On 2008-03-10, clifford bailey <[EMAIL PROTECTED]> wrote:
>>> router-id 1.2.3.4
>>>
>>> auth-type crypt
>>> auth-md 1 mekmitasdigoat
>>> auth-md-keyid 1
>>>
>>> hello-interval 1
>>> router-dead-time 4
>>>
>>> area 0.0.0.0 {
>>>     interface vlan701
>>>     interface carp72 { passive }
>>>     interface carp42 { passive }
>>>     interface carp209 { passive }
>>>     interface carp168 { passive }
>>> }
>>>
>>>
>> Is that possible to do? I tried something similar on my setup and as
>> soon as I removed the real interface from the area, nothing was
>> advertised at all. Admittedly I didn't have the interface set as
>> passive before, so that might have been my problem. I'll try that out
>> now. My initial assumption was because I saw in an openospfd doc (by
>> Claudio Jeker if it helps), that it was "impossible to run ospf on a
>> carp interface", so assumed this was the correct behaviour. Anyway, if
>> you're right, that's great news for me!
>> (Thanks for the quick response too!)
>
> Having played around with this for a bit and given it a bit more
> thought, I'm worried I'm wasting my time. If I understand correctly, the
> passive carp statements in your setup above, simply advertise those
> addresses over other interfaces (in your case the vlan701 interface),
> rather than running ospf on them. I wanted to be able to have ospf
> running on the carp interface, rather than the real interface. If I run
> ospf on the real interfaces of both firewalls, advertising the carp
> interface as above, then ospf will decide which firewall to route
> traffic through, not carp.

In my example vlan701 faces the rest of the network and participates
fully in OSPF; the carp interfaces face servers/PCs behind this pair
of firewalls (no other OSPF speakers on those networks).
OSPF announcements track the interface state: if an interface is
regarded as down (in the case of carp, backup == down) then its
addresses are not announced. When the interface is carp master it
starts to be announced.

> I don't have any servers directly connecting to
> the firewall, the firewalls sit in the middle of an ospf cloud, rather
> than at the edge of one,

In that case, sorry, this probably doesn't help you; it seems like
quite an unusual place to have firewalls though.
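
Added example (not part of the original thread): a shell function that applies the rule stated in the reply above (a carp interface in MASTER state is announced, any other state is treated as down) to ifconfig-style text, listing which carp networks a firewall is expected to announce. The function names, the sample addresses and the sample interface output are constructed for illustration, and the "carp: STATE carpdev ..." line layout is assumed to match OpenBSD's ifconfig output.

```shell
#!/bin/sh
# Reads ifconfig-style text on stdin and prints, per carp interface:
#   <interface> <first inet address> <carp state> <announce|withdraw>
carp_expect() {
    awk '
        # Interface header, e.g. "carp72: flags=8843<UP,...> mtu 1500"
        /^[a-z]+[0-9]+: / {
            emit()
            ifc = $1; sub(/:$/, "", ifc)
            state = ""; addr = "-"
        }
        # carp state line, e.g. "carp: MASTER carpdev em1 vhid 72 ..."
        $1 == "carp:" { state = $2 }
        # Remember the first IPv4 address of the interface
        $1 == "inet" && addr == "-" { addr = $2 }
        END { emit() }
        function emit() {
            # Only carp interfaces with a known state are reported
            if (ifc ~ /^carp/ && state != "")
                printf "%s %s %s %s\n", ifc, addr, state,
                    (state == "MASTER" ? "announce" : "withdraw")
        }
    '
}

# Constructed sample input (documentation addresses, assumed layout).
sample_ifconfig() {
    cat <<'EOF'
vlan701: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255
carp72: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: MASTER carpdev em1 vhid 72 advbase 1 advskew 0
        inet 198.51.100.1 netmask 0xffffff00 broadcast 198.51.100.255
carp42: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        carp: BACKUP carpdev em2 vhid 42 advbase 1 advskew 100
        inet 203.0.113.1 netmask 0xffffff00 broadcast 203.0.113.255
EOF
}

sample_ifconfig | carp_expect
```

On a live firewall the input would be `ifconfig | carp_expect`, and the result can be compared with what ospfd reports for the same interfaces.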