R3721-F3210-F3171-HP High-End Firewalls High Availability Configuration Guide-6PW101
43
Virtual MAC : 0000-5e00-0201
Master IP : FE80::1
The output shows that after Firewall A resumes normal operation, it becomes the master, and packets sent
from host A to host B are forwarded by Firewall A.
VRRP interface tracking configuration example
Network requirements
• Firewall A and Firewall B belong to VRRP group 1 with the virtual IPv6 addresses of 1::10/64 and
FE80::10.
• Host A wants to access Host B on the Internet, and learns 1::10/64 as its default gateway through
RA messages sent by the routers.
• When Firewall A operates properly, packets sent from Host A to Host B are forwarded by Firewall
A. If interface GigabitEthernet 0/1 through which Firewall A connects to the internet is not available,
packets sent from Host A to Host B are forwarded by Firewall B.
• To prevent attacks to the VRRP group from illegal users by using spoofed packets, configure the
authentication mode as plain text to authenticate the VRRP packets in VRRP group 1, and specify the
authentication key as hello.
Figure 25 Network diagram
Configuring Firewall A
<FirewallA> system-view
[FirewallA] ipv6
[FirewallA] interface gigabitethernet 0/2
[FirewallA-GigabitEthernet0/2] ipv6 address fe80::1 link-local
[FirewallA-GigabitEthernet0/2] ipv6 address 1::1 64
# Create a VRRP group 1 and set its virtual IPv6 addresses to FE80::10 and 1::10.
[FirewallA-GigabitEthernet0/2] vrrp ipv6 vrid 1 virtual-ip fe80::10 link-local
[FirewallA-GigabitEthernet0/2] vrrp ipv6 vrid 1 virtual-ip 1::10
# Configure the priority of Firewall A in VRRP group 1 as 110, which is higher than that of Firewall B (100),
so that Firewall A can become the master.
[FirewallA-GigabitEthernet0/2] vrrp ipv6 vrid 1 priority 110