I have a setup where a central Cisco router connects downstream to branch
office Cisco routers and upstream to the Internet via a pair of CARPed
firewalls.

The Cisco routers speak OSPF between themselves, and I keep them all in
area 0 (I don't see any reason to complicate it with more areas). The
central Cisco router also speaks OSPF to the CARPed firewalls, but not in
order to learn the default route (as the only way to the Internet is
through them, I have set it up statically on the central Cisco router so
the next-hop IP address is the CARP address), but in order for the CARP
firewalls to learn the routes to the branch offices.

So, on the master firewall I have:
router-priority 0
router-id 192.168.228.2
area 0.0.0.0 {
        interface bnx0 { metric 100 }
}

On the backup firewall I have:
router-priority 0
router-id 192.168.228.3
area 0.0.0.0 {
        interface bnx0 { metric 200 }
}

Maybe Google Translate can help you with the translation of my detailed
howto (in Serbian):
https://www.mimar.rs/openbsd-na-obodu-korporacijske-mreze/
-- 
Marko Cupać
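Added example (my own code, not part of Marko's post or of OpenBSD's ospfd): a minimal parser for the ospfd.conf subset shown in the two fragments, plus a check of the invariants the setup relies on: both firewalls at router-priority 0 (so neither is ever elected DR/BDR), distinct router-ids, and the master advertising the lower metric so the Cisco side prefers it. It assumes both fragments are copied as-is and that bnx0 is the OSPF interface on both boxes; the interface name is a parameter.

```python
import re
# Constructed copies of the two ospfd.conf fragments quoted in the post.
MASTER_CONF = """router-priority 0
router-id 192.168.228.2
area 0.0.0.0 {
        interface bnx0 { metric 100 }
}"""
BACKUP_CONF = """router-priority 0
router-id 192.168.228.3
area 0.0.0.0 {
        interface bnx0 { metric 200 }
}"""
def _parse_block(tokens, i):
    """Parse newline-terminated 'key value' statements and
    'key value { ... }' nested blocks until the matching '}'."""
    node, stmt = {}, []
    while i < len(tokens):
        tok, i = tokens[i], i + 1
        if tok == "{":                 # nested block: node[keyword][args] = child
            child, i = _parse_block(tokens, i)
            node.setdefault(stmt[0], {})[" ".join(stmt[1:])] = child
            stmt = []
        elif tok in ("\n", "}"):       # end of a plain statement
            if stmt:
                node[stmt[0]] = " ".join(stmt[1:])
            stmt = []
            if tok == "}":
                break
        else:
            stmt.append(tok)
    return node, i

def parse_ospfd(text):
    """Parse the ospfd.conf subset used in the post (no comments or macros)."""
    tokens = re.findall(r"\{|\}|\n|[^\s{}]+", text + "\n")
    return _parse_block(tokens, 0)[0]

def check_pair(master, backup, iface="bnx0"):
    """Return a list of problems; an empty list means the pair matches the intent."""
    m, b = parse_ospfd(master), parse_ospfd(backup)
    problems = []
    for name, conf in (("master", m), ("backup", b)):
        if conf.get("router-priority") != "0":   # 0 = never elected DR/BDR
            problems.append(f"{name}: router-priority must be 0")
    if m.get("router-id") == b.get("router-id"):
        problems.append("router-id must differ between the two firewalls")
    cost = [int(c["area"]["0.0.0.0"]["interface"][iface]["metric"]) for c in (m, b)]
    if cost[0] >= cost[1]:                       # master must be the preferred path
        problems.append("master metric must be lower than backup metric")
    return problems
```

A missing area, interface or metric stanza raises KeyError, which is the intended failure for a fragment that does not match the post's shape.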
