Настройка кластера в схеме с двумя провайдерами с использованием IP SLA + Track

Схема:

Задача: Настроить кластер в схеме с двумя провайдерами. С помощью кластера необходимо обеспечить резервирование доступа в интернет для LAN-подсети 192.0.2.0/24. Также с помощью SLA-тестов и track необходимо огранизовать перключение VRRP-мастерства для LAN в зависимости от доступности провайдера, а также переключение машрута по молучанию через резервное соединение gi1/0/3 и 2/0/3.

1. Настройка маршрутизаторов

1) Первичная настройка кластера

Подробная настройка кластера описана в документации ESR-Series. Руководство по эксплуатации в разделе Управление кластеризацией.

Настроим hostname на маршрутизаторах согласно схеме, а также сменим unit id на Standby устройстве и перезагрузим маршрутизатор:

Active:
esr# configure terminal
esr(config)# hostname Active unit 1
esr(config)# hostname Standby unit 2
esr(config)# end
esr# commit
Active# confirm

Standby:
esr# configure terminal
esr(config)# hostname Active unit 1
esr(config)# hostname Standby unit 2
esr(config)# end
esr# commit
Active# confirm
Active#
Active# set unit id 2
Unit ID will be 2 after reboot
Active# reload system
Do you really want to reload system now? (y/N): y ... ... ...

Standby login: admin
Password:

********************************************
* Welcome to ESR-15R *
********************************************

Standby#
Standby#

Перед настройкой кластерного интерфейса предварительно узнаем MAC-адреса устройств:

Active# show system | include MAC
System MAC address: 68:13:E2:7F:55:1A

Standby# show system | include MAC
System MAC address: 68:13:E2:7F:5D:CC

Для синхронизации кластера между устройствами используются интерфейсы маршрутизаторов gi1/0/3 и gi2/0/3.

Сам кластерный интерфейс можно настроить только на bridge, поэтому создадим bridge и привяжем данный bridge к sub-интерфейсу gi1/0/3.10 и gi2/0/3.10.

Для определения Active и Standby между маршрутизаторами используется мастерство VRRP, поэтому для unit 1 настроим VRRP priority больше, чем у unit 2.

Также создадим security-zone Cluster и разрешим протокол vrrp в зону self для синхронизации:

Принцип работ Zone-Based Stateful Firewall описан в статье https://docs.eltex-co.ru/x/VxBeIw

Active# configure
Active(config)# cluster
Active(config-cluster)# cluster-interface bridge 1
Active(config-cluster)# unit 1
Active(config-cluster-unit)# mac-address 68:13:e2:7f:55:1a
Active(config-cluster-unit)# exit
Active(config-cluster)# unit 2
Active(config-cluster-unit)# mac-address 68:13:e2:7f:5d:cc
Active(config-cluster-unit)# exit
Active(config-cluster)# enable
Active(config-cluster)# exit
Active(config)#
Active(config)# security zone Cluster
Active(config-security-zone)# exit
Active(config)#
Active(config)# bridge 1
Active(config-bridge)# vlan 1
Active(config-bridge)# security-zone Cluster
Active(config-bridge)# ip address 198.51.100.2/29 unit 1
Active(config-bridge)# ip address 198.51.100.3/29 unit 2
Active(config-bridge)# vrrp 1
Active(config-vrrp)# ip address 198.51.100.1/29
Active(config-vrrp)# priority 150 unit 1
Active(config-vrrp)# priority 120 unit 2
Active(config-vrrp)# group 1
Active(config-vrrp)# enable
Active(config-vrrp)# exit
Active(config-bridge)# enable
Active(config-bridge)# exit
Active(config)#
Active(config)# interface gigabitethernet 1/0/3.10
Active(config-if-sub)# bridge-group 1
Active(config-if-sub)# exit
Active(config)#
Active(config)# interface gigabitethernet 2/0/3.10
Active(config-if-sub)# bridge-group 1
Active(config-if-sub)# exit
Active(config)#
Active(config)# security zone-pair Cluster self
Active(config-security-zone-pair)# rule 1
Active(config-security-zone-pair-rule)# action permit
Active(config-security-zone-pair-rule)# match protocol vrrp
Active(config-security-zone-pair-rule)# enable
Active(config-security-zone-pair-rule)# exit
Active(config-security-zone-pair)# exit
Active(config)# exit
Active#
Active# commit
Active# confirm

Standby# configure terminal
Standby(config)#
Standby(config)# cluster
Standby(config-cluster)# cluster-interface bridge 1
Standby(config-cluster)# unit 1
Standby(config-cluster-unit)# mac-address 68:13:e2:7f:55:1a
Standby(config-cluster-unit)# exit
Standby(config-cluster)# unit 2
Standby(config-cluster-unit)# mac-address 68:13:e2:7f:5d:cc
Standby(config-cluster-unit)# exit
Standby(config-cluster)# enable
Standby(config-cluster)# exit
Standby(config)#
Standby(config)# security zone Cluster
Standby(config-security-zone)# exit
Standby(config)#
Standby(config)# bridge 1
Standby(config-bridge)# vlan 1
Standby(config-bridge)# security-zone Cluster
Standby(config-bridge)# ip address 198.51.100.2/29 unit 1
Standby(config-bridge)# ip address 198.51.100.3/29 unit 2
Standby(config-bridge)# vrrp 1
Standby(config-vrrp)# ip address 198.51.100.1/29
Standby(config-vrrp)# priority 150 unit 1
Standby(config-vrrp)# priority 120 unit 2
Standby(config-vrrp)# group 1
Standby(config-vrrp)# enable
Standby(config-vrrp)# exit
Standby(config-bridge)# enable
Standby(config-bridge)# exit
Standby(config)#
Standby(config)# interface gigabitethernet 1/0/3.10
Standby(config-if-sub)# bridge-group 1
Standby(config-if-sub)# exit
Standby(config)#
Standby(config)# interface gigabitethernet 2/0/3.10
Standby(config-if-sub)# bridge-group 1
Standby(config-if-sub)# exit
Standby(config)#
Standby(config)# security zone-pair Cluster self
Standby(config-security-zone-pair)# rule 1
Standby(config-security-zone-pair-rule)# action permit
Standby(config-security-zone-pair-rule)# match protocol vrrp
Standby(config-security-zone-pair-rule)# enable
Standby(config-security-zone-pair-rule)# exit
Standby(config-security-zone-pair)# exit
Standby(config)# exit
Standby#
Standby# commit
Standby# confirm

