700, David Newman wrote:
>> 2. CARP heartbeat messages use multicast. This means a switch with
>> dual-stack CARP-attached devices should support not only IGMP snooping
>> for IPv4 but also MLD snooping for IPv6.
>  
> Hmm. carppeer does not seem to like an inet6 address to work around
> that. I wonder what happens if you dual-stack a carp interface with a
> carppeer - I remember having some mysterious issues after which I've
> been running a separate carp if for ipv6. OTOH I have dual-stacked
> carppeer-less carp if's that show no problems. Perhaps I can find time
> to investigate.

Can't say; I've never used carppeer.

If it's used with a multicast group address I would think the switch
would need to support MLD for this to work with IPv6. The only exception
I can think of is with a crummy switch that just floods multicast frames
everywhere, same as broadcast.

dn