Configuration Roadmap
1. Configure VRRP on the ARs with the virtual IP address 10.1.1.254/24.
2. Add the Layer 2 interfaces of the firewall to the same VLAN and configure the IP address 10.1.1.3/24 on the VLANIF interface.
3. Add the physical interfaces of the firewall and the VLANIF interface to a zone and configure an interzone policy.
4. Configure a static route whose next-hop address is the VRRP virtual IP address. If the link from AR1 or AR2 to the firewall goes down, services can be switched to the other link.
Configuration Files
AR1 configuration file
interface GigabitEthernet0/0/0
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet0/0/1
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.254 //Configure the virtual IP address.
vrrp vrid 1 priority 120 //Set the VRRP priority to 120 (the default priority is 100).
AR2 configuration file
interface GigabitEthernet0/0/0
ip address 192.168.1.2 255.255.255.0
#
interface GigabitEthernet0/0/2
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.254 //Configure the virtual IP address.
vrrp vrid 1 preempt-mode timer delay 20 //Set the VRRP preemption delay to 20s.
Firewall configuration file
# Create VLAN 2 and configure an IP address for VLANIF 2.
interface Vlanif2
ip address 10.1.1.3 255.255.255.0
# Switch Layer 3 interfaces of the firewall to Layer 2 interfaces and add them to a VLAN.
interface GigabitEthernet0/0/1
portswitch //Switch Layer 3 interfaces of the firewall to Layer 2 interfaces.
port link-type access
port access vlan 2
#
interface GigabitEthernet0/0/2
portswitch
port link-type access
port access vlan 2
#
interface GigabitEthernet0/0/3
ip address 2.2.2.1 255.255.255.0
# Add interfaces of the firewall to a zone and configure a security policy.
firewall zone trust
set priority 85
add interface GigabitEthernet0/0/1
add interface GigabitEthernet0/0/2
add interface Vlanif2
#
firewall zone untrust
set priority 5
add interface GigabitEthernet0/0/3
# Configure a static route where the next-hop address is the VRRP virtual IP address.
ip route-static 192.168.1.0 255.255.255.0 10.1.1.254
ip route-static 0.0.0.0 0.0.0.0 2.2.2.2
Result verification
[AR1]display vrrp
GigabitEthernet0/0/1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.254
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 0 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2015-03-24 01:15 UTC-08:00
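
The verification step above can be automated. The following Python script is an added example, not part of the original configuration guide: it parses `display vrrp` output and audits it against the intended design for AR1. The function names, the `AR1_EXPECTED` dictionary and the abridged sample text are assumptions made for illustration.

```python
import re

# Constructed input: the AR1 `display vrrp` output shown above, abridged.
SAMPLE = """\
GigabitEthernet0/0/1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.254
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
Preempt : YES Delay Time : 0 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
"""

HEADER = re.compile(r"(\S+)\s*\|\s*Virtual Router\s+(\d+)")
# One "key : value" pair; a line may hold two ("Preempt : YES Delay Time : 0 s").
PAIR = re.compile(r"([A-Za-z][A-Za-z\- ]*?)\s*:\s+(.+?)(?=\s+[A-Z][A-Za-z ]*?\s*:\s|\s*$)")

def parse_display_vrrp(text):
    """Parse one virtual-router block into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        head = HEADER.search(line)
        if head:
            fields["Interface"], fields["VRID"] = head.group(1), int(head.group(2))
            continue
        for key, value in PAIR.findall(line):
            fields[key.strip()] = value.strip()
    return fields

def audit_vrrp(fields, expected):
    """Return findings where the running state departs from the intended design."""
    findings = [f"{k}: expected {v!r}, got {fields.get(k)!r}"
                for k, v in expected.items() if fields.get(k) != v]
    # The VRRP virtual MAC is 0000-5e00-01 followed by the VRID in hex.
    mac = f"0000-5e00-01{fields.get('VRID', 0):02x}"
    if fields.get("Virtual MAC", "").lower() != mac:
        findings.append(f"Virtual MAC: expected {mac}, got {fields.get('Virtual MAC')!r}")
    if fields.get("PriorityRun") != fields.get("PriorityConfig"):
        findings.append("PriorityRun differs from PriorityConfig")
    if fields.get("Auth type", "").upper() == "NONE":
        findings.append("Auth type is NONE: advertisements are not authenticated")
    return findings

# Values taken from the AR1 configuration file above.
AR1_EXPECTED = {"State": "Master", "Virtual IP": "10.1.1.254",
                "Master IP": "10.1.1.1", "PriorityConfig": "120"}
```

Calling `audit_vrrp(parse_display_vrrp(SAMPLE), AR1_EXPECTED)` on the output above returns a single finding, for the `Auth type : NONE` line.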
