clifford bailey wrote:
> Stuart Henderson wrote:
>> On 2008-03-10, clifford bailey <[EMAIL PROTECTED]> wrote:
>>> Having got a nice redundant firewall setup working with openbsd 4.2
>>> pf + carp + pfsync, my next step was to integrate it with ospf. My
>>> initial plan was to continue to treat the firewall pair as a single
>>> 'virtual firewall' within the network and use ospf to advertise
>>> routes through just the carp interfaces. Looking at a couple of docs
>>> for ospf though, I was disappointed to find out I can't do this.
>>
>> Don't you mean something like this?
>>
>> router-id 1.2.3.4
>> auth-type crypt
>> auth-md 1 mekmitasdigoat
>> auth-md-keyid 1
>> hello-interval 1
>> router-dead-time 4
>> area 0.0.0.0 {
>>         interface vlan701
>>         interface carp72 { passive }
>>         interface carp42 { passive }
>>         interface carp209 { passive }
>>         interface carp168 { passive }
>> }
>
> Is that possible to do? I tried something similar on my setup and as
> soon as I removed the real interface from the area, nothing was
> advertised at all. Admittedly I didn't have the interface set as
> passive before, so that might have been my problem. I'll try that out
> now. My initial assumption was because I saw in an openospfd doc (by
> Claudio Jeker if it helps) that it was "impossible to run ospf on a
> carp interface", so I assumed this was the correct behaviour. Anyway, if
> you're right, that's great news for me!
> (Thanks for the quick response too!)
Hi,

Having played around with this for a bit and given it a bit more
thought, I'm worried I'm wasting my time. If I understand correctly, the
passive carp statements in your setup above simply advertise those
addresses over other interfaces (in your case the vlan701 interface)
rather than running ospf on them. I wanted to be able to have ospf
running on the carp interface rather than the real interface. If I run
ospf on the real interfaces of both firewalls, advertising the carp
interface as above, then ospf will decide which firewall to route
traffic through, not carp, and carp will be rendered at best useless and
at worst a hindrance. I don't have any servers directly connecting to
the firewall; the firewalls sit in the middle of an ospf cloud rather
than at the edge of one, so I've returned to my initial assumption that
it's not possible to use carp here. Please correct me if I'm wrong
though, as removing carp from the picture drastically complicates my
proposed network layout.

Thanks.
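A small lint for the two pitfalls raised in this thread (a carp interface listed in an area must be passive, and an area with no active real interface advertises nothing), added here as an example and not code from the thread or from OpenBSD's ospfd. It parses only the one-line `interface X { passive }` form used in Stuart's config, the sample is that config with two carp lines dropped, and the finding wording is my own.

```python
import re
# Stuart's ospfd.conf from the thread, as sample input (two carp lines dropped).
SAMPLE = """router-id 1.2.3.4
auth-type crypt
auth-md 1 mekmitasdigoat
auth-md-keyid 1
hello-interval 1
router-dead-time 4
area 0.0.0.0 {
        interface vlan701
        interface carp72 { passive }
        interface carp42 { passive }
}
"""
AREA_RE = re.compile(r"^\s*area\s+(\S+)\s*\{")
IFACE_RE = re.compile(r"^\s*interface\s+(\S+)(?:\s*\{([^}]*)\})?")

def parse_areas(conf):
    """Return {area: [(ifname, passive)]}; handles only one-line 'interface X { passive }'."""
    areas, current = {}, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].rstrip()  # drop comments
        m = AREA_RE.match(line)
        if m:
            current = m.group(1)
            areas.setdefault(current, [])
            continue
        if current is None:
            continue  # global options such as router-id
        if line.strip() == "}":
            current = None
            continue
        m = IFACE_RE.match(line)
        if m:
            opts = (m.group(2) or "").split()
            areas[current].append((m.group(1), "passive" in opts))
    return areas

def lint(conf):
    """Flag the two pitfalls from the thread; the finding text is my own (assumed)."""
    findings = []
    for area, ifaces in parse_areas(conf).items():
        for name, passive in ifaces:
            if name.startswith("carp") and not passive:
                findings.append(f"area {area}: {name} is carp but not passive; ospf cannot run on carp")
        # With every interface passive (or carp) no adjacency forms, so nothing is advertised.
        if ifaces and all(p or n.startswith("carp") for n, p in ifaces):
            findings.append(f"area {area}: no active non-carp interface, nothing will be advertised")
    return findings
```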