Applying a rule set to a VRRP interface
When a host sends a packet to the router, the packet ingresses through the VRRP interface. But when the router sends traffic to the host, traffic egresses through the parent interface or virtual interface.
The firewall rule sets for the VRRP interface and the physical interface are independent. Specifically, packet-filtering rules applied to incoming traffic on the parent interface are not applied to traffic arriving on the VRRP interface. When designing firewall rule sets for incoming traffic, make sure you apply an appropriate rule set for your VRRP interface; otherwise, all incoming traffic is unfiltered.
The example in Filtering on source IP address shows how to define a simple firewall rule set, FWTEST-1, which filters on source IP address. The following example shows how to apply the same rule set to inbound traffic on the VRRP interface. In this example, the dp0p1p3 interface is already configured. Specifically:
- It is a member of VRRP group 15.
- It has rule set FWTEST-1 applied for inbound traffic.
To apply the rule set to the VRRP interface, perform the following steps in configuration mode.
Step | Command
---|---
View the initial configuration for the interfaces. |
Attach the same FWTEST-1 rule set for inbound traffic on the VRRP interface. |
Commit the configuration. |
Show the configuration. |
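Because the parent interface's inbound rule set is not inherited by the VRRP interface, a VRRP group that was added after the firewall was designed can silently pass all inbound traffic unfiltered. The audit script below is an added example, not part of this documentation or the router's own tooling: it models the configuration as plain Python dicts (a constructed shape, not the router's CLI or API) and reports every interface, parent or VRRP group, whose inbound traffic has no rule set or whose rule set name is not defined. The sample configuration is constructed to match the text: dp0p1p3 already carries FWTEST-1 inbound and is a member of VRRP group 15, which has not yet had the rule set applied.

```python
"""Audit an interface configuration for VRRP interfaces with unfiltered inbound traffic.

Constructed example (not the router's own CLI or API). The configuration is
modelled as nested dicts:
  config["firewall"]              : {rule_set_name: {...}}
  config["interfaces"][parent]    : {"firewall_in": name or None,
                                     "vrrp": {group_id: {"firewall_in": name or None}}}
"""
from copy import deepcopy
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    interface: str   # "<parent>" or "<parent> vrrp-group <id>"
    problem: str


def audit_inbound_rule_sets(config: dict) -> list:
    """Return one Finding per interface whose inbound traffic is unfiltered
    (no rule set applied) or whose inbound rule set name is not defined."""
    defined = set(config.get("firewall", {}))
    findings = []

    def check(label: str, rule_set):
        if rule_set is None:
            findings.append(Finding(label, "no inbound rule set: all inbound traffic unfiltered"))
        elif rule_set not in defined:
            findings.append(Finding(label, f"inbound rule set {rule_set!r} is not defined"))

    for ifname, ifcfg in config.get("interfaces", {}).items():
        check(ifname, ifcfg.get("firewall_in"))
        # A rule set on the parent interface is NOT applied to packets arriving
        # on its VRRP interface, so every VRRP group is checked on its own.
        for group_id, gcfg in ifcfg.get("vrrp", {}).items():
            check(f"{ifname} vrrp-group {group_id}", gcfg.get("firewall_in"))
    return findings


def with_rule_set_applied(config: dict, parent: str, group_id: int, rule_set: str) -> dict:
    """Return a copy of config with rule_set applied inbound on the given VRRP group
    (models the 'attach the rule set to the VRRP interface' step)."""
    new_config = deepcopy(config)
    new_config["interfaces"][parent]["vrrp"][group_id]["firewall_in"] = rule_set
    return new_config


# Constructed sample configuration. dp0p1p4 / group 20 is also constructed and
# references a misspelt rule set name to show the second class of finding.
SAMPLE_CONFIG = {
    "firewall": {"FWTEST-1": {"description": "filters on source IP address (constructed)"}},
    "interfaces": {
        "dp0p1p3": {"firewall_in": "FWTEST-1", "vrrp": {15: {"firewall_in": None}}},
        "dp0p1p4": {"firewall_in": "FWTEST-1", "vrrp": {20: {"firewall_in": "FW-TEST1"}}},
    },
}


if __name__ == "__main__":
    for finding in audit_inbound_rule_sets(SAMPLE_CONFIG):
        print(f"{finding.interface}: {finding.problem}")
    fixed = with_rule_set_applied(SAMPLE_CONFIG, "dp0p1p3", 15, "FWTEST-1")
    print("dp0p1p3 group 15 after applying FWTEST-1:",
          [f for f in audit_inbound_rule_sets(fixed) if f.interface.startswith("dp0p1p3")])
```

Run against the sample, the audit flags group 15 on dp0p1p3 as unfiltered and group 20 on dp0p1p4 for its undefined rule set name; after the rule set is applied to group 15, dp0p1p3 produces no findings. The same check is worth running after every commit that adds a VRRP group, since the parent interface's rule set gives no protection to the new VRRP interface.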