Hot backup is a device-level HA solution. It enables two devices to back up each other dynamically to ensure user service continuity upon failure of one of the devices.

Hot backup works with H3C proprietary Remote Backup Management (RBM) to manage multiple VRRP groups or adjust the link costs for routing protocols on two member devices to ensure that the devices have consistent roles and states. The hot backup system can synchronize important configuration and service entries between the devices to ensure service continuity. Two devices must have the same software and hardware environments to join a hot backup system.

Application scenario

As shown in Figure 1, typically redundant egress devices are deployed at the border between the external and internal networks to prevent a single point of failure from interrupting traffic forwarding. When one egress device fails, traffic is switched to a different path.

The hot backup system is not used on traditional network devices such as switches and routers as they require only Layer 2 redundancy and route backup to ensure service continuity. It is used on security devices that perform status check and policy-based processing on packets, such as firewalls, IPSs, and network access behavior auditors. These devices check the validity of the first packet of each flow and create a session entry to record the traffic pattern, including the source and destination IP addresses, source and destination ports, and protocol. A security device forwards the subsequent packets of a flow only when the packets match a session entry. To ensure service continuity after traffic is switched between redundant security devices, hot backup is used to synchronize service entries and configuration between the devices through a dedicated channel.

Figure 1 Hot backup network model

Basic hot backup concepts

Basic hot backup concepts are as follows:

· Primary and secondary roles—In the control plane, the primary and secondary roles are assigned to the two devices in a hot backup system to control the configuration synchronization between the devices.

Each hot backup member device adds a prefix to the view prompt to identify its hot backup role. The primary device adds the RBM_P prefix, RBM_P<Sysname> for example. The secondary device adds the RBM_S prefix, RBM_S<Sysname> for example.

· Active and standby states—Determine which device forwards and processes traffic in the data plane. The active device forwards traffic of services and backs up service entries to the standby device in real time. When the active device fails, the standby device takes over the active role to ensure service continuity.

· Hot backup channels—Transmit status information, important configuration, and service entries between the hot backup members.

· Hot backup modes—Include active/standby mode and dual-active mode. In active/standby mode, the active device processes all services. In dual-active mode, both devices process services to increase the capability of the hot backup system and load share traffic.

· Hot backup packets—RBM packets transmitted through TCP over the hot backup channels between the hot backup members.

Operating modes of hot backup

Hot backup supports the active/standby and dual-active modes.

Active/standby mode

In active/standby mode, one device is active to process services, and the other device stands by, as shown in Figure 2. When an interface or link on the active device fails or when the active device fails, the standby device becomes active to process services.

Figure 2 Active/standby mode of hot backup

Dual-active mode

In dual-active mode, both devices process services to increase capability of the hot backup system, as shown in Figure 3. When one device fails, its traffic is switched to the other device for forwarding.

Figure 3 Dual-active mode of hot backup

Hot backup data synchronization

Hot backup packets

Hot backup packets include the following:

· Keepalive packets—Transmitted periodically between the hot backup members for peer availability detection.

· Control packets—Control active/standby switchovers based on the running status.

· Backup packets—Back up configuration and service entries between the hot backup members.

· Configuration consistency check packets—Check whether the hot backup members have consistent configuration.

· Transparent transmission packets—Transmit or replicate asymmetric-path traffic between the hot backup members.

Hot backup channels

Hot backup transmits hot backup status, important configuration, and service entries between the hot backup members through the following channels:

· Control channel—Transmits data by using packets, including hot backup status packets, configuration consistency check packets, and packets used for configuration synchronization.

· Data channel—Transmits backup packets and packets that require transparent transmission. The data channel uses the hardware driver for data transmission and supports only Layer 2 forwarding.

The control channel uses the keepalive mechanism of TCP for reachability detection. Each member device periodically sends hot backup keepalive packets to the hot backup peer over the hot backup control channel. If a device has not received any responses from the peer when the maximum number of hot backup keepalive attempts is reached, the hot backup control channel is disconnected.

Service entry backup

Hot backup backs up the service entries generated on the active device to the standby device to prevent service interruption when an active/standby switchover occurs.

Security devices generate a session entry for each dynamic connection. In the hot backup system, only the active device processes traffic and generates session entries. To ensure service continuity, the active device backs up its session entries to the standby device in real time. After an active/standby switchover, the new active device can forward the packets of the existing services based on the session entries without interruption.

Hot backup can perform hot backup for the following service entries:

· NAT port blocks.

· AFT port blocks.

· Session entries.

· Session relation entries.

· Entries generated by security service modules.

Configuration backup

Hot backup backs up important configuration from the primary device to the secondary device to prevent service interruption when an active/standby switchover occurs.

· When both devices are operating correctly, the primary device synchronizes configuration to the secondary device. The configuration on the secondary device is overwritten. As a best practice to ensure correct operation of hot backup, enable configuration backup on the primary device.

· When one of the devices reboots, the device that completes reboot obtains configuration from the device that is not rebooted. The configuration on the rebooted device is overwritten.

Hot backup supports both automatic backup and manual backup.

Hot backup can perform configuration backup for the following services:

· Resources—VPN instance, ACL (excluding the acl copy command), object group, time range, security zone, session management, APR, and AAA (excluding the commands for local users and local guests).

· DPI—Application layer inspection engine, IPS, URL filter, data filter, file filter, anti-virus, data analysis center, and WAF.

· Polices—Security policy, ASPF, attack detection and prevention (excluding the blacklist ip command), connection limit, NAT, AFT, load balancing, bandwidth management, application auditing and management, shared network access management, and proxy policy.

· Logs—Fast log output (excluding the customlog host source command) and flow log (excluding the userlog flow export source-ip command).

· VPN—SSL VPN.

· Any other services—VLAN and cloud connection.

Configuration consistency check

Hot backup verifies configuration consistency between the hot backup members by using configuration consistency check packets. If a device detects configuration inconsistency, it generates a log for you to manually synchronize configuration.

Configuration consistency check operates as follows:

1. The primary device sends configuration consistency check packets to the secondary device and collects configuration digests of related modules at the same time.

2. The secondary device receives the packets, encapsulates its configuration digests into configuration consistency check packets, and sends these packets to the primary device.

3. The primary device compares its configuration digests with those of the secondary device. If inconsistency is detected, the primary device generates a log.

Running status switchover

The hot backup role is determined based on configuration. The running status is determined based on hot backup role election and can be switched over.

Running status switchover process

As shown in Figure 4, both devices are primary in the control plane and active in the data plane when the hot backup channels are not established. This is not a correct condition because the hot backup system has not set up.

Figure 4 Hot backup channels not established

As shown Figure 5, when the hot backup channels are established and both devices are operating correctly, the hot backup roles of the devices are determined based on configuration and do not change in any condition. In the data plane, the running status of the devices is consistent with their hot backup roles. In active/standby mode, the primary device is the active device, and the secondary device is the standby device. In dual-active mode, both devices are active.

Figure 5 Hot backup in active/standby mode

As shown in Figure 6, when the uplink or downlink fails on a device, the status of the devices changes in the data plane. The device that operates correctly processes all traffic. In the control plane, the hot backup roles of the devices do not change.

Figure 6 Uplink or downlink failure

As shown in Figure 7, the hot backup role changes in the control plane only when the primary device fails or restarts, and the running status in the data plane will change accordingly. The secondary device will take over the primary role. When the original primary device recovers, it takes over the primary role.

Figure 7 Device failure or restart

Running status switchover triggers

In the hot backup system, an active/standby switchover occurs if one device fails or its links fail. The other device that operates correctly will take over to process all traffic that traverse the hot backup system to ensure service continuity. The following events can trigger an active/standby switchover.

· Disconnection of the hot backup control channel.

If the hot backup control channel is disconnected when both member devices are operating correctly, both devices become active devices. However, the devices will leave the hot backup system in this situation, and forwarding of asymmetric-path traffic will be interrupted.

· Failure of the active device.

· Failure of the interface monitored by hot backup on the active device.

· State change to Negative of any track entry monitored by hot backup on the active device.

This event triggers an active device election. If both member devices have track entries in Negative state, the following rules apply:

¡ In active/standby mode, the primary device is the active device, and the secondary device is the standby device.

¡ In dual-active mode, both member devices are active.

When an active/standby switchover occurs, hot backup collaborates with other modules to direct traffic to the new active device.

· When working with VRRP, hot backup places all VRRP groups on the failed device to backup state.

· When working with a routing protocol, hot backup increases the link costs of routes on the failed device.

Associating hot backup with VRRP

About hot backup and VRRP association

You can use hot backup and VRRP in combination to control master/backup switchover for device role consistency (master or backup) in multiple VRRP groups. This ensures that both inbound and outbound traffic can be switched to the new master for symmetric forwarding upon device failure.

Figure 8 illustrates VRRP association with hot backup in active/standby mode.

