HP VPN Firewall Appliances High Availability Configuration Guide

Configuration procedure
1. Configure Firewall A:
<FirewallA> system-view
[FirewallA] interface gigabitethernet 0/1
[FirewallA-GigabitEthernet0/1] ip address 202.38.160.1 255.255.255.0
# Create VRRP group 1 and configure its virtual IP address as 202.38.160.111.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 202.38.160.111
# Configure the priority of Firewall A in the VRRP group as 110, which is higher than that of
Firewall B (100), so that Firewall A can become the master.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 priority 110
# Configure the authentication mode of the VRRP group as simple and authentication key as hello.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 authentication-mode simple hello
# Configure the master to send VRRP packets every four seconds.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 timer advertise 4
# Configure Firewall A to operate in preemptive mode, so that it can become the master whenever
it works correctly. Configure the preemption delay as five seconds to avoid frequent status
switchover.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 5
# Set interface GigabitEthernet 0/2 on Firewall A to be tracked. Configure the amount by which
the priority value decreases to be more than 10 (30 in this example). Then when GigabitEthernet
0/2 fails, the priority of Firewall A in VRRP group 1 decreases to a value lower than 100 and
Firewall B can become the master.
[FirewallA-GigabitEthernet0/1] vrrp vrid 1 track interface gigabitethernet 0/2 reduced 30
2. Configure Firewall B:
<FirewallB> system-view
[FirewallB] interface gigabitethernet 0/1
[FirewallB-GigabitEthernet0/1] ip address 202.38.160.2 255.255.255.0
# Create VRRP group 1 and configure its virtual IP address as 202.38.160.111.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 virtual-ip 202.38.160.111
# Configure the authentication mode of the VRRP group as simple and authentication key as hello.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 authentication-mode simple hello
# Configure the master to send VRRP packets every four seconds.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 timer advertise 4
# Configure Firewall B to operate in preemptive mode, so that Firewall B can become the master
after the priority of Firewall A decreases to a value lower than 100. Configure the preemption
delay as five seconds to avoid frequent status switchover.
[FirewallB-GigabitEthernet0/1] vrrp vrid 1 preempt-mode timer delay 5
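
The following Python check is an added example, not part of the HP guide. It audits a master/backup pair for the conditions this procedure depends on: identical virtual IP, authentication and advertisement interval on both firewalls, a track reduction larger than the priority gap, and the use of simple authentication, which carries the key in cleartext in VRRP packets. The function names, finding strings and the bare-command input format are assumptions of this example.

```python
import re

# Constructed input: the VRRP commands entered on the two firewalls in steps 1 and 2.
COMMON = """vrrp vrid 1 virtual-ip 202.38.160.111
vrrp vrid 1 authentication-mode simple hello
vrrp vrid 1 timer advertise 4
vrrp vrid 1 preempt-mode timer delay 5
"""
FIREWALL_A = COMMON + """vrrp vrid 1 priority 110
vrrp vrid 1 track interface gigabitethernet 0/2 reduced 30
"""
FIREWALL_B = COMMON
DEFAULT_PRIORITY = 100  # Firewall B sets no priority; the guide gives its value as 100

PATTERNS = {
    "virtual_ip": r"virtual-ip (\S+)",
    "priority": r"priority (\d+)",
    "auth": r"authentication-mode (\S+ \S+)",
    "advertise": r"timer advertise (\d+)",
    "preempt": r"(preempt-mode)",
    "reduced": r"track interface .* reduced (\d+)",
}

def parse(config, vrid=1):
    """Extract the settings of one VRRP group from its command lines."""
    found = {}
    for name, pat in PATTERNS.items():
        m = re.search(rf"^vrrp vrid {vrid} {pat}", config, re.M)
        if m:
            found[name] = m.group(1)
    return found

def audit(master_cfg, backup_cfg):
    """Return findings for a master/backup pair (hypothetical helper)."""
    a, b = parse(master_cfg), parse(backup_cfg)
    findings = []
    # The procedure configures these three settings identically on both firewalls.
    for key in ("virtual_ip", "auth", "advertise"):
        if a.get(key) != b.get(key):
            findings.append(f"mismatch: {key}")
    # After the tracked interface fails, the master must fall below the backup.
    floor = int(a.get("priority", DEFAULT_PRIORITY)) - int(a.get("reduced", 0))
    if floor >= int(b.get("priority", DEFAULT_PRIORITY)):
        findings.append("tracked-interface failure leaves master priority >= backup")
    if "preempt" not in b:
        findings.append("no explicit preempt-mode on backup")
    if a.get("auth", "").startswith("simple "):
        findings.append("simple authentication: key sent in cleartext")
    return findings
```
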
3. Verify the configuration:
After the configuration, Host A can ping Host B successfully. To verify your configuration,
use the display vrrp verbose command.
# Display the detailed information about VRRP group 1 on Firewall A.
[FirewallA-GigabitEthernet0/1] display vrrp verbose
IPv4 Standby Information:
Run Mode : Standard