SSL HA 4.1.0 PDF

SSL Intercept
Configuring VRRP-A High Availability

Release 4.10
FireEye and the FireEye logo are registered trademarks of FireEye, Incorporated in the United States and other countries. All
other trademarks are the property of their respective owners. FireEye assumes no responsibility for any inaccuracies in this
document. FireEye reserves the right to change, modify, transfer, or otherwise revise this publication without notice.
Copyright © 2016 FireEye, Incorporated. All rights reserved.
FireEye SSL Intercept, Configuring VRRP-A High Availability
Release 4.10
Revision 1
FireEye Contact Information:
Website: www.fireeye.com
Support Email: support@fireeye.com
Phone:
United States: 877.FIREEYE (877.347.3393)
United Kingdom: 44.203.106.4828
Other: 408.321.6300
Table of Contents
Overview of VRRP-A ................................................................................................................................................. 7

VRRP-A Overview.................................................................................................................................................................7
VRRP-A Configuration ........................................................................................................................................................8
Basic VRRP-A Configuration ................................................................................................................................................................ 8
VRRP-A and Virtual Router IDs ........................................................................................................................................................... 9
Leader and Follower VRIDs ........................................................................................................................................................................... 10
VRID Virtual MAC Addresses ........................................................................................................................................................................ 10
VRRP-A, Virtual Router IDs, and Partitions ................................................................................................................................10
VRRP-A Active / Standby Device Selection.............................................................................................................. 11
VRRP-A Active Device Selection Overview .............................................................................................................................11
Event Tracking for Weight and Priority ......................................................................................................................................12
Priority Calculation .................................................................................................................................................................................13
Track Event Delay ....................................................................................................................................................................................13
Preemption .................................................................................................................................................................................................13
Preemption Delay ...................................................................................................................................................................................14
Active Device Selection Examples ...............................................................................................................................................14
VRRP-A Failover ................................................................................................................................................................. 16
Policy-Based Failover ............................................................................................................................................................................17
Dynamic Priority Reduction .............................................................................................................................................................17
Force-Self-Standby .................................................................................................................................................................................17
VRRP-A and Floating IP Addresses.............................................................................................................................. 18
VRRP-A and Configuration Synchronization........................................................................................................... 19
VRRP-A and Session Synchronization........................................................................................................................ 19
VRRP-A Interfaces ............................................................................................................................................................. 19
Explicitly Configured VRRP-A Interfaces ...................................................................................................................................20
VRRP-A Interface Types and VRRP-A State ...............................................................................................................................20
Using the GUI to Configure a VRRP-A Interface ...................................................................................................................20
Using the CLI to Configure a VRRP-A Interface ....................................................................................................................21
Preferred Receive Interface for Session Synchronization ...............................................................................................21
Deploying VRRP-A ..................................................................................................................................................23

Basic VRRP-A Deployment ............................................................................................................................................. 23
Force-Self-Standby Reload or Restart Persistence................................................................................................ 24
Viewing VRRP-A Information ........................................................................................................................................ 24
Configuring Preemption Delays.................................................................................................................................. 24
VRRP-A Configuration Examples................................................................................................................................. 25
Simple Deployment ..............................................................................................................................................................................25
Deployment with Custom Priority Settings ...........................................................................................................................26
page 3 | - 5/4/2016
SSL Intercept—Configuring VRRP-A High Availability
Contents
Configuration of Tracking Options ..............................................................................................................................................27

Ethernet Interface Tracking .......................................................................................................................................................................... 27
Trunk Tracking ...................................................................................................................................................................................................... 28
VLAN Tracking ...................................................................................................................................................................................................... 28
Gateway Tracking ............................................................................................................................................................................................... 28
Route Tracking ..................................................................................................................................................................................................... 29
Preemption Delay .............................................................................................................................................................................................. 29
Increased VLANs for VRRP-A Failover Tracking ................................................................................................................................. 29
VLAN Tracking Configuration Example ................................................................................................................................................. 30
Configuring a Leader and Follower VRID ................................................................................................................. 32
Configuration Example 1 ............................................................................................................................................................................... 32
Configuration Example 2 ............................................................................................................................................................................... 33
VRRP-A Status in CLI Prompt ........................................................................................................................................ 34
VRRP-A Policy-Based Failover Template ..........................................................................................................35

Template Rules and Partitions...................................................................................................................................... 35
Policy-Based Failover Template Rules for the Shared Partition ...................................................................................35
Policy-Based Failover Template Rules for L3V Partitions .................................................................................................36
Preemption and Levels ................................................................................................................................................... 36
Precedence Causing a Failover .................................................................................................................................... 36
Higher Weight Scenario ......................................................................................................................................................................37
Higher Priority Scenario ......................................................................................................................................................................38
Equal Weight and Priority Scenario .............................................................................................................................................38
Events Tracked for Weight via the Templates ......................................................................................................... 39
Configuring VRRP-A Policy-Based Failovers ............................................................................................................ 41
Using the GUI to Configure VRRP-A Policy-Based Failovers ..........................................................................................41
Using the CLI to Create VRRP-A Policy-Based Failovers ...................................................................................................42
Configuring Templates in the Shared Partition: .............................................................................................................................. 42
Configuring Templates in L3V Partition: ............................................................................................................................................... 43
Verifying the Fail-Over Policy Template Configuration ............................................................................................................... 43
VRRP-A CLI Commands .........................................................................................................................................47

VRRP-A Global Configuration Mode Commands .................................................................................................. 48
vrrp-a common ......................................................................................................................................................................................... 48
vrrp-a fail-over-policy-template ...................................................................................................................................................... 48
vrrp-a force-self-standby ..................................................................................................................................................................... 50
vrrp-a force-self-standby-persistent ............................................................................................................................................. 50
vrrp-a interface .......................................................................................................................................................................................... 51
vrrp-a l2-inline-peer-ip .......................................................................................................................................................................... 51
vrrp-a l3-inline-mode ............................................................................................................................................................................ 52
vrrp-a ospf-inline ...................................................................................................................................................................................... 53
vrrp-a peer-group .................................................................................................................................................................................... 53
vrrp-a preferred-session-sync-port ethernet .......................................................................................................................... 53
vrrp-a restart-port-list ............................................................................................................................................................................ 54
vrrp-a vrid ...................................................................................................................................................................................................... 54
vrrp-a vrid-lead .......................................................................................................................................................................................... 54
VRRP-A Common Configuration Mode Commands............................................................................................. 55
- 5/4/2016 | page 4
Contents
arp-retry ......................................................................................................................................................................................................... 56
dead-timer ................................................................................................................................................................................................... 56
device-id ........................................................................................................................................................................................................ 57
disable ............................................................................................................................................................................................................. 57
disable-default-vrid ................................................................................................................................................................................. 57
enable ............................................................................................................................................................................................................. 58
hello-interval ............................................................................................................................................................................................... 58
hostid-append-to-vrid .......................................................................................................................................................................... 58
inline-mode ................................................................................................................................................................................................. 59
preemption-delay ................................................................................................................................................................................... 59
restart-time .................................................................................................................................................................................................. 60
set-id ................................................................................................................................................................................................................ 60
track-event-delay ..................................................................................................................................................................................... 60
VRRP-A VRID Configuration Commands................................................................................................................... 61
blade-parameters .................................................................................................................................................................................... 61
floating-ip ..................................................................................................................................................................................................... 61
follow ............................................................................................................................................................................................................... 62
preempt-mode ......................................................................................................................................................................................... 63
VRRP-A Blade Parameter Configuration Commands ........................................................................................... 63
fail-over-policy-template ..................................................................................................................................................................... 64
priority ............................................................................................................................................................................................................. 64
tracking-options ....................................................................................................................................................................................... 65
VRRP-A Show Commands.............................................................................................................................................. 66
show vrrp-a .................................................................................................................................................................................................. 67
show vrrp-a fail-over-policy-template ........................................................................................................................................ 70
show vrrp-a hostid .................................................................................................................................................................................. 71
show vrrp-a mac ....................................................................................................................................................................................... 71
show vrrp-a setid-monitor ................................................................................................................................................................. 71
show vrrp-a statistics ............................................................................................................................................................................. 71
show vrrp-a vrid-lead ............................................................................................................................................................................ 72
page 5 | - 5/4/2016
Contents
- 5/4/2016 | page 6
Overview of VRRP-A
This chapter provides an overview of VRRP-A high availability.
The following topics are covered:
• VRRP-A Overview
• VRRP-A Configuration
• VRRP-A Active / Standby Device Selection
• VRRP-A Failover
• VRRP-A and Floating IP Addresses
• VRRP-A and Configuration Synchronization
• VRRP-A and Session Synchronization
• VRRP-A Failover
VRRP-A Overview
VRRP-A is the SSL Intercept implementation of high availability that is completely different from the industry-standard imple-
mentation of Virtual Router Redundancy Protocol (VRRP). For purposes of operational familiarity, it borrows concepts from
VRRP, but is significantly different from VRRP. VRRP-A will not inter-operate with VRRP.
VRRP-A simplifies configuration of multi-system redundancy, and allows up to eight SSL Intercept devices to serve as mutual
backups for IP addresses.
VRRP-A is supported only on SSL Intercept devices that are deployed in gateway (route) or one-armed mode. Transparent
mode deployments (inline deployments) are not supported.
VRRP-A can provide redundancy for the following IP resources:
• Virtual server IP addresses (VIPs)
• Floating IP addresses used as default gateways by downstream devices
• IPv6 NAT pools
• IPv4 NAT pools
• IPv4 static range lists and individual mappings for inside source NAT
page 7 | - 5/4/2016
VRRP-A Configuration
This section contains the following:
• Basic VRRP-A Configuration
• VRRP-A and Virtual Router IDs
• VRRP-A, Virtual Router IDs, and Partitions
Basic VRRP-A Configuration

Figure 1 illustrates a basic VRRP-A configuration with two devices.
FIGURE 1 Basic VRRP-A Configuration
This type of configuration is called Active-Standby mode, because only the active device processes traffic.
The elements in this illustration are described in Table 1.
TABLE 1 VRRP-A Basic Configuration Elements

Element Description
Set ID Unique identifier for a set of VRRP-A devices. All devices in the set must in the same Layer 2 broadcast
domain.
Device ID Unique identifier for each device within the VRRP-A set.
- 5/4/2016 | page 8
TABLE 1 VRRP-A Basic Configuration Elements

Element Description
Heartbeat The active SSL Intercept device in the VRID periodically sends hello messages to the standby SSL
Intercept device and other backup devices. The hello messages indicate that the active device for
the VRID is still operating.
If the standby device stops receiving hello messages from the active device, operation for the VRID
fails over to the standby device. The device to which operation fails over becomes the new active
device for the VRID.
VRRP-A sends hello messages to the following addresses:
• IPv4 multicast address 224.0.0.210, MAC address 01:00:5e:00:00:D2

• IPv6 link-local multicast address FF02::D2, MAC address 33:33:00:00:00:D2
To configure the heartbeat, edit the Hello Interval field on the System > VRRP-A > Global page in the
GUI, or use the hello-interval command in the CLI.
Priority Priority is used to help determine the order in which standby devices should become active devices.
For more information, see “VRRP-A Active / Standby Device Selection” on page 11.
VRRP-A and Virtual Router IDs

