08-High Availability Configuration Guide

02-VRRP Configuration

Configuring VRRP 

The term "router" in this document refers to both routers and routing-capable H3C access controllers.

Support for this feature depends on the device model. For more information, see About the H3C Access Controllers Configuration Guides.

The interfaces that VRRP involves can be only VLAN interfaces.

VRRP overview

As shown in Figure 1, you can typically configure a default route with the gateway as the next hop for every host on a LAN. All packets destined to other network segments are sent over the default route to the gateway, which then forwards the packets. However, when the gateway fails, all the hosts that use the gateway as the default next-hop router fail to communicate with external networks.

Figure 1 LAN networking

 

Configuring a default route for network hosts facilitates your configuration, but also requires high performance stability of the device that acts as the gateway. Using more egress gateways is a common way to improve system reliability, but introduces the problem of routing among the egresses.

Virtual Router Redundancy Protocol (VRRP) is designed to address this problem. VRRP adds a group of routers that can act as network gateways to a VRRP group, which forms a virtual router. Routers in the VRRP group elect a master through the VRRP election mechanism to act as a gateway, and hosts on a LAN only need to configure the virtual router as their default network gateway.

VRRP is an error-tolerant protocol, which improves network reliability and simplifies configuration on hosts. On a multicast and broadcast LAN such as Ethernet, VRRP provides highly reliable default links without configuration changes (such as route discovery protocols) when a router fails, and prevents network interruption due to a single link failure.

VRRP operates in either of the following modes:

·     Standard mode—Includes IETF VRRPv2 for IPv4. For more information, see "VRRP standard mode."

·     Load balancing mode—Extends the standard mode and realizes load balancing. For more information, see "VRRP load balancing mode."

VRRP standard mode

VRRP group

VRRP combines a group of routers (including a master and multiple backups) on a LAN into a virtual router called a VRRP group.

A VRRP group has the following features:

·     A virtual router has a virtual IP address. A host on the LAN only needs to know the IP address of the virtual router and uses the IP address as the next hop of the default route.

·     Every host on the LAN communicates with external networks through the virtual router.

·     Routers in the VRRP group elect a master that acts as the gateway according to their priorities. The other routers function as the backups. When the master fails, to make sure that the hosts in the network segment can communicate without interruption with the external networks, the backups in the VRRP group elect a new gateway to take the responsibility for the failed master.

Figure 2 Network diagram

 

As shown in Figure 2, Router A, Router B, and Router C form a virtual router, which has its own IP address. Hosts on the Ethernet use the virtual router as the default gateway.

The router with the highest priority among the three routers is elected as the master to act as the gateway, and the other two are backups.

The IP address of the virtual router can be either an unused IP address on the segment where the VRRP group resides or the IP address of an interface on a router in the VRRP group. In the latter case, the router is called the IP address owner.

Only one IP address owner can be configured for a VRRP group.

Statuses of a router in a VRRP group include master, backup, and initialize.

1.     VRRP priority

VRRP determines the role (master or backup) of each router in a VRRP group by priority. A router with a higher priority is more likely to become the master.

VRRP priority is in the range of 0 to 255, and the greater the number, the higher the priority. Priorities 1 to 254 are configurable. Priority 0 is reserved for special uses and priority 255 is for the IP address owner. The router acting as the IP address owner in a VRRP group always has the running priority 255 and acts as the master as long as it works properly.

2.     Working mode

A router in a VRRP group operates in either of the following modes:

¡     Non-preemptive mode—When a router in the VRRP group becomes the master, it stays as the master as long as it operates normally, even if a backup is assigned a higher priority later.

¡     Preemptive mode—When a backup finds its priority higher than that of the master, the backup sends VRRP advertisements to start a new master election in the VRRP group and becomes the master. Accordingly, the original master becomes a backup.

3.     Authentication mode

To avoid attacks from unauthorized users, VRRP member routers add authentication keys in VRRP packets to authenticate one another. VRRP provides the following authentication modes:

¡     simple—Simple text authentication:

The sender fills an authentication key into the VRRP packet, and the receiver compares the received authentication key with its local authentication key. If the two authentication keys are the same, the received VRRP packet is legitimate. Otherwise, the received packet is illegitimate.

¡     md5—MD5 authentication:

The sender computes a digest for the packet to be sent by using the authentication key and MD5 algorithm and saves the result in the authentication header. The receiver performs the same operation by using the authentication key and MD5 algorithm, and compares the result with the content in the authentication header. If the results are the same, the received VRRP packet is legitimate. Otherwise, the received packet is illegitimate.

On a secure network, you can choose to not authenticate VRRP packets.

VRRP timers

VRRP provides the following timers:

1.     VRRP advertisement interval

The master in a VRRP group periodically sends VRRP advertisements to inform the other routers in the VRRP group that it operates properly.

You can adjust the interval for sending VRRP advertisements by setting the VRRP advertisement interval. If a backup receives no advertisements in a period three times the interval, the backup regards itself as the master and sends VRRP advertisements to start a new master election.

2.     VRRP preemption delay timer

To avoid frequent state changes among members in a VRRP group and provide the backups enough time to collect information (such as routing information), each backup waits for a period of time called the preemption delay time. The backup waits this period of time after it receives an advertisement with the priority lower than the local priority, then it sends VRRP advertisements to start a new master election in the VRRP group and becomes the master.

Packet format

The master periodically multicasts VRRP packets to declare its presence. VRRP packets are also used for checking the parameters of the virtual router and electing the master.

VRRP packets are encapsulated in IP packets, with the protocol number being 112. Figure 3 shows the VRRPv2 packet format.

Figure 3 VRRPv2 packet format

 

A VRRP packet comprises the following fields:

·     Version—Version number of the protocol, 2 for VRRPv2.

·     Type—Type of the VRRP packet. It must be VRRP advertisement, represented by 1.

·     Virtual Rtr ID (VRID)—ID of the virtual router, in the range of 1 to 255.

·     Priority—Priority of the router in the VRRP group, in the range of 0 to 255. A greater value represents a higher priority.

·     Count IP Addrs—Number of virtual IP addresses for the VRRP group. A VRRP group can have multiple virtual IP addresses.

·     Auth Type—Authentication type. 0 means no authentication, 1 means simple text authentication, and 2 means MD5 authentication.

·     Adver Int—Interval for sending advertisement packets, in seconds. The default is 1 second.

·     Checksum—16-bit checksum for validating the data in VRRP packets.

·     IP Address—Virtual IP address entry of the VRRP group. The Count IP Addrs field defines the number of virtual IP addresses.

·     Authentication Data—Authentication key. This field is used only for simple authentication and is 0 for any other authentication mode.
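The field layout above can be decoded and checked against a group's intended settings. The following Python sketch is an added example, not H3C code: it parses a VRRPv2 advertisement, verifies the checksum, and reports the auth type and key a packet carries. The `expected` dictionary, the function names, and the sample packet are constructed for illustration.

```python
import ipaddress
import struct

AUTH_TYPES = {0: "none", 1: "simple", 2: "md5"}  # Auth Type values listed above


def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over a VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advert(vrid, priority, vips, auth_type=0, key=b"", adver_int=1):
    """Build a constructed VRRPv2 advertisement (sample input only)."""
    head = struct.pack("!BBBBBBH", (2 << 4) | 1, vrid, priority,
                       len(vips), auth_type, adver_int, 0)
    addrs = b"".join(ipaddress.IPv4Address(v).packed for v in vips)
    msg = head + addrs + key.ljust(8, b"\x00")[:8]
    # The checksum is computed with the checksum field set to zero.
    return msg[:6] + struct.pack("!H", inet_checksum(msg)) + msg[8:]


def parse_advert(payload: bytes) -> dict:
    """Decode the payload of an IP protocol 112 packet into the fields above."""
    if len(payload) < 8:
        raise ValueError("shorter than the fixed VRRPv2 header")
    ver_type, vrid, prio, count, auth, adver, _csum = struct.unpack(
        "!BBBBBBH", payload[:8])
    end = 8 + 4 * count + 8          # header + IP addresses + auth data
    if len(payload) < end:
        raise ValueError("truncated: Count IP Addrs exceeds payload length")
    addrs = [str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i]))
             for i in range(count)]
    return {
        "version": ver_type >> 4,
        "type": ver_type & 0x0F,
        "vrid": vrid,
        "priority": prio,
        "auth_type": AUTH_TYPES.get(auth, f"unknown({auth})"),
        "adver_int": adver,
        "virtual_ips": addrs,
        "auth_data": payload[end - 8:end].rstrip(b"\x00"),
        # Summing the message including its checksum field must give zero.
        "checksum_ok": inet_checksum(payload[:end]) == 0,
    }


def audit_advert(payload: bytes, src_ip: str, expected: dict):
    """Compare one advertisement with the intended group settings.

    `expected` is a hypothetical dict with the keys vrid, auth_type,
    virtual_ips and members (the real interface IPs of the group members).
    """
    f = parse_advert(payload)
    findings = []
    if (f["version"], f["type"]) != (2, 1):
        findings.append("not a VRRPv2 advertisement")
    if not f["checksum_ok"]:
        findings.append("checksum mismatch")
    if f["vrid"] != expected["vrid"]:
        findings.append("VRID differs from the configured group")
    if f["auth_type"] != expected["auth_type"]:
        findings.append("auth mode differs from the group setting")
    if f["auth_type"] == "none":
        findings.append("advertisement is unauthenticated")
    elif f["auth_type"] == "simple":
        findings.append("simple auth: key is readable in the packet")
    if sorted(f["virtual_ips"]) != sorted(expected["virtual_ips"]):
        findings.append("virtual IP list differs from the group setting")
    if src_ip not in expected["members"]:
        findings.append("sender is not a configured member")
    if f["priority"] == 255 and src_ip not in f["virtual_ips"]:
        findings.append("priority 255 from a sender that is not the IP address owner")
    return f, findings


if __name__ == "__main__":
    # Constructed sample: group 1, simple auth, sent by an unknown address.
    pkt = build_advert(1, 110, ["10.1.1.1"], auth_type=1, key=b"demo-key")
    group = {"vrid": 1, "auth_type": "md5", "virtual_ips": ["10.1.1.1"],
             "members": {"10.1.1.2", "10.1.1.3"}}
    fields, issues = audit_advert(pkt, "10.1.1.9", group)
    print(fields)
    for issue in issues:
        print("-", issue)
```

With simple authentication the key comes back verbatim in `auth_data`, which is why the audit reports it separately from a mode mismatch.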

VRRP principles

·     Routers in a VRRP group determine their roles by priority. The router with the highest priority is the master, and the others are the backups. The master periodically sends VRRP advertisements to notify the backups that it is working properly, and each of the backups starts a timer to wait for advertisements from the master.

·     In preemptive mode, when a backup receives a VRRP advertisement, it compares the priority in the packet with its own priority. If the priority of the backup is higher, the backup becomes the master. Otherwise, it remains as a backup. In preemptive mode, a VRRP group always has the router with the highest priority as the master for forwarding packets.

·     In non-preemptive mode, a backup with higher priority than the master does not preempt the master if the master is correctly working. The non-preemptive mode avoids frequent switchover between the master and backups.

·     If the timer of a backup expires, but the backup still does not receive any VRRP advertisement, it considers that the master failed. In this case, the backup considers itself as the master and sends VRRP advertisements to start a new master election.

·     When multiple routers in a VRRP group declare that they are the master because of inconsistent configuration or network problems, the one with the highest priority becomes the master. If two routers have the same priority, the one with the highest IP address becomes the master.

·     When a backup router receives an advertisement, it compares its priority with the advertised priority. If its priority is higher, it takes over the master.

VRRP tracking

To enable VRRP tracking, configure the routers in the VRRP group to operate in preemptive mode, so that the router with the highest priority always operates as the master for forwarding packets.

1.     Tracking a specified interface

The interface tracking function expands the backup functionality of VRRP. It provides backup not only when the interface to which a VRRP group is assigned fails, but also when other interfaces (such as uplink interfaces) on the router become unavailable.

If the uplink interface of a router in a VRRP group fails, usually the VRRP group cannot be aware of the uplink interface failure. If the router is the master of the VRRP group, hosts on the LAN are not able to access external networks because of the uplink failure. This problem can be solved by tracking a specified uplink interface. If the tracked uplink interface is down or removed, the priority of the master is automatically decreased by a specified value and a higher priority router in the VRRP group becomes the master.

2.     Tracking a track entry

By monitoring a track entry, you can do the following:

¡     Monitor an uplink and change the priority of the router according to the uplink state.

If the uplink fails, hosts in the LAN cannot access external networks through the router. The state of the monitored track entry is negative and the priority of the router decreases by a specified value. Then, a higher priority router in the VRRP group becomes the master to maintain the proper communication between the hosts in the LAN and external networks.

¡     Monitor the master on a backup.

When the master fails, the backup immediately takes over to maintain normal communication.

For more information about track entries, see "Configuring Track."

VRRP application

1.     Master/backup

In master/backup mode, only the master forwards packets. When the master fails, a new master is elected from the backups. This mode requires only one VRRP group, in which each router holds a different priority and the one with the highest priority becomes the master.

Figure 4 VRRP in master/backup mode

 

Assume that Router A is acting as the master to forward packets to external networks, and Router B and Router C are backups in listening state. When Router A fails, Router B and Router C elect a new master to forward packets for hosts on the LAN.

2.     Load sharing

More than one VRRP group can be created on an interface of a router to allow the router to be the master of one VRRP group but a backup of another at the same time.

In load sharing mode, multiple routers provide services simultaneously. This mode requires two or more VRRP groups, each of which comprises a master and one or more backups. The masters of the VRRP groups are assumed by different routers.

Figure 5 VRRP in load sharing mode

 

A router can be in multiple VRRP groups and hold a different priority in a different group.

As shown in Figure 5, the following VRRP groups are present:

¡     VRRP group 1—Router A is the master. Router B and Router C are the backups.

¡     VRRP group 2—Router B is the master. Router A and Router C are the backups.

¡     VRRP group 3—Router C is the master. Router A and Router B are the backups.

For load sharing among Router A, Router B, and Router C, hosts on the LAN need to be configured to use VRRP group 1, 2, and 3 as the default gateways, respectively. When configuring VRRP priorities, assign each router a priority in each VRRP group such that it takes the expected role in that group.

VRRP load balancing mode

In a standard-mode VRRP group, only the master can forward packets. The backups are in listening state. You can create multiple VRRP groups to share load, but you must assign different gateways to the hosts on the LAN.

Load balancing mode simplifies configuration and improves forwarding efficiency. In load balancing mode, a VRRP group maps its virtual IP address to multiple virtual MAC addresses; one virtual MAC address for each group member. The master uses these virtual MAC addresses of the member routers to respond to IPv4 ARP requests from hosts. Therefore, every router in this VRRP group can forward traffic, and traffic from hosts is distributed across the VRRP group members.

VRRP load balancing mode uses the same master election, preemption, and tracking mechanisms as the standard mode, and adds new mechanisms as described in the following sections.

Assigning virtual MAC addresses

In a load balanced VRRP group, the master assigns virtual MAC addresses to the member routers and answers the ARP requests from different hosts. The backup routers do not answer the ARP requests from the hosts.

A load-balanced VRRP group works as follows:

1.     The master assigns virtual MAC addresses to all members, including itself. This example assumes that the virtual IP address of the VRRP group is 10.1.1.1/24, Router A is the master, and Router B is the backup. Router A assigns 000f-e2ff-0011 to itself and 000f-e2ff-0012 to Router B.

Figure 6 Virtual MAC address assignment

 

2.     When an ARP request arrives, the master (Router A) selects a virtual MAC address based on the load balancing algorithm to answer the ARP request. In this example, Router A returns the virtual MAC address of itself in response to the ARP request from Host A. It returns the virtual MAC address of Router B in response to the ARP request from Host B (see Figure 7).

Figure 7 Answering ARP requests

 

3.     Each host sends packets to the returned MAC address. As shown in Figure 8, Host A sends packets to Router A and Host B sends packets to Router B.

Figure 8 Sending packets to different routers for forwarding

 

Virtual forwarder

1.     Creating a virtual forwarder

Virtual MAC addresses enable traffic distribution across the routers in a VRRP group. To enable the routers in the VRRP group to forward the packets, be sure to create virtual forwarders (VFs) on the routers. Each VF associates with a virtual MAC address in the VRRP group and forwards packets sent to this virtual MAC address.

VFs are created on the routers in a VRRP group, as follows:

a.     The master assigns virtual MAC addresses to all routers in the VRRP group. Each member router creates a VF for this MAC address and becomes the owner of this VF.

b.     Each router advertises its VF information to the other member routers.

c.     After receiving the VF advertisement, each of the other routers creates the advertised VF.

Eventually, every member router maintains one VF for each virtual MAC address in the VRRP group.

2.     VF weight and priority

The weight of a VF indicates the forwarding capability of a router. A higher weight means higher forwarding capability. When the weight is lower than the lower limit of failure, the router cannot forward packets.

The priority of a VF determines the VF state. Among the VFs created on different member routers for the same virtual MAC address, the VF with the highest priority, known as the active virtual forwarder (AVF), is in the active state to forward packets. All other VFs listen to the state of the AVF and are known as the listening virtual forwarders (LVFs). VF priority ranges from 0 to 255, where 255 is reserved for the VF owner. When the weight of a VF owner is higher than or equal to the lower limit of failure, the priority of the VF owner is 255.

The priority of a VF is calculated based on its weight:

¡     On the router that owns the VF, if the weight of the VF is higher than or equal to the lower limit of failure, the priority of the VF is 255.

¡     On a router that does not own the VF, if the weight of the VF is higher than or equal to the lower limit of failure, the priority of the VF is weight/(number of local AVFs +1).

¡     If the weight of the VF is lower than the lower limit of failure, the priority of the VF is 0.

3.     VF backup

The VFs corresponding to a virtual MAC address on different routers in the VRRP group back up each other.

Figure 9 VF information

 

Figure 9 shows the VF table on each router in the VRRP group and how the routers back up one another. The master, Router A, assigns virtual MAC addresses 000f-e2ff-0011, 000f-e2ff-0012, and 000f-e2ff-0013 to itself, Router B, and Router C, and each router creates VF 1, VF 2, and VF 3 for the virtual MAC addresses, respectively. The VFs for the same virtual MAC address on different routers back up one another. For example, the VF 1 instances on Router A, Router B, and Router C back up one another.

¡     The VF 1 instance on Router A (the VF 1 owner) has priority 255 and acts as the AVF to forward the packets sent to virtual MAC address 000f-e2ff-0011.

¡     The VF 1 instances on Router B and Router C have priority 255/(1 + 1) or 127. Because their priorities are lower than the priority of the VF 1 instance on Router A, they act as LVFs to listen to the state of the VF 1 instance on Router A.

¡     When the VF 1 instance on Router A fails, the VF 1 instances on Router B and Router C elect the one with higher priority as the new AVF to forward the packets destined for the virtual MAC address 000f-e2ff-0011.

A VF always operates in preemptive mode. When an LVF finds its priority value higher than the one advertised by the AVF, the LVF declares itself as the AVF.

4.     VF timers

When the AVF on a router fails, the newly elected AVF on another router creates a redirect timer and a timeout timer for the failed AVF.

¡     Redirect Timer—Before this timer times out, the master still uses the virtual MAC address corresponding to the failed AVF to respond to ARP/ND requests from the hosts. The VF owner can share traffic load if the VF owner resumes normal operation within this time. When this timer times out, the master stops using the virtual MAC address corresponding to the failed AVF to respond to ARP/ND requests from the hosts.

¡     Timeout Timer—Duration that the new AVF takes over the VF owner. Before this timer times out, all the routers in the VRRP group keep the failed AVF, and the new AVF forwards the packets destined for the virtual MAC address corresponding to the failed AVF. When this timer times out, all the routers in the VRRP group remove the failed AVF. The new AVF stops forwarding the packets destined for the virtual MAC address corresponding to the failed AVF.

5.     VF tracking

The AVF forwards packets destined to the MAC address of the AVF. If the uplink of the AVF fails and no LVF is notified to take over the AVF role, hosts on the LAN that use the MAC address of the AVF as their gateway MAC address cannot access the external network.

This problem can be solved by the VF tracking function. You can monitor the uplink state by using NQA, and establish the collaboration between the VF and the NQA through the tracking function. When the uplink fails, the state of the monitored track entry changes to negative and the weight of the VF decreases by a specific value. Then, the VF with a higher priority becomes the AVF and forwards packets.

The VF tracking function can also work on an LVF to monitor its corresponding AVF on another router. When the AVF fails, the LVF immediately takes over the AVF to ensure uninterrupted network communications.

Packet types

VRRP standard mode defines only VRRP advertisement. Only the master in a VRRP group periodically sends VRRP advertisements; the backups do not send VRRP advertisements.

VRRP load balancing mode defines the following types of packets:

·     Advertisement—VRRP advertises VRRP group state and information about the VF that is in the active state. Both the master and the backups periodically send VRRP advertisements.

·     Request—If a backup is not the VF owner, it sends a request to ask the master to assign a virtual MAC address.

·     Reply—When receiving a request, the master sends a reply to the backup router to assign a virtual MAC address. After receiving the reply, the backup router creates a VF for the virtual MAC address and becomes the owner of this VF.

·     Release—When a VF owner fails, the router that takes over its responsibility sends a release after a specified period of time to notify the other routers in the VRRP group to delete the VF of the failed VF owner.

The format of these packets is similar to that of the advertisement in VRRP standard mode except that a packet used in load balancing mode is appended with an option field, which contains information for load balancing.

Configuring VRRP

VRRP configuration task list

To form a VRRP group, perform the following configurations on each device in the VRRP group.

Complete these tasks to configure VRRP:

 

·     Specifying a VRRP operating mode (optional)

·     Specifying the type of MAC addresses mapped to virtual IP addresses (optional; this configuration does not apply to VRRP load balancing mode)

·     Creating a VRRP group and assigning a virtual IP address (required)

·     Configuring router priority, preemptive mode and tracking function (optional)

·     Configuring VF tracking (optional; the VF tracking function applies to only the VRRP load balancing mode)

·     Configuring VRRP packet attributes (optional)

·     Enabling the trap function for VRRP (optional)

 

Specifying a VRRP operating mode

A VRRP group operates in one of the following modes:

·     Standard mode—Only the master can forward packets.

·     Load balancing mode—All members that have an AVF can forward packets.

After the VRRP working mode is specified on a router, all VRRP groups on the router operate in the specified working mode.

To configure the VRRP working mode:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Configure the VRRP working mode.
       Command (standard mode): undo vrrp mode
       Command (load balancing mode): vrrp mode load-balance
       Remarks: Use either command. By default, VRRP operates in standard mode.

 

Specifying the type of MAC addresses mapped to virtual IP addresses 

You can configure VRRP in standard mode to map real or virtual MAC addresses to the virtual IP addresses of VRRP groups, so the master in a VRRP group uses the specified type of MAC address as the source MAC address for sending packets and answering ARP requests.

·     Virtual MAC to virtual IP mapping—By default, a virtual MAC address is automatically assigned when a VRRP group is created and the virtual IP address of the VRRP group is mapped to the virtual MAC address. In this mapping approach, the hosts do not need to update the gateway IP and MAC mapping entry when the master changes.

·     Real MAC address of an interface—If a VRRP group has an IP address owner, configure real MAC to virtual IP mapping to avoid the problem of one IP address mapped to two MAC addresses (the real and the virtual). In this approach, the virtual IP address of the VRRP group is mapped to the real MAC address of the IP address owner, and all packets from hosts are forwarded to the IP address owner.

If VRRP groups with the same ID are created on multiple interfaces, and the VRRP advertisements of these VRRP groups are to be sent across a QinQ network, H3C recommends that you use real MAC to virtual IP mapping to guarantee successful transmission of the VRRP advertisements.

When VRRP operates in load balancing mode, the address mapping setting does not take effect, and virtual IP addresses are always mapped to virtual MAC addresses.

To specify the type of MAC addresses mapped to virtual IP addresses:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Specify the type of MAC addresses mapped to virtual IP addresses.
       Command: vrrp method { real-mac | virtual-mac }
       Remarks: Optional. Virtual MAC address by default.

 

Creating a VRRP group and assigning a virtual IP address

Configuration guidelines

·     You can configure multiple virtual IP addresses for the VRRP group on an interface that connects to multiple subnets for router backup on different subnets.

·     The VRRP group is automatically created when you specify the first virtual IP address. If you later specify another virtual IP address for the VRRP group, the virtual IP address is added to the virtual IP address list of the VRRP group.

·     The virtual IP address assigned to the VRRP group must be a legal host address and in the same subnet as the interface IP address. If not, the state of the VRRP group is always initialize and VRRP does not take effect. For example, although you can successfully configure a network address or broadcast address as the virtual IP address of a VRRP group, the group cannot work.

·     When VRRP operates in standard mode, the virtual IP address of a VRRP group can be either an unused IP address on the subnet where the VRRP group resides or the IP address of an interface on a router in the VRRP group. In the latter case, the router is called the IP address owner.

·     In load balancing mode, the virtual IP address of a VRRP group cannot be the same as the IP address of any interface in the VRRP group.

·     A VRRP group is removed after you remove all its virtual IP addresses, and then all of its configurations become invalid.

·     Removal of the VRRP group on the IP address owner causes IP address collision. To avoid the collision, change the IP address of the interface on the IP address owner before you remove the VRRP group from the interface.

·     The virtual IP address of a VRRP group cannot be 0.0.0.0, 255.255.255.255, loopback addresses, non-class A/B/C addresses, or other illegal IP addresses such as 0.0.0.1.

·     Do not create VRRP groups in the VLAN interface of a super VLAN. Otherwise, network performance might be affected.

Configuration prerequisites

Before creating a VRRP group and configuring a virtual IP address on an interface, configure an IP address for the interface and make sure that it is in the same subnet as the virtual IP address.

Configuration procedure

To create a VRRP group and configure a virtual IP address:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter the specified interface view.
       Command: interface interface-type interface-number
       Remarks: N/A

3.     Create a VRRP group and configure a virtual IP address for the VRRP group.
       Command: vrrp vrid virtual-router-id virtual-ip virtual-address
       Remarks: VRRP group is not created by default.

 

 

NOTE:

The maximum number of VRRP groups on an interface depends on the device model. For more information, see About the H3C Access Controllers Configuration Guides. The maximum number of virtual IP addresses in a VRRP group is 16.

 

Configuring router priority, preemptive mode and tracking function

Configuration guidelines

·     The running priority of an IP address owner is always 255 and you do not need to configure it. An IP address owner always operates in preemptive mode.

·     If you configure an interface to be tracked or a track entry to be monitored on a router that is the IP address owner in a VRRP group, the configuration does not take effect. If the router is not the IP address owner in the VRRP group later, the configuration takes effect.

·     If the state of a tracked interface changes from down or removed to up, the priority of the router where the interface resides is automatically restored.

·     If the state of a track entry changes from negative or invalid to positive, the priority of the router where the track entry is configured is automatically restored.

Configuration prerequisites

Before you configure router priority, preemptive mode, and tracking function, create a VRRP group on an interface and configure a virtual IP address for it.

Configuration procedure

By configuring router priority, preemptive mode, interface tracking, or a track entry, you can determine which router in the VRRP group serves as the master.

To configure router priority, preemptive mode, and the tracking function:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter interface view.
       Command: interface interface-type interface-number
       Remarks: N/A

3.     Configure router priority in the VRRP group.
       Command: vrrp vrid virtual-router-id priority priority-value
       Remarks: Optional. The default is 100.

4.     Configure the router in the VRRP group to operate in preemptive mode and configure preemption delay.
       Command: vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ]
       Remarks: Optional. The router in the VRRP group operates in preemptive mode and the preemption delay is 0 seconds by default.

5.     Configure the interface to be tracked.
       Command: vrrp vrid virtual-router-id track interface interface-type interface-number [ reduced priority-reduced ]
       Remarks: Optional. By default, no interface is being tracked.

6.     Configure VRRP to track a specified track entry.
       Command: vrrp vrid virtual-router-id track track-entry-number [ reduced priority-reduced | switchover ]
       Remarks: Optional. By default, VRRP is not configured to track a specified track entry.

 

Configuring VF tracking

Configuration prerequisites

Before you configure the VF tracking function, create a VRRP group and configure a virtual IP address for it.

Configuration procedure

VRRP operates in load balancing mode. Assume that you have configured the VF tracking function to monitor the track entry and specified the value by which the weight decreases. When the status of the track entry becomes negative, the weight values of all VFs on the router decrease by the specified value. When the status of the track entry becomes positive or invalid, the weight values of all VFs on the router restore their original values.

If you configure the VF tracking function on an LVF to monitor its corresponding AVF on a specified router, the LVF can take over the AVF immediately when the status of the track entry becomes negative, to ensure uninterrupted network communications.

You can configure the VF tracking function when VRRP operates in either standard mode or load balancing mode. However, the VF tracking function is effective only when VRRP operates in load balancing mode.

By default, the weight of a VF is 255, and its lower limit of failure is 10.

If the weight of a VF owner is higher than or equal to the lower limit of failure, the priority of the VF owner is always 255 and does not change with the weight value. Therefore, in case of an uplink failure, another VF takes over the VF owner's work and becomes the AVF only when the weight of the VF owner decreases by a properly specified value and becomes lower than the lower limit of failure. In other words, the weight of the VF owner decreases by more than 245.

To configure VF tracking:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter the specified interface view.
       Command: interface interface-type interface-number
       Remarks: N/A

3.     Configure VF tracking.
       Command:
       ·     Configure the VF tracking function to monitor a specified track entry and specify the value by which the weight decreases:
             vrrp vrid virtual-router-id weight track track-entry-number [ reduced weight-reduced ]
       ·     Configure the VF tracking function to monitor an AVF on a specified router:
             vrrp vrid virtual-router-id track track-entry-number forwarder-switchover member-ip ip-address
       Remarks: Use either approach. The VF tracking function is not configured by default.

 

Configuring VRRP packet attributes

Configuration prerequisites

Before you configure the relevant attributes of VRRP packets, create a VRRP group and configure a virtual IP address for it.

Configuration guidelines

·     You can configure different authentication modes and authentication keys for the VRRP groups on an interface. However, the members of the same VRRP group must use the same authentication mode and authentication key.

·     Excessive traffic might cause a backup to trigger a change of its status because the backup does not receive any VRRP advertisements for a specified period of time. To solve this problem, increase the time interval to send VRRP advertisements.

·     Configuring different intervals for sending VRRP advertisements on the routers in a VRRP group might cause a backup to trigger a change of its status. This is because the backup does not receive any VRRP advertisements for a specified period of time. To solve this problem, configure the same interval for sending VRRP advertisements on each router in the VRRP group.

Configuration procedure

To configure VRRP packet attributes:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enter the specified interface view.
       Command: interface interface-type interface-number
       Remarks: N/A

3.     Configure the authentication mode and authentication key when the VRRP groups send and receive VRRP packets.
       Command: vrrp vrid virtual-router-id authentication-mode { md5 | simple } [ cipher ] key
       Remarks: Optional. Authentication is not performed by default.

4.     Configure the time interval for the master in the VRRP group to send VRRP advertisements.
       Command: vrrp vrid virtual-router-id timer advertise adver-interval
       Remarks: Optional. 1 second by default.

5.     Disable TTL check on VRRP packets.
       Command: vrrp un-check ttl
       Remarks: Optional. By default, TTL check on VRRP packets is enabled. You do not need to create a VRRP group before executing this command.
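The packet attributes above can be audited offline from saved CLI sessions. The following Python sketch is an added example, not H3C code: the function names, finding codes, and the two constructed sessions are assumptions, and only the command keywords come from this guide. It flags groups left unauthenticated or on plain-text authentication, interfaces with the TTL check disabled, and members of one group that disagree on authentication, advertisement interval, or virtual IP.

```python
import re
from collections import defaultdict

# Constructed input in the style of this guide's CLI sessions. AC2 is
# deliberately left inconsistent with AC1 so that the checks fire.
CONFIGS = {
    "AC1": """
[AC1] interface vlan-interface 2
[AC1-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[AC1-Vlan-interface2] vrrp vrid 1 priority 110
[AC1-Vlan-interface2] vrrp vrid 1 authentication-mode simple hello
[AC1-Vlan-interface2] vrrp vrid 1 timer advertise 4
[AC1-Vlan-interface2] quit
""",
    "AC2": """
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111
[AC2-Vlan-interface2] vrrp un-check ttl
[AC2-Vlan-interface2] quit
""",
}

PROMPT = re.compile(r"^\s*[\[<][^\]>]*[\]>]\s*")  # "[AC1-Vlan-interface2] " or "<AC1> "


def parse_device(text):
    """Return ({(interface, vrid): settings}, {interfaces with TTL check off})."""
    groups, ttl_off, iface = {}, set(), None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw).split()
        if not words or words[0].startswith("#"):
            continue
        if words[0] == "interface":
            iface = "".join(words[1:]).lower()
        elif words[0] == "quit":
            iface = None
        elif words[:3] == ["vrrp", "un-check", "ttl"]:
            ttl_off.add(iface)
        elif words[:2] == ["vrrp", "vrid"] and len(words) >= 5:
            # Defaults stated in this guide: no authentication, 1-second interval.
            g = groups.setdefault((iface, int(words[2])),
                                  {"auth": ("none", None), "adver": 1, "vips": set()})
            keyword, args = words[3], words[4:]
            if keyword == "virtual-ip":
                g["vips"].add(args[0])
            elif keyword == "authentication-mode":
                g["auth"] = (args[0], args[-1])  # (mode, key as typed)
            elif keyword == "timer" and args[0] == "advertise" and len(args) > 1:
                g["adver"] = int(args[1])
    return groups, ttl_off


def audit(configs):
    """Return a set of (device, interface, vrid, finding) tuples."""
    findings, members = set(), defaultdict(dict)
    for dev, text in configs.items():
        groups, ttl_off = parse_device(text)
        for iface in ttl_off:
            # A TTL below 255 means the packet crossed a router. With the check
            # off, such packets are no longer rejected on that basis.
            findings.add((dev, iface, None, "TTL_CHECK_DISABLED"))
        for (iface, vrid), g in groups.items():
            members[(iface, vrid)][dev] = g
            mode = g["auth"][0]
            if mode == "none":
                findings.add((dev, iface, vrid, "NO_AUTHENTICATION"))
            elif mode == "simple":
                # Plain-text mode: the key is readable in any captured advertisement.
                findings.add((dev, iface, vrid, "PLAINTEXT_AUTHENTICATION"))
    # Members of one group must agree on mode, key, interval and virtual IPs.
    checks = (("auth", "AUTH_MISMATCH"), ("adver", "ADVER_INTERVAL_MISMATCH"),
              ("vips", "VIRTUAL_IP_MISMATCH"))
    for (iface, vrid), devs in members.items():
        for field, code in checks:
            seen = {frozenset(g[field]) if field == "vips" else g[field]
                    for g in devs.values()}
            if len(devs) > 1 and len(seen) > 1:
                findings.add(("*", iface, vrid, code))
    return findings


if __name__ == "__main__":
    for finding in sorted(audit(CONFIGS), key=str):
        print(finding)
```

Keys are compared exactly as typed, so sessions that show a key in ciphertext form on one device and plain text on another will report a mismatch that needs manual review.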

 

Enabling the trap function for VRRP

When the trap function is enabled for VRRP, VRRP generates traps with severity level errors to report its key events. The traps are sent to the information center of the device, where you can configure whether to output the trap information and the output destination. For information about configuring the information center, see Network Management and Monitoring Configuration Guide.

To enable the trap function for VRRP:

 

1.     Enter system view.
       Command: system-view
       Remarks: N/A

2.     Enable the trap function for VRRP.
       Command: snmp-agent trap enable vrrp [ authfailure | newmaster ]
       Remarks: Optional. By default, the trap function for VRRP is enabled. For more information about the command, see the snmp-agent trap enable command in Network Management and Monitoring Command Reference.

 

Displaying and maintaining VRRP

Display VRRP group status.
       Command: display vrrp [ verbose ] [ interface interface-type interface-number [ vrid virtual-router-id ] ] [ | { begin | exclude | include } regular-expression ]
       Remarks: Available in any view.

Display VRRP group statistics.
       Command: display vrrp statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ] [ | { begin | exclude | include } regular-expression ]
       Remarks: Available in any view.

Clear VRRP group statistics.
       Command: reset vrrp statistics [ interface interface-type interface-number [ vrid virtual-router-id ] ]
       Remarks: Available in user view.

 

VRRP configuration examples

Single VRRP group configuration example

Network requirements

·     The client will access the host on the Internet by using 202.38.160.111/24 as its default gateway.

·     AC 1 and AC 2 form a VRRP group and use the virtual IP address 202.38.160.111/24.

·     When AC 1 operates properly, AC 1 forwards packets from the host. If AC 1 fails, AC 2 takes over to forward packets.

Figure 10 Network diagram

 

Configuration procedure

1.     Perform basic configurations according to the topology requirements. (Details not shown.)

2.     Configure AC 1:

# Enable port security.

<AC1> system-view

[AC1] port-security enable

# Configure VLAN 2.

[AC1] vlan 2

[AC1-vlan2] quit

[AC1] interface WLAN-ESS 1

[AC1-WLAN-ESS1] port link-type hybrid

[AC1-WLAN-ESS1] undo port hybrid vlan 1

[AC1-WLAN-ESS1] port hybrid vlan 2 untagged

[AC1-WLAN-ESS1] port hybrid pvid vlan 2

[AC1-WLAN-ESS1] port-security port-mode psk

[AC1-WLAN-ESS1] port-security preshared-key pass-phrase 12345678

[AC1-WLAN-ESS1] port-security tx-key-type 11key

[AC1-WLAN-ESS1] quit

[AC1] interface vlan-interface 2

[AC1-Vlan-interface2] ip address 202.38.160.1 255.255.255.0

[AC1-Vlan-interface2] quit

# Configure service template 1 with the crypto type, and bind interface WLAN-ESS 1 to the service template.

[AC1] wlan service-template 1 crypto

[AC1-wlan-st-1] ssid psktest

[AC1-wlan-st-1] bind WLAN-ESS 1

[AC1-wlan-st-1] security-ie rsn

[AC1-wlan-st-1] cipher-suite ccmp

[AC1-wlan-st-1] authentication-method open-system

[AC1-wlan-st-1] service-template enable

[AC1-wlan-st-1] quit

# Create an AP template with name ap1 and model WA3628i-AGN, and configure its serial ID as 210235A29G007C000020.

[AC1] wlan ap ap1 model WA3628i-AGN

[AC1-wlan-ap-ap1] serial-id 210235A29G007C000020

# Map service template 1 to radio 1 of AP 1.

[AC1-wlan-ap-ap1] radio 1 type dot11an

[AC1-wlan-ap-ap1-radio-1] service-template 1

[AC1-wlan-ap-ap1-radio-1] radio enable

[AC1-wlan-ap-ap1-radio-1] quit

[AC1-wlan-ap-ap1] quit

# Create VRRP group 1 on VLAN-interface 2 and set its virtual IP address to 202.38.160.111.

[AC1] interface vlan-interface 2

[AC1-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Assign AC 1 a higher priority than AC 2 in VRRP group 1, so that AC 1 can become the master.

[AC1-Vlan-interface2] vrrp vrid 1 priority 110

# Configure AC 1 to operate in preemptive mode so that it can become the master whenever it works normally, and configure the preemption delay as 5 seconds to avoid frequent status switchover.

[AC1-Vlan-interface2] vrrp vrid 1 preempt-mode timer delay 5

3.     Configure AC 2:

# Enable port security.

<AC2> system-view

[AC2] port-security enable

# Configure VLAN 2.

[AC2] vlan 2

[AC2-vlan2] quit

[AC2] interface WLAN-ESS 1

[AC2-WLAN-ESS1] port link-type hybrid

[AC2-WLAN-ESS1] undo port hybrid vlan 1

[AC2-WLAN-ESS1] port hybrid vlan 2 untagged

[AC2-WLAN-ESS1] port hybrid pvid vlan 2

[AC2-WLAN-ESS1] port-security port-mode psk

[AC2-WLAN-ESS1] port-security preshared-key pass-phrase 12345678

[AC2-WLAN-ESS1] port-security tx-key-type 11key

[AC2-WLAN-ESS1] quit

[AC2] interface vlan-interface 2

[AC2-Vlan-interface2] ip address 202.38.160.2 255.255.255.0

[AC2-Vlan-interface2] quit

# Configure service template 1 with the crypto type, and bind interface WLAN-ESS 1 to the service template.

[AC2] wlan service-template 1 crypto

[AC2-wlan-st-1] ssid psktest

[AC2-wlan-st-1] bind WLAN-ESS 1

[AC2-wlan-st-1] security-ie rsn

[AC2-wlan-st-1] cipher-suite ccmp

[AC2-wlan-st-1] authentication-method open-system

[AC2-wlan-st-1] service-template enable

[AC2-wlan-st-1] quit

# Create an AP template with name ap2 and model WA3628i-AGN, and configure its serial ID as 210235A29G007C000021.

[AC2] wlan ap ap2 model WA3628i-AGN

[AC2-wlan-ap-ap2] serial-id 210235A29G007C000021

# Map service template 1 to radio 1 of AP 2.

[AC2-wlan-ap-ap2] radio 1 type dot11an

[AC2-wlan-ap-ap2-radio-1] service-template 1

[AC2-wlan-ap-ap2-radio-1] radio enable

[AC2-wlan-ap-ap2-radio-1] quit

[AC2-wlan-ap-ap2] quit

# Create VRRP group 1 on VLAN-interface 2 and set its virtual IP address to 202.38.160.111.

[AC2] interface vlan-interface 2

[AC2-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Configure AC 2 to operate in preemptive mode and set the preemption delay to 5 seconds.

[AC2-Vlan-interface2] vrrp vrid 1 preempt-mode timer delay 5

4.     Verify the configuration:

# Ping the host from the client. (Details not shown.)

# Display information about VRRP group 1 on AC 1.

[AC1-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 1

     Admin Status   : Up                   State        : Master

     Config Pri     : 110                  Running Pri  : 110

     Preempt Mode   : Yes                  Delay Time   : 5

     Auth Type      : None

     Virtual IP     : 202.38.160.111

     Virtual MAC    : 0000-5e00-0101

     Master IP      : 202.38.160.1

# Display information about VRRP group 1 on AC 2.

[AC2-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 1

     Admin Status   : Up                   State        : Backup

     Config Pri     : 100                  Running Pri  : 100

     Preempt Mode   : Yes                  Delay Time   : 5

     Become Master  : 2200ms left

     Auth Type      : None

     Virtual IP     : 202.38.160.111

     Master IP      : 202.38.160.1

The output shows that in VRRP group 1 AC 1 is the master and AC 2 is the backup. AC 1 forwards the packets that the client sends to the host.

# When AC 1 fails, verify that the client can still ping the host.

# Display information about VRRP group 1 on AC 2.

[AC2-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 1

     Admin Status   : Up                   State        : Master

     Config Pri     : 100                  Running Pri  : 100

     Preempt Mode   : Yes                  Delay Time   : 5

     Auth Type      : None

     Virtual IP     : 202.38.160.111

     Virtual MAC    : 0000-5e00-0101

     Master IP      : 202.38.160.2

The output shows that when AC 1 fails, AC 2 becomes the master, and AC 2 forwards the packets that the client sends to the host.

# After AC 1 resumes normal operation, display information about VRRP group 1 on AC 1.

[AC1-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 1

     Admin Status   : Up                   State        : Master

     Config Pri     : 110                  Running Pri  : 110

     Preempt Mode   : Yes                  Delay Time   : 5

     Auth Type      : None

     Virtual IP     : 202.38.160.111

     Virtual MAC    : 0000-5e00-0101

     Master IP      : 202.38.160.1

The output shows that after AC 1 resumes normal operation, it becomes the master, and AC 1 forwards the packets that the client sends to the host.

VRRP interface tracking configuration example

Network requirements

·     The client wants to access the host on the Internet, using 202.38.160.111/24 as its default gateway.

·     AC 1 and AC 2 belong to VRRP group 1 with the virtual IP address of 202.38.160.111/24.

·     When AC 1 operates properly, AC 1 forwards the packets that the client sends to the host. If VLAN-interface 3 that AC 1 uses to connect to the Internet is not available, AC 2 will forward the packets that the client sends to the host.

·     To prevent unauthorized users from attacking the VRRP group with spoofed packets, configure plain text authentication for the VRRP packets in VRRP group 1, and specify the authentication key as hello.

Figure 11 Network diagram

 

Configuration procedure

1.     Perform basic configurations according to the topology requirements. (Details not shown.)

2.     Configure AC 1:

# Enable port security.

<AC1> system-view

[AC1] port-security enable

# Configure VLAN 2 and VLAN 3.

[AC1] vlan 2

[AC1-vlan2] quit

[AC1] vlan 3

[AC1-vlan3] quit

[AC1] interface WLAN-ESS 1

[AC1-WLAN-ESS1] port link-type hybrid

[AC1-WLAN-ESS1] undo port hybrid vlan 1

[AC1-WLAN-ESS1] port hybrid vlan 2 untagged

[AC1-WLAN-ESS1] port hybrid pvid vlan 2

[AC1-WLAN-ESS1] port-security port-mode psk

[AC1-WLAN-ESS1] port-security preshared-key pass-phrase 12345678

[AC1-WLAN-ESS1] port-security tx-key-type 11key

[AC1-WLAN-ESS1] quit

[AC1] interface vlan-interface 2

[AC1-Vlan-interface2] ip address 202.38.160.1 255.255.255.0

# Create VRRP group 1 on VLAN-interface 2 and set its virtual IP address to 202.38.160.111.

[AC1-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Assign AC 1 a higher priority than AC 2 in VRRP group 1, so that AC 1 can become the master.

[AC1-Vlan-interface2] vrrp vrid 1 priority 110

# Configure the authentication mode of the VRRP group as simple and authentication key as hello.

[AC1-Vlan-interface2] vrrp vrid 1 authentication-mode simple hello

# Set the interval at which the master sends VRRP advertisements to 4 seconds.

[AC1-Vlan-interface2] vrrp vrid 1 timer advertise 4

# Configure AC 1 to operate in preemptive mode, so that it can become the master whenever it works normally, and set the preemption delay to 5 seconds to avoid frequent status switchover.

[AC1-Vlan-interface2] vrrp vrid 1 preempt-mode timer delay 5

# Set VLAN-interface 3 on AC 1 to be tracked, and configure the amount by which the priority value decreases to be more than 10 (30 in this example), so that when VLAN-interface 3 fails, the priority of AC 1 in VRRP group 1 decreases to a value lower than 100 and thus AC 2 can become the master.

[AC1-Vlan-interface2] vrrp vrid 1 track interface vlan-interface 3 reduced 30

[AC1-Vlan-interface2] quit

# Configure service template 1 with the crypto type, and bind interface WLAN-ESS 1 to the service template.

[AC1] wlan service-template 1 crypto

[AC1-wlan-st-1] ssid psktest

[AC1-wlan-st-1] bind WLAN-ESS 1

[AC1-wlan-st-1] security-ie rsn

[AC1-wlan-st-1] cipher-suite ccmp

[AC1-wlan-st-1] authentication-method open-system

[AC1-wlan-st-1] service-template enable

[AC1-wlan-st-1] quit

# Create an AP template with name ap1 and model WA3628i-AGN, and configure its serial ID as 210235A29G007C000020.

[AC1] wlan ap ap1 model WA3628i-AGN

[AC1-wlan-ap-ap1] serial-id 210235A29G007C000020

# Map service template 1 to radio 1 of AP 1.

[AC1-wlan-ap-ap1] radio 1 type dot11an

[AC1-wlan-ap-ap1-radio-1] service-template 1

[AC1-wlan-ap-ap1-radio-1] radio enable

3.     Configure AC 2:

# Enable port security.

<AC2> system-view

[AC2] port-security enable

# Configure VLAN 2.

[AC2] vlan 2

[AC2-vlan2] quit

[AC2] interface WLAN-ESS 1

[AC2-WLAN-ESS1] port link-type hybrid

[AC2-WLAN-ESS1] undo port hybrid vlan 1

[AC2-WLAN-ESS1] port hybrid vlan 2 untagged

[AC2-WLAN-ESS1] port hybrid pvid vlan 2

[AC2-WLAN-ESS1] port-security port-mode psk

[AC2-WLAN-ESS1] port-security preshared-key pass-phrase 12345678

[AC2-WLAN-ESS1] port-security tx-key-type 11key

[AC2-WLAN-ESS1] quit

[AC2] interface vlan-interface 2

[AC2-Vlan-interface2] ip address 202.38.160.2 255.255.255.0

# Create VRRP group 1 on VLAN-interface 2 and set its virtual IP address to 202.38.160.111.

[AC2-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.111

# Configure the authentication mode of the VRRP group as simple and authentication key as hello.

[AC2-Vlan-interface2] vrrp vrid 1 authentication-mode simple hello

# Set the interval at which the master sends VRRP advertisements to 4 seconds.

[AC2-Vlan-interface2] vrrp vrid 1 timer advertise 4

# Configure AC 2 to operate in preemptive mode, so that AC 2 can become the master after the priority of AC 1 decreases to a value lower than 100. Set the preemption delay to 5 seconds to avoid frequent status switchover.

[AC2-Vlan-interface2] vrrp vrid 1 preempt-mode timer delay 5

[AC2-Vlan-interface2] quit

# Configure service template 1 with the crypto type, and bind interface WLAN-ESS 1 to the service template.

[AC2] wlan service-template 1 crypto

[AC2-wlan-st-1] ssid psktest

[AC2-wlan-st-1] bind WLAN-ESS 1

[AC2-wlan-st-1] security-ie rsn

[AC2-wlan-st-1] cipher-suite ccmp

[AC2-wlan-st-1] authentication-method open-system

[AC2-wlan-st-1] service-template enable

[AC2-wlan-st-1] quit

# Create an AP template with name ap2 and model WA3628i-AGN, and configure its serial ID as 210235A29G007C000021.

[AC2] wlan ap ap2 model WA3628i-AGN

[AC2-wlan-ap-ap2] serial-id 210235A29G007C000021

# Map service template 1 to radio 1 of AP 2.

[AC2-wlan-ap-ap2] radio 1 type dot11an

[AC2-wlan-ap-ap2-radio-1] service-template 1

[AC2-wlan-ap-ap2-radio-1] radio enable

4.     Verify the configuration:

# Ping the host from the client. (Details not shown.)

# Display information about VRRP group 1 on AC 1.

[AC1-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 4

     Admin Status   : Up                   State        : Master

     Config Pri     : 110                  Running Pri  : 110

     Preempt Mode   : Yes                  Delay Time   : 5

     Auth Type      : Simple               Key          : ******

     Virtual IP     : 202.38.160.111

     Virtual MAC    : 0000-5e00-0101

     Master IP      : 202.38.160.1

   VRRP Track Information:

     Track Interface: Vlan3                State : Up         Pri Reduced : 30

# Display information about VRRP group 1 on AC 2.

[AC2-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 4

     Admin Status   : Up                   State        : Backup

     Config Pri     : 100                  Running Pri  : 100

     Preempt Mode   : Yes                  Delay Time   : 5

     Become Master  : 2200ms left

     Auth Type      : Simple               Key          : ******

     Virtual IP     : 202.38.160.111

     Master IP      : 202.38.160.1

The output shows that in VRRP group 1 AC 1 is the master and AC 2 is the backup. AC 1 forwards the packets that the client sends to the host.

# If VLAN-interface 3 is not available, verify that the client can still ping the host. (Details not shown.)

# Display information about VRRP group 1 on AC 1:

[AC1-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 4

     Admin Status   : Up                   State        : Backup

     Config Pri     : 110                  Running Pri  : 80

     Preempt Mode   : Yes                  Delay Time   : 5

     Become Master  : 2200ms left

     Auth Type      : Simple               Key          : ******

     Virtual IP     : 202.38.160.111

     Master IP      : 202.38.160.2

   VRRP Track Information:

     Track Interface: Vlan3                State : Down       Pri Reduced : 30

# Display information about VRRP group 1 on AC 2:

[AC2-Vlan-interface2] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 1

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 4

     Admin Status   : Up                   State        : Master

     Config Pri     : 100                  Running Pri  : 100

     Preempt Mode   : Yes                  Delay Time   : 5

     Auth Type      : Simple               Key          : ******

     Virtual IP     : 202.38.160.111

     Virtual MAC    : 0000-5e00-0101

     Master IP      : 202.38.160.2

The output shows that when VLAN-interface 3 on AC 1 is not available, the priority of AC 1 is reduced to 80 and it becomes the backup. AC 2 becomes the master and packets sent from the client to the host are forwarded by AC 2.

VRRP with multiple VLANs configuration example

Network requirements

·     The hosts in VLAN 2 use 202.38.160.100/25 as their default gateway and the hosts in VLAN 3 use 202.38.160.200/25 as their default gateway.

·     AC 1 and AC 2 belong to both VRRP group 1 and VRRP group 2. The virtual IP address of VRRP group 1 is 202.38.160.100/25, and that of VRRP group 2 is 202.38.160.200/25.

·     In VRRP group 1, AC 1 has a higher priority than AC 2. In VRRP group 2, AC 2 has a higher priority than AC 1. In this case, hosts in VLAN 2 and VLAN 3 can communicate with external networks through AC 1 and AC 2, respectively, and when AC 1 or AC 2 fails, the hosts can use the other AC to communicate with external networks to avoid communication interruption.

Figure 12 Network diagram

 

Configuration procedure

1.     Perform basic configurations according to the topology requirements. (Details not shown.)

2.     Configure AC 1:

# Enable port security.

<AC1> system-view

[AC1] port-security enable

# Configure VLAN 2.

[AC1] vlan 2

[AC1-vlan2] quit

[AC1] interface WLAN-ESS 1

[AC1-WLAN-ESS1] port link-type hybrid

[AC1-WLAN-ESS1] undo port hybrid vlan 1

[AC1-WLAN-ESS1] port hybrid vlan 2 untagged

[AC1-WLAN-ESS1] port hybrid pvid vlan 2

[AC1-WLAN-ESS1] port-security port-mode psk

[AC1-WLAN-ESS1] port-security preshared-key pass-phrase 12345678

[AC1-WLAN-ESS1] port-security tx-key-type 11key

[AC1-WLAN-ESS1] quit

[AC1] interface vlan-interface 2

[AC1-Vlan-interface2] ip address 202.38.160.1 255.255.255.128

[AC1-Vlan-interface2] quit

# Configure service template 1 with the crypto type, and bind interface WLAN-ESS 1 to the service template.

[AC1] wlan service-template 1 crypto

[AC1-wlan-st-1] ssid psktest

[AC1-wlan-st-1] bind WLAN-ESS 1

[AC1-wlan-st-1] security-ie rsn

[AC1-wlan-st-1] cipher-suite ccmp

[AC1-wlan-st-1] authentication-method open-system

[AC1-wlan-st-1] service-template enable

[AC1-wlan-st-1] quit

# Create an AP template with name ap1 and model WA3628i-AGN, and configure its serial ID as 210235A29G007C000020.

[AC1] wlan ap ap1 model WA3628i-AGN

[AC1-wlan-ap-ap1] serial-id 210235A29G007C000020

# Map service template 1 to radio 1 of AP 1.

[AC1-wlan-ap-ap1] radio 1 type dot11an

[AC1-wlan-ap-ap1-radio-1] service-template 1

[AC1-wlan-ap-ap1-radio-1] radio enable

[AC1-wlan-ap-ap1-radio-1] quit

[AC1-wlan-ap-ap1] quit

# Create VRRP group 1 on VLAN-interface 2 and set its virtual IP address to 202.38.160.100.

[AC1] interface vlan-interface 2

[AC1-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.100

# Set the priority of AC 1 to 110 in VRRP group 1, which is higher than that of AC 2 (100), so that AC 1 can become the master in VRRP group 1.

[AC1-Vlan-interface2] vrrp vrid 1 priority 110

[AC1-Vlan-interface2] quit

# Configure VLAN 3.

[AC1] vlan 3

[AC1-vlan3] quit

[AC1] interface WLAN-ESS 2

[AC1-WLAN-ESS2] port link-type hybrid

[AC1-WLAN-ESS2] undo port hybrid vlan 1

[AC1-WLAN-ESS2] port hybrid vlan 3 untagged

[AC1-WLAN-ESS2] port hybrid pvid vlan 3

[AC1-WLAN-ESS2] quit

[AC1] interface vlan-interface 3

[AC1-Vlan-interface3] ip address 202.38.160.130 255.255.255.128

# Create VRRP group 2 and set its virtual IP address to 202.38.160.200.

[AC1-Vlan-interface3] vrrp vrid 2 virtual-ip 202.38.160.200

3.     Configure AC 2:

# Configure VLAN 2.

<AC2> system-view

[AC2] vlan 2

[AC2-vlan2] quit

[AC2] interface WLAN-ESS 1

[AC2-WLAN-ESS1] port link-type hybrid

[AC2-WLAN-ESS1] undo port hybrid vlan 1

[AC2-WLAN-ESS1] port hybrid vlan 2 untagged

[AC2-WLAN-ESS1] port hybrid pvid vlan 2

[AC2-WLAN-ESS1] quit

[AC2] interface vlan-interface 2

[AC2-Vlan-interface2] ip address 202.38.160.2 255.255.255.128

# Create VRRP group 1 on VLAN-interface 2 and set its virtual IP address to 202.38.160.100.

[AC2-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.100

[AC2-Vlan-interface2] quit

# Configure VLAN 3.

[AC2] vlan 3

[AC2-vlan3] quit

[AC2] interface WLAN-ESS 2

[AC2-WLAN-ESS2] port link-type hybrid

[AC2-WLAN-ESS2] undo port hybrid vlan 1

[AC2-WLAN-ESS2] port hybrid vlan 3 untagged

[AC2-WLAN-ESS2] port hybrid pvid vlan 3

[AC2-WLAN-ESS2] quit

[AC2] interface vlan-interface 3

[AC2-Vlan-interface3] ip address 202.38.160.131 255.255.255.128

# Create VRRP group 2 on VLAN-interface 3 and set its virtual IP address to 202.38.160.200.

[AC2-Vlan-interface3] vrrp vrid 2 virtual-ip 202.38.160.200

# Assign AC 2 a higher priority than AC 1 (100) in VRRP group 2, so that AC 2 can become the master in VRRP group 2.

[AC2-Vlan-interface3] vrrp vrid 2 priority 110

4.     Verify the configuration:

# Display information about the VRRP group on AC 1.

[AC1-Vlan-interface3] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 2

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 1

     Admin Status   : Up                   State        : Master

     Config Pri     : 110                  Running Pri  : 110

     Preempt Mode   : Yes                  Delay Time   : 0

     Auth Type      : None

     Virtual IP     : 202.38.160.100

     Virtual MAC    : 0000-5e00-0101

     Master IP      : 202.38.160.1

 

   Interface Vlan-interface3

     VRID           : 2                    Adver Timer  : 1

     Admin Status   : Up                   State        : Backup

     Config Pri     : 100                  Running Pri  : 100

     Preempt Mode   : Yes                  Delay Time   : 0

     Become Master  : 2200ms left

     Auth Type      : None

     Virtual IP     : 202.38.160.200

     Master IP      : 202.38.160.131

# Display information about the VRRP group on AC 2.

[AC2-Vlan-interface3] display vrrp verbose

 IPv4 Standby Information:

     Run Mode       : Standard

     Run Method     : Virtual MAC

 Total number of virtual routers : 2

   Interface Vlan-interface2

     VRID           : 1                    Adver Timer  : 1

     Admin Status   : Up                   State        : Backup

     Config Pri     : 100                  Running Pri  : 100

     Preempt Mode   : Yes                  Delay Time   : 0

     Become Master  : 2200ms left

     Auth Type      : None

     Virtual IP     : 202.38.160.100

     Master IP      : 202.38.160.1

 

   Interface Vlan-interface3

     VRID           : 2                    Adver Timer  : 1

     Admin Status   : Up                   State        : Master

     Config Pri     : 110                  Running Pri  : 110

     Preempt Mode   : Yes                  Delay Time   : 0

     Auth Type      : None

     Virtual IP     : 202.38.160.200

     Virtual MAC    : 0000-5e00-0102

     Master IP      : 202.38.160.131

The output shows that in VRRP group 1, AC 1 is the master, AC 2 is the backup, and the hosts with the default gateway of 202.38.160.100/25 access the Internet through AC 1. In VRRP group 2, AC 1 is the backup, AC 2 is the master, and the hosts with the default gateway of 202.38.160.200/25 access the Internet through AC 2.

Troubleshooting VRRP

The screen frequently displays error prompts  

Symptom

The screen frequently displays error prompts.

Analysis

This error is probably caused by:

·     Inconsistent configuration of the devices in the VRRP group.

·     A device is attempting to send illegitimate VRRP packets.

Solution

·     In the first case, modify the configuration.

·     In the latter case, resort to non-technical measures.

Multiple masters appear in a VRRP group

Symptom

Multiple masters are present in the same VRRP group.

Analysis

·     Multiple masters coexist for a short period. This is normal and requires no manual intervention.

·     Multiple masters coexist for a long period. This is because devices in the VRRP group cannot receive VRRP packets or the received VRRP packets are illegal.

Solution

Ping between these masters and do the following:

·     If the ping fails, check network connectivity.

·     If the ping succeeds, check that their configurations are consistent in terms of number of virtual IP addresses, virtual IP addresses, advertisement interval, and authentication.
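The multiple-master symptom can be spotted by comparing display vrrp verbose output collected from every member of a group. The following Python sketch is an added example, not H3C code: the function names, finding codes, and both captures are constructed, with group 1 modelled on the interface tracking example above and group 2 (Vlan-interface4, 192.0.2.0/24) invented to show a split.

```python
import re
from collections import defaultdict

# Constructed captures, trimmed to the fields the checks use. Group 1 follows the
# guide's interface-tracking failover; group 2 is an invented split in which both
# devices claim the master role.
OUTPUTS = {
    "AC1": """
 Total number of virtual routers : 2
   Interface Vlan-interface2
     VRID           : 1                    Adver Timer  : 4
     Admin Status   : Up                   State        : Backup
     Config Pri     : 110                  Running Pri  : 80
     Virtual IP     : 202.38.160.111
     Master IP      : 202.38.160.2
   VRRP Track Information:
     Track Interface: Vlan3                State : Down       Pri Reduced : 30
   Interface Vlan-interface4
     VRID           : 2                    Adver Timer  : 1
     Admin Status   : Up                   State        : Master
     Config Pri     : 100                  Running Pri  : 100
     Virtual IP     : 192.0.2.1
     Master IP      : 192.0.2.2
""",
    "AC2": """
 Total number of virtual routers : 2
   Interface Vlan-interface2
     VRID           : 1                    Adver Timer  : 4
     Admin Status   : Up                   State        : Master
     Config Pri     : 100                  Running Pri  : 100
     Virtual IP     : 202.38.160.111
     Master IP      : 202.38.160.2
   Interface Vlan-interface4
     VRID           : 2                    Adver Timer  : 1
     Admin Status   : Up                   State        : Master
     Config Pri     : 110                  Running Pri  : 110
     Virtual IP     : 192.0.2.1
     Master IP      : 192.0.2.3
""",
}

PAIR = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")  # "Label : value", several per line


def parse_display(text):
    """Split 'display vrrp verbose' text into one dict per VRRP group."""
    groups, cur, in_track = [], None, False
    for line in text.splitlines():
        s = line.strip()
        if s.startswith("Interface "):
            cur = {"Interface": s.split(None, 1)[1], "Tracks": []}
            groups.append(cur)
            in_track = False
        elif s.startswith("VRRP Track Information"):
            in_track = True
        elif cur is not None:
            pairs = dict(PAIR.findall(s))
            if in_track and pairs:
                cur["Tracks"].append(pairs)  # keep the track "State" apart from the group's
            else:
                cur.update(pairs)
    return [g for g in groups if "VRID" in g and "State" in g]


def triage(outputs):
    """Return sorted (code, interface, vrid, detail) findings across all devices."""
    findings, by_group = [], defaultdict(list)
    for dev, text in outputs.items():
        for g in parse_display(text):
            key = (g["Interface"], int(g["VRID"]))
            by_group[key].append((dev, g))
            cfg, run = g.get("Config Pri"), g.get("Running Pri")
            if cfg and run and int(run) < int(cfg):
                down = [t.get("Track Interface", "?") for t in g["Tracks"]
                        if t.get("State") == "Down"]
                findings.append(("PRIORITY_REDUCED", *key,
                                 f"{dev}: {cfg} -> {run}, tracked down: {', '.join(down)}"))
    for key, members in by_group.items():
        masters = sorted(dev for dev, g in members if g["State"] == "Master")
        if len(masters) > 1:
            findings.append(("MULTIPLE_MASTERS", *key, ", ".join(masters)))
        master_ips = sorted({g["Master IP"] for _, g in members if "Master IP" in g})
        if len(master_ips) > 1:
            # Members naming different masters are not receiving, or not
            # accepting, each other's advertisements.
            findings.append(("MASTER_IP_DISAGREEMENT", *key, ", ".join(master_ips)))
    return sorted(findings)


if __name__ == "__main__":
    for finding in triage(OUTPUTS):
        print(finding)
```

A MULTIPLE_MASTERS finding that persists across several collections matches the long-period case described above; a PRIORITY_REDUCED finding on its own is an expected tracking failover.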

Frequent VRRP state transition

Symptom

Frequent VRRP state transition.

Analysis

The VRRP advertisement interval is set too short.

Solution

Increase the interval for sending VRRP advertisements or configure a preemption delay.

 
