HP VPN Firewall Appliances High Availability Configuration Guide

Master IP : 10.1.1.2
The output shows that when a fault occurs on the link between Firewall A and Router A, the priority of
Firewall A decreases to 80. Firewall A becomes the backup, and Firewall B becomes the master. Packets
from Host A to Host B are forwarded through Firewall B.
Configuring BFD for a VRRP backup to monitor the master
The following matrix shows the configuration example and hardware compatibility:
Hardware                          Compatibility
F1000-A-EI/F1000-S-EI             No
F1000-E                           No
F5000                             Yes
F5000-S/F5000-C                   No
VPN firewall modules              No
20-Gbps VPN firewall modules      No
Network requirements
As shown in Figure 39, Firewall A and Firewall B belong to VRRP group 1, whose virtual IP address is
192.168.0.10.
The default gateway of the hosts in the LAN is 192.168.0.10. When Firewall A operates correctly, the
hosts in the LAN access the external network through Firewall A. When Firewall A fails, the hosts in the
LAN access the external network through Firewall B.
If BFD is not configured, when the master in a VRRP group fails, the backup cannot become the master
until the configured timeout timer expires. The timeout is generally three to four seconds, which makes the
switchover slow. To solve this problem, VRRP uses BFD to probe the state of the master. Once the master
fails, the backup can become the new master in milliseconds.
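
The timing argument above, worked through as an added example (not part of the HP guide). The VRRP formulas are those of RFC 3768; the 1-second advertisement interval is the RFC default and is assumed here, and the BFD interval and multiplier are constructed values, not this device's defaults.

```python
"""VRRP backup failure detection: advertisement timeout vs. BFD (added example).

VRRP timer formulas are those of RFC 3768 (VRRPv2). The BFD interval and
multiplier used in the demo are constructed values, not device defaults.
"""


def vrrp_master_down_ms(priority: int, adver_ms: float = 1000.0) -> float:
    """Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time."""
    if not 1 <= priority <= 254:
        raise ValueError("backup priority must be in 1..254")
    skew_ms = (256 - priority) / 256 * 1000.0  # Skew_Time is (256 - prio)/256 s
    return 3 * adver_ms + skew_ms


def bfd_detect_ms(interval_ms: int, multiplier: int) -> int:
    """BFD declares the session down after `multiplier` missed intervals."""
    if interval_ms <= 0 or multiplier <= 0:
        raise ValueError("interval and multiplier must be positive")
    return interval_ms * multiplier


def delay_after_failure(detect_ms: float, period_ms: float, offset_ms: float) -> float:
    """Time from master failure to detection on the backup.

    The detection timer restarts on every packet received, so if the master
    dies offset_ms after its last packet, only the remainder is left to run.
    """
    if not 0 <= offset_ms <= period_ms:
        raise ValueError("offset must lie within one send period")
    return detect_ms - offset_ms


def compare(priority: int, bfd_interval_ms: int, bfd_mult: int,
            adver_ms: float = 1000.0) -> dict:
    """Best/worst-case detection delay for both mechanisms, in milliseconds."""
    vrrp = vrrp_master_down_ms(priority, adver_ms)
    bfd = bfd_detect_ms(bfd_interval_ms, bfd_mult)
    return {
        "vrrp_worst_ms": delay_after_failure(vrrp, adver_ms, 0),
        "vrrp_best_ms": delay_after_failure(vrrp, adver_ms, adver_ms),
        "bfd_worst_ms": delay_after_failure(bfd, bfd_interval_ms, 0),
        "bfd_best_ms": delay_after_failure(bfd, bfd_interval_ms, bfd_interval_ms),
    }


if __name__ == "__main__":
    for prio in (1, 100, 254):  # constructed backup priorities
        print(prio, compare(prio, bfd_interval_ms=100, bfd_mult=3))
```

Across the valid backup priorities the VRRP timeout alone falls between roughly 3.0 and 4.0 seconds, which is the "three to four seconds" quoted above; the BFD figure depends only on the interval and multiplier actually negotiated.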