· As shown in the left, VRRP cannot ensure symmetric forwarding upon failure on a device, which causes traffic interruption.

· As shown in the right, after the hot backup control channel is established, hot backup determines the roles of the devices in all VRRP groups. The master election mechanism of VRRP no longer takes effect. If the hot backup control channel is disconnected, the master election mechanism of VRRP takes effect again.

Figure 8 VRRP and hot backup association

‌

VRRP active/standby group

Hot backup is associated with VRRP by VRRP active and standby groups.

A VRRP active/standby group can be in master or backup state, which determines the state of devices in the associated VRRP groups. For example, if a VRRP active group is in master state, all devices in the associated VRRP groups are masters.

The initial state of a VRRP active/standby group is depends on the hot backup mode.

· Active/Standby mode—On the primary device, the initial state is master for the VRRP active and standby groups. On the secondary device, the initial state is backup for the VRRP active and standby groups.

· Dual-active mode—The state of a VRRP active/standby group is not affected by the hot backup roles. The initial state is master for the VRRP active group and is backup for the VRRP standby group.

VRRP master election in the hot backup environment

After hot backup is associated with VRRP, hot backup determines the roles of the devices in the VRRP groups. As shown in Figure 8, Device A is the master in VRRP group 1 and VRRP group 2, and Device B is the backup in VRRP group 1 and VRRP group 2. When Interface A2 on Device A fails, the following events occur:

1. Hot backup receives an interface failure event and sends the status change information of the VRRP active and standby groups to Device B.

2. Device B sets its role to master in the VRRP standby group and then becomes the master in VRRP group 1 and VRRP group 2.

3. Device B sends a response to Device A after the master/backup switchover.

4. Device A sets its role to backup in the VRRP active group and then becomes the backup in VRRP group 1 and VRRP group 2.

When Interface A2 recovers, hot backup performs another master/backup switchover following the same procedure. Traffic is switched back to Device A after the switchover.

ARP and MAC learning in VRRP

When the members of a VRRP group receive an ARP request for the group's virtual IP address, the master replies with the group's virtual MAC address. This allows the upstream and downstream Layer 2 devices and hosts to learn the virtual MAC address.

Associating hot backup with routing protocols

You can use hot backup to enable the routing protocols on the standby device to advertise modified link cost. The feature ensures that both inbound and outbound traffic can be switched to the new active device for symmetric forwarding.

This feature requires associating hot backup with Track to perform active/standby switchover upon link or interface failures.

Figure 9 illustrates OSPF association with hot backup in active/standby mode.

· As shown in the left, Device A (active device) advertises link cost 1 based on OSPF configuration. Device B (standby device) advertises link cost 65500 modified by hot backup. Both inbound and outbound traffic are forwarded through Device A.

· As shown in the right, when interface A2 fails, Device A and Device B perform an active/standby switchover. After the switchover is complete, Device B (active device) advertises link cost 1 based on OSPF configuration. Device A (standby device) advertises link cost 65500 modified by hot backup. Both inbound and outbound traffic are forwarded through Device B.

Figure 9 OSPF and hot backup association

‌

Transparent in-path deployment of hot backup

When you use this networking scheme, you can use the track vlan or track interface command to enable collaboration between uplink and downlink interfaces. The Track configuration ensures that a group of interfaces have the same status, and uplink and downlink traffic can be switched simultaneously between the member devices.

The following information uses the track vlan setting as an example to describe how interfaces collaborate:

· As shown in Figure 10, when both Device A (active) and Device B (standby) are operating correctly, tracked VLAN 10 is in active state on Device A and in inactive state on Device B. As a result, Device A forwards all traffic that traverses the hot backup system.

· As shown in Figure 10, when downlink Port A2 of Device A fails, Device A and Device B switch their roles. Then, hot backup places VLAN 10 in inactive state on Device A (standby) and in active state on Device B (active). As a result, Device B forwards all traffic that traverses the hot backup system.

Figure 10 Transparent in-path deployment of hot backup

Restrictions: Hardware compatibility with hot backup

F1000 series	Models	Hot backup compatibility
F1000-X-G5 series	F1000-A-G5, F1000-C-G5, F1000-C-G5-LI, F1000-E-G5, F1000-H-G5, F1000-S-G5	Yes
F1000-X-G3 series	F1000-A-G3, F1000-C-G3, F1000-E-G3, F1000-S-G3	Yes
F1000-X-G2 series	F1000-A-G2, F1000-C-G2, F1000-E-G2, F1000-S-G2	Yes
F1000-9X0-AI series	F1000-9390-AI, F1000-9385-AI, F1000-9380-AI, F1000-9370-AI, F1000-9360-AI, F1000-9350-AI, F1000-9330-AI, F1000-9320-AI, F1000-990-AI, F1000-980-AI, F1000-970-AI, F1000-960-AI, F1000-950-AI, F1000-930-AI, F1000-920-AI , F1000-910-AI, F1000-905-AI	Yes
F1000-C83X0 series	F1000-C8395, F1000-C8390, F1000-C8385, F1000-C8380, F1000-C8370, F1000-C8360, F1000-C8350, F1000-C8330	Yes
F1000-C81X0 series	F1000-C8180, F1000-C8170, F1000-C8160, F1000-C8150, F1000-C8130, F1000-C8120, F1000-C8110	Yes
F1000-7X0-HI series	F1000-770-HI, F1000-750-HI, F1000-740-HI, F1000-730-HI, F1000-720-HI, F1000-710-HI	Yes
F1000-C-X series	F1000-C-EI, F1000-C-HI, F1000-C-XI, F1000-E-XI	Yes
F1000-V series	F1000-E-VG, F1000-S-VG	Yes
SecBlade IV	LSPM6FWD8, LSQM2FWDSC8	Yes

‌

F100 series	Models	Hot backup compatibility
F100-X-G5 series	F100-A-G5, F100-C-G5, F100-E-G5, F100-M-G5, F100-S-G5	Yes
F100-X-G3 series	F100-A-G3, F100-C-G3, F100-E-G3, F100-M-G3, F100-S-G3	Yes
F100-X-G2 series	F100-A-G2, F100-C-G2, F100-E-G2, F100-M-G2, F100-S-G2	Yes
F100-WiNet series	F100-A80-WiNet, F100-C80-WiNet, F100-C60-WiNet, F100-S80-WiNet, F100-A81-WiNet, F100-A91-WiNet, F100-C50-WiNet	Yes
F100-C-A series	F100-C-A6, F100-C-A5, F100-C-A3, F100-C-A2, F100-C-A1	Yes
F100-C-A series	F100-C-A6-WL, F100-C-A5-W, F100-C-A3-W	No
F100-X-XI series	F100-A-EI, F100-A-HI, F100-A-SI, F100-C-EI, F100-C-HI, F100-C-XI, F100-E-EI, F100-S-HI, F100-S-XI	Yes

‌

Restrictions and guidelines: Hot backup configuration

Member device restrictions and guidelines

A hot backup system can contain a maximum of two devices.

To ensure that the traffic size is within the processing capability of one device upon failure of the other device, make sure the throughput of each device does not exceed 50% of its capability.

Configuration synchronization restrictions and guidelines

For the service modules for which hot backup supports configuration synchronization, you need to configure relevant settings only on the primary device. For the service modules that do not support configuration synchronization, you need to configure relevant settings on all devices in the hot backup system. For support of hot backup for configuration synchronization of service modules, see "Configuration backup."

For resource file associated functions or files (such as public key information, ISP address library file, and signature file), you need import the file with the same content to all devices in the hot backup system.

For the features or signature libraries that require licenses, purchase separate licenses and activate them on the hot backup member devices.

Interface restrictions and guidelines

On each member device, you must assign all interfaces that transmit service traffic to security zones and configure security policies to enable inter-zone communication.

Do not use hot backup in combination with the features that obtain IP addresses automatically, DHCP client for example. The interfaces on the hot backup system must use static IP addresses.

If service interfaces work in Layer 2 mode, assign uplink and downlink service interfaces to the same VLAN.

Hot backup channel restrictions and guidelines

The hot backup channels are set up over the keepalive link that is a direct link or traverses only Layer 2 switches.

When you select interfaces for hot backup channel setup, follow these restrictions and guidelines:

· Use physical interfaces or aggregate interfaces. Do not use subinterfaces or aggregation member ports.

· As a best practice, use the same physical or logical link to convey the hot backup data and control channels. Use the default MTU on the interfaces used for setting up the link.

When configuration backup is in progress, do not perform active/standby switchovers, remove or install service modules, or change the configuration. To view the backup progress, execute the display remote-backup-group status command.

If the hot backup system performs asymmetric forwarding, use the session aging-time state fin command to set the aging time for TCP sessions in FIN_WAIT state to 15 seconds. This configuration speeds up session entry aging when TCP connections disconnect and thus saves system resources. For more information about the session aging-time state command, see session management commands in Security Command Reference.