VRRP-A device ID, set ID, and priority can be configured per Virtual Router ID (VRID), as shown in Figure 2.
FIGURE 2 VRRP-A Configuration with VRIDs
The configuration example in Figure 2 is called Active-Active mode, because both devices can potentially process traffic on
different VIPs.
page 9 | - 5/4/2016
A VRID is a logical container grouping functional configuration elements (for example, NAT pools, virtual servers, or floating IP
addresses) together. Those elements, in turn, are picked up and processed by another device in the VRRP-A set in case of a
failover.
By default, the shared partition and each L3V partition has its own VRID. The numerical value for this default VRID is 0.
Admins with write privileges for the partition can assign a floating IP address to the partition’s VRID. Generally, the floating IP
address provides redundancy for the default gateway IP address used by downstream devices. (For more information, see
“VRRP-A and Floating IP Addresses” on page 18.)
Parameters related to selection of the active device and to failover also can be configured.
A total of 512 VRIDs can be configured; 32 on the shared partition (numbered 0-31), and 8 each on each L3V partition (num-
bered 0-7).
Leader and Follower VRIDs

With an increase in the number of configurable VRIDs to 512, you may configure a VRID as a “leader” VRID and some others as
“follower” VRIDs. The benefit of configuring the leader VRID is that when you are run the risk of consuming all your resources,
one VRID can serve as the leader and others can be configured to operate as followers. This means that only on one VRID will
you be able to configure all capabilities, such as configuring the failover policy template, the preempt mode, priority, and
tracking options, while in the follower VRID, you can only configure Floating IP Addresses.
A maximum of 512 VRIDs are supported on one device. Any time this number is exceeded, VRIDs are automatically config-
ured as follower VRIDs or can be explicitly configured to be added as a follower VRID. To configure a leader or a follower VRID.
refer to “Configuring a Leader and Follower VRID” on page 32.
VRID Virtual MAC Addresses

VRRP-A assigns a virtual MAC address to each VRID. The VRRP-A virtual MAC addresses are numbered as follows:
021f.a000.nnnn
The last 2 bytes (nnnn portion) of the address indicate the partition ID, VRRP-A set ID, and VRID.
VRRP-A, Virtual Router IDs, and Partitions

VRRP-A is supported in the shared partition and L3V partitions. Layer 3 Virtualization allows each L3V partition to have its own
VRID, independent from the VRIDs belonging to other partitions.
- 5/4/2016 | page 10
Figure 3 shows an example configuration with VRID instances spanning L3V partitions across separate physical devices.
FIGURE 3 VRRP-A Configuration with Partitions
In this example, a pair of SSL Intercept devices are configured with L3V partitions. The VIPs and other IP resources in each par-
tition are backed up by the partition’s VRID. At any given time, one of the devices is the active device for a VRID and the other
device is the standby for the VRID. For more information about how the active device is selected, see “VRRP-A Active /
Standby Device Selection” on page 11.
VRRP-A Active / Standby Device Selection

• VRRP-A Active Device Selection Overview
• Event Tracking for Weight and Priority
• Priority Calculation
• Track Event Delay
• Preemption
• Preemption Delay
• Active Device Selection Examples
VRRP-A Active Device Selection Overview

Figure 4 shows the flowchart about how a device is selected as the Active device. This process is performed per VRID.
page 11 | - 5/4/2016
FIGURE 4 VRRP-A Device Selection Flowchart
The VRRP-A device selection process consists of two levels of failover considerations:
• The weight assigned to an event.
• Priority value assigned as part of the VRRP-A deployment.
While both weight and priority are factored in to failover decisions, the weight of the VRID takes precedence over the VRID’s
priority.
Each VRID is allocated a fixed, total weight of 65534 and each event is allocated a corresponding, configurable weight of 1-
255. When the event occurs, the configured weight for the event is deducted from the total weight assigned to the VRID.
Some events (for example, when an interface goes down) are considered to be critical for a VRID and will reduce the VRID’s
weight. SSL Intercept devices that are part of the same set periodically exchange their weight information with peer SSL
Intercept devices.
VRRP-A determines the Active or Standby status based on received weight information. Based on the newly computed
weight, a failover will occur from an SSL Intercept device of a lower weight to another SSL Intercept device of a higher
weight. This concept is called preemption.
Preemption based on weight is always enabled. Preemption based on priority can be enabled or disabled.
Event Tracking for Weight and Priority

An SSL Intercept device can be configured to track VRRP-A events for weight or priority or for both. While both weight and
priority can be configured to track the exact same events, such as the state of gateways, trunks, VLANs, interfaces, or routes,
how they are accessed and assigned these values are different.
- 5/4/2016 | page 12
When you configure VRRP-A using the GUI or command line at the VRRP-A configuration level, you can specify the priority
assigned to each event. When the event occurs, the value you assign to the event will be deducted from the priority you
configure from 1-255 for the VRID of a given SSL Intercept device.
However, if you specify a value for a failed event using a VRRP-A failover template, you are configuring the weight assigned to
an event that will be deducted from a fixed total weight of 65534 assigned to every VRID for an SSL Intercept device.
The fixed total weight for a VRID is not user configurable, unlike the priority assigned the VRID for an SSL Intercept device
which is configurable. A failed event will result in a deduction of the weight assigned to the event from the fixed total weight
for the VRID. Since the weight of each VRID is tallied to figure out the weight and/or priority of an SSL Intercept device, when
multiple devices are configured with VRRP-A, this value is used to gauge the device that will serve as the Active or the
Standby device. When the weight for all VRRP-A enabled devices are unequal, the device with the highest weight will serve
as the Active device, the rest will be placed in a Standby state.
Priority Calculation
Every few seconds, VRRP-A recalculates the priority for each VRID on the active device for the VRIDs.
To calculate the priority, VRRP-A subtracts the priority values for all optional failover trigger events that have occurred from
the configured priority value. The lowest value to which the priority can be reduced is 1.
Once the link or server health is restored, the failover trigger event is no longer occurring and the priority value is not sub-
tracted during the next priority calculation.
Track Event Delay

To prevent unnecessary failovers caused by brief, temporary link or server health changes, VRRP-A uses a track event delay.
The track event delay is the number of seconds a failover-causing event must persist before failover occurs.
For example, if the track event delay is 5 seconds, and a tracked link goes down for 3 seconds, then comes back up, no
failover is triggered. Failover is triggered only if the link stays down for at least 5 seconds.
The track event delay can be from 1-tenth second to 10 seconds. The default is 3 seconds.
Preemption
Preemption allows failover to be triggered by manually changing the priority on one or more devices so that the active
device no longer has the highest priority for the VRID.
Preemption is enabled by default. If preemption is disabled, failover is not triggered by manual priority changes.
Preemption can be configured on an individual VRID basis, by shared partition admins and private partition admins.
page 13 | - 5/4/2016
Preemption Delay
If VRRP-A preemption is enabled, failover can be triggered by VRRP-A configuration changes, in addition to network changes.
By default, when preemption is enabled, failover occurs as soon as 3 seconds after an applicable configuration change takes
effect.
This release enables you to configure a delay between VRRP-A configuration changes and the failover that occurs due to the
changes.
Optionally, you can configure a preemption delay value, 1-255. The default VRRP-A preemption delay is 6 seconds (60 units of
100 ms). You can globally set the delay to a value from 100 ms (1 unit of 100 ms) to 25.5 seconds (255 units of 100 ms). Pre-
emption delay is only triggered and used when VRRP-A is configured in a multiple SSL Intercept device setup. Failover is only
triggered through priority changes. When VRRP-A is configured on 2 SSL Intercept devices, with one serving as the Active
device and the other as the Standby device, changing the priority will cause an instant failover within 1 to 3 seconds.
In deployments where many sessions are synchronized, setting the preemption delay to a longer value can help ensure
there is time for session synchronization to be completed before failover.
For more information about configuring preemption delays, see “Configuring Preemption Delays” on page 24.
Active Device Selection Examples

One device in the VRRP-A set can be active at any given time for a given partition’s VRID. The active device for a given VRID is
selected based on VRRP-A priority. The device with the highest VRRP-A priority for a VRID becomes the active device for that
VRID. Each VRID has its own priority value, which can be 1-255. The default is 150. Figure 5 shows an example.
FIGURE 5 Selection of Active Device
In this example, the priority of VRID 0 is set to 255 for the shared partition and partition CorpB on device 1, and for partitions
CorpA and CorpC on device 2. The active/standby state of each VRID on each device is based on these priority settings. The
“A” in the illustration denotes the active
If more than one device has the highest priority value, the device with the lowest device ID becomes the active device. For
example, if the VRID priority is left set to the default value on all devices, device 1 becomes the active device for the VRID.
- 5/4/2016 | page 14
VRRP-A selects the device that has the second-highest priority for a VRID as the standby device for the VRID. In VRRP-A
deployments on more than 2 devices, if more than one device has the second-highest priority value, the device with the
lowest device ID becomes the standby device. Figure 6 shows an example.
FIGURE 6 Selection of Standby Device
The priority for VRID 0 in partition CorpB is set to 255 on device 1 but is left to its default value on the other devices. Since
device 2 is has the lowest device ID number among the remaining devices, device 2 becomes the standby for the VRID
(denoted by “S” in the illustration). The other devices are backups (denoted by “B” in the illustration).
If session synchronization is enabled, sessions are copied from device 1 to device 2. If a failover occurs, device 2 becomes the
active device and device 1 becomes the standby device. Sessions are not synchronized to the backups.
If the standby device becomes unavailable or its priority value is reduced below the priority value on another backup device,
the other device becomes the new standby for the VRID, as shown in Figure 7.
page 15 | - 5/4/2016
FIGURE 7 Selection of New Standby Device
NOTE: In VRRP-A deployments of 3 or more devices, moving the active role to a backup other
than the standby can cause loss of synchronized sessions, since sessions are synchro-
nized only from the active device to the standby device.
To avoid loss of sessions in this case, first change the priority on the backup so that it will
assume the role of standby. Then, when VRRP-A fails over, the standby will have the syn-
chronized sessions.
VRRP-A Failover
Failover of a VRID from the active SSL Intercept device to the standby SSL Intercept device can be triggered by any of the fol-
lowing events:
• The standby SSL Intercept device stops receiving VRRP-A hello messages from the active SSL Intercept device.
• The VRRP-A priority on the active device is dynamically reduced below the priority on the standby device. The priority
can be dynamically reduced when a tracked default gateway, data port, or VLAN goes down, a tracked route is not in
the data route table, or a VIP’s real server fails its health check.
• The VRRP-A priority on the active device is manually reduced below the priority on the standby device by an adminis-
trator, and preemption is enabled.
• The force-self-standby option is used on the active device by an administrator.
- 5/4/2016 | page 16
Policy-Based Failover
VRRP-A provides flexible event tracking and policy-based failover support through configurable templates. This feature
allows policy-based failover even when VRRP-A preemption is disabled and the SSL Intercept device typically would remain
in a Active state, despite VRID priority changes. It allows for event-based failover once a tracked event occurs.
For more information, see “VRRP-A Policy-Based Failover Template” on page 35.
Dynamic Priority Reduction

