If two FWs need to work in active/standby mode, the status of all VRRP groups on one FW must be set to active, and the status of all VRRP groups on the other FW must be set to standby.
As shown in Figure 1, the state of all VRRP groups on FW_A is set to active, and the state of all VRRP groups on FW_B is set to standby. Normally, the state of the VGMP group is load-balance on the two FWs, and the state of the VRRP group is determined by the configuration. Therefore, the state of the VRRP group of FW_A is Master, and the state of the VRRP group of FW_B is Backup.
Because the intranet hosts use the virtual IP address (10.0.0.1) of VRRP group 2 as their gateway, these hosts broadcast an ARP request for the MAC address of 10.0.0.1 when they access the Internet. VRRP group 2 on FW_A is in Master state and responds to the ARP requests from intranet hosts; VRRP group 2 on FW_B is in Backup state and does not respond. The MAC address table of the switch and the ARP cache tables of the hosts are updated based on the ARP reply packets from FW_A, so the traffic sent from the hosts to the Internet is diverted to FW_A for processing.
Similarly, on R1 and R2 the next hop of the route pointing to the intranet is set to the virtual IP address (10.0.1.1) of VRRP group 1, so the traffic sent from the Internet to the intranet is also diverted to FW_A for processing.
| FW_A | FW_B |
|---|---|
| `#`<br>`interface GigabitEthernet 0/0/1`<br>` vrrp vrid 2 virtual-ip 10.0.0.1 active`<br>`#`<br>`interface GigabitEthernet 0/0/3`<br>` vrrp vrid 1 virtual-ip 10.0.1.1 active` | `#`<br>`interface GigabitEthernet 0/0/1`<br>` vrrp vrid 2 virtual-ip 10.0.0.1 standby`<br>`#`<br>`interface GigabitEthernet 0/0/3`<br>` vrrp vrid 1 virtual-ip 10.0.1.1 standby` |
As shown in Figure 2, when the upstream service interface of FW_A becomes faulty, the state of VRRP group 1 on FW_A changes to Initialize. Meanwhile, the states of the VGMP groups on FW_A and FW_B change: the VGMP group on FW_A changes to standby, and the VGMP group on FW_B changes to active. FW_A and FW_B then adjust the states of their VRRP groups based on the VGMP group state. The state of VRRP group 2 on FW_A changes to Backup, and the states of VRRP groups 1 and 2 on FW_B change to Master.
When the state of the VRRP group on FW_B changes from Backup to Master, gratuitous ARP packets are broadcast. The packets carry the virtual IP address of the VRRP group and the MAC address of the interface (the virtual MAC address if the virtual MAC address function is enabled on the interface). The MAC address table of the switch and the ARP cache tables of the hosts and router are updated based on the gratuitous ARP packets. In this way, the traffic between the intranet and Internet is diverted to FW_B for forwarding.
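The following simulation is an added example, not vendor code or code from this page. It models the two mechanisms described above: the VGMP group state is derived from interface health and the VRRP group states follow the VGMP state (or the configured active/standby role when the VGMP groups are load-balancing), and a group that transitions to Master sends a gratuitous ARP that refreshes the switch MAC table and the host/router ARP caches. The interface names, MAC addresses, switch ports, the single combined LAN table for both network segments, and the exact state-derivation rules (in particular the behaviour when both firewalls are faulty) are assumptions made for the example.

```python
"""Constructed simulation of VRRP/VGMP active/standby failover and the
gratuitous ARP that redirects traffic. Interface names, MAC addresses, switch
ports and the derivation rules are assumptions, not a vendor implementation."""
from dataclasses import dataclass, field

LOAD_BALANCE, ACTIVE, STANDBY = "load-balance", "active", "standby"  # VGMP group states
MASTER, BACKUP, INITIALIZE = "Master", "Backup", "Initialize"         # VRRP group states


@dataclass
class VrrpGroup:
    vrid: int
    interface: str
    virtual_ip: str
    role: str        # "active" or "standby", as configured with 'vrrp vrid ... active|standby'
    mac: str         # MAC carried in gratuitous ARP (interface MAC; virtual MAC if that function is on)
    state: str = INITIALIZE


@dataclass
class Firewall:
    name: str
    groups: list
    link_up: dict    # interface -> bool; set False to simulate a faulty service interface
    vgmp: str = LOAD_BALANCE


def faulted(fw: Firewall) -> bool:
    return not all(fw.link_up.values())


def recompute(fw_a: Firewall, fw_b: Firewall) -> list:
    """Derive VGMP state from interface health, then VRRP state from VGMP state.
    Returns the gratuitous ARPs (firewall, virtual_ip, mac) sent by groups that
    transitioned to Master; these are what actually steer the traffic."""
    garps = []
    for fw, peer in ((fw_a, fw_b), (fw_b, fw_a)):
        if faulted(fw) == faulted(peer):
            fw.vgmp = LOAD_BALANCE   # healthy pair (assumption: also when both are faulty)
        elif faulted(fw):
            fw.vgmp = STANDBY
        else:
            fw.vgmp = ACTIVE
        for g in fw.groups:
            old = g.state
            if not fw.link_up[g.interface]:
                g.state = INITIALIZE                          # group on the faulty interface
            elif fw.vgmp == LOAD_BALANCE:
                g.state = MASTER if g.role == "active" else BACKUP  # configuration decides
            else:
                g.state = MASTER if fw.vgmp == ACTIVE else BACKUP   # VGMP state decides
            if g.state == MASTER and old != MASTER:
                garps.append((fw.name, g.virtual_ip, g.mac))
    return garps


@dataclass
class Lan:
    """Switch MAC table (MAC -> port) plus the ARP caches of hosts and routers
    (IP -> MAC), kept in one object for both segments as a simplification."""
    port_of: dict                                   # firewall name -> switch port (constructed)
    mac_table: dict = field(default_factory=dict)
    arp_cache: dict = field(default_factory=dict)

    def receive_garp(self, sender: str, virtual_ip: str, mac: str) -> None:
        self.mac_table[mac] = self.port_of[sender]  # switch learns the source MAC on the ingress port
        self.arp_cache[virtual_ip] = mac            # hosts/routers refresh the gateway entry

    def next_hop_port(self, gateway_ip: str) -> str:
        return self.mac_table[self.arp_cache[gateway_ip]]


def build_lab():
    """Topology of the page's figures with constructed MACs and switch ports."""
    fw_a = Firewall("FW_A", [VrrpGroup(2, "GE0/0/1", "10.0.0.1", "active", "00-e0-fc-0a-00-01"),
                             VrrpGroup(1, "GE0/0/3", "10.0.1.1", "active", "00-e0-fc-0a-00-03")],
                    {"GE0/0/1": True, "GE0/0/3": True})
    fw_b = Firewall("FW_B", [VrrpGroup(2, "GE0/0/1", "10.0.0.1", "standby", "00-e0-fc-0b-00-01"),
                             VrrpGroup(1, "GE0/0/3", "10.0.1.1", "standby", "00-e0-fc-0b-00-03")],
                    {"GE0/0/1": True, "GE0/0/3": True})
    lan = Lan(port_of={"FW_A": "GE1/0/1", "FW_B": "GE1/0/2"})
    return fw_a, fw_b, lan


def run_failover() -> dict:
    """Steady state, then a fault on FW_A's upstream interface (Figure 2)."""
    fw_a, fw_b, lan = build_lab()
    for garp in recompute(fw_a, fw_b):
        lan.receive_garp(*garp)
    port_before = lan.next_hop_port("10.0.0.1")
    fw_a.link_up["GE0/0/3"] = False          # upstream service interface of FW_A fails
    for garp in recompute(fw_a, fw_b):
        lan.receive_garp(*garp)
    return {
        "port_before": port_before,
        "port_after": lan.next_hop_port("10.0.0.1"),
        "vgmp": (fw_a.vgmp, fw_b.vgmp),
        "fw_a": {g.vrid: g.state for g in fw_a.groups},
        "fw_b": {g.vrid: g.state for g in fw_b.groups},
    }


if __name__ == "__main__":
    print(run_failover())
```

Running the block prints the switch port the hosts' gateway resolves to before and after the fault, together with the VGMP and VRRP states of both firewalls. Note that the gratuitous ARP is sent only by groups entering Master; the groups on FW_A that fall back to Backup or Initialize send nothing, so traffic moves solely because the tables learn the new sender.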
In conclusion, only FW_A processes the traffic between the intranet and Internet in normal conditions. FW_A and FW_B work in active/standby mode. FW_A is the active device and FW_B is the standby device. When FW_A is faulty, FW_B automatically takes over the traffic between the intranet and Internet to ensure service continuity.