Manualshelf

HP VPN Firewall Appliances High Availability Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module
11121314151617181920
4
Configuring VRRP
The interfaces that VRRP involves can be only Layer 3 Ethernet interfaces and subinterfaces, VLAN
interfaces, and Layer 3 aggregate interfaces unless otherwise specified.
VRRP cannot be configured on an interface of an aggregation group.
The term "router" in this document refers to both routers and routing-capable firewalls and firewall
modules.
VRRP overview
As shown in Figure 1, you can typically configure a default route with the gateway as the next hop for
every host on a LAN. All packets destined to other network segments are sent over the default route to the
gateway, which then forwards the packets. However, when the gateway fails, all the hosts that use the
gateway as the default next-hop router fail to communicate with external networks.
Figure 1 LAN networking
Configuring a default route for network hosts facilitates your configuration, but also requires high
performance stability of the device that acts as the gateway. Using more egress gateways is a common
way to improve system reliability, but introduces the problem of routing among the egresses.
Virtual Router Redundancy Protocol (VRRP) is designed to address this problem. VRRP adds a group of
routers that can act as network gateways to a VRRP group, which forms a virtual router. Routers in the
VRRP group elect a master through the VRRP election mechanism to act as a gateway, and hosts on a
LAN only need to configure the virtual router as their default network gateway.
VRRP is an error-tolerant protocol, which improves the network reliability and simplifies configurations on
hosts. On a multicast and broadcast LAN such as Ethernet, VRRP provides highly reliable default links
without configuration changes (such as dynamic routing protocols, route discovery protocols) when a
router fails, and prevent network interruption due to a single link failure.
VRRP can operate in only standard mode, which includes IETF VRRPv2 for IPv4 and VRRPv3 for IPv6. For
more information, see "VRRP standard mode."