Соединим gi1/0/3 и gi2/0/3 между собой и проверим синхронизацию Cluster:

Active# show cluster status
Unit Hostname Role MAC address State IP address
---- -------------------- ---------- ----------------- -------------- ---------------
1* Active Active 68:13:e2:7f:55:1a Joined 198.51.100.2
2 Standby Standby 68:13:e2:7f:5d:cc Joined 198.51.100.3
Active# show cluster sync status
System part Synced
---------------------- ------
candidate-config Yes
running-config Yes
SW version Yes
licence Yes
licence (After reboot) Yes
date Yes

Standby# show cluster status
Unit Hostname Role MAC address State IP address
---- -------------------- ---------- ----------------- -------------- ---------------
1 Active Active 68:13:e2:7f:55:1a Joined 198.51.100.2
2* Standby Standby 68:13:e2:7f:5d:cc Joined 198.51.100.3
Standby# show cluster sync status
System part Synced
---------------------- ------
candidate-config Yes
running-config Yes
SW version Yes
licence Yes
licence (After reboot) Yes
date Yes

Маршрутизаторы успешно синхронизировались.

Если маршрутизаторы синхронизировались по Role (в выводе команды show cluster status) как Active и Standby, то для принудительной синхронизации Standby со стороны Active необходимо выполнить команду sync cluster system force, после чего будет происходить синхронизация всех параметров и перезагрузка маршрутизатора со стороны Standby.

Active# sync cluster system force
Unit 2 'Standby': system synchronization was started

После синхронизации маршрутизаторов - конфигурация кластера будет осуществляться только на Active.

2) Настройка кластера в сторону LAN-подсети

Для начала создадим security zone LAN, а также разрешим обработку VRRP-пакетов из зоны LAN в зону self:

Active# configure
Active(config)# security zone LAN
Active(config-security-zone)# exit
Active(config)#
Active(config)# security zone-pair LAN self
Active(config-security-zone-pair)# rule 1
Active(config-security-zone-pair-rule)# action permit
Active(config-security-zone-pair-rule)# match protocol vrrp
Active(config-security-zone-pair-rule)# enable
Active(config-security-zone-pair-rule)# exit
Active(config-security-zone-pair)# exit
Active(config)#

Далее настроим интерфейсы gi1/0/2 и gi2/0/2 согласно схеме.

При настройке VRRP для Active сделаем приоритет ниже, чем у Standby. Приоритет для Active будем повышать с помощью track в 4-ом пункте (Настройка маршрутизации, track и sla-тестов).

Active(config)#
Active(config)# interface gigabitethernet 1/0/2
Active(config-if-gi)# security-zone LAN
Active(config-if-gi)# ip address 192.0.2.2/24
Active(config-if-gi)# vrrp 2
Active(config-vrrp)# ip address 192.0.2.1/24
Active(config-vrrp)# priority 110
Active(config-vrrp)# enable
Active(config-vrrp)# exit
Active(config-if-gi)# exit
Active(config)#
Active(config)# interface gigabitethernet 2/0/2
Active(config-if-gi)# security-zone LAN
Active(config-if-gi)# ip address 192.0.2.3/24
Active(config-if-gi)# vrrp 2
Active(config-vrrp)# ip address 192.0.2.1/24
Active(config-vrrp)# priority 120
Active(config-vrrp)# enable
Active(config-vrrp)# exit
Active(config-if-gi)# exit
Active(config)# exit
Active# commit
Active# confirm

После подключения интерфейсов статусы VRRP-процессов будут следующие:

Active# show vrrp

Unit 1* 'Active'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 110 Enabled Backup -- --

Unit 2 'Standby'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Master -- --

3) Настройка кластера в сторону провайдеров

Для начала создадим две security zone WAN_unit_1 и WAN_unit_2. Данные зоны необходимы для фильтрации трафика в сторону ISP, а также для NAT.

Также разрешим прохождение трафика из зоны LAN в зону WAN_unit_1 и в зону WAN_unit_2.

Active# configure
Active(config)#
Active(config)# security zone WAN_unit_1
Active(config-security-zone)# exit
Active(config)#
Active(config)# security zone WAN_unit_2
Active(config-security-zone)# exit
Active(config)#
Active(config)# security zone-pair LAN WAN_unit_1
Active(config-security-zone-pair)# rule 1
Active(config-security-zone-pair-rule)# action permit
Active(config-security-zone-pair-rule)# enable
Active(config-security-zone-pair-rule)# exit
Active(config-security-zone-pair)# exit
Active(config)# security zone-pair LAN WAN_unit_2
Active(config-security-zone-pair)# rule 1
Active(config-security-zone-pair-rule)# action permit
Active(config-security-zone-pair-rule)# enable
Active(config-security-zone-pair-rule)# exit
Active(config-security-zone-pair)# exit
Active(config)#

Настроим интерфейсы gi1/0/1 и gi2/0/1 согласно схеме:

Active(config)#
Active(config)# interface gigabitethernet 1/0/1
Active(config-if-gi)# security-zone WAN_unit_1
Active(config-if-gi)# ip address 203.0.113.2/30
Active(config-if-gi)# exit
Active(config)#
Active(config)# interface gigabitethernet 2/0/1
Active(config-if-gi)# security-zone WAN_unit_2
Active(config-if-gi)# ip address 203.0.113.6/30
Active(config-if-gi)# exit
Active(config)#

Настроим NAT для исходящего трафика из соответствующей зоны:

Более подробные описания команд и настройки NAT есть в документации ESR-Series. Руководство по эксплуатации в разделе Управление сервисами.