Hot backup deployment restrictions and guidelines

When you deploy hot backup, follow the restrictions and guidelines for the network scheme you have chosen.

Routed in-path hot backup deployment between upstream and downstream routers

You can use either active/standby or dual-active mode.

If you use hot backup with a routing protocol, use the adjust-cost enable command to enable hot backup to adjust the link costs for the routing protocol. In addition, associate hot backup with track entries to monitor the status of uplink and downlink interfaces.

If you use hot backup with static routes, use the track interface command to monitor uplink and downlink Layer 3 Ethernet interfaces.

Routed in-path hot backup deployment between upstream and downstream switches

You can use either active/standby or dual-active mode.

You must use hot backup with VRRP and configure hot backup to work with track entries to monitor the status of uplink and downlink interfaces.

Transparent in-path hot backup deployment between upstream and downstream routers

You can use either active/standby or dual-active mode.

You must use the track interface command to enable hot backup to monitor the status of uplink and downlink Layer 2 Ethernet interfaces.

Transparent in-path hot backup deployment between upstream and downstream switches

You can use only active/standby mode.

You must use the track vlan command to enable hot backup to monitor the status of uplink and downlink VLANs.

Feature compatibility restrictions

Compatibility with contexts

You can configure hot backup only on the default context. The configuration will be issued to all non-default contexts.

When an active/standby switchover occurs on any context, the other contexts will perform an active/standby switchover accordingly. As a best practice, place the active member devices of all contexts on the same device.

If you use hot backup on a non-default context, you must assign service interfaces to the non-default context in shared mode.

Compatibility with NAT

When you use NAT on a hot backup system, follow these restrictions:

· Hot backup does not support detecting reachability of NAT address group members or Easy IP.

· NAT address groups cannot contain the IP addresses of any interfaces on the hot backup member devices. If you violate this restriction, both hot backup member devices will respond to the ARP packets that an upstream device sends to request the IP addresses in the NAT address groups. As a result, ARP conflicts occur.

· The source or destination IP address in a NAT policy does not belong to the interface used for setting up the hot backup channels. Violation of this restriction causes keepalive link faults.

· If you cannot ensure that a flow identified by a five-tuple is processed by the same device in one direction, you must use the nat remote-backup port-alloc { primary | secondary } command to specify NAT port ranges for both hot backup member devices.

When you use NAT on a hot backup system operating in dual-active mode, follow these restrictions:

· NAT address groups do not support EIM.

· If NAT operates in PAT mode, you must execute the following commands on the NAT group members, one command on one device:

¡ nat remote-backup port-alloc primary

¡ nat remote-backup port-alloc secondary

These commands divide an address group into two halves to avoid conflicts.

· If NAT operates in NO-PAT mode, you must configure two address groups to avoid resource assignment conflicts.

Compatibility with other protocols

Make sure the control and data packets of a multi-channel protocol such as FTP or SIP are processed by the same hot backup member device.

In the hot backup environment, to process traffic based on the SCTP protocol, make sure both the outbound and inbound packets of the same flow are processed by the same device.

Hardware environment consistency

Before you configure hot backup, verify that the following hardware settings are the same on the devices to be assigned to a hot backup system:

· Device model.

· Number and type of management interfaces, service interfaces, and interfaces for setting up the hot backup channels. Do not use one interface for multiple purposes.

· Location, number, and type of disks. A device not with disks installed has small log storage and do not support some types of logs or reports.

Software environment consistency

Before you configure hot backup, verify that the following software settings are the same on the devices to be assigned to a hot backup system:

· Software environment and version, including boot packages, system packages, feature packages, and patches.

· Licensed signature libraries and features, such as signature library types, signature library version, validation time, and number of licensed resources.

· Interface numbers.

· Type, speed, and number of the interfaces for setting up the hot backup channels. As a best practice, use aggregate interfaces.

· Aggregate interface numbers and aggregation member port numbers.

· Security zone configuration on the interfaces at the same location.

· Multi-CPU packet distribution policy (configurable with the forwarding policy command).

Network interconnection restrictions

Configure security policies for the hot backup members to correctly exchange the packets required in forwarding over the hot backup channels, routing protocol packets for example. As a best practice, make sure only those packets are transmitted between the security zone that accommodates service interfaces and the Local security zone.

The device by default permits the hot backup packets transmitted over the hot backup channels. You do not need to configure security policies for the hot backup packets.

Configure a feature prior to hot backup deployment if hot backup cannot back up configuration of the feature. For more information about the features that can be backed up by hot backup, see "Configuration backup."

Hot backup configuration flow

Figure 11 shows the configuration flow for hot backup.

Figure 11 Hot backup configuration flow chart

‌

Hot backup tasks at a glance

To configure hot backup, perform the following tasks:

1. Configuring the hot backup role

2. Configuring hot backup data synchronization settings

a. Configuring the hot backup control channel

b. Configuring the hot backup data channel

c. Enabling service entry hot backup

d. Configuring hot backup configuration synchronization

3. Enabling traffic switchover upon failure recovery

4. Setting the hot backup mode

Choose one of the following tasks:

¡ Configuring the active/standby mode

¡ Configuring the dual-active mode

5. Configuring hot backup associations

Choose one of the following tasks:

¡ Associating hot backup with VRRP

¡ Associating hot backup with routing protocols

¡ Configuring hot backup transparent in-path deployment

6. (Optional.) Associating hot backup with Track

7. (Optional.) Performing an active/standby switchover

8. (Optional.) Enabling transparent service traffic transmission between the hot backup members

9. (Optional.) Configuring service features on the hot backup system

Configuring the hot backup role

About this task

Hot backup backs up important configuration from the primary device to the secondary device to prevent service interruption when an active/standby switchover occurs. The configuration on the secondary device is overwritten. The unidirectional backup mechanism avoids configuration conflicts, especially in dual-active mode. The hot backup roles can only be manually assigned to devices.

Each hot backup member device adds a prefix to the view prompt to identify its hot backup role.

· The primary device adds the RBM_P prefix, RBM_P<Sysname> for example.

· The secondary device adds the RBM_S prefix, RBM_S<Sysname> for example.

After you assign hot backup roles to the hot backup member devices, both devices add the RBM_P prefix to their view prompts. The devices display view prompt prefixes according to their hot backup roles after they set up the hot backup control channel.

Restrictions and guidelines

You must assign the primary and secondary roles to the two member devices in the hot backup system, respectively.

As a best practice to ensure correct operation of the hot backup system, enable configuration backup on the primary device.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Configure the hot backup role.

device-role { primary | secondary }

By default, the hot backup role is not configured.

Configuring the hot backup control channel

About this task

Hot backup compares the specified local and peer IP address to determine the device role for setting up the control channel. The device with higher IP address acts as the server, and the other device acts as the client to initiate the TCP connection.

If the port number is configured on the server, the port provides services for the client. If the port number is configured on the client, the port serves as the destination port to establish TCP connection to the server. The source port is randomly generated on the client.

Restrictions and guidelines

You can specify only one peer IP address with the same port number on the hot backup member devices. The specified port cannot be the same as the TCP listening port in use.

The local and peer IP addresses used for setting up the control channel cannot be identical.

You can set up an IPv4 control channel or IPv6 control channel, but not both.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Set up a hot backup control channel. Choose one of the following options:

¡ Set up an IPv4 control channel.

- Configure the peer IPv4 address for setting up the hot backup control channel.

remote-ip ipv4-address [ port port-number ]

By default, the peer IPv4 address is not configured.

- Configure the local IPv4 address for setting up the hot backup control channel.

local-ip ipv4-address

By default, the local IPv4 address is not configured.

¡ Set up an IPv6 control channel.

- Configure the peer IPv6 address for setting up the hot backup control channel.

remote-ipv6 ipv6-address [ port port-number ]

By default, the peer IPv6 address is not configured.

- Configure the local IPv6 address for setting up the hot backup control channel.

local-ipv6 ipv6-address

By default, the local IPv6 address is not configured.

4. Set the interval for sending hot backup keepalive packets.

keepalive interval interval

By default, the device sends hot backup keepalive packets at one-second intervals.

5. Set the maximum number of hot backup keepalive attempts.

keepalive count counts

By default, the maximum number of hot backup keepalive attempts is 10.

Configuring the hot backup data channel

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Configure a hot backup data channel.

data-channel interface interface-type interface-number

By default, no hot backup data channel is configured.

Enabling service entry hot backup

About this task

Service entry hot backup enables the active device to back up service entries to the standby device in real time.

Enable HTTP and DNS backup if asymmetric-path traffic traverses the hot backup system. HTTP and DNS backup ensures that a flow and its return traffic are processed correctly on the hot backup members.

