Overview
             |------.1[FW1].1------|
[SW].5 ======|        vIP.3        |-------.5[RT]
             |------.2[FW2].2------|
    |<-------------->|        |<--------------->|
           NW1                        NW2
      10.0.10.0/24               10.0.20.0/24
Topology
- Devices
- IP information
- SW
- RT
- FW1
- ge-0/0/0.0 10.0.10.1
- ge-0/0/1.0 10.0.20.1
- FW2
- ge-0/0/0.0 10.0.10.2
- ge-0/0/1.0 10.0.20.2
- VRRP
- VRRP
- Active/Standby
- Priority
- GroupID: 100
- Tracking: FW1 ge-0/0/0
Prerequisite configuration
SW (Cisco switch)
interface vlan10
ip address 10.0.10.5 255.255.255.0
interface GigabitEthernet0/0/1
switchport mode access
switchport access vlan 10
interface GigabitEthernet0/0/2
switchport mode access
switchport access vlan 10
FW1
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.1/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24
set security zones security-zone trust interfaces ge-0/0/1.0
FW2
set interfaces ge-0/0/0 unit 0 family inet address 10.0.10.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.2/24
set security zones security-zone trust interfaces ge-0/0/1.0
Verification commands
show vrrp brief
show vrrp track
show vrrp detail
Configuration
### FW1
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24 vrrp-group 100 virtual-address 10.0.20.3
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24 vrrp-group 100 priority 20
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24 vrrp-group 100 accept-data
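# priority-cost 15: FW1's priority falls from 20 to 5 while ge-0/0/0.0 is down
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.1/24 vrrp-group 100 track interface ge-0/0/0.0 priority-cost 15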
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
### FW2
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.2/24 vrrp-group 100 virtual-address 10.0.20.3
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.2/24 vrrp-group 100 priority 10
set interfaces ge-0/0/1 unit 0 family inet address 10.0.20.2/24 vrrp-group 100 accept-data
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services ping
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols vrrp
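Details
<omitted> vrrp-group [ID] virtual-address [VIP] : Sets the vIP that is configured as the next hop
<omitted> vrrp-group [ID] priority [PRIORITY] : Sets the priority used to decide Active/Standby (the higher value becomes Active)
<omitted> vrrp-group [ID] track interface [I/F] priority-cost [COST] : Sets the interface monitored for failover and the value subtracted from the priority when it fails
<omitted> vrrp-group [ID] accept-data : Allows the vIP to be used as a traffic destination
<omitted> vrrp-group [ID] authentication-key : Sets the password used for VRRP group authentication
<omitted> vrrp-group [ID] authentication-type : Sets the password encryption method for VRRP group authentication
<omitted> vrrp-group [ID] preempt : Switches the Active/Standby roles back when the failure recovers
<omitted> vrrp-group [ID] preempt hold-time [SEC] : Sets how long to wait before switching back (prevents frequent switchovers in an unstable environment)
<omitted> vrrp-group [ID] advertise-interval [SEC] : Sets the interval at which the Active device is confirmed to be alive (the so-called hello)
<omitted> vrrp-group [ID] advertisements-threshold [COUNT] : Sets how many failed hello checks mark the device as down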
Verification
########## Normal operation
### FW1
> show vrrp summary
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 100 master Active A 0.570 lcl 10.0.20.1
vip 10.0.20.3
> show vrrp track
Track Int State Speed VRRP Int Group VR State Current prio
ge-0/0/0.0 up 10g ge-0/0/1.0 100 master 20
### FW2
> show vrrp summary
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 100 backup Active D 3.510 lcl 10.0.20.2
vip 10.0.20.3
mas 10.0.20.1
########## FW1 ge-0/0/0 failure
### FW1
> show vrrp summary
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 100 backup Active D 3.132 lcl 10.0.20.1
vip 10.0.20.3
mas 10.0.20.2
> show vrrp track
Track Int State Speed VRRP Int Group VR State Current prio
ge-0/0/0.0 down 0 ge-0/0/1.0 100 backup 5
### FW2
> show vrrp summary
Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 100 master Active A 0.407 lcl 10.0.20.2
vip 10.0.20.3
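The check below is an added example, not part of the original page: it parses the `show vrrp summary` text from both firewalls and reports a group that does not have exactly one master, a backup whose `mas` address is not the master's `lcl` address, or a vIP mismatch. Two masters at once is the state to expect when the peers do not receive each other's advertisements, for example when `protocols vrrp` is missing from `host-inbound-traffic`. The function names and the sample dictionary are assumptions made for this example; the sample text is constructed from the failure-case output above.

```python
# Constructed sample: "show vrrp summary" text from the failure case above.
FAILOVER = {
    "FW1": """Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 100 backup Active D 3.132 lcl 10.0.20.1
vip 10.0.20.3
mas 10.0.20.2""",
    "FW2": """Interface State Group VR state VR Mode Timer Type Address
ge-0/0/1.0 up 100 master Active A 0.407 lcl 10.0.20.2
vip 10.0.20.3""",
}

def parse_summary(text):
    """Parse 'show vrrp summary' text into one dict per VRRP group."""
    groups, cur = [], None
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 9 and tok[2].isdigit():       # first row of a group
            cur = {"group": int(tok[2]), "vr_state": tok[3], tok[-2]: tok[-1]}
            groups.append(cur)
        elif cur and len(tok) == 2 and tok[0] in ("lcl", "vip", "mas"):
            cur[tok[0]] = tok[1]                     # continuation address row
    return groups

def check_pair(outputs):
    """Return findings for a set of {device: summary text}; [] means healthy."""
    findings, by_group = [], {}
    for dev, text in outputs.items():
        for g in parse_summary(text):
            by_group.setdefault(g["group"], []).append((dev, g))
    for gid, members in sorted(by_group.items()):
        masters = [d for d, g in members if g["vr_state"] == "master"]
        if len(masters) != 1:
            findings.append(f"group {gid}: expected 1 master, found {masters}")
            continue
        master_ip = next(g.get("lcl") for d, g in members if d == masters[0])
        for dev, g in members:
            if g["vr_state"] == "backup" and g.get("mas") != master_ip:
                findings.append(f"group {gid}: {dev} follows {g.get('mas')}, "
                                f"not {masters[0]} ({master_ip})")
        if len({g.get("vip") for _, g in members}) != 1:
            findings.append(f"group {gid}: virtual address differs between peers")
    return findings

if __name__ == "__main__":
    print(check_pair(FAILOVER) or "healthy")
```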