Contents

Configuring stateful failover 1

Overview·· 1

Introduction to stateful failover 1

Stateful failover states· 2

Configuration guidelines· 2

Configuring stateful failover 3

Stateful failover configuration example· 4

 

Configuring stateful failover

Support for this feature depends on the device model. For more information, see About the H3C Access Controllers Web-Based Configuration Guide.

Overview

Introduction to stateful failover

Some customers require their wireless networks to be highly reliable to ensure continuous data transmission. In Figure 1, deploying only one AC (even with high reliability) risks a single point of failure and therefore cannot meet the requirement.

Figure 1 Network with one AC deployed

 

The stateful failover feature (supporting portal, 802.1X, and DHCP services) was introduced to meet the requirement. In Figure 2, two ACs that are enabled with stateful failover are deployed in the network. You need to specify a VLAN on the two ACs as the backup VLAN, and add the interfaces between the ACs to the backup VLAN. The backup VLAN is like a failover link, through which the two ACs exchange state negotiation messages periodically. After the two ACs enter the synchronization state, they back up the service entries of each other to make sure the service entries on them are consistent. If one AC fails, the other AC, which has already backed up the service information, takes over to avoid service interruption.

Figure 2 Network diagram for stateful failover

 

Stateful failover states

Stateful failover includes the following states:

·     Silence—The device has just started, or is transiting from synchronization state to independence state.

·     Independence—The silence timer has expired, but no failover link is established.

·     Synchronization—The device has completed state negotiation with the other device and is ready for data backup.

The following figure shows state relations.

Figure 3 Stateful failover state diagram

 

Configuration guidelines

When you configure stateful failover, follow these guidelines:

·     You must configure the AC and AP to support backup function to make sure the traffic can automatically switch to the other device if one device fails. For more information, see "Advanced settings."

·     To back up portal or 802.1X related information from the active device to the standby device, you must configure portal or 802.1X to support stateful failover besides the configurations described in this chapter. For more information, see About the H3C Access Controllers Web-Based Configuration Guide.

·     Stateful failover can be implemented only between two devices rather than among more than two devices.

Configuring stateful failover

1.     From the navigation tree, select High reliability > Stateful Failover.

The stateful failover configuration page appears.

2.     View the current stateful failover state at the lower part of the page, as described in Table 2.

Figure 4 Stateful failover configuration page

 

3.     Configure stateful failover parameters at the upper part of the page, as described in Table 1.

4.     Click Apply.

Table 1 Configuration items

Item	Description
Enable Stateful Failover	Enable/disable the stateful failover feature.
Backup Type	Select whether to support asymmetric path: ·     Unsupport Asymmetric Path—Sessions enter and leave the internal network through one device. The two devices operate in the active/standby mode. ·     Support Asymmetric Path—Sessions enter and leave the internal network through different devices to achieve load sharing. The two devices operate in the active/active mode.
Backup VLAN	Set the backup VLAN. After a VLAN is configured as a backup VLAN, the interfaces in the VLAN are used to transmit stateful failover packets.  IMPORTANT: ·     A device uses VLAN tag+protocol number to identify stateful failover packets, and broadcasts stateful failover packets to the peer within the backup VLAN. Therefore, H3C recommends that you not configure other services (such as voice VLAN) for a backup VLAN to avoid impact on the operation of stateful failover. ·     An interface added to the backup VLAN can transmit other packets besides stateful failover packets.

 

Table 2 Field description

Field	Description
NAS Device ID	Configure the NAS Device ID used for AAA authentication. Configure the NAS Device IDs of the two devices to 1 and 2. If you modify the NAS Device ID, all online clients on the device are forced offline.

 

Stateful failover configuration example

Network requirements

In Figure 5, the IP address of VLAN-interface 1 on AC 1 is 8.190.1.60/16, and that on AC 2 is 8.190.1.61/16. The client and AP each obtain an IP address from the DHCP server at 8.190.0.13/16, and the ACs perform portal authentication through the IMC server. Configure stateful failover on AC 1 and AC 2 so that when one AC fails, the other AC can take over portal and other services.

Figure 5 Network diagram

 

Configuring AC 1

1.     Configure AC 1 to support link backup between AC and AP to make sure traffic can be switched to AC 2 when AC 1 fails:

a.     From the navigation tree, select Advanced > AC Backup.

The default Setup page appears.

b.     Select IPv4 and enter the IPv4 address of AC 2 (8.190.1.61) as the backup AC address, and select Enable from the Fast Backup Mode list.

c.     Click Apply.

Figure 6 Setup page

 

2.     Configure stateful failover:

a.     Select High reliability > Stateful Failover from the navigation tree.

b.     Select Enable Stateful Failover, select Unsupport Asymmetric Path from the Backup Type list, enter 2 for Backup VLAN, and select 1 for NAS Device ID.

c.     Click Apply.

