1. Topology information can be seen in the attachment.
2. Instruction:
A. NE16A and NE16B enable a VRRP backup group for firewall F.
B. The client's L3 switch X only provides a layer-2 VRRP heartbeat channel.
C. Normally NE16A acts as the VRRP Master and NE16B as the Backup.
D. Round-trip routes for firewall F are configured on NE16A and NE16B. NE16 is configured with a low-priority backup route; the detailed routes can be seen in the attachment.
3. Problem Description: After the link from X to NE16A is cut, the route entries and the FIB entries of NE16A are not consistent.
1. A VRRP virtual interface cannot stay permanently up the way a logical interface does. Before the operation, a similar route was tried in the laboratory and the route could switch over. The first possibility can be ruled out.
2. Configure NE16B as Master and NE16A as Backup in the VRRP group. Cut the link from the L3 switch to NE16AB and the problem remains. The version possibility can be ruled out.
3. Analyze the route table and the FIB. There is one network segment, 220.127.116.11/21. When the link fails and switchover takes place, its next hop is 18.104.22.168 and the interface is Ethernet10/2/0. For the abnormal network segment, the next hop 22.214.171.124 is an address within 126.96.36.199/21. Because of route iteration, once the route on NE16A toward next hop 188.8.131.52 goes down with the faulty port Ethernet4/2/0, NE16A takes 184.108.40.206 as the destination and matches the route table again. Ethernet10/2/0 points to 220.127.116.11, the address of interface Ethernet3/2/0 on NE16B. 18.104.22.168 is a Direct route on NE16B, which recognizes it as reachable. When the link fails, NE16A therefore still recognizes the next hop 22.214.171.124 as reachable. The route table does not switch over, but the actual data packets are forwarded to NE16B through Ethernet10/2/0. The NE16A route table displays the next hop as 126.96.36.199 and the interface as Ethernet10/2/0. To check whether the analysis is correct, delete the route on NE16A from the destination network segment 188.8.131.52/21 to the next hop 184.108.40.206. The route entries and the FIB entries then match.
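The route iteration described in the analysis above can be reproduced with a small model, added here as an illustration and not taken from the original case. All addresses are constructed (the 10.x values are assumptions), only the interface names come from the case, and the function names are hypothetical.

```python
import ipaddress

# Constructed addresses; only the interface names come from the case.
SERVICE_NEXTHOP = "10.1.0.10"   # next hop of the affected static route
ROUTES = [
    # (prefix, next hop or None for a direct route, outgoing interface)
    ("10.1.0.0/24", None, "Ethernet4/2/0"),    # direct: link to L3 switch X
    ("10.9.0.0/30", None, "Ethernet10/2/0"),   # direct: link to NE16B
    ("10.1.0.0/21", "10.9.0.2", None),         # static /21 that contains the /24
]

def lookup(routes, addr):
    """Longest-prefix match; returns the most specific covering route or None."""
    ip = ipaddress.ip_address(addr)
    hits = [r for r in routes if ip in ipaddress.ip_network(r[0])]
    return max(hits, key=lambda r: ipaddress.ip_network(r[0]).prefixlen,
               default=None)

def resolve(routes, nexthop, depth=0):
    """Iterate a next hop down to an outgoing interface; None if unreachable."""
    if depth > 8:                # guard against resolution loops
        return None
    route = lookup(routes, nexthop)
    if route is None:
        return None
    _prefix, via, iface = route
    return iface if via is None else resolve(routes, via, depth + 1)

def outgoing_iface(routes, down=(), removed=()):
    """Interface used to reach SERVICE_NEXTHOP after the given changes.

    down:    interfaces that failed (their direct routes are withdrawn)
    removed: prefixes deleted from the configuration
    """
    live = [r for r in routes if r[2] not in down and r[0] not in removed]
    return resolve(live, SERVICE_NEXTHOP)

if __name__ == "__main__":
    print("normal:          ", outgoing_iface(ROUTES))
    print("Eth4/2/0 down:   ",
          outgoing_iface(ROUTES, down=("Ethernet4/2/0",)))
    print("and /21 deleted: ",
          outgoing_iface(ROUTES, down=("Ethernet4/2/0",),
                         removed=("10.1.0.0/21",)))
```

With the covering /21 present, the next hop stays resolvable after the link failure, so the static route is never withdrawn and the low-priority backup route does not take over. Once the /21 is deleted the next hop becomes unreachable and the route can switch over.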
When the link from the L3 switch to NE16A fails, checking the route entries and the FIB entries raises the following questions:
1. When the next hop is 220.127.116.11, the link should be Ethernet4/2/0, not Ethernet10/2/0.
2. When port Ethernet10/2/0 on NE16A is down, the route to the interface should be invalid.
3. The route entries and the FIB entries do not match, yet the service is not affected; it is suspected that they are not synchronized.
1. The VRRP virtual interface address is configured so that it behaves like an always-up logical interface and does not go down, so the route cannot switch over.
2. Because of a version bug (NE16A runs version 0611 and NE16B runs 1717.1), the route entries and the FIB entries are not synchronized.
3. Other reasons, such as route iteration.
1. The router forwards data based on the FIB. The route table is created according to the FIB and displayed.
2. The route 18.104.22.168/21 contains the network segment of a connected interface. Route inclusion should be avoided in network planning.