Depending on configuration, failover can be triggered even if the active device is still operational. For each VRID, each device
begins with a statically configured priority for the VRID.
You can configure the priority of a VRID to be dynamically reduced based on changes in system or network conditions. For
example, you can configure link tracking on an Ethernet port. If the link goes down, the VRID priority on the device is
reduced by the configured amount. Figure 8 shows an example.
FIGURE 8 Failover Based on Dynamic Priority Reduction
In this example, link tracking is enabled for Ethernet port 6, and configured to reduce the VRID priority by 155 if the link goes
down. Device 1 has the higher configured priority value for VRID 0 in partition CorpB, and is the active device. However, if the
link on Ethernet port 6 goes down, the priority is dynamically reduced below the priority value on device 2. Device 2 there-
fore becomes the active device for the VRID.
See “Events Tracked for Weight via the Templates” on page 39 for a summary of events that can be tracked.
By default, none of the dynamic failover triggers are configured. They can be configured on an individual partition basis.
Force-Self-Standby
The force-self-standby option provides a simple method to force a failover, without the need to change VRID priorities and
use preemption.
page 17 | - 5/4/2016
The option can be entered by shared partition admins and private partition admins. If entered in the shared partition, the
option applies to all VRIDs on the device. If entered in a private partition, the option applies to all VRIDs within that partition
but does not affect VRIDs in other partitions.
The option remains in effect until one of the other failover triggers occurs or the device is reloaded or rebooted. The option is
not added to the configuration and does not persist across reloads or reboots.
VRRP-A and Floating IP Addresses

VRRP-A supports use of floating IP addresses. Floating IP addresses can reside on any device in the VRRP-A set, and always
reside on the device that is currently active. Because floating IP addresses are always reachable regardless of the VRRP-A
states of individual devices, the floating IP addresses provide network stability.
In a typical VRRP-A deployment, floating IP addresses are configured for each of the SSL Intercept device interfaces that are
used as nexthop interfaces by other devices. Figure 9 shows a simple example.
FIGURE 9 Floating IP Address
In this example, a device uses SSL Intercept device IP address 10.8.8.6 as its default gateway. This address is configured as a
floating IP address on the SSL Intercept device, and always resides on the active VRRP-A device.
Because the address is configured as a floating IP address on the SSL Intercept device, the address remains reachable by the
client even if a VRRP-A failover occurs. For example, if VRRP-A fails over from device 1to device 2, then the floating IP address
also moves to device 2.
NOTE: A floating IP address can not be the same as an address that already belongs to a device.
For example, the IP address of an SSL Intercept device interface can not be a floating IP
address.
- 5/4/2016 | page 18
Advertisement of the Floating IP MAC Address After Failover

When a floating IP address moves from one SSL Intercept device to another following failover, the MAC address associated
with the floating IP address changes.
To help other devices find a floating IP address following failover, the new active SSL Intercept device sends IPv4 gratuitous
ARPs (for an IPv4 floating IP address) or ICMPv6 neighbor advertisements (for an IPv6 floating IP address). The other devices in
the network learn the new MAC address from the gratuitous ARPs or neighbor advertisements.
VRRP-A and Configuration Synchronization

VRRP-A supports the following method of configuration synchronization:
• Manual – See “Configuring Preemption Delays” on page 24.
VRRP-A and Session Synchronization

VRRP-A uses one active device and one standby device for a given VRID. If session synchronization (also called connection
mirroring) is enabled, the active device backs up active sessions on the standby device.
Session synchronization applies primarily to Layer 4 sessions. Session synchronization does not apply to DNS sessions. Since
these sessions are typically very short-lived, there is no benefit to synchronizing them. Likewise, session synchronization does
not apply to NATted ICMP sessions or to any static NAT sessions. Synchronization of these sessions is not needed since the
newly active device will create a new flow for the session following failover.
Session synchronization is disabled by default and can be enabled on individual virtual ports.
VRRP-A Interfaces
VRRP-A sends hello messages and session synchronization messages on the SSL Intercept device’s VRRP-A interfaces.
Each SSL Intercept device providing VRRP-A for a VRID must have at least one Up Ethernet interface that can reach the other
SSL Intercept devices. If an SSL Intercept device can not receive hello messages from the other devices for the VRID, the SSL
Intercept device's VRRP-A state becomes Active. In this case, there is more than one active VRRP-A device for the same VRID,
which is invalid. One of the active VRRP-A devices is the SSL Intercept device that does not have a connection to the other
devices. The other active VRRP-A device is the SSL Intercept device that can still reach the other SSL Intercept devices
(standby VRRP-A devices).
By default, no VRRP-A interfaces are explicitly configured. In this case, VRRP-A uses all Up Ethernet interfaces to send and lis-
ten for hello messages. For an interface that belongs to more than 1 VLAN, the SSL Intercept device uses the lowest VLAN ID
to which the interface belongs.
If a data interface has both IPv4 and IPv6 addresses, the primary IPv4 address is used.
page 19 | - 5/4/2016
Admins with write privileges for the shared partition can explicitly specify the SSL Intercept device interfaces to use as VRRP-
A interfaces. In this case, the specified interfaces are used as VRRP-A interfaces by the shared partition and all L3V parti-
tions.
Explicitly Configured VRRP-A Interfaces

Optionally, you can explicitly configure individual interfaces to act as VRRP-A interfaces. In this case, the SSL Intercept device
uses only the configured VRRP-A interfaces for hello messages.
For individual L3V partitions, the interface requirement differs depending on whether VRRP-A interfaces are explicitly config-
ured:
• If no VRRP-A interfaces are explicitly configured (the default situation), each L3V partition must have at least one
Ethernet interface that can reach the other L3V partitions for the VRID.
• If at least one interface in the shared partition is explicitly configured as an VRRP-A interface, that interface is used for
the shared partition's VRID hello messages, and for the hello messages of all the VRIDs in the L3V partitions.
VRRP-A Interface Types and VRRP-A State

Changes to the state of a VRRP-A interface can trigger a failover. By default, the VRRP-A state of an interface can be Up or
Down. Optionally, you can specify the VRRP-A interface type as one of the following:
• Server interface – A real server can be reached through the interface.
• Router interface – An upstream router (and ultimately, clients) can be reached through the interface.
• Both – Both a server and upstream router can be reached through the interface.
NOTE: In the current release, the interface type is informational only. This setting does not
affect VRRP-A operation or interface tracking.
Using the GUI to Configure a VRRP-A Interface

To use the GUI to configure a VRRP-A interface:
1. Hover over System in the menu bar, the select VRRP-A.
2. Select the VRRP-A Interface tab, then select the interface type you want to enable from the drop-down list.
3. For the interface you want to enable for VRRP-A, click Edit in the Actions column.
4. On the Update VRRP-A Interface page, select the options you want to configure for the VRRP-A interface.
You can enable or disable VRRP-A, or set the interface type and state (see “VRRP-A Interface Types and VRRP-A State” on
page 20).
- 5/4/2016 | page 20
For specific information about the fields on this screen, refer to the online help.
Using the CLI to Configure a VRRP-A Interface

Use the vrrp-a interface command to configure a VRRP-A interface. For example, to configure ethernet interface 2 as the
VRRP-A interface:
hostname(config)#vrrp-a interface ethernet 2

hostname(config-ethernet:2)#
Then, you can configure the interface type and state. The following example allows both upstream routers and real servers to
be reached through this interface, and assign the interface to VLAN 2:
hostname(config-ethernet:2)#both vlan 2
See “vrrp-a interface” on page 51 for more details.
Preferred Receive Interface for Session Synchronization

By default, VRRP-A on a backup device automatically selects the Ethernet interface on which to receive synchronized ses-
sions. The SSL Intercept device provides an option that enables you to specify the Ethernet interface(s) on which it is pre-
ferred to receive synchronized sessions.
Using the GUI to Configure the Session Synchronization Interface for VRRP-A
1. Hover over System in the menu bar, then select VRRP-A.
2. Click the Settings tab and select Global; this should be the active page by default.
3. Near the bottom of the page, expand the Session Sync Port category to display the configuration area for the feature.
page 21 | - 5/4/2016
4. Select “Ethernet” from the Interface Type drop-down list.
5. Specify the interface number in the Interface field.
6. If the interface belongs to more than one VLAN, specify the VLAN ID in the VLAN field.
7. Click Add.
8. Repeat for an additional interfaces.
9. Click OK.
Using the CLI to Configure the Session Synchronization Interface for VRRP-A
To specify the Ethernet interface on which to receive synchronized sessions, use the vrrp-a preferred-session-sync-port eth-
ernet command on the device that you want to receive the session information.
For example, if you want to receive session information on Ethernet port 2 on device HOST-2:
HOST-2(config)#vrrp-a preferred-session-sync-port ethernet 2
- 5/4/2016 | page 22
Deploying VRRP-A
This chapter provides examples of VRRP-A deployment.
The following are covered:
• Basic VRRP-A Deployment
• Force-Self-Standby Reload or Restart Persistence
• Viewing VRRP-A Information
• Configuring Preemption Delays
• VRRP-A Configuration Examples
• Configuring a Leader and Follower VRID
• VRRP-A Status in CLI Prompt
Basic VRRP-A Deployment

Basic VRRP-A deployment requires only the following steps on each SSL Intercept device:
1. Specify the VRRP-A device ID and set ID, then enable VRRP-A using the enable command:
hostname(config)#vrrp-a common
hostname(config-common)#device-id 5
hostname(config-common)#set-id 10
hostname(config-common)#enable
hostname-Active(config-common)#exit
hostname-Active(config)#
You can specify a device ID from 1-8, and a set ID from 1-15. Note that the prompt is updated to reflect whether the
device is a standy device, or the active device.
2. As needed, configure floating IP addresses for individual VRIDs.
The following example configures a floating IP address (192.168.9.9) for VRID 13:
hostname-Active(config)#vrrp-a vrid 13
hostname-Active(config-vrid:13)#floating-ip 192.168.9.9
page 23 | - 5/4/2016
Force-Self-Standby Reload or Restart Persistence

If the force-self-standby option is selected via the CLI, this feature will allow a single partition, multiple partitions, or the
device to remain in a forced self-standby state even though the device or partition goes through a reload or device restart.
To place VRRP-A VRID 2 into a forced-self-standby state, issue the following command:
hostname(config)#vrrp-a force-self-standby vrid 2
To place VRID 2 in a self-standby state even after a restart or reload, use the following command:
hostname(config)#vrrp-a force-self-standby-persistent vrid 2
If you issue the vrrp-a force-self-standby command, the partition or device will not be placed in a force-self-standby state
after the device reload or restart completes. You must configure self-standby with vrrp-a force-self-standby-persistent to
have your device retain its self-standby state after a future reload or restart operation.
To place all VRIDs in partition (partA) in self-standby state even after a restart or reload, execute the following command in
partition “partA:”
hostname[partA](config)#vrrp-a force-self-standby
Viewing VRRP-A Information

To view VRRP-A configuration information and statistics, use the commands described in “VRRP-A Show Commands” on
page 66.
Configuring Preemption Delays

• Using the GUI to Configure VRRP-A Preemption Delay
• Using the CLI to Configure VRRP-A Preemption Delay
Using the GUI to Configure VRRP-A Preemption Delay

1. Hover over System in the menu bar, then select VRRP-A.
2. Verify that the path under the Settings tab is System >> VRRP-A >> Global; if not, click the Settings tab and select
Global from the drop-down list.
3. Edit the value in the Preemption Delay field, to a value from 1-255. The default VRRP-A preemption delay is 6 seconds
(60 units of 100 ms). You can globally set the delay to a value from 100 ms (1 unit of 100 ms) to 25.5 seconds (255 units
of 100 ms).
4. Click OK.
- 5/4/2016 | page 24
Using the CLI to Configure VRRP-A Preemption Delay

To configure the VRRP-A preemption delay, use the preemption-delay command at the VRRP-A common configuration level
of the CLI.
VRRP-A Configuration Examples

