
managed switches and carp

I've been asked to work on a system which (simplified) looks something like

          fw1          vlans
         / | \  mgd   /
isp--hub-+  |  switches--vlans
         \ | /        \
          fw2          vlans

Traffic to the right of the switches is untagged, with mostly one port
per vlan.  The switches add vlan tags on traffic going L<-R and remove
them on traffic L->R.

There are over 100 vlans, and 7x 26-port switches in a loop running
STP, with the two fw* attached to adjacent switches in the loop.

Traffic between the fw* and switches is all tagged to indicate the
relevant vlans.

Each vlan has a matching carp shared between fw*, which is the only
route outbound for that vlan.

So each fw has

em0	external, to hub & isp
em1	internal, goes to switch	10.1.1.X	/24
sis0	pfsync				10.1.0.X	/24
vlanN	over em1			10.1.N.2 or 3	/24
carpN	over vlanN			10.1.N.1	/32

My issue is that the managed switches we currently use (chosen before
I arrived...) suppress traffic from 'duplicate' MAC addresses, clamped
for a minimum of 300s.  Both fw* think they're master.

Which managed switch brands behave right with carp, allowing traffic from
carp source addresses on multiple ports without duplicate suppression?

I don't care if the switch recognizes carp addresses as special, or if
it lets me label particular ports to allow duplicates, or whatever.

Or do I just need to introduce a new single point of failure to get this:

          fw1                  vlans
         / | \ unmgd    mgd   /
isp--hub-+  |  switch--switches--vlans
         \ | /                \
          fw2                  vlans

which at least lets fw* agree who's master...


Christopher Vance
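One way to lay out the per-vlan addressing the post describes, as an added example that is not part of the original message and not the poster's own files: a POSIX sh generator for OpenBSD hostname.if(5) fragments for vlanN over em1, carpN over vlanN, the sis0 address and pfsync0. It also prints the source MAC every CARP frame of a given vhid carries (00:00:5e:00:01:VHID); because fw1 and fw2 both transmit from that one address on two different switch ports, it is the address a duplicate-MAC filter sees twice, and once the advertisements are dropped neither firewall hears the other and both stay master. The hostname.if syntax is that of current OpenBSD; using the vlan id as the vhid, the advskew values, the pass phrase and the OUTDIR variable are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's configuration: emit OpenBSD hostname.if(5)
# fragments for the layout in the post (vlanN over em1, carpN over vlanN,
# pfsync over sis0).  Assumed: vhid = vlan id, advskew 0/100, PASS, OUTDIR.
set -eu

PARENT=em1            # internal interface carrying the tagged vlans
PFSYNC=sis0           # dedicated pfsync link, 10.1.0.X/24
PASS="change-me"      # assumed CARP password; replace with a real secret

# hostname.vlanN: vlan N on em1 with 10.1.N.<octet>/24.
# $1 = vlan id, $2 = host octet (2 on fw1, 3 on fw2).
gen_vlan_if() {
    printf 'vlan %s vlandev %s\ninet 10.1.%s.%s 255.255.255.0\n' \
        "$1" "$PARENT" "$1" "$2"
}

# hostname.carpN: 10.1.N.1/32 on carpN over vlanN, vhid = vlan id.
# $1 = vlan id, $2 = advskew (0 on the preferred master, 100 on the backup).
gen_carp_if() {
    printf 'inet 10.1.%s.1 255.255.255.255 NONE vhid %s carpdev vlan%s advskew %s pass %s\n' \
        "$1" "$1" "$1" "$2" "$PASS"
}

# hostname.sis0: the pfsync link address.  $1 = host octet.
gen_sync_link_if() {
    printf 'inet 10.1.0.%s 255.255.255.0\n' "$1"
}

# hostname.pfsync0: state sync over sis0 to the peer firewall.  $1 = peer IP.
gen_pfsync_if() {
    printf 'up syncdev %s syncpeer %s\n' "$PFSYNC" "$1"
}

# Source MAC the switch sees on every CARP frame of vhid $1: 00:00:5e:00:01:VHID.
# Both firewalls send with this address, each on its own switch port, which is
# what a duplicate-MAC filter latches onto.
carp_mac() {
    printf '00:00:5e:00:01:%02x\n' "$1"
}

# Write hostname.vlanN and hostname.carpN for vlans $2..$3 into directory $1.
# $4 = host octet (2 for fw1, 3 for fw2), $5 = advskew for this firewall.
gen_all() {
    dir=$1; lo=$2; hi=$3; octet=$4; skew=$5
    mkdir -p "$dir"
    n=$lo
    while [ "$n" -le "$hi" ]; do
        gen_vlan_if "$n" "$octet" > "$dir/hostname.vlan$n"
        gen_carp_if "$n" "$skew"  > "$dir/hostname.carp$n"
        n=$((n + 1))
    done
}

# Touch the filesystem only when OUTDIR is set, e.g. for fw1 (octet 2, skew 0):
#   OUTDIR=/tmp/fw1 sh gen-fw.sh
if [ -n "${OUTDIR:-}" ]; then
    gen_all "$OUTDIR" 2 10 2 0
    gen_sync_link_if 2 > "$OUTDIR/hostname.$PFSYNC"
    gen_pfsync_if 10.1.0.3 > "$OUTDIR/hostname.pfsync0"
    n=2
    while [ "$n" -le 10 ]; do
        printf 'vlan%s carp MAC %s\n' "$n" "$(carp_mac "$n")"
        n=$((n + 1))
    done
fi
```

Run it once per firewall with the other host octet and advskew (3 and 100 for fw2), then `sh /etc/netstart` on each box. Listing the carp_mac values for the vlans you care about is a quick way to check, in the switch's MAC table or its duplicate-address log, which vhids are being suppressed and on which ports.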