vrid VALUE

Configures the Virtual Router ID.

• Range: 1 - 255
• Default: No default value

authtype {none | simple VALUE}

Configures authentication for the given Virtual Router.

You must use the same authentication method for all Security Gateways in a Virtual Router.

• Range:
  • none - Disables authentication
  • simple <plain-text password> - Authenticates VRRP packets using a plain-text password
• Default: No default value

auto-deactivation {on | off}

When an interface is reported as DOWN, a cluster member's Priority value is reduced by the configured Priority Delta amount. If another cluster member exists with a higher Priority, it will then take over as VRRP Master to heal the network.

By default, some cluster member will be elected as VRRP Master, even if all cluster members have issues and are reporting a Priority of zero.

The auto-deactivation option can be enabled to change this behavior and ensure that no cluster member is elected as VRRP Master, if all cluster members have a Priority of zero.

When this option is enabled (on), Priority Delta should be set equal to the Priority value, so that Priority will become zero, if an interface goes down.

• Range: on, or off
• Default: off

backup-address VALUE

Configures the IPv4 address of the VRRP Backup Security Gateway.

You can define more than one address for a Virtual Router.

The backup address (Virtual IP Address) is the IP address that VRRP backs up, in order to improve network reliability. The Virtual IP Address is typically used as the default gateway for hosts on that network. VRRP ensures this IP address remains reachable, as long as at least one physical machine in the VRRP cluster is functioning and can be elected as the VRRP Master.

vmac-mode {default-vmac | extended-vmac | interface-vmac | static-vmac VALUE}

Configures how the Virtual MAC (VMAC) address is calculated for the given Virtual IP Address.

Each Virtual IP Address for a Virtual Router implies the existence of a virtual network interface.

• Range:
  • default-vmac - Generates the VMAC using the standard method described in Section 7.3 of RFC 3768.
  • extended-vmac - Generates the VMAC using an extended range of uniqueness by dynamically calculating 3 bytes of the VMAC instead of only 1.
  • interface-vmac - Configures the VMAC to use the interface hardware MAC address.
  • static-vmac <VALUE>- Configures the Virtual Router to use a specified static VMAC address.
• Default: default-vmac

Note - If you set the VMAC mode to interface-vmac or static-vmac, syslog error messages show when you restart the computer, or during VRRP failover. This is caused by duplicate IP addresses for the VRRP Master and VRRP Backup. This is expected behavior because the VRRP Master and VRRP Backups temporarily use the same Virtual IP address until they get to the VRRP Master and VRRP Backup statuses.

hello-interval VALUE

The interval in seconds, at which the VRRP Master sends VRRP advertisements. For a given Virtual Router, all VRRP cluster members should have the same value for Hello Interval.

• Range: default, or 1 - 255
• Default: 1

preempt-mode {on | off}

Configures Preempt Mode for the given Virtual Router.

When Preempt Mode is enabled, if the Virtual Router has a higher Priority than the current VRRP Master, it preempts the VRRP Master.

In Preempt Mode is disabled, all Virtual Routers that have monitored interfaces, are participating to avoid potential split-brain network topology.

For more information on the implications of disabling Preempt Mode, see the help text for the set mcvr vrid <VALUE> monitor-vrrp command.

• Range: on, or off
• Default: off

priority VALUE

Configures the Priority to use in the VRRP Master election.

This is the maximum priority that can be achieved when all monitored interfaces are up.

The VRRP cluster member with the highest Priority value will be elected as the VRRP Master. Each cluster member should be given a different Priority value, such that a specific member is the preferred VRRP Master. This will ensure consistency in the outcome of the election process.

• Range: default, or 1 - 254
• Default: 100

priority-delta VALUE

Updates the Priority Delta of the given Virtual Router.

For a given Virtual Router, the VRRP cluster member with the highest Priority is elected as the VRRP Master. For each monitored interface with a status of DOWN, the Priority Delta value is subtracted from the Virtual Router's overall Priority. Thus, the VRRP Master will be the Virtual Router having the best list of working interfaces.

The Priority Delta value should be selected such that the Priority value will not become a negative number when the Priority Delta is subtracted from it for each non-operational interface.

