Virtual Router Redundancy Protocol (VRRP) is a non-proprietary redundancy protocol described in RFC 3768 designed to increase the availability of the default gateway servicing hosts on the same subnet. This increased reliability is achieved by advertising a "virtual router" (an abstract representation of master and backup routers acting as a group) as a default gateway to the host(s) instead of one physical router. Two or more physical routers are then configured to stand for the virtual router, with only one doing the actual routing at any given time. If the current physical router that is routing the data on behalf of the virtual router fails, an arrangement is made for another physical router to automatically replace it. The physical router that is currently forwarding data on behalf of the virtual router is called the master router. Physical routers standing by to take over from the master router in case something goes wrong are called backup routers.

1. Background

Nokia, one of the most popular gateway security product vendor in the world, has actually implemented VRRP technology into their IPSO system. IPSO is the operating system running on Nokia IP security products. Of course, Nokia routers can work together with other products to create a secure Internet gateway, most notably, Checkpoint. A Nokia router with installed Checkpoint firewalling software gives you an enterprise grade firewall that is easy to managed with an intuitive interface and packed with some of the best features around.

Of course, what good is the best firewall available if it is still a single point of failure when used alone? The solution: a Nokia and Checkpoint firewall combination that uses VRRP for redundancy. It cannot get any better than this! If the only firewall in my network goes kaput, what shall I do? Get another firewall to replace it (manually of course)! What if this can be simplified with the use of two firewalls working together. Imagine this, one firewall goes down, the standby firewall is intelligent enough to know that there has been a failure and seamlessly takes over the role. This process is known as high availability and this can be achieved without much effort in Nokia Checkpoint secure Internet gateways with the use of VRRP. Interested to know how this can be configured? READ ON!: )

2. Lab Setup and Topology

This demo has been built around Nokia IP security gateway with IPSO 4.1 installed. This configuration should still be valid for IPSO 4.2 since not much has changed!

For the purpose of this lab, the following topology with be used:

Guardian01 with an internal IP of 192.168.10.70/24 and an external IP of 172.20.102.4/24.

Guardian02 with an internal IP of 192.168.10.71/24 and an external IP of 172.20.102.5/24.

An internal virtual IP of 192.168.10.75/24 and an external virtual IP of 172.20.102.6/24.