If hot backup active/standby mode is used or only symmetric-path traffic traverses the hot backup system, disabling HTTP and DNS backup can improve performance of the hot backup members at the expense of delayed data synchronization. When you disable HTTP and DNS backup, make sure you are fully aware of the impact on the network. A device removes a DNS or HTTP connection if packet exchange is inactive. When a switchover interrupts a connection, the DNS or HTTP client re-initiates the connection immediately, which has little impact on user services.

Restrictions and guidelines

When the hot backup system is operating stably and is processing traffic, do not execute the reset session table command. If you execute the command, traffic might be interrupted, and the session entries might become inconsistent on the primary and backup devices. For more information about session management, see Security Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Enable service entry hot backup.

hot-backup enable

By default, service entry hot backup is enabled.

4. Enable hot backup for the session entries of application layer protocols.

hot-backup protocol { dns | http } * enable

By default, the hot backup system performs hot backup for the session entries of application layer protocols.

The hot-backup protocol enable command takes effect only on DNS and HTTP. The device automatically backs up the session entries of other application layer protocols after you enable service entry hot backup.

Configuring hot backup configuration synchronization

About this task

The hot backup member devices can synchronize configuration changes in real time and synchronize all configuration in bulk.

· Real-time synchronization—The primary device copies added, deleted, or modified configuration to the secondary device in real time to maintain configuration consistency.

· Bulk synchronization—The primary device backs up important configuration in bulk to the secondary device. The secondary device will delete the settings that are inconsistent with those on the primary device.

Hot backup can perform hot backup configuration synchronization only when automatic configuration synchronization is enabled and the hot backup control channel is set up.

A bulk synchronization is triggered by the following events:

· The hot backup control channel is set up and automatic configuration synchronization is enabled (including the default status) for the first time. The primary device will send all its key configuration in bulk to overwrite the configuration on the secondary device. Hot backup does not perform bulk synchronization afterwards, even if automatic configuration synchronization is enabled again or the hot backup control channel is set up again.

· An hot backup member device reboots, or the hot backup process restarts, and automatic configuration synchronization is enabled on the other device. After the reboot or restart and the hot backup control channel is set up again, the device that does not reboot will send all its key configuration in bulk to overwrite the configuration on the rebooted device.

Restrictions and guidelines

After the hot backup control channel is set up and automatic configuration synchronization is enabled for the first time, do not disable automatic configuration synchronization. If you fail to do so, the devices will not perform bulk configuration, and configuration inconsistency will affect services.

If the amount of configuration to be synchronized is large, bulk synchronization might take one to two hours. To avoid the issue, you can perform one of the following operations:

· Enable automatic configuration synchronization first when you configure the hot backup system.

· Copy the configuration file to the secondary device during initial network deployment and then enable configuration consistency check.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Enable automatic configuration synchronization.

configuration auto-sync enable

By default, automatic configuration synchronization is enabled.

4. Enable configuration consistency check.

configuration sync-check [ interval interval ]

By default, configuration consistency check is enabled.

5. (Optional.) Perform a one-off configuration consistency check.

configuration manual-sync-check

This command applies only to the primary device.

6. (Optional.) Manually synchronize the configuration of the primary device to the secondary device.

configuration manual-sync

This command applies only to the primary device.

Enabling traffic switchover upon failure recovery

About this task

After an active/standby switchover occurs, if the original active device recovers, traffic will not be switched back by default. Perform this task to enable traffic switchover to the original active device upon failure recovery. You can set a delay timer to ensure smooth service switchover.

Restrictions and guidelines

In dual-active mode, you must enable this feature to ensure that both devices can operate after the failure is recovered.

This feature does not take effect on ongoing traffic switchovers. It applies only to subsequent traffic switchovers.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Enable traffic switchover upon failure recovery.

delay-time delay-time

By default, traffic switchover upon failure recovery is disabled.

Configuring the active/standby mode

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Configure the active/standby mode.

undo backup-mode dual-active

By default, the hot backup mode is active/standby.

Configuring the dual-active mode

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Configure the dual-active mode.

backup-mode dual-active

By default, the hot backup mode is active/standby.

Associating hot backup with VRRP

Restrictions and guidelines

You can associate only VRRP groups operating in standard mode with hot backup.

Use hot backup in combination with VRRP groups only for in-path hot backup deployment between upstream and downstream switches. As a best practice, assign the primary device to the VRRP active group, and assign the secondary device to the VRRP standby group.

You can assign multiple virtual IP addresses to a VRRP group associated with hot backup. Make sure the interfaces in the VRRP group do not own the virtual IP addresses.

You cannot associate a VRRP group with both hot backup and Track.

You cannot use the track vlan command in conjunction with the track interface command.

For an IPv6 VRRP group to work correctly, you must assign it a link-local address and a global unicast address as virtual IPv6 addresses.

Procedure

1. Enter system view.

system-view

2. Enter interface view.

interface interface-type interface-number

3. Associate hot backup with VRRP. Choose one of the following options:

¡ Create an IPv4 VRRP group and associate it with hot backup.

vrrp vrid virtual-router-id virtual-ip virtual-address [ mask | mask-length ] { active | standby }

By default, no IPv4 VRRP groups exist.

¡ Create an IPv6 VRRP group and associate it with hot backup. Assign a link-local address and a global unicast address as virtual IPv6 addresses to the VRRP group.

vrrp ipv6 vrid virtual-router-id virtual-ip virtual-address [ prefix-length ] link-local { active | standby }

vrrp ipv6 vrid virtual-router-id virtual-ip virtual-address

By default, no IPv6 VRRP groups exist.

Associating hot backup with routing protocols

Enabling hot backup to adjust the link cost for a routing protocol

About this task

When you use hot backup together with a routing protocol, you can enable hot backup to adjust the link cost for a routing protocol on the standby device. This feature applies to the scenario where the hot backup member devices run the same routing protocol. If you configure this feature, the active device advertises the original link costs for a routing protocol, and the standby device advertises one of the following link costs:

· Absolute cost—The device advertises an absolute link cost for the routing protocol.

· Calculated cost—The device advertises the original link cost plus the configured increment cost for the specified routing protocol.

The feature takes effect on only the standby device.

Restrictions and guidelines

This feature applies to the scenario where the hot backup member devices run the same routing protocol.

To ensure switchover of both uplink and downlink traffic to the new active device, configure this feature with the same parameters on both hot backup member devices.

Do not use the silent-backup-interface and adjust-cost enable commands together.

On a hot backup system in dual-active mode and in collaboration with a routing protocol, configure per-flow load sharing for IP forwarding on both the uplink and downlink devices as a best practice.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Enable hot backup to adjust the link cost for the specified routing protocol on the standby device.

adjust-cost { bgp | isis | ospf | ospfv3 } enable { absolute [ absolute-cost ] | increment [ increment-cost ] }

By default, hot backup does not adjust the link cost for the specified routing protocol on the standby device.

Disabling the standby device from sending or receiving protocol packets of a routing protocol.

This feature applies to the scenario where the hot backup member devices run multiple routing protocols. As shown in Figure 12, IBGP and OSPF have different default priorities. When the link between Device A and Router C fails, traffic destined for the hosts might be forwarded to Device A as OSPF has higher priority than IBGP. To resolve this issue, disable Device A from sending or receiving OSPF protocol packets to disconnect its OSPF neighbors. Then, Device B will forward all uplink and downlink traffic.

Figure 12 hot backup member devices running multiple routing protocols

Restrictions and guidelines

This feature applies to the scenario where the hot backup member devices run multiple routing protocols.

To ensure switchover of both uplink and downlink traffic to the new active device, configure this feature with the same parameters on both hot backup member devices.

Do not use the silent-backup-interface and adjust-cost enable commands together.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Disable the standby device from sending or receiving protocol packets of a dynamic routing protocol.

silent-backup-interface { ospf | ospfv3 }

By default, the standby device can send and receive protocol packets of a dynamic routing protocol.

Configuring hot backup transparent in-path deployment

Enabling hot backup to monitor interfaces

About this task

Perform this task to enable hot backup to monitor the interfaces connecting the uplink and downlink devices in hot backup transparent in-path deployment. The monitored interfaces can forward packets only when they are all up. If any of the monitored interfaces goes down, none of them will be able to forward packets.

Restrictions and guidelines

You can use the track interface and track commands in conjunction, but you cannot use these commands to monitor the same interfaces.

The track vlan and track interface commands are mutually exclusive. You cannot configure both of them.

Hot backup does not support monitoring member ports of aggregate interfaces.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Enable hot backup to monitor a Layer 2 or Layer 3 Ethernet interface.

track interface interface-type interface-number

By default, hot backup does not monitor any interfaces.

Enabling hot backup to monitor VLANs

About this task

Perform this task to enable hot backup to monitor the VLANs of the uplink and downlink devices in hot backup transparent in-path deployment. The monitored VLANs are active and the member ports can forward packets only when the member ports are all up. If any of the member ports goes down, none of them will be able to forward packets, and all the monitored VLANs will become inactive.