The following sections show configuration examples for VRRP-A. The first example shows a very basic deployment using the
minimum required commands. The second example includes priority configuration changes and tracking.
Simple Deployment
The following commands deploy VRRP-A on a set of 4 SSL Intercept devices.
Commands on hostname-1
Enter the following commands on hostname-1:
hostname-1(config)#vrrp-a common
hostname-1(config-common)#device-id 1
hostname-1(config-common)#set-id 1
hostname-1(config-common)#enable
hostname-2(config-common)#vrrp-a device-id 2
hostname-2(config-common)#vrrp-a set-id 2
page 25 | - 5/4/2016
Deployment with Custom Priority Settings

The following commands configure VRRP-A on two SSL Intercept devices, with the priority settings shown in Figure 5 on
page 14.
• On device hostname-1, the priority value is set to 255 on the shared partition’s VRID 0 and partition CorpB’s VRID 0.
The priority value is left set to its default (150) for CorpA and CorpC; the priority does not need to be set since this is
the default value.
• On device hostname-2, the priority value is set to 255 on the default VRIDs in partitions CorpA and CorpC. The prior-
ity value is left set to its default (150) for the shared partition and for CorpB; the priority does not need to be set since
this is the default value.
These commands also configure a floating IP address for each VRID. Figure 5 on page 14 does not include the floating IP
addresses. (For more on floating IP addresses, see “VRRP-A and Floating IP Addresses” on page 18.)
hostname-1(config-common)#exit
hostname-1(config)#vrrp-a vrid 0
hostname-1(config-vrid:0)#floating-ip 10.10.10.2
hostname-1(config-vrid:0)#blade-parameters
hostname-1(config-vrid:0-blade-parameters)#priority 255
hostname-1(config-vrid:0-blade-parameters)#exit
hostname-1(config-vrid:0)#exit
hostname-1(config)#
hostname-1(config)#active-partition CorpB
Current active partition: CorpB
hostname-1[CorpB](config)#vrrp-a vrid 0
hostname-1[CorpB](config-vrid:0)#floating-ip 30.30.30.2
hostname-1[CorpB](config-vrid:0)#blade-parameters
hostname-1[CorpB](config-vrid:0-blade-parameters)#priority 255
hostname-1[CorpB](config-vrid:0-blade-parameters)#exit
hostname-1[CorpB](config-vrid:0)#exit
hostname-1[CorpB](config)#
- 5/4/2016 | page 26
hostname-2(config-common)#exit
hostname-2#active-partition CorpA
Current active partition: CorpA
hostname-2[CorpA]#config
hostname-2[CorpA](config)#vrrp-a vrid 0
hostname-2[CorpA](config-vrid:0)#floating-ip 20.20.20.2
hostname-2[CorpA](config-vrid:0)#blade-parameters
hostname-2[CorpA](config-vrid:0-blade-parameters)#priority 255
hostname-2[CorpA](config-vrid:0-blade-parameters)#exit
hostname-2[CorpA](config-vrid:0)#exit
hostname-2[CorpA](config)#
hostname-2[CorpA](config)#active-partition CorpC
Currently active partition: CorpC
hostname-2[CorpC](config)#vrrp-a vrid 0
hostname-2[CorpC](config-vrid:0)#floating-ip 40.40.40.2
hostname-2[CorpC](config-vrid:0)#blade-parameters
hostname-2[CorpC](config-vrid:0-blade-parameters)#priority 255
hostname-2[CorpC](config-vrid:0-blade-parameters)#exit
hostname-2[CorpC](config-vrid:0)#exit
hostname-2[CorpC](config)#
Configuration of Tracking Options

The following commands configure VRRP-A tracking options. For simplicity, commands for only a single device are shown.
More information about these commands can be found in “VRRP-A VRID Configuration Commands” on page 61.
Ethernet Interface Tracking

The following command configures tracking of Ethernet port 1. If the port’s link goes down, 100 is subtracted from the VRID’s
priority value.
hostname(config)#vrrp-a vrid 1
hostname(config-vrid:1)#blade-parameters
hostname(config-vrid:1-blade-parameters)#tracking-options
hostname(config-vrid:1-blade-parameters-track...)#interface ethernet 1 priority-cost 100
page 27 | - 5/4/2016
Trunk Tracking
The following commands configure the SSL Intercept device to track the status of a trunk (but not ports within the trunk).
The VRRP-A protocol will reduce the priority of the device by 100 if the trunk goes down.
hostname(config-vrid:1-blade-parameters-track...)#trunk 1 priority-cost 100
The following commands configure the SSL Intercept device to track the status of a trunk, as well as the status of ports within
the trunk. If trunk 2 goes down, the priority of the associated VRID is reduced by 150. If a port within the trunk goes down,
the priority of the associated VRID is reduced by 40.
hostname(config-vrid:2-blade-parameters-track...)#trunk 2 priority-cost 150 per-port-pri
40
VLAN Tracking
The following command configures tracking of VLAN 69. If the VLAN is quiet for more than 30 seconds, 50 is subtracted from
the VRID priority.
hostname(config-vrid:1-blade-parameters-track...)#vlan 69 timeout 30 priority-cost 50
The current release provides enhanced VLAN tracking capabilities. For details on this capability, refer to “Increased VLANs for
VRRP-A Failover Tracking” on page 29 for details.
Gateway Tracking
The following commands configure tracking of gateway 10.10.10.1. If the gateway stops responding to pings, 100 is sub-
tracted from the VRID’s priority value.
hostname(config)#health monitor gatewayhm1

hostname(config-health:monitor)#method icmp
hostname(config-health:monitor)#exit
hostname(config)#slb server gateway1 10.10.10.1
hostname(config-real server)#health-check gatewayhm1
hostname(config-real server)#exit
- 5/4/2016 | page 28
hostname(config-vrid:0-blade-p[arameters-track...)#gateway 10.10.10.1 priority-cost 100
Route Tracking
The following command configures tracking of routes to destination network 3000::/64. If the IPv6 route table does not con-
tain any routes to the destination, 105 is subtracted from the VRID priority.
hostname(config-vrid:0-blade-parameters-track...)#route 3000::/64 priority-cost 105
The following commands configure tracking of routes to destination network 5000::/64. If the IPv6 route table does not con-
tain any routes to the destination, 80 is subtracted from the VRID priority.
hostname(config-vrid:1-blade-parameters-track...)#route 5000::/64 priority-cost 80
Preemption Delay
The following commands configure the desired preemption delay value of 200 milliseconds:
hostname(config-common)#preemption-delay 200
Increased VLANs for VRRP-A Failover Tracking

The VRRP-A failover tracking feature supports an increased number of VLANs. The weight (as assigned using failover policy
templates—for details refer to “VRRP-A Policy-Based Failover Template” on page 35) or priority assigned to the VLAN tracked
event will be used in calculations that will impact VRRP-A failover decisions. In previous releases, only tracking of 5 VLANs per
partition was possible. Currently, 64 VLANs can be tracked per L3V partition.
If VRRP-A stops detecting traffic on a VLAN, VRRP-A reduces the priority for the VRID. The priority value to subtract can be
specified individually for each VLAN.
To configure VLAN tracking use the following command:
vlan vlan-id timeout timeout-value priority-cost value
SSL Intercept provides two ways to track VLANs for VRRP-A:
• Using the priority tracking option—The tracking option performs failover by decreasing a VRID's priority value.
• Using failover policy templates—The failover policy template performs failover by decreasing a VRID's weight value.
You can track a total of 64 different VLANs in three possible ways:
• Configure all 64 VLANs that can be tracked using tracking options.
page 29 | - 5/4/2016
• Configure all 64 VLANs that can be tracked using a single failover policy template or split over multiple templates.
• Configure a mix of both options mentioned above. That is configure 32 VLANS using the tracking option and config-
ure the remaining 32 VLANs using a failover policy template.
NOTE: Tracking options and the failover policy template can track the same VLANs. For exam-
ple, you configure 64 VLANs using the tracking option. You can also configure tracking
of 64 of the same VLANs using a fail-over-policy template. In essence, you are still only
tracking 64 VLANs.
VLAN Tracking Configuration Example

After you have enabled VRRP-A on the devices, set the VRRP-A VRID, and then to set VLAN tracking-options for 64 VLANs
based on their priority cost:
vrrp-a vrid 31
blade-parameters
tracking-options
vlan 1000 timeout 30 priority-cost 1
- 5/4/2016 | page 30

The following example shows how 11 VLANs of differing timeout values and weights are being tracked in a failover template
called test.
!
vrrp-a fail-over-policy-template test
vlan 222 timeout 50 weight 100
page 31 | - 5/4/2016

!
Configuring a Leader and Follower VRID

Configuration Example 1
To configure a leader VRID, do the following:
1. In the shared partition, configure a vrid-lead:

hostname(config)#vrrp-a vrid-lead lead1
hostname(config-vrid-lead:lead1)#partition shared vrid 1
2. In the L3V partition, configure the VRID you wish to designate as the follower.
a. To do so, enter the partition:

hostname#active-partition p1
b. In the currently active partition, p1, enter the following command:

hostname[p1](config)#vrrp-a vrid 1
hostname[p1](config-vrid:1)#follow vrid-lead lead1
c. Use the show vrrp-a command to view your configuration:

hostname[p1](config-vrid-follow)#show vrrp-a
vrid default
Unit State Weight Priority
1 (Local) Active 65534 150
became Active at: May 20 12:04:05 2013
for 0 Day,22 Hour,54 min
2 (Peer) Standby 65534 150 *
vrid 1 (follow vrid-lead lead1)
- 5/4/2016 | page 32

2 (Peer) Standby 65534 150 *
vrid that is running: 0 1
3. By default, the default-vrid-lead exists in the shared partition:

vrrp-a vrid-lead default-vrid-lead
partition shared vrid 1
Configuration Example 2
To configure a leader in the shared partition, issue the following commands:
1. Define a VRID called myname as the leader:

hostname(config)#vrrp-a vrid-lead myname
hostname(config-vrid-lead:myname)#partition p1 vrid 0
2. Use the following show command to display your VRID leader configuration:
hostname(config)#show vrrp-a vrid-lead
vrrp-a vrid-lead myname
partition p1 vrid 0
3. In the L3V partition, configure the VRID to follow the lead VRID:
hostname[p1](config-vrid:3)#follow vrid-lead myname
4. Observe your configuration using the following command:

hostname[p1](config)#show running-config | sec vrrp-a
vrrp-a vrid 0 follow vrid-lead default-vrid-lead
floating-ip 7.8.0.25
floating-ip 7.0.0.25
floating-ip 7000::25
!
vrrp-a vrid 3 follow vrid-lead myname
!
5. As the Admin, if you want to change the VRID’s role from being a follower to standalone VRID again, issue the following
command:
Change the role of vrid 3 from follower to standalone? (y/n)y
Again, to view your configuration, use the show run command:
hostname[p1](config)#show running-config
!
page 33 | - 5/4/2016
vrrp-a vrid 3
!
If you try to remove a VRID that is configured as a lead VRID and that has other VRIDs that follow it, you will not be allowed to
remove it. You must remove the VRIDs that are configured as followers before you remove the lead VRID.
VRRP-A Status in CLI Prompt

