US patent 5473599

Geraint Jones geraint at koding.com
Thu May 8 11:46:28 UTC 2014


> On 8/05/2014, at 11:09 pm, Henning Brauer <hb-nanog at bsws.de> wrote:
> 
> * Nick Hilliard <nick at foobar.org> [2014-05-08 13:03]:
>>> On 08/05/2014 11:25, Henning Brauer wrote:
>>> you shouldn't see issues but log spam.
>> maybe you misunderstand the problem.  If you have vrrp and carp on the same
>> vlan, using the same vrrp group ID as VHID, then each virtual IP will arp
>> for the same mac address on that vlan.
> 
> correct.
> 
>> This messes up the switch's forwarding table for that particular vlan
>> because it sees multiple entries from different ports for the same mac
>> address.
> 
> correct.
> 
> my switches seem to deal with that, whether they have special handling
> for that mac addr range or not i dunno.

What make and model switches?

I am sure someone here can easily verify their behaviour and whether they have some baked-in pixie dust to handle this.

But a pure L2 switch should not be able to mask the issue given all it has to go on is MAC, so you would either see excessive flooding of a unicast MAC, or black-holing of VRRP or CARP.

Neither of which is desirable, and given that the flooding would lead to serious security issues, it worries me coming from such a security-focused community as the OpenBSD community professes to be.

> 
> again, stress the fact that afair we have gotten zero reports about
> that "issue" for 10 years, it obviously means that either
> 1) a vast majority of switches deal with it just fine
> 2) people know that vhids shouldn't clash and avoid that
> 
> -- 
> Henning Brauer, hb at bsws.de, henning at openbsd.org
> BS Web Services GmbH, AG Hamburg HRB 128289, http://bsws.de
> Full-Service ISP - Secure Hosting, Mail and DNS Services
> Dedicated Servers, Rootservers, VMs/PVS, Application Hosting

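An added illustration of the clash discussed in this thread, not code from the thread, OpenBSD or any switch vendor: VRRP (RFC 3768) and CARP both derive the virtual MAC as 00:00:5e:00:01:&lt;id&gt;, so a VRRP group ID equal to a CARP VHID on one VLAN puts one MAC behind two switch ports. The redundancy-group inventory and the frame sequence below are constructed, and the learning-switch model is a plain L2 table with no special handling for that MAC range.

```python
# Added example: lint a redundancy-group inventory for CARP/VRRP virtual-MAC
# clashes on a VLAN, then show what a plain learning switch does with frames
# that carry one source MAC from two ingress ports. All data is constructed.
from collections import defaultdict

VIRTUAL_MAC_PREFIX = "00:00:5e:00:01"  # RFC 3768 VRRP MAC; CARP uses the same


def virtual_mac(group_id: int) -> str:
    """Virtual router MAC for a VRRP VRID or CARP VHID (valid range 1..255)."""
    if not 1 <= group_id <= 255:
        raise ValueError("group id must be 1..255")
    return f"{VIRTUAL_MAC_PREFIX}:{group_id:02x}"


def find_mac_clashes(groups):
    """groups: iterable of (vlan, protocol, group_id, hostname).

    Returns {(vlan, mac): [(protocol, group_id, hostname), ...]} for every
    VLAN/MAC pair claimed by more than one protocol, i.e. a VRRP group and a
    CARP group with the same ID on the same VLAN. Two hosts of one CARP or
    VRRP group sharing an ID is normal and is not reported."""
    seen = defaultdict(list)
    for vlan, proto, gid, host in groups:
        seen[(vlan, virtual_mac(gid))].append((proto, gid, host))
    return {k: v for k, v in seen.items() if len({p for p, _, _ in v}) > 1}


def learning_switch_trace(frames):
    """frames: sequence of (ingress_port, src_mac) as seen by an L2 switch.

    Returns (forwarding_table, port_moves): the MAC->port table after the
    last frame and how many times an already-learned MAC moved to another
    port. Each move rewrites the table, so traffic to that MAC is delivered
    to whichever port spoke last and the other group is black-holed."""
    table, moves = {}, 0
    for port, mac in frames:
        if mac in table and table[mac] != port:
            moves += 1
        table[mac] = port
    return table, moves


# Constructed inventory: VLAN 10 carries VRRP group 1 on two routers and
# CARP vhid 1 on two firewalls; VLAN 20 has only VRRP group 1.
SAMPLE_GROUPS = [
    (10, "vrrp", 1, "rtr-a"), (10, "vrrp", 1, "rtr-b"),
    (10, "carp", 1, "fw-a"), (10, "carp", 1, "fw-b"),
    (10, "carp", 2, "fw-a"), (20, "vrrp", 1, "rtr-a"),
]
# Constructed frames: VRRP master on port 1 and CARP master on port 5 both
# source 00:00:5e:00:01:01; port 2 is an ordinary host for comparison.
SAMPLE_FRAMES = [(1, virtual_mac(1)), (2, "02:00:00:00:00:aa"),
                 (5, virtual_mac(1)), (1, virtual_mac(1)), (5, virtual_mac(1))]
```

Running `find_mac_clashes(SAMPLE_GROUPS)` reports only VLAN 10 / 00:00:5e:00:01:01, and `learning_switch_trace(SAMPLE_FRAMES)` shows that MAC moving ports three times in five frames.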