In active/standby mode, the state of monitored VLANs is active on the primary device and inactive on the secondary device.

In dual-active mode, the state of monitored VLANs is active on both the primary and secondary devices.

Restrictions and guidelines

The track vlan command is mutually exclusive with the track interface and track commands. You cannot use the track vlan command in conjunction with the track interface or track command.

Do not enable hot backup to monitor VLAN 1 (to which all access ports belong by default). This restriction prevents an unused interface in down state from interrupting operation of other interfaces in VLAN 1.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Enable hot backup to monitor a VLAN.

track vlan vlan-id

By default, hot backup does not monitor any VLANs.

Associating hot backup with Track

About this task

Perform this task to associate hot backup with Track to monitor links. If one of the monitored track entries becomes Negative, hot backup performs an active/standby switchover and switches traffic to the new active device to ensure service continuity. For more information about Track, see Network Management and Monitoring Configuration Guide.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Associate hot backup with Track.

track track-entry-number

By default, hot backup is not associated with Track.

Performing an active/standby switchover

About this task

If you want to replace components or upgrade software on the current active device, you can perform this task to switch services to the standby device.

Restrictions and guidelines

This feature applies only when hot backup operates in active/standby mode, and it takes effect on only the active device.

In hot backup and VRRP associated network, performing this task might cause temporary virtual IP address conflict in the VRRP group, which is considered a normal condition.

For stable operation of hot backup, do not repeatedly perform this task within one minute.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Perform an active/standby switchover.

switchover request

Enabling transparent service traffic transmission between the hot backup members

About this task

Enable transparent service traffic transmission only when asymmetric-path traffic traverses the hot backup system operating in dual-active mode.

If an asymmetric-path flow traverses the hot backup system operating in dual-active mode, the flow and its return traffic are processed by different hot backup members. This will degrade the traffic processing performance of modules such as NBAR, DPI, and load balancing. For example, the packet recognition rate of NBAR might drop. For an asymmetric-path flow and its return traffic to be processed by the same hot backup member, enable transparent service traffic transmission. Transparent service traffic transmission is resource-intensive. Make sure you are fully aware of the impact of this feature when you use it on a live network.

Procedure

1. Enter system view.

system-view

2. Enter RBM view.

remote-backup group

3. Enable transparent service traffic transmission between the hot backup members.

transparent-transmit enable

By default, transparent service traffic transmission is enabled.

Configuring service features on the hot backup system

NAT on the hot backup system

For NAT to operate correctly on the hot backup system, you must associate NAT features with the VRRP groups. For example, when you use dynamic NAT, static NAT, NAT server, or NAT444, you must associate the feature with the VRRP groups. For more information about NAT features, see NAT Configuration Guide.

NAT features have similar mechanisms, and the operating mode of hot backup does not change the IP address translation process. This section uses dynamic NAT on the hot backup system in active/standby mode to explain how NAT works on the hot backup system.

About NAT on the hot backup system

When receiving an ARP request with a target IP address that belongs to the subnet of the IP address of a NAT interface, a NAT device replies with the MAC address of the NAT interface.

As shown in Figure 13, dynamic NAT is configured on the hot backup system that is operating in active/standby mode. If dynamic NAT is not associated with any VRRP group, the devices process the traffic as follows when the host accesses the Internet:

1. When receiving the packets sent by the host, Device A translates the source IP address into a public IP address in the NAT address group and forwards the packets to the router. In this example, the public IP address is in the same subnet as the virtual IP address of uplink VRRP group 1.

2. The router receives the return packets and broadcasts an ARP request for the destination public IP address.

3. Device A and Device B receive the ARP request and reply with the MAC address of their respective uplink interface because they have the same NAT address group configuration.

4. The router might send the return packets to the uplink interface of Device A or Device B, which affects service continuity.

For the router to learn the virtual MAC address of the uplink VRRP group, you must associate NAT features with the VRRP group.

Figure 13 NAT not associated with a VRRP group

Traffic forwarding process

The master in a VRRP group relies with the virtual MAC address of the VRRP group to an ARP request if the following requirements are met:

· NAT features are associated with the VRRP group.

· The target IP address belongs to the subnet that contains the IP address of a NAT interface.

As shown in Figure 14, dynamic NAT is configured on the hot backup system that is operating in active/standby mode. If NAT is associated with the uplink VRRP group, the devices process the traffic as follows when the host accesses the Internet:

2. The router receives the return packets and broadcasts an ARP request for the destination public IP address.

3. Device A and Device B receive the ARP request, and Device A (master) replies with the virtual MAC addresses of the uplink VRRP group.

4. Router A sends the return packets to Device A.

Figure 14 NAT on the hot backup system

For more information about VRRP group association with dynamic NAT, static NAT, NAT server, and NAT444, see Layer 3—IP Services Configuration Guide.

Hot backup support for SSL VPN

The hot backup channels are used to back up SSL VPN data, including user data, entries, and configuration. For more information about SSL VPN configuration, see VPN Configuration Guide.

Hot backup supports SSL VPN only when it is operating in active/standby mode and collaborating with VRRP groups.

Hot backup support for DPI services

When you use DPI services on the hot backup system operating in dual-active mode, you must enable DPI support for hot backup if asymmetric-path traffic exists. If you do not enable this feature, DPI services might fail to correctly identify and process packets. For more information about DPI support for hot backup, see DPI engine configuration in DPI Configuration Guide.

Hot backup support for contexts

You can configure hot backup only on the default context. The configuration will be issued to all non-default contexts.

To ensure configuration and service entry consistency, all non-default contexts use the hot backup channels created for the default context to back up configuration and service entries and transmit service traffic.

All non-default contexts use the keepalive detection and configuration consistency check mechanisms of the default context. When an active/standby switchover occurs on any context, the other contexts will perform an active/standby switchover accordingly.

Hot backup deployment schemes

Hot backup supports the following deployment schemes:

· Routed in-path deployment in active/standby mode.

· Routed in-path deployment in dual-active mode.

· Transparent in-path deployment in active/standby mode.

· Transparent in-path deployment in dual-active mode.

Routed in-path deployment in active/standby mode

Figure 15 shows a typical model of routed in-path deployment in active/standby mode. A hot backup system is directly connected to the upstream and downstream Layer 2 switches by Layer 3 interfaces. To use this scheme in collaboration with VRRP, perform the following tasks:

· Establish hot backup channels between Device A and Device B.

· On Device A and Device B, create uplink VRRP group 1 and downlink VRRP group 2 and associate them with hot backup.

· On Device A, associate VRRP group 1 and VRRP group 2 with the VRRP active group. On Device B, associate VRRP group 1 and VRRP group 2 with the VRRP standby group.

· On Device A and Device B, specify the IP address of Interface A1 on the router (2.1.1.15) as the next hop of the route to the Internet.

· On the router, specify the virtual IP address of VRRP group 1 (2.1.1.3) as the next hop of the route to the host's subnet.

· On the host, specify the virtual IP address of VRRP group 2 (10.1.1.3) as the default gateway.

· On Switch A, assign the interfaces attached to the router, Device A, and Device B to the same VLAN.

· On Switch B, assign the interfaces attached to the host, Device A, and Device B to the same VLAN.

Figure 15 Routed in-path deployment in active/standby mode

The following shows how traffic is forwarded when the host accesses the Internet in Figure 15:

1. The host identifies that the destination IP address is on a different subnet and sends an ARP request to obtain the MAC address of the default gateway. In this example, the host does not have the ARP entry for the default gateway.

2. Switch B broadcasts the ARP request and learns the MAC address of the host.

3. Device A and Device B receives the ARP request, and Device A (master) replies with the virtual MAC address of VRRP group 2.

4. Switch B learns the MAC address entry for the virtual MAC address of VRRP group 2 and forwards the ARP reply to the host.

5. The host learns the virtual MAC address and sends the packets destined for the Internet to the default gateway.

6. Switch B forwards the packets to Device A (master). The traffic of the host will be processed and forwarded by Device A as long as it is the master.

7. Device A does not have the ARP entry for the next hop of the route to the Internet and sends an ARP request to obtain the MAC address of the next hop. In the ARP request, the source MAC address is the virtual MAC address of VRRP group 1.

8. Switch A and the router then perform typical forwarding and ARP and MAC address learning.

The forwarding process for the traffic sent from the Internet to the host is similar to the above process.

Routed in-path deployment in dual-active mode

Figure 16 shows a typical model of routed in-path deployment in dual-active mode. A hot backup system is directly connected to the upstream and downstream Layer 2 switches by Layer 3 interfaces. To use this scheme in collaboration with VRRP, perform the following tasks:

· Establish hot backup channels between Device A and Device B.

· On Device A and Device B, create two uplink VRRP groups and two downlink VRRP groups.

· Create VRRP group 3 and VRRP group 4 on the downlink interfaces of Device A and Device B.

