
IRF

 

This help contains the following topics:

·     Introduction

○     IRF network model

○     Basic concepts

○     Master election

○     IRF bridge MAC persistence

○     IRF software auto-update

·     Restrictions and guidelines

·     Configure IRF

Introduction

The Intelligent Resilient Framework (IRF) technology virtualizes multiple physical devices at the same layer into one virtual fabric to provide data center class availability and scalability. IRF virtualization technology offers processing power, interaction, unified management, and uninterrupted maintenance of multiple devices.

IRF network model

Figure 1 shows an IRF fabric that has two devices, which appear as a single node to the upper-layer and lower-layer devices.

Figure 1 IRF application scenario

 

Basic concepts

IRF member roles

IRF uses two member roles: master and standby (also called subordinate).

When devices form an IRF fabric, they elect a master to manage and control the IRF fabric, and all the other devices back up the master. When the master device fails, the other devices automatically elect a new master.

IRF domain ID

One IRF fabric forms one IRF domain. IRF uses IRF domain IDs to uniquely identify IRF fabrics and prevent IRF fabrics from interfering with one another.

IRF member ID

An IRF fabric uses member IDs to uniquely identify and manage its members. This member ID information is included as the first part of interface numbers and file paths to uniquely identify interfaces and files in an IRF fabric. Two devices cannot form an IRF fabric if they use the same member ID. A device cannot join an IRF fabric if its member ID has been used in the fabric.

Member priority

Member priority determines how likely a member device is to be elected the master. A member with higher priority is more likely to be elected the master.

IRF port

An IRF port is a logical interface that connects IRF member devices. Every IRF-capable device has two IRF ports.

The IRF ports are named IRF-port n/1 and IRF-port n/2, where n is the member ID of the device. The two IRF ports are also referred to as IRF-port 1 and IRF-port 2 for simplicity.

To use an IRF port, you must bind a minimum of one physical interface to it. The physical interfaces assigned to an IRF port automatically form an aggregate IRF link. An IRF port goes down when all its IRF physical interfaces are down.

IRF physical interface

IRF physical interfaces connect IRF member devices and must be bound to an IRF port. They forward traffic between member devices, including IRF protocol packets and data packets that must travel across IRF member devices.

IRF split

IRF split occurs when an IRF fabric breaks up into two IRF fabrics because of IRF link failures, as shown in Figure 2. The split IRF fabrics operate with the same IP address. IRF split causes routing and forwarding problems on the network.

Figure 2 IRF split

 

IRF merge

IRF merge occurs when two split IRF fabrics reunite or when two independent IRF fabrics are united, as shown in Figure 3.

Figure 3 IRF merge

 

Master election

Master election occurs each time the IRF fabric topology changes in the following situations:

·     The IRF fabric is established.

·     The master device fails or leaves.

·     The IRF fabric splits.

·     Independent IRF fabrics merge.

Master election does not occur when split IRF fabrics merge.

 

Master election applies the following rules in descending order of precedence:

1.     Current master, even if a new member has higher priority.

When an IRF fabric is being formed, all members consider themselves the master, so this rule is skipped.

2.     Member with higher priority.

3.     Member with the longest system uptime.

Two members are considered to start up at the same time if the difference between their startup times is equal to or less than 10 minutes. For these members, the next tiebreaker applies.

4.     Member with the lowest CPU MAC address.

For the setup of a new IRF fabric, the subordinate devices must reboot to complete the setup after the master election.

For an IRF merge, devices must reboot if they are in the IRF fabric that fails the master election.
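
The election order above, written out for the two-member case as an added example (not H3C code). The `Member` fields, priority values, and MAC addresses are constructed for illustration; the comparison covers two members because a firewall IRF fabric contains at most two.

```python
from dataclasses import dataclass

UPTIME_TIE_S = 10 * 60  # startup times 10 minutes or less apart count as equal


@dataclass(frozen=True)
class Member:
    member_id: int
    priority: int
    uptime_s: int            # system uptime in seconds
    cpu_mac: str             # hex digits separated by '-', ':' or '.'
    is_master: bool = False


def mac_value(mac: str) -> int:
    """Normalise a MAC address string to an integer for comparison."""
    digits = "".join(c for c in mac if c not in "-:.")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    return int(digits, 16)


def elect_master(a: Member, b: Member, forming: bool = False):
    """Return (winner, deciding_rule) for two members, applying the rules in order."""
    # Rule 1: the current master wins. Skipped while the fabric is forming, and
    # undecided when both members (merge of two fabrics) or neither hold the role.
    if not forming and a.is_master != b.is_master:
        return (a if a.is_master else b), "current master"
    # Rule 2: higher priority.
    if a.priority != b.priority:
        return (a if a.priority > b.priority else b), "higher priority"
    # Rule 3: longest uptime, unless the difference is 10 minutes or less.
    if abs(a.uptime_s - b.uptime_s) > UPTIME_TIE_S:
        return (a if a.uptime_s > b.uptime_s else b), "longest uptime"
    # Rule 4: lowest CPU MAC address.
    mac_a, mac_b = mac_value(a.cpu_mac), mac_value(b.cpu_mac)
    if mac_a == mac_b:
        raise ValueError("identical CPU MAC addresses: election cannot be decided")
    return (a if mac_a < mac_b else b), "lowest CPU MAC"


if __name__ == "__main__":
    # Constructed values: equal priority, uptimes 8 minutes apart, fabric forming.
    fw1 = Member(1, 10, 7200, "00e0-fc00-1002")
    fw2 = Member(2, 10, 6720, "00e0-fc00-1001")
    winner, rule = elect_master(fw1, fw2, forming=True)
    print(f"member {winner.member_id} elected by rule: {rule}")
```
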

IRF bridge MAC persistence

By default, an IRF fabric uses the bridge MAC address of the master device as its bridge MAC address. Layer 2 protocols, such as LACP, use this bridge MAC address to identify the IRF fabric. On a switched LAN, the bridge MAC address must be unique.

To avoid duplicate bridge MAC addresses, an IRF fabric can change its bridge MAC address automatically after its bridge MAC owner leaves. However, the change causes temporary traffic disruption.

Depending on the network condition, enable the IRF fabric to retain or change its bridge MAC address after the address owner leaves. Available options include:

·     6 minutes—Bridge MAC address of the IRF fabric remains unchanged for 6 minutes after the address owner leaves. If the owner does not return before the timer expires, the IRF fabric uses the bridge MAC address of the current master as its bridge MAC address. This option avoids unnecessary bridge MAC address changes caused by device reboot, transient link failure, or purposeful link disconnection.

·     Always—Bridge MAC address of the IRF fabric does not change after the address owner leaves.

·     Not retain—Bridge MAC address of the current master replaces the original one as soon as the owner of the original bridge MAC leaves.

IRF software auto-update

The software auto-update feature automatically synchronizes the current software images of the master to devices that are attempting to join the IRF fabric.

To join an IRF fabric, a device must use the same software images as the master in the fabric.

When you add a device to the IRF fabric, software auto-update compares the startup software images of the device with the current software images of the IRF master. If the two sets of images are different, the device automatically performs the following operations:

1.     Downloads the current software images of the master.

2.     Sets the downloaded images as its main startup software images.

3.     Reboots with the new software images to rejoin the IRF fabric.

You must manually update the new device with the software images running on the IRF fabric if software auto-update is disabled.

To ensure a successful software auto-update in a multi-user environment, prevent anyone from rebooting member devices during the auto-update process. To inform administrators of the auto-update status, configure Log Settings to output the status messages to configuration terminals.

 

Restrictions and guidelines

The following information only provides basic IRF configuration restrictions and guidelines. For more information, see IRF configuration in the configuration guides for the device.

Hardware compatibility with IRF

A firewall can form an IRF fabric only with the firewalls in the same series.

Software requirements for IRF

All IRF member devices must run the same software image version. Make sure the software auto-update feature is enabled on all member devices.

IRF fabric size

A firewall IRF fabric can contain a maximum of two member devices.

Member ID configuration restrictions

If you change the member ID for a member device, the new member ID takes effect at reboot. After the device reboots, the settings on all member ID-related physical resources (including common physical network ports) are removed, regardless of whether you have saved the configuration.

In an IRF fabric, changing IRF member IDs might cause undesirable configuration changes and data loss. Before you do that, back up the configuration, and make sure you fully understand the impact on your network.

Bridge MAC address restrictions for IRF members

When IRF fabrics merge or an IRF fabric is set up, IRF ignores the IRF bridge MAC address and checks the bridge MAC address of each member device. IRF setup or merge fails if any two member devices have the same bridge MAC address.

Candidate IRF physical interfaces

Candidate IRF physical interfaces vary by device model. For more information, see IRF configuration in the configuration guides for the device.

IRF port connection

When you connect two neighboring IRF members, follow these restrictions and guidelines:

·     You must connect the physical interfaces of IRF-port 1 on one member to the physical interfaces of IRF-port 2 on the other, as shown in Figure 4.

·     An IRF fabric can only use daisy-chain topology. No intermediate devices are allowed between neighboring IRF member devices.

·     Make sure the two ends of an aggregate IRF link have the same number of IRF physical interfaces and the IRF physical interfaces are the same type.

Figure 4 Connecting IRF physical interfaces

 

IRF physical interface configuration restrictions and guidelines

Binding a physical interface in up state to an IRF port causes service interruption on that physical interface.

To temporarily shut down all IRF physical interfaces on the master device, you must make sure the master device has a higher priority than the subordinate device.

You must always shut down the peer interface of a physical interface before you bind the physical interface to an IRF port or remove the binding.

IRF domain ID restrictions

An IRF fabric has only one IRF domain ID. The domain ID takes effect on all IRF member devices. Make sure each IRF fabric in the network has a unique domain ID.

License installation requirements for license-based features

For a license-based feature to run correctly on an IRF fabric, make sure the licenses installed for the feature on all member devices are the same.
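
A pre-deployment check of a planned fabric against several of the restrictions in this section, as an added example that is not part of the H3C guide. The data layout, series names, software versions, interface names, and MAC addresses are constructed, and treating a version mismatch as acceptable when auto-update is enabled on every member is an assumption drawn from the auto-update description.

```python
STRIP_SEPARATORS = str.maketrans("", "", "-:.")


def check_irf_plan(members, link):
    """Return the restrictions a planned two-member fabric violates ([] = none).

    members: dicts with member_id, series, software, auto_update, bridge_mac
    link:    the two ends of the IRF link, each with irf_port and a list of
             (interface_name, interface_type) tuples bound to that port
    """
    issues = []
    if len(members) > 2:
        issues.append("size: more than two member devices")
    if len({m["series"] for m in members}) > 1:
        issues.append("hardware: members are not in the same series")
    ids = [m["member_id"] for m in members]
    if len(set(ids)) != len(ids):
        issues.append("member ID: duplicate member ID")
    # Compare bridge MACs after normalising case and separators.
    macs = [m["bridge_mac"].lower().translate(STRIP_SEPARATORS) for m in members]
    if len(set(macs)) != len(macs):
        issues.append("bridge MAC: two members share a bridge MAC address")
    if len({m["software"] for m in members}) > 1 and not all(m["auto_update"] for m in members):
        issues.append("software: versions differ and auto-update is not enabled everywhere")
    a, b = link
    if {a["irf_port"], b["irf_port"]} != {1, 2}:
        issues.append("cabling: IRF-port 1 must connect to IRF-port 2 on the peer")
    if not a["interfaces"] or not b["interfaces"]:
        issues.append("binding: an IRF port has no physical interface bound")
    if len(a["interfaces"]) != len(b["interfaces"]):
        issues.append("link: the two ends have different numbers of interfaces")
    if len({kind for end in link for _, kind in end["interfaces"]}) > 1:
        issues.append("link: physical interfaces are not all the same type")
    return issues


# Constructed sample plan (series, versions, names and addresses are invented).
MEMBERS = [
    {"member_id": 1, "series": "FW-A", "software": "R1", "auto_update": True,
     "bridge_mac": "00e0-fc00-0001"},
    {"member_id": 2, "series": "FW-A", "software": "R1", "auto_update": True,
     "bridge_mac": "00e0-fc00-0002"},
]
LINK = (
    {"member_id": 1, "irf_port": 1, "interfaces": [("GE1/0/2", "GE"), ("GE1/0/3", "GE")]},
    {"member_id": 2, "irf_port": 2, "interfaces": [("GE2/0/2", "GE"), ("GE2/0/3", "GE")]},
)
```
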

Configure IRF

For a successful IRF setup, follow this IRF fabric setup procedure:

1.     Plan the IRF fabric setup. Determine the master, member ID assignment, and IRF connection scheme.

2.     Perform the following tasks on each member device:

a.     Configure basic IRF settings, including a unique member ID and priority.

b.     Bind physical interfaces to the IRF ports.

c.     Save the configuration to the startup configuration file.

d.     Connect the IRF physical interfaces. Make sure the connections are consistent with the IRF port bindings.

e.     Reboot the device.

The member ID assignment takes effect at reboot. The member devices perform a master election to form an IRF fabric that contains one master and one subordinate.

3.     Log in to the IRF fabric. You can log in to the Web interface of the IRF fabric at the IP address of the management port on the master device.

4.     Perform the following tasks:

a.     View the IRF fabric topology to verify its correctness.

b.     (Optional.) Modify the member ID, priority, or IRF port binding configuration.

Changing member IDs in an IRF fabric can void member ID-related configuration and cause unexpected problems. Make sure you understand the impact on your live network before you change member IDs.

Changing IRF port bindings might cause IRF split. Make sure you understand the impact on your live network before you change IRF port bindings.

 

c.     Configure advanced IRF settings on the IRF fabric.

d.     Save the configuration to the startup configuration file.

On the IRF fabric, you can configure software features as you do on a standalone device.

 

 
