Configuring routes for the upstream and downstream devices when VRRP is configured on the firewall


The next hop of the upstream and downstream devices points to the virtual IP address of the VRRP group.

Other related questions:
Is the WLAN rate the upstream or downstream rate
WLAN rate refers to the wireless rate of data transmissions between APs and STAs or between bridges and downstream nodes. Devices on both ends work in half-duplex mode, that is, they can only receive or send data at a time. The WLAN rate is the sum of upstream and downstream rates. Common users mainly use Internet access services to browse web pages, most of which is downstream traffic. In this case, the WLAN rate refers to the downstream rate.

On a hot standby network, can upstream and downstream devices be Layer-4 switches
Yes. In this situation, the firewall must use the virtual MAC address to encapsulate service packets. Otherwise, services are interrupted after active/standby switchover.

By default, the firewall uses the physical MAC address to encapsulate service packets. On hot standby networks, Layer-4 switches establish a connection status table to record the source MAC address (that is, the MAC address of the service interface on the active firewall) in the packets forwarded by the firewall. Layer-4 switches forward packets based on the connection status table. During active/standby switchover, Layer-4 switches do not automatically refresh MAC addresses in the connection status table. Therefore, packets are sent to the original active firewall if the physical MAC address is used. As a result, services are interrupted. If the virtual MAC address is used, the connection status tables on Layer-4 switches record the virtual MAC address. After active/standby switchover, Layer-4 switches can forward service packets to the new active firewall.

Corresponding to the virtual IP address, the virtual MAC address is automatically generated based on the VRID in either of the following formats:
- IPv4: 00-00-5E-00-01-{VRID}
- IPv6: 00-00-5E-00-02-{VRID}

On a service interface of the firewall, run the following commands to use the virtual MAC address to encapsulate service packets:
system-view
[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] vrrp virtual-mac enable
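The following is an added example, not part of the original page or the vendor's software: it derives the virtual MAC from a VRID in the formats given above, audits captured frames to find any still sourced from a physical MAC (the misconfiguration that breaks forwarding after switchover), and models the Layer-4 switch's stale connection status table. The firewall MAC addresses and captured frames are constructed sample data; VRID range 1..255 is assumed.

```python
"""Derive VRRP virtual MACs and check that service frames actually use them."""
import re

MAC_RE = re.compile(r"^(?:[0-9A-Fa-f]{2}[-:]){5}[0-9A-Fa-f]{2}$")


def normalize_mac(mac: str) -> str:
    """Canonical form: upper-case, hyphen-separated, as the page writes it."""
    mac = mac.strip()
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.upper().replace(":", "-")


def vrrp_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual MAC for a VRID: 00-00-5E-00-01-{VRID} (IPv4) or
    00-00-5E-00-02-{VRID} (IPv6); the last byte is the VRID in hex."""
    if not 1 <= vrid <= 255:  # assumed valid VRID range
        raise ValueError(f"VRID out of range 1..255: {vrid}")
    return f"00-00-5E-00-{'02' if ipv6 else '01'}-{vrid:02X}"


def audit_source_macs(frames, vrid: int, ipv6: bool = False) -> list:
    """Distinct source MACs of frames sent with anything other than the group's
    virtual MAC. A hit means a Layer-4 switch learns a physical MAC and will
    black-hole return traffic after an active/standby switchover."""
    expected = vrrp_virtual_mac(vrid, ipv6)
    seen = {normalize_mac(f["src_mac"]) for f in frames}
    return sorted(mac for mac in seen if mac != expected)


def survives_switchover(learned_src_mac: str, new_active_macs) -> bool:
    """Model the Layer-4 switch: it keeps the MAC it recorded and does not
    relearn on switchover, so traffic survives only if the new active
    firewall also answers to that MAC."""
    owned = {normalize_mac(m) for m in new_active_macs}
    return normalize_mac(learned_src_mac) in owned


# Constructed sample: VRID 1, two firewalls with made-up physical MACs.
FW1_PHYS, FW2_PHYS = "00-E0-FC-11-11-11", "00-E0-FC-22-22-22"
CAPTURE = [  # constructed frames, as a sniffer on the switch might show them
    {"src_mac": "00:00:5e:00:01:01", "dst_mac": "00-E0-FC-AA-AA-AA"},
    {"src_mac": FW1_PHYS, "dst_mac": "00-E0-FC-AA-AA-AA"},  # still physical
]

if __name__ == "__main__":
    print("virtual MAC:", vrrp_virtual_mac(1))
    print("frames not using it:", audit_source_macs(CAPTURE, 1))
    print("survives:", survives_switchover(FW1_PHYS, [FW2_PHYS, vrrp_virtual_mac(1)]))
```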

Configuring VRRP when the firewall has only one public address
Set the interface IP address to any private address. The active and standby interface IP addresses must be on the same network segment. Set the VRRP group address to a public address.

Default routes of firewalls
Default routes are special routes. Generally, administrators configure default static routes manually; default routes can also be generated by dynamic routing protocols, such as OSPF and IS-IS. In simple terms, a default route is used only when a packet to be forwarded does not match any other entry in the routing table. In a routing table, the default route is the route to network 0.0.0.0 with mask 0.0.0.0. Run the display ip routing-table command to check whether a default route is configured. If the destination address of a packet does not match any entry in the routing table, the packet is sent through the default route. If no default route exists and the destination address matches no entry, the packet is discarded and an Internet Control Message Protocol (ICMP) message is sent to inform the originating host that the destination host or network is unreachable.

Configuring reverse route injection on the firewall
Configuring IPSec reverse route injection (RRI) on the USG
1. Configuring IPSec reverse route injection
Run the reverse-route enable [ nexthop nexthop-address | preference preference ] command in the IPSec policy template view.
2. Note
If the headquarters needs to establish tunnels with multiple branches, you can configure the RRI function on the headquarters gateway to automatically add the routing information of the branches to the headquarters gateway. The function is equivalent to configuring a static route to each branch with the next hop set to the IP address of the tunnel interface connected to that branch. In tunnel link backup, this configuration is equivalent to specifying the tunnel interface as the outgoing interface. Static routes are required to direct traffic into the IPSec tunnels between the headquarters and branches; RRI saves the effort of manually configuring and maintaining these static routes.
3. Configuration example
system-view //Access the system view.
[sysname] ipsec policy-template abc 1 //Access the IPSec policy template view.
[sysname-ipsec-policy-template-abc-1] reverse-route enable //Enable the RRI function.