· On Device A, associate VRRP group 1 and VRRP group 3 with the VRRP active group, and associate VRRP group 2 and VRRP group 4 with the VRRP standby group.

· On Device B, associate VRRP group 1 and VRRP group 3 with the VRRP standby group, and associate VRRP group 2 and VRRP group 4 with the VRRP active group.

· On Device A and Device B, specify the IP address of Interface A1 on the router (2.1.1.15) as the next hop of the route to the Internet.

· On the router, configure routes as follows:

¡ Specify the virtual IP address of VRRP group 1 (2.1.1.3) as the next hop of the route to Host A's subnet.

¡ Specify the virtual IP address of VRRP group 2 (2.1.1.4) as the next hop of the route to Host B's subnet.

· On Host A, specify the virtual IP address of VRRP group 3 (10.1.1.3) as the default gateway.

· On Host B, specify the virtual IP address of VRRP group 4 (10.1.1.4) as the default gateway.

· On Switch A, assign the interfaces attached to the router, Device A, and Device B to the same VLAN.

· On Switch B, assign the interfaces attached to the hosts, Device A, and Device B to the same VLAN.

Figure 16 Routed in-path deployment in dual-active mode

As shown in Figure 16, the traffic of Host A and Host B is distributed to Device A and Device B, respectively. The traffic forwarding process is similar to that in active/standby mode.

Transparent in-path deployment in active/standby mode

Figure 17 shows a typical model of transparent in-path deployment in active/standby mode. The Layer 2 hot backup system is directly connected to the upstream and downstream Layer 2 switches by Layer 2 interfaces. To use this scheme, perform the following tasks:

· Establish hot backup channels between Device A and Device B.

· On Device A and Device B, assign uplink and downlink interfaces to the same VLAN.

· Configure hot backup to monitor one of the following objects:

¡ The VLAN where Device A and Device B reside.

You do not need to enable spanning tree on the upstream and downstream switches.

¡ Uplink and downlink interfaces of Device A and Device B.

You must enable spanning tree on the upstream and downstream switches.

· On Switch A, assign the interfaces attached to the upstream router, Device A, and Device B to the same VLAN.

· On Switch B, assign the interfaces attached to the hosts, Device A, and Device B to the same VLAN.

Figure 17 Transparent in-path deployment in active/standby mode

Transparent in-path deployment in dual-active mode

Figure 18 shows a typical model of transparent in-path deployment in dual-active mode. The Layer 2 hot backup system is directly connected to the upstream and downstream routers by Layer 2 interfaces. To use this scheme, perform the following tasks:

· Establish hot backup channels between Device A and Device B.

· On Device A and Device B, assign uplink and downlink interfaces to the same VLAN.

· On Device A and Device B, configure hot backup to monitor the status of the uplink and downlink interfaces.

· On Router A and Router B, configure the same cost for OSPF routes and enable per-flow load sharing among ECMP routes.

Figure 18 Transparent in-path deployment in dual-active mode

Display and maintenance commands for hot backup

Execute display commands in any view.

Task	Command
Display hot backup status information.	display remote-backup-group status
Display the configuration consistency check result for hot backup.	display remote-backup-group sync-check

Hot backup configuration examples (IPv4)

Example: Configuring active/standby hot backup in collaboration with VRRP

Network configuration

As shown in Figure 19, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with VRRP.

· Configure the hot backup system to operate in active/standby mode.

· Configure Device A and Device B as the primary device and the secondary device, respectively.

Figure 19 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure Switch A:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the router to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

3. Configure Switch B:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the host to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

4. Configure the router:

NOTE:

This step only provides the brief configuration procedure.

# Assign 2.1.1.15/24 to GigabitEthernet 1/0/7.

# Configure routes as follows:

¡ Specify 2.1.1.3 (virtual IP address of VRRP group 1) as the next hop of the routes to the internal network.

¡ Specify the IP address of the peer interface attached to the traffic outgoing interface as the next hop of the route to the Internet.

5. Configure Device A:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

c. Configure settings for routing. This example configures a static route, and the next hop in the route is 2.1.1.15.

[DeviceA] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

d. Configure a security policy.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

# Configure a rule named trust-untrust to permit the packets from 10.1.1.0/24 to the Internet.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# Configure rules to permit VRRP protocol packets. When the hot backup channel is disconnected, Device A and Device B can exchange VRRP protocol packets to elect a VRRP master.

[DeviceA-security-policy-ip] rule name vrrp1

[DeviceA-security-policy-ip-4-vrrp1] source-zone trust

[DeviceA-security-policy-ip-4-vrrp1] destination-zone local

[DeviceA-security-policy-ip-4-vrrp1] service vrrp

[DeviceA-security-policy-ip-4-vrrp1] action pass

[DeviceA-security-policy-ip-4-vrrp1] quit

[DeviceA-security-policy-ip] rule name vrrp2

[DeviceA-security-policy-ip-5-vrrp2] source-zone local

[DeviceA-security-policy-ip-5-vrrp2] destination-zone trust

[DeviceA-security-policy-ip-5-vrrp2] service vrrp

[DeviceA-security-policy-ip-5-vrrp2] action pass

[DeviceA-security-policy-ip-5-vrrp2] quit

[DeviceA-security-policy-ip] rule name vrrp3

[DeviceA-security-policy-ip-6-vrrp3] source-zone untrust

[DeviceA-security-policy-ip-6-vrrp3] destination-zone local

[DeviceA-security-policy-ip-6-vrrp3] service vrrp

[DeviceA-security-policy-ip-6-vrrp3] action pass

[DeviceA-security-policy-ip-6-vrrp3] quit

[DeviceA-security-policy-ip] rule name vrrp4

[DeviceA-security-policy-ip-7-vrrp4] source-zone local

[DeviceA-security-policy-ip-7-vrrp4] destination-zone untrust

[DeviceA-security-policy-ip-7-vrrp4] service vrrp

[DeviceA-security-policy-ip-7-vrrp4] action pass

[DeviceA-security-policy-ip-7-vrrp4] quit

[DeviceA-security-policy-ip] quit

e. Configure hot backup settings.

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] undo backup-mode

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] quit

# Create VRRP groups and associate them with the hot backup system.

RBM_P[DeviceA] interface gigabitethernet 1/0/1

RBM_P[DeviceA-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 active

RBM_P[DeviceA-GigabitEthernet1/0/1] quit

RBM_P[DeviceA] interface gigabitethernet 1/0/2

RBM_P[DeviceA-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.1.1.3 active

RBM_P[DeviceA-GigabitEthernet1/0/2] quit

f. Configure security services on Device A. (Details not shown.)

6. Configure Device B:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 2.1.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

c. Configure settings for routing. This example configures a static route, and the next hop in the route is 2.1.1.15.

[DeviceB] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

d. Configure hot backup settings.

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] undo backup-mode

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] quit

# Create VRRP groups and associate them with the hot backup system.

RBM_S[DeviceB] interface gigabitethernet 1/0/1

RBM_S[DeviceB-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 standby

RBM_S[DeviceB-GigabitEthernet1/0/1] quit

RBM_S[DeviceB] interface gigabitethernet 1/0/2

RBM_S[DeviceB-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.1.1.3 standby

RBM_S[DeviceB-GigabitEthernet1/0/2] quit

7. On the host, specify 10.1.1.3 (virtual IP address of VRRP group 2) as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify the configuration on Device A:

# Verify that the hot backup channels have been set up.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.1

Remote IP: 10.2.1.2 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that Device A is the master in all VRRP groups.

RBM_P[DeviceA] display vrrp

IPv4 Virtual Router Information:

Running mode : Standard

RBM control channel is established

VRRP active group status : Master

VRRP standby group status: Master

Total number of virtual routers : 2

Interface VRID State Running Adver Auth Virtual

Pri Timer Type IP

---------------------------------------------------------------------

GE1/0/1 1 Master 100 100 None 2.1.1.3

GE1/0/2 2 Master 100 100 None 10.1.1.3

# Enable logging for the security policy that permits communication between security zones Trust and Untrust. Verity that Device A generates log messages when the host communicates with the Internet. (Details not shown.)

2. Verify the configuration on Device B:

# Verify that the hot backup channels have been set up.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Secondary

Device running status: Standby

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.2

Remote IP: 10.2.1.1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that Device A is the backup in all VRRP groups.

RBM_S[DeviceB] display vrrp

IPv4 Virtual Router Information:

Running mode : Standard

RBM control channel is established

VRRP active group status : Backup

VRRP standby group status: Backup

Total number of virtual routers : 2

Interface VRID State Running Adver Auth Virtual

Pri Timer Type IP

---------------------------------------------------------------------

GE1/0/1 1 Backup 100 100 None 2.1.1.3

GE1/0/2 2 Backup 100 100 None 10.1.1.3

# Enable logging for the security policy that permits communication between security zones Trust and Untrust. Verity that Device B does not generate log messages when the host communicates with the Internet. (Details not shown.)