The CLI prompt can be customized to identify the devices that are running VRRP-A configuration.
For information about how to do this, see “VRRP-A Status in Command Prompt” in the Command Line Interface Reference.
- 5/4/2016 | page 34
VRRP-A Policy-Based Failover Template
VRRP-A provides flexible event tracking and policy-based failover support via a template. This feature allows policy-based
failover even when VRRP-A preemption is disabled and the SSL Intercept device typically would remain in an Active state,
despite VRID priority changes. It allows for event-based failover once a tracked event occurs.
The following topics are covered in this chapter:
• Template Rules and Partitions
• Preemption and Levels
• Precedence Causing a Failover
• Events Tracked for Weight via the Templates
• Configuring VRRP-A Policy-Based Failovers
Template Rules and Partitions

• Policy-Based Failover Template Rules for the Shared Partition
• Policy-Based Failover Template Rules for L3V Partitions
Policy-Based Failover Template Rules for the Shared Partition

When creating templates in the shared partition, adhere to the following rules:
• You may create multiple templates, however only one template can be associated with a particular VRID. For example,
if you create two templates called “template1” and “template2,” you can only associate either template1 or template2
with VRID1. Assuming template1 and template2 have different events configured and you want template1 (that
tracks for VLANs and gateways) to also address the events that template2 tracks (for interfaces and routes), edit tem-
plate1 to include the events covered by template2. You cannot associate both templates to VRID1 to have it track all
four events (VLANs, gateways, interfaces, and routes).
• Create templates with unique names, however, the second time you try to create a template with the same name,
you will enter the template module and can edit the events listed in the template.
• You can create a maximum of 32 templates in the shared partition.
page 35 | - 5/4/2016
• You can associate the same template to multiple VRIDs. For example, VRID1 and VRID23 can both be attached to tem-
plate1.
Policy-Based Failover Template Rules for L3V Partitions

When creating policy-based failover templates in an L3V partition, adhere to the following rules:
• You may create multiple templates, however only one template can be associated with a particular VRID. For example,
if you create two templates called “template1” and “template2,” you can only associate either template1 or template2
with VRID1. Assuming template1 and template2 have different events configured and you want template1 (that
tracks for VLANs and gateways) to also address the events that template2 tracks (for interfaces and routes), edit tem-
plate1 to include the events covered by template2. You cannot associate both templates to VRID1 to have it track all
four events (VLANs, gateways, interfaces, and routes).
• Create templates with unique names, however, the second time you try to create a template with the same name,
you will enter the template module and can edit the events listed in the template.
• To associate a template to a private partition, you must switch to an active-partition.
• Associate the template to the default VRID. Private partitions only contain a default VRID. That is, only one template
can be associated to the default VRID.
• Since each private partition can have its own template, and templates cannot be shared across multiple partitions,
template names do not need to be unique. For example, template1 can be the template for private partition1 and
template1 can be the template for private partition2. They can be named the same, but can track different events for
different VRIDs.
• You can create a maximum of 32 templates in the private partition.
Preemption and Levels

Preemption is always enabled on Level 1 (weight) and can be configured to be as enabled or disabled in Level 2 (priority).
With preemption always being enabled on Level 1, the higher weight of an SSL Intercept device will always place it in Active
state and the remaining SSL Intercept devices in Standby state. Level 1 weight assignments for events will result in the
deduction of that weight from the VRID when an event occurs. When the weight is reduced for a particular VRID, it may result
in a failover to another device if its total weight is lower than that of its peer devices. Since preemption works at the VRID
level, any VRID with a higher weight can take over for another VRID in a different SSL Intercept device of a lower weight.
When the original Active device is operational again, its weight is subject to change, and if it has the highest weight amongst
its peers, it will resume its role and take over as the Active device.
Precedence Causing a Failover

The VRRP-A policy failover template provides a flexible way of defining events that will trigger failover of an SSL Intercept
device from Active to Standby state or vice versa. The following briefly summarizes the order in which VRRP-A failover is
determined:
- 5/4/2016 | page 36
• When the SSL Intercept devices in a VRRP-A configuration have unequal weight, the one with the higher weight will
be the Active device. Refer to Higher Weight Scenario“Higher Weight Scenario” on page 37.
• If all SSL Intercept devices have equal weight, the SSL Intercept device with the higher priority will be the Active
device. Refer to Higher Priority Scenario“Higher Priority Scenario” on page 38.
• If the two SSL Intercept devices have equal weight and equal priority, the device with the lower Device ID will be the
Active device. Refer to “Equal Weight and Priority Scenario” on page 38.
Higher Weight Scenario

Use the show vrrp-a command to view the Active/Standby status of the SSL Intercept devices: Note that Unit 1 is the Active
device and its weight is “65534” for VRID1:
hostname(config)#show vrrp-a
vrid default
2 (Local) Standby 65534 150 *
became Standby at: May 20 12:10:05 2013
1 (Peer) Active 65534 150
vrid 1
After an event results in a reduction of the weight, Unit 1 now has a weight of “65334” for VRID1, and a failover was triggered
that placed Unit 1 in a Standby state:
vrid default
vrid 1
2 (Local) Active 65534 150 *
1 (Peer) Standby 65334 200
page 37 | - 5/4/2016
Higher Priority Scenario

Use the show vrrp-a command to view the Active/Standby status of the SSL Intercept devices: Note for VRID1 that Unit 1 is
the Active device and its priority is “200:”
vrid default
vrid 1 became Standby at: May 20 12:10:05 2013

After an event results in a reduction of the priority, Unit 1 now has a priority of “1” for VRID1, and a failover was triggered that
placed Unit 1 in a Standby state:
vrid default
vrid 1
1 (Peer) Standby 65534 1 *
Equal Weight and Priority Scenario

Use the show vrrp-a command to view the Active/Standby status of the SSL Intercept devices: Note that VRID1 has an
unequal weight of “65534” and an equal priority of “150:”
vrid default
- 5/4/2016 | page 38

vrid 1
1 (Peer) Standby 65334 150 *
After an event results in an increase in weight, Unit 1 and Unit 2 both have an equal weight and priority, yet a failover is
triggered based on the device ID. For VRID1, Unit 1 is lower than Unit 2, it is now is in Active state instead of the Standby
state:
vrid default
vrid 1
Events Tracked for Weight via the Templates

Several events can be tracked for weight or priority. However, the failover policy templates only allow you to specify the
weight for each event, not the priority. If configured using the GUI or the CLI, the following events may cause a change in the
VRID and result in an SSL Intercept device failover:
TABLE 2 Configurable Event Tracking

Event Description
Lost link a default gateway. VRRP-A periodically tests connectivity to the IPv4 and IPv6 default gateways connection
to a real server by pinging them. If a gateway stops responding, VRRP-A reduces the
weight or priority for the VRID. The weight value to subtract can be specified individually
for each gateway’s IP address that you configure in the tracking events list.
VLAN inactivity. If VRRP-A stops detecting traffic on a VLAN, VRRP-A reduces the device’s priority for the
VRID. The priority value to subtract can be specified individually for each VLAN.
VLAN tracking is only supported in the shared partition.
page 39 | - 5/4/2016
TABLE 2 Configurable Event Tracking

Event Description
Lost link on a trunk. If the trunk or individual ports in the trunk go down, VRRP-A reduces the device’s priority
for the VRID. The priority value to subtract can be specified for the trunk and for individual
ports within the trunk.
If you track a trunk that does not exist, VRRP-A will not reduce the device priority.
To track a trunk port within an L3V partition, you must verify that the tracked port is actu-
ally being used within that partition (for example, verify that the port is used in a VLAN of
the partition):
• If the tracked trunk is down, VRRP-A reduces the device priority based on the trunk
value and ignores the status of the ports within the trunk.
• If the tracked trunk is up, VRRP-A checks the ports within the trunk, and if any of them
are down, VRRP-A reduces the device priority (1x configured port priority). If two ports
are down, VRRP-A reduces the device priority by twice the priority assigned to the
ports within the trunk (2x configured port priority).
Lost data route. If an IPv4 or IPv6 route matching the specified options is not in the data route table, VRRP-
A reduces the device’s priority for the VRID.
Lost link on an Ethernet port If the link goes down on an Ethernet data port, VRRP-A reduces the device’s priority for
the VRID. The priority value to subtract can be specified individually for each Ethernet
data port.
If a tracked interface is a member of a trunk, only the lead port in the trunk is shown in
the tracking configuration and in statistics. For example, if a trunk contains ports 1-3 and
you configure tracking of port 3, the configuration will show that tracking is enabled on
port 1. Likewise, tracking statistics will show port 1, not port 3. Similarly, if port 1 goes
down but port 3 is still up, statistics still will show that port 1 is up since it is the lead port
for the trunk.
- 5/4/2016 | page 40
The following graphic visually represents where tracking can be enabled for an SSL Intercept device:
Configuring VRRP-A Policy-Based Failovers

This section contains the following topics:
• “Using the GUI to Configure VRRP-A Policy-Based Failovers” on page 41
• “Using the CLI to Create VRRP-A Policy-Based Failovers” on page 42
NOTE: For details on additional template rules, refer to “Template Rules and Partitions” on
page 35.
Using the GUI to Configure VRRP-A Policy-Based Failovers

To configure the policy-based failover feature using the GUI, follow these steps:
1. Go to System > VRRP-A > Failover Policy Template to view the Failover Policy Template page.
2. Click Create to view the Create Failover Policy Template page.
3. Specify a template name in the Template Name field.
page 41 | - 5/4/2016
4. Configure the remainder of the page as needed.
For a description of the different events, see “Events Tracked for Weight via the Templates” on page 39.
When an event occurs, the specified weight will be subtracted from the weight of the VRID, possibly causing a failover.
For more information about this screen, refer to the online help.
5. Click Create when you are finished.
Your failover template will be listed in the Failover Policy Template page.
Using the CLI to Create VRRP-A Policy-Based Failovers

Failover Policy Templates can be configured using the CLI in either the shared or the private partition.
Configuring Templates in the Shared Partition:

To configure the policy-based failover feature in the shared partition using the CLI, follow these steps:
1. Create your failover policy template. For example., create a template with the name template1:
hostname(config)#vrrp-a fail-over-policy-template template1
hostname(config-fail-over-policy-template:template1)#
2. Configure the events you wish to track:
- 5/4/2016 | page 42
a. For gateway tracking, indicate the gateway IP address and assign a weight for the gateway in the event of a failure.
For example, if gateway 10.10.10.1 fails, 50 will be subtracted from the weight of the VRID:
hostname(config-fail-over-policy-template:template1)#gateway 10.10.10.1 weight 50
b. For interface tracking, indicate the interface type, interface number, and assign a weight for that interface in the
event of a failure. For example, if Ethernet interface 1 fails, 35 will be subtracted from the weight of the VRID:
hostname(config-fail-over-policy-template:template1)#interface ethernet 1 weight 35
c. For route tracking, indicate the route number and assign a weight for that route in the event of failure. For example,
if route 20.20.20.5 /24 10.10.10.1 fails, 70 will be subtracted from the weight of the VRID:
hostname(config-fail-over-policy-template:template1)#route 20.20.20.5 /24 10.10.10.1
weight 70
d. For trunk tracking, indicate the trunk identification number and assign a weight for that trunk in the event of failure.
For example, if trunk 4 fails, 25 will be subtracted from the weight of the VRID:
hostname(config-fail-over-policy-template:template1)#trunk 4 weight 25
e. For VLAN tracking, indicate the VLAN identification number, the timeout value, and assign a weight for that trunk in
the event of failure. For example, if VLAN 6 fails, 40 will be subtracted from the weight of the VRID:
hostname(config-fail-over-policy-template:template1)#vlan 6 timeout 30 weight 40
3. Assign a failover template to a VRID from the Global configuration level. For example, to assign template1 to VRID 0:
hostname(config-vrid:0-blade-parameters)#fail-over-policy-template template1
NOTE: Only one template can be assigned to a VRID in any partition.
Configuring Templates in L3V Partition:

To configure the policy-based failover feature in an L3V partition, follow these steps:
1. Switch to the active partition (for example, companyA):

hostname(config)#active-partition companyA id 3
2. Follow the instructions in “Configuring Templates in the Shared Partition:” on page 42.
Verifying the Fail-Over Policy Template Configuration

To view the reason for a failover, the show vrrp-a command on the Active SSL Intercept device will display the template
event that has caused the failover:
vrid default
page 43 | - 5/4/2016

2 (Peer) Standby 65534 150 *
vrid 1
Detected local policy based fail over events:
interface ethernet 1 weight 200
If you specify the name of the template, the show vrrp-a fail-over-policy-template command will display the contents of that
template:
hostname(config)#show vrrp-a fail-over-policy-template template1

vrrp-a fail-over-policy-template template1
gateway 20.20.20.20 weight 200
trunk 1 priority-weight 200
route 20.20.20.0 255.255.255.0 weight 200
Use the show vrrp-a command with the detail option to display comprehensive information on your current VRRP-A config-
uration:
hostname(config)#show vrrp-a detail

vrid default
...
VRRP-A stats
Peer: 1, vrid default
Port 1: received 25685 missed 3
...
Total packets sent for vrid default: 58524

Sent from port 1: 29262
- 5/4/2016 | page 44
...
Peer IP[1]: 7.7.7.1
To view information on all the fail-over policy templates, you can use the show vrrp-a fail-over-policy-template
command;
hostname(config)#show vrrp-a fail-over-policy-template

vrrp-a fail-over-policy-template interface
vrrp-a fail-over-policy-template trunk
vrrp-a fail-over-policy-template gateway
vrrp-a fail-over-policy-template route
route 4.4.4.0 255.255.255.0 weight 200
vrrp-a fail-over-policy-template vlan
route 20.20.20.0 255.255.255.0 weight 200
page 45 | - 5/4/2016
- 5/4/2016 | page 46
VRRP-A CLI Commands
This chapter describes the commands used to configure VRRP-A high availability.
The following topics are covered:
• “VRRP-A Global Configuration Mode Commands” on page 48
• “VRRP-A Common Configuration Mode Commands” on page 55
• “VRRP-A VRID Configuration Commands” on page 61
• “VRRP-A Blade Parameter Configuration Commands” on page 63
• “VRRP-A Show Commands” on page 66
page 47 | - 5/4/2016
VRRP-A Global Configuration Mode Commands

This section describes the VRRP-A commands that are available from Global Configuration mode.
• vrrp-a common
• vrrp-a fail-over-policy-template
• vrrp-a force-self-standby
• vrrp-a force-self-standby-persistent
• vrrp-a interface
• vrrp-a l2-inline-peer-ip
• vrrp-a l3-inline-mode
• vrrp-a ospf-inline
• vrrp-a peer-group
• vrrp-a preferred-session-sync-port ethernet
• vrrp-a restart-port-list
• vrrp-a vrid
• vrrp-a vrid-lead
vrrp-a common
Description Enter VRRP-A configuration mode, where additional VRRP-A commands are available.
For more information about these additional commands, see “VRRP-A Common
Configuration Mode Commands” on page 55.
Syntax vrrp-a common
Mode Global configuration mode
vrrp-a fail-over-policy-template
Description Create a failover policy template for VRRP-A. The template provides a mechanism for event
tracking and can enable a policy-based failover to occur. Using a template, assign weight-
related values per event that will be reduced from the fixed total weight of an SSL Intercept
device of 65534. The weight of a device can determine whether the device will serve as an
- 5/4/2016 | page 48
Active or Standby device. This command allows you to specify the weight value per event
that may cause a device to failover when the event occurs.
Syntax [no] vrrp-a fail-over-policy-template template-name

[gateway | interface | route | trunk | vlan]
Replace template-name with the name that you are assigning for the VRRP-A failover policy
template. This template must be associated to a particular VRID to take effect.
This command changes the CLI to the configuration level for the specified failover-policy
template, where the following commands are available.
Command Description
[no] Specify the IP Address of an IPv4 or IPv6 default gateway. VRRP-A periodically tests
gateway gateway-IP-address connectivity to the IPv4 and IPv6 default gateways connection to a real server by
weight value pinging them. If a gateway stops responding, VRRP-A reduces the weight for the
VRID. The weight value to subtract can be specified individually for each gateway’s
IP address that you configure in the tracking events list.
[no] interface Specify a weight for each interface that you are planning to track. If the link goes
interface-type down on an Ethernet data port, VRRP-A reduces the weight for the VRID. The
interface-number weight value to subtract can be specified individually for each Ethernet data port.
weight value
[no] route Indicate the IPv4 or IPv6 route that you wish to track. If the route matching the
route-number subnet specified options is not in the data route table, VRRP-A reduces the weight for the
weight value VRID.
[no] trunk trunk-id Indicate the trunk you wish to track. If the trunk or individual ports in the trunk go
weight value down, VRRP-A reduces the weight for the VRID. The weight value to subtract can
be specified for the trunk and for individual ports within the trunk.
[no] vlan vlan-id Indicate the VLAN you wish to track. If VRRP-A stops detecting traffic on a VLAN,
timeout timeout-value VRRP-A reduces the weight for the VRID. The weight value to subtract can be spec-
weight value ified individually for each VLAN.
Default None
Usage Use this command on any SSL Intercept device to indicate weight values per tracked event
via a failover policy template.
Example The following commands help you to create a template called “template1” and specify
events that will reduce the weight of the VRID:
hostname(config)#vrrp-a fail-over-policy-template template1

hostname(config-failover-policy)#interface ethernet 1 weight 200
hostname(config-failover-policy)#gateway 20.20.20.20 weight 200
hostname(config-failover-policy)#vlan 10 timeout 2 weight 200
hostname(config-failover-policy)#route 20.20.20.0 /24 weight 200
hostname(config-failover-policy)#trunk 1 weight 200
page 49 | - 5/4/2016
vrrp-a force-self-standby
Description Force the SSL Intercept device to change from active to standby or backup.
Syntax [no] vrrp-a force-self-standby [all-partitions] [vrid num]
Parameter Description
all-partitions Causes all partitions to change to standby state.
vrid num Causes only the specified VRID to change to standby state.
Default N/A
Usage This command provides a simple method to force a failover, without the need to change
VRRP-A configuration settings.
Example Enable the forced standby of VRID 3:
vrrp-a force-self-standby-persistent
Description Force a specific VRID to change from active to standby or backup, and remain in backup state
even after the device is reloaded.
Syntax [no] vrrp-a force-self-standby-persistent [vrid num]
Replace num with the VRID number whose state you want to change.
Default N/A
Usage This command provides a simple method to force a failover, without the need to change
VRRP-A configuration settings.
Example Enable the persistent forced standby of VRID 3:
- 5/4/2016 | page 50
vrrp-a interface
Description Configure a VRRP-A interface.
Syntax [no] vrrp-a interface {ethernet port-num | trunk trunk-num}
port-num Configures the specified interface as the VRRP-A interface.
trunk-num Configures the specified trunk interface as the VRRP-A inter-
face.
This command places you in a configuration sub-mode where you can configure the type
and state of the interface using the following commands:
Command Description
both Configures the interface so that both real servers and upstream
routers can be reached through this interface.
no-heartbeat Prevents heartbeat packets from being sent out on this inter-
face.
router-interface Configures the interface so that upstream routers (and ulti-
mately, clients) can be reached through the interface.
server-interface Configure the interface so that real servers can be reached
through the interface.
vlan vlan-id Configures the interface to be part of the specified VLAN.
Mode All up data interfaces within a partition are VRRP-A interfaces for that partition. If an interface
is a tagged member of multiple VLANs, only the VLAN that has the lowest-numbered IP
address for the interface is used as an VRRP-A interface.
Usage This command is valid only in the shared partition. However, the interface(s) specified by the
command are used by all partitions.
Example Configure ethernet interface 3 as the VRRP-A interface, and configure the interface so that
real servers can be reached:
hostname(config)#vrrp-a interface ethernet 3

hostname(config-ethernet:3)#server-interfaces
vrrp-a l2-inline-peer-ip
Description Configure a peer IP address in Layer 2 inline mode HA deployments.
SSL Intercept devices require a connection mirror IP address to be configured in Layer 2

inline mode VRRP-A deployments. A connection mirror interface is a unicast IP address on
page 51 | - 5/4/2016
the peer SSL Intercept device in the VRRP-A set. This peer IP address is optional in earlier
releases but usually is configured anyway for session synchronization purposes. Specifying a
connection mirror IP address is mandatory for proper operation of SSL Intercept devices in
Layer 2 Inline mode VRRP-A.
The connection mirror IP address is used for session synchronization (also called “connection
mirroring”). Until a connection mirror IP address is specified, the SSL Intercept device remains
in Standby state.
If a connection mirror IP address is not configured, a log message such as the following is
generated every 5 minutes:
Sep 01 2012 03:01:30 Warning [HA]:HA Peer IP is not configured. Peer

IP is required in Inline Mode.
Syntax [no] vrrp-a l2-inline-peer-ip ip-address ipaddr
Default Not configured
Example Configure 192.168.1.1 as the peer IP address.
hostname(config)#vrrp-a l2-inline-peer-ip ip-address 192.168.1.1
vrrp-a l3-inline-mode
Description Enable Layer 3 Inline mode.
Syntax [no] vrrp-a l3-inline-mode
Default Not configured
Example Enable Layer 3 inline mode.
hostname(config)#vrrp-a l3-inline-mode
- 5/4/2016 | page 52
vrrp-a ospf-inline
Description Enable OSPF inline mode.
Syntax [no] vrrp-a ospf-inline vlan vlan-id
Replace vlan-id (1-4094) with the VLAN for which you do not want to filter OSPF packets.
Default Not enabled
Example Enable OSPF inline mode and do not filter packets on VLAN 13.
hostname(config)#vrrp-a ospf-inline vlan 13
vrrp-a peer-group
Description Configure a VRRP-A peer group. This allows you to configure unicast IP/IPv6 addresses
through a layer 3 link (Layer 3 inline mode). Heartbeat messages are routed to the destina-
tion.
Syntax [no] vrrp-a peer-group
This command places you in a sub-configuration mode, where you can configure the peer
address with the peer command:
[no] peer {ipv4-address | ipv6-address}
Replace ipv4-address or ipv6-address with the appropriate IP address of the peer.
Example The following example shows how to configure 192.168.10.10 as a VRRP-A peer:
hostname(config)#vrrp-a peer-group
hostname(config-peer-group)#peer 192.168.10.10
vrrp-a preferred-session-sync-port ethernet

Description Specify the Ethernet interfaces on which to receive synchronized sessions.
Syntax [no] vrrp-a preferred-session-sync-port {

ethernet port-num [vlan vlan-id]
page 53 | - 5/4/2016
trunk trunk-num [vlan vlan-id]

