On a Hot Standby Network, Can Upstream and Downstream Devices Be Layer-4 Switches?
Yes. In this situation, the firewall must use the virtual MAC address to encapsulate service packets. Otherwise, services are interrupted after active/standby switchover.
By default, the firewall uses the physical MAC address to encapsulate service packets. On hot standby networks, Layer-4 switches establish a connection status table to include the source MAC address (that is, the MAC address of the service interface on the active firewall) in the packets forwarded by the firewall. Layer-4 switches forward packets based on the connection status table. During active/standby switchover, Layer-4 switches do not automatically refresh MAC addresses in the connection status table. Therefore, packets are sent to the original active firewall if the physical MAC address is used. As a result, services are interrupted.
If the virtual MAC address is used, the connection status tables on Layer-4 switches include the virtual MAC address. After active/standby switchover, Layer-4 switches can forward service packets to the new active firewall.
Corresponding to the virtual IP address, the virtual MAC address is automatically generated based on the VRID in either of the following formats:
On a service interface of the firewall, you can run the following command to use the virtual MAC address to encapsulate service packets.
[sysname] interface GigabitEthernet 1/0/1
[sysname-GigabitEthernet1/0/1] vrrp virtual-mac enable