Example: Configuring dual-active hot backup in collaboration with VRRP

Network configuration

As shown in Figure 20, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with VRRP.

· Configure the hot backup system to operate in dual-active mode.

· Configure Device A and Device B to load share traffic.

Figure 20 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure Switch A:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the router to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

3. Configure Switch B:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the host to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

4. Configure the router:

NOTE:

This step only provides the brief configuration procedure.

# Assign 2.1.1.15/24 to GigabitEthernet 1/0/7.

# Configure routes as follows:

¡ Specify 2.1.1.3 (virtual IP address of VRRP group 1) as the next hop of the routes to some subnets of the internal network. Specify 2.1.1.4 (virtual IP address of VRRP group 2) as the next hop of the routes to the other subnets of the internal network.

¡ Specify the IP address of the peer interface attached to the traffic outgoing interface as the next hop of the route to the Internet.

5. Configure Device A:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

c. Configure settings for routing. This example configures a static route, and the next hop in the route is 2.1.1.15.

[DeviceA] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

d. Configure a security policy.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

# Configure a rule named trust-untrust to permit the packets from 10.1.1.0/24 to the Internet.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# Configure rules to permit VRRP protocol packets. When the hot backup channel is disconnected, Device A and Device B can exchange VRRP protocol packets to elect a VRRP master.

[DeviceA-security-policy-ip] rule name vrrp1

[DeviceA-security-policy-ip-4-vrrp1] source-zone trust

[DeviceA-security-policy-ip-4-vrrp1] destination-zone local

[DeviceA-security-policy-ip-4-vrrp1] service vrrp

[DeviceA-security-policy-ip-4-vrrp1] action pass

[DeviceA-security-policy-ip-4-vrrp1] quit

[DeviceA-security-policy-ip] rule name vrrp2

[DeviceA-security-policy-ip-5-vrrp2] source-zone local

[DeviceA-security-policy-ip-5-vrrp2] destination-zone trust

[DeviceA-security-policy-ip-5-vrrp2] service vrrp

[DeviceA-security-policy-ip-5-vrrp2] action pass

[DeviceA-security-policy-ip-5-vrrp2] quit

[DeviceA-security-policy-ip] rule name vrrp3

[DeviceA-security-policy-ip-6-vrrp3] source-zone untrust

[DeviceA-security-policy-ip-6-vrrp3] destination-zone local

[DeviceA-security-policy-ip-6-vrrp3] service vrrp

[DeviceA-security-policy-ip-6-vrrp3] action pass

[DeviceA-security-policy-ip-6-vrrp3] quit

[DeviceA-security-policy-ip] rule name vrrp4

[DeviceA-security-policy-ip-7-vrrp4] source-zone local

[DeviceA-security-policy-ip-7-vrrp4] destination-zone untrust

[DeviceA-security-policy-ip-7-vrrp4] service vrrp

[DeviceA-security-policy-ip-7-vrrp4] action pass

[DeviceA-security-policy-ip-7-vrrp4] quit

[DeviceA-security-policy-ip] quit

e. Configure hot backup settings.

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] backup-mode dual-active

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] delay-time 1

RBM_P[DeviceA-remote-backup-group] quit

# Create VRRP groups and associate them with the hot backup system.

RBM_P[DeviceA] interface gigabitethernet 1/0/1

RBM_P[DeviceA-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 active

RBM_P[DeviceA-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 2.1.1.4 standby

RBM_P[DeviceA-GigabitEthernet1/0/1] quit

RBM_P[DeviceA] interface gigabitethernet 1/0/2

RBM_P[DeviceA-GigabitEthernet1/0/2] vrrp vrid 3 virtual-ip 10.1.1.3 active

RBM_P[DeviceA-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 10.1.1.4 standby

RBM_P[DeviceA-GigabitEthernet1/0/2] quit

f. Configure security services on Device A. (Details not shown.)

6. Configure Device B:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 2.1.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

c. Configure settings for routing. This example configures a static route, and the next hop in the route is 2.1.1.15.

[DeviceB] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15

d. Configure hot backup settings.

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] backup-mode dual-active

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] delay-time 1

RBM_S[DeviceB-remote-backup-group] quit

# Create VRRP groups and associate them with the hot backup system.

RBM_S[DeviceB] interface gigabitethernet 1/0/1

RBM_S[DeviceB-GigabitEthernet1/0/1] vrrp vrid 1 virtual-ip 2.1.1.3 standby

RBM_S[DeviceB-GigabitEthernet1/0/1] vrrp vrid 2 virtual-ip 2.1.1.4 active

RBM_S[DeviceB-GigabitEthernet1/0/1] quit

RBM_S[DeviceB] interface gigabitethernet 1/0/2

RBM_S[DeviceB-GigabitEthernet1/0/2] vrrp vrid 3 virtual-ip 10.1.1.3 standby

RBM_S[DeviceB-GigabitEthernet1/0/2] vrrp vrid 4 virtual-ip 10.1.1.4 active

RBM_S[DeviceB-GigabitEthernet1/0/2] quit

7. On some hosts, specify 10.1.1.3 (virtual IP address of VRRP group 3) as the default gateway. On the other hosts, specify 10.1.1.4 (virtual IP address of VRRP group 4) as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify the configuration on Device A:

# Verify that the hot backup channels have been set up.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.1

Remote IP: 10.2.1.2 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that Device A is the master in VRRP groups 1 and 3 and the backup in VRRP groups 2 and 4.

RBM_P[DeviceA] display vrrp

IPv4 Virtual Router Information:

Running mode : Standard

RBM control channel is established

VRRP active group status : Master

VRRP standby group status: Backup

Total number of virtual routers : 4

Interface VRID State Running Adver Auth Virtual

Pri Timer Type IP

---------------------------------------------------------------------

GE1/0/1 1 Master 100 100 None 2.1.1.3

GE1/0/1 2 Backup 100 100 None 2.1.1.4

GE1/0/2 3 Master 100 100 None 10.1.1.3

GE1/0/2 4 Backup 100 100 None 10.1.1.4

# Enable logging for the security policy that permits communication between security zones Trust and Untrust. Verity that Device A generates log messages when a host for which Device A forwards traffic communicates with the Internet. Verity that Device A does not generate log messages when a host for which Device B forwards traffic communicates with the Internet. (Details not shown.)

2. Verify the configuration on Device B:

# Verify that the hot backup channels have been set up.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Secondary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.2

Remote IP: 10.2.1.1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that Device B is the master in VRRP groups 2 and 4 and the backup in VRRP groups 1 and 3.

RBM_S[DeviceB] display vrrp

IPv4 Virtual Router Information:

Running mode : Standard

RBM control channel is established

VRRP active group status : Master

VRRP standby group status: Backup

Total number of virtual routers : 4

Interface VRID State Running Adver Auth Virtual

Pri Timer Type IP

---------------------------------------------------------------------

GE1/0/1 1 Backup 100 100 None 2.1.1.3

GE1/0/1 2 Master 100 100 None 2.1.1.4

GE1/0/2 3 Backup 100 100 None 10.1.1.3

GE1/0/2 4 Master 100 100 None 10.1.1.4

# Enable logging for the security policy that permits communication between security zones Trust and Untrust. Verity that Device B generates log messages when a host for which Device B forwards traffic communicates with the Internet. Verity that Device B does not generate log messages when a host for which Device A forwards traffic communicates with the Internet. (Details not shown.)

Example: Configuring active/standby hot backup in collaboration with a routing protocol

Network configuration

As shown in Figure 21, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with OSPF.

· Configure the hot backup system to operate in active/standby mode.

· Configure Device A and Device B as the primary device and the secondary device, respectively.

Figure 21 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure Router A:

NOTE:

This step only provides the brief configuration procedure.

# Assign 2.1.1.2/24 to GigabitEthernet 1/0/7.

# Assign 2.1.10.2/24 to GigabitEthernet 1/0/8.

# Configure OSPF for Device A, Device B, and the routers to have Layer 3 reachability.

3. Configure Router B:

NOTE:

This step only provides the brief configuration procedure.

# Assign 10.1.1.2/24 to GigabitEthernet 1/0/7.

# Assign 10.1.10.2/24 to GigabitEthernet 1/0/8.

# Configure OSPF for Device A, Device B, and the routers to have Layer 3 reachability.

4. Configure Device A:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

c. Configure OSPF. Use the default OSPF link cost configuration.

[DeviceA] router id 2.1.1.1

[DeviceA] ospf

[DeviceA-ospf-1] area 0

[DeviceA-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] quit

[DeviceA-ospf-1] quit

d. Configure a security policy.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

# Configure a rule named trust-untrust to permit the packets from 20.1.1.0/24 to the Internet.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 20.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# Configure rules to permit OSPF protocol packets.