}
port-num Configure the specified ethernet port to receive sync sessions.
trunk-num Configure the specified trunk port to receive sync sessions.
vlan-id If your interface is part of a VLAN, specify the VLAN ID.
Default The default behavior is for VRRP-A (on the backup device) to automatically select the Ether-
net interface on which to receive sync sessions.
Example Configure trunk 3 to receive sync sessions.
hostname(config)#vrrp-a preferred-session-sync-port trunk 3
vrrp-a restart-port-list
Description Causes the ports on the standby system to be restarted after the transition from the standby
mode to active mode.
Beginning with release 4.0.1, you can configure the restart time using “restart-time” on
page 60.
Syntax vrrp-a restart-port-list
vrrp-a vrid
Description Access the configuration level for a VRID.
Syntax [no] vrrp-a vrid num
Specify the VRID (0-31). If configuring a VRID in an L3V partition, you can specify 0-7.)
This command changes the CLI to the configuration level for the specified VRID.
The commands available at this level are summarized in “VRRP-A VRID Configuration
Commands” on page 61.
vrrp-a vrid-lead
Description Configure a VRID as the “leader” VRID, with other VRIDs to operate as followers.
Syntax [no] vrrp-a vrid-lead name
- 5/4/2016 | page 54
Replace name with the name of the VRID. You can enter 1-63 characters.
This command changes the CLI to the configuration level for the specified VRID leader,
where the following command is available:
[no] partition [shared | name] vrid [ID-num | default]
This command designates this VRID as the leader for a specific partition.
Default Not set
Usage For the leader VRID only, you can configure all capabilities, such as configuring the failover
policy template, the preempt mode, priority, and tracking options. For follower VRIDs, you
can only configure Floating IP Addresses.
If you try to remove a VRID that is configured as a lead VRID and that has other VRIDs that
follow it, you will not be allowed to remove it. You must remove the VRIDs that are
configured as followers before you remove the lead VRID.
Example The following command configures a VRID lead in the shared partition:
hostname(config)#vrrp-a vrid-lead lead1

hostname(config-vrid-lead)#partition shared vrid 1
VRRP-A Common Configuration Mode Commands

This section describes the commands available in VRRP-A common configuration mode.
• arp-retry
• dead-timer
• device-id
• disable-default-vrid
• enable
• hello-interval
• hostid-append-to-vrid
• inline-mode
• preemption-delay
• restart-time
• set-id
• track-event-delay
page 55 | - 5/4/2016
VRRP-A common configuration mode is accessed by entering the vrrp-a common command:
arp-retry
Description Change the number of additional gratuitous ARPs, in addition to the first one, an SSL Inter-
cept device sends after transitioning from Standby to Active. These ARPs are sent at intervals
of 500 milliseconds.
Syntax [no] arp-retry num
Replace num with the number of additional gratuitous ARPs to send, after sending the first
one. You can specify 1-255.
Default VRRP-A sends 4 additional gratuitous ARPs by default, for a total of 5.
Mode VRRP-A common configuration mode
Example Send 3 additional gratuitous ARPs when the system becomes active.
hostname(config-common)#arp-retry 3
dead-timer
Description Change the number of hello intervals during which a standby device will wait for a hello
message from the Active VRRP-A device, before declaring the device to be down and begin-
ning failover.
Syntax [no] dead-timer num
Replace num with the maximum number of hello intervals to wait for a hello message. You
can specify 2-255.
Default 5
Usage For information about the hello interval, see “hello-interval” on page 58.
Example Set the number of hello intervals to 25.
hostname(config-common)#dead-timer 25
- 5/4/2016 | page 56
device-id
Description Specify the VRRP-A device ID of the device.
Syntax [no] device-id num

Replace num with the device ID, 1-8.
Default N/A
Example Set the device ID to 7.
hostname(config-common)#device-id 7
disable
Description Disable VRRP-A on the device.
Syntax disable
Default By default, VRRP-A is disabled on any SSL Intercept device.
Example Disable VRRP-A on the device.
hostname(config-common)#disable
hostname(config-common)#
disable-default-vrid
Description Disable the default VRID on the shared partition.
Syntax [no] disable-default-vrid
Default The default VRID is enabled by default.
Usage This command applies only to the shared partition.
Example Disable the default VRID on the shared partition.
hostname(config-common)#disable-default-vrid
page 57 | - 5/4/2016
enable
Description Enable VRRP-A on the device.
Syntax enable
Default By default, VRRP-A is disabled on any SSL Intercept device.
Example Enable VRRP-A on the device.
hostname(config-common)#enable
hostname-Active(config-common)#
hello-interval
Description Change the interval at which the active device sends VRRP-A hello messages out its VRRP-A
interfaces.
Syntax [no] hello-interval 100-ms-units
Replace 100-ms-units with the number of 100 ms (milliseconds) intervals between each
hello message. You can specify 1-255 intervals of 100 ms.
Default 2 (200 ms)
Example Set the hello interval to 4 (400 milliseconds).
hostname(config-common)#hello-interval 4
hostid-append-to-vrid
Description Select a VRID to append a host ID message.
Syntax [no] hostid-append-to-vrid {default | vrid-num}
You can specify default, which is VRID 0, or specify a VRID number from 1-31.
- 5/4/2016 | page 58
inline-mode
Description Enable a specified ethernet port or trunk to be in Layer 2 inline hot standby mode.
Inline deployment allows you to insert a pair of SSL Intercept devices into an existing
network without the need to reconfigure other devices in the network.
Inline support applies specifically to network topologies where inserting a pair of SSL
Intercept switches would cause a Layer 2 loop.
Syntax [no] inline-mode {preferred-port port | preferred-trunk trunk}
port Ethernet port number.
trunk Trunk number.
Default Not configured.
Example Configure ethernet port 2 as the port to be used in the inline deplyment:
hostname(config)#vrrpa-a common
hostname(config-common)#inline-mode preferred-port 2
preemption-delay
Description Configure a delay between VRRP-A configuration changes and the failover that occurs due
to the changes.
Syntax [no] preemption-delay 100-ms
Replace 100-ms with the number of 100-millisecond units to wait before beginning failover.
You can configure the delay to range from 1-255 units, with each unit equal to 100 ms. The
maximum value is 25.5 seconds (255 units of 100ms).
Default 6 seconds (60 units of 100 ms)
Usage If VRRP-A pre-emption is enabled, failover can be triggered by VRRP-A configuration changes
or network changes, and occurs approximately 6 seconds after an applicable configuration
change takes effect. Therefore, it can be helpful to configure a delay between the VRRP-A
configuration changes and the subsequent failover. In deployments where many sessions
are synchronized, setting the pre-emption delay to a longer value can help ensure there will
be enough time for all sessions to finish synchronizing before failover occurs.
Example Configure a pre-emption delay of 30 seconds (30 100-millisecond units).
page 59 | - 5/4/2016
hostname(config-common)#preemption-delay 30
restart-time
Description The amount of time for ports on the standby system to be restarted after the transition from
the standby mode to active mode.
Syntax [no] restart-time seconds
Replace seconds with the number of seconds (1-100).
set-id
Description Specify the VRRP-A set ID.
Syntax [no] set-id num
Replace num with the set ID, 1-15
Default 1
Example Configure a set ID of 4.
hostname(config-common)#set-id 4
track-event-delay
Description Change the delay waited by the SSL Intercept device before beginning failover in response
to priority changes.
Syntax [no] track-event-delay 100-ms-units
Replace 100-ms-units with the number of milliseconds (ms) to wait before beginning
failover. You can specify 1-100 intervals of 100 ms.
Default 30 (3 seconds)
Example Configure a delay of 2 seconds (20 100-millisecond units).
hostname(config-common)#track-event-delay 20
- 5/4/2016 | page 60
VRRP-A VRID Configuration Commands

This section describes the VRRP-A VRID configuration commands.
• blade-parameters
• floating-ip
• follow
• preempt-mode
VRRP-A VRID configuration mode is accessed by entering the vrrp-a vrid command. For example:
hostname(config-vrid:0)#
blade-parameters
Description Enter vBlade configuration mode.
Commands available for configuring blade parameters are described in “VRRP-A Blade
Parameter Configuration Commands” on page 63.
Syntax [no] blade-parameters
Mode VRRP-A VRID configuration mode
Example Enter Vblade configuration mode:
hostname(config-vrid:0-blade-parameters)#
floating-ip
Description Specifies the IP addresses that downstream devices should use as their default IPv4 or IPv6
gateways. Regardless of which device is active for the VRID, downstream devices can reach
their default IPv4 or IPv6 gateway at the floating IP address.
Syntax [no] floating-ip {ipaddr | ipv6addr}
Default N/A
Example The following example configures 10.10.10.8 as the floating IP address for the VRID:
page 61 | - 5/4/2016
hostname(config-vrid:0)#floating-ip 10.10.10.8
follow
Description Configure a follower VRID.
Before you can use this command, you must have configured a leader VRID using the vrrp-a
vrid-lead command.
See “Configuring a Leader and Follower VRID” on page 32 for more information about leader
and follower VRIDs.
NOTE: This command only appears in an L3V partition; it does not appear in the shared
partition.
Syntax [no] follow vrid-lead name
Replace name with the name of the leader VRID.
Example This example shows how to follow the lead VRID called “lead1” from the shared partition “p1”
on VRID 1:
hostname(config)#active-partition p1
Current active partition: p1
hostname[p1](config-vrid:1)#follow vrid-lead lead1
- 5/4/2016 | page 62
preempt-mode
Description Disables ability for failovers to be caused by configuration changes to VRRP-A priority or
device ID.
Syntax [no] preempt-mode {disable | threshold num}
disable Disable preempt mode.
threshold num Controls whether failovers can be caused by configuration
changes to VRRP-A priority or device ID.
The threshold specifies the maximum difference in priority value
that can exist between the active and standby devices without
failover occurring. You can specify 1-255.
The default is 0.
Default Preemption is enabled by default.
Example The following example disables preemption:
hostname(config-vrid:0)#preempt-mode disable
Example
VRRP-A Blade Parameter Configuration Commands

This section describes the VRRP-A blade parameter configuration commands.
• fail-over-policy-template
• priority
• tracking-options
page 63 | - 5/4/2016
VRRP-A Blade parameter configuration mode is accessed by entering the blade-parameters command. For example:
hostname(config-vrid:0-blade-parameters)#
fail-over-policy-template
Description Apply the specified failover policy template to the VRID.
Syntax [no] fail-over-policy-template template-name
Replace template-name with the name of the template you want to apply to this VRID.
Failover policy templates are created with the vrrp-a fail-over-policy-template command.
Default N/A
Mode VRRP-A Blade parameter configuration mode
Example The following example applies the policy template named “template1” to VRID 0:
hostname(config-vrid:0-blade-parameters)#fail-over-policy-template template1
priority
Description Specifies the preference of the device to become the active device for the VRID. The device
that has the highest priority value for the VRID becomes the active device for the VRID.
Syntax [no] priority num
Replace num with the desired priority (1-255).
Default 150
Example The following example sets the priority on VRID 0 to 200:
hostname(config-vrid:0-blade-parameters)#priority 200
- 5/4/2016 | page 64
tracking-options
Description Accesses the configuration level for tracking options. Tracking options can dynamically
reduce the priority value used in dynamic failover.
For detailed information about event tracking, see “Events Tracked for Weight via the
Templates” on page 39.
Syntax [no] tracking-options
The supported tracking options are summarized in the table below.
Option Syntax Description

