H3C Security Devices-Software Upgrade Guide for Member Devices in High Availability Group (V7)-6W100-book.pdf(176.31 KB)
- Released At: 30-04-2024
H3C Security Devices
Software Upgrade Guide for Member Devices in High Availability Group (V7)
Document version: 6W100-20220113
Copyright © 2022 New H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of New H3C Technologies Co., Ltd.
Except for the trademarks of New H3C Technologies Co., Ltd., any trademarks that may be mentioned in this document are the property of their respective owners.
This document provides generic technical information, some of which might not be applicable to your products.
The information in this document is subject to change without notice.
Contents
Software upgrade guide for member devices in a high availability group
Upgrading the secondary device
Verifying the upgrade result on the secondary device
Verifying the upgrade result on the primary device
Software upgrade guide for member devices in a high availability group
Applicable scenarios
This guide applies to the member devices in a high availability group.
Consistency requirements
To set up a high availability (HA) group with two devices, you must ensure hardware and software consistency between the devices.
During software upgrade or rollback, the member devices can run different software versions. As a best practice to ensure correct operation of the HA group, restore software consistency as soon as possible.
Hardware consistency
Before you set up an HA group, verify that the following hardware settings are the same on the candidate member devices:
· Device model.
· Location, number, and type of MPUs.
· Location, number, and type of service modules.
· Location, number, and type of switching fabric modules.
· Location, number, and type of interface modules.
· Number and type of management interfaces, service interfaces, interfaces for setting up the control channel, and interfaces for setting up the data channel. Do not use one interface for multiple purposes.
· Location, number, and type of disks. A device without disks installed has small log storage and does not support some types of logs or reports.
Software consistency
Before you set up an HA group, verify that the following software settings are the same on the candidate member devices:
· Software environment and version, including boot packages, system packages, feature packages, and patches.
· Licensed signature libraries and features, such as signature library types, signature library version, validation time, and number of licensed resources.
· Interface numbers.
· Type, speed, and number of the interfaces for setting up the control channel. As a best practice, use aggregate interfaces.
· Type, speed, and number of the interfaces for setting up the data channel. As a best practice, use aggregate interfaces.
· Aggregate interface numbers and aggregation member port numbers.
· Security zone configuration on the interfaces at the same location.
· Multi-CPU packet distribution policy (configurable with the forwarding policy command).
Upgrading the software
This guide provides the upgrade procedure for an HA group operating in active/standby mode and in collaboration with VRRP. The upgrade procedure does not differ greatly between the operating modes or collaboration objects.
Restrictions and guidelines
The command output in the upgrade steps is for demonstration only. The command output might vary by device model or software version.
You must use the delay-time command to enable traffic switchover upon failure recovery if the HA group is operating in dual-active mode. If you fail to do so, the member devices will not switch traffic back automatically after software upgrade is finished.
In rare cases, the operating status of the HA group might be incorrect when the member devices are running different software versions during software upgrade. This issue is transient and does not affect service processing. To avoid this issue, shut down the uplink and downlink service interfaces of the member devices before software upgrade, and bring up those interfaces after software upgrade.
Network environment
Network diagram
As shown in Figure 1, Device A and Device B are in an HA group operating in active/standby mode, and Device A and Device B are the primary device and secondary device, respectively. Device A and Device B will be upgraded without changing their HA roles or running status.
Upgrade workflow
Prerequisites
Perform the following tasks before you upgrade the member devices in the HA group:
1. Verify that the HA group is operating correctly.
# Verify that the HA group configuration is effective on the member devices and they have set up an HA control channel.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.2
Remote IPv4: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
NOTE: Each HA group member device adds a prefix to the view prompt to identify its HA role. The primary device adds the RBM_P prefix, and the secondary device adds the RBM_S prefix.
# Verify that Device A is the VRRP master and Device B is the VRRP backup.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
GE1/0/1 1 Master 100 100 None 2.1.1.3
GE1/0/2 2 Master 100 100 None 10.1.1.3
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
GE1/0/1 1 Backup 100 100 None 2.1.1.3
GE1/0/2 2 Backup 100 100 None 10.1.1.3
2. Verify that the member devices have finished synchronizing configuration and service entries from Device A. If synchronization is still in progress, wait for it to finish.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Batch backup (Do not operate
the device at will, such as board insertion and removal.)
Session backup status: Batch backup in progress
3. Verify that the member devices have consistent configuration and service entries.
# Perform a one-off configuration consistency check on Device A and verify that the member devices have consistent configuration.
RBM_P[DeviceA] remote-backup group
RBM_P[DeviceA-remote-backup-group] configuration manual-sync-check
%Aug 25 15:22:06:050 2021 Device A RBM/6/RBM_CFG_COMPARE_START: -Context=1; Started configuration consistency check.
%Aug 25 15:22:06:589 2021 Device A RBM/6/RBM_CFG_COMPARE_FINISH: -Context=1; Finished configuration consistency check.
RBM_P[DeviceA-remote-backup-group] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent(2021-08-25 15:22:06)
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
# Verify that the devices have the same number of sessions, including the total number of sessions, number of TCP sessions, and number of UDP sessions.
[Device] display session statistics summary
Slot Sessions TCP UDP Rate TCP rate UDP rate
0 10 6 4 0/s 0/s 0/s
4. Save the running configuration to a configuration file on each member device.
[Device] save
Upgrading the secondary device
Upgrade the secondary device as instructed in the software upgrade guide for the device.
Verifying the upgrade result on the secondary device
1. Verify that the software has been upgraded to the target version.
RBM_S[DeviceB] display version
2. Verify that the HA group is united.
# Verify that the HA group configuration is effective on Device B and it has set up the HA control channel.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.2
Remote IPv4: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
# Verify that the VRRP role of Device B is still backup.
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
GE1/0/1 1 Backup 100 100 None 2.1.1.3
GE1/0/2 2 Backup 100 100 None 10.1.1.3
3. Verify that the member devices have finished synchronizing configuration and service entries from Device A. If synchronization is still in progress, wait for it to finish.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Batch backup (Do not operate
the device at will, such as board insertion and removal.)
Session backup status: Batch backup in progress
4. Verify that the member devices have consistent configuration and service entries.
# Perform a one-off configuration consistency check on Device A and verify that the member devices have consistent configuration.
RBM_P[DeviceA] remote-backup group
RBM_P[DeviceA-remote-backup-group] configuration manual-sync-check
%Aug 25 15:22:06:050 2021 Device A RBM/6/RBM_CFG_COMPARE_START: -Context=1; Started configuration consistency check.
%Aug 25 15:22:06:589 2021 Device A RBM/6/RBM_CFG_COMPARE_FINISH: -Context=1; Finished configuration consistency check.
RBM_P[DeviceA-remote-backup-group] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent(2021-08-25 15:27:06)
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
# Verify that the devices have the same number of sessions, including the total number of sessions, number of TCP sessions, and number of UDP sessions.
[Device] display session statistics summary
Slot Sessions TCP UDP Rate TCP rate UDP rate
0 10 6 4 0/s 0/s 0/s
5. Save the running configuration to a configuration file on each member device.
[Device] save
Upgrading the primary device
Upgrade the primary device as instructed in the software upgrade guide for the device.
Verifying the upgrade result on the primary device
1. Verify that the software has been upgraded to the target version.
RBM_P[DeviceA] display version
2. Verify that the role and running status of each member device are the same as those before software upgrade and the member devices have set up the HA control channel. As a best practice, perform this task after traffic is switched back to Device A. The following output shows that Device A is still in standby state as traffic has not been switched back to it.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.2
Remote IPv4: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
3. Verify that the member devices have finished synchronizing configuration and service entries from Device A. If synchronization is still in progress, wait for it to finish.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Batch backup (Do not operate
the device at will, such as board insertion and removal.)
Session backup status: Batch backup in progress
4. Verify that the member devices have consistent configuration and service entries.
# Perform a one-off configuration consistency check on Device A and verify that the member devices have consistent configuration.
RBM_P[DeviceA] remote-backup group
RBM_P[DeviceA-remote-backup-group] configuration manual-sync-check
%Aug 25 15:22:06:050 2021 Device A RBM/6/RBM_CFG_COMPARE_START: -Context=1; Started configuration consistency check.
%Aug 25 15:22:06:589 2021 Device A RBM/6/RBM_CFG_COMPARE_FINISH: -Context=1; Finished configuration consistency check.
RBM_P[DeviceA-remote-backup-group] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Local IPv6: 3005::1
Remote IPv6: 3005::2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent(2021-08-25 15:22:06)
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
# Verify that the devices have the same number of sessions, including the total number of sessions, number of TCP sessions, and number of UDP sessions.
[Device] display session statistics summary
Slot Sessions TCP UDP Rate TCP rate UDP rate
0 10 6 4 0/s 0/s 0/s
5. Verify that traffic has been switched back to Device A after the traffic switchover delay expires.
# Verify that the HA group configuration is effective on Device A and Device B and they have set up the HA control channel. Verify that the running status of Device A is active and Device B is in standby state.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.1
Remote IPv4: 1.1.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Local IPv4: 1.1.1.2
Remote IPv4: 1.1.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 24 hour
Configuration consistency check result: Consistent
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 1 min
# Verify that Device A is the VRRP master and Device B is the VRRP backup.
RBM_P[DeviceA] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Master
VRRP standby group status: Master
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
GE1/0/1 1 Master 100 100 None 2.1.1.3
GE1/0/2 2 Master 100 100 None 10.1.1.3
RBM_S[DeviceB] display vrrp
IPv4 Virtual Router Information:
Running mode : Standard
RBM control channel is established
VRRP active group status : Backup
VRRP standby group status: Backup
Total number of virtual routers : 2
Interface VRID State Running Adver Auth Virtual
Pri Timer Type IP
---------------------------------------------------------------------
GE1/0/1 1 Backup 100 100 None 2.1.1.3
GE1/0/2 2 Backup 100 100 None 10.1.1.3
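The status checks in the prerequisites and in both verification sections can be scripted against captured command output. The following Python sketch is an added example, not H3C code: it parses display remote-backup-group status and display session statistics summary text and lists reasons not to proceed. The function names are hypothetical, the matched strings are taken from this guide's demonstration output (which might vary by device model or software version), and PEER_SESSIONS is a constructed sample.

```python
# Added example: gate an HA upgrade step on the fields this guide checks.
# READY, SYNCING and SESSIONS are trimmed from the guide's sample output.
READY = """Remote backup group information:
  Device management role: Primary
  Device running status: Active
  Remote IPv4: 1.1.1.2 Destination port: 60064
  Control channel status: Connected
  Configuration consistency check result: Consistent(2021-08-25 15:22:06)
  Configuration backup status: Auto sync enabled
  Session backup status: Hot backup enabled"""
SYNCING = """Remote backup group information:
  Device management role: Primary
  Device running status: Active
  Control channel status: Connected
  Configuration consistency check result: Consistent
  Configuration backup status: Batch backup (Do not operate
  the device at will, such as board insertion and removal.)
  Session backup status: Batch backup in progress"""
SESSIONS = """Slot Sessions TCP UDP Rate TCP rate UDP rate
0 10 6 4 0/s 0/s 0/s"""
PEER_SESSIONS = """Slot Sessions TCP UDP Rate TCP rate UDP rate
0 10 6 3 0/s 0/s 0/s"""  # constructed: peer is missing one UDP session


def parse_status(text):
    """Return {field: value}; a line without 'key: value' continues the previous value."""
    fields, last = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        key, sep, value = line.partition(": ")
        if sep:
            fields[key], last = value, key
        elif last and line:  # wrapped output, e.g. the Batch backup warning
            fields[last] += " " + line
    return fields


def blockers(text, role, running):
    """List reasons not to proceed; an empty list means every check passed."""
    s, out = parse_status(text), []
    for field, want in (("Device management role", role),
                        ("Device running status", running),
                        ("Control channel status", "Connected")):
        if s.get(field) != want:
            out.append(f"{field}: want {want!r}, got {s.get(field)!r}")
    # The result can carry a timestamp suffix: Consistent(2021-08-25 15:22:06).
    result = s.get("Configuration consistency check result", "")
    if result.split("(")[0] != "Consistent":
        out.append(f"configuration not consistent: {result!r}")
    for field in ("Configuration backup status", "Session backup status"):
        if field not in s or s[field].startswith("Batch backup"):
            out.append(f"{field}: missing or synchronization still in progress")
    return out


def session_counts(text):
    """Sum (Sessions, TCP, UDP) over all slots of the session summary table."""
    rows = [l.split() for l in text.splitlines()[1:] if l.strip()]
    return tuple(sum(int(r[i]) for r in rows) for i in (1, 2, 3))


if __name__ == "__main__":
    print(blockers(READY, "Primary", "Active"))
    print(blockers(SYNCING, "Primary", "Active"))
    print(session_counts(SESSIONS) == session_counts(PEER_SESSIONS))
```

Pass the expected role and running status for the step being verified; for example, after the primary device is upgraded but before traffic is switched back, Device A is expected to be Primary and Standby.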