Different hot standby networking modes support the mirroring and non-mirroring modes (active/standby backup and load balancing) to different degrees. Before deploying hot standby, familiarize yourself with the networking limitations.
In this networking, hot standby in mirroring mode has the following limitations. For more precautions, see Hot Standby in Mirroring Mode.
If the FWs work in mirroring mode, the VRRP backup group cannot be used to monitor interface faults. If VRRP is configured on the FWs, the mirroring mode is unavailable. After the mirroring mode is enabled, VRRP cannot be configured on the FWs.
If the FWs work in mirroring mode, they cannot use BFD to monitor remote interface faults.
This is because when the FWs work in mirroring mode, the standby FW does not send BFD packets, and the BFD state on the standby FW is always Down. If hot standby is associated with BFD, the priority of the VGMP group on the standby FW decreases by 2. In this case, when the BFD state or an interface of the active FW goes Down, the active/standby switchover is not performed.
If the FWs work in mirroring mode, they cannot use IP-link to monitor remote interface faults.
This is because when the FWs work in mirroring mode, the standby FW does not send IP-link detection packets, and the IP-link state on the standby FW is always Down. If hot standby is associated with IP-link, the priority of the VGMP group on the standby FW decreases by 2. In this case, when the IP-link state or an interface of the active FW goes Down, the active/standby switchover is not performed.
When service interfaces on the FWs work at Layer 3, connect to upstream and downstream routers, and run dynamic routing protocols with the routers, hot standby in mirroring mode cannot be configured.
This is because when the FWs work in mirroring mode, the standby FW does not send or receive route negotiation packets. As a result, the dynamic routing neighbor relationship between the FWs and the upstream and downstream routers cannot be established. During the active/standby switchover, the new active FW needs to renegotiate routes with the upstream and downstream routers. As a result, services are interrupted for a long time during the active/standby switchover.
If the FWs work in mirroring mode, they cannot use OSPF or BGP to monitor remote interface faults.
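A pre-deployment check for the mirroring-mode limitations above, as an added example that is not from the original page or the vendor: it scans a saved configuration for VRRP, BFD or IP-link tracking, and OSPF or BGP before mirroring mode is enabled. The command patterns (`vrrp vrid`, `hrp track bfd-session`, `hrp track ip-link`, `ospf`, `bgp`), the function name and the sample configuration are assumptions constructed for illustration.

```python
import re

# Assumed command spellings for illustration; adjust them to the syntax of
# the FW software version actually deployed.
MIRROR_CONFLICTS = [
    (re.compile(r"^\s*vrrp\s+vrid\s+\d+", re.I),
     "VRRP is configured; mirroring mode is unavailable with VRRP"),
    (re.compile(r"^\s*hrp\s+track\s+bfd-session\b", re.I),
     "hot standby tracks BFD; the standby FW's BFD state is always Down"),
    (re.compile(r"^\s*hrp\s+track\s+ip-link\b", re.I),
     "hot standby tracks IP-link; the standby FW's IP-link state is always Down"),
    (re.compile(r"^\s*(ospf|bgp)\s+\d+", re.I),
     "dynamic routing is configured; the standby FW does not negotiate routes"),
]

def lint_mirroring_config(config_text):
    """Return (line_number, line, reason) for each line that conflicts with mirroring mode."""
    findings = []
    for number, raw in enumerate(config_text.splitlines(), 1):
        line = raw.rstrip()
        # Skip blank lines and the '#' separators used between config sections.
        if not line or line.lstrip().startswith("#"):
            continue
        for pattern, reason in MIRROR_CONFLICTS:
            if pattern.search(line):
                findings.append((number, line.strip(), reason))
                break
    return findings

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
#
hrp enable
hrp track bfd-session 10
hrp track ip-link test
#
interface GigabitEthernet0/0/1
 ip address 10.1.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1 active
#
ospf 1
 area 0.0.0.0
  network 10.1.1.0 0.0.0.255
#
"""

if __name__ == "__main__":
    for number, line, reason in lint_mirroring_config(SAMPLE_CONFIG):
        print(f"line {number}: {line!r}: {reason}")
```

An empty result means none of the listed conflicts were found in the text that was scanned; it does not confirm that mirroring mode is otherwise suitable for the networking.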
When service interfaces on the FWs work at Layer 2 and connect to switches in the upstream and downstream directions, it is recommended that the FWs work in active/standby mode instead of in load balancing mode.
When the FWs work in load balancing mode, VLANs on the two FWs are enabled and can forward traffic. As a result, a loop occurs on the entire network. In this case, a loop prevention protocol needs to be configured on the switches to eliminate Layer 2 loops.
When service interfaces on the FWs work at Layer 2 and connect to routers in the upstream and downstream directions, the FWs can work in active/standby or load balancing mode. However, in the active/standby networking, the standby FW is not selected by using the hrp standby-device command. Instead, the standby FW is selected by configuring OSPF costs on the upstream and downstream routers to forward traffic through only one FW.
This is because when the standby FW is selected by using the hrp standby-device command, VLANs on the standby FW are disabled, and the upstream and downstream routers cannot communicate with each other. As a result, routes cannot be established. Once an active/standby switchover occurs, the new active FW cannot rapidly take over services, resulting in service interruption.