pfsense carp using 2960 switch

empereira
Level 1

hi,

Does this switch support the CARP protocol?

We are looking to set up two pfsense appliances with this switch, but I haven't found anything saying that it supports CARP.


balaji.bandi
Hall of Fame

Not that I am aware that the IOS device has that support. Check the feature navigator:

https://cfnng.cisco.com/

BB


M02@rt37
VIP

Hello @empereira 

Cisco 2960 is a L2 switch and does not have built-in support for CARP protocol. 

It's possible to configure CARP on a L3 device such as a router or firewall, which can be connected to the Cisco 2960 switch. This would allow CARP to be used within the network, with the L3 device providing the necessary functionality.

Best regards
.ı|ı.ı|ı. If This Helps, Please Rate .ı|ı.ı|ı.

But that's exactly what I'm doing. I made the CARP settings in pfsense, and pfsense is connected to the 2960. In some tests that I did, the MACs of the CARP gateways that I configured are not passing. On this 2960 I also configured a LAG between 4 ports.

Do I need an extra configuration on the switch to pass all MACs?

Hello @empereira 

No extra conf. is needed.

Check the LAG configuration: Verify that the LAG between the switch and pfsense appliances is properly configured and that all ports in the LAG are functioning correctly.

Verify the switch's MAC address table: Use the command "show mac address-table" on the switch to see if the MAC addresses of the CARP gateways are listed. If they are not listed, the switch may not be learning the MAC addresses from the pfsense interfaces. Check the LAG configuration to ensure that all ports in the LAG are properly configured.

Disable MAC address filtering or security settings: If you have enabled any MAC address filtering or security settings on the switch, try disabling them temporarily to see if it resolves the issue....

Check for VLAN configuration issues: If you have VLANs configured on the switch or pfsense, ensure that they are properly configured and that traffic is flowing between the VLANs as expected.

Check for potential spanning tree issues: Verify that there are no spanning tree issues causing traffic to be blocked. 

 

Best regards

normal port config (Gi1/0/1-4):

interface Gi1/0/1
no green-mode energy-detect
channel-group 1 mode active
lacp timeout short
ip dhcp snooping trust
description "LAG-PFMASTER"
spanning-tree portfast
switchport mode trunk
switchport trunk native vlan 4092
exit

port-channel config:

interface port-channel 1
ip dhcp snooping trust
description "LAG-PFMASTER"
switchport mode trunk
switchport general allowed vlan add 900
switchport general allowed vlan add 25-26,40,50-51,53,55,60,77,200 tagged
switchport general allowed vlan add 301-307,331,520,600,700,800,911-912 tagged
switchport trunk native vlan 4092
exit

pfsense VIP CARP


show mac address-table

sw-core2#show mac address-table | include 0000.5E00

1        0000.5E00.0113        Dynamic     Po1
25       0000.5E00.0102        Dynamic     Po1
26       0000.5E00.0101        Dynamic     Po1
40       0000.5E00.0111        Dynamic     Po1
50       0000.5E00.010E        Dynamic     Po1
51       0000.5E00.010F        Dynamic     Po1
53       0000.5E00.0112        Dynamic     Po1
77       0000.5E00.0115        Dynamic     Po1
200      0000.5E00.0104        Dynamic     Po1
301      0000.5E00.0105        Dynamic     Po1
302      0000.5E00.0106        Dynamic     Po1
303      0000.5E00.0107        Dynamic     Po1
304      0000.5E00.0108        Dynamic     Po1
305      0000.5E00.0109        Dynamic     Po1
306      0000.5E00.010A        Dynamic     Po1
307      0000.5E00.010B        Dynamic     Po1
308      0000.5E00.0116        Dynamic     Po1
525      0000.5E00.0114        Dynamic     Po1
610      0000.5E00.0117        Dynamic     Po1
800      0000.5E00.010C        Dynamic     Po1
900      0000.5E00.0118        Dynamic     Po1
911      0000.5E00.010D        Dynamic     Po1
912      0000.5E00.0110        Dynamic     Po1
920      0000.5E00.0119        Dynamic     Po1

- MAC filtering is disabled
- VLAN is OK at first

Are the normal ports and port-channel correct?
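
As an added example (not part of the original thread), this script automates the MAC-table check suggested above: it extracts CARP virtual MACs (00:00:5e:00:01:<VHID>, the same range VRRP uses) from `show mac address-table` output and compares the VLANs they were learned in against a trunk's allowed-VLAN list. The sample table, the allowed list, the function names and the `Po1` default uplink are constructed for illustration.

```python
import re

# CARP reuses the VRRP IPv4 virtual MAC range: 00:00:5e:00:01:<VHID>.
CARP_PREFIX = "00005e0001"
ROW = re.compile(
    r"^\s*(\d+)\s+([0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4})\s+\S+\s+(\S+)\s*$"
)

# Constructed sample in the same column layout as the output above.
SAMPLE_TABLE = """\
25       0000.5E00.0102        Dynamic     Po1
26       0000.5E00.0101        Dynamic     Po1
40       0000.5E00.0111        Dynamic     Gi1/0/7
308      0000.5E00.0116        Dynamic     Po1
50       0011.2233.4455        Dynamic     Te1/0/1
"""
SAMPLE_ALLOWED = "25-26,40,50-51"  # constructed trunk allowed-VLAN list


def expand_vlans(spec):
    """Expand a list such as '25-26,40' into {25, 26, 40}."""
    vlans = set()
    for part in spec.replace(" ", "").split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def carp_entries(table):
    """Return (vlan, vhid, port) for every CARP virtual MAC in the table."""
    found = []
    for line in table.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip headers, prompts and blank lines
        mac = m.group(2).replace(".", "").lower()
        if mac.startswith(CARP_PREFIX):
            found.append((int(m.group(1)), int(mac[10:], 16), m.group(3)))
    return found


def audit(table, allowed_spec, uplink="Po1"):
    """Compare learned CARP MACs with the VLANs allowed on the firewall uplink."""
    allowed = expand_vlans(allowed_spec)
    entries = carp_entries(table)
    seen = {vlan for vlan, _, _ in entries}
    return {
        "not_allowed": sorted(seen - allowed),   # CARP MAC in a VLAN not on the trunk list
        "no_carp_mac": sorted(allowed - seen),   # allowed VLAN with no CARP MAC learned
        "off_uplink": [e for e in entries if e[2] != uplink],  # learned on another port
    }
```

A CARP MAC reported under `off_uplink` is worth investigating first, since a virtual gateway MAC learned on a port other than the firewall LAG points to a loop, a miscabled link or another host answering for the gateway.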

Ok @empereira 

What about STP configuration?

Best regards


sw-core2#show spanning-tree        

Spanning Tree            : Enabled
BPDU Flooding            : Disabled
Portfast BPDU Filtering  : Disabled
Mode                     : rstp
Portfast BPDU Guard      : Disabled
CST Regional Root        : 00:00:E4:F0:04:D8:8F:1E
Regional Root Path Cost  : 0
ROOT ID
              Priority        0
              Address         E4F0.04D8.8F1E
              This Switch is the Root.
              Hello Time: 2s Max Age: 20s Forward Delay: 15s Transmit Hold Count: 6s
              Bridge Max Hops: 20
Interfaces

Name      State    Prio.Nbr  Cost      Sts  Role  Restricted
--------- -------- --------- --------- ---- ----- ----------
Gi1/0/1   Enabled  128.1     0         DIS  Disb  No
Gi1/0/2   Enabled  128.2     0         DIS  Disb  No
Gi1/0/3   Enabled  128.3     0         DIS  Disb  No
Gi1/0/4   Enabled  128.4     0         DIS  Disb  No
Gi1/0/5   Enabled  128.5     0         DIS  Disb  No
Gi1/0/6   Enabled  128.6     0         DIS  Disb  No
Gi1/0/7   Enabled  128.7     0         DIS  Disb  No
Gi1/0/8   Enabled  128.8     0         DIS  Disb  No
Gi1/0/9   Enabled  128.9     0         DIS  Disb  No
Gi1/0/10  Enabled  128.10    0         DIS  Disb  No
Gi1/0/11  Enabled  128.11    0         DIS  Disb  No
Gi1/0/12  Enabled  128.12    0         DIS  Disb  No
Gi1/0/13  Enabled  128.13    0         DIS  Disb  No
Gi1/0/14  Enabled  128.14    0         DIS  Disb  No
Gi1/0/15  Enabled  128.15    0         DIS  Disb  No
Gi1/0/16  Enabled  128.16    0         DIS  Disb  No
Gi1/0/17  Enabled  128.17    0         DIS  Disb  No
Gi1/0/18  Enabled  128.18    0         DIS  Disb  No
Gi1/0/19  Enabled  128.19    0         DIS  Disb  No
Gi1/0/20  Enabled  128.20    0         DIS  Disb  No
Gi1/0/21  Enabled  128.21    0         DIS  Disb  No
Gi1/0/22  Enabled  128.22    0         DIS  Disb  No
Gi1/0/23  Enabled  128.23    0         DIS  Disb  No
Gi1/0/24  Enabled  128.24    0         DIS  Disb  No
Te1/0/1   Enabled  128.25    20000     FWD  Desg  No
Te1/0/2   Enabled  128.26    20000     FWD  Desg  No
Te1/0/3   Enabled  128.27    0         DIS  Disb  No
Te1/0/4   Enabled  128.28    2000      FWD  Desg  No
Po1       Enabled  128.210   5000      FWD  Desg  No

 

1. Maybe disable STP to test it?

2. Can I keep the vlan settings, dhcp snooping, etc, only on port-channel 1 and leave the normal ports without configuration?

You can try that @empereira.

The config on the Port Channel should be applied automatically to the physical interface if this interface is part of this port channel. Then there is no need for configuration on the physical interface, yes; just the "channel-group" config on it.

Best regards

But that's exactly what I'm doing. I made the CARP settings in pfsense, and pfsense is connected to the 2960. In some tests that I did, the MACs of the CARP gateways that I configured are not passing. On this 2960 I also configured a LAG between 4 ports. Do I need an extra configuration on the switch to pass all MACs?

No CARP on Cisco devices. This is quite aligned with BSD operating systems. On Cisco Devices we have HSRP, VRRP and GLBP. But for the 2960, IMO even when you enable IP routing these are not supported on this low-end platform. You have to go to the 3k series or higher to get support for these.

I made the CARP settings in pfsense, and pfsense is connected to the 2960. In some tests that I did, the MACs of the CARP gateways that I configured are not passing. On this 2960 I also configured a LAG between 4 ports.

Do I need an extra configuration on the switch to pass all MACs?