Figure 7 Configuring stateful failover

 

3.     Configure RADIUS scheme system:

a.     Select Authentication > RADIUS from the navigation tree.

b.     Click Add.

The RADIUS scheme configuration page appears.

c.     Enter system for Scheme Name, select Extended for Server Type, and select Without domain name for Username Format.

d.     Click Add in the RADIUS Server Configuration field.

The Add RADIUS Server page appears.

e.     Select Primary Authentication for Server Type, specify an IPv4 address 8.1.1.16 and 1812 as the port number.

f.     Enter expert for Key and expert for Confirm Key.

g.     Click Apply.

Figure 8 Configuring a primary RADIUS authentication server

 

h.     Click Add in the RADIUS Server Configuration field.

The Add RADIUS Server page appears.

i.     Select Primary Accounting for Server Type, and specify an IPv4 address 8.1.1.16 and 1813 as the port number.

j.     Enter expert for Key and expert for Confirm Key.

k.     Click Apply.

Figure 9 Configuring a RADIUS accounting server

 

l.     After the configurations are complete, click Apply on the RADIUS scheme configuration page.

Figure 10 RADIUS scheme configuration page

 

4.     Configure AAA authentication scheme for ISP domain system:

a.     Select Authentication > AAA from the navigation tree.

b.     Click the Authentication tab.

c.     Select system from the Select an ISP domain list, select the Default AuthN box, select RADIUS from the list, and select system from the Name list.

d.     Click Apply.

A dialog box appears, showing the configuration progress.

e.     After the configuration is successfully applied, click Close.

Figure 11 Configuring AAA authentication scheme for the ISP domain

 

5.     Configure AAA authorization scheme for ISP domain system:

a.     Click the Authorization tab.

b.     Select system from the Select an ISP domain list, select the Default AuthZ box, select RADIUS from the list, and select system from the Name list.

c.     Click Apply.

A dialog box appears, showing the configuration progress.

d.     After the configuration is successfully applied, click Close.

Figure 12 Configuring AAA authorization scheme for the ISP domain

 

6.     Configure AAA accounting scheme for ISP domain system:

a.     Click the Accounting tab.

b.     Select system from the Select an ISP domain list, and select the Accounting Optional box.

c.     Select Enable from the list, and select the Default Accounting box.

d.     Select RADIUS from the list and system from the Name list.

e.     Click Apply.

A dialog box appears, showing the configuration progress.

f.     After the configuration is successfully applied, click Close.

Figure 13 Configuring AAA accounting scheme for the ISP domain

 

7.     Configure portal authentication:

a.     Select Authentication > Portal from the navigation tree.

The default Portal Server configuration page appears.

b.     Click Add.

c.     Select Vlan-interface1 from the Interface list, Add from the Portal Server list, and Direct from the Method list, and select system for Authentication Domain.

d.     Enter newpt for Server Name, 8.1.1.16 for IP, expert for Key, 50100 for Port, and http://8.1.1.16:8080/portal for URL.

e.     Click Apply.

Figure 14 Configuring a portal server

 

8.     Add a portal-free rule:

a.     Click the Free Rule tab.

b.     Click Add.

c.     Enter 0 for Number, and select Bridge-Aggregation1 as the source interface.

d.     Click Apply.

Figure 15 Adding a portal-free rule

 

9.     Configure portal to support stateful failover at the command line interface (CLI):

# Specify AC 1's device ID to be used in stateful failover mode as 1, and specify portal group 2 for interface VLAN-interface 1.

<AC1>system-view

[AC1]interface Vlan-interface 1

[AC1-Vlan-interface1]portal backup-group 2

# Configure the virtual IP address of VRRP group 1 as 8.190.1.100, and specify the priority of AC 1 as 200. AC 2 uses the default priority.

[AC1-Vlan-interface1]vrrp vrid 1 virtual-ip 8.190.1.100

[AC1-Vlan-interface1]vrrp vrid 1 priority 200

[AC1-Vlan-interface1]quit

# Configure the source IP address for RADIUS packets as 8.190.1.100.

[AC1]radius nas-ip 8.190.1.100

# Configure the source IP address for portal packets as 8.190.1.100 (same as the AC's IP address configured on the IMC server for portal authentication).

[AC1-Vlan-interface1]portal nas-ip 8.190.1.100

Configuring AC 2

Configure AC 2 in the same way you configure AC 1 except that:

·     When you configure AC backup, specify AC 1's IP address as the backup AC address.

·     Specify the NAS device ID to be used in stateful failover mode as 2.

For more information, see the configuration on AC 1.

The portal group configuration on the two stateful failover devices must be consistent.