HP VPN Firewall Appliances High Availability Configuration Guide
• IP Address/IPv6 Address—Virtual IPv4 or IPv6 address entry of the VRRP group. The Count IP
Addrs or Count IPv6 Addrs field defines the number of virtual IPv4 or IPv6 addresses.
• Authentication Data—Authentication key. This field is used only for simple authentication and is 0
for any other authentication mode.
VRRP principles
• Routers in a VRRP group determine their roles by priority. The router with the highest priority is the
master, and the others are the backups. The master periodically sends VRRP advertisements to notify
the backups that it is working correctly, and each of the backups starts a timer to wait for
advertisements from the master.
• In preemptive mode, when a backup receives a VRRP advertisement, it compares the priority in the
packet with its own priority. If the priority of the backup is higher, the backup becomes the master.
Otherwise, it remains as a backup. In preemptive mode, a VRRP group always has the router with
the highest priority as the master for forwarding packets.
• In non-preemptive mode, a backup with higher priority than the master does not preempt the master
if the master is working correctly. The non-preemptive mode avoids frequent switchovers between the
master and backups.
• If the timer of a backup expires but the backup still has not received any VRRP advertisement, it
considers that the master has failed. In this case, the backup considers itself the master and sends
VRRP advertisements to start a new master election.
• When multiple routers in a VRRP group declare that they are the master because of inconsistent
configuration or network problems, the one with the highest priority becomes the master. If two
routers have the same priority, the one with the highest IP address becomes the master.
• When a backup router receives an advertisement, it compares its priority with the advertised priority.
If its priority is higher, it takes over as the master.
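The election rules above can be traced with a small simulation. This is an added example, not code from the HP guide or the appliance: the names Router, outranks, receive, converge and demo, the router names and the 10.0.0.x addresses are all assumptions, and advertisement timers are modeled as discrete rounds.

```python
from dataclasses import dataclass
from ipaddress import ip_address

@dataclass
class Router:
    name: str
    ip: str              # interface IP (constructed), used only as the tie-breaker
    priority: int
    preempt: bool = True
    state: str = "backup"

def outranks(prio_a, ip_a, prio_b, ip_b):
    """Higher priority wins; on equal priority the higher IP address wins."""
    return (prio_a, ip_address(ip_a)) > (prio_b, ip_address(ip_b))

def receive(router, adv_priority, adv_ip):
    """Update one router's role after it hears a single advertisement."""
    if router.state == "master":
        # Several routers claim to be master: the lower-ranked one steps down.
        if outranks(adv_priority, adv_ip, router.priority, router.ip):
            router.state = "backup"
    elif router.preempt and router.priority > adv_priority:
        # A preemptive backup with a higher priority takes over.
        router.state = "master"

def converge(routers, max_rounds=10):
    """Exchange advertisements until roles stop changing; return master names."""
    for _ in range(max_rounds):
        before = [r.state for r in routers]
        ads = [(r.name, r.priority, r.ip) for r in routers if r.state == "master"]
        if not ads:  # nothing heard: every backup's timer expires
            for r in routers:
                r.state = "master"
        for r in routers:
            for name, prio, ip in ads:
                if name != r.name:
                    receive(r, prio, ip)
        if [r.state for r in routers] == before:
            break
    return sorted(r.name for r in routers if r.state == "master")

def demo():
    """Constructed group: A=100, B=120, C=120 (C has the highest IP)."""
    def group(a_state, preempt):
        return [Router("A", "10.0.0.1", 100, state=a_state),
                Router("B", "10.0.0.2", 120, preempt),
                Router("C", "10.0.0.3", 120, preempt)]
    return (converge(group("backup", True)),   # no master yet, B and C tie
            converge(group("master", True)),   # preemptive backups
            converge(group("master", False)))  # non-preemptive backups
```

Calling demo() returns the elected master for each of the three scenarios: C wins the tie on IP address, C preempts the lower-priority master A, and A stays master when the backups are non-preemptive.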
VRRP tracking
To enable VRRP tracking, first configure the routers in the VRRP group to operate in preemptive mode, so
that the router with the highest priority always operates as the master for forwarding packets.
1. Tracking a specified interface
The interface tracking function expands the backup functionality of VRRP. It provides backup not
only when the interface to which a VRRP group is assigned fails, but also when other interfaces
(such as uplink interfaces) on the router become unavailable.
If the uplink interface of a router in a VRRP group fails, the VRRP group is usually not aware of
the failure. If the router is the master of the VRRP group, hosts on the LAN are not
able to access external networks because of the uplink failure. This problem can be solved by
tracking a specified uplink interface. If the tracked uplink Layer 3 interface (configured with an IP
address) is down or removed, the priority of the master is automatically decreased by a specified
value and a higher priority router in the VRRP group becomes the master.
2. Tracking a track entry
By monitoring a track entry, you can do the following:
○ Monitor an uplink and change the priority of the router according to the uplink state.
If the uplink fails, hosts in the LAN cannot access external networks through the router. The state
of the monitored track entry is negative and the priority of the router decreases by a specified
value. Then, a higher priority router in the VRRP group becomes the master to maintain the
proper communication between the hosts in the LAN and external networks.
○ Monitor the master on a backup.