Whether the firewall supports the VRRP group virtual IP address and interface address that are on different network segments

53

Can actual interface IP addresses reside on the same network segment as virtual IP addresses in hot standby?
1. You must assign IP addresses to a physical interface before you set the virtual IP address of the VRRP group on the interface.
2. When you configure VRRP groups, ensure that the virtual IP addresses is not the IP address of any physical interface.
3. Invalid address, such as broadcast address, multicast address, or loopback address, cannot be used as the VRRP virtual IP address.
4. If the virtual IP address and the IP address of the physical interface reside on different subnets, you need to specify the subnet mask of the virtual IP address.
5. The VRID of the VRRP group cannot be the same as that configured on any other device in the same VLAN.
6. The VRIDs and virtual IP addresses of VRRP groups configured for the same interfaces on the active and standby USGs shall be the same.


Configuration on the USG6000
[USG6600-1]int vlani2
[USG6600-1-Vlanif2]ip add 172.16.1.1 24
[USG6600-1-Vlanif2]vrrp vrid 1 virtual-ip 10.1.1.1 24 active
[USG6600-1-Vlanif2]dis thi
interface Vlanif2
ip address 172.16.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 active
Configuration on the USG2000&5000
[USG5500]int vlanif10
[USG5500-Vlanif10]ip add 172.16.1.1 24
[USG5500-Vlanif10]vrrp vrid 1 virtual-ip 10.10.1.1 24 master
[USG5500-Vlanif10]dis this
interface Vlanif10
alias vlanif 10
ip address 172.16.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.10.1.1 255.255.255.0 master
#

Other related questions:
Does the AR support difference of network segments between an interface IP address and a virtual IP address of VRRP
The AR does not support difference of network segments between an interface IP address and a virtual IP address of VRRP. The IP addresses must be set to the same network segment.

For an S series switch, can the virtual IP address of the VRRP group and the secondary interface IP address be on the same network segment
For S series switches (S1700 excluded), the secondary IP address and the VRRP virtual IP address can be on the same network segment.

Whether CE series switches' VLANIF IP addresses and virtual VRRP IP addresses can be on different network segments
No.

Whether USG firewalls support IP addresses in the same network segment configured for different interfaces
The USG2000, USG5000, and USG6000 do not support IP addresses in the same network segment configured for different interfaces. However, primary and secondary IP addresses of the same interface can be in the same network segment.

Whether S series switches support ping to the virtual IP address of the VRRP group
S series switches (S1700 excluded) allow user devices to ping a virtual IP address to serve the following purposes: - Monitors the operating status of the master in a VRRP group. Monitors communication between a user device and a network connected by a default gateway using the virtual IP address. Run the vrrp virtual-ip ping enable command to enable the ping to the virtual IP address.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top