R3721-F3210-F3171-HP High-End Firewalls High Availability Configuration Guide-6PW101
 Run Method             : Virtual MAC
 Total number of virtual routers : 1
   Interface GigabitEthernet0/1
     VRID           : 1                    Adver Timer  : 5
     Admin Status   : Up                   State        : Master
     Config Pri     : 100                  Running Pri  : 100
     Preempt Mode   : Yes                  Delay Time   : 5
     Auth Type      : Simple               Key          : hello
     Virtual IP     : 10.1.1.10
     Virtual MAC    : 0000-5e00-0101
     Master IP      : 10.1.1.2
The output shows that when the link between Firewall A and Router A fails, the priority of
Firewall A decreases to 80. Firewall A becomes the backup, and Firewall B becomes the master.
Packets from Host A to Host B are forwarded through Firewall B.
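The following Python sketch is an added example, not part of the HP guide: it parses VRRP status output in the layout shown above and flags the points a reviewer would check, namely simple (cleartext) authentication, a key readable in the output, and a running priority below the configured one. The finding names and the peer sample's Config Pri of 110 are assumptions made for illustration.

```python
import re

LABELS = ["Run Method", "Total number of virtual routers", "VRID", "Adver Timer",
          "Admin Status", "State", "Config Pri", "Running Pri", "Preempt Mode",
          "Delay Time", "Auth Type", "Key", "Virtual IP", "Virtual MAC", "Master IP"]
_ALT = "|".join(re.escape(label) for label in LABELS)
# A value ends where the next known label starts or at end of line, so
# two-column rows and multi-word values ("Virtual MAC") both parse.
FIELD = re.compile(rf"\b({_ALT})\s*:\s*(.*?)(?=\s+(?:{_ALT})\s*:|\s*$)", re.M)

# Output as it appears on this page.
PAGE_OUTPUT = """\
Run Method : Virtual MAC
Total number of virtual routers : 1
Interface GigabitEthernet0/1
VRID : 1 Adver Timer : 5
Admin Status : Up State : Master
Config Pri : 100 Running Pri : 100
Preempt Mode : Yes Delay Time : 5
Auth Type : Simple Key : hello
Virtual IP : 10.1.1.10
Virtual MAC : 0000-5e00-0101
Master IP : 10.1.1.2
"""
# Constructed peer sample: State and Running Pri follow the text above;
# Config Pri 110 is an assumed value that the page does not give.
PEER_OUTPUT = PAGE_OUTPUT.replace("State : Master", "State : Backup").replace(
    "Config Pri : 100 Running Pri : 100", "Config Pri : 110 Running Pri : 80")

def parse_vrrp(text):
    """Return a dict of field label -> value, plus the interface name."""
    fields = {label: value.strip() for label, value in FIELD.findall(text)}
    match = re.search(r"^\s*Interface\s+(\S+)", text, re.M)
    fields["Interface"] = match.group(1) if match else None
    return fields

def audit_vrrp(text):
    """Return a list of finding names for one virtual router."""
    f, findings = parse_vrrp(text), []
    if f.get("Auth Type", "").lower() == "simple":
        findings.append("simple-auth")       # key travels unencrypted in advertisements
    if f.get("Key"):
        findings.append("key-in-output")     # secret readable by anyone given this output
    if int(f["Running Pri"]) < int(f["Config Pri"]):
        findings.append("priority-reduced")  # a tracked object has lowered the priority
    return findings

if __name__ == "__main__":
    for name, out in (("page", PAGE_OUTPUT), ("peer (constructed)", PEER_OUTPUT)):
        print(name, parse_vrrp(out)["State"], audit_vrrp(out))
```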
Configuring BFD for a VRRP backup to monitor the master
Network requirements
• As shown in Figure 43, Firewall A and Firewall B belong to VRRP group 1, whose virtual IP address
is 192.168.0.10.
• The default gateway of the hosts in the LAN is 192.168.0.10. When Firewall A works properly, the
hosts in the LAN access the external network through Firewall A. When Firewall A fails, the hosts in
the LAN access the external network through Firewall B.
• If BFD is not configured, when the master in a VRRP group fails, the backup cannot become the
master until the configured timeout timer expires. The timeout is generally three to four seconds,
which makes the switchover slow. To solve this problem, VRRP uses BFD to probe the state of the
master. Once the master fails, the backup can become the new master in milliseconds.