Device HA
Use device HA and Virtual Router Redundancy Protocol (VRRP) to increase network reliability. See the Device HA section for related information on these screens.
Virtual Router Redundancy Protocol (VRRP) Overview
Every computer on a network may send packets to a default gateway, which can become a single point of failure. Virtual Router Redundancy Protocol (VRRP) allows you to create redundant backup gateways to ensure that the default gateway is always available.
Note: The ZyWALL 1050 runs VRRP v2. You can only set up device HA with other ZyWALL 1050s running the same firmware version.
In VRRP, a virtual router represents a number of routers associated with one IP address, the IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number called a Virtual Router ID (VR ID). In the example below, Router A and Router B are part of virtual router 10 with IP address 192.168.10.254.
Note: Every router in a virtual router must use the same advertisement interval.
If there is more than one backup router, the backup router with the highest priority becomes the master router. The other backup routers remain backup routers.
Additional VRRP Notes
VRRP Group Overview
In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet or VLAN interface with a static IP address.
Note: You can only use interfaces that have static IP addresses.
You can only enable one VRRP group for each interface, and you can only have one active VRRP group for each virtual router.
You must set up a static IP address for the interface first, and this IP address should be the IP address of the virtual router, not the management IP address. The management IP address is assigned in the VRRP group. When the ZyWALL is the master router, the interface uses its IP address, the IP address of the virtual router. If the ZyWALL is a backup router, the interface uses its management IP address. You can look at the current IP address of the interface in the Status screen.
Note: You can only have one active VRRP group for each interface, and you can only have one active VRRP group for each virtual router (VR ID).
If there is a PPPoE/PPTP interface on top of an interface in a VRRP group, the PPPoE/PPTP interface cannot connect to the ISP until the interface becomes the master in the virtual router.
At the time of writing, the advertisement interval is fixed at one second.
You can also set up authentication for a VRRP group. If you select AH MD5 authentication, the VRRP group uses IP protocol 51 (AH), instead of IP protocol 112 (VRRP).
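The following is an added example, not ZyWALL code: a parser for a VRRP v2 advertisement (field layout and authentication type codes as defined in RFC 2338) that reports the fields described above and flags weak settings. It takes the VRRP message itself (the payload after the IP header, or after the AH header when AH MD5 is used); the function names and the sample password are constructed for illustration.

```python
import ipaddress
import struct

# VRRPv2 authentication type codes (RFC 2338); names follow the ZyWALL screen labels.
AUTH_TYPES = {0: "None", 1: "Text", 2: "IP AH(MD5)"}

def checksum(data: bytes) -> int:
    """16-bit one's-complement Internet checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def parse_advert(msg: bytes) -> dict:
    """Parse one VRRPv2 advertisement and list review findings."""
    if len(msg) < 8:
        raise ValueError("truncated VRRP header")
    ver_type, vrid, prio, count, auth, interval, _ = struct.unpack("!6BH", msg[:8])
    if ver_type != 0x21:  # version 2, type 1 (ADVERTISEMENT)
        raise ValueError("not a VRRPv2 advertisement")
    end = 8 + 4 * count + 8  # header + addresses + 8-byte authentication data
    if len(msg) < end:
        raise ValueError("truncated VRRP message")
    if checksum(msg[:end]) != 0:  # a valid message sums to zero with its checksum
        raise ValueError("bad VRRP checksum")
    addrs = [str(ipaddress.IPv4Address(msg[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    findings = []
    if auth == 0:
        findings.append("no authentication")
    elif auth == 1:
        findings.append("Text password travels unencrypted in every advertisement")
    elif auth != 2:
        findings.append(f"unknown authentication type {auth}")
    if interval != 1:
        findings.append(f"advertisement interval {interval}s differs from the fixed 1s")
    return {"vrid": vrid, "priority": prio, "addresses": addrs,
            "auth": AUTH_TYPES.get(auth, "unknown"), "findings": findings}

def build_sample(auth: int = 1) -> bytes:
    """Constructed advertisement: VR ID 10, master priority 255, 192.168.10.254."""
    body = struct.pack("!6BH", 0x21, 10, 255, 1, auth, 1, 0)
    body += ipaddress.IPv4Address("192.168.10.254").packed
    body += b"example\x00" if auth == 1 else bytes(8)  # constructed password
    return body[:6] + struct.pack("!H", checksum(body)) + body[8:]
```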
Link Monitoring
Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL's functions.
VRRP and Remote Management
A backup ZyWALL that takes over for an unavailable master ZyWALL takes over all of the master ZyWALL's static IP addresses. This means you can no longer access the original master ZyWALL through one of its static IP addresses (because the backup ZyWALL now uses this address). Do one of the following to still be able to access the original master ZyWALL (assuming it is still functioning).
- Use a DHCP client interface. The DHCP server assigns the backup ZyWALL an IP address that is different from the IP address assigned to the master ZyWALL. So you can still access the original master ZyWALL through its DHCP assigned IP address. You will need to be using DDNS (or have access to the DHCP server) to access the dynamic IP address.
- Use a static IP address on one of the master ZyWALL's interfaces without adding that interface to any VRRP group. Also leave the corresponding port on the backup ZyWALL unconnected. This way the original master ZyWALL still uses the static IP address after the backup ZyWALL takes over for it.
- Connect an external serial modem to the DIAL BACKUP port (or AUX port depending on your model) and configure dial-in management.
VRRP Group Summary
The VRRP Group summary screen provides information about which interfaces are in virtual routers and the role and status of each interface in the virtual router.
VRRP Group Add/Edit
The VRRP Group Add/Edit screen allows you to add VRRP groups to the ZyWALL or to edit the configuration of an existing VRRP group.
Device HA > VRRP Group > Edit
Label: Description
Enable: Select this to make the specified interface part of the virtual router. Clear this to take the specified interface out of the virtual router.
Name: This field is read-only if you are editing the VRRP group. Type the name of the VRRP group. This field must be unique in the ZyWALL, but it is not used in the virtual router. The virtual router uses the VRID. The name can consist of alphanumeric characters, the underscore, and the dash and may be up to fifteen characters long.
VRID: Type the virtual router ID number.
Description: Type the description of the VRRP group. This field is only for your reference. It may be up to sixty printable ASCII characters long.
VRRP Interface: Select the interface in this device that is part of the virtual router. You can only select interfaces that have static IP addresses.
Role: Select the role that you want the interface to play in the virtual router. Choices are:
- Master - This interface is the master interface in the virtual router. The interface always uses its static IP address, not the management IP address of the VRRP group.
  Note: Do not set this field to Master for two or more routers in the same virtual router (same VR ID).
- Backup - This interface is a backup interface in the virtual router. The interface may use its static IP address or the management IP address of the VRRP group, depending on its current role. The current role depends on the other routers in the virtual router.
Priority: This field is available if the selected interface is a Backup interface. Type the priority of the backup interface. The backup interface with the highest value takes over the role of the master interface if the master interface becomes unavailable. The priority must be between 1 and 254. (The master interface has priority 255.)
Preempt: This field is available if the selected interface is a Backup interface. Select this if the selected interface should become the master interface if a lower-priority interface is the master when this one is enabled. (If the role is Master, the interface preempts by default.)
Manage IP: This field is available if the selected interface is a Backup interface. Enter the IP address of the interface while it is in Stand-By mode. It is recommended that this IP address be in the same subnet as the interface. If it is not in the same subnet, the backup router cannot synchronize with the master via this VRRP interface.
Manage IP Subnet Mask: This field is available if the selected interface is a Backup interface.
Authentication: Select the authentication method used in the virtual router. Every interface in a virtual router must use the same authentication method and password. Choices are:
- None - this virtual router does not use any authentication method.
- Text - this virtual router uses a plain text password for authentication. Type the password in the field next to the radio button. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ` \ () ), and it can be up to eight characters long.
- IP AH(MD5) - this virtual router uses an encrypted MD5 password for authentication. Type the password in the field next to the radio button. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ` \ () ), and it can be up to eight characters long.
See Authentication Types for more information about authentication methods.
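The following is an added example, not ZyWALL code or a ZyWALL configuration format: a pre-deployment check that applies the field rules in the table above to a planned set of enabled VRRP groups across several devices. The dict layout, key names, interface name and sample values are all constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

def lint_vrrp_groups(groups):
    """Check enabled VRRP groups (hypothetical dict layout) against this page's rules."""
    problems, by_vrid, used_ifaces = [], defaultdict(list), set()
    for g in groups:
        tag = f"{g['device']}/{g['name']}"
        by_vrid[g["vrid"]].append(g)
        if not re.fullmatch(r"[A-Za-z0-9_-]{1,15}", g["name"]):
            problems.append(f"{tag}: name must be up to 15 characters of A-Z, a-z, 0-9, _ or -")
        if (g["device"], g["iface"]) in used_ifaces:
            problems.append(f"{tag}: {g['iface']} already has an active VRRP group")
        used_ifaces.add((g["device"], g["iface"]))
        if len(g.get("password", "")) > 8:
            problems.append(f"{tag}: password is longer than eight characters")
        if g["role"] == "Backup":
            if not 1 <= g["priority"] <= 254:
                problems.append(f"{tag}: backup priority must be 1-254")
            subnet = ipaddress.ip_interface(g["iface_ip"]).network
            if ipaddress.ip_address(g["manage_ip"]) not in subnet:
                problems.append(f"{tag}: manage IP is outside {subnet}")
    for vrid, members in sorted(by_vrid.items()):
        if sum(m["role"] == "Master" for m in members) > 1:
            problems.append(f"VR ID {vrid}: more than one router has role Master")
        if len({(m["auth"], m.get("password", "")) for m in members}) > 1:
            problems.append(f"VR ID {vrid}: authentication method or password differs")
    return problems

# Constructed plan for virtual router 10 (192.168.10.254) with three deliberate mistakes
# on device B: priority 255, manage IP in another subnet, different authentication method.
SAMPLE = [
    {"device": "A", "name": "lan_ha", "vrid": 10, "iface": "ge1", "role": "Master",
     "iface_ip": "192.168.10.254/24", "auth": "IP AH(MD5)", "password": "s3cr3t"},
    {"device": "B", "name": "lan_ha", "vrid": 10, "iface": "ge1", "role": "Backup",
     "priority": 255, "iface_ip": "192.168.10.254/24", "manage_ip": "192.168.11.2",
     "auth": "Text", "password": "s3cr3t"},
]
```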
Synchronization Overview
In a virtual router, backup routers do not automatically get configuration updates from the master router. In this case, the master ZyWALL can send these updates to backup ZyWALLs. This is called synchronization.
During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.
Synchronization does not change the VRRP groups or synchronization settings in the backup ZyWALL, however.
Backup ZyWALLs cannot get updates for services to which they have not subscribed. For example, if a backup ZyWALL has not subscribed to IDP/AppPatrol or AV, it does not get updates from the master ZyWALL.
Synchronization affects the entire device configuration. You can only configure one set of settings for synchronization, regardless of how many VRRP groups you might configure. The ZyWALL uses Secure FTP (on a port number you can change) to synchronize, but it is still recommended that the backup ZyWALL synchronize with a master ZyWALL on a secure network.
Synchronization can be either done manually or scheduled regularly, and it is initiated by the backup ZyWALL. The following restrictions apply.
During synchronization, the backup ZyWALL checks to see if the incoming configuration is different from the existing configuration on the backup. If the incoming configuration is different, the backup ZyWALL applies the entire configuration. The incoming configuration is not applied if it is the same as the existing configuration on the backup.
Note: The backup ZyWALL is not available while it applies the new configuration. This usually takes two or three minutes but can take longer depending on the configuration complexity.
Synchronize Screen
Use this screen if you want the ZyWALL to get or send updated IDP signatures and configuration information in the virtual router.
Note: You can only set up synchronization with other ZyWALL 1050s running the same firmware version.
For synchronization, every ZyWALL in a virtual router should usually have the same Password, Synchronize From, and on port values. In addition, the management IP address must be in the same subnet as the interface (in other words, the virtual router).