
Configuring Advanced VRRP

Advanced VRRP lets you configure Virtual Routers at the interface level. This section contains only those procedures that are directly related to Advanced VRRP configuration. The general procedures for configuring VRRP clusters are included in the VRRP sections.

With Advanced VRRP, you must configure every Virtual Router to monitor every configured VRRP interface.

To change from Advanced VRRP to Monitored Circuit/Simplified VRRP:

  1. Delete all existing Virtual Routers.
  2. Create new Virtual Routers in accordance with the Monitored Circuit/Simplified VRRP procedures.

You cannot move a Backup Address from one interface to another while a Security Gateway is a VRRP Master. Do these steps to delete and add new interfaces with the necessary IP addresses:

  1. Cause a failover to the VRRP Backup.
  2. Reduce the priority, or disconnect an interface.
  3. Delete the Virtual Router on the interface.
  4. Create a new Virtual Router using the new IP address.
  5. Configure the Virtual Router as before.

Configuring Advanced VRRP - Gaia Portal

To add a Virtual Router:

  1. In the navigation tree, click High Availability > Advanced VRRP.
  2. Configure the VRRP Global Settings.
  3. In the Virtual Routers section, click Add.
  4. In the Add New Virtual Router window, configure these parameters:

    4A. Interface - Select the interface for the Virtual Router.
    4B. Virtual Router ID - Enter or select the ID number of the Virtual Router.
    4C. Priority - Enter or select the priority value.

      The priority value determines which router takes over in the event of a failure. The router with the higher priority becomes the new VRRP Master. The range of values for priority is 1 to 254. The default value is 100.

    4D. Hello Interval - Enter or select the number of seconds at which the VRRP Master sends VRRP advertisements.

      The range is 1 to 255 seconds. The default value is 1.

      All nodes of a given Virtual Router must have the same Hello Interval. If not, VRRP discards the packet and both platforms go to VRRP Master state.

      The Hello Interval also determines the failover interval, that is, how long it takes a VRRP Backup router to take over from a failed VRRP Master. If three VRRP Hello advertisements from the VRRP Master are missed, it is considered to be down. Because the minimal Hello Interval is 1 second, the minimal failover time is 3 seconds (3 * Hello Interval).

    4E. Preempt Mode - If you keep it selected (the default), when the original VRRP Master fails, a VRRP Backup system becomes the acting VRRP Master. When the original VRRP Master returns to service, it becomes VRRP Master again.

      If you clear it, when the original VRRP Master fails, a VRRP Backup system becomes the acting VRRP Master, and the original does not become VRRP Master again when it returns to service.

    4F. Auto-deactivation - If you clear it (the default), a Virtual Router with the lowest available priority (1) can become VRRP Master if no other Security Gateways exist on the network.

      If you select it, the effective priority can become 0. With this priority, the Virtual Router does not become the VRRP Master, even if there are no other Security Gateways on the network.

      If you select it, you should also configure the Priority and Priority Delta values to be equal, so that the effective priority becomes 0 if a monitored interface fails.

    4G. VMAC Mode - For each Virtual Router, a Virtual MAC (VMAC) address is assigned to the Virtual IP address. The VMAC address is included in all VRRP packets as the source MAC address. The physical MAC address is not used.

      Select the mode:

      • VRRP - Sets the VMAC according to the standard VRRP protocol. It is automatically set to the same value on all Security Gateways in the Virtual Router. This is the default setting.
      • Interface - Sets the VMAC to the local interface MAC address. If you define this mode for the VRRP Master and the VRRP Backup, the VMAC is different on each, so the VRRP IP addresses are associated with different VMACs, depending on the physical interface MAC address of the current VRRP Master.

        Note - If you configure different VMACs on the VRRP Master and VRRP Backup, you must make sure that you select the correct proxy ARP setting for NAT.

      • Static - Manually set the VMAC address. Enter the VMAC address in the applicable field.
      • Extended - Gaia dynamically calculates and adds three bytes to the interface MAC address to generate a VMAC address with an extended range of uniqueness. If you select this mode, Gaia constructs the same VMAC address on the VRRP Master and VRRP Backups in the Virtual Router.

        Note - If you set the VMAC mode to Interface or Static, syslog error messages appear when you restart the computer or during VRRP failover. They are caused by duplicate IP addresses for the VRRP Master and VRRP Backup. This is expected behavior, because the VRRP Master and VRRP Backups temporarily use the same Virtual IP address until they reach the VRRP Master and VRRP Backup states.

    4H. Authentication:

      • None - Disables authentication of VRRP packets.
      • Simple - Authenticates VRRP packets using a plain-text password.

      You must use the same authentication method for all Security Gateways in a Virtual Router.

  5. In the Backup Addresses section:

    1. Click Add.
    2. In the IPv4 address field, enter the IPv4 address.
    3. Click OK.

    To change a Backup Address, select a Backup IP address and click Edit.

    To remove a Backup Address, select a Backup IP address and click Delete.

  6. In the Monitored Interfaces section:

    1. Click Add.

      Gaia shows a warning that adding a Monitored Interface locks the interface for this Virtual Router.

    2. Click OK to confirm.
    3. In the Interface field, select the interface.
    4. In the Priority Delta field, enter or select the number to subtract from the priority.

      This gives the effective priority when an interface related to the VRRP Backup fails.

      The range is 1-254.

    5. Click OK.

    To change a Monitored Interface, select a Monitored Interface and click Edit.

    To remove a Monitored Interface, select a Monitored Interface and click Delete.

  7. Click Save.

Configuring Advanced VRRP - Gaia Clish

Description

Configure Global and Advanced VRRP settings.

Syntax

Important - After you add, configure, or delete features, run the save config command to save the settings permanently.

Parameters


accept-connections {on | off}

Controls the Accept Connections option.

This option causes packets destined to the VRRP Virtual IP Address(es) to be accepted, and any required responses to be generated.

Enabling this option enhances VRRP's interaction with network management tools, which in turn allows for faster failure detection.

This option is required for High Availability applications (for example, routing protocols), whose service is tied to a Virtual IP Address.

  • Range: on, or off
  • Default: off

coldstart-delay VALUE

Specifies the number of seconds to wait after a system cold start before VRRP becomes active, and this cluster member can be elected as VRRP Master.

  • Range: 0 - 3600
  • Default: 0

disable-all-virtual-routers {on | off}

Enables or disables all IPv4 VRRP Virtual Routers.

If disabled, the VRRP configuration is preserved and can be enabled again.

  • Range: on, or off
  • Default: off

monitor-firewall {on | off}

Enables or disables VRRP monitoring of the Security Gateway state.

If this option is enabled, and the Firewall is not ready, the cluster member will refuse to be the VRRP Master.

  • Range: on, or off
  • Default: on

interface-delay VALUE

The Interface Delay controls how long to wait (in seconds) after receiving an interface UP notification before VRRP assesses whether the related VRRP cluster member should increase its priority, and possibly become the new VRRP Master. The delay ensures that VRRP does not react to interfaces that are only momentarily active.

Note - Configure the same value for both VRRPv2 and VRRPv3 if both protocols are configured.

  • Range: 0 - 3600
  • Default: 0

interface VALUE

The name of the interface on which to enable VRRP.

authtype {none | simple VALUE}

Configures authentication for the given Virtual Router.

You must use the same authentication method for all Security Gateways in a Virtual Router.

  • Range:
    • none - Disables authentication
    • simple <plain-text password> - Authenticates VRRP packets using a plain-text password
  • Default: No default value

monitored-circuit vrid VALUE

Configures the Virtual Router ID.

  • Range: 1 - 255
  • Default: No default value

monitored-circuit vrid VALUE auto-deactivation {on | off}

When an interface is reported as DOWN, a cluster member's Priority value is reduced by the configured Priority Delta amount. If another cluster member exists with a higher Priority, it will then take over as VRRP Master to heal the network.

By default, some cluster member will be elected as VRRP Master, even if all cluster members have issues and are reporting a Priority of zero.

The auto-deactivation option can be enabled to change this behavior and ensure that no cluster member is elected as VRRP Master, if all cluster members have a Priority of zero.

When this option is enabled (on), Priority Delta should be set equal to the Priority value, so that Priority will become zero, if an interface goes down.

  • Range: on, or off
  • Default: off

monitored-circuit vrid VALUE backup-address VALUE {on | off}

Configures an IPv4 Backup Address (Virtual IP Address) for the Virtual Router.

You can define more than one address for a Virtual Router.

The backup address (Virtual IP Address) is the IP address that VRRP backs up, in order to improve network reliability. The Virtual IP Address is typically used as the default gateway for hosts on that network. VRRP ensures this IP address remains reachable, as long as at least one physical machine in the VRRP cluster is functioning and can be elected as the VRRP Master.

monitored-circuit vrid VALUE hello-interval VALUE

The interval in seconds, at which the VRRP Master sends VRRP advertisements. For a given Virtual Router, all VRRP cluster members should have the same value for Hello Interval.

  • Range: default, or 1 - 255
  • Default: 1

monitored-interface VALUE {on | off | priority-delta <default | 1 - 254>}

Configures the list of monitored interfaces names for the given Virtual Router.

  • on - Adds the interface to the list of monitored interfaces
  • off - Removes the interface from the list of monitored interfaces
  • priority-delta - Configures the Priority Delta value for the interface

When an interface fails, VRRP causes the backup cluster member to take over for that interface. The VRRP interface should also fail over when a different interface fails (if traffic is routed between the interfaces).

Otherwise, network destinations behind the failed interface become unreachable. This coordinated failover is achieved by adding all dependent interfaces to the list of monitored interfaces.

The relative importance of each monitored interface is expressed by its Priority Delta value. More important interfaces should have higher Priority Deltas. Priority Delta causes the correct failover decision, if both cluster members are experiencing failures on different interfaces.

Refer to the following commands for additional details:

  • set vrrp interface <VALUE> monitored-circuit vrid <VALUE> priority
  • set vrrp interface <VALUE> monitored-circuit vrid <VALUE> monitored-interface <VALUE> priority-delta

monitored-circuit vrid VALUE {on | off}

Creates (on) or removes (off) a VRRP Virtual Router.

monitored-circuit vrid VALUE preempt-mode {on | off}

Configures Preempt Mode for the given Virtual Router.

When Preempt Mode is enabled, if the Virtual Router has a higher Priority than the current VRRP Master, it preempts the VRRP Master.

If Preempt Mode is disabled, all Virtual Routers that have monitored interfaces participate in the election, to avoid a potential split-brain network topology.

For more information on the implications of disabling Preempt Mode, see the help text for the set mcvr vrid <VALUE> monitor-vrrp command.

  • Range: on, or off
  • Default: off

monitored-circuit vrid VALUE priority VALUE

Configures the Priority to use in the VRRP Master election.

This is the maximum priority that can be achieved when all monitored interfaces are up.

The VRRP cluster member with the highest Priority value will be elected as the VRRP Master. Each cluster member should be given a different Priority value, such that a specific member is the preferred VRRP Master. This will ensure consistency in the outcome of the election process.

  • Range: default, or 1 - 254
  • Default: 100
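The following added model (not Check Point code) shows how the priority, priority-delta and auto-deactivation parameters above combine in the election: each member's effective priority is its Priority minus the Priority Delta of every monitored interface that is down, and with auto-deactivation an effective priority of 0 keeps that member out of the election. The member names, interface names and the floor on the effective priority are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

@dataclass
class Member:
    name: str
    priority: int                 # configured Priority (1-254)
    deltas: Dict[str, int]        # monitored interface -> Priority Delta (1-254)
    auto_deactivation: bool = False
    down: Set[str] = field(default_factory=set)   # interfaces currently DOWN

    def effective_priority(self) -> int:
        """Priority minus the Priority Delta of every monitored interface that is down."""
        eff = self.priority - sum(d for ifname, d in self.deltas.items() if ifname in self.down)
        # Without auto-deactivation the lowest available priority is 1; with it the
        # priority can reach 0.  Flooring there when the deltas exceed the priority is
        # our assumption (the page only covers delta == priority).
        return max(eff, 0 if self.auto_deactivation else 1)

    def eligible(self) -> bool:
        """Effective priority 0 (auto-deactivation) means: never become VRRP Master."""
        return self.effective_priority() > 0

def elect_master(members: List[Member], current: Optional[str] = None,
                 preempt: bool = True) -> Optional[str]:
    """Name of the member that ends up VRRP Master, or None if no member may."""
    candidates = [m for m in members if m.eligible()]
    if not candidates:
        return None
    if not preempt and current in [m.name for m in candidates]:
        return current   # simplification: an eligible acting Master keeps the role
    # Highest effective priority wins; the name tie-break only keeps the result
    # deterministic (give members distinct priorities so ties do not occur).
    return max(candidates, key=lambda m: (m.effective_priority(), m.name)).name

def scenario_split_failures() -> Optional[str]:
    """Each member loses a different interface; the Priority Deltas decide."""
    a = Member("gw-a", 100, {"eth1": 50, "eth2": 40}, down={"eth2"})  # effective 60
    b = Member("gw-b", 90, {"eth1": 50, "eth2": 40}, down={"eth1"})   # effective 40
    return elect_master([a, b])

def scenario_all_down(auto_deactivation: bool) -> Optional[str]:
    """Priority Delta equals Priority and the monitored interface is down on both."""
    a = Member("gw-a", 100, {"eth1": 100}, auto_deactivation, down={"eth1"})
    b = Member("gw-b", 90, {"eth1": 90}, auto_deactivation, down={"eth1"})
    return elect_master([a, b])
```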

monitored-circuit vrid VALUE vmac-mode {default-vmac | extended-vmac | interface-vmac | static-vmac VALUE}

Configures how the Virtual MAC (VMAC) address is calculated for the given Virtual IP Address.

Each Virtual IP Address for a Virtual Router implies the existence of a virtual network interface.

  • Range:
    • default-vmac - Generates the VMAC using the standard method described in Section 7.3 of RFC 3768.
    • extended-vmac - Generates the VMAC using an extended range of uniqueness by dynamically calculating 3 bytes of the VMAC instead of only 1.
    • interface-vmac - Configures the VMAC to use the interface hardware MAC address.
    • static-vmac <VALUE> - Configures the Virtual Router to use a specified static VMAC address.
  • Default: default-vmac

set vrrp interface VALUE off

Deletes all Virtual Routers from the interface.

set virtual-router legacy off

Disables legacy VRRPv2 configuration.

Legacy Virtual Router configuration may exist due to an upgrade from an older IPSO OS configuration. For reference purposes, these settings may be preserved after upgrade, but are not supported.

Hence, you must replace all legacy virtual-router configuration commands using the equivalent monitored-circuit configuration commands.
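An added helper (not Check Point code) that range-checks one Virtual Router against the limits in the table above, enforces the auto-deactivation rule (Priority Delta equal to Priority), and composes the corresponding Clish lines. The command forms are assembled from the parameter names in this table and the two set vrrp interface commands quoted above, so the exact token order is an assumption to confirm against the gateway's Clish help; the interface, VRID and address values are constructed.

```python
from typing import Dict, List, Optional

VMAC_MODES = ("default-vmac", "extended-vmac", "interface-vmac", "static-vmac")

def _check(name: str, value: int, lo: int, hi: int) -> None:
    if not lo <= value <= hi:
        raise ValueError(f"{name}={value} is outside {lo}-{hi}")

def virtual_router_commands(iface: str, vrid: int, priority: int,
                            backup_addresses: List[str], monitored: Dict[str, int],
                            hello_interval: int = 1, preempt: bool = True,
                            auto_deactivation: bool = False, vmac_mode: str = "default-vmac",
                            simple_password: Optional[str] = None) -> List[str]:
    """Range-check one Virtual Router and return its Clish 'set vrrp' lines in order."""
    _check("vrid", vrid, 1, 255)
    _check("priority", priority, 1, 254)
    _check("hello-interval", hello_interval, 1, 255)
    for ifname, delta in monitored.items():
        _check(f"priority-delta({ifname})", delta, 1, 254)
    if vmac_mode.split(" ")[0] not in VMAC_MODES:   # static-vmac carries the address after it
        raise ValueError(f"unknown vmac-mode {vmac_mode!r}")
    # With auto-deactivation the table wants Priority Delta equal to Priority, so that
    # one monitored interface failure drives the effective priority to 0.
    if auto_deactivation and any(d != priority for d in monitored.values()):
        raise ValueError("auto-deactivation on: set every priority-delta equal to priority")
    base = f"set vrrp interface {iface} monitored-circuit vrid {vrid}"
    cmds = [f"{base} on",
            f"{base} priority {priority}",
            f"{base} hello-interval {hello_interval}",
            f"{base} preempt-mode {'on' if preempt else 'off'}",
            f"{base} auto-deactivation {'on' if auto_deactivation else 'off'}",
            f"{base} vmac-mode {vmac_mode}"]
    # 'simple' sends the password in plain text in every advertisement; the same
    # method must be used on every member of the Virtual Router.
    cmds.append(f"{base} authtype simple {simple_password}" if simple_password else f"{base} authtype none")
    cmds += [f"{base} backup-address {addr} on" for addr in backup_addresses]
    for ifname, delta in monitored.items():
        cmds.append(f"{base} monitored-interface {ifname} on")
        cmds.append(f"{base} monitored-interface {ifname} priority-delta {delta}")
    cmds.append("save config")   # settings are not permanent until saved (Important note above)
    return cmds
```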

Configuring VRRP Clusters in SmartConsole

This section includes the procedure for configuring a VRRP cluster object in SmartConsole. Only those procedures that are related to VRRP are shown here:

  1. In SmartConsole, create a new cluster object using the Classic mode.
  2. Enter the Virtual IP address as the main IP address.
  3. On the Cluster Members page, add the physical Security Gateways included in the Virtual Router.
  4. On the ClusterXL and VRRP page, select High Availability and then select VRRP from the list.
  5. Select all of the options in the Advanced settings section, including Use State Synchronization.
  6. On the Topology page, configure the cluster and member Security Gateway interfaces as required.

    Make sure that you configure the synchronization interfaces.

  7. Configure other cluster parameters as necessary.
  8. Click OK.
  9. Install the Access Control Policy.