Active(config)#
Active(config)# nat source
Active(config-snat)# pool unit_1
Active(config-snat-pool)# ip address-range 203.0.113.2
Active(config-snat-pool)# exit
Active(config-snat)# pool unit_2
Active(config-snat-pool)# ip address-range 203.0.113.6
Active(config-snat-pool)# exit
Active(config-snat)# ruleset s_nat_unit_1
Active(config-snat-ruleset)# to zone WAN_unit_1
Active(config-snat-ruleset)# rule 1
Active(config-snat-rule)# action source-nat pool unit_1
Active(config-snat-rule)# enable
Active(config-snat-rule)# exit
Active(config-snat-ruleset)# exit
Active(config-snat)# ruleset s_nat_unit_2
Active(config-snat-ruleset)# to zone WAN_unit_2
Active(config-snat-ruleset)# rule 1
Active(config-snat-rule)# action source-nat pool unit_2
Active(config-snat-rule)# enable
Active(config-snat-rule)# exit
Active(config-snat-ruleset)# exit
Active(config-snat)# exit
Active(config)# exit
Active#
Active# commit
Active# confirm

4) Настройка маршрутизации, track и sla-тестов

Настроим SLA-тесты для юнитизированных IP-адресов, а также track, к которым будут привязаны данные SLA-тесты.

Предварительно перед настройкой SLA-тестов необходимо создать object-group network, в которой указываются IP-адреса с определенным Unit. Данная object-group network будет использоваться в качестве source ip в конфигурации SLA-тестов.

Active# configure
Active(config)#
Active(config)# object-group network unit_ip_for_sla
Active(config-object-group-network)# ip address-range 203.0.113.2 unit 1
Active(config-object-group-network)# ip address-range 203.0.113.6 unit 2
Active(config-object-group-network)# exit
Active(config)# ip sla logging status
Active(config)# ip sla
Active(config)# ip sla test 1
Active(config-sla-test)# icmp-echo 203.0.113.1 source-ip object-group unit_ip_for_sla
Active(config-sla-test)# enable
Active(config-sla-test)# exit
Active(config)# ip sla test 2
Active(config-sla-test)# icmp-echo 203.0.113.5 source-ip object-group unit_ip_for_sla
Active(config-sla-test)# enable
Active(config-sla-test)# exit
Active(config)# ip sla schedule 1 life forever start-time now
Active(config)# ip sla schedule 2 life forever start-time now
Active(config)#
Active(config)# track 1
Active(config-track)# track sla test 1
Active(config-track)# enable
Active(config-track)# exit
Active(config)# track 2
Active(config-track)# track sla test 2
Active(config-track)# enable
Active(config-track)# exit
Active(config)#

Далее создадим статические маршруты по умолчанию для каждого unit и привяжем к ним соответствующие track:

Active(config)# ip route 0.0.0.0/0 203.0.113.1 track 1 unit 1
Active(config)# ip route 0.0.0.0/0 203.0.113.5 track 2 unit 2
Active(config)#

Далее повысим приоритет VRRP-процесса со стороны Active, чтобы при доступности ISP1 - трафик передавался через Active-маршрутизатор:

Active(config)#
Active(config)# interface gigabitethernet 1/0/2
Active(config-if-gi)# vrrp 2
Active(config-vrrp)# priority track 1 increment 40
Active(config-vrrp)# exit
Active(config-if-gi)# exit
Active(config)# exit
Active#
Active# commit
Active# confirm

В результате, при доступности ISP в таблице маршрутизации появится маршрут по умолчанию, а также Active станет Master для LAN-подсети 192.0.2.0/24:

Active# show ip sla test statistics 1
Test number: 1
Description: --
Test status: Successful
Transmitted packets: 100
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.56/0.60/0.81 milliseconds
Two-way jitter min/avg/max: 0.03/0.04/0.06 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 10 (100.00%)
Number of failures: 0 (0.00%)
Active# show track 1
Track 1:
State: Up
Changes count: 1 (last 00,00:12:35)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 1 True State success 00,00:12:35 --

Actions:

Static routes:
0.0.0.0/0 via 203.0.113.1: Installed
VRRPs:
ID 2 priority of the interface gigabitethernet 1/0/2 : 150
Active# show ip route static
S * 0.0.0.0/0 [1/0] via 203.0.113.1 on gi1/0/1 [static 15:35:24]
Active# show vrrp

Unit 1* 'Active'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 150 Enabled Master -- --

Unit 2 'Standby'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Backup -- --

Standby# show ip sla test statistics 2
Test number: 2
Description: --
Test status: Successful
Transmitted packets: 100
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.52/0.59/0.82 milliseconds
Two-way jitter min/avg/max: 0.03/0.04/0.05 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 10 (100.00%)
Number of failures: 0 (0.00%)
Standby# show track 2
Track 2:
State: Up
Changes count: 1 (last 00,00:06:00)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 2 True State success 00,00:06:00 --

Actions:

Static routes:
0.0.0.0/0 via 203.0.113.5: Installed
Standby# show ip route static
S * 0.0.0.0/0 [1/0] via 203.0.113.5 on gi2/0/1 [static 15:35:23]

5) Настройка gi1/0/3 и gi2/0/3 для резервирования доступа в интернет

Может возникнуть ситуация, когда интерфейсы gi1/0/2 и gi2/0/1 или gi2/0/2 и gi1/0/1 находятся в Down, тогда для передачи транзитного трафика можеи использоваться линк между Active и Standby, а именно gi1/0/3 и gi2/0/3.

