Рассмотрим схему с резервированием маршрутизатора посредством протокола VRRP (Virtual Router Redundancy Protocol).
Поскольку на маршрутизаторах серии ESR используется Stateful Firewall, то при переключении мастерства активные сессий будут разрываться.
Одноко, если VRRP Buckup будет знать об активных сессиях VRRP Master и автоматически поднимет сессии при переходе в состояние VRRP Master, то разрыва сессий не произойдет.
Для организации отказоустойчивой работы необходимо настроить механизм Firewall failover, рассмотрим на примере вышеприведенной схемы:
################################ R1 ######################################
hostname R1
object-group service FAILOVER
port-range 3333
exit
object-group network OWN_IP
ip address-range 192.168.1.148
exit
ip firewall failover sync-type unicast
ip firewall failover source-address 192.168.1.148
ip firewall failover destination-address 192.168.1.250
ip firewall failover port 3333
ip firewall failover vrrp-group 1
ip firewall failover
security zone trust
exit
interface gigabitethernet 1/0/5.50
security-zone trust
ip address 192.168.1.148/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 125
vrrp group 1
vrrp
exit
security zone-pair trust self
rule 2
action permit
match protocol udp
match source-address any
match destination-address OWN_IP
match source-port any
match destination-port FAILOVER
enable
exit
rule 3
action permit
match protocol vrrp
match source-address any
match destination-address any
enable
exit
exit
################################ R2 ######################################
hostname R2
object-group service FAILOVER
port-range 3333
exit
object-group network OWN_IP
ip address-range 192.168.1.250
exit
ip firewall failover sync-type unicast
ip firewall failover source-address 192.168.1.250
ip firewall failover destination-address 192.168.1.148
ip firewall failover port 3333
ip firewall failover vrrp-group 1
ip firewall failover
security zone trust
exit
interface gigabitethernet 1/0/5.50
security-zone trust
ip address 192.168.1.250/24
vrrp id 1
vrrp ip 192.168.1.1/32
vrrp priority 100
vrrp group 1
vrrp
exit
security zone-pair trust self
rule 2
action permit
match protocol udp
match source-address any
match destination-address OWN_IP
match source-port any
match destination-port FAILOVER
enable
exit
rule 3
action permit
match protocol vrrp
match source-address any
match destination-address any
enable
exit
exit
Командой show ip firewall failover проверяем наличие обмена между VRRP нодами:
R1# show vrrp
Virtual router Virtual IP Priority Preemption State
-------------- --------------------------------- -------- ---------- ------
1 192.168.1.1/32 125 Enabled Master
R1# show ip firewall failover
Communication interface: gigabitethernet 1/0/5.50
Status: Running
Bytes sent: 2944
Bytes received: 3584
Packets sent: 225
Packets received: 141
Send errors: 0
Receive errors: 0
R2# show vrrp
Virtual router Virtual IP Priority Preemption State
-------------- --------------------------------- -------- ---------- ------
1 192.168.1.1/32 100 Enabled Backup
R2# show ip firewall failover
Communication interface: gigabitethernet 1/0/5.50
Status: Running
Bytes sent: 1072
Bytes received: 500
Packets sent: 40
Packets received: 30
Send errors: 0
Receive errors: 0