16-High Availability Configuration Guide

11-Hot backup configuration

Contents

Hot backup overview
    Application scenario
    Operating modes of hot backup
        Active/standby mode
        Dual-active mode
        Comparison between active/standby mode and dual-active mode
    Hot backup deployment schemes
    Restrictions and guidelines: Hot backup configuration
Configuring VRRP hot backup
    About VRRP hot backup
    ARP and MAC learning in VRRP hot backup
    Operating modes of VRRP hot backup
        Active/standby mode
        Dual-active mode
    NAT on a VRRP hot backup system
        About NAT on a VRRP hot backup system
        Traffic forwarding process
    VRRP hot backup support for SSL VPN
    Prerequisites for VRRP hot backup configuration
    VRRP hot backup configuration flow
    VRRP hot backup configuration examples
        Example: Configuring a VRRP hot backup system in active/standby mode
        Example: Configuring a VRRP hot backup system in dual-active mode
        Example: Configuring NAT on a VRRP hot backup system in active/standby mode
        Example: Configuring NAT on a VRRP hot backup system in dual-active mode
Configuring IRF hot backup
    About IRF hot backup
    IRF hot backup deployment schemes
        IRF hot backup in active/standby mode with redundancy groups
        IRF hot backup in dual-active mode with redundancy groups
        IRF hot backup in dual-active mode with link aggregations
        Comparison between the deployment schemes
    Restrictions: Hardware compatibility with IRF hot backup
    Prerequisites for IRF hot backup configuration
    IRF hot backup configuration flow
    IRF hot backup configuration examples
        Example: Configuring an IRF hot backup system in active/standby mode with one redundancy group
        Example: Configuring an IRF hot backup system in dual-active mode with two redundancy groups
        Example: Configuring an IRF hot backup system in dual-active mode with link aggregations

 


Hot backup overview

Hot backup is a device-level HA solution. It enables two devices to back up each other dynamically to ensure user service continuity upon failure of one of the devices.

Application scenario

As shown in Figure 1, typically redundant egress devices are deployed at the border between the external and internal networks to prevent a single point of failure from interrupting traffic forwarding. When one egress device fails, traffic is switched to a different path.

Hot backup is not used on traditional network devices such as switches and routers as they require only Layer 2 redundancy and route backup to ensure service continuity. It is used on security devices that perform status check and policy-based processing on packets, such as firewalls, IPSs, and network access behavior auditors. These devices check the validity of the first packet of each flow and create a session entry to record the traffic pattern, including the source and destination IP addresses, source and destination ports, and protocol. A security device forwards the subsequent packets of a flow only when the packets match a session entry. To ensure service continuity after traffic is switched between redundant security devices, hot backup is used to synchronize service entries and configuration between the devices through a dedicated channel.

Figure 1 Hot backup network model

 

Operating modes of hot backup

Hot backup supports the active/standby and dual-active modes.

Active/standby mode

In active/standby mode, one device acts as the master to process services, and the other device stands by as a backup, as shown in Figure 2. When an interface or link on the master fails or when the master fails, the backup takes over the master role to process services.

Figure 2 Active/standby mode of hot backup

 

Dual-active mode

In dual-active mode, both devices process services to increase the capacity of the hot backup system, as shown in Figure 3. When one device fails, its traffic is switched to the other device for forwarding.

Figure 3 Dual-active mode of hot backup

 

Comparison between active/standby mode and dual-active mode

Table 1 Comparison between active/standby mode and dual-active mode

Number of concurrent sessions

    Active/standby mode: Same as a single device.

    Dual-active mode: Same as a single device.

Capability to create new sessions

    Active/standby mode: Lower than a single device because session backup consumes resources.

    Dual-active mode: Higher than active/standby mode if most traffic is symmetric. Lower than active/standby mode if most traffic is asymmetric.

Throughput

    Active/standby mode: Same as a single device.

    Dual-active mode: Twice the throughput in active/standby mode if all traffic is symmetric. Lower than the throughput in active/standby mode if most traffic is asymmetric. To ensure that the traffic size is within the processing capability of one device upon failure of the other device, make sure the throughput of a device does not exceed 50% of its capability.

Switchover duration

    Active/standby mode: Longer than dual-active mode because all traffic is switched.

    Dual-active mode: Short because only part of the traffic is switched.

 

Hot backup deployment schemes

Hot backup supports the following deployment schemes:

·     VRRP hot backup—Relies on Virtual Router Redundancy Protocol (VRRP) and remote backup management (RBM).

·     IRF hot backup—Relies on Intelligent Resilient Framework (IRF), Ethernet link aggregation, Reth interfaces, and redundancy groups.

Restrictions and guidelines: Hot backup configuration

You cannot use VRRP hot backup and IRF hot backup together.

A hot backup system can contain a maximum of two devices.

To ensure that the traffic size is within the processing capability of one device upon failure of the other device, make sure the throughput of each device does not exceed 50% of its capability.


Configuring VRRP hot backup

About VRRP hot backup

VRRP hot backup uses VRRP and RBM together to set up a hot backup system. VRRP directs traffic to the member devices in a hot backup system. RBM backs up service entries and configuration between the member devices and controls master switchover of multiple VRRP groups to ensure symmetric forwarding of flows.

For more information about VRRP, see "Configuring VRRP." For more information about RBM, see "Configuring RBM."

ARP and MAC learning in VRRP hot backup

When the members of a VRRP group receive an ARP request for the group's virtual IP address, the master replies with the group's virtual MAC address. This allows the upstream and downstream Layer 2 devices and hosts to learn the virtual MAC address.

Operating modes of VRRP hot backup

VRRP hot backup supports the active/standby and dual-active modes.

Active/standby mode

Figure 4 shows a typical model of a VRRP hot backup system operating in active/standby mode. The hot backup system is directly connected to the upstream and downstream Layer 2 switches by Layer 3 interfaces. To use the active/standby mode, perform the following tasks:

·     Establish RBM channels between Device A and Device B.

·     On Device A and Device B, create uplink VRRP group 1 and downlink VRRP group 2 and associate them with RBM.

·     On Device A, associate VRRP group 1 and VRRP group 2 with the VRRP active group. On Device B, associate VRRP group 1 and VRRP group 2 with the VRRP standby group.

·     On Device A and Device B, specify the IP address of Interface A1 on the router (2.1.1.15) as the next hop of the route to the Internet.

·     On the router, specify the virtual IP address of VRRP group 1 (2.1.1.3) as the next hop of the route to the host's subnet.

·     On the host, specify the virtual IP address of VRRP group 2 (10.1.1.3) as the default gateway.

·     On Switch A, assign the interfaces attached to the router, Device A, and Device B to the same VLAN.

·     On Switch B, assign the interfaces attached to the host, Device A, and Device B to the same VLAN.

Figure 4 VRRP hot backup system operating in active/standby mode

 

The following shows how traffic is forwarded when the host accesses the Internet in Figure 4:

1.     The host identifies that the destination IP address is on a different subnet and sends an ARP request to obtain the MAC address of the default gateway. In this example, the host does not have the ARP entry for the default gateway.

2.     Switch B broadcasts the ARP request and learns the MAC address of the host.

3.     Device A and Device B receive the ARP request, and Device A (master) replies with the virtual MAC address of VRRP group 2.

4.     Switch B learns the MAC address entry for the virtual MAC address of VRRP group 2 and forwards the ARP reply to the host.

5.     The host learns the virtual MAC address and sends the packets destined for the Internet to the default gateway.

6.     Switch B forwards the packets to Device A (master). The traffic of the host will be processed and forwarded by Device A as long as it is the master.

7.     Device A does not have the ARP entry for the next hop of the route to the Internet and sends an ARP request to obtain the MAC address of the next hop. In the ARP request, the source MAC address is the virtual MAC address of VRRP group 1.

8.     Switch A and the router then perform typical forwarding and ARP and MAC address learning.

The forwarding process for the traffic sent from the Internet to the host is similar to the above process.

Dual-active mode

Figure 5 shows a typical model of a VRRP hot backup system operating in dual-active mode. The hot backup system is directly connected to the upstream and downstream Layer 2 switches by Layer 3 interfaces. To use the dual-active mode, perform the following tasks:

·     Establish RBM channels between Device A and Device B.

·     On Device A and Device B, create two uplink VRRP groups and two downlink VRRP groups.

·     Create VRRP group 3 and VRRP group 4 on the downlink interfaces of Device A and Device B.

·     On Device A, associate VRRP group 1 and VRRP group 3 with the VRRP active group, and associate VRRP group 2 and VRRP group 4 with the VRRP standby group.

·     On Device B, associate VRRP group 1 and VRRP group 3 with the VRRP standby group, and associate VRRP group 2 and VRRP group 4 with the VRRP active group.

·     On Device A and Device B, specify the IP address of Interface A1 on the router (2.1.1.15) as the next hop of the route to the Internet.

·     On the router, configure routes as follows:

¡     Specify the virtual IP address of VRRP group 1 (2.1.1.3) as the next hop of the route to Host A's subnet.

¡     Specify the virtual IP address of VRRP group 2 (2.1.1.4) as the next hop of the route to Host B's subnet.

·     On Host A, specify the virtual IP address of VRRP group 3 (10.1.1.3) as the default gateway.

·     On Host B, specify the virtual IP address of VRRP group 4 (10.1.1.4) as the default gateway.

·     On Switch A, assign the interfaces attached to the router, Device A, and Device B to the same VLAN.

·     On Switch B, assign the interfaces attached to the hosts, Device A, and Device B to the same VLAN.

Figure 5 VRRP hot backup system operating in dual-active mode

 

As shown in Figure 5, the traffic of Host A and Host B is distributed to Device A and Device B, respectively. The traffic forwarding process is similar to that in active/standby mode.

NAT on a VRRP hot backup system

For NAT to operate correctly on a VRRP hot backup system, you must associate NAT features with the VRRP groups. For example, when you use dynamic NAT, static NAT, NAT server, or NAT444, you must associate the feature with the VRRP groups. For more information about NAT features, see NAT Configuration Guide.

NAT features have similar mechanisms, and the operating mode of the VRRP hot backup system does not change the IP address translation process. This section uses dynamic NAT on a VRRP hot backup system in active/standby mode to explain how NAT works on a VRRP hot backup system.

About NAT on a VRRP hot backup system

When receiving an ARP request with a target IP address that belongs to the subnet of the IP address of a NAT interface, a NAT device replies with the MAC address of the NAT interface.

As shown in Figure 6, dynamic NAT is configured on a VRRP hot backup system that is operating in active/standby mode. If dynamic NAT is not associated with any VRRP group, the devices process the traffic as follows when the host accesses the Internet:

1.     When receiving the packets sent by the host, Device A translates the source IP address into a public IP address in the NAT address group and forwards the packets to the router. In this example, the public IP address is in the same subnet as the virtual IP address of uplink VRRP group 1.

2.     The router receives the return packets and broadcasts an ARP request for the destination public IP address.

3.     Device A and Device B receive the ARP request and reply with the MAC address of their respective uplink interface because they have the same NAT address group configuration.

4.     The router might send the return packets to the uplink interface of Device A or Device B, which affects service continuity.

For the router to learn the virtual MAC address of the uplink VRRP group, you must associate NAT features with the VRRP group.

Figure 6 NAT not associated with a VRRP group

 

Traffic forwarding process

The master in a VRRP group replies with the virtual MAC address of the VRRP group to an ARP request if the following requirements are met:

·     NAT features are associated with the VRRP group.

·     The target IP address belongs to the subnet that contains the IP address of a NAT interface.

As shown in Figure 7, dynamic NAT is configured on a VRRP hot backup system that is operating in active/standby mode. If NAT is associated with the uplink VRRP group, the devices process the traffic as follows when the host accesses the Internet:

1.     When receiving the packets sent by the host, Device A translates the source IP address into a public IP address in the NAT address group and forwards the packets to the router. In this example, the public IP address is in the same subnet as the virtual IP address of uplink VRRP group 1.

2.     The router receives the return packets and broadcasts an ARP request for the destination public IP address.

3.     Device A and Device B receive the ARP request, and Device A (master) replies with the virtual MAC address of the uplink VRRP group.

4.     Router A sends the return packets to Device A.

Figure 7 NAT on a VRRP hot backup system

 

For more information about VRRP group association with dynamic NAT, static NAT, NAT server, and NAT444, see Layer 3—IP Services Configuration Guide.
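The ARP behaviour described in "About NAT on a VRRP hot backup system" and "Traffic forwarding process" can be modelled to show why the association matters for service continuity. The following is an added example, not code from the guide or from H3C: the device names, interface MAC addresses and the 2.1.1.0/24 uplink subnet are constructed, and the reply rules are transcribed from the two lists above (a NAT device answers for targets in its NAT interface's subnet with the interface MAC; with NAT associated with the VRRP group, only the master answers, with the virtual MAC).

```python
"""Model of which hot backup member answers an ARP request for a NAT public address.

Added example, not from the H3C guide. Member names, interface MACs and the
2.1.1.0/24 uplink subnet are constructed; the reply rules follow the guide's text.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class VrrpGroup:
    vrid: int
    virtual_ip: str
    virtual_mac: str
    state: str                 # "Master" or "Backup" on this member
    nat_associated: bool       # NAT feature associated with this VRRP group or not


@dataclass
class Member:
    name: str
    uplink_mac: str            # physical MAC of the uplink (NAT) interface, constructed
    uplink_subnet: str         # subnet of the NAT interface's IP address
    group: VrrpGroup           # uplink VRRP group as seen on this member


def arp_reply(member, target_ip):
    """Return the MAC this member puts in its ARP reply, or None if it stays silent."""
    target = ip_address(target_ip)
    if target == ip_address(member.group.virtual_ip):
        # Plain VRRP: only the master answers for the group's virtual IP address.
        return member.group.virtual_mac if member.group.state == "Master" else None
    if target not in ip_network(member.uplink_subnet):
        return None            # not an address this member proxies for
    if member.group.nat_associated:
        # NAT associated with the VRRP group: only the master answers, with the virtual MAC,
        # so the router's ARP entry stays valid across a master switchover.
        return member.group.virtual_mac if member.group.state == "Master" else None
    # NAT without association: both members answer with their own interface MAC,
    # and the router keeps whichever reply arrived last (the continuity problem).
    return member.uplink_mac


def arp_responders(members, target_ip):
    """Map of member name to reply MAC for one ARP request seen by all members."""
    replies = {}
    for m in members:
        mac = arp_reply(m, target_ip)
        if mac is not None:
            replies[m.name] = mac
    return replies


def build_system(nat_associated, master="DeviceA"):
    """Two members sharing uplink VRRP group 1 (virtual IP 2.1.1.3, as in the guide).
    0000-5e00-0101 is the standard VRRP virtual MAC for VRID 1."""
    def group(name):
        return VrrpGroup(1, "2.1.1.3", "0000-5e00-0101",
                         "Master" if name == master else "Backup", nat_associated)
    return [Member("DeviceA", "00aa-0000-000a", "2.1.1.0/24", group("DeviceA")),
            Member("DeviceB", "00aa-0000-000b", "2.1.1.0/24", group("DeviceB"))]


def continuity_ok(members, public_ip):
    """Service continuity needs exactly one reply, and it must carry the virtual MAC."""
    replies = arp_responders(members, public_ip)
    return len(replies) == 1 and set(replies.values()) == {members[0].group.virtual_mac}


if __name__ == "__main__":
    print(arp_responders(build_system(False), "2.1.1.10"))   # both members answer
    print(arp_responders(build_system(True), "2.1.1.10"))    # only the master answers
```

Running `build_system(True, master="DeviceB")` models the state after a master switchover: Device B now answers with the same virtual MAC, so the router's existing ARP entry for the public address still delivers the return packets to the member that holds the sessions.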

VRRP hot backup support for SSL VPN

To back up SSL VPN data, you must use the sslvpn rbm-port command to establish a data backup channel for SSL VPN on the VRRP hot backup system. For more information about the data backup channel and SSL VPN configuration, see VPN Configuration Guide.

A VRRP hot backup system supports SSL VPN only when it is operating in active/standby mode.

Prerequisites for VRRP hot backup configuration

Before you configure VRRP hot backup, verify that the following hardware and software settings are the same on the member devices of the hot backup system:

·     Device model.

·     Software version.

·     IRF member ID.

·     Interface for setting up the control channel.

·     Interface for setting up the data channel.

·     Security zone configuration on the interfaces with the same slot number.

·     Location, number, and type of service modules.

·     Location, number, and type of interface modules.

Before you configure VRRP hot backup, complete the configuration of the features whose settings VRRP hot backup does not synchronize, such as interface and routing settings.

VRRP hot backup configuration flow

Figure 8 shows the configuration flow for VRRP hot backup.

Figure 8 VRRP hot backup configuration flow chart


VRRP hot backup configuration examples

Example: Configuring a VRRP hot backup system in active/standby mode

Network configuration

As shown in Figure 9, set up a VRRP hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

·     Configure the hot backup system to operate in active/standby mode.

·     Configure Device A and Device B as the primary device and the secondary device, respectively.

Figure 9 Network diagram


Procedure

1.     Verify that Device A and Device B meet the requirements described in "Prerequisites for VRRP hot backup configuration."

2.     Configure Device A:

# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

# Configure interzone policies to permit communication between security zones RBM-zone and Local. This allows Device A and Device B to set up the RBM channels. (Details not shown.)

# Configure interzone policies to permit communication between security zones Untrust and Local and between security zones Trust and Local. This allows Device A and Device B to exchange VRRP packets and elect the master when the RBM channels are unavailable. (Details not shown.)

# Specify 10.2.1.2 as the destination IP address of the RBM control channel. In this example, the default port number 60064 is used.

<DeviceA> system-view

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

# Specify 10.2.1.1 as the source IP address of the RBM control channel.

[DeviceA-remote-backup-group] local-ip 10.2.1.1

# Set up an RBM data channel on GigabitEthernet 1/0/3. In this example, the data channel and the control channel share a physical link.

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

# Assign the primary role to Device A in the remote backup group.

[DeviceA-remote-backup-group] device-role primary

# Set the operating mode of the hot backup system to active/standby.

[DeviceA-remote-backup-group] undo backup-mode

# Enable RBM hot backup.

[DeviceA-remote-backup-group] hot-backup enable

# Enable automatic configuration synchronization.

[DeviceA-remote-backup-group] configuration auto-sync enable

# Set the configuration consistency check interval to 12 hours.

[DeviceA-remote-backup-group] configuration sync-check interval 12

[DeviceA-remote-backup-group] quit

# Create VRRP group 1 on GigabitEthernet 1/0/1, set its virtual IP address to 2.1.1.3, and associate it with the VRRP active group.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 active

[DeviceA-GigabitEthernet1/0/1] quit

# Create VRRP group 2 on GigabitEthernet 1/0/2, set its virtual IP address to 10.1.1.3, and associate it with the VRRP active group.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.1.1.3 active

[DeviceA-GigabitEthernet1/0/2] quit

3.     Configure Device B:

# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

# Configure interzone policies to permit communication between security zones RBM-zone and Local. This allows Device A and Device B to set up the RBM channels. (Details not shown.)

# Configure interzone policies to permit communication between security zones Untrust and Local and between security zones Trust and Local. This allows Device A and Device B to exchange VRRP packets and elect the master when the RBM channels are unavailable. (Details not shown.)

# Specify 10.2.1.1 as the destination IP address of the RBM control channel. In this example, the default port number 60064 is used.

<DeviceB> system-view

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

# Specify 10.2.1.2 as the source IP address of the RBM control channel.

[DeviceB-remote-backup-group] local-ip 10.2.1.2

# Set up an RBM data channel on GigabitEthernet 1/0/3. In this example, the data channel and the control channel share a physical link.

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

# Assign the secondary role to Device B in the remote backup group.

[DeviceB-remote-backup-group] device-role secondary

# Set the operating mode of the hot backup system to active/standby.

[DeviceB-remote-backup-group] undo backup-mode

# Enable RBM hot backup.

[DeviceB-remote-backup-group] hot-backup enable

# Enable automatic configuration synchronization.

[DeviceB-remote-backup-group] configuration auto-sync enable

# Set the configuration consistency check interval to 12 hours.

[DeviceB-remote-backup-group] configuration sync-check interval 12

[DeviceB-remote-backup-group] quit

# Create VRRP group 1 on GigabitEthernet 1/0/1, set its virtual IP address to 2.1.1.3, and associate it with the VRRP standby group.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 standby

[DeviceB-GigabitEthernet1/0/1] quit

# Create VRRP group 2 on GigabitEthernet 1/0/2, set its virtual IP address to 10.1.1.3, and associate it with the VRRP standby group.

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.1.1.3 standby

[DeviceB-GigabitEthernet1/0/2] quit

4.     Configure Switch A:

 

 

NOTE:

This step provides only a brief configuration procedure.

 

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the router to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

5.     Configure Switch B:

 

 

NOTE:

This step provides only a brief configuration procedure.

 

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the host to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

6.     Configure the router:

 

 

NOTE:

This step provides only a brief configuration procedure.

 

# Assign 2.1.1.15/24 to GigabitEthernet 1/0/1.

# Configure routes as follows:

¡     Specify 2.1.1.3 (virtual IP address of VRRP group 1) as the next hop of the route to the internal network.

¡     Specify the IP address of the peer interface attached to the outgoing interface as the next hop of the route to the Internet.

7.     Configure security services on Device A (primary). For more information about the security services that can be backed up by RBM, see "Configuring RBM."

8.     On the host, specify 10.1.1.3 (virtual IP address of VRRP group 2) as the default gateway. (Details not shown.)

Verifying the configuration

1.     Verify the configuration on Device A:

# Verify that the RBM channels have been set up.

[DeviceA] display remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby

  Device role: Primary

  Local IP: 10.2.1.1

  Remote IP: 10.2.1.2    Destination port: 60064

  Control channel status: Connected

  Auto configuration synchronization: Enable

  Configuration consistency check interval: 12 hour

  Vrrp delay-time: 1 min

# Verify that Device A is the master in all VRRP groups.

[DeviceA] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Master

   VRRP standby group status: Master

 Total number of virtual routers : 2

 Interface          VRID  State        Running Adver   Auth     Virtual

                                       Pri     Timer   Type        IP

 ---------------------------------------------------------------------

 GE1/0/1            1     Master       100     100     None     2.1.1.3

 GE1/0/2            2     Master       100     100     None     10.1.1.3

# Enable logging for the interzone policy that permits communication between security zones Trust and Untrust. Verify that Device A generates log messages when the host communicates with the Internet. (Details not shown.)

2.     Verify the configuration on Device B:

# Verify that the RBM channels have been set up.

[DeviceB] display remote-backup-group status

Remote backup group information:

  Backup mode: Active/standby

  Device role: Secondary

  Local IP: 10.2.1.2

  Remote IP: 10.2.1.1    Destination port: 60064

  Control channel status: Connected

  Auto configuration synchronization: Enable

  Configuration consistency check interval: 12 hour

  Vrrp delay-time: 1 min

# Verify that Device B is the backup in all VRRP groups.

[DeviceB] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Backup

   VRRP standby group status: Backup

 Total number of virtual routers : 2

 Interface          VRID  State        Running Adver   Auth     Virtual

                                       Pri     Timer   Type        IP

 ---------------------------------------------------------------------

 GE1/0/1            1     Backup       100     100     None     2.1.1.3

 GE1/0/2            2     Backup       100     100     None     10.1.1.3

# Enable logging for the interzone policy that permits communication between security zones Trust and Untrust. Verify that Device B does not generate log messages when the host communicates with the Internet. (Details not shown.)
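The verification steps above (and the matching steps in the dual-active example that follows) are read by eye from `display remote-backup-group status` and `display vrrp`. In operation it is useful to run the same checks from captured output, so a monitoring job can alert when the RBM control channel drops or VRRP mastership no longer matches the intended design. The following is an added example, not code from the guide or from H3C: the sample output is constructed from the guide's verification output (the dual-active table rows are built from its description of Device A as master in groups 1 and 3 and backup in groups 2 and 4), the degraded sample is constructed, and the parsing is plain text matching with no dependency on any H3C API.

```python
"""Sanity-check one hot backup member from captured 'display' output.
Added example, not from the H3C guide; sample output is constructed from the
guide's verification steps, and the checks encode the expectations stated there."""
import re
from collections import namedtuple

# Constructed: Device A in the active/standby example.
RBM_STATUS_ACTIVE_STANDBY = """\
Remote backup group information:
  Backup mode: Active/standby
  Device role: Primary
  Local IP: 10.2.1.1
  Remote IP: 10.2.1.2    Destination port: 60064
  Control channel status: Connected
  Auto configuration synchronization: Enable
  Configuration consistency check interval: 12 hour
  Vrrp delay-time: 1 min
"""
VRRP_ACTIVE_STANDBY = """\
IPv4 Virtual Router Information:
 Running mode      : Standard
 RBM control channel is established
   VRRP active group status : Master
   VRRP standby group status: Master
 Total number of virtual routers : 2
 Interface          VRID  State        Running Adver   Auth     Virtual
                                       Pri     Timer   Type        IP
 ---------------------------------------------------------------------
 GE1/0/1            1     Master       100     100     None     2.1.1.3
 GE1/0/2            2     Master       100     100     None     10.1.1.3
"""
# Constructed: Device A in the dual-active example (master in groups 1 and 3,
# backup in groups 2 and 4, as the guide describes).
VRRP_DUAL_ACTIVE = """\
IPv4 Virtual Router Information:
 Running mode      : Standard
 RBM control channel is established
   VRRP active group status : Master
   VRRP standby group status: Backup
 Total number of virtual routers : 4
 Interface          VRID  State        Running Adver   Auth     Virtual
                                       Pri     Timer   Type        IP
 ---------------------------------------------------------------------
 GE1/0/1            1     Master       100     100     None     2.1.1.3
 GE1/0/1            2     Backup       100     100     None     2.1.1.4
 GE1/0/2            3     Master       100     100     None     10.1.1.3
 GE1/0/2            4     Backup       100     100     None     10.1.1.4
"""
# Constructed degraded state: control channel down and mastership split between members.
RBM_STATUS_BROKEN = RBM_STATUS_ACTIVE_STANDBY.replace("Connected", "Disconnected")
VRRP_BROKEN = re.sub(r"(\s2\s+)Master", r"\1Backup",
                     VRRP_ACTIVE_STANDBY.replace("channel is established", "channel is not established"))

# "Key: Value" pairs; one line may carry two of them (Remote IP / Destination port).
KV_RE = re.compile(r"([A-Za-z][\w /-]*?)\s*:\s*(\S.*?)(?=\s{2,}[A-Za-z]|$)")
# Rows of the per-interface VRRP table: interface, VRID, state, ..., virtual IP.
ROW_RE = re.compile(r"^\s*(\S+)\s+(\d+)\s+(Master|Backup|Initialize)\s+\d+\s+\d+\s+\S+\s+(\S+)\s*$")
VrrpRow = namedtuple("VrrpRow", "interface vrid state virtual_ip")


def parse_fields(text):
    """Collect every 'Key: Value' pair from display output into a dict."""
    fields = {}
    for line in text.splitlines():
        for key, value in KV_RE.findall(line):
            fields[key.strip()] = value.strip()
    return fields


def parse_vrrp_rows(text):
    """Parse the VRRP table rows; header and separator lines do not match ROW_RE."""
    matches = (ROW_RE.match(line) for line in text.splitlines())
    return [VrrpRow(m[1], int(m[2]), m[3], m[4]) for m in matches if m]


def check_hot_backup(rbm_text, vrrp_text, mode, role, master_vrids):
    """Return findings (empty list = healthy). master_vrids: VRIDs this member
    should hold as master (all groups for the active/standby primary, none for
    its secondary; each member's own VRRP active group in dual-active mode)."""
    rbm, vrrp, rows = parse_fields(rbm_text), parse_fields(vrrp_text), parse_vrrp_rows(vrrp_text)
    findings = []
    if rbm.get("Control channel status") != "Connected":
        findings.append(f"RBM control channel: {rbm.get('Control channel status')}")
    if rbm.get("Backup mode") != mode:
        findings.append(f"backup mode {rbm.get('Backup mode')}, expected {mode}")
    if rbm.get("Device role") != role:
        findings.append(f"device role {rbm.get('Device role')}, expected {role}")
    if rbm.get("Auto configuration synchronization") != "Enable":
        findings.append("configuration auto-sync is not enabled")
    if "RBM control channel is established" not in vrrp_text:
        findings.append("VRRP does not see the RBM control channel")
    masters = {r.vrid for r in rows if r.state == "Master"}
    if masters != set(master_vrids):
        findings.append(f"master in VRRP groups {sorted(masters)}, expected {sorted(master_vrids)}")
    if int(vrrp.get("Total number of virtual routers", "0")) != len(rows):
        findings.append("virtual router count does not match the table")
    return findings


if __name__ == "__main__":
    print(check_hot_backup(RBM_STATUS_ACTIVE_STANDBY, VRRP_ACTIVE_STANDBY, "Active/standby", "Primary", {1, 2}))
    print(check_hot_backup(RBM_STATUS_BROKEN, VRRP_BROKEN, "Active/standby", "Primary", {1, 2}))
```

The expected master set is passed in deliberately rather than derived from the output, so that the check compares the device against the design (which groups each member should own) instead of against whatever state it happens to report; a split-brain where both members report master on the same VRID is then caught on the secondary as unexpected mastership.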

Example: Configuring a VRRP hot backup system in dual-active mode

Network configuration

As shown in Figure 10, set up a VRRP hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

·     Configure the hot backup system to operate in dual-active mode.

·     Configure Device A and Device B to load share traffic.

Figure 10 Network diagram


Procedure

1.     Verify that Device A and Device B meet the requirements described in "Prerequisites for VRRP hot backup configuration."

2.     Configure Device A:

# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

# Configure interzone policies to permit communication between security zones RBM-zone and Local. This allows Device A and Device B to set up the RBM channels. (Details not shown.)

# Configure interzone policies to permit communication between security zones Untrust and Local and between security zones Trust and Local. This allows Device A and Device B to exchange VRRP packets and elect the master when the RBM channels are unavailable. (Details not shown.)

# Specify 10.2.1.2 as the destination IP address of the RBM control channel. In this example, the default port number 60064 is used.

<DeviceA> system-view

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

# Specify 10.2.1.1 as the source IP address of the RBM control channel.

[DeviceA-remote-backup-group] local-ip 10.2.1.1

# Set up an RBM data channel on GigabitEthernet 1/0/3. In this example, the data channel and the control channel share a physical link.

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

# Assign the primary role to Device A in the remote backup group.

[DeviceA-remote-backup-group] device-role primary

# Set the operating mode of the hot backup system to dual-active.

[DeviceA-remote-backup-group] backup-mode dual-active

# Enable RBM hot backup.

[DeviceA-remote-backup-group] hot-backup enable

# Enable automatic configuration synchronization.

[DeviceA-remote-backup-group] configuration auto-sync enable

# Set the configuration consistency check interval to 12 hours.

[DeviceA-remote-backup-group] configuration sync-check interval 12

[DeviceA-remote-backup-group] quit

# Create VRRP group 1 on GigabitEthernet 1/0/1, set its virtual IP address to 2.1.1.3, and associate it with the VRRP active group.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 active

# Create VRRP group 2 on GigabitEthernet 1/0/1, set its virtual IP address to 2.1.1.4, and associate it with the VRRP standby group.

[DeviceA-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 2.1.1.4 standby

[DeviceA-GigabitEthernet1/0/1] quit

# Create VRRP group 3 on GigabitEthernet 1/0/2, set its virtual IP address to 10.1.1.3, and associate it with the VRRP active group.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] vrrp vrid 3 virtual-ip 10.1.1.3 active

# Create VRRP group 4 on GigabitEthernet 1/0/2, set its virtual IP address to 10.1.1.4, and associate it with the VRRP standby group.

[DeviceA-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 10.1.1.4 standby

[DeviceA-GigabitEthernet1/0/2] quit

3.     Configure Device B:

# Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

# Configure interzone policies to permit communication between security zones RBM-zone and Local. This allows Device A and Device B to set up the RBM channels. (Details not shown.)

# Configure interzone policies to permit communication between security zones Untrust and Local and between security zones Trust and Local. This allows Device A and Device B to exchange VRRP packets and elect the master when the RBM channels are unavailable. (Details not shown.)

# Specify 10.2.1.1 as the destination IP address of the RBM control channel. In this example, the default port number 60064 is used.

<DeviceB> system-view

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

# Specify 10.2.1.2 as the source IP address of the RBM control channel.

[DeviceB-remote-backup-group] local-ip 10.2.1.2

# Set up an RBM data channel on GigabitEthernet 1/0/3. In this example, the data channel and the control channel share a physical link.

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

# Assign the secondary role to Device B in the remote backup group.

[DeviceB-remote-backup-group] device-role secondary

# Set the operating mode of the hot backup system to dual-active.

[DeviceB-remote-backup-group] backup-mode dual-active

# Enable RBM hot backup.

[DeviceB-remote-backup-group] hot-backup enable

# Enable automatic configuration synchronization.

[DeviceB-remote-backup-group] configuration auto-sync enable

# Set the configuration consistency check interval to 12 hours.

[DeviceB-remote-backup-group] configuration sync-check interval 12

[DeviceB-remote-backup-group] quit

# Create VRRP group 1 on GigabitEthernet 1/0/1, set its virtual IP address to 2.1.1.3, and associate it with the VRRP standby group.

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 standby

# Create VRRP group 2 on GigabitEthernet 1/0/1, set its virtual IP address to 2.1.1.4, and associate it with the VRRP active group.

[DeviceB-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 2.1.1.4 active

[DeviceB-GigabitEthernet1/0/1] quit

# Create VRRP group 3 on GigabitEthernet 1/0/2, set its virtual IP address to 10.1.1.3, and associate it with the VRRP standby group.

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] vrrp vrid 3 virtual-ip 10.1.1.3 standby

# Create VRRP group 4 on GigabitEthernet 1/0/2, set its virtual IP address to 10.1.1.4, and associate it with the VRRP active group.

[DeviceB-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 10.1.1.4 active

[DeviceB-GigabitEthernet1/0/2] quit

4.     Configure Switch A:

 

 

NOTE:

This step provides only a brief configuration procedure.

 

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the router to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

5.     Configure Switch B:

 

 

NOTE:

This step only provides the brief configuration procedure.

 

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the host to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

6.     Configure the router:

 

 

NOTE:

This step only provides the brief configuration procedure.

 

# Assign 2.1.1.15/24 to GigabitEthernet 1/0/1.

# Configure routes as follows:

◦     Specify 2.1.1.3 (virtual IP address of VRRP group 1) as the next hop of the routes to some subnets of the internal network. Specify 2.1.1.4 (virtual IP address of VRRP group 2) as the next hop of the routes to the other subnets of the internal network.

◦     Specify the IP address of the peer interface attached to the traffic outgoing interface as the next hop of the route to the Internet.

7.     Configure security services on Device A (primary). For more information about the security services that can be backed up by RBM, see "Configuring RBM."

8.     On some hosts, specify 10.1.1.3 (virtual IP address of VRRP group 3) as the default gateway. On the other hosts, specify 10.1.1.4 (virtual IP address of VRRP group 4) as the default gateway. (Details not shown.)

Verifying the configuration

1.     Verify the configuration on Device A:

# Verify that the RBM channels have been set up.

[DeviceA] display remote-backup-group status

Remote backup group information:

  Backup mode: Dual-active

  Device role: Primary

  Local IP: 10.2.1.1

  Remote IP: 10.2.1.2    Destination port: 60064

  Control channel status: Connected

  Auto configuration synchronization: Enable

  Configuration consistency check interval: 12 hour

  Vrrp delay-time: 1 min

# Verify that Device A is the master in VRRP groups 1 and 3 and the backup in VRRP groups 2 and 4.

[DeviceA] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Master

   VRRP standby group status: Backup

 Total number of virtual routers : 4

 Interface          VRID  State        Running Adver   Auth     Virtual

                                       Pri     Timer   Type        IP

 ---------------------------------------------------------------------

 GE1/0/1            1     Master       100     100     None     2.1.1.3

 GE1/0/1            2     Backup       100     100     None     2.1.1.4

 GE1/0/2            3     Master       100     100     None     10.1.1.3

 GE1/0/2            4     Backup       100     100     None     10.1.1.4

# Enable logging for the interzone policy that permits communication between security zones Trust and Untrust. Verify that Device A generates log messages when a host for which Device A forwards traffic communicates with the Internet. Verify that Device A does not generate log messages when a host for which Device B forwards traffic communicates with the Internet. (Details not shown.)

2.     Verify the configuration on Device B:

# Verify that the RBM channels have been set up.

[DeviceB] display remote-backup-group status

Remote backup group information:

  Backup mode: Dual-active

  Device role: Secondary

  Local IP: 10.2.1.2

  Remote IP: 10.2.1.1    Destination port: 60064

  Control channel status: Connected

  Auto configuration synchronization: Enable

  Configuration consistency check interval: 12 hour

  Vrrp delay-time: 1 min

# Verify that Device B is the master in VRRP groups 2 and 4 and the backup in VRRP groups 1 and 3.

[DeviceB] display vrrp

IPv4 Virtual Router Information:

 Running mode      : Standard

 RBM control channel is established

   VRRP active group status : Master

   VRRP standby group status: Backup

 Total number of virtual routers : 4

 Interface          VRID  State        Running Adver   Auth     Virtual

                                       Pri     Timer   Type        IP

 ---------------------------------------------------------------------

 GE1/0/1            1     Backup       100     100     None     2.1.1.3

 GE1/0/1            2     Master       100     100     None     2.1.1.4

 GE1/0/2            3     Backup       100     100     None     10.1.1.3

 GE1/0/2            4     Master       100     100     None     10.1.1.4

# Enable logging for the interzone policy that permits communication between security zones Trust and Untrust. Verify that Device B generates log messages when a host for which Device B forwards traffic communicates with the Internet. Verify that Device B does not generate log messages when a host for which Device A forwards traffic communicates with the Internet. (Details not shown.)
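The verification steps above are read by eye. The following Python script is an added example, not part of the H3C guide: it parses `display remote-backup-group status` and `display vrrp` output captured from both devices and flags the conditions that matter in a hot backup pair: a control channel that is not Connected, roles other than one Primary plus one Secondary, channel endpoints that are not mirrored, and any VRRP group with zero or two masters (two masters is the split-brain case that a control channel outage can produce). The sample outputs are constructed to match the displays shown above; the field labels and table layout are assumed to be exactly those printed in this example, and the expected master for each VRID is supplied as a design table.

```python
"""Consistency check for a two-node VRRP hot backup (RBM) pair (added example)."""
import re
from dataclasses import dataclass


@dataclass
class RbmStatus:
    backup_mode: str
    role: str
    local_ip: str
    remote_ip: str
    control_channel: str


def _field(text, label):
    """Pull 'Label: value' out of display output; the first token after the colon is the value."""
    m = re.search(rf"^\s*{re.escape(label)}:\s*(\S+)", text, re.M)
    if not m:
        raise ValueError(f"missing field: {label}")
    return m.group(1)


def parse_rbm_status(text):
    return RbmStatus(_field(text, "Backup mode"), _field(text, "Device role"),
                     _field(text, "Local IP"), _field(text, "Remote IP"),
                     _field(text, "Control channel status"))


# One row of the table in `display vrrp`: Interface VRID State Pri Timer Auth VirtualIP
VRRP_ROW = re.compile(r"^\s*(?P<iface>\S+)\s+(?P<vrid>\d+)\s+(?P<state>Master|Backup|Initialize)"
                      r"\s+\d+\s+\d+\s+\S+\s+(?P<vip>\S+)\s*$")


def parse_vrrp(text):
    """Map VRID -> (interface, state, virtual IP)."""
    rows = {}
    for line in text.splitlines():
        m = VRRP_ROW.match(line)
        if m:
            rows[int(m["vrid"])] = (m["iface"], m["state"], m["vip"])
    return rows


def check_pair(a, b, expected_master):
    """a and b are (name, rbm_text, vrrp_text). Returns a list of problems; empty means healthy."""
    (name_a, rbm_a, vrrp_a), (name_b, rbm_b, vrrp_b) = \
        [(n, parse_rbm_status(r), parse_vrrp(v)) for n, r, v in (a, b)]
    problems = []
    for name, rbm in ((name_a, rbm_a), (name_b, rbm_b)):
        if rbm.control_channel != "Connected":
            problems.append(f"{name}: control channel is {rbm.control_channel}")
    if rbm_a.backup_mode != rbm_b.backup_mode:
        problems.append(f"backup modes differ: {rbm_a.backup_mode} vs {rbm_b.backup_mode}")
    if {rbm_a.role, rbm_b.role} != {"Primary", "Secondary"}:
        problems.append(f"roles are {rbm_a.role}/{rbm_b.role}, not Primary/Secondary")
    if (rbm_a.local_ip, rbm_a.remote_ip) != (rbm_b.remote_ip, rbm_b.local_ip):
        problems.append("RBM channel endpoints are not mirrored")
    for vrid in sorted(set(vrrp_a) | set(vrrp_b)):
        states = {name_a: vrrp_a.get(vrid), name_b: vrrp_b.get(vrid)}
        missing = [n for n, row in states.items() if row is None]
        if missing:
            problems.append(f"VRID {vrid}: not configured on {', '.join(missing)}")
            continue
        masters = [n for n, row in states.items() if row[1] == "Master"]
        if len(masters) != 1:  # 0 = nobody answers for the VIP, 2 = split brain
            problems.append(f"VRID {vrid}: {len(masters)} masters")
        elif vrid in expected_master and masters[0] != expected_master[vrid]:
            problems.append(f"VRID {vrid}: master is {masters[0]}, design expects {expected_master[vrid]}")
        vips = {row[2] for row in states.values()}
        if len(vips) != 1:
            problems.append(f"VRID {vrid}: virtual IPs differ {sorted(vips)}")
    return problems


# ---- constructed sample output, laid out like the displays on the page ----
def rbm_text(role, local, remote, channel="Connected", mode="Dual-active"):
    return (f"Remote backup group information:\n  Backup mode: {mode}\n  Device role: {role}\n"
            f"  Local IP: {local}\n  Remote IP: {remote}    Destination port: 60064\n"
            f"  Control channel status: {channel}\n  Vrrp delay-time: 1 min\n")


def vrrp_text(states):
    rows = {1: ("GE1/0/1", "2.1.1.3"), 2: ("GE1/0/1", "2.1.1.4"),
            3: ("GE1/0/2", "10.1.1.3"), 4: ("GE1/0/2", "10.1.1.4")}
    head = " Interface          VRID  State        Running Adver   Auth     Virtual\n"
    body = "".join(f" {rows[v][0]:<18} {v:<5} {states[v]:<12} 100     100     None     {rows[v][1]}\n"
                   for v in sorted(states))
    return "IPv4 Virtual Router Information:\n" + head + body


DESIGN = {1: "DeviceA", 2: "DeviceB", 3: "DeviceA", 4: "DeviceB"}  # dual-active split from the page


def healthy_pair():
    a = ("DeviceA", rbm_text("Primary", "10.2.1.1", "10.2.1.2"),
         vrrp_text({1: "Master", 2: "Backup", 3: "Master", 4: "Backup"}))
    b = ("DeviceB", rbm_text("Secondary", "10.2.1.2", "10.2.1.1"),
         vrrp_text({1: "Backup", 2: "Master", 3: "Backup", 4: "Master"}))
    return check_pair(a, b, DESIGN)


def split_brain_pair():
    """Control channel down and Device B has promoted itself in every group."""
    a = ("DeviceA", rbm_text("Primary", "10.2.1.1", "10.2.1.2", channel="Disconnected"),
         vrrp_text({1: "Master", 2: "Backup", 3: "Master", 4: "Backup"}))
    b = ("DeviceB", rbm_text("Secondary", "10.2.1.2", "10.2.1.1", channel="Disconnected"),
         vrrp_text({1: "Master", 2: "Master", 3: "Master", 4: "Master"}))
    return check_pair(a, b, DESIGN)


if __name__ == "__main__":
    print("healthy pair:", healthy_pair() or "no problems")
    print("split brain:", *split_brain_pair(), sep="\n  ")
```

To use it on real devices, capture the two displays from each unit and pass the text in place of the constructed samples; the design table is the only thing that changes between an active/standby deployment (all VRIDs expected on the primary) and a dual-active one.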

Example: Configuring NAT on a VRRP hot backup system in active/standby mode

Network configuration

As shown in Figure 11, set up a VRRP hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

·     Configure the hot backup system to operate in active/standby mode.

·     Configure Device A and Device B as the primary device and the secondary device, respectively.

·     Configure dynamic NAT to translate the private IP addresses in the internal network into public IP addresses 2.1.1.5 through 2.1.1.10.

Figure 11 Network diagram


Procedure

1.     Set up the hot backup system as described in "Example: Configuring a VRRP hot backup system in active/standby mode."

2.     Configure dynamic NAT on Device A (primary):

# Create NAT address group 1 and add address range 2.1.1.5 to 2.1.1.10.

<DeviceA> system-view

[DeviceA] nat address-group 1

[DeviceA-address-group-1] address 2.1.1.5 2.1.1.10

# Associate NAT address group 1 with VRRP group 1.

[DeviceA-address-group-1] vrrp vrid 1

[DeviceA-address-group-1] quit

# Configure outbound dynamic NAT to use NAT address group 1 for address translation on GigabitEthernet 1/0/1.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] nat outbound address-group 1

[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that the host can communicate with the Internet. (Details not shown.)

# Verify that Device A has generated a NAT session entry.

[DeviceA] display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 10.1.1.10/52082

  Destination IP/port: 202.38.1.10/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Trust

Responder:

  Source      IP/port: 202.38.1.10/80

  Destination IP/port: 2.1.1.5/1036

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:16:59  TTL: 9995s

Initiator->Responder:          551 packets      32547 bytes

Responder->Initiator:          956 packets    1385514 bytes

Total sessions found: 1

Example: Configuring NAT on a VRRP hot backup system in dual-active mode

Network configuration

As shown in Figure 12, set up a VRRP hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

·     Configure the hot backup system to operate in dual-active mode.

·     Configure Device A and Device B to load share traffic.

·     Configure dynamic NAT to translate the private IP addresses in the internal network into public IP addresses 2.1.1.5 through 2.1.1.10, split into two address groups so that each device translates the traffic it forwards.

Figure 12 Network diagram


Procedure

1.     Set up the hot backup system as described in "Example: Configuring a VRRP hot backup system in dual-active mode".

2.     Configure dynamic NAT on Device A (primary):

# Create NAT address group 1 and add address range 2.1.1.5 to 2.1.1.7.

<DeviceA> system-view

[DeviceA] nat address-group 1

[DeviceA-address-group-1] address 2.1.1.5 2.1.1.7

# Associate NAT address group 1 with VRRP group 1.

[DeviceA-address-group-1] vrrp vrid 1

[DeviceA-address-group-1] quit

# Create NAT address group 2 and add address range 2.1.1.8 to 2.1.1.10.

[DeviceA] nat address-group 2

[DeviceA-address-group-2] address 2.1.1.8 2.1.1.10

# Associate NAT address group 2 with VRRP group 2.

[DeviceA-address-group-2] vrrp vrid 2

[DeviceA-address-group-2] quit

# Configure ACL 3000 to permit packets sourced from 10.1.1.0/25 (10.1.1.1 through 10.1.1.127). The wildcard mask 0.0.0.127 ignores the low 7 bits of the address, so the rule matches the whole /25.

[DeviceA] acl advanced 3000

[DeviceA-ipv4-adv-3000] rule permit ip source 10.1.1.1 0.0.0.127

[DeviceA-ipv4-adv-3000] quit

# Configure ACL 3001 to permit packets sourced from 10.1.1.128/25 (10.1.1.129 through 10.1.1.254).

[DeviceA] acl advanced 3001

[DeviceA-ipv4-adv-3001] rule permit ip source 10.1.1.129 0.0.0.127

[DeviceA-ipv4-adv-3001] quit

# Configure outbound dynamic NAT on GigabitEthernet 1/0/1. The source IP addresses of the packets permitted by ACL 3000 are translated into the addresses in NAT address group 1. The source IP addresses of the packets permitted by ACL 3001 are translated into the addresses in NAT address group 2.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] nat outbound 3000 address-group 1

[DeviceA-GigabitEthernet1/0/1] nat outbound 3001 address-group 2

[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that Host 1 can communicate with the Internet. (Details not shown.)

# Verify that Device A has generated a NAT session entry.

[DeviceA] display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 10.1.1.100/52082

  Destination IP/port: 202.38.1.10/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Trust

Responder:

  Source      IP/port: 202.38.1.10/80

  Destination IP/port: 2.1.1.5/1036

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:16:59  TTL: 9995s

Initiator->Responder:          551 packets      32547 bytes

Responder->Initiator:          956 packets    1385514 bytes

Total sessions found: 1

# Verify that Host 3 can communicate with the Internet. (Details not shown.)

# Verify that Device B has generated a NAT session entry.

[DeviceB] display nat session verbose

Slot 1:

Initiator:

  Source      IP/port: 10.1.1.200/52082

  Destination IP/port: 202.38.1.10/80

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/2

  Source security zone: Trust

Responder:

  Source      IP/port: 202.38.1.10/80

  Destination IP/port: 2.1.1.8/1036

  DS-Lite tunnel peer: -

  VPN instance/VLAN ID/Inline ID: -/-/-

  Protocol: TCP(6)

  Inbound interface: GigabitEthernet1/0/1

  Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:17:59  TTL: 9995s

Initiator->Responder:          551 packets      32547 bytes

Responder->Initiator:          956 packets    1385514 bytes

Total sessions found: 1
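The two ACLs, the two address groups and the VRRP groups they are bound to are what keep each flow on one device: the master of the host's gateway group (VRRP group 3 or 4) forwards the outbound packet, and the master of the group the address group is bound to (VRRP group 1 or 2) receives the reply to the translated address. The following Python model is an added example, not code from the H3C guide. It encodes that part of the configuration as data and checks the symmetry property for individual hosts, including the case where one device has failed and the survivor is master of all four groups. The assumption that hosts in 10.1.1.0/25 use gateway 10.1.1.3 and hosts in 10.1.1.128/25 use 10.1.1.4 is mine; the page only says that some hosts use each. Wildcard matching follows Comware ACL semantics, where a 0 bit in the wildcard mask must match.

```python
"""Forwarding-path model for the dual-active NAT design (added example)."""
import ipaddress


def wildcard_match(addr, base, wildcard):
    """Comware ACL source match: bits that are 0 in the wildcard must equal the base address."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (b & care)


# The page's configuration, encoded as data.
ACL_RULES = [(3000, "10.1.1.1", "0.0.0.127"),            # rule permit ip source 10.1.1.1 0.0.0.127
             (3001, "10.1.1.129", "0.0.0.127")]
NAT_OUTBOUND = {3000: 1, 3001: 2}                        # nat outbound <acl> address-group <n>
ADDRESS_GROUPS = {1: ("2.1.1.5", "2.1.1.7", 1),          # group -> (first, last, bound VRID)
                  2: ("2.1.1.8", "2.1.1.10", 2)}
GATEWAY_VRID = {"10.1.1.3": 3, "10.1.1.4": 4}            # downlink virtual IP -> VRID
ACTIVE_GROUPS = {"DeviceA": (1, 3), "DeviceB": (2, 4)}   # groups configured 'active' on each device


def vrrp_masters(up=("DeviceA", "DeviceB")):
    """Master of each VRID: the device the group is active on, else the surviving peer."""
    masters = {}
    for vrid in (1, 2, 3, 4):
        owner = next(d for d, groups in ACTIVE_GROUPS.items() if vrid in groups)
        peer = next(d for d in ACTIVE_GROUPS if d != owner)
        masters[vrid] = owner if owner in up else (peer if peer in up else None)
    return masters


def forwarding_path(host_ip, gateway, masters):
    """Which device translates the host's flow, which pool it uses, which device sees the reply."""
    outbound = masters[GATEWAY_VRID[gateway]]
    for acl, base, wildcard in ACL_RULES:          # first matching ACL wins, as on the interface
        if wildcard_match(host_ip, base, wildcard):
            group = NAT_OUTBOUND[acl]
            break
    else:                                          # no ACL match: the packet is not translated
        return {"outbound": outbound, "pool": None, "reply": None, "symmetric": False}
    first, last, pool_vrid = ADDRESS_GROUPS[group]
    reply = masters[pool_vrid]
    return {"outbound": outbound, "pool": f"{first}-{last}", "reply": reply,
            "symmetric": outbound is not None and outbound == reply}


if __name__ == "__main__":
    normal = vrrp_masters()
    print(forwarding_path("10.1.1.100", "10.1.1.3", normal))   # Host 1: Device A both ways
    print(forwarding_path("10.1.1.200", "10.1.1.4", normal))   # Host 3: Device B both ways
    print(forwarding_path("10.1.1.100", "10.1.1.4", normal))   # wrong gateway: asymmetric
    print(forwarding_path("10.1.1.200", "10.1.1.4", vrrp_masters(up=("DeviceA",))))  # Device B down
```

The third call shows why the host gateway assignment and the ACL split must agree: a host in 10.1.1.0/25 that points at 10.1.1.4 sends through Device B, but its translated address belongs to the pool bound to VRRP group 1, so the reply arrives at Device A. The last call shows the failover case, where Device A is master of all four groups and every path is symmetric again.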


Configuring IRF hot backup

About IRF hot backup

IRF hot backup enables two IRF member devices to back up each other dynamically to ensure service continuity upon failure of one of the devices. IRF hot backup uses link aggregations, redundancy groups, and Reth interfaces to direct traffic to the member devices.

For more information about IRF, see Virtual Technologies Configuration Guide. For more information about link aggregations, see Layer 2—LAN Switching Configuration Guide. For more information about Reth interfaces and redundancy groups, see "Configuring Reth interfaces" and "Configuring redundancy groups."

IRF hot backup deployment schemes

IRF hot backup supports the following deployment schemes:

·     IRF hot backup in active/standby mode with redundancy groups

·     IRF hot backup in dual-active mode with redundancy groups

·     IRF hot backup in dual-active mode with link aggregations

IRF hot backup in active/standby mode with redundancy groups

Figure 13 shows a typical model of using redundancy groups with IRF hot backup in active/standby mode. The hot backup system is directly connected to the upstream and downstream Layer 3 switches by Layer 3 interfaces. To use this scheme, perform the following tasks:

·     Configure Device A and Device B to form an IRF fabric.

·     On the IRF fabric, create uplink Reth interface Reth 11 and downlink Reth interface Reth 12. Configure the Reth member interfaces on Device A to be active.

·     On the IRF fabric, create redundancy group A and assign Reth 11 and Reth 12 to it. Configure Device A as the high-priority node in the redundancy group.

·     On Switch A, perform the following tasks:

◦     Configure Port A1 and Port A2 to operate at Layer 2, and assign them to VLAN 11 as access interfaces.

◦     Configure Port A3 to operate at Layer 2, and assign it to VLAN 10 as an access interface.

◦     Create VLAN-interface 10 and VLAN-interface 11, and assign IP addresses to them.

·     On Switch B, perform the following tasks:

◦     Configure Port B1 and Port B2 to operate at Layer 2, and assign them to VLAN 12 as access interfaces.

◦     Configure Port B3 to operate at Layer 2, and assign it to VLAN 20 as an access interface.

◦     Create VLAN-interface 12 and VLAN-interface 20, and assign IP addresses to them.

·     On the host, specify the IP address of VLAN-interface 20 on Switch B (10.1.1.1) as the default gateway.

·     Configure routes on all devices for them to reach one another.

Figure 13 Network model for using redundancy groups with IRF hot backup in active/standby mode

 

IRF hot backup in dual-active mode with redundancy groups

Figure 14 shows a typical model of using redundancy groups with IRF hot backup in dual-active mode. The hot backup system is directly connected to the upstream and downstream Layer 3 switches by Layer 3 interfaces. To use this scheme, perform the following tasks:

·     Configure Device A and Device B to form an IRF fabric.

·     On the IRF fabric, create uplink Reth interfaces Reth 11 and Reth 21 and downlink Reth interfaces Reth 12 and Reth 22. Configure the member interfaces of Reth 11 and Reth 12 on Device A to be active, and configure the member interfaces of Reth 21 and Reth 22 on Device B to be active.

·     On the IRF fabric, configure redundancy groups as follows:

?     Configure redundancy group A and assign Reth 11 and Reth 12 to it. Configure Device A as the high-priority node in the redundancy group.

?     Configure redundancy group B and assign Reth 21 and Reth 22 to it. Configure Device B as the high-priority node in the redundancy group.

·     On Switch A, perform the following tasks:

◦     Configure Port A1 and Port A2 to operate at Layer 2, and assign them to VLAN 11 and VLAN 21 as trunk interfaces.

◦     Configure Port A3 to operate at Layer 2, and assign it to VLAN 10.

◦     Create VLAN-interface 10, VLAN-interface 11, and VLAN-interface 21, and assign IP addresses to them.

·     On Switch B, perform the following tasks:

◦     Configure Port B1 and Port B2 to operate at Layer 2, and assign them to VLAN 12 and VLAN 22 as trunk interfaces.

◦     Configure Port B3 to operate at Layer 2, and assign it to VLAN 20.

◦     Configure Port B4 to operate at Layer 2, and assign it to VLAN 30.

◦     Create VLAN-interface 12, VLAN-interface 20, VLAN-interface 22, and VLAN-interface 30, and assign IP addresses to them.

·     On Host A, specify the IP address of VLAN-interface 20 on Switch B (10.1.1.1) as the default gateway. On Host B, specify the IP address of VLAN-interface 30 on Switch B (10.10.1.1) as the default gateway.

·     Configure routes on all devices for them to reach one another.

·     On Switch A and Switch B, configure routing settings to ensure symmetric forwarding of flows and even distribution of traffic among Device A and Device B.

Figure 14 Network model for using redundancy groups with IRF hot backup in dual-active mode

 

IRF hot backup in dual-active mode with link aggregations

Figure 15 shows a typical model of using link aggregations with IRF hot backup in dual-active mode. The hot backup system is directly connected to the upstream and downstream Layer 3 switches by Layer 3 interfaces. To use this scheme, perform the following tasks:

·     Configure Device A and Device B to form an IRF fabric.

·     On the IRF fabric, configure link aggregations as follows:

◦     Create Route-Aggregation 1 and assign the two uplink Layer 3 physical interfaces to the aggregation group.

◦     Create Route-Aggregation 2 and assign the two downlink Layer 3 physical interfaces to the aggregation group.

◦     Enable local-first load sharing for link aggregation.

·     On Switch A, perform the following tasks:

◦     Configure Port A1 and Port A2 as Layer 2 access interfaces.

◦     Configure Port A3 to operate at Layer 2, and assign it to VLAN 10 as an access interface.

◦     Create Bridge-Aggregation 1 and assign the physical interfaces attached to the IRF fabric to the aggregation group. Assign the aggregate interface to VLAN 11.

◦     Create VLAN-interface 10 and VLAN-interface 11, and assign IP addresses to them.

·     On Switch B, perform the following tasks:

◦     Configure Port B1 and Port B2 as Layer 2 access interfaces.

◦     Configure Port B3 to operate at Layer 2, and assign it to VLAN 20 as an access interface.

◦     Create Bridge-Aggregation 1 and assign the physical interfaces attached to the IRF fabric to the aggregation group. Assign the aggregate interface to VLAN 12.

◦     Create VLAN-interface 12 and VLAN-interface 20, and assign IP addresses to them.

·     On the host, specify the IP address of VLAN-interface 20 on Switch B (10.1.1.1) as the default gateway.

·     Configure routes on all devices for them to reach one another.

Figure 15 Network model for using link aggregations with IRF hot backup in dual-active mode

 

Comparison between the deployment schemes

Table 2 Comparison between the deployment schemes of IRF hot backup

Scheme: IRF hot backup in active/standby mode with redundancy groups

·     Features: simple configuration; applicable to any network.

·     Weakness: cannot make full use of resources because only one device forwards traffic.

Scheme: IRF hot backup in dual-active mode with redundancy groups

·     Features: symmetric traffic forwarding and low traffic load on the IRF link; applicable to medium-sized and large networks.

·     Weaknesses: complicated configuration; more configuration when devices are added.

Scheme: IRF hot backup in dual-active mode with link aggregations

·     Features: simple configuration; high scalability; applicable to small and medium-sized networks.

·     Weaknesses: cannot ensure symmetric forwarding of flows; heavy traffic on the IRF link when a large amount of asymmetric-path traffic exists.

 

Restrictions: Hardware compatibility with IRF hot backup

 

Hardware                                                        IRF hot backup compatibility

F1000-A-G3, F1000-C-G3, F1000-E-G3, F1000-S-G3                  Yes

F100-A-G3, F100-E-G3                                            Yes

F100-C-G3, F100-M-G3, F100-S-G3                                 No

F1000-E-VG                                                      Yes

F1000-S-VG                                                      No

F1000-A-G2, F1000-C-G2, F1000-E-G2, F1000-S-G2                  Yes

F100-A-G2, F100-E-G2                                            Yes

F100-C-G2, F100-M-G2, F100-S-G2                                 No

F1000-C-EI, F100-A-EI, F100-A-SI, F100-E-EI                     Yes

F100-C-EI                                                       No

F100-A80-WiNet                                                  Yes

F100-C80-WiNet, F100-C60-WiNet, F100-C50-WiNet, F100-S80-WiNet  No

F1000-C8180, F1000-C8170, F1000-C8160                           Yes

F1000-C8150, F1000-C8130, F1000-C8120, F1000-C8110              No

F100-C-A6, F100-C-A5, F100-C-A3                                 No

F100-C-A6-WL, F100-C-A5-W, F100-C-A3-W                          No

F1000-C-HI, F100-A-HI                                           Yes

F100-C-HI, F100-S-HI                                            No

F1000-990-AI, F1000-980-AI, F1000-970-AI, F1000-960-AI, F1000-950-AI, F1000-930-AI, F1000-920-AI  Yes

LSPM6FWD8, LSQM2FWDSC8                                          No

Prerequisites for IRF hot backup configuration

Before you configure IRF hot backup, verify that the following hardware and software settings are the same on the member devices of the hot backup system:

·     Device model.

·     Software version.

·     Location, number, and type of service modules.

·     Location, number, and type of interface modules.

IRF hot backup configuration flow

Figure 16 shows the configuration flow for IRF hot backup.

Figure 16 IRF hot backup configuration flow chart


IRF hot backup configuration examples

Example: Configuring an IRF hot backup system in active/standby mode with one redundancy group

Network configuration

As shown in Figure 17, set up an IRF hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

·     Configure the hot backup system to operate in active/standby mode.

·     Configure Device A and Device B as the primary device and the secondary device, respectively.

Figure 17 Network diagram


Procedure

1.     Configure IRF:

◦     Configure Device A:

# Bind GigabitEthernet 1/0/3 to IRF-port 1/2 and save the configuration.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] shutdown

[DeviceA-GigabitEthernet1/0/3] quit

[DeviceA] irf-port 1/2

[DeviceA-irf-port1/2] port group interface gigabitethernet 1/0/3

You must perform the following tasks for a successful IRF setup:

Save the configuration after completing IRF configuration.

Execute the "irf-port-configuration active" command to activate the IRF ports.

[DeviceA-irf-port1/2] quit

[DeviceA] interface gigabitethernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] undo shutdown

[DeviceA-GigabitEthernet1/0/3] quit

[DeviceA] save

# Change the member priority of Device A to 2 for it to be elected as the master.

[DeviceA] irf member 1 priority 2

# Activate the IRF port configuration.

[DeviceA] irf-port-configuration active

◦     Configure Device B:

# Change the member ID of Device B to 2, and reboot the device to have the change take effect.

<DeviceB> system-view

[DeviceB] irf member 1 renumber 2

Renumbering the member ID may result in configuration change or loss. Continue? [Y/N]:y

[DeviceB] quit

<DeviceB> reboot

# Connect Device B to Device A, as shown in Figure 17.

# Log in to Device B. (Details not shown.)

# Bind GigabitEthernet 2/0/3 to IRF port 2/1, and save the configuration.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 2/0/3

[DeviceB-GigabitEthernet2/0/3] shutdown

[DeviceB-GigabitEthernet2/0/3] quit

[DeviceB] irf-port 2/1

[DeviceB-irf-port2/1] port group interface gigabitethernet 2/0/3

You must perform the following tasks for a successful IRF setup:

Save the configuration after completing IRF configuration.

Execute the "irf-port-configuration active" command to activate the IRF ports.

[DeviceB-irf-port2/1] quit

[DeviceB] interface gigabitethernet 2/0/3

[DeviceB-GigabitEthernet2/0/3] undo shutdown

[DeviceB-GigabitEthernet2/0/3] quit

[DeviceB] save

# Activate the IRF port configuration.

[DeviceB] irf-port-configuration active

The two devices perform master election, and the one that has lost the election reboots to form an IRF fabric with the master. In this example, Device B reboots.

2.     Configure Track to monitor the status of the uplink and downlink interfaces of the IRF fabric.

<DeviceA> system-view

[DeviceA] track 1 interface gigabitethernet 1/0/1

[DeviceA-track-1] quit

[DeviceA] track 2 interface gigabitethernet 1/0/2

[DeviceA-track-2] quit

[DeviceA] track 3 interface gigabitethernet 2/0/1

[DeviceA-track-3] quit

[DeviceA] track 4 interface gigabitethernet 2/0/2

[DeviceA-track-4] quit

3.     Configure Reth interfaces:

# Configure Reth 11.

[DeviceA] interface reth 11

[DeviceA-Reth11] member interface gigabitethernet 1/0/1 priority 100

[DeviceA-Reth11] member interface gigabitethernet 2/0/1 priority 80

[DeviceA-Reth11] ip address 51.1.1.2 255.255.255.0

[DeviceA-Reth11] quit

# Configure Reth 12.

[DeviceA] interface reth 12

[DeviceA-Reth12] member interface gigabitethernet 1/0/2 priority 100

[DeviceA-Reth12] member interface gigabitethernet 2/0/2 priority 80

[DeviceA-Reth12] ip address 52.1.1.2 255.255.255.0

[DeviceA-Reth12] quit

4.     Configure a redundancy group:

# Create redundancy group a.

[DeviceA] redundancy group a

# Assign Reth 11 and Reth 12 to redundancy group a.

[DeviceA-redundancy-group-a] member interface reth 11

[DeviceA-redundancy-group-a] member interface reth 12

# Bind Node 1 to Device A, set the priority of the node to 20, and associate track entries 1 and 2 with the node.

[DeviceA-redundancy-group-a] node 1

[DeviceA-redundancy-group-a-node1] bind slot 1

[DeviceA-redundancy-group-a-node1] priority 20

[DeviceA-redundancy-group-a-node1] track 1 interface gigabitethernet 1/0/1

[DeviceA-redundancy-group-a-node1] track 2 interface gigabitethernet 1/0/2

[DeviceA-redundancy-group-a-node1] quit

# Bind Node 2 to Device B, set the priority of the node to 10, and associate track entries 3 and 4 with the node.

[DeviceA-redundancy-group-a] node 2

[DeviceA-redundancy-group-a-node2] bind slot 2

[DeviceA-redundancy-group-a-node2] priority 10

[DeviceA-redundancy-group-a-node2] track 3 interface gigabitethernet 2/0/1

[DeviceA-redundancy-group-a-node2] track 4 interface gigabitethernet 2/0/2

[DeviceA-redundancy-group-a-node2] quit

[DeviceA-redundancy-group-a] quit

5.     Enable session synchronization.

[DeviceA] session synchronization enable

6.     Enable session active/standby mode.

[DeviceA] undo session dual-active enable

7.     Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

8.     Assign Reth 11 to security zone Untrust, and assign Reth 12 to security zone Trust. (Details not shown.)

9.     Configure Switch A:

 

 

NOTE:

This step only provides the brief configuration procedure.

 

◦     Create VLAN 10 and VLAN 11.

◦     Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to operate at Layer 2, and assign them to VLAN 11 as access interfaces.

◦     Configure GigabitEthernet 1/0/3 to operate at Layer 2, and assign it to VLAN 10 as an access interface.

◦     Assign 51.1.1.1/24 and 2.1.1.1/24 to VLAN-interface 11 and VLAN-interface 10, respectively.

◦     Specify 51.1.1.2 (IP address of Reth 11) as the next hop of the route to the internal network, and specify 2.1.1.2 (an IP address on the router) as the next hop of the route to the Internet.

10.     Configure Switch B:

 

 

NOTE:

This step only provides the brief configuration procedure.

 

◦     Create VLAN 12 and VLAN 20.

◦     Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to operate at Layer 2, and assign them to VLAN 12 as access interfaces.

◦     Configure GigabitEthernet 1/0/3 to operate at Layer 2, and assign it to VLAN 20 as an access interface.

◦     Assign 52.1.1.1/24 and 10.1.1.1/24 to VLAN-interface 12 and VLAN-interface 20, respectively.

◦     Specify 52.1.1.2 (IP address of Reth 12) as the next hop of the route to the Internet.

11.     On the host, specify 10.1.1.1 (IP address of VLAN-interface 20 on Switch B) as the default gateway.

Verifying the configuration

# Verify that Device A is the high-priority node in the redundancy group and the member interfaces on both nodes are up when Device A and Device B are operating correctly.

[DeviceA] display redundancy group a

Redundancy group a (ID 1):

  Node ID      Slot       Priority   Status        Track weight

  1            Slot1      20         Primary       255

  2            Slot2      10         Secondary     255

 

Preempt delay time remained     : 0    min

Preempt delay timer setting     : 60   min

Remaining hold-down time        : 0    sec

Hold-down timer setting         : 1    sec

Manual switchover request       : No

 

Member interfaces:

    Reth11                Reth12

 

Node 1:

  Track info:

    Track    Status       Reduced weight     Interface

    1        Positive     255                GE1/0/1

    2        Positive     255                GE1/0/2

Node 2:

  Track info:

    Track    Status       Reduced weight     Interface

    3        Positive     255                GE2/0/1

    4        Positive     255                GE2/0/2

# Shut down GigabitEthernet 1/0/2 on Device A and verify that Device B takes over to forward traffic.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] shutdown

[DeviceA-GigabitEthernet1/0/2] display redundancy group a

Redundancy group a (ID 1):

  Node ID      Slot       Priority   Status        Track weight

  1            Slot1      20         Secondary     -255

  2            Slot2      10         Primary       255

 

Preempt delay time remained     : 0    min

Preempt delay timer setting     : 1    min

Remaining hold-down time        : 0    sec

Hold-down timer setting         : 1    sec

Manual switchover request       : No

 

Member interfaces:

    Reth11                Reth12

 

Node 1:

  Track info:

    Track    Status             Reduced weight     Interface

    1        Negative           255                GE1/0/1

    2        Negative(Faulty)   255                GE1/0/2

Node 2:

  Track info:

    Track    Status             Reduced weight     Interface

    3        Positive           255                GE2/0/1

    4        Positive           255                GE2/0/2
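The two `display redundancy group a` outputs above show the election rule in action: node 1 is Primary while its track weight is 255 and loses the role once its Track entries go Negative. The following Python model is an added example and not part of the H3C guide. It reproduces the failover for redundancy group a as configured in this example and also models preemption after the preempt delay, which the display reports but the test above does not exercise. The weight arithmetic (start at 255, subtract each Negative entry's reduced weight, faulty at 0 or below) and the preempt-delay handling are inferred from the display output and are assumptions rather than text from the page. The same model covers the dual-active example with two redundancy groups that follows: build a second RedundancyGroup with the node priorities reversed.

```python
"""Model of redundancy group election driven by Track entries (added example)."""
from dataclasses import dataclass, field
from typing import List, Optional

START_WEIGHT = 255  # assumed starting track weight of a node, as shown in the display


@dataclass
class TrackEntry:
    number: int
    interface: str
    positive: bool = True
    reduced_weight: int = 255  # 'Reduced weight' column in the display


@dataclass
class Node:
    node_id: int
    slot: int
    priority: int
    tracks: List[TrackEntry] = field(default_factory=list)

    def weight(self) -> int:
        return START_WEIGHT - sum(t.reduced_weight for t in self.tracks if not t.positive)

    def healthy(self) -> bool:
        return self.weight() > 0  # assumption: weight 0 or below means the node is faulty


@dataclass
class RedundancyGroup:
    name: str
    nodes: List[Node]
    preempt_delay_min: int = 1
    primary: Optional[int] = None
    preempt_remaining: Optional[int] = None  # None = no preemption pending

    def node(self, node_id):
        return next((n for n in self.nodes if n.node_id == node_id), None)

    def set_track(self, number: int, positive: bool):
        for n in self.nodes:
            for t in n.tracks:
                if t.number == number:
                    t.positive = positive

    def elect(self, minutes_elapsed: int = 0) -> Optional[int]:
        """Recompute the primary after a track change or after time has passed."""
        healthy = [n for n in self.nodes if n.healthy()]
        best = max(healthy, key=lambda n: n.priority, default=None)
        current = self.node(self.primary)
        if current is None or not current.healthy():
            # No primary yet, or the primary lost its weight: switch over at once.
            self.primary = best.node_id if best else None
            self.preempt_remaining = None
        elif best.priority > current.priority:
            # A higher-priority node is healthy again: wait out the preempt delay first.
            if self.preempt_remaining is None:
                self.preempt_remaining = self.preempt_delay_min
            self.preempt_remaining = max(0, self.preempt_remaining - minutes_elapsed)
            if self.preempt_remaining == 0:
                self.primary, self.preempt_remaining = best.node_id, None
        else:
            self.preempt_remaining = None
        return self.primary


def group_from_page() -> RedundancyGroup:
    """Redundancy group a: node 1 (slot 1, priority 20) and node 2 (slot 2, priority 10)."""
    node1 = Node(1, 1, 20, [TrackEntry(1, "GE1/0/1"), TrackEntry(2, "GE1/0/2")])
    node2 = Node(2, 2, 10, [TrackEntry(3, "GE2/0/1"), TrackEntry(4, "GE2/0/2")])
    return RedundancyGroup("a", [node1, node2])


def failover_sequence() -> list:
    """(event, primary node, node weights) after each step of the page's failover test."""
    g = group_from_page()
    log = [("start", g.elect(), [n.weight() for n in g.nodes])]
    g.set_track(2, False)                                       # shutdown GE1/0/2 on Device A
    log.append(("GE1/0/2 down", g.elect(), [n.weight() for n in g.nodes]))
    g.set_track(2, True)                                        # undo shutdown
    log.append(("GE1/0/2 up, delay running", g.elect(), [n.weight() for n in g.nodes]))
    log.append(("1 min later", g.elect(minutes_elapsed=1), [n.weight() for n in g.nodes]))
    return log


if __name__ == "__main__":
    for event, primary, weights in failover_sequence():
        print(f"{event:28} primary=node {primary}  weights={weights}")
```

The third step is the one worth noting operationally: after the link comes back, node 1 is healthy again but node 2 stays Primary until the preempt delay runs out, so a link that flaps repeatedly does not cause a switchover on every transition. Two Negative entries on one node give the -255 shown in the display after the shutdown.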

Example: Configuring an IRF hot backup system in dual-active mode with two redundancy groups

Network configuration

As shown in Figure 18, set up an IRF hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

·     Configure the hot backup system to operate in dual-active mode.

·     Configure Device A and Device B to process the traffic of Host A and Host B, respectively.

Figure 18 Network diagram


Procedure

1.     Configure IRF as described in "Example: Configuring an IRF hot backup system in active/standby mode with one redundancy group."

2.     Configure Layer 3 Ethernet subinterfaces to terminate the outermost VLAN ID of packets.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1.11

[DeviceA-GigabitEthernet1/0/1.11] vlan-type dot1q vid 11

[DeviceA-GigabitEthernet1/0/1.11] quit

[DeviceA] interface gigabitethernet 1/0/1.21

[DeviceA-GigabitEthernet1/0/1.21] vlan-type dot1q vid 21

[DeviceA-GigabitEthernet1/0/1.21] quit

[DeviceA] interface gigabitethernet 1/0/2.12

[DeviceA-GigabitEthernet1/0/2.12] vlan-type dot1q vid 12

[DeviceA-GigabitEthernet1/0/2.12] quit

[DeviceA] interface gigabitethernet 1/0/2.22

[DeviceA-GigabitEthernet1/0/2.22] vlan-type dot1q vid 22

[DeviceA-GigabitEthernet1/0/2.22] quit

[DeviceA] interface gigabitethernet 2/0/1.11

[DeviceA-GigabitEthernet2/0/1.11] vlan-type dot1q vid 11

[DeviceA-GigabitEthernet2/0/1.11] quit

[DeviceA] interface gigabitethernet 2/0/1.21

[DeviceA-GigabitEthernet2/0/1.21] vlan-type dot1q vid 21

[DeviceA-GigabitEthernet2/0/1.21] quit

[DeviceA] interface gigabitethernet 2/0/2.12

[DeviceA-GigabitEthernet2/0/2.12] vlan-type dot1q vid 12

[DeviceA-GigabitEthernet2/0/2.12] quit

[DeviceA] interface gigabitethernet 2/0/2.22

[DeviceA-GigabitEthernet2/0/2.22] vlan-type dot1q vid 22

[DeviceA-GigabitEthernet2/0/2.22] quit

3.     Configure Track to monitor the status of the uplink and downlink subinterfaces of the IRF fabric.

[DeviceA] track 1 interface gigabitethernet 1/0/1.11

[DeviceA-track-1] quit

[DeviceA] track 2 interface gigabitethernet 1/0/1.21

[DeviceA-track-2] quit

[DeviceA] track 3 interface gigabitethernet 1/0/2.12

[DeviceA-track-3] quit

[DeviceA] track 4 interface gigabitethernet 1/0/2.22

[DeviceA-track-4] quit

[DeviceA] track 5 interface gigabitethernet 2/0/1.11

[DeviceA-track-5] quit

[DeviceA] track 6 interface gigabitethernet 2/0/1.21

[DeviceA-track-6] quit

[DeviceA] track 7 interface gigabitethernet 2/0/2.12

[DeviceA-track-7] quit

[DeviceA] track 8 interface gigabitethernet 2/0/2.22

[DeviceA-track-8] quit

4.     Configure Reth interfaces:

# Configure Reth 11.

[DeviceA] interface reth 11

[DeviceA-Reth11] member interface gigabitethernet 1/0/1.11 priority 100

[DeviceA-Reth11] member interface gigabitethernet 2/0/1.11 priority 80

[DeviceA-Reth11] ip address 51.1.1.2 255.255.255.0

[DeviceA-Reth11] quit

# Configure Reth 12.

[DeviceA] interface reth 12

[DeviceA-Reth12] member interface gigabitethernet 1/0/2.12 priority 100

[DeviceA-Reth12] member interface gigabitethernet 2/0/2.12 priority 80

[DeviceA-Reth12] ip address 52.1.1.2 255.255.255.0

[DeviceA-Reth12] quit

# Configure Reth 21.

[DeviceA] interface reth 21

[DeviceA-Reth21] member interface gigabitethernet 1/0/1.21 priority 80

[DeviceA-Reth21] member interface gigabitethernet 2/0/1.21 priority 100

[DeviceA-Reth21] ip address 61.1.1.2 255.255.255.0

[DeviceA-Reth21] quit

# Configure Reth 22.

[DeviceA] interface reth 22

[DeviceA-Reth22] member interface gigabitethernet 1/0/2.22 priority 80

[DeviceA-Reth22] member interface gigabitethernet 2/0/2.22 priority 100

[DeviceA-Reth22] ip address 62.1.1.2 255.255.255.0

[DeviceA-Reth22] quit

5.     Configure redundancy groups:

# Create redundancy group a.

[DeviceA] redundancy group a

# Assign Reth 11 and Reth 12 to redundancy group a.

[DeviceA-redundancy-group-a] member interface reth 11

[DeviceA-redundancy-group-a] member interface reth 12

# Bind Node 1 to Device A, set the priority of the node to 20, and associate track entries 1 and 3 with the node.

[DeviceA-redundancy-group-a] node 1

[DeviceA-redundancy-group-a-node1] bind slot 1

[DeviceA-redundancy-group-a-node1] priority 20

[DeviceA-redundancy-group-a-node1] track 1 interface gigabitethernet 1/0/1.11

[DeviceA-redundancy-group-a-node1] track 3 interface gigabitethernet 1/0/2.12

[DeviceA-redundancy-group-a-node1] quit

# Bind Node 2 to Device B, set the priority of the node to 10, and associate track entries 5 and 7 with the node.

[DeviceA-redundancy-group-a] node 2

[DeviceA-redundancy-group-a-node2] bind slot 2

[DeviceA-redundancy-group-a-node2] priority 10

[DeviceA-redundancy-group-a-node2] track 5 interface gigabitethernet 2/0/1.11

[DeviceA-redundancy-group-a-node2] track 7 interface gigabitethernet 2/0/2.12

[DeviceA-redundancy-group-a-node2] quit

[DeviceA-redundancy-group-a] quit

# Create redundancy group b.

[DeviceA] redundancy group b

# Assign Reth 21 and Reth 22 to redundancy group b.

[DeviceA-redundancy-group-b] member interface reth 21

[DeviceA-redundancy-group-b] member interface reth 22

# Bind Node 1 to Device A, set the priority of the node to 10, and associate track entries 2 and 4 with the node.

[DeviceA-redundancy-group-b] node 1

[DeviceA-redundancy-group-b-node1] bind slot 1

[DeviceA-redundancy-group-b-node1] priority 10

[DeviceA-redundancy-group-b-node1] track 2 interface gigabitethernet 1/0/1.21

[DeviceA-redundancy-group-b-node1] track 4 interface gigabitethernet 1/0/2.22

[DeviceA-redundancy-group-b-node1] quit

# Bind Node 2 to Device B, set the priority of the node to 20, and associate track entries 6 and 8 with the node.

[DeviceA-redundancy-group-b] node 2

[DeviceA-redundancy-group-b-node2] bind slot 2

[DeviceA-redundancy-group-b-node2] priority 20

[DeviceA-redundancy-group-b-node2] track 6 interface gigabitethernet 2/0/1.21

[DeviceA-redundancy-group-b-node2] track 8 interface gigabitethernet 2/0/2.22

[DeviceA-redundancy-group-b-node2] quit

[DeviceA-redundancy-group-b] quit

6.     Enable session synchronization.

[DeviceA] session synchronization enable

7.     Enable session dual-active mode.

[DeviceA] session dual-active enable

8.     Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

9.     Assign Reth 11 and Reth 21 to security zone Untrust, and assign Reth 12 and Reth 22 to security zone Trust. (Details not shown.)

10.     Configure the static routes to the external network. Specify the next hop of the route to 10.1.1.0/24 as 52.1.1.1 (IP address of VLAN-interface 12 on Switch B). Specify the next hop of the route to 10.10.1.0/24 as 62.1.1.1 (IP address of VLAN-interface 22 on Switch B).

[DeviceA] ip route-static 10.1.1.0 24 52.1.1.1

[DeviceA] ip route-static 10.10.1.0 24 62.1.1.1

11.     Configure PBR policies for the traffic sent from the internal network to reach the Internet.

# Configure ACL 2000 to permit the packets from 10.1.1.0/24.

[DeviceA] acl basic 2000

[DeviceA-acl-ipv4-basic-2000] rule 10 permit source 10.1.1.0 0.0.0.255

[DeviceA-acl-ipv4-basic-2000] quit

# Configure ACL 2001 to permit the packets from 10.10.1.0/24.

[DeviceA] acl basic 2001

[DeviceA-acl-ipv4-basic-2001] rule 10 permit source 10.10.1.0 0.0.0.255

[DeviceA-acl-ipv4-basic-2001] quit

# Configure PBR policy aaa to specify 51.1.1.1 (IP address of VLAN-interface 11 on Switch A) as the next hop of the packets from 10.1.1.0/24.

[DeviceA] policy-based-route aaa permit node 0

[DeviceA-pbr-aaa-0] if-match acl 2000

[DeviceA-pbr-aaa-0] apply next-hop 51.1.1.1

[DeviceA-pbr-aaa-0] quit

# Configure PBR policy bbb to specify 61.1.1.1 (IP address of VLAN-interface 21 on Switch B) as the next hop of the packets from 10.10.1.0/24.

[DeviceA] policy-based-route bbb permit node 0

[DeviceA-pbr-bbb-0] if-match acl 2001

[DeviceA-pbr-bbb-0] apply next-hop 61.1.1.1

[DeviceA-pbr-bbb-0] quit

# Apply PBR policy aaa to Reth 12 for Device A to forward the traffic sent from 10.1.1.0/24 to the Internet.

[DeviceA] interface reth 12

[DeviceA-Reth12] ip policy-based-route aaa

[DeviceA-Reth12] quit

# Apply PBR policy bbb to Reth 22 for Device B to forward the traffic sent from 10.10.1.0/24 to the Internet.

[DeviceA] interface reth 22

[DeviceA-Reth22] ip policy-based-route bbb

[DeviceA-Reth22] quit

12.     Configure Switch A:

NOTE:

This step only provides the brief configuration procedure.

a.     Create VLAN 10, VLAN 11, and VLAN 21.

b.     Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to operate at Layer 2, and assign them to VLAN 11 and VLAN 21 as trunk interfaces.

c.     Configure GigabitEthernet 1/0/3 to operate at Layer 2, and assign it to VLAN 10 as an access interface.

d.     Assign 51.1.1.1/24, 61.1.1.1/24, and 2.1.1.1/24 to VLAN-interface 11, VLAN-interface 21, and VLAN-interface 10, respectively.

e.     Configure routes as follows:

-     Specify 51.1.1.2 (IP address of Reth 11) as the next hop of the route to 10.1.1.0/24.

-     Specify 61.1.1.2 (IP address of Reth 21) as the next hop of the route to 10.10.1.0/24.

-     Specify 2.1.1.2 (IP address of the peer interface of VLAN-interface 10) as the next hop of the route to the Internet.

13.     Configure Switch B:

NOTE:

This step only provides the brief configuration procedure.

a.     Create VLAN 12, VLAN 20, VLAN 22, and VLAN 30.

b.     Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to operate at Layer 2, and assign them to VLAN 12 and VLAN 22 as trunk interfaces.

c.     Configure GigabitEthernet 1/0/3 to operate at Layer 2, and assign it to VLAN 20 as an access interface.

d.     Configure GigabitEthernet 1/0/4 to operate at Layer 2, and assign it to VLAN 30 as an access interface.

e.     Assign 52.1.1.1/24, 62.1.1.1/24, 10.1.1.1/24, and 10.10.1.1/24 to VLAN-interface 12, VLAN-interface 22, VLAN-interface 20, and VLAN-interface 30, respectively.

f.     Configure PBR policies as follows:

-     Specify 52.1.1.2 (IP address of Reth 12) as the next hop of the packets from 10.1.1.0/24.

-     Specify 62.1.1.2 (IP address of Reth 22) as the next hop of the packets from 10.10.1.0/24.

14.     On Host A, specify 10.1.1.1 (IP address of VLAN-interface 20 on Switch B) as the default gateway. On Host B, specify 10.10.1.1 (IP address of VLAN-interface 30 on Switch B) as the default gateway.

Verifying the configuration

1.     Verify the configuration when both Device A and Device B are operating correctly.

# Verify that Device A is the high-priority node in redundancy group a and the member interfaces on both nodes are up.

[DeviceA] display redundancy group a

Redundancy group a (ID 2):
  Node ID      Slot          Priority   Status        Track weight
  1            Slot1         20         Primary       255
  2            Slot2         10         Secondary     255

Preempt delay time remained     : 0    sec
Preempt delay timer setting     : 60   sec
Remaining hold-down time        : 0    sec
Hold-down timer setting         : 1    sec
Manual switchover request       : No

Member interfaces:
    Reth11                Reth12

Node 1:
  Track info:
    Track    Status           Reduced weight     Interface
    1        Positive         255                GE1/0/1.11
    3        Positive         255                GE1/0/2.12
Node 2:
  Track info:
    Track    Status           Reduced weight     Interface
    5        Positive         255                GE2/0/1.11
    7        Positive         255                GE2/0/2.12

# Verify that Device B is the high-priority node in redundancy group b and the member interfaces on both nodes are up.

[DeviceA] display redundancy group b

Redundancy group b (ID 3):
  Node ID      Slot          Priority   Status        Track weight
  1            Slot1         10         Secondary     255
  2            Slot2         20         Primary       255

Preempt delay time remained     : 0    sec
Preempt delay timer setting     : 60   sec
Remaining hold-down time        : 0    sec
Hold-down timer setting         : 1    sec
Manual switchover request       : No

Member interfaces:
    Reth21                Reth22

Node 1:
  Track info:
    Track    Status           Reduced weight     Interface
    2        Positive         255                GE1/0/1.21
    4        Positive         255                GE1/0/2.22
Node 2:
  Track info:
    Track    Status           Reduced weight     Interface
    6        Positive         255                GE2/0/1.21
    8        Positive         255                GE2/0/2.22

2.     Verify the configuration when Device A is down.

# Shut down GigabitEthernet 1/0/2 on Device A.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] shutdown

# Verify that Device B takes over to forward traffic in redundancy group a.

[DeviceA-GigabitEthernet1/0/2] display redundancy group a

Redundancy group a (ID 2):
  Node ID      Slot          Priority   Status        Track weight
  1            Slot1         20         Secondary     -255
  2            Slot2         10         Primary       255

Preempt delay time remained     : 0    sec
Preempt delay timer setting     : 60   sec
Remaining hold-down time        : 0    sec
Hold-down timer setting         : 1    sec
Manual switchover request       : No

Member interfaces:
    Reth11                Reth12

Node 1:
  Track info:
    Track    Status           Reduced weight     Interface
    1        Negative         255                GE1/0/1.11
    3        Negative(Faulty) 255                GE1/0/2.12
Node 2:
  Track info:
    Track    Status           Reduced weight     Interface
    5        Positive         255                GE2/0/1.11
    7        Positive         255                GE2/0/2.12

# Verify that Device B is the high-priority node in redundancy group b and the member interfaces on Node 2 are up.

[DeviceA-GigabitEthernet1/0/2] display redundancy group b

Redundancy group b (ID 3):
  Node ID      Slot          Priority   Status        Track weight
  1            Slot1         10         Secondary     0
  2            Slot2         20         Primary       255

Preempt delay time remained     : 0    sec
Preempt delay timer setting     : 60   sec
Remaining hold-down time        : 0    sec
Hold-down timer setting         : 1    sec
Manual switchover request       : No

Member interfaces:
    Reth21                Reth22

Node 1:
  Track info:
    Track    Status           Reduced weight     Interface
    2        Positive         255                GE1/0/1.21
    4        Negative         255                GE1/0/2.22
Node 2:
  Track info:
    Track    Status           Reduced weight     Interface
    6        Positive         255                GE2/0/1.21
    8        Positive         255                GE2/0/2.22
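The verification steps above rely on reading the display redundancy group output by eye. The following is an added example (not part of the H3C documentation or the device software) that parses that output format into a structure an operations check can assert on: which node is Primary, which tracks have gone Negative, and whether the reported track weight matches the rule the outputs on this page imply (base weight 255 minus the reduced weight of every Negative track, giving -255 with two failed tracks and 0 with one). The sample output is constructed to mirror the failover scenario for redundancy group a; the function names and the weight rule are this example's own assumptions.

```python
"""Parse 'display redundancy group <name>' output (format as shown in the
verification steps above) and check node roles and track state.

Added example; not H3C's code. SAMPLE_FAILOVER is constructed from the
page's second verification scenario (GigabitEthernet 1/0/2 on Device A shut down).
"""
import re

SAMPLE_FAILOVER = """\
Redundancy group a (ID 2):
  Node ID      Slot          Priority   Status        Track weight
  1            Slot1         20         Secondary     -255
  2            Slot2         10         Primary       255

Preempt delay time remained     : 0    sec
Preempt delay timer setting     : 60   sec
Remaining hold-down time        : 0    sec
Hold-down timer setting         : 1    sec
Manual switchover request       : No

Member interfaces:
    Reth11                Reth12

Node 1:
  Track info:
    Track    Status           Reduced weight     Interface
    1        Negative         255                GE1/0/1.11
    3        Negative(Faulty) 255                GE1/0/2.12
Node 2:
  Track info:
    Track    Status           Reduced weight     Interface
    5        Positive         255                GE2/0/1.11
    7        Positive         255                GE2/0/2.12
"""

# One row of the node table: id, slot, priority, status, (possibly negative) weight.
NODE_RE = re.compile(r"^\s*(\d+)\s+Slot(\d+)\s+(\d+)\s+(Primary|Secondary)\s+(-?\d+)\s*$")
# "Node N:" header that opens a per-node track section.
NODE_HDR_RE = re.compile(r"^Node (\d+):\s*$")
# One track row: id, status (Negative may carry a reason in parentheses), reduced weight, interface.
TRACK_RE = re.compile(r"^\s*(\d+)\s+(Positive|Negative(?:\(\w+\))?)\s+(\d+)\s+(\S+)\s*$")


def parse_redundancy_group(text):
    """Return {'nodes': {id: {...}}, 'tracks': {node_id: [track dicts]}}."""
    nodes, tracks, current = {}, {}, None
    for line in text.splitlines():
        m = NODE_RE.match(line)
        if m and current is None:          # node table precedes the track sections
            nodes[int(m.group(1))] = {"slot": int(m.group(2)), "priority": int(m.group(3)),
                                      "status": m.group(4), "weight": int(m.group(5))}
            continue
        m = NODE_HDR_RE.match(line)
        if m:
            current = int(m.group(1))
            tracks[current] = []
            continue
        m = TRACK_RE.match(line)
        if m and current is not None:
            tracks[current].append({"track": int(m.group(1)), "status": m.group(2),
                                    "reduced": int(m.group(3)), "interface": m.group(4)})
    return {"nodes": nodes, "tracks": tracks}


def primary_node(parsed):
    """Node ID currently reported as Primary, or None."""
    for nid, node in parsed["nodes"].items():
        if node["status"] == "Primary":
            return nid
    return None


def failed_tracks(parsed):
    """Track IDs in any Negative state, keyed by node."""
    return {nid: [t["track"] for t in ts if t["status"].startswith("Negative")]
            for nid, ts in parsed["tracks"].items()}


def weight_consistent(parsed, base=255):
    """Assumed rule inferred from the outputs on this page: a node's track weight
    is the base weight minus the reduced weight of each Negative track."""
    for nid, node in parsed["nodes"].items():
        lost = sum(t["reduced"] for t in parsed["tracks"].get(nid, [])
                   if t["status"].startswith("Negative"))
        if node["weight"] != base - lost:
            return False
    return True


def check_expected_primary(text, expected_node):
    """True when the node that should be forwarding is actually Primary."""
    return primary_node(parse_redundancy_group(text)) == expected_node


if __name__ == "__main__":
    parsed = parse_redundancy_group(SAMPLE_FAILOVER)
    print("primary:", primary_node(parsed), "failed tracks:", failed_tracks(parsed))
```

Feed the captured output of display redundancy group a (or b) to parse_redundancy_group and alert when check_expected_primary disagrees with the intended role for that group, or when failed_tracks reports a Negative track on the node that is still Primary.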

Example: Configuring an IRF hot backup system in dual-active mode with link aggregations

Network configuration

As shown in Figure 19, set up an IRF hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

·     Configure the hot backup system to operate in dual-active mode.

·     Configure Device A and Device B to load share traffic.

·     Connect the hot backup system to the upstream and downstream devices by using link aggregations.

Figure 19 Network diagram (image not reproduced in this text)

Procedure

1.     Configure IRF as described in "Example: Configuring an IRF hot backup system in active/standby mode with one redundancy group."

2.     Configure Layer 3 aggregate interfaces:

# Create uplink aggregate interface Route-Aggregation 1 and assign it IP address 51.1.1.2/24.

<DeviceA> system-view

[DeviceA] interface route-aggregation 1

[DeviceA-Route-Aggregation1] ip address 51.1.1.2 24

[DeviceA-Route-Aggregation1] quit

# Create downlink aggregate interface Route-Aggregation 2 and assign it IP address 52.1.1.2/24.

[DeviceA] interface route-aggregation 2

[DeviceA-Route-Aggregation2] ip address 52.1.1.2 24

[DeviceA-Route-Aggregation2] quit

# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/1 and GigabitEthernet 2/0/1 to aggregation group 1.

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] port link-aggregation group 1

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] interface gigabitethernet 2/0/1

[DeviceA-GigabitEthernet2/0/1] port link-aggregation group 1

[DeviceA-GigabitEthernet2/0/1] quit

# Assign Layer 3 Ethernet interfaces GigabitEthernet 1/0/2 and GigabitEthernet 2/0/2 to aggregation group 2.

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] port link-aggregation group 2

[DeviceA-GigabitEthernet1/0/2] quit

[DeviceA] interface gigabitethernet 2/0/2

[DeviceA-GigabitEthernet2/0/2] port link-aggregation group 2

[DeviceA-GigabitEthernet2/0/2] quit

3.     Enable session synchronization.

[DeviceA] session synchronization enable

4.     Enable session dual-active mode.

[DeviceA] session dual-active enable

5.     Assign IP addresses to interfaces and configure routes, security zones, zone pairs, and interzone policies. Make sure the network connections are available. (Details not shown.)

6.     Assign Route-Aggregation 1 to security zone Untrust, and assign Route-Aggregation 2 to security zone Trust. (Details not shown.)

7.     Configure Switch A:

NOTE:

This step only provides the brief configuration procedure.

a.     Create VLAN 10 and VLAN 11.

b.     Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as Layer 2 access interfaces.

c.     Create Layer 2 aggregate interface Bridge-Aggregation 1, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to its aggregation group, and assign Bridge-Aggregation 1 to VLAN 11.

d.     Configure GigabitEthernet 1/0/3 to operate at Layer 2, and assign it to VLAN 10 as an access interface.

e.     Assign 51.1.1.1/24 and 2.1.1.1/24 to VLAN-interface 11 and VLAN-interface 10, respectively.

f.     Configure routes as follows:

-     Specify 51.1.1.2 (IP address of Route-Aggregation 1 on the IRF fabric) as the next hop of the route to the internal network.

-     Specify 2.1.1.2 (an IP address on the router) as the next hop of the route to the Internet.

8.     Configure Switch B:

NOTE:

This step only provides the brief configuration procedure.

a.     Create VLAN 12 and VLAN 20.

b.     Configure GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 as Layer 2 access interfaces.

c.     Create Layer 2 aggregate interface Bridge-Aggregation 1, assign GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 to its aggregation group, and assign Bridge-Aggregation 1 to VLAN 12.

d.     Configure GigabitEthernet 1/0/3 to operate at Layer 2, and assign it to VLAN 20 as an access interface.

e.     Assign 52.1.1.1/24 and 10.1.1.1/24 to VLAN-interface 12 and VLAN-interface 20, respectively.

f.     Specify 52.1.1.2 (IP address of Route-Aggregation 2 on the IRF fabric) as the next hop of the route to the Internet.

9.     On the host, specify 10.1.1.1 (IP address of VLAN-interface 20 on Switch B) as the default gateway.

Verifying the configuration

1.     Verify that both Device A and Device B have session entries when they are operating correctly. How traffic is distributed among the member interfaces of an aggregation group depends on the load sharing mode.

[DeviceA] display session table ipv4 verbose
Slot 1:
Initiator:
  Source      IP/port: 10.1.1.1/19401
  Destination IP/port: 123.125.115.110/80
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/80
  Destination IP/port: 10.1.1.1/19401
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTP
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 15:59:58  TTL: 295s
Initiator->Responder:          0 packets       0 bytes
Responder->Initiator:          0 packets       0 bytes

Initiator:
  Source      IP/port: 10.1.1.1/19400
  Destination IP/port: 123.125.115.110/443
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/443
  Destination IP/port: 10.1.1.1/19400
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTPS
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 15:59:58  TTL: 295s
Initiator->Responder:          110 packets     4493 bytes
Responder->Initiator:          178 packets     9065 bytes

Total sessions found: 2
Slot 2:
Initiator:
  Source      IP/port: 10.1.1.1/19401
  Destination IP/port: 123.125.115.110/80
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/80
  Destination IP/port: 10.1.1.1/19401
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTP
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 15:59:58  TTL: 295s
Initiator->Responder:          1110 packets    5493 bytes
Responder->Initiator:          1718 packets    8065 bytes

Initiator:
  Source      IP/port: 10.1.1.1/19400
  Destination IP/port: 123.125.115.110/443
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/443
  Destination IP/port: 10.1.1.1/19400
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTPS
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 15:59:58  TTL: 295s
Initiator->Responder:          0 packets       0 bytes
Responder->Initiator:          0 packets       0 bytes

Total sessions found: 2

2.     Verify that only Device B has session entries after GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2 on Device A fail.

[DeviceA] display session table ipv4 verbose
Slot 1:
Initiator:
  Source      IP/port: 10.1.1.1/19401
  Destination IP/port: 123.125.115.110/80
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/80
  Destination IP/port: 10.1.1.1/19401
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTP
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 16:10:58  TTL: 295s
Initiator->Responder:          0 packets       0 bytes
Responder->Initiator:          0 packets       0 bytes

Initiator:
  Source      IP/port: 10.1.1.1/19400
  Destination IP/port: 123.125.115.110/443
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/443
  Destination IP/port: 10.1.1.1/19400
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTPS
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 16:10:58  TTL: 295s
Initiator->Responder:          0 packets       0 bytes
Responder->Initiator:          0 packets       0 bytes

Total sessions found: 2
Slot 2:
Initiator:
  Source      IP/port: 10.1.1.1/19401
  Destination IP/port: 123.125.115.110/80
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/80
  Destination IP/port: 10.1.1.1/19401
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTP
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 16:10:58  TTL: 295s
Initiator->Responder:          1110 packets    5493 bytes
Responder->Initiator:          1718 packets    8065 bytes

Initiator:
  Source      IP/port: 10.1.1.1/19400
  Destination IP/port: 123.125.115.110/443
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: 123.125.115.110/443
  Destination IP/port: 10.1.1.1/19400
  DS-Lite tunnel peer: -
  VPN instance/VLAN ID/Inline ID: -/-/-
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: HTTPS
Rule ID: 2
Rule name: 3
Start time: 2018-01-21 16:10:58  TTL: 295s
Initiator->Responder:          110 packets     4493 bytes
Responder->Initiator:          178 packets     9065 bytes

Total sessions found: 2
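Both verification steps above check the same two things by inspection: every session appears on both slots (session synchronization is working), and the packet counters reveal which slot is actually forwarding each flow. The following added example (not part of the H3C documentation or software) parses the display session table ipv4 verbose output into per-slot session lists and computes both checks, so a failed synchronization (a flow present on one slot only) is reported rather than spotted by eye. The sample output is constructed from a template that keeps the fields the parser needs in the page's layout; function names and the record template are this example's own.

```python
"""Compare session entries across IRF member slots from the output of
'display session table ipv4 verbose' (layout as shown above).

Added example; not H3C's code. SAMPLE is constructed to mirror the page's
first verification output (HTTP flow forwarded by slot 2, HTTPS by slot 1).
"""
import re

RECORD = """\
Initiator:
  Source      IP/port: {src}
  Destination IP/port: {dst}
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation1
  Source security zone: Trust
Responder:
  Source      IP/port: {dst}
  Destination IP/port: {src}
  Protocol: TCP(6)
  Inbound interface: Route-Aggregation2
  Source security zone: Untrust
State: INACTIVE
Application: {app}
Start time: 2018-01-21 15:59:58  TTL: 295s
Initiator->Responder:          {fwd} packets       {fb} bytes
Responder->Initiator:          {rev} packets       {rb} bytes
"""


def _record(src, dst, app, fwd, fb, rev, rb):
    return RECORD.format(src=src, dst=dst, app=app, fwd=fwd, fb=fb, rev=rev, rb=rb)


HTTP = ("10.1.1.1/19401", "123.125.115.110/80", "HTTP")
HTTPS = ("10.1.1.1/19400", "123.125.115.110/443", "HTTPS")
SAMPLE = (
    "Slot 1:\n" + _record(*HTTP, 0, 0, 0, 0) + "\n" + _record(*HTTPS, 110, 4493, 178, 9065)
    + "Total sessions found: 2\n"
    + "Slot 2:\n" + _record(*HTTP, 1110, 5493, 1718, 8065) + "\n" + _record(*HTTPS, 0, 0, 0, 0)
    + "Total sessions found: 2\n"
)

SLOT_RE = re.compile(r"^Slot (\d+):")
ADDR_RE = re.compile(r"^\s*(Source|Destination)\s+IP/port:\s*(\S+)")
PROTO_RE = re.compile(r"^\s*Protocol:\s*(\S+)")
APP_RE = re.compile(r"^Application:\s*(\S+)")
CNT_RE = re.compile(r"^(Initiator->Responder|Responder->Initiator):\s+(\d+) packets")


def parse_session_table(text):
    """Return {slot: [session dict, ...]}; a session is keyed by its initiator tuple."""
    slots, slot, rec, side = {}, None, None, None
    for line in text.splitlines():
        m = SLOT_RE.match(line)
        if m:
            slot = int(m.group(1))
            slots[slot] = []
            continue
        if slot is None:
            continue
        if line.startswith("Initiator:"):        # a new session record begins here
            rec = {"fwd_packets": 0, "rev_packets": 0}
            slots[slot].append(rec)
            side = "initiator"
            continue
        if line.startswith("Responder:"):
            side = "responder"
            continue
        if rec is None:
            continue
        m = ADDR_RE.match(line)
        if m and side == "initiator":            # only the initiator side defines the key
            rec["src" if m.group(1) == "Source" else "dst"] = m.group(2)
            continue
        m = PROTO_RE.match(line)
        if m and side == "initiator":
            rec["proto"] = m.group(1)
            continue
        m = APP_RE.match(line)
        if m:
            rec["app"] = m.group(1)
            continue
        m = CNT_RE.match(line)
        if m:
            rec["fwd_packets" if m.group(1).startswith("Initiator") else "rev_packets"] = int(m.group(2))
    return slots


def session_key(rec):
    return (rec.get("src"), rec.get("dst"), rec.get("proto"))


def sync_report(slots):
    """in_sync is True when every slot holds every session seen on any slot."""
    keys = {s: {session_key(r) for r in recs} for s, recs in slots.items()}
    all_keys = set().union(*keys.values())
    missing = {s: sorted(all_keys - k) for s, k in keys.items()}
    return {"in_sync": not any(missing.values()), "missing": missing}


def forwarding_slot(slots):
    """Map each session to the slot(s) whose counters show it carrying traffic."""
    out = {}
    for s, recs in slots.items():
        for r in recs:
            if r["fwd_packets"] or r["rev_packets"]:
                out.setdefault(session_key(r), []).append(s)
    return out


if __name__ == "__main__":
    parsed = parse_session_table(SAMPLE)
    print(sync_report(parsed))
    print(forwarding_slot(parsed))
```

In a dual-active deployment a session that shows packets on both slots is not an error by itself (the aggregation load sharing mode decides which member link a flow takes), but a session missing from one slot after the hold-down period is the condition that will break an existing flow on failover, which is what sync_report flags.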

 
