Re: Firewall in HA: how VRRP works?

From: Nick (
Date: 12/11/01

From: Nick <>
To: Carmelo Floridia <>
Date: 11 Dec 2001 08:35:23 -0500

OK, in a nutshell...

The 2 devices (in this case FWs) each have their own physical IP
addresses on each interface. Each *pair* of interfaces (DMZ, intranet,
etc...) has one virtual IP address that they both pay attention to.

Which application you are using will determine the method for
configuring this, but one will be defined as *primary* and one as
*backup*. The primary device will answer arp requests for the virtual
IP address. The backup sees, but will not respond to arp requests for
the virtual address that it is monitoring, unless it sees that the
primary is down. The VRRP link is how the primary/backup keep tabs on
health check

Have I forgotten anything? Anybody else chime in...

On Mon, 2001-12-10 at 12:18, Carmelo Floridia wrote:
> Hi guru,
> Assume that i have two firewalls in HA,
> each firewall has 4 interface(internet,intranet, DMZ and VRRP)
> In which way can I monitor connectivity between firewall and other 3
> networks?
> For example, if the interface of DMZ of the master firewall goes down....or
> goes down the link between master firewall and the backup take
> the control?
> best regards
> Carmelo

Network Security Consultant
Lucent Technologies/NPS
Raleigh, NC

_________________________________________________________ Do You Yahoo!? Get your free address at

Relevant Pages

  • Re: Lets talk about firewalls - what do we as a group think a firewall should be/have?
    ... part of the same network as the LAN. ... Each interface of a firewall should be distinct from ... interfaces, so a "DMZ interface" is not a requirement. ...
  • Proxy ARP and Routing
    ... some CPE from our ISP connected to a firewall. ... the public IPs on the physical DMZ network. ... packets to the host on the DMZ? ... on the DMZ interface. ...
  • Re: DMZ and VPN
    ... You can have one interface on the public network and the other ... interface on the DMZ. ... considered a firewall itself with it own firewall capabilities. ... DMZs on the same network segment/firewall NIC. ...
  • cannot access DMZ website
    ... DMZ network is ... IP address for outside interface is ... IP address for DMZ interface is ... I know this has to be some kind of firewall issue ...
  • Re: ftp problem
    ... > here is my whole firewall script ... > # No restrictions on Loopback Interface ... > # or from this gateway server destine for the public Internet. ... > # Allow out secure FTP, Telnet, and SCP ...