FAQs on Specifications

How Long Does Active/Standby Switchover Take?

The duration of active/standby switchover depends on the triggering condition.
  • If the active/standby switchover is caused by an interface or link fault, the switchover completes within milliseconds.
  • If the active/standby switchover is caused by a device failure, the switchover completes within five heartbeat intervals.

Can the Virtual IP Address of a VRRP Group Be Added to the NAT Address Pool?

Yes. If the virtual IP address of the VRRP group is the only public IP address for the intranet, you can add the virtual IP address to the NAT address pool.

Can the Virtual MAC Address Be Used as the Source MAC Address of Packets?

Yes. By default, the firewall uses the physical MAC address to encapsulate Layer-3 service packets. To use the virtual MAC address, run the vrrp virtual-mac enable command in the interface view.

On a Hot Standby Network, Can Upstream and Downstream Devices Be Layer-4 Switches?

Yes. In this situation, the firewall must use the virtual MAC address to encapsulate service packets. Otherwise, services are interrupted after active/standby switchover.

By default, the firewall uses the physical MAC address to encapsulate service packets. On hot standby networks, Layer-4 switches establish a connection status table to record the source MAC address (that is, the MAC address of the service interface on the active firewall) in the packets forwarded by the firewall. Layer-4 switches forward packets based on the connection status table. During active/standby switchover, Layer-4 switches do not automatically refresh MAC addresses in the connection status table. Therefore, packets are sent to the original active firewall if the physical MAC address is used. As a result, services are interrupted.

If the virtual MAC address is used, the connection status tables on Layer-4 switches record the virtual MAC address. After active/standby switchover, Layer-4 switches can forward service packets to the new active firewall.

Corresponding to the virtual IP address, the virtual MAC address is automatically generated based on the VRID in either of the following formats:

  • IPv4: 00-00-5E-00-01-{VRID}
  • IPv6: 00-00-5E-00-02-{VRID}

On a service interface of the firewall, you can run the following command to use the virtual MAC address to encapsulate service packets.

<sysname> system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet0/0/1] vrrp virtual-mac enable
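
As an added illustration (not Huawei code and not part of the original FAQ), the Python sketch below builds the virtual MAC address from a VRID using the two formats above, where the VRID fills the last octet in hexadecimal, and checks which MAC address a neighboring device has learned for each virtual IP address. The function names, IP addresses and MAC values are constructed for the example; the VRID range of 1 to 255 comes from the VRRP specification.

```python
import re
from ipaddress import ip_address

# Prefixes from the two formats listed above; the last octet is the VRID in hex.
PREFIXES = {4: "00005e0001", 6: "00005e0002"}

def normalize_mac(mac):
    """Reduce a MAC in any common separator style to 12 lowercase hex digits."""
    digits = re.sub(r"[-:.]", "", mac.strip()).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def vrrp_virtual_mac(vrid, version=4):
    """Build the virtual MAC for a VRID (1-255), formatted as on this page."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be in 1..255")
    digits = PREFIXES[version] + f"{vrid:02x}"
    return "-".join(digits[i:i + 2] for i in range(0, 12, 2)).upper()

def classify_mac(mac):
    """Return (ip_version, vrid) for a VRRP virtual MAC, or None otherwise."""
    digits = normalize_mac(mac)
    for version, prefix in PREFIXES.items():
        if digits.startswith(prefix) and digits[10:] != "00":
            return version, int(digits[10:], 16)
    return None

def audit(expected, observed):
    """expected: {virtual_ip: vrid}; observed: {ip: mac}. Returns [(ip, problem)]."""
    findings = []
    for ip, vrid in expected.items():
        want = vrrp_virtual_mac(vrid, ip_address(ip).version)
        seen = observed.get(ip)
        if seen is None:
            findings.append((ip, "no entry learned"))
        elif classify_mac(seen) is None:
            findings.append((ip, f"not a virtual MAC, expected {want}"))
        elif normalize_mac(seen) != normalize_mac(want):
            findings.append((ip, f"wrong virtual MAC, expected {want}"))
    return findings

# Constructed sample data (documentation IP ranges, made-up MAC values).
EXPECTED = {"192.0.2.1": 1, "198.51.100.1": 10, "2001:db8::1": 3}
OBSERVED = {"192.0.2.1": "0000-5e00-0101", "198.51.100.1": "02:00:00:aa:bb:cc",
            "2001:db8::1": "00-00-5E-00-02-03"}

if __name__ == "__main__":
    print(audit(EXPECTED, OBSERVED))
```

An entry flagged as "not a virtual MAC" is the case described above: a Layer-4 switch that recorded it keeps forwarding to the original active firewall after switchover.
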
Copyright © Huawei Technologies Co., Ltd.