Device HA

Use device HA and Virtual Router Redundancy Protocol (VRRP) to increase network reliability. See the Device HA section for related information on these screens.

Virtual Router Redundancy Protocol (VRRP) Overview

Every computer on a network may send packets to a default gateway, which can become a single point of failure. Virtual Router Redundancy Protocol (VRRP) allows you to create redundant backup gateways to ensure that the default gateway is always available.

Note: The ZyWALL 1050 runs VRRP v2. You can only set up device HA with other ZyWALL 1050s running the same firmware version.

In VRRP, a virtual router represents a number of routers associated with one IP address, the IP address of the default gateway. Each virtual router is identified by a unique 8-bit identification number called a Virtual Router ID (VR ID). In the example below, Router A and Router B are part of virtual router 10 with IP address 192.168.10.254.

Note: Every router in a virtual router must use the same advertisement interval.

If there is more than one backup router, the backup router with the highest priority becomes the master router. The other backup routers remain backup routers.

Additional VRRP Notes

VRRP Group Overview

In the ZyWALL, you should create a VRRP group to add one of its interfaces to a virtual router. You can add any Ethernet or VLAN interface with a static IP address.

Note: You can only use interfaces that have static IP addresses.

You can only enable one VRRP group for each interface, and you can only have one active VRRP group for each virtual router.

You must set up a static IP address for the interface first, and this IP address should be the IP address of the virtual router, not the management IP address. The management IP address is assigned in the VRRP group. When the ZyWALL is the master router, the interface uses its IP address, the IP address of the virtual router. If the ZyWALL is a backup router, the interface uses its management IP address. You can look at the current IP address of the interface in the Status screen.

Note: You can only have one active VRRP group for each interface, and you can only have one active VRRP group for each virtual router (VR ID).

If there is a PPPoE/PPTP interface on top of an interface in a VRRP group, the PPPoE/PPTP interface cannot connect to the ISP until the interface becomes the master in the virtual router.

At the time of writing, the advertisement interval is fixed at one second.

You can also set up authentication for a VRRP group. If you select AH MD5 authentication, the VRRP group uses IP protocol 51 (AH), instead of IP protocol 112 (VRRP).
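
The settings described above (VR ID, priority, advertisement interval and authentication type) all travel in each VRRP v2 advertisement. The following Python code is an added example, not ZyWALL code: it decodes a constructed advertisement and lists what a reviewer should check. The field layout and numeric auth type codes come from the VRRP v2 specification rather than this page, and the sample password and the `expected_auth` default are assumptions.

```python
import struct

AUTH = {0: "None", 1: "Text", 2: "IP AH(MD5)"}  # VRRPv2 auth type codes

def checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, addrs, auth=0, password=b"", interval=1):
    """Build a constructed VRRPv2 advertisement to use as sample input."""
    head = bytes([0x21, vrid, priority, len(addrs), auth, interval])
    tail = b"".join(bytes(int(o) for o in a.split(".")) for a in addrs)
    tail += password[:8].ljust(8, b"\x00")          # 8-byte authentication data
    return head + struct.pack("!H", checksum(head + b"\x00\x00" + tail)) + tail

def parse_advert(pkt: bytes, expected_auth: int = 2) -> dict:
    """Decode a VRRPv2 advertisement and list what a reviewer should look at."""
    if len(pkt) < 16 or pkt[0] != 0x21:             # version 2, type 1
        raise ValueError("not a VRRPv2 advertisement")
    vrid, prio, count, auth, interval = pkt[1:6]
    if len(pkt) != 16 + 4 * count:
        raise ValueError("length does not match the address count")
    addrs = [".".join(str(b) for b in pkt[8 + 4 * i:12 + 4 * i]) for i in range(count)]
    findings = []
    if checksum(pkt) != 0:                          # valid message sums to zero
        findings.append("checksum mismatch")
    if interval != 1:
        findings.append("advertisement interval is not the fixed 1 second")
    if auth != expected_auth:
        findings.append(f"auth type {AUTH.get(auth, auth)} differs from expected")
    cleartext = pkt[-8:].rstrip(b"\x00").decode("ascii", "replace") if auth == 1 else None
    if auth == 1:                                   # Text auth is not confidential
        findings.append("Text password is readable in the advertisement")
    return {"vrid": vrid, "priority": prio, "addresses": addrs, "interval": interval,
            "auth": AUTH.get(auth, str(auth)), "cleartext": cleartext, "findings": findings}

# Constructed sample: a master for virtual router 10 (192.168.10.254), Text auth.
SAMPLE = build_advert(10, 255, ["192.168.10.254"], auth=1, password=b"Secret_1")

if __name__ == "__main__":
    print(parse_advert(SAMPLE))
```

With IP AH(MD5) selected, the same VRRP message is carried inside an AH header (IP protocol 51), so the parser applies to the payload after AH has been removed.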

Link Monitoring

Link monitoring has the master ZyWALL shut down all of its VRRP interfaces if one of its VRRP interface links goes down. This way the backup ZyWALL takes over all of the master ZyWALL's functions.

VRRP and Remote Management

A backup ZyWALL that takes over for an unavailable master ZyWALL takes over all of the master ZyWALL's static IP addresses. This means you can no longer access the original master ZyWALL through one of its static IP addresses (because the backup ZyWALL now uses this address). Do one of the following to still be able to access the original master ZyWALL (assuming it is still functioning).

VRRP Group Summary

The VRRP Group summary screen provides information about which interfaces are in virtual routers and the role and status of each interface in the virtual router.

Device HA > VRRP Group 

| Label | Description |
| --- | --- |
| Refresh | Click this button to update the information in this screen. |
| # | This field is a sequential value, and it is not associated with a specific VRRP group. |
| Name | This field displays the name of the VRRP group. |
| VRID | This field displays the virtual router ID number. |
| Role | This field displays which role the interface plays in the virtual router. Master - This interface is the master interface in the virtual router. The interface always uses its static IP address, not the management IP address of the VRRP group. Backup - This interface is a backup interface in the virtual router. The interface may use its static IP address or the management IP address of the VRRP group, depending on whether or not the backup has become the master. |
| Interface | This field displays which interface is part of the virtual router. |
| HA Status | This field displays the status of the interface in the virtual router. Active - This interface is the master interface in the virtual router. Stand-By - This interface is a backup interface in the virtual router. Fault - This VRRP group is not functioning in the virtual router right now. For example, this might happen if the interface is down. n/a - This interface is not connected to the virtual router. For example, this might happen when the VRRP group is first set up. |
| Add icon | This column provides icons to activate, deactivate, add, edit, and remove VRRP groups. To activate or deactivate a VRRP group, click the Active icon next to the group. To add a VRRP group, click the Add icon at the top of the column. The VRRP Group Add/Edit screen appears. To edit a VRRP group, click the Edit icon next to the group. The VRRP Group Add/Edit screen appears. To delete a VRRP group, click the Remove icon next to the group. The web configurator confirms that you want to delete the VRRP group before doing so. |

VRRP Group Add/Edit

The VRRP Group Add/Edit screen allows you to add VRRP groups to the ZyWALL or to edit the configuration of an existing VRRP group.

Device HA > VRRP Group > Edit 

| Label | Description |
| --- | --- |
| Enable | Select this to make the specified interface part of the virtual router. Clear this to take the specified interface out of the virtual router. |
| Name | This field is read-only if you are editing the VRRP group. Type the name of the VRRP group. This field must be unique in the ZyWALL, but it is not used in the virtual router. The virtual router uses the VRID. The name can consist of alphanumeric characters, the underscore, and the dash and may be up to fifteen characters long. |
| VRID | Type the virtual router ID number. |
| Description | Type the description of the VRRP group. This field is only for your reference. It may be up to sixty printable ASCII characters long. |
| VRRP Interface | Select the interface in this device that is part of the virtual router. You can only select interfaces that have static IP addresses. |
| Role | Select the role that you want the interface to play in the virtual router. Choices are: Master - This interface is the master interface in the virtual router. The interface always uses its static IP address, not the management IP address of the VRRP group. Note: Do not set this field to Master for two or more routers in the same virtual router (same VR ID). Backup - This interface is a backup interface in the virtual router. The interface may use its static IP address or the management IP address of the VRRP group, depending on its current role. The current role depends on the other routers in the virtual router. |
| Priority | This field is available if the selected interface is a Backup interface. Type the priority of the backup interface. The backup interface with the highest value takes over the role of the master interface if the master interface becomes unavailable. The priority must be between 1 and 254. (The master interface has priority 255.) |
| Preempt | This field is available if the selected interface is a Backup interface. Select this if the selected interface should become the master interface if a lower-priority interface is the master when this one is enabled. (If the role is Master, the interface preempts by default.) |
| Manage IP | This field is available if the selected interface is a Backup interface. Enter the IP address of the interface while it is in Stand-By mode. It is recommended that this IP address be in the same subnet as the interface. If it is not in the same subnet, the backup router cannot synchronize with the master via this VRRP interface. |
| Manage IP Subnet Mask | This field is available if the selected interface is a Backup interface. |
| Authentication | Select the authentication method used in the virtual router. Every interface in a virtual router must use the same authentication method and password. Choices are: None - this virtual router does not use any authentication method. Text - this virtual router uses a plain text password for authentication. Type the password in the field next to the radio button. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ` \ () ), and it can be up to eight characters long. IP AH(MD5) - this virtual router uses an encrypted MD5 password for authentication. Type the password in the field next to the radio button. The password can consist of alphanumeric characters, the underscore, and some punctuation marks (+-/*= :; .! @$&%#~ ` \ () ), and it can be up to eight characters long. See Authentication Types for more information about authentication methods. |

Synchronization Overview

In a virtual router, backup routers do not automatically get configuration updates from the master router. In this case, the master ZyWALL can send these updates to backup ZyWALLs. This is called synchronization.

During synchronization, the master ZyWALL sends the following information to the backup ZyWALL.

Synchronization does not change the VRRP groups or synchronization settings in the backup ZyWALL, however.

Backup ZyWALLs cannot get updates for services to which they have not subscribed. For example, if a backup ZyWALL has not subscribed to IDP/AppPatrol or AV, it does not get updates from the master ZyWALL.

Synchronization affects the entire device configuration. You can only configure one set of settings for synchronization, regardless of how many VRRP groups you might configure. The ZyWALL uses Secure FTP (on a port number you can change) to synchronize, but it is still recommended that the backup ZyWALL synchronize with a master ZyWALL on a secure network.

Synchronization can be done either manually or on a regular schedule, and it is initiated by the backup ZyWALL. The following restrictions apply.

During synchronization, the backup ZyWALL checks to see if the incoming configuration is different from the existing configuration on the backup. If the incoming configuration is different, the backup ZyWALL applies the entire configuration. The incoming configuration is not applied if it is the same as the existing configuration on the backup.

Note: The backup ZyWALL is not available while it applies the new configuration. This usually takes two or three minutes but can take longer depending on the configuration complexity.

Synchronize Screen

Use this screen if you want the ZyWALL to get or to send updated IDP signatures and configuration information in the virtual router.

Note: You can only set up synchronization with other ZyWALL 1050s running the same firmware version.

For synchronization, every ZyWALL in a virtual router should usually have the same Password, Synchronize From, and on port values. In addition, the management IP address must be in the same subnet as the interface (in other words, the virtual router).
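
The consistency rules in this chapter (one Master per VR ID, matching authentication, Manage IP in the interface subnet, matching synchronization values, no default synchronization password) can be checked before the settings are entered on each device. The following Python code is an added example, not part of the ZyWALL or its documentation; the dictionary layout, device names, passwords and port 2121 are assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict

def lint_device_ha(devices):
    """Check planned Device HA settings against the constraints in this guide."""
    findings, by_vrid = [], defaultdict(list)
    for d in devices:
        if d["sync_password"] in ("", "1234"):      # blank reverts to default 1234
            findings.append(f"{d['name']}: synchronization password is the default")
        for g in d["groups"]:
            by_vrid[g["vrid"]].append((d["name"], g))
            if len(g["password"]) > 8:
                findings.append(f"{d['name']}/{g['name']}: password over 8 characters")
            if g["role"] != "Backup":
                continue
            if not 1 <= g["priority"] <= 254:
                findings.append(f"{d['name']}/{g['name']}: backup priority not 1-254")
            subnet = ipaddress.ip_interface(g["interface_ip"]).network
            if ipaddress.ip_address(g["manage_ip"]) not in subnet:
                findings.append(f"{d['name']}/{g['name']}: Manage IP outside {subnet}")
    for vrid, members in sorted(by_vrid.items()):
        masters = [name for name, g in members if g["role"] == "Master"]
        if len(masters) > 1:
            findings.append(f"VRID {vrid}: more than one Master ({', '.join(masters)})")
        if len({(g["auth"], g["password"]) for _, g in members}) > 1:
            findings.append(f"VRID {vrid}: authentication method or password differs")
    if len({(d["sync_password"], d["sync_from"], d["sync_port"]) for d in devices}) > 1:
        findings.append("Password / Synchronize From / on port differ between devices")
    return findings

def group(name, role, auth, password, priority=255, manage_ip=None):
    """Constructed VRRP group for virtual router 10 (192.168.10.254/24)."""
    return {"name": name, "vrid": 10, "role": role, "priority": priority,
            "interface_ip": "192.168.10.254/24", "manage_ip": manage_ip,
            "auth": auth, "password": password}

# Constructed sample plan; device names, passwords and port 2121 are made up.
PLAN = [
    {"name": "RouterA", "sync_password": "1234", "sync_from": "192.168.10.254",
     "sync_port": 2121, "groups": [group("vr10", "Master", "IP AH(MD5)", "s3cr3t!")]},
    {"name": "RouterB", "sync_password": "Tr0ub4d0r", "sync_from": "192.168.10.254",
     "sync_port": 2121, "groups": [group("vr10", "Backup", "Text", "s3cr3t!",
                                         priority=100, manage_ip="192.168.11.1")]},
]

if __name__ == "__main__":
    for finding in lint_device_ha(PLAN):
        print(finding)
```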

Network > Device HA > Synchronize 

| Label | Description |
| --- | --- |
| Password | Enter the password used to verify other ZyWALL routers during synchronization. This password is different than the one that is used for authentication in the VRRP group. Every ZyWALL in the virtual router must use the same password. If you leave this field blank, the password returns to its default setting "1234". |
| Synchronize From | Enter the IP address or fully-qualified domain name (FQDN) of the router from which to get updated configuration and IDP signatures. Usually, you should enter the IP address or FQDN of a virtual router on a secure network. |
| on port | Enter the Secure FTP port number used by the ZyWALL you specified in Synchronize From. Usually, every ZyWALL in the virtual router should use the same port number. Otherwise, if the master ZyWALL changes, you might have to change this port number. |
| Sync. Now | Click this button to get updated certificates, AV signatures, IDP and application patrol signatures, system protect signatures, and configuration information from the specified ZyWALL router. Note: If the new configuration is different from the existing one on this backup ZyWALL, this backup ZyWALL applies the entire configuration. |
| Auto Synchronize | Select this to get updated configuration and IDP signatures automatically from the specified ZyWALL according to the specified Interval. The first synchronization begins after the specified Interval; the ZyWALL does not synchronize immediately. |
| Interval | This field is only available if Auto Synchronize is checked. Type the number of minutes to wait between synchronizations. This value must be a number between 1 and 1440 (one day). |