• Range: default, or 1 - 254
• Default: No default value

1

In the navigation tree, click High Availability > VRRP.

2

Configure the VRRP Global Settings.

3

In the Virtual Routers section, click Add.

4

In the Add Virtual Router window, configure these parameters:

• Virtual Router ID - Enter a unique ID number for this virtual router. The range of valid values is 1 to 255.
• Priority - Enter the priority value, which selects the Security Gateway that takes over in the event of a failure. The Security Gateway with the highest available priority becomes the new VRRP Master. The range of valid values 1 to 254. The default value is 100.
• Hello Interval - Optional. Enter or select the number of seconds, after which the VRRP Master sends its VRRP advertisements. The valid range is between 1 (default) and 255 seconds.
  All VRRP routers on a Security Gateways must be configured with the same hello interval. Otherwise, more than one Security Gateway can be in the VRRP Master state.
  The Hello interval also defines the failover interval (the time a VRRP Backup router waits to hear from the existing VRRP Master before it takes on the VRRP Master role). The value of the failover interval is three times the value of the Hello interval (default - 3 seconds).
• Authentication:
  • None - To disable authentication of VRRP packets
  • Simple - To authenticate VRRP packets using a plain-text password

    You must use the same authentication method for all Security Gateways in a Virtual Router.

• Priority Delta - Enter the value to subtract from the Priority to create an effective priority when an interface fails. The range is 1-254.
  If an interface fails on the VRRP Backup, the value of the priority delta is subtracted from its priority. This gives a higher effective priority to another Security Gateway member.
  If the effective priority of the current VRRP Master is less than that of the VRRP Backup, the VRRP Backup becomes the VRRP Master for this Virtual Router. If the effective priority for the current VRRP Master and VRRP Backup are the same, the gateway with the highest IP address becomes the VRRP Master.
• Auto-deactivation - When an interface is reported as DOWN, a cluster member's Priority value is reduced by the configured Priority Delta amount. If another cluster member exists with a higher Priority, it will then take over as VRRP Master to heal the network.
  By default, some cluster member will be elected as VRRP Master, even if all cluster members have issues and are reporting a Priority of zero.
  The auto-deactivation option can be enabled to change this behavior and ensure that no cluster member is elected as VRRP Master, if all cluster members have a Priority of zero.
  When this option is enabled, Priority Delta should be set equal to the Priority value, so that Priority will become zero, if an interface goes down.

5

In the Backup Addresses section, click Add.

Configure these parameters in the Add Backup Address window:

• IPv4 address - Enter the interface IPv4 address.
• VMAC Mode - For each Virtual Router, a Virtual MAC (VMAC) address is assigned to the Virtual IP address. The VMAC address is included in all VRRP packets as the source MAC address. The physical MAC address is not used.

  Select one of these Virtual MAC modes:

  • VRRP - Sets the VMAC to use the standard VRRP protocol. It is automatically set to the same value on all Security Gateways in the Virtual Router. This is the default setting.
  • Interface - Sets the VMAC to the local interface MAC address. If you define this mode for the VRRP Master and the VRRP Backup, the VMAC is different for each. VRRP IP addresses are related to different VMACs. This is because they are dependent on the physical interface MAC address of the currently defined VRRP Master.

    Note - If you configure different VMACs on the VRRP Master and VRRP Backup, you must make sure that you select the correct proxy ARP setting for NAT.

  • Static - Manually set the VMAC address. Enter the VMAC address in the applicable field.
  • Extended - Gaia dynamically calculates and adds three bytes to the interface MAC address to generate VMAC address that is more random. If you select this mode, Gaia constructs the same MAC address for VRRP Master and VRRP Backups in the Virtual Router.

    Note - If you set the VMAC mode to Interface or Static, syslog error messages show when you restart the computer, or during VRRP failover. This is caused by duplicate IP addresses for the VRRP Master and VRRP Backup. This is expected behavior because the VRRP Master and VRRP Backups temporarily use the same Virtual IP address until they get to the VRRP Master and VRRP Backup statuses.

Click OK. The new VMAC mode shows in the in the Backup Address table.

6

To remove a Backup Address, select an address and click Delete.

The address is removed from the Backup Address table.

7

Click Save.