Настроим интерфейсы gi1/0/3 и gi2/0/3, а также отнесем данные интерфейсы к security zone LAN и настроим соответствующее разрешающее правило для прохождения трафика из зоны LAN в зону LAN:

Active# configure
Active(config)# interface gigabitethernet 1/0/3
Active(config-if-gi)# security-zone LAN
Active(config-if-gi)# ip address 198.51.100.129/30
Active(config-if-gi)# exit
Active(config)#
Active(config)# interface gigabitethernet 2/0/3
Active(config-if-gi)# security-zone LAN
Active(config-if-gi)# ip address 198.51.100.130/30
Active(config-if-gi)# exit
Active(config)#
Active(config)# security zone-pair LAN LAN
Active(config-security-zone-pair)# rule 1
Active(config-security-zone-pair-rule)# action permit
Active(config-security-zone-pair-rule)# enable
Active(config-security-zone-pair-rule)# exit
Active(config-security-zone-pair)# exit
Active(config)#

Далее настроим маршруты до LAN и IP-адресов ISP, которые находятся за Active и Standby маршрутизаторами, через gi1/0/3 и gi2/0/3:

Active(config)# ip route 192.0.2.0/24 198.51.100.130 unit 1
Active(config)# ip route 192.0.2.0/24 198.51.100.129 unit 2
Active(config)# ip route 203.0.113.5/32 198.51.100.130 unit 1
Active(config)# ip route 203.0.113.1/32 198.51.100.129 unit 2

Настроим аналогичные SLA-тесты с Track и привяжим их к резервным маршрутам по умолчанию с метрикой 10:

Active(config)#
Active(config)# object-group network unit_ip_for_sla_2
Active(config-object-group-network)# ip address-range 198.51.100.129 unit 1
Active(config-object-group-network)# ip address-range 198.51.100.130 unit 2
Active(config-object-group-network)# exit
Active(config)#
Active(config)# ip sla
Active(config)# ip sla test 3
Active(config-sla-test)# icmp-echo 203.0.113.5 source-ip object-group unit_ip_for_sla_2
Active(config-sla-test)# enable
Active(config-sla-test)# exit
Active(config)# ip sla test 4
Active(config-sla-test)# icmp-echo 203.0.113.1 source-ip object-group unit_ip_for_sla_2
Active(config-sla-test)# enable
Active(config-sla-test)# exit
Active(config)# ip sla schedule 3 life forever start-time now
Active(config)# ip sla schedule 4 life forever start-time now
Active(config)#
Active(config)# track 3
Active(config-track)# track sla test 3
Active(config-track)# enable
Active(config-track)# exit
Active(config)# track 4
Active(config-track)# track sla test 4
Active(config-track)# enable
Active(config-track)# exit
Active(config)#
Active(config)# ip route 0.0.0.0/0 198.51.100.130 track 3 10 unit 1
Active(config)# ip route 0.0.0.0/0 198.51.100.129 track 4 10 unit 2
Active(config)#
Active(config)# exit
Active#
Active# commit
Active# confirm

Разрешим прохождение асинхронного трафика с помощью команды ip firewall sessions unknown permit:

Active# configure
Active(config)# ip firewall sessions unknown permit
Active(config)# exit
Active#
Active# commit
Active# confirm

После применения конфигурации и поднятых линков проверим наличия резервного статического маршрута на Active и Standby:

Active# show ip sla test statistics 3
Test number: 3
Description: --
Test status: Successful
Transmitted packets: 100
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.98/1.05/1.17 milliseconds
Two-way jitter min/avg/max: 0.03/0.04/0.04 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 10 (100.00%)
Number of failures: 0 (0.00%)
Active# show track 3
Track 3:
State: Up
Changes count: 2 (last 00,00:05:16)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 3 True State success 00,00:05:16 --

Actions:

Static routes:
0.0.0.0/0 via 198.51.100.130 metric 10: Installed
Active# show ip route static
S * 0.0.0.0/0 [1/0] via 203.0.113.1 on gi1/0/1 [static 15:35:24]
S 0.0.0.0/0 [1/10] via 198.51.100.130 on gi1/0/3 [static 17:19:04]
S * 203.0.113.5/32 [1/0] via 198.51.100.130 on gi1/0/3 [static 17:19:01]

Standby# show ip sla test statistics 4
Test number: 4
Description: --
Test status: Successful
Transmitted packets: 100
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 1.00/1.15/1.34 milliseconds
Two-way jitter min/avg/max: 0.04/0.05/0.07 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 10 (100.00%)
Number of failures: 0 (0.00%)
Standby# show track 4
Track 4:
State: Up
Changes count: 2 (last 00,00:06:16)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 4 True State success 00,00:06:16 --

Actions:

Static routes:
0.0.0.0/0 via 198.51.100.129 metric 10: Installed
Standby# show ip route static
S * 0.0.0.0/0 [1/0] via 203.0.113.5 on gi2/0/1 [static 15:35:23]
S 0.0.0.0/0 [1/10] via 198.51.100.129 on gi2/0/3 [static 17:19:02]
S * 203.0.113.1/32 [1/0] via 198.51.100.129 on gi2/0/3 [static 17:18:59]

6) Итоговая конфигурация кластера:

Active# show running-config

cluster
  cluster-interface bridge 1
  unit 1
    mac-address 68:13:e2:7f:55:1a
  exit
  unit 2
    mac-address 68:13:e2:7f:5d:cc
  exit
  enable
exit

hostname esr
hostname Active unit 1
hostname Standby unit 2

object-group network unit_ip_for_sla
  ip address-range 203.0.113.2 unit 1
  ip address-range 203.0.113.6 unit 2
exit
object-group network unit_ip_for_sla_2
  ip address-range 198.51.100.129 unit 1
  ip address-range 198.51.100.130 unit 2
exit

security zone Cluster
exit
security zone LAN
exit
security zone WAN_unit_1
exit
security zone WAN_unit_2
exit

bridge 1
  vlan 1
  security-zone Cluster
  ip address 198.51.100.2/29 unit 1
  ip address 198.51.100.3/29 unit 2
  vrrp 1
    ip address 198.51.100.1/29
    priority 150 unit 1
    priority 120 unit 2
    group 1
    enable
  exit
  enable
exit

interface gigabitethernet 1/0/1
  security-zone WAN_unit_1
  ip address 203.0.113.2/30
exit
interface gigabitethernet 1/0/2
  security-zone LAN
  ip address 192.0.2.2/24
  vrrp 2
    ip address 192.0.2.1/24
    priority 110
    priority track 1 increment 40
    enable
  exit
exit
interface gigabitethernet 1/0/3
  security-zone LAN
  ip address 198.51.100.129/30
exit
interface gigabitethernet 1/0/3.10
  bridge-group 1
exit
interface gigabitethernet 2/0/1
  security-zone WAN_unit_2
  ip address 203.0.113.6/30
exit
interface gigabitethernet 2/0/2
  security-zone LAN
  ip address 192.0.2.3/24
  vrrp 2
    ip address 192.0.2.1/24
    priority 120
    enable
  exit
exit
interface gigabitethernet 2/0/3
  security-zone LAN
  ip address 198.51.100.130/30
exit
interface gigabitethernet 2/0/3.10
  bridge-group 1
exit

security zone-pair Cluster self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN self
  rule 1
    action permit
    match protocol vrrp
    enable
  exit
exit
security zone-pair LAN WAN_unit_1
  rule 1
    action permit
    enable
  exit
exit
security zone-pair LAN WAN_unit_2
  rule 1
    action permit
    enable
  exit
exit
security zone-pair LAN LAN
  rule 1
    action permit
    enable
  exit
exit

ip firewall sessions unknown permit
nat source
  pool unit_1
    ip address-range 203.0.113.2
  exit
  pool unit_2
    ip address-range 203.0.113.6
  exit
  ruleset s_nat_unit_1
    to zone WAN_unit_1
    rule 1
      action source-nat pool unit_1
      enable
    exit
  exit
  ruleset s_nat_unit_2
    to zone WAN_unit_2
    rule 1
      action source-nat pool unit_2
      enable
    exit
  exit
exit

ip route 0.0.0.0/0 203.0.113.1 track 1 unit 1
ip route 192.0.2.0/24 198.51.100.130 unit 1
ip route 203.0.113.5/32 198.51.100.130 unit 1
ip route 0.0.0.0/0 203.0.113.5 track 2 unit 2
ip route 192.0.2.0/24 198.51.100.129 unit 2
ip route 203.0.113.1/32 198.51.100.129 unit 2
ip route 0.0.0.0/0 198.51.100.130 10 track 3 unit 1
ip route 0.0.0.0/0 198.51.100.129 10 track 4 unit 2

ip sla
ip sla logging status
ip sla test 1
  icmp-echo 203.0.113.1 source-ip object-group unit_ip_for_sla
  enable
exit
ip sla test 2
  icmp-echo 203.0.113.5 source-ip object-group unit_ip_for_sla
  enable
exit
ip sla test 3
  icmp-echo 203.0.113.5 source-ip object-group unit_ip_for_sla_2
  enable
exit
ip sla test 4
  icmp-echo 203.0.113.1 source-ip object-group unit_ip_for_sla_2
  enable
exit
ip sla schedule 1 life forever start-time now
ip sla schedule 2 life forever start-time now
ip sla schedule 3 life forever start-time now
ip sla schedule 4 life forever start-time now

track 1
  track sla test 1
  enable
exit
track 2
  track sla test 2
  enable
exit
track 3
  track sla test 3
  enable
exit
track 4
  track sla test 4
  enable
exit

2. Проверка резервирования

После настройки маршрутизаторов и подключения линков трафик будет ходить через Active:

Пустим транзитный трафик со стоны Client в сторону ISP:

Client# ping 77.88.8.8
PING 77.88.8.8 (77.88.8.8) 56 bytes of data.
!!!!!
--- 77.88.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 0.812/0.857/0.903/0.051 ms

Вывод оперативных команд со стороны Active:

Active# show vrrp

Unit 1* 'Active'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 150 Enabled Master -- --

Unit 2 'Standby'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Backup -- --

Active# show ip route 0.0.0.0
Codes: C - connected, S - static, R - RIP derived,
O - OSPF derived, IA - OSPF inter area route,
E1 - OSPF external type 1 route, E2 - OSPF external type 2 route,
B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
H - NHRP, * - FIB route
S * 0.0.0.0/0 [1/0] via 203.0.113.1 on gi1/0/1 [static 09:30:13]
S 0.0.0.0/0 [1/10] via 198.51.100.130 on gi1/0/3 [static 09:36:18]
Active# show ip sla test statistics 1
Test number: 1
Description: --
Test status: Successful
Transmitted packets: 100
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.55/0.60/0.75 milliseconds
Two-way jitter min/avg/max: 0.02/0.03/0.05 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 10 (100.00%)
Number of failures: 0 (0.00%)
Active# show ip sla test statistics 3
Test number: 3
Description: --
Test status: Successful
Transmitted packets: 100
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.85/1.03/1.19 milliseconds
Two-way jitter min/avg/max: 0.04/0.04/0.05 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 10 (100.00%)
Number of failures: 0 (0.00%)
Active# show track 1
Track 1:
State: Up
Changes count: 7 (last 00,01:25:07)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 1 True State success 00,01:25:07 --

