Manualshelf

HP VPN Firewall Appliances High Availability Configuration Guide

ManualsBrandsHP ManualsComputer AccessoriesHP ProCurve Switch xl Access Controller Module
41424344454647484950
43
Virtual IP : FE80::10
1::10
Virtual MAC : 0000-5e00-0201
Master IP : FE80::1
The output shows that after Firewall A resumes normal operation, it becomes the master, and
packets sent from Host A to Host B are forwarded by Firewall A.
VRRP interface tracking configuration example
Network requirements
Firewall A and Firewall B belong to VRRP group 1 with the virtual IPv6 addresses of 1::10/64 and
FE80::10.
Host A wants to access Host B on the Internet, and learns 1::10/64 as its default gateway through
RA messages sent by the routers.
When Firewall A operates correctly, Firewall A forwards the packets that Host A sends to Host B. If
interface GigabitEthernet 0/2 through which Firewall A connects to the Internet is not available,
Firewall B forwards the packets that Host A sends to Host B.
To prevent attacks to the VRRP group from illegal users by using spoofed packets, configure the
authentication mode as plain text to authenticate the VRRP packets in VRRP group 1. Specify the
authentication key as hello.
Figure 25 Network diagram
Configuration procedure
1. Configure Firewall A:
<FirewallA> system-view
[FirewallA] ipv6
[FirewallA] interface gigabitethernet0/1
[FirewallA-GigabitEthernet0/1] ipv6 address fe80::1 link-local
[FirewallA-GigabitEthernet0/1] ipv6 address 1::1 64
# Create a VRRP group 1 and set its virtual IPv6 addresses to FE80::10 and 1::10.
[FirewallA-GigabitEthernet0/1] vrrp ipv6 vrid 1 virtual-ip fe80::10 link-local
[FirewallA-GigabitEthernet0/1] vrrp ipv6 vrid 1 virtual-ip 1::10