Gateway [no] gateway {ipaddr | ipv6addr} Configure tracking for the IPv4 or IPv6 default gateways.
priority-cost num
If a gateway fails, the specific num will be subtracted from
the priority on the VRID. You can specify a priority cost from
1-255.
Interface [no] interface ethernet num Configure tracking for a specified interface.
priority-cost num
If the interface fails, the specific num will be subtracted from
the priority on the VRID. You can specify a priority cost from
1-255.
Route [no] route {ipaddr | ipv6addr} Configure tracking for the specified route.
{/mask-length | subnet-mask}
{next-hop-addr} If the specified route is missing, the specific num will be sub-
[distance num] tracted from the priority on the VRID. You can specify a pri-
[priority-cost num] ority cost from 1-255.
[protocol The distance parameter specifies the route’s administra-
{any | static | dynamic}]
tive distance; if not specified, any distance is matched.
The protocol parameter matches the route protocol:
• any - match any routing protocol (default)
• static - match only user-specified static routes
• dynamic - match only routes added by dynamic routing
protocols (for example, OSPF)
page 65 | - 5/4/2016
Option Syntax Description

Trunk [no] trunk num priority-cost num Configure tracking for a specified trunk.
[per-port-pri num]
If the trunk or individual ports on the trunk fail, the specified
priority cost num will be subtracted from the priority on the
VRID. You can specify a priority cost from 1-255.
The per-port-pri option tracks individual ports in the
trunk. The VRID’s priority is reduced by the per-port-pri
amount for each port that fails. You can specify 1-255.
VLAN [no] vlan vlan-id Configure tracking for the specified VLAN.
timeout seconds
priority-cost num If traffic is no longer detected on the specified VLAN, the
specific num will be subtracted from the priority on the
VRID. You can specify a priority cost from 1-255.
The timeout option configures the number of seconds a
VLAN can remain idle without triggering a failover and pri-
ority cost reduction.
Default N/A
Usage See “Configuration of Tracking Options” on page 27.
VRRP-A Show Commands

This section describes the VRRP-A show commands. These commands are available at any level in the CLI.
• show vrrp-a
• show vrrp-a fail-over-policy-template
• show vrrp-a hostid
• show vrrp-a mac
• show vrrp-a setid-monitor
• show vrrp-a statistics
• show vrrp-a vrid-lead
- 5/4/2016 | page 66
show vrrp-a
Description Display VRRP-A information.
Syntax show vrrp-a [detail]
Mode All
Example The following example shows sample output for the show vrrp-a command.
hostname#show vrrp-a
vrid 0
became Active at: Aug 7 10:40:19 2014
for 1 Day, 0 Hour,12 min
2 (Peer) Standby 65534 199
*
vrid 1
1 (Local) Standby 65534 200
*
became Standby at: Aug 7 10:52:54 2014
Example The following example shows sample output for the show vrrp-a detail command.
hostname[corpa](config)#show vrrp-a detail

vrid 0
became Active at: Aug 7 10:40:19 2014
2 (Peer) Standby 65534 199 *
vrid 1
became Standby at: Aug 7 10:52:54 2014
VRRP-A stats
Peer: 2, vrid 0
page 67 | - 5/4/2016

Heartbeat missed: 0
Peer: 2, vrid 1
Heartbeat missed: 0
Total packets received from peer: 468672
Conn Sync Pkts: Sent 0 Received 0

Conn Query Pkts: Sent 0 Received 0
Conn Sync Create Session Pkts: Sent 0 Received 0

Conn Sync Update Age Pkts: Sent 0 Received 0
Conn Sync Delete Session Pkts: Sent 0 Received 0
Conn Sync Create Persist Session Pkts: Sent 0 Received 0

Conn Sync Update Persist Age Pkts: Sent 0 Received 0
Conn Sync Delete Persist Session Pkts: Sent 0 Received 0
Conn Sync Update LSN RADIUS: Sent 0 Received 0
Conn Sync Update LSN Fullcone: Sent 0 Received 0
Total packets sent for vrid 0: 234335

Total packets sent for vrid 1: 234336

Dup device id: 0 Set id mismatch: 0

Version mismatch: 0 Error partition id: 0
Error port: 0 Error device id: 0
Peer IP[2]: 192.168.110.2

Vrid default tracking:
- 5/4/2016 | page 68
The following table describes the fields in the preceding command outputs.
Field Description
vrid Virtual router ID
Unit VRRP-A device ID.
“Local” indicates this SSL Intercept device. “Peer” indicates another SSL Intercept
device in the same VRRP-A set.
State VRRP-A state:
• Active
• Standby
Weight Current VRRP-A weight of this device.
Priority Current VRRP-A priority of this device.
vrid that is running VRID that is currently running on the partition.
VRRP-A Stats
The following information is listed for each VRRP-A peer device.
Peer Device ID of the peer device, and the VRID.
Port Data port that connects this device (the Local device) to the peer device.
The received counter indicates the number of Hello packets received for the VRID
from the peer on this port.
The missed counter indicates the number of Hello packets that were expected for
the VRID but did not arrive from the peer on this port.
Heartbeat missed Number of Hello packets that were expected for the VRID from the peer but did
not arrive on any port.
Total packets received from peer Total number of Hello packets received from the peer.
Detail Fields
Note: The following fields appear only if you use the detail option.
Conn Sync Pkts Number of connection (session) synchronization packets sent by this partition for
the VRID.
Conn Query Pkts Number of session synchronization query packets sent by this partition for the
VRID. Query packets are sent by the standby device to request session information.
Conn Sync Create Session Pkts Number of creation packets for synchronized connections sent by this partition for
the VRID.
Conn Sync Update Age Pkts Number of update packets for synchronized connections sent by this partition for
the VRID.
Conn Sync Delete Session Pkts Number of delete packets for synchronized connections sent by this partition for
the VRID.
Total packets sent for vrid N Total number of Hello packets sent by this partition for the VRID. Separate counters
are listed for each data port used by this partition to send the packets.
Dup device ID Number of incoming hello packets that had the same device ID as this device (the
local device).
page 69 | - 5/4/2016
Field Description
Set ID mismatch Number of incoming hello packets in which the VRRP-A set ID was different from
this device’s set ID.
Version mismatch Number of incoming hello packets that had a different VRRP-A software version
that the one running on this device.
Error port Number of hello messages received from a non-existent port.
Error device ID Number of hello messages received from an invalid device ID (any device ID higher
than 8).
Switch to active, switch to standby Number of times the partition transitioned to Active or Standby for the VRID.
Peer IP IP address of the active peer for the VRID. The active peer is the device to which
this device (the local device) sends sessions for synchronization.
show vrrp-a fail-over-policy-template

Description Display the VRRP-A fail-over policy template details.
Syntax show vrrp-a fail-over-policy-template
Mode All
Example The following command shows VRRP-A information for all the fail-over policy templates:
hostname(config)#show vrrp-a fail-over-policy-template

vrrp-a fail-over-policy-template interface
vrrp-a fail-over-policy-template trunk
vrrp-a fail-over-policy-template gateway
vrrp-a fail-over-policy-template route
route 4.4.4.0 255.255.255.0 weight 200
vrrp-a fail-over-policy-template vlan
route 20.20.20.0 255.255.255.0 weight 200
If you specify the name of the template, the show vrrp-a fail-over-policy template
command displays the contents of that template only.
- 5/4/2016 | page 70
show vrrp-a hostid

Description View the VRRP-A device serial number or SoftAX UUID.
Syntax show vrrp-a hostid
Mode All
Example Below is an example output for this command:
hostname#show vrrp-a hostid

Vrrp-a Set id is 1
device 1 2B77D39BBAF7DBAE9C3404E7B2D060372FFFF2DE
hostname#
show vrrp-a mac

Description Display the virtual MAC addresses of the VRIDs.
Syntax show vrrp-a mac
Mode All
Example The following command shows the virtual MAC addresses for the default VRID (0) and VRIDs
1 and 2:
hostname#show vrrp-a mac

VRRP-A vrid MACs
0 021f.a000.0020
1 021f.a000.0021
2 021f.a000.0022
show vrrp-a setid-monitor

Description Display the VRRP-A set information.
Syntax show vrrp-a setid-monitor
Mode All
show vrrp-a statistics

Description View VRRP-A statistics.
Syntax show vrrp-a statistics
Mode All
page 71 | - 5/4/2016
show vrrp-a vrid-lead

Description View the lead VRID configuration on the system.
Syntax show vrrp-a vrid-lead
Mode All
Example Below is an example output for this command:
hostname#show vrrp-a vrid-lead

vrrp-a vrid-lead lead1
hostname(NOLICENSE)#
This example shows that two lead VRIDs are configured; the “default-vrid-lead” on the shared
partition, and also “lead1” on the shared partition.
- 5/4/2016 | page 72

SSL HA 4.1.0 PDF

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

SSL HA 4.1.0 PDF

Uploaded by

Copyright:

Available Formats

SSL Intercept

Configuring VRRP-A High Availability

Copyright © 2016 FireEye, Incorporated. All rights reserved.

FireEye SSL Intercept, Configuring VRRP-A High Availability

FireEye Contact Information:

Support Email: support@fireeye.com

United States: 877.FIREEYE (877.347.3393)

United Kingdom: 44.203.106.4828

Overview of VRRP-A ................................................................................................................................................. 7

Deploying VRRP-A ..................................................................................................................................................23

Configuration of Tracking Options ..............................................................................................................................................27

VRRP-A Policy-Based Failover Template ..........................................................................................................35

VRRP-A CLI Commands .........................................................................................................................................47

This chapter provides an overview of VRRP-A high availability.

The following topics are covered:

• VRRP-A Active / Standby Device Selection

• VRRP-A and Floating IP Addresses

• VRRP-A and Configuration Synchronization

• VRRP-A and Session Synchronization

VRRP-A can provide redundancy for the following IP resources:

• Virtual server IP addresses (VIPs)

• Floating IP addresses used as default gateways by downstream devices

• IPv6 NAT pools

• IPv4 NAT pools

• Basic VRRP-A Configuration

• VRRP-A and Virtual Router IDs

• VRRP-A, Virtual Router IDs, and Partitions

Basic VRRP-A Configuration

FIGURE 1 Basic VRRP-A Configuration

The elements in this illustration are described in Table 1.

TABLE 1 VRRP-A Basic Configuration Elements

TABLE 1 VRRP-A Basic Configuration Elements

VRRP-A sends hello messages to the following addresses:

• IPv4 multicast address 224.0.0.210, MAC address 01:00:5e:00:00:D2

VRRP-A and Virtual Router IDs

FIGURE 2 VRRP-A Configuration with VRIDs

Leader and Follower VRIDs

VRID Virtual MAC Addresses

VRRP-A, Virtual Router IDs, and Partitions

FIGURE 3 VRRP-A Configuration with Partitions

VRRP-A Active / Standby Device Selection

• VRRP-A Active Device Selection Overview

• Event Tracking for Weight and Priority

• Track Event Delay

• Active Device Selection Examples

VRRP-A Active Device Selection Overview

FIGURE 4 VRRP-A Device Selection Flowchart

• The weight assigned to an event.

• Priority value assigned as part of the VRRP-A deployment.

Event Tracking for Weight and Priority

Track Event Delay

Active Device Selection Examples

FIGURE 5 Selection of Active Device

FIGURE 6 Selection of Standby Device

FIGURE 7 Selection of New Standby Device

• The force-self-standby option is used on the active device by an administrator.

Dynamic Priority Reduction

FIGURE 8 Failover Based on Dynamic Priority Reduction

VRRP-A and Floating IP Addresses

FIGURE 9 Floating IP Address

Advertisement of the Floating IP MAC Address After Failover

VRRP-A and Configuration Synchronization

• Manual – See “Configuring Preemption Delays” on page 24.