R3166-R3206-HP High-End Firewalls High Availability Configuration Guide-6PW101
25
• VRRP interface tracking configuration example
• Multiple VRRP groups configuration example
Single VRRP group configuration example
1. Network requirements
• Host A needs to access Host B on the Internet, using 202.38.160.111/24 as its default gateway.
• Firewall A and Firewall B belong to VRRP group 1 with the virtual IP address of 202.38.160.111/24.
• If Firewall A operates normally, packets sent from Host A to Host B are forwarded by Firewall A. If
Firewall A fails, packets sent from Host A to Host B are forwarded by Firewall B.
Figure 13 Network diagram for single VRRP group configuration
2. Configuration procedure
a. Configure Firewall A
<FirewallA> system-view
[FirewallA] interface GigabitEthernet 0/1
[FirewallA-GigabitEthernet0/1] ip address 202.38.160.1 255.255.255.0
# Create VRRP group 1 and configure its virtual IP address as 202.38.160.111.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 202.38.160.111
# Configure the priority of Firewall A in the VRRP group 1 as 110, which is higher than that of Firewall B
(100), so that Firewall A can become the master.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 priority 110
# Configure Firewall A to work in preemptive mode so that it can become the master whenever it works
normally. Configure the preemption delay as five seconds to avoid frequent status switchover.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 5
b. Configure Firewall B
<FirewallB> system-view
[FirewallB] interface GigabitEthernet 0/1
[FirewallB-GigabitEthernet0/1] ip address 202.38.160.2 255.255.255.0
# Create VRRP group 1 and configure its virtual IP address as 202.38.160.111.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 202.38.160.111
# Configure Firewall B to work in the preemptive mode, with the preemption delay set to 5 seconds.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 5