On a hot standby network, can the upstream and downstream devices be Layer-4 switches?


Yes. In this case, the firewall must use the virtual MAC address to encapsulate service packets. Otherwise, services are interrupted after an active/standby switchover.

By default, the firewall uses the physical MAC address of the service interface to encapsulate service packets. On a hot standby network, a Layer-4 switch builds a connection status table that records the source MAC address of the packets it receives from the firewall, that is, the MAC address of the service interface on the active firewall, and forwards subsequent packets of the connection based on that table. During an active/standby switchover, the Layer-4 switch does not refresh the MAC addresses in its connection status table. If the physical MAC address is used, return packets are therefore still sent to the original active firewall, which no longer forwards service traffic, and services are interrupted.

If the virtual MAC address is used, the connection status tables on the Layer-4 switches record the virtual MAC address instead. Because the new active firewall takes over the virtual MAC address after the switchover, the Layer-4 switches keep forwarding service packets to the new active firewall without any table refresh.

The virtual MAC address corresponds to the virtual IP address of the VRRP group and is generated automatically from the VRID in one of the following formats:
- IPv4: 00-00-5E-00-01-{VRID}
- IPv6: 00-00-5E-00-02-{VRID}

On a service interface of the firewall, run the following commands to use the virtual MAC address to encapsulate service packets:
<sysname> system-view
[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] vrrp virtual-mac enable

Other related questions:
On a hot standby network, which packets do upstream and downstream Layer-2 devices use to learn the port for the virtual MAC address?
The active firewall periodically sends VRRP advertisement packets whose source MAC address is the virtual MAC address of the VRRP group. The upstream and downstream Layer-2 devices learn the port mapped to the virtual MAC address from these advertisements. After a switchover, the advertisements sent by the new active firewall update that mapping to the port facing the new active firewall.
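The two behaviours described above, the Layer-4 connection table that pins a flow to a learned source MAC and the Layer-2 MAC table that is refreshed by VRRP advertisements, are easy to reason about in a small model. The following Python simulation is an added illustration for this FAQ, not Huawei code: the firewalls, switches, MAC addresses, VRID and flow tuple are constructed, and the `forwards` rule (only the active member forwards, and only the active member answers to the virtual MAC) is an assumption that matches the text. It also derives the virtual MAC from the VRID using the 00-00-5E-00-01/02-{VRID} formats given above.

```python
from dataclasses import dataclass, field


def vrrp_virtual_mac(vrid: int, ipv6: bool = False) -> str:
    """Virtual MAC derived from the VRID: 00-00-5E-00-01-{VRID} for an IPv4
    VRRP group, 00-00-5E-00-02-{VRID} for an IPv6 group."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    return f"00-00-5E-00-{2 if ipv6 else 1:02X}-{vrid:02X}"


@dataclass
class Frame:
    src_mac: str
    dst_mac: str
    flow: tuple  # constructed 4-tuple: (src_ip, dst_ip, sport, dport)


@dataclass
class Firewall:
    name: str
    physical_mac: str       # constructed address of the service interface
    vrid: int
    active: bool
    virtual_mac_enabled: bool  # models 'vrrp virtual-mac enable'

    @property
    def virtual_mac(self) -> str:
        return vrrp_virtual_mac(self.vrid)

    def service_src_mac(self) -> str:
        """MAC used to encapsulate forwarded service packets."""
        return self.virtual_mac if self.virtual_mac_enabled else self.physical_mac

    def forwards(self, frame: Frame) -> bool:
        """Assumption: only the active member forwards service traffic, and it
        owns the virtual MAC only while active."""
        return self.active and frame.dst_mac in (self.physical_mac, self.virtual_mac)


@dataclass
class Layer4Switch:
    """Connection status table keyed by flow, storing the learned next-hop MAC.
    It is NOT refreshed on active/standby switchover."""
    table: dict = field(default_factory=dict)

    def learn(self, frame: Frame) -> None:
        self.table.setdefault(frame.flow, frame.src_mac)

    def reply(self, flow: tuple, server_mac: str) -> Frame:
        rflow = (flow[1], flow[0], flow[3], flow[2])
        return Frame(src_mac=server_mac, dst_mac=self.table[flow], flow=rflow)


def simulate_switchover(virtual_mac_enabled: bool) -> bool:
    """True if return traffic still reaches the new active firewall after
    FW_A fails over to FW_B."""
    fw_a = Firewall("FW_A", "00-E0-FC-00-00-0A", 1, True, virtual_mac_enabled)
    fw_b = Firewall("FW_B", "00-E0-FC-00-00-0B", 1, False, virtual_mac_enabled)
    sw = Layer4Switch()
    server_mac = "00-E0-FC-00-00-53"
    flow = ("10.1.1.10", "192.0.2.20", 40000, 443)  # constructed client->server
    # 1. FW_A forwards the client's packet; the switch records its source MAC.
    sw.learn(Frame(fw_a.service_src_mac(), server_mac, flow))
    # 2. Switchover: FW_B becomes active and takes over the virtual MAC.
    fw_a.active, fw_b.active = False, True
    # 3. The server's reply is sent to the stale table entry.
    return fw_b.forwards(sw.reply(flow, server_mac))


@dataclass
class Layer2Switch:
    """MAC table learned from the source MAC of received frames, including the
    VRRP advertisements sourced from the virtual MAC."""
    mac_table: dict = field(default_factory=dict)

    def receive(self, frame: Frame, port: int) -> None:
        self.mac_table[frame.src_mac] = port


def vrrp_advertisement(fw: Firewall) -> Frame:
    """Advertisement as seen by a switch: source is the group's virtual MAC."""
    return Frame(fw.virtual_mac, "01-00-5E-00-00-12", ("vrrp-advert",))


def l2_port_for_virtual_mac_after_switchover() -> tuple:
    """(port learned while FW_A is active, port learned after FW_B takes over)."""
    fw_a = Firewall("FW_A", "00-E0-FC-00-00-0A", 1, True, True)
    fw_b = Firewall("FW_B", "00-E0-FC-00-00-0B", 1, False, True)
    sw = Layer2Switch()
    sw.receive(vrrp_advertisement(fw_a), port=1)   # FW_A is on port 1
    before = sw.mac_table[fw_a.virtual_mac]
    fw_a.active, fw_b.active = False, True
    sw.receive(vrrp_advertisement(fw_b), port=2)   # FW_B is on port 2
    return before, sw.mac_table[fw_b.virtual_mac]


if __name__ == "__main__":
    print("virtual MAC for VRID 1:", vrrp_virtual_mac(1))
    print("physical MAC survives switchover:", simulate_switchover(False))
    print("virtual MAC survives switchover: ", simulate_switchover(True))
    print("L2 port for virtual MAC before/after:", l2_port_for_virtual_mac_after_switchover())
```

`simulate_switchover(False)` shows the failure mode: the Layer-4 table still points at FW_A's physical MAC, so FW_B never sees the reply. With the virtual MAC enabled, the same stale entry still resolves to whichever firewall is active, and the Layer-2 model shows the port mapping moving from port 1 to port 2 as soon as FW_B's first advertisement arrives.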

Is the WLAN rate the upstream or the downstream rate?
The WLAN rate is the wireless rate of data transmission between APs and STAs, or between bridges and their downstream nodes. The devices at both ends work in half-duplex mode, that is, each can only send or receive at any given moment, so the WLAN rate is the sum of the upstream and downstream rates. Ordinary users mainly browse web pages, which is mostly downstream traffic, so in that case the WLAN rate is effectively the downstream rate.

How are routes configured on the upstream and downstream devices when VRRP is configured on the firewall?
The next hop of the routes on the upstream and downstream devices points to the virtual IP address of the VRRP group, not to the physical interface address of either firewall.

Can the standby device in a hot standby deployment be configured?
By default, configurations that can be backed up can be entered only on the active device and are synchronized automatically to the standby device; they cannot be entered on the standby device. After you run the hrp slave config enable command on the active device, the command is backed up to the standby device, which then gains permission to enter these commands. Configurations entered on the standby device are synchronized back to the active device. Configurations that cannot be backed up, such as interface IP addresses, can always be configured on the standby device.

On a hot standby network, what do the designated active device and designated standby device stand for?
On a load balancing network, both FWs are active. If both FWs synchronized commands to each other, the configurations could overwrite or conflict with each other. To manage the configurations of the two FWs centrally, you configure a designated active device and a designated standby device. On a load balancing network, the sender of configuration backups is the designated active device (identified by HRP_M) and the receiver is the designated standby device (identified by HRP_S). Configuration commands are synchronized only from the designated active device to the designated standby device, while status information is backed up in both directions. The FW whose sysname sorts first in ASCII order is the designated active device. For example, when FW_A and FW_B share the load, FW_A is the designated active device.
