Virtual IP address in HA- Active Passive Mode

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Announcements

Virtual IP address in HA- Active Passive Mode

L2 Linker

Hi Experts,

 

I've query about High Availability Active-Passive. As we know, interface IP addresses are same on both the firewalls and when Active device goes down, secondary firewall will take over by sending gratuitous arp to switches. So switches can learn about the new Mac addresses and traffic start forwarding. But this causes a blip in network traffic forwarding .

 

Is there any way we can configure  floating IP address/ Virtual IP address for each interfaces in Active-Passive mode like HSRP , so traffic can be forwarded without any interruption or this is supported only in Active-Active mode. Please assist.

2 REPLIES 2

L4 Transporter

I forget the name of the option, but in the High Availability settings is a fast switchover option that can be enabled.

The default has the interfaces on the passive firewall marked as "down" so there's no link with the switch. When a fail-over occurs, the interfaces are marked as "up", they negotiate a link with the switch, then do all the ARP stuff. There's about a 2 second pause in traffic while this happens.

With the fast switchover enabled, the interfaces on the passive device are "up", there's a link with the switch, but the firewall drops all traffic on those ports. When a fail-over occurs, it just does the ARP stuff and there's only a 200-400 ms blip where only a few individual packets should be lost (if even that many).

 

Edit:  fixed spelling and typos due to using a phone for the original post.

@fjwcash,

On the HA settings under 'Active/Passive Settings' you can set the 'Passive Link State' to either Shutdown or Auto. By default this will be set to "Shutdown", in this state upstream and downstream devices will not see a valid path until the passive becomes active. 

Auto will bring the interfaces on the firewall into a 'link up' state, but blocks all inbound and outbound traffic to the interfaces until the firewall becomes active. This eliminates a lot of the the failover time. The device in passive sate will not forward traffic or respond to ARP requests until the device is active. 

 

Either option is pretty save regardless of which one you select, but there are a few things to keep in mind when setting things to Auto. Layer 3 depoloyments you obviously have the advantage of GARPs (2 immediately then 8*1sec) that will update the MAC tables. 

Layer2 deplolyments you need to keep RSTP in mind. You'll want to enable RSTP on all switch interfaces that connect to the firewall (layer2 interfaces) to prevent any loops between the firewall HA members. 

  • 8659 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!