F3726, F3211, F3174, R5135, R3816-HP Firewalls and UTM Devices High Availability Configuration Guide-6PW100
Admin Status   : Up              State         : Master
Config Pri     : 100             Running Pri   : 100
Preempt Mode   : Yes             Delay Time    : 5
Auth Type      : Simple          Key           : hello
Virtual IP     : 10.1.1.10
Virtual MAC    : 0000-5e00-0101
Master IP      : 10.1.1.2
The output shows that when a fault occurs on the link between Firewall A and Router A, the priority of
Firewall A decreases to 80. Firewall A becomes the backup, and Firewall B becomes the master.
Packets from Host A to Host B are forwarded through Firewall B.
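The following Python sketch is an added example, not part of the HP guide. It parses the VRRP status fields shown above and reports two conditions an operator would want to notice: a running priority below the configured one, and simple (plaintext) authentication. The Firewall A sample is constructed, and its configured priority of 110 is an assumption.

```python
import re

# Field names as they appear in the status output on this page.
FIELDS = ["Admin Status", "State", "Config Pri", "Running Pri", "Preempt Mode",
          "Delay Time", "Auth Type", "Key", "Virtual IP", "Virtual MAC", "Master IP"]
FIELD_RE = re.compile(r"\b(%s)\s*:\s*(\S+)" % "|".join(map(re.escape, FIELDS)))

# Status block copied from this page (columns collapsed by text extraction).
PAGE_OUTPUT = """\
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 5
Auth Type : Simple Key : hello
Virtual IP : 10.1.1.10
Virtual MAC : 0000-5e00-0101
Master IP : 10.1.1.2
"""

# Constructed sample for Firewall A after the link fault: running priority 80 is
# from the text above; the configured priority of 110 is an assumption.
CONSTRUCTED_FW_A = """\
Admin Status   : Up            State         : Backup
Config Pri     : 110           Running Pri   : 80
Preempt Mode   : Yes           Delay Time    : 5
Auth Type      : Simple        Key           : hello
Virtual IP     : 10.1.1.10
Master IP      : 10.1.1.2
"""

def parse_vrrp(text):
    """Return {field: value}; tolerates aligned or collapsed two-column lines."""
    return dict(FIELD_RE.findall(text))

def audit(group):
    """Return (code, message) findings for one parsed VRRP group."""
    findings = []
    cfg, run = int(group["Config Pri"]), int(group["Running Pri"])
    if run < cfg:
        findings.append(("PRIORITY_REDUCED",
                         f"running priority {run} < configured {cfg}: tracked fault active"))
    if group.get("Auth Type", "").lower() == "simple":
        findings.append(("CLEARTEXT_AUTH",
                         f"simple authentication: key {group.get('Key')!r} is shown in the "
                         "output and carried unencrypted in VRRP advertisements"))
    return findings

if __name__ == "__main__":
    for name, text in (("page output", PAGE_OUTPUT), ("Firewall A", CONSTRUCTED_FW_A)):
        group = parse_vrrp(text)
        print(name, group["State"], audit(group))
```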
Configuring BFD for a VRRP backup to monitor the master
The following matrix shows the configuration example and hardware compatibility:
Hardware                 Example applicable
F1000-A-EI/F1000-S-EI    No
F1000-E                  No
F5000                    Yes
Firewall module          No
U200-A                   No
U200-S                   No
Network requirements
• As shown in Figure 38, Firewall A and Firewall B belong to VRRP group 1, whose virtual IP address
is 192.168.0.10.
• The default gateway of the hosts in the LAN is 192.168.0.10. When Firewall A works normally, the
hosts in the LAN access the external network through Firewall A. When Firewall A fails, the hosts in
the LAN access the external network through Firewall B.
• If BFD is not configured, when the master in a VRRP group fails, the backup cannot become the
master until the configured timeout timer expires. The timeout is generally three to four seconds,
which makes the switchover slow. To solve this problem, VRRP uses BFD to probe the state of the
master. Once the master fails, the backup can become the new master in milliseconds.