Actions:

Static routes:
0.0.0.0/0 via 203.0.113.1: Installed
VRRPs:
ID 2 priority of the interface gigabitethernet 1/0/2 : 150
Active# show track 3
Track 3:
State: Up
Changes count: 6 (last 00,01:19:06)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 3 True State success 00,01:19:06 --

Actions:

Static routes:
0.0.0.0/0 via 198.51.100.130 metric 10: Installed
Active# show ip firewall sessions protocol icmp inside-source-address 192.0.2.100
Codes: E - expected, U - unreplied,
A - assured, C - confirmed

Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
icmp 29 192.0.2.100 77.88.8.8 203.0.113.2 77.88.8.8 -- -- C
Active# show ip nat translations inside-source-address 192.0.2.100
Prot Inside source Inside destination Outside source Outside destination Pkts Bytes
---- --------------------- --------------------- --------------------- --------------------- ---------- ----------
icmp 192.0.2.100 77.88.8.8 203.0.113.2 77.88.8.8 -- --

Рассмотрим несколько вариантов падения линка с выводом оперативных команд:
1) Падение линка gi1/0/1 или недоступность ISP1:

В таком случае SLA-1 тест перейдет в состояние Fail, после чего track-1 перейдет в состояние down - в результате пропадет маршрут по умолчанию через ISP 1, понизится VRRP-приоритет Active в сторону LAN-подсети и трафик будет ходить через Standby. Также со стороны Standby упадет SLA-4 тест и пропадет резервный маршрут по умолчанию через gi2/0/3.
Вывод оперативных команд со стороны Active после недоступности ISP 1:

2025-08-27T11:08:27+00:00 %IP_SLA-I-STATUS: (test 1) State changed to fail
2025-08-27T11:08:30+00:00 %VRRP-I-INSTANCE: VRRP2 Received higher prio advert 120
2025-08-27T11:08:30+00:00 %VRRP-I-INSTANCE: VRRP2 Entering BACKUP state

Active# show ip sla test statistics 1
Test number: 1
Description: --
Test status: Fail
Transmitted packets: 0
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.00/0.00/0.00 milliseconds
Two-way jitter min/avg/max: 0.00/0.00/0.00 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 3 (30.00%)
Number of failures: 7 (70.00%)
Active# show track 1
Track 1:
State: Down
Changes count: 8 (last 00,00:01:07)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 1 False State success 00,00:01:07 --

Actions:

Static routes:
0.0.0.0/0 via 203.0.113.1: Not installed
VRRPs:
ID 2 priority of the interface gigabitethernet 1/0/2 : 110
Active# show vrrp

Unit 1* 'Active'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 110 Enabled Backup -- --

Unit 2 'Standby'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Master -- --

Active# show ip route 0.0.0.0
Codes: C - connected, S - static, R - RIP derived,
O - OSPF derived, IA - OSPF inter area route,
E1 - OSPF external type 1 route, E2 - OSPF external type 2 route,
B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
H - NHRP, * - FIB route
S * 0.0.0.0/0 [1/10] via 198.51.100.130 on gi1/0/3 [static 09:36:18]

Пустим транзитный трафик со стоны Client в сторону ISP:

Client# ping 77.88.8.8
PING 77.88.8.8 (77.88.8.8) 56 bytes of data.
!!!!!
--- 77.88.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4005ms
rtt min/avg/max/mdev = 1.323/1.421/1.480/0.058 ms

Вывод оперативных команд со стороны Standby:

2025-08-27T11:08:23+00:00 %IP_SLA-I-STATUS: (test 4) State changed to fail
2025-08-27T11:08:29+00:00 %VRRP-I-INSTANCE: VRRP2 forcing a new MASTER election
2025-08-27T11:08:30+00:00 %VRRP-I-INSTANCE: VRRP2 Transition to MASTER state
2025-08-27T11:08:31+00:00 %VRRP-I-INSTANCE: VRRP2 Entering MASTER state

Standby# show ip sla test statistics 4
Test number: 4
Description: --
Test status: Fail
Transmitted packets: 0
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.00/0.00/0.00 milliseconds
Two-way jitter min/avg/max: 0.00/0.00/0.00 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 0 (0.00%)
Number of failures: 10 (100.00%)
Standby# show track 4
Track 4:
State: Down
Changes count: 11 (last 00,00:06:23)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 4 False State success 00,00:06:23 --

Actions:

Static routes:
0.0.0.0/0 via 198.51.100.129 metric 10: Not installed
Standby# show vrrp

Unit 1 'Active'
---------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 110 Enabled Backup -- --

Unit 2* 'Standby'
-----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Master -- --

Standby# show ip sla test statistics 2
Test number: 2
Description: --
Test status: Successful
Transmitted packets: 100
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.51/0.60/0.81 milliseconds
Two-way jitter min/avg/max: 0.03/0.05/0.08 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 10 (100.00%)
Number of failures: 0 (0.00%)
Standby# show track 2
Track 2:
State: Up
Changes count: 5 (last 00,01:38:44)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 2 True State success 00,01:38:44 --

Actions:

Static routes:
0.0.0.0/0 via 203.0.113.5: Installed
Standby# show ip route 0.0.0.0
Codes: C - connected, S - static, R - RIP derived,
O - OSPF derived, IA - OSPF inter area route,
E1 - OSPF external type 1 route, E2 - OSPF external type 2 route,
B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
H - NHRP, * - FIB route
S * 0.0.0.0/0 [1/0] via 203.0.113.5 on gi2/0/1 [static 09:36:23]
Standby# show ip firewall sessions protocol icmp inside-source-address 192.0.2.100
Codes: E - expected, U - unreplied,
A - assured, C - confirmed

Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
icmp 29 192.0.2.100 77.88.8.8 203.0.113.6 77.88.8.8 -- -- C
Standby# show ip nat translations inside-source-address 192.0.2.100
Prot Inside source Inside destination Outside source Outside destination Pkts Bytes
---- --------------------- --------------------- --------------------- --------------------- ---------- ----------
icmp 192.0.2.100 77.88.8.8 203.0.113.6 77.88.8.8 -- --

Далее может возникнуть ситуация, когда кроме падения gi1/0/1 или недоступности ISP 1, может упасть линк gi2/0/2:

В таком случае трафик сначало направится на Active, а после на Standby в сторону ISP 2.
Пустим транзитный трафик со стоны Client в сторону ISP:

Client# ping 77.88.8.8
PING 77.88.8.8 (77.88.8.8) 56 bytes of data.
!!!!!
--- 77.88.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.839/1.891/1.937/0.057 ms

Вывод оперативных команд со стороны Active:

2025-08-27T11:27:41+00:00 %VRRP-I-INSTANCE: VRRP2 Transition to MASTER state
2025-08-27T11:27:42+00:00 %VRRP-I-INSTANCE: VRRP2 Entering MASTER state
Active# show vrrp

Unit 1* 'Active'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 110 Enabled Master -- --

Unit 2 'Standby'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Fault -- --

Active# show ip route 0.0.0.0
Codes: C - connected, S - static, R - RIP derived,
O - OSPF derived, IA - OSPF inter area route,
E1 - OSPF external type 1 route, E2 - OSPF external type 2 route,
B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
H - NHRP, * - FIB route
S * 0.0.0.0/0 [1/10] via 198.51.100.130 on gi1/0/3 [static 09:36:18]
Active# show ip firewall sessions protocol icmp inside-source-address 192.0.2.100
Codes: E - expected, U - unreplied,
A - assured, C - confirmed

Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
icmp 20 192.0.2.100 77.88.8.8 192.0.2.100 77.88.8.8 -- -- C

Вывод оперативных команд со стороны Standby:

2025-08-27T11:27:38+00:00 %LINK-W-DOWN: gigabitethernet 2/0/2 changed state to down
2025-08-27T11:27:38+00:00 %LINK-W-DOWN: interface vrrp.2 changed state to down
2025-08-27T11:27:38+00:00 %VRRP-I-INSTANCE: VRRP2 Entering FAULT state
2025-08-27T11:27:38+00:00 %VRRP-I-INSTANCE: VRRP2 Now in FAULT state
Standby# show ip firewall sessions protocol icmp inside-source-address 192.0.2.100
Codes: E - expected, U - unreplied,
A - assured, C - confirmed

Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
icmp 7 192.0.2.100 77.88.8.8 203.0.113.6 77.88.8.8 -- -- C
Standby# show ip nat translations inside-source-address 192.0.2.100
Prot Inside source Inside destination Outside source Outside destination Pkts Bytes
---- --------------------- --------------------- --------------------- --------------------- ---------- ----------
icmp 192.0.2.100 77.88.8.8 203.0.113.6 77.88.8.8 -- --

2) Падение линка gi1/0/2:

При таком падении линков будет переключение мастерства на Standby и трафик будет ходить через Standby.
Вывод оперативной информации со стороны Active:

2025-08-27T12:00:38+00:00 %LINK-W-DOWN: gigabitethernet 1/0/2 changed state to down
2025-08-27T12:00:38+00:00 %LINK-W-DOWN: interface vrrp.2 changed state to down
2025-08-27T12:00:38+00:00 %VRRP-I-INSTANCE: VRRP2 Entering FAULT state
2025-08-27T12:00:38+00:00 %VRRP-I-INSTANCE: VRRP2 Now in FAULT state
Active# show vrrp

Unit 1* 'Active'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 150 Enabled Fault -- --

Unit 2 'Standby'
----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Master -- --

Пустим транзитный трафик со стоны Client в сторону ISP:

Client# ping 77.88.8.8
PING 77.88.8.8 (77.88.8.8) 56 bytes of data.
!!!!!
--- 77.88.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4006ms
rtt min/avg/max/mdev = 1.314/1.457/1.851/0.200 ms

Вывод оперативной информации со стороны Standby:

Standby# show vrrp

Unit 1 'Active'
---------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 150 Enabled Fault -- --

Unit 2* 'Standby'
-----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Master -- --

Standby# show track 2
Track 2:
State: Up
Changes count: 5 (last 00,02:27:09)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 2 True State success 00,02:27:09 --

Actions:

Static routes:
0.0.0.0/0 via 203.0.113.5: Installed
Standby# show track 4
Track 4:
State: Up
Changes count: 12 (last 00,00:08:22)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 4 True State success 00,00:08:22 --

Actions:

Static routes:
0.0.0.0/0 via 198.51.100.129 metric 10: Installed
Standby# show ip firewall sessions protocol icmp inside-source-address 192.0.2.100
Codes: E - expected, U - unreplied,
A - assured, C - confirmed

Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
icmp 21 192.0.2.100 77.88.8.8 203.0.113.6 77.88.8.8 -- -- C
Standby# show ip nat translations inside-source-address 192.0.2.100
Prot Inside source Inside destination Outside source Outside destination Pkts Bytes
---- --------------------- --------------------- --------------------- --------------------- ---------- ----------
icmp 192.0.2.100 77.88.8.8 203.0.113.6 77.88.8.8 -- --

Далее может возникнуть ситуация, когда кроме падения gi1/0/2, может упасть линк gi2/0/1 или станет недоступен ISP 2:

При таком падении линков SLA-2 тест перейдет в состояние Fail, после чего track-2 перейдет в состояние down и пропадет маршрут по умолчанию через ISP 2. Трафик будте ходить сначало на Standby, а после передаваться на Active в сторону ISP 1.
Со стороны Active упадет SLA-3 и, соответственно, пропадет резервный маршрут по умолчанию.
Пустим транзитный трафик со стоны Client в сторону ISP:

Client# ping 77.88.8.8
PING 77.88.8.8 (77.88.8.8) 56 bytes of data.
!!!!!
--- 77.88.8.8 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4003ms
rtt min/avg/max/mdev = 1.220/1.327/1.464/0.092 ms

Вывод оперативной информации со стороны Standby:

2025-08-27T12:12:52+00:00 %IP_SLA-I-STATUS: (test 2) State changed to fail

Standby# show ip sla test statistics 2
Test number: 2
Description: --
Test status: Fail
Transmitted packets: 0
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.00/0.00/0.00 milliseconds
Two-way jitter min/avg/max: 0.00/0.00/0.00 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 0 (0.00%)
Number of failures: 10 (100.00%)
Standby# show track 2
Track 2:
State: Down
Changes count: 6 (last 00,00:02:35)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 2 False State success 00,00:02:35 --

Actions:

Static routes:
0.0.0.0/0 via 203.0.113.5: Not installed
Standby# show vrrp

Unit 1 'Active'
---------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 150 Enabled Master -- 1
2 192.0.2.1/24 150 Enabled Fault -- --

Unit 2* 'Standby'
-----------------
Virtual router Virtual IP Priority Preemption State Inherit Sync group ID
-------------- --------------------------------- -------- ---------- ------ ------- -------------
1 198.51.100.1/29 120 Enabled Backup -- 1
2 192.0.2.1/24 120 Enabled Master -- --
Standby# show ip route 0.0.0.0
Codes: C - connected, S - static, R - RIP derived,
O - OSPF derived, IA - OSPF inter area route,
E1 - OSPF external type 1 route, E2 - OSPF external type 2 route,
B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
H - NHRP, * - FIB route
S * 0.0.0.0/0 [1/10] via 198.51.100.129 on gi2/0/3 [static 11:55:11]
Standby# show ip firewall sessions protocol icmp inside-source-address 192.0.2.100
Codes: E - expected, U - unreplied,
A - assured, C - confirmed

Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
icmp 11 192.0.2.100 77.88.8.8 192.0.2.100 77.88.8.8 -- -- C

Вывод оперативной информации со стороны Active:

2025-08-27T12:12:51+00:00 %IP_SLA-I-STATUS: (test 3) State changed to fail

Active# show ip sla test statistics 3
Test number: 3
Description: --
Test status: Fail
Transmitted packets: 0
Lost packets: 0 (0.00%)
Lost packets in forward direction: --
Lost packets in reverse direction: --
One-way delay forward min/avg/max: --
One-way delay reverse min/avg/max: --
One-way jitter forward: --
One-way jitter reverse: --
Two-way delay min/avg/max: 0.00/0.00/0.00 milliseconds
Two-way jitter min/avg/max: 0.00/0.00/0.00 milliseconds
Duplicate packets: --
Out of sequence packets in forward direction: --
Out of sequence packets in reverse direction: --
Number of successes: 1 (10.00%)
Number of failures: 9 (90.00%)
Active# show track 3
Track 3:
State: Down
Changes count: 7 (last 00,00:01:30)
Mode: And
Delay up: 0s
Delay down: 0s
Description: --

Conditions:

Type ID State Mode Last change (d,h:m:s) VRF
--------- -------------------- ----- -------------- ------------------------- --------------------------------
SLA 3 False State success 00,00:01:30 --

Actions:

Static routes:
0.0.0.0/0 via 198.51.100.130 metric 10: Not installed
Active# show ip route 0.0.0.0
Codes: C - connected, S - static, R - RIP derived,
O - OSPF derived, IA - OSPF inter area route,
E1 - OSPF external type 1 route, E2 - OSPF external type 2 route,
B - BGP derived, D - DHCP derived, K - kernel route, V - VRRP route,
i - IS-IS, L1 - IS-IS level-1, L2 - IS-IS level-2, ia - IS-IS inter area,
H - NHRP, * - FIB route
S * 0.0.0.0/0 [1/0] via 203.0.113.1 on gi1/0/1 [static 11:55:15]

Active# show ip firewall sessions protocol icmp inside-source-address 192.0.2.100
Codes: E - expected, U - unreplied,
A - assured, C - confirmed

Prot Aging Inside source Inside destination Outside source Outside destination Pkts Bytes Status
----- ---------- --------------------- --------------------- --------------------- --------------------- ---------- ---------- ------
icmp 25 192.0.2.100 77.88.8.8 203.0.113.2 77.88.8.8 -- -- C
Active# show ip nat translations inside-source-address 192.0.2.100
Prot Inside source Inside destination Outside source Outside destination Pkts Bytes
---- --------------------- --------------------- --------------------- --------------------- ---------- ----------
icmp 192.0.2.100 77.88.8.8 203.0.113.2 77.88.8.8 -- --

Дерево страниц

Настройка кластера в схеме с двумя провайдерами с использованием IP SLA + Track

Схема:

1. Настройка маршрутизаторов

1) Первичная настройка кластера

2) Настройка кластера в сторону LAN-подсети

3) Настройка кластера в сторону провайдеров

4) Настройка маршрутизации, track и sla-тестов

5) Настройка gi1/0/3 и gi2/0/3 для резервирования доступа в интернет

6) Итоговая конфигурация кластера:

2. Проверка резервирования