Virtual IPs

Virtual IPs (VIPs) are IP addresses that do not correspond to a single physical interface. They are used in multiple scenarios:

• Network Address Translation (NAT)
• When fault tolerance is needed, such as failover and CARP setups
• When mobile users need to have a consistent virtual IP address even as their actual (physical) IP address changes.

To begin, navigate to Firewall | Virtual IPs and click on the Add button below the table. There are four options for VIPs: IP Alias, CARP, Proxy ARP, and Other. The following caveats need to be specified about these options:

• CARP and IP Alias can be used to bind to and run services; the others cannot.
• All options except for Other generate layer-2 (ARP) traffic.
• All options except Proxy ARP can be used for clustering, but if IP Alias VIPs are used as part of a CARP VIP, they must be in the same subnet as that CARP VIP.
• Although you can generate a VIP that is in a different subnet than the real interface IP, it is recommended that you keep them on the same subnet to avoid potential issues.
• For IP Alias, the subnet mask should match that of the interface IP, or it should be /32. If the IPs are in different subnets than the original IP address, at least one IP Alias VIP needs to have the correct mask for the subnet.
• CARP and IP Alias VIPs respond to ICMP ping attempts; the others do not.
• CARP and IP Alias VIPs must be added individually; the others can be added as part of a subnet.

Setting up a virtual IP is not difficult. To do so, follow these steps:

1. Select one of the four options mentioned previously.
2. Select a physical interface for the VIP, which you can do in the Interface drop-down box.
3. For the Address type drop-down box, you can select either Single address or Network (you can only select Network with Proxy ARP or Other).
4. In the Address(es) edit box, enter either the VIP or the virtual subnet, as well as the CIDR. There are also several options only available if you selected CARP:
   • You must enter a Virtual IP Password for CARP VIPs.
   • Next is the VHID drop-down box. Each VIP to be shared by multiple nodes needs to use a unique Virtual Host ID (VHID) group. This VHID must be different from any VHIDs in active use on any directly connected network interface. You can use 1 as your VHID if CARP is not set up and you are not using Cisco’s Virtual Router Redundancy Protocol (VRRP). The VHID should automatically increment itself.
   • Next is Advertising Frequency. This value depends on the node's role. The master’s value should be 1, while a backup should be set to 2 or higher.
   • Finally, there is the Skew drop-down box. This value controls how often the node advertises itself as a member of the redundancy group, measured in seconds. Lower values tend to ensure that backup nodes will become master nodes if the master node fails.
5. You can enter a brief description in the Description field.
6. When you are done, click on the Save button at the bottom of the page. When the page reloads, click on Apply Changes.