04-Reliability Operation
Table of Contents
Chapter 1 Reliability Overview
1.1 Introduction to Reliability
2.2.1 Adding or Deleting a Virtual IP Address
2.2.2 Configuring Priority in a Standby Group
2.2.3 Configuring Preemption Mode and Preemption Delay
2.2.4 Configuring Authentication Mode and Authentication Key
2.2.5 Configuring the Adver_Interval of VRRP
2.2.6 Configuring Interface Tracking
2.2.7 Enabling/Disabling Virtual IP Address Pinging
2.2.8 Enabling/Disabling TTL Check for VRRP Packets
2.3 Displaying and Debugging VRRP
2.4 VRRP Configuration Examples
2.4.1 VRRP Single Standby Group Example 1
2.4.2 VRRP Single Standby Group Example 2
2.4.3 Multi-Standby Group Configuration Example
Chapter 1 Reliability Overview
1.1 Introduction to Reliability
During communication, any software or hardware error, network device or line fault may disrupt the connection, causing transmission failure. To avoid these situations, VRP provides virtual router redundancy protocol (VRRP) and hot backup technologies to ensure availability of a backup scheme when faults occur. This guarantees smooth communication and makes the network more robust and reliable.
VRRP improves reliability of connections to the outside networks and is well suited to multicast or broadcast LANs such as Ethernet. Multiple routers can form a standby group or a virtual router, acting as the only egress gateway for the local network. These routers, however, are transparent to the local network. In the standby group, one router is engaged in packet forwarding, a backup router is ready to replace the active router, and the other routers are listening. If the active router fails, the backup router takes over and the other routers elect a new backup router. This improves reliability, allowing the local hosts to continue their operation without any modification.
Chapter 2 VRRP Configurations
2.1 Introduction to VRRP
Virtual router redundancy protocol (VRRP) is a fault-tolerant protocol. Normally, you can configure a default route for the hosts on a network, for example, 10.100.10.1 in the following figure. All packets destined to the external network are sent over this default route to Router to gain access to the external networks. When Router fails, all the hosts using Router as the default next-hop router are isolated from the external network.
Figure 2-1 Network diagram for a LAN
VRRP was designed to address this problem on multicast and broadcast LANs, such as Ethernet.
The following figure illustrates how VRRP is implemented.
VRRP combines a group of routers on a LAN (including a master and multiple backup routers) into a virtual router called a standby group.
Figure 2-2 VRRP networking diagram
This virtual router has its own IP address: 10.100.10.1 (it can be the interface address on a router in the standby group). The routers in the standby group also have their own IP addresses: 10.100.10.2 for the master and 10.100.10.3 for a backup router for example.
The hosts on the LAN, however, only know the IP address of this virtual router (10.100.10.1) and, as such, use this IP address as the address of the default next-hop router when communicating with the external network.
When the master in the standby group fails, the backup routers in the standby group elect a new master to take over, allowing the hosts on the network to communicate with the external network without interruption.
For more information about VRRP, refer to RFC 2338.
2.2 Configuring VRRP
The basic VRRP configuration tasks are described in the following sections:
- Adding or Deleting a Virtual IP Address
- Configuring Priority in a Standby Group
- Configuring Preemption Mode and Preemption Delay
The advanced VRRP configuration tasks are described in the following sections:
- Configuring Authentication Mode and Authentication Key
- Configuring the Adver_Interval of VRRP
- Configuring Interface Tracking
- Enabling/Disabling Virtual IP Address Pinging
- Enabling/Disabling TTL Check for VRRP Packets
2.2.1 Adding or Deleting a Virtual IP Address
You may assign an IP address on this network segment to a virtual router or standby group or delete the specified or all virtual IP addresses from the virtual address list.
Perform the following configuration in interface view.
Table 2-1 Add/delete a virtual IP address
Operation | Command |
---|---|
Add a virtual IP address | vrrp vrid virtual-router-ID virtual-ip virtual-address |
Delete the specified or all virtual IP addresses | undo vrrp vrid virtual-router-ID virtual-ip virtual-address |
The standby group number virtual-router-ID is in the range 1 to 255. The virtual IP address can be an unassigned address on the network segment to which the standby group belongs, or the IP address of an interface in the standby group. In the latter case, the security gateway with that IP address is called the IP address owner.
The system creates a standby group the first time that you assign an IP address to it. When you assign virtual IP addresses to the group after that, the system only adds the addresses to the virtual IP address list of this standby group. You can assign an interface to 14 standby groups, while one standby group can accommodate up to 16 virtual IP addresses.
Note that before you can configure a standby group, you must create it by assigning an IP address to it. Deleting the last virtual IP address from the standby group also deletes the standby group. After that, all its configurations become invalid.
2.2.2 Configuring Priority in a Standby Group
In VRRP, the role that a security gateway plays in a standby group depends on its priority. The security gateway with the highest priority becomes the master.
The priority is in the range 0 to 255. A larger number indicates a higher priority. However, the configurable range is 1 to 254. The priority 0 is reserved for special use and 255 for the IP address owner.
Perform the following configuration in interface view.
Table 2-2 Configure the priority of the interface in the standby group
Operation | Command |
---|---|
Configure the priority of the interface in the standby group | vrrp vrid virtual-router-ID priority priority-value |
Restore the default value | undo vrrp vrid virtual-router-ID priority |
The priority is 100 by default.
Note:
The IP address owner has two priorities: configurable and operating. The configurable priority is the one assigned using the vrrp vrid command and the operating priority is always 255 and not configurable.
2.2.3 Configuring Preemption Mode and Preemption Delay
In non-preemption mode, once a security gateway in the standby group becomes the master and operates well, other security gateways cannot preempt it, even if they are assigned a higher priority later. A security gateway working in preemption mode, however, can preempt a lower priority master. Accordingly, the existing master becomes a backup.
When enabling preemption in a standby group, you can configure a delay by using the vrrp vrid command to have the backup wait for a while before preempting the existing master. This is to prevent frequent state transitions on an unstable network where the backup group security gateways cannot receive packets from the master regularly due to network congestion.
The delay ranges from 0 to 255 seconds.
Perform the following configuration in interface view.
Table 2-3 Configure the preemption mode and preemption delay for a standby group
Operation | Command |
---|---|
Enable preemption and configure preemption delay for a standby group | vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ] |
Disable preemption in the standby group | undo vrrp vrid virtual-router-ID preempt-mode |
The default mode is preemption without delay.
Note:
After you disable preemption, the preemption delay automatically becomes 0 seconds.
2.2.4 Configuring Authentication Mode and Authentication Key
VRRP provides two authentication modes: simple (simple text authentication) and MD5.
On a secure network, you can use the default where no authentication key is required. In this way, the security gateway will authenticate neither VRRP packets to be sent nor those received.
On a network where potential threats are present, you can set the authentication mode to simple, where the authentication key must not be greater than eight bytes. When the security gateway sends a VRRP packet, it fills the authentication key into the VRRP packet. When the security gateway receives a VRRP packet, it compares the authentication key in the packet with the one it retains. If they are the same, the packet is considered genuine and legitimate. Otherwise, the packet is considered illegitimate and is discarded.
On an unsafe network, you can set the authentication mode to MD5, where the authentication key must not be greater than eight bytes. This allows the security gateway to authenticate VRRP packets using the authentication method provided by authentication header (AH) and the MD5 algorithm. The length of the authentication key can be either less than eight characters or 24 characters. If you input in plain text, the length ranges from one to eight characters, such as 1234567; if you input in encrypted text, the length must be 24 characters, such as _(TT8F]Y\5SQ=^Q`MAF4<1!!.
The security gateway discards the packets that fail authentication and sends traps.
Perform the following configuration in interface view.
Table 2-4 Configure the authentication mode and authentication key
Operation | Command |
---|---|
Configure the authentication mode and authentication key | vrrp authentication-mode { md5 key \| simple key } |
Restore the default | undo vrrp authentication-mode |
By default, the security gateway does not authenticate VRRP packets.
Note:
For the standby groups on the same interface, you must set the same authentication mode and authentication key.
2.2.5 Configuring the Adver_Interval of VRRP
In a VRRP standby group, the master security gateway tells other security gateways that it is alive by sending VRRP packets regularly. If no VRRP packets are received after a specified period, the backup assumes the master has failed and changes its state to master. The VRRP packet sending interval and the state transition of the backup are controlled by two timers: Adver_Interval and Master_Down_Interval.
The Master_Down_Interval is about three times the Adver_Interval. Either heavy traffic or differing timer settings on the security gateways can cause the Master_Down_Interval to time out abnormally, causing a state transition. One solution to this problem is to set Adver_Interval (in seconds) to a greater value and/or configure a preemption delay.
Perform the following configuration in interface view.
Table 2-5 Configure the Adver_Interval of VRRP
Operation | Command |
---|---|
Configure the Adver_Interval of VRRP | vrrp vrid virtual-router-ID timer advertise adver-interval |
Restore the default | undo vrrp vrid virtual-router-ID timer advertise |
The adver-interval argument is in the range of 1 to 255 seconds and defaults to 1 second.
2.2.6 Configuring Interface Tracking
The interface tracking function expands the backup functionality of VRRP. It provides backup not only when the interface to which a standby group is assigned fails but also when other interfaces on the security gateway become unavailable. This is achieved by tracking interfaces. When a monitored interface goes down, the priority of the security gateway owning this interface automatically decreases by the value specified by priority-reduced, allowing a higher priority security gateway in the standby group to take over as the master.
Perform the following configuration in interface view.
Table 2-6 Configure interface tracking
Operation | Command |
---|---|
Configure the interface to be tracked | vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ] |
Disable tracking of the specified interface | undo vrrp vrid virtual-router-ID track [ interface-type interface-number ] |
The priority-reduced argument defaults to 10.
Note:
You cannot configure interface tracking on the security gateway that is an IP address owner.
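The interaction of priority, preemption and interface tracking described in sections 2.2.2 to 2.2.6 can be modelled as follows. This is an added example, not code from the original guide or from the device software. The gateway names, addresses and interface name are taken from the configuration examples in this guide; the tracking reduction of 30 is a constructed sample value. The tie-break on the higher IP address, the owner always preempting and the Skew_Time term come from RFC 2338; the floor of 1 for a reduced priority is an assumption.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Gateway:
    name: str
    ip: str
    priority: int = 100      # default priority stated in section 2.2.2
    preempt: bool = True     # default mode: preemption without delay
    owner: bool = False      # IP address owner: operating priority is always 255
    tracked: dict = field(default_factory=dict)     # interface name -> priority-reduced
    down_ifaces: set = field(default_factory=set)   # tracked interfaces currently down
    alive: bool = True

    def operating_priority(self) -> int:
        if self.owner:
            return 255
        cut = sum(v for k, v in self.tracked.items() if k in self.down_ifaces)
        # Assumption: never drop below 1, the lowest configurable priority.
        return max(self.priority - cut, 1)


def master_down_interval(adver_interval: int, priority: int) -> float:
    """RFC 2338: 3 * Adver_Interval + Skew_Time, Skew_Time = (256 - priority) / 256."""
    return 3 * adver_interval + (256 - priority) / 256


def _rank(g: Gateway):
    # Higher operating priority wins; on a tie the higher IP address wins (RFC 2338).
    return (g.operating_priority(), int(ipaddress.IPv4Address(g.ip)))


def elect(group, current=None):
    """Return the master after the group settles, given the current master (if any)."""
    alive = [g for g in group if g.alive]
    if not alive:
        return None
    if current is None or not current.alive:
        return max(alive, key=_rank)        # master is down: plain election
    # A live master is replaced only by a strictly higher-priority gateway that is
    # in preemption mode (the IP address owner always preempts, per RFC 2338).
    challengers = [
        g for g in alive
        if g is not current
        and (g.preempt or g.owner)
        and g.operating_priority() > current.operating_priority()
    ]
    return max(challengers, key=_rank) if challengers else current


if __name__ == "__main__":
    a = Gateway("Secblade A", "30.0.0.1", priority=120,
                tracked={"GigabitEthernet0/0.2": 30})   # constructed reduction value
    b = Gateway("Secblade B", "30.0.0.2")
    group = [a, b]
    print("initial master:", elect(group).name)
    a.down_ifaces.add("GigabitEthernet0/0.2")
    print("after tracked interface fails:", elect(group, a).name)
    print("Secblade B Master_Down_Interval:", master_down_interval(1, b.priority), "s")
```
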
2.2.7 Enabling/Disabling Virtual IP Address Pinging
This configuration enables users to ping the virtual IP addresses of standby groups. According to VRRP, users cannot ping the virtual IP addresses of standby groups, so they cannot use the ping command to determine whether an IP address is assigned to a standby group. If a host on the network happens to use the same IP address as a standby group, all packets in this network will be forwarded to that host, so that the data in this network segment cannot be forwarded properly.
However, you can use the following configuration to enable users to ping the virtual IP addresses of standby groups.
Perform the following configuration in system view.
Table 2-7 Enable/disable virtual IP address pinging
Operation | Command |
---|---|
Enable virtual IP address pinging | vrrp ping-enable |
Disable virtual IP address pinging | undo vrrp ping-enable |
By default, virtual IP address pinging is disabled.
Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command and its undo form.
2.2.8 Enabling/Disabling TTL Check for VRRP Packets
This configuration disables the backup switch from checking TTL values for VRRP packets. According to VRRP, the TTL value of VRRP packets must be 255. If detecting that the TTL value of a packet is not 255, the backup switch will drop the packet.
You can use the following configuration to disable TTL check for VRRP packets.
Perform the following configuration in VLAN interface view.
Table 2-8 Enable/Disable TTL check for VRRP packets
Operation | Command |
---|---|
Disable TTL check for VRRP packets | vrrp un-check ttl |
Restore TTL check for VRRP packets | undo vrrp un-check ttl |
By default, the backup switch checks the TTL value for VRRP packets.
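The receive-side checks described in sections 2.2.4, 2.2.5 and 2.2.8 (TTL of 255, matching authentication mode and key, matching Adver_Interval) can be seen together in the following validator for a VRRP version 2 advertisement. This is an added example, not code from the original guide or from the device software; the packet layout and checksum follow RFC 2338, and the function names, verdict strings and sample values are assumptions made for illustration. A packet forwarded by any router arrives with a TTL below 255, so the TTL check rejects advertisements that did not originate on the local segment.

```python
import hmac
import ipaddress
import struct
from dataclasses import dataclass

AUTH_NONE, AUTH_SIMPLE, AUTH_MD5_AH = 0, 1, 2   # RFC 2338 Auth Type values


@dataclass
class LocalGroup:
    """Receiver-side settings for one standby group (sample values are constructed)."""
    vrid: int
    auth_type: int = AUTH_NONE
    key: bytes = b""
    adver_interval: int = 1
    check_ttl: bool = True    # False models "vrrp un-check ttl"


def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, vips, auth_type=AUTH_NONE, key=b"", adver_interval=1):
    """Build a VRRPv2 advertisement payload; used only to construct test input."""
    head = bytes([0x21, vrid, priority, len(vips), auth_type, adver_interval])
    tail = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    tail += key.ljust(8, b"\x00")[:8]           # 8-byte Authentication Data field
    csum = inet_checksum(head + b"\x00\x00" + tail)
    return head + struct.pack("!H", csum) + tail


def validate(ttl: int, payload: bytes, group: LocalGroup) -> str:
    """Return "accept" or "drop: <reason>" for one received advertisement."""
    if group.check_ttl and ttl != 255:
        return "drop: ttl"
    if len(payload) < 16:
        return "drop: truncated"
    ver_type, vrid, _priority, count, auth_type, adver = payload[:6]
    if ver_type != 0x21:                        # version 2, type 1 (ADVERTISEMENT)
        return "drop: version/type"
    if len(payload) != 8 + 4 * count + 8:
        return "drop: length"
    if inet_checksum(payload) != 0:             # a valid message sums to zero
        return "drop: checksum"
    if vrid != group.vrid:
        return "drop: vrid"
    if auth_type != group.auth_type:
        return "drop: auth-type"
    if auth_type == AUTH_SIMPLE:
        expected = group.key.ljust(8, b"\x00")
        if not hmac.compare_digest(payload[-8:], expected):
            return "drop: auth-key"
    # For AUTH_MD5_AH the digest is verified by the IP Authentication Header
    # layer before the VRRP payload is seen, so nothing more is checked here.
    if adver != group.adver_interval:
        return "drop: adver-interval"
    return "accept"


if __name__ == "__main__":
    grp = LocalGroup(vrid=1, auth_type=AUTH_SIMPLE, key=b"1234567")
    pkt = build_advert(1, 120, ["30.0.0.100"], AUTH_SIMPLE, b"1234567")
    print(validate(255, pkt, grp))    # on-link advertisement
    print(validate(254, pkt, grp))    # same bytes after crossing one router
```
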
2.3 Displaying and Debugging VRRP
After completing the above configurations, you may execute the display command in any view to view the operating state of VRRP and to verify the effect of the configurations.
Execute the debugging command in user view.
Table 2-9 Display and debug VRRP
Operation | Command |
---|---|
Display state information about VRRP | display vrrp [ interface type number [ virtual-router-ID ] ] |
Enable VRRP packet debugging | debugging vrrp packet |
Disable VRRP packet debugging | undo debugging vrrp packet |
Enable VRRP state debugging | debugging vrrp state |
Disable VRRP state debugging | undo debugging vrrp state |
You may enable/disable VRRP packet debugging and VRRP state debugging to check VRRP debugging state.
By default, the debugging for VRRP is disabled.
2.4 VRRP Configuration Examples
2.4.1 VRRP Single Standby Group Example 1
I. Network requirements
As shown in Figure 2-3, insert two SecBlade cards into a switch. The two SecBlade cards run VRRP and a virtual IP address is provided for the switch to implement redundant backup. Normally, the data stream to the Internet passes through Secblade A. When Secblade A fails, all data streams to the Internet pass through Secblade B.
II. Network diagram
Figure 2-3 VRRP network diagram
III. Configuration procedure
1) PC A
IP address: 10.0.0.1/24.
Gateway address: 10.0.0.254.
2) PC B
IP address: 20.0.0.1/24.
Gateway address: 20.0.0.254.
3) Switch
# Divide VLANs.
<Switch> system-view
[Switch] vlan 10
[Switch-vlan10] quit
[Switch] vlan 20
[Switch-vlan20] quit
[Switch] vlan 30
[Switch-vlan30] quit
[Switch] vlan 50
[Switch-vlan50] quit
# Configure the IP addresses.
[Switch] interface vlan-interface 10
[Switch-Vlan-interface10] ip address 10.0.0.254 24
[Switch-Vlan-interface10] quit
[Switch] interface vlan-interface 20
[Switch-Vlan-interface20] ip address 20.0.0.254 24
[Switch-Vlan-interface20] quit
[Switch] interface vlan-interface 30
[Switch-Vlan-interface30] ip address 30.0.0.254 24
[Switch-Vlan-interface30] quit
# Configure the static route. The next hop is the virtual IP address of the VRRP standby group.
[Switch] ip route-static 0.0.0.0 0 30.0.0.100
# Configure aggregation of interfaces on the Secblade A card (the SecBlade card resides in slot 1).
[Switch] secblade aggregation slot 1
# Create module test1 for Secblade A.
[Switch] secblade module test1
# Specify the SecBlade interface VLAN.
[Switch-secblade-test1] secblade-interface vlan-interface 30
# Set the protected VLAN.
[Switch-secblade-test1] security-vlan 50
# Map module test1 for Secblade A to the SecBlade card of slot 1.
[Switch-secblade-test1] map to slot 1
[Switch-secblade-test1] quit
# Configure aggregation of interfaces on the Secblade B card (the SecBlade card resides in slot 2).
[Switch] secblade aggregation slot 2
# Create module test2 for Secblade B.
[Switch] secblade module test2
# Specify the Secblade B interface VLAN.
[Switch-secblade-test2] secblade-interface vlan-interface 30
# Set the protected VLAN.
[Switch-secblade-test2] security-vlan 50
# Map the Secblade B module to the SecBlade card of slot 2.
[Switch-secblade-test2] map to slot 2
[Switch-secblade-test2] quit
[Switch] quit
4) Secblade A
# Log in to the Secblade A card of slot 1.
<Switch> secblade slot 1 (Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<Secblade A> system-view
# Create the sub-interface.
[Secblade A] interface GigabitEthernet0/0.1
[Secblade A-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[Secblade A-GigabitEthernet0/0.1] ip address 30.0.0.1 24
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[Secblade A-GigabitEthernet0/0.1] quit
[Secblade A] interface GigabitEthernet0/0.2
[Secblade A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[Secblade A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[Secblade A-GigabitEthernet0/0.2] quit
# Quit SecBlade configuration view.
[Secblade A] quit
<Secblade A> quit
<Switch>
5) Secblade B
# Log in to the Secblade B card of slot 2.
<Switch> secblade slot 2 (Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<Secblade B> system-view
# Create the sub-interface.
[Secblade B] interface GigabitEthernet0/0.1
[Secblade B-GigabitEthernet0/0.1] vlan-type dot1q vid 30
[Secblade B-GigabitEthernet0/0.1] ip address 30.0.0.2 24
[Secblade B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 30.0.0.100
[Secblade B-GigabitEthernet0/0.1] quit
[Secblade B] interface GigabitEthernet0/0.2
[Secblade B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[Secblade B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[Secblade B-GigabitEthernet0/0.2] quit
# Quit SecBlade configuration view.
[Secblade B] quit
<Secblade B> quit
<Switch>
2.4.2 VRRP Single Standby Group Example 2
I. Network requirements
The VRRP standby group consisting of Secblade A and Secblade B serves as the default gateway of hosts in VLAN 10. Hosts in VLAN10 access the Internet through their gateway.
About the VRRP standby group: the standby group number is 1; the virtual IP address is 10.0.0.254; Secblade A functions as the Master, while Secblade B as the Backup. Preemption is enabled.
II. Network diagram
Figure 2-4 Network diagram for VRRP configuration
III. Configuration procedure
1) PC A
IP address: 10.0.0.50/24.
Gateway address: 10.0.0.254 (the virtual IP address of the standby group)
2) PC B
IP address: 10.0.0.60/24.
Gateway address: 10.0.0.254 (the virtual IP address of the standby group)
3) Switch A (Secblade A)
# Divide VLANs.
<Switch A> system-view
[Switch A] vlan 10
[Switch A-vlan10] quit
[Switch A] vlan 50
[Switch A-vlan50] quit
# Configure aggregation of SecBlade interfaces (the SecBlade interface resides in slot 2).
[Switch A] secblade aggregation slot 2
# Create SecBlade module test.
[Switch A] secblade module test
# Set the protected VLAN.
[Switch A-secblade-test] security-vlan 10 50
# Map the SecBlade module to the SecBlade card of the specified slot.
[Switch A-secblade-test] map to slot 2
[Switch A-secblade-test] quit
[Switch A] quit
# Log in to the SecBlade card of the specified slot.
<Switch A> secblade slot 2 (Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<Secblade A> system-view
# Create the sub-interface.
[Secblade A] interface g0/0.1
[Secblade A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[Secblade A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[Secblade A-GigabitEthernet0/0.1] quit
[Secblade A] interface g0/0.2
[Secblade A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[Secblade A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[Secblade A-GigabitEthernet0/0.2] quit
# Quit SecBlade configuration view.
[Secblade A] quit
<Secblade A> quit
<Switch A>
4) Switch B (Secblade B)
# Divide VLANs.
<Switch B> system-view
[Switch B] vlan 10
[Switch B-vlan10] quit
[Switch B] vlan 50
[Switch B-vlan50] quit
# Configure aggregation of two GigabitEthernet interfaces of the SecBlade (SecBlade slot number is 2).
[Switch B] secblade aggregation slot 2
# Create SecBlade module test.
[Switch B] secblade module test
# Set the protected VLAN.
[Switch B-secblade-test] security-vlan 10 50
# Map the SecBlade module to the SecBlade card of the specified slot.
[Switch B-secblade-test] map to slot 2
[Switch B-secblade-test] quit
[Switch B] quit
# Log in to the SecBlade card of the specified slot.
<Switch B> secblade slot 2 (Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<Secblade B> system-view
# Create the sub-interface.
[Secblade B] interface g0/0.1
[Secblade B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[Secblade B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[Secblade B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.254
[Secblade B-GigabitEthernet0/0.1] quit
[Secblade B] interface g0/0.2
[Secblade B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[Secblade B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[Secblade B-GigabitEthernet0/0.2] quit
# Quit SecBlade configuration view.
[Secblade B] quit
<Secblade B> quit
<Switch B>
In normal cases, Secblade A performs the gateway function unless it is switched off or malfunctioning, in which case Secblade B takes over. Preemption mode is configured on Secblade A so that it resumes its gateway function as the Master when it recovers.
2.4.3 Multi-Standby Group Configuration Example
I. Network requirements
A multi-standby group configuration can implement load sharing. Secblade A serves as the Master of standby group 1 and at the same time as a backup of standby group 2, while Secblade B does the opposite, serving as the Master of standby group 2 and a backup of standby group 1. PC A takes standby group 1 as its gateway, and PC B takes standby group 2 as its gateway. In this way, both data stream balancing and mutual standby are achieved.
II. Network diagram
Figure 2-5 Network diagram for VRRP configuration
III. Configuration procedure
1) PC A
IP address: 10.0.0.50/24.
Gateway address: 10.0.0.253 (the virtual IP address of standby group 1)
2) PC B
IP address: 10.0.0.60/24.
Gateway address: 10.0.0.254 (the virtual IP address of standby group 2)
3) Switch A (Secblade A)
# Divide VLANs.
<Switch A> system-view
[Switch A] vlan 10
[Switch A-vlan10] quit
[Switch A] vlan 50
[Switch A-vlan50] quit
# Configure aggregation of two GigabitEthernet interfaces of the SecBlade (SecBlade slot number is 2).
[Switch A] secblade aggregation slot 2
# Create SecBlade module test.
[Switch A] secblade module test
# Set the protected VLAN.
[Switch A-secblade-test] security-vlan 10 50
# Map the SecBlade module to the SecBlade card of the specified slot.
[Switch A-secblade-test] map to slot 2
[Switch A-secblade-test] quit
[Switch A] quit
# Log in to the SecBlade card of the specified slot.
<Switch A> secblade slot 2 (Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<Secblade A> system-view
# Create the sub-interface.
[Secblade A] interface g0/0.1
[Secblade A-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[Secblade A-GigabitEthernet0/0.1] ip address 10.0.0.1 24
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
[Secblade A-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[Secblade A-GigabitEthernet0/0.1] quit
[Secblade A] interface g0/0.2
[Secblade A-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[Secblade A-GigabitEthernet0/0.2] ip address 50.0.0.1 24
[Secblade A-GigabitEthernet0/0.2] quit
# Quit SecBlade configuration view.
[Secblade A] quit
<Secblade A> quit
<Switch A>
4) Switch B (Secblade B)
# Divide VLANs.
<Switch B> system-view
[Switch B] vlan 10
[Switch B-vlan10] quit
[Switch B] vlan 50
[Switch B-vlan50] quit
# Configure aggregation of two GigabitEthernet interfaces of the SecBlade (SecBlade slot number is 2).
[Switch B] secblade aggregation slot 2
# Create SecBlade module test.
[Switch B] secblade module test
# Set the protected VLAN.
[Switch B-secblade-test] security-vlan 10 50
# Map the SecBlade module to the SecBlade card of the specified slot.
[Switch B-secblade-test] map to slot 2
[Switch B-secblade-test] quit
[Switch B] quit
# Log in to the SecBlade card of the specified slot.
<Switch B> secblade slot 2 (Both the default user name and password are SecBlade)
user: SecBlade
password: SecBlade
<Secblade B> system-view
# Create the sub-interface.
[Secblade B] interface g0/0.1
[Secblade B-GigabitEthernet0/0.1] vlan-type dot1q vid 10
[Secblade B-GigabitEthernet0/0.1] ip address 10.0.0.2 24
[Secblade B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253
[Secblade B-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254
[Secblade B-GigabitEthernet0/0.1] vrrp vrid 2 priority 120
[Secblade B-GigabitEthernet0/0.1] vrrp vrid 2 preempt-mode
[Secblade B-GigabitEthernet0/0.1] quit
[Secblade B] interface g0/0.2
[Secblade B-GigabitEthernet0/0.2] vlan-type dot1q vid 50
[Secblade B-GigabitEthernet0/0.2] ip address 50.0.0.2 24
[Secblade B-GigabitEthernet0/0.2] quit
# Quit SecBlade configuration view.
[Secblade B] quit
<Secblade B> quit
2.5 VRRP Troubleshooting
The configuration of VRRP is simple. You can locate most problems by checking the output of the display command and the debugging command. The following are some troubleshooting cases.
Symptom 1:
The console screen displays error prompts frequently.
Solution:
Check whether the received VRRP packets are correct.
The security gateway may receive an incorrect VRRP packet for two reasons: its configuration is inconsistent with that on another security gateway in the standby group, or a device is attempting to send illegitimate VRRP packets. In the first case, modify the configuration. In the second case, you must resort to non-technical measures.
Symptom 2:
Multiple master security gateways are present in the same standby group.
Solution:
If the presence of multiple masters lasts only a short period, this is normal and requires no manual intervention. If it lasts long, you must check whether these masters can receive VRRP packets and whether the received packets are legitimate.
Do the following:
Have these masters ping each other.
If they can be pinged, check whether their configurations are consistent, making sure that the same number of virtual IP addresses, the same virtual IP addresses, the same timer setting and the same authentication mode are configured for the same VRRP standby group.
If they cannot be pinged, check for other reasons.
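The consistency check described for Symptom 2 can be automated by comparing the VRRP command lines of two gateways. This is an added example, not part of the original guide: it parses only the command forms documented in section 2.2, the sample lines are constructed from the multi-standby group example with mismatches introduced on purpose, and the function names and finding strings are assumptions.

```python
import re

PROMPT = re.compile(r"^\[[^\]]*\]\s*")   # strips a leading "[Secblade A-...]" prompt
RULES = [
    ("vip",   re.compile(r"vrrp vrid (\d+) virtual-ip (\S+)")),
    ("timer", re.compile(r"vrrp vrid (\d+) timer advertise (\d+)")),
    ("auth",  re.compile(r"vrrp authentication-mode (md5|simple) (\S+)")),
]


def parse(lines):
    """Collect per-group virtual IPs and timers, plus the interface auth setting."""
    cfg = {"groups": {}, "auth": ("none", "")}      # documented default: no auth
    for raw in lines:
        cmd = PROMPT.sub("", raw.strip())
        for kind, rx in RULES:
            m = rx.fullmatch(cmd)
            if not m:
                continue
            if kind == "auth":
                cfg["auth"] = (m[1], m[2])
                continue
            # Adver_Interval defaults to 1 second (section 2.2.5).
            grp = cfg["groups"].setdefault(int(m[1]), {"vips": set(), "timer": 1})
            if kind == "vip":
                grp["vips"].add(m[2])
            else:
                grp["timer"] = int(m[2])
    return cfg


def audit(name_a, cfg_a, name_b, cfg_b):
    """Return a list of findings; keys are compared but never printed."""
    findings = []
    ga, gb = cfg_a["groups"], cfg_b["groups"]
    for vrid in sorted(set(ga) | set(gb)):
        if vrid not in ga or vrid not in gb:
            missing = name_a if vrid not in ga else name_b
            findings.append(f"vrid {vrid}: not configured on {missing}")
            continue
        va, vb = sorted(ga[vrid]["vips"]), sorted(gb[vrid]["vips"])
        if va != vb:
            findings.append(f"vrid {vrid}: virtual IP lists differ: {va} vs {vb}")
        ta, tb = ga[vrid]["timer"], gb[vrid]["timer"]
        if ta != tb:
            findings.append(f"vrid {vrid}: Adver_Interval {ta}s vs {tb}s")
    (mode_a, key_a), (mode_b, key_b) = cfg_a["auth"], cfg_b["auth"]
    if mode_a != mode_b:
        findings.append(f"authentication mode: {mode_a} vs {mode_b}")
    elif key_a != key_b:
        findings.append("authentication key differs")
    elif mode_a == "none":
        findings.append("no VRRP authentication on either gateway")
    return findings


# Constructed sample input (timer, key and the 10.0.0.252 typo are made up).
SECBLADE_A = [
    "[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253",
    "[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 priority 120",
    "[Secblade A-GigabitEthernet0/0.1] vrrp vrid 1 timer advertise 3",
    "[Secblade A-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.254",
    "[Secblade A-GigabitEthernet0/0.1] vrrp authentication-mode simple 1234567",
]
SECBLADE_B = [
    "[Secblade B-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.0.0.253",
    "[Secblade B-GigabitEthernet0/0.1] vrrp vrid 2 virtual-ip 10.0.0.252",
    "[Secblade B-GigabitEthernet0/0.1] vrrp vrid 2 priority 120",
]

if __name__ == "__main__":
    for item in audit("Secblade A", parse(SECBLADE_A), "Secblade B", parse(SECBLADE_B)):
        print(item)
```
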
Symptom 3:
Frequent VRRP state transition is present.
Solution:
Set the Adver_Interval of the standby group to a larger value or configure a preemption delay.