Operation Manual - Reliability
H3C SecPath F1800-A Firewall
Moreover, you can configure whether the data channel state will affect the state of
each VRRP in the VRRP management group.
Figure 1-6 shows the relation between service channels and data channels.
[Figure 1-6 Data channel for transferring VGMP packets. Zones shown: Trust zone, DMZ zone. A1, A2 and A3 are interfaces of SecPath A; B1, B2 and B3 are interfaces of SecPath B; S stands for LAN switch.]
Interfaces connected with each security zone on the master firewall can act as the starting ends of data channels; the ending ends are on the backup firewall. Thus, a data channel comes into being across the LAN switch.
In Figure 1-6, A and B stand for interfaces. S refers to the LAN switch, and A1-S-B1, A2-S-B2 and A3-S-B3 are data channels.
Where link bandwidth is a concern, in some cases you can directly connect the master firewall with the backup firewall (multiple lines are allowed) to prevent VRRP state information from disturbing traffic flow transmission. As a result, you can set up a data channel named A4-H-B4 between the master firewall and the backup firewall. H refers to the hub.
IV. Relation between VRRP Management Group, Backup Group and Interface
A VRRP backup group is configured for each security zone. One VRRP management group is defined for each firewall to manage the firewall and backup groups connected with each security zone. In this way, the state of the VRRPs can be kept consistent.
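A simplified model of the backup group and management group relation described in section IV, added here as an illustration (not H3C code or CLI): it contrasts backup groups that fail over independently with groups moved together by one management group, and names the data channels as the page does. The zone-to-interface mapping, the function names and the failure scenario are assumptions constructed for the example.

```python
# Added illustration: a simplified model, not H3C's implementation or CLI.
# Assumption: zone N attaches to interface A<N> on SecPath A and B<N> on SecPath B.
ZONES = {"Trust": 1, "DMZ": 2, "Untrust": 3}


def data_channels(zones=ZONES):
    """Name each data channel as the page does: A<n>-S-B<n> across LAN switch S."""
    return [f"A{n}-S-B{n}" for n in sorted(zones.values())]


def elect_masters(a_link_up, managed):
    """Return {zone: firewall acting as master for that zone's backup group}.

    a_link_up maps zone -> link state of SecPath A's interface in that zone.
    SecPath B is assumed healthy. With managed=False each backup group decides
    alone; with managed=True the management group moves all groups together.
    """
    if managed:
        owner = "A" if all(a_link_up.values()) else "B"
        return {zone: owner for zone in a_link_up}
    return {zone: ("A" if up else "B") for zone, up in a_link_up.items()}


def is_consistent(masters):
    """True when a single firewall is master for every security zone."""
    return len(set(masters.values())) == 1


def split_paths(masters):
    """Zone pairs whose traffic would enter one firewall and return via the other."""
    zones = sorted(masters)
    return [(x, y) for i, x in enumerate(zones) for y in zones[i + 1:]
            if masters[x] != masters[y]]


if __name__ == "__main__":
    # Constructed scenario: SecPath A loses its DMZ-facing link (A2).
    failure = {"Trust": True, "DMZ": False, "Untrust": True}
    print("data channels:", data_channels())
    for managed in (False, True):
        masters = elect_masters(failure, managed)
        label = "management group" if managed else "independent groups"
        status = "consistent" if is_consistent(masters) else f"split {split_paths(masters)}"
        print(f"{label}: {masters} -> {status}")
```

A split result means a flow between those zones crosses both firewalls, which is the inconsistency the management group exists to prevent.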
Chapter 1 Route Redundancy Backup
[Figure 1-6 diagram labels: SecPath A (Master) with interfaces A1, A2, A3 and A4; SecPath B (Backup) with interfaces B1, B2, B3 and B4; Hub on the A4-H-B4 link; Untrust zone. Legend: actual connection, data channel.]