[DeviceA-security-policy-ip] rule name ospf1

[DeviceA-security-policy-ip-4-ospf1] source-zone trust

[DeviceA-security-policy-ip-4-ospf1] destination-zone local

[DeviceA-security-policy-ip-4-ospf1] service ospf

[DeviceA-security-policy-ip-4-ospf1] action pass

[DeviceA-security-policy-ip-4-ospf1] quit

[DeviceA-security-policy-ip] rule name ospf2

[DeviceA-security-policy-ip-5-ospf2] source-zone local

[DeviceA-security-policy-ip-5-ospf2] destination-zone trust

[DeviceA-security-policy-ip-5-ospf2] service ospf

[DeviceA-security-policy-ip-5-ospf2] action pass

[DeviceA-security-policy-ip-5-ospf2] quit

[DeviceA-security-policy-ip] rule name ospf3

[DeviceA-security-policy-ip-6-ospf3] source-zone untrust

[DeviceA-security-policy-ip-6-ospf3] destination-zone local

[DeviceA-security-policy-ip-6-ospf3] service ospf

[DeviceA-security-policy-ip-6-ospf3] action pass

[DeviceA-security-policy-ip-6-ospf3] quit

[DeviceA-security-policy-ip] rule name ospf4

[DeviceA-security-policy-ip-7-ospf4] source-zone local

[DeviceA-security-policy-ip-7-ospf4] destination-zone untrust

[DeviceA-security-policy-ip-7-ospf4] service ospf

[DeviceA-security-policy-ip-7-ospf4] action pass

[DeviceA-security-policy-ip-7-ospf4] quit

[DeviceA-security-policy-ip] quit

e. Configure hot backup settings.

# Associate track entries with interfaces.

[DeviceA] track 1 interface gigabitethernet 1/0/1

[DeviceA-track-1] quit

[DeviceA] track 2 interface gigabitethernet 1/0/2

[DeviceA-track-2] quit

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] undo backup-mode

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

# Configure the hot backup system to change the link costs advertised in OSPF routes to 6000.

RBM_P[DeviceA-remote-backup-group] adjust-cost ospf enable absolute 6000

# Configure the hot backup system to monitor the status of track entry 1 and track entry 2.

RBM_P[DeviceA-remote-backup-group] track 1

RBM_P[DeviceA-remote-backup-group] track 2

RBM_P[DeviceA-remote-backup-group] quit

f. Configure security services on Device A. (Details not shown.)

5. Configure Device B:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 2.1.10.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

c. Configure OSPF. Use the default OSPF link cost configuration.

[DeviceB] router id 2.1.10.1

[DeviceB] ospf

[DeviceB-ospf-1] area 0

[DeviceB-ospf-1-area-0.0.0.0] network 2.1.10.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] quit

[DeviceB-ospf-1] quit

# Associate track entries with interfaces.

[DeviceB] track 1 interface gigabitethernet 1/0/1

[DeviceB-track-1] quit

[DeviceB] track 2 interface gigabitethernet 1/0/2

[DeviceB-track-2] quit

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] undo backup-mode

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

# Configure the hot backup system to change the link costs advertised in OSPF routes to 6000.

RBM_S[DeviceB-remote-backup-group] adjust-cost ospf enable absolute 6000

# Configure the hot backup system to monitor the status of track entry 1 and track entry 2.

RBM_S[DeviceB-remote-backup-group] track 1

RBM_S[DeviceB-remote-backup-group] track 2

RBM_S[DeviceB-remote-backup-group] quit

6. On the host, specify 20.1.1.1 as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify the configuration on Device A:

# Verify that the hot backup channels have been set up.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.1

Remote IP: 10.2.1.2 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that the OSPF routes advertised by Device A include a smaller link cost than that advertised by Device B.

RBM_P[DeviceA] display ospf interface

OSPF Process 1 with Router ID 2.1.1.1

Interfaces

Area: 0.0.0.0

IP Address Type State Cost Pri DR BDR

2.1.1.1 Broadcast BDR 1 1 2.1.1.2 2.1.1.1

10.1.1.1 Broadcast DR 1 1 10.1.1.1 10.1.1.2

2. Verify the configuration on Device B:

# Verify that the hot backup channels have been set up.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Secondary

Device running status: Standby

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.2

Remote IP: 10.2.1.1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that the OSPF routes advertised by Device B include a larger link cost than that advertised by Device A.

RBM_S[DeviceB] display ospf interface

OSPF Process 1 with Router ID 2.1.10.1

Interfaces

Area: 0.0.0.0

IP Address Type State Cost Pri DR BDR

2.1.10.1 Broadcast BDR 6000 1 2.1.10.2 2.1.10.1

10.1.10.1 Broadcast BDR 6000 1 10.1.10.2 10.1.10.1

Example: Configuring dual-active hot backup in collaboration with a routing protocol

Network configuration

As shown in Figure 22, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with OSPF.

· Configure the hot backup system to operate in dual-active mode.

· Configure Device A and Device B to load share traffic.

Figure 22 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure Router A:

NOTE:

This step only provides the brief configuration procedure.

# Assign 2.1.1.2/24 to GigabitEthernet 1/0/7.

# Assign 2.1.10.2/24 to GigabitEthernet 1/0/8.

# Configure OSPF for Device A, Device B, and the routers to have Layer 3 reachability.

# Configure per-flow load sharing for IP forwarding.

3. Configure Router B:

NOTE:

This step only provides the brief configuration procedure.

# Assign 10.1.1.2/24 to GigabitEthernet 1/0/7.

# Assign 10.1.10.2/24 to GigabitEthernet 1/0/8.

# Configure OSPF for Device A, Device B, and the routers to have Layer 3 reachability.

# Configure per-flow load sharing for IP forwarding.

4. Configure Device A:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

c. Configure OSPF. Use the default OSPF link cost configuration.

[DeviceA] router id 2.1.1.1

[DeviceA] ospf

[DeviceA-ospf-1] area 0

[DeviceA-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255

[DeviceA-ospf-1-area-0.0.0.0] quit

[DeviceA-ospf-1] quit

d. Configure a security policy.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

# Configure a rule named trust-untrust to permit the packets from 20.1.1.0/24 to the Internet.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 20.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# Configure rules to permit OSPF protocol packets.

[DeviceA-security-policy-ip] rule name ospf1

[DeviceA-security-policy-ip-4-ospf1] source-zone trust

[DeviceA-security-policy-ip-4-ospf1] destination-zone local

[DeviceA-security-policy-ip-4-ospf1] service ospf

[DeviceA-security-policy-ip-4-ospf1] action pass

[DeviceA-security-policy-ip-4-ospf1] quit

[DeviceA-security-policy-ip] rule name ospf2

[DeviceA-security-policy-ip-5-ospf2] source-zone local

[DeviceA-security-policy-ip-5-ospf2] destination-zone trust

[DeviceA-security-policy-ip-5-ospf2] service ospf

[DeviceA-security-policy-ip-5-ospf2] action pass

[DeviceA-security-policy-ip-5-ospf2] quit

[DeviceA-security-policy-ip] rule name ospf3

[DeviceA-security-policy-ip-6-ospf3] source-zone untrust

[DeviceA-security-policy-ip-6-ospf3] destination-zone local

[DeviceA-security-policy-ip-6-ospf3] service ospf

[DeviceA-security-policy-ip-6-ospf3] action pass

[DeviceA-security-policy-ip-6-ospf3] quit

[DeviceA-security-policy-ip] rule name ospf4

[DeviceA-security-policy-ip-7-ospf4] source-zone local

[DeviceA-security-policy-ip-7-ospf4] destination-zone untrust

[DeviceA-security-policy-ip-7-ospf4] service ospf

[DeviceA-security-policy-ip-7-ospf4] action pass

[DeviceA-security-policy-ip-7-ospf4] quit

[DeviceA-security-policy-ip] quit

e. Configure hot backup settings.

# Associate track entries with interfaces.

[DeviceA] track 1 interface gigabitethernet 1/0/1

[DeviceA-track-1] quit

[DeviceA] track 2 interface gigabitethernet 1/0/2

[DeviceA-track-2] quit

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] backup-mode dual-active

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] delay-time 1

# Configure the hot backup system to change the link costs advertised in OSPF routes to 1.

RBM_P[DeviceA-remote-backup-group] adjust-cost ospf enable absolute 1

# Configure the hot backup system to monitor the status of track entry 1 and track entry 2.

RBM_P[DeviceA-remote-backup-group] track 1

RBM_P[DeviceA-remote-backup-group] track 2

RBM_P[DeviceA-remote-backup-group] quit

f. Configure security services on Device A. (Details not shown.)

5. Configure Device B:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ip address 2.1.10.1 255.255.255.0

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

c. Configure OSPF. Use the default OSPF link cost configuration.

[DeviceB] router id 2.1.10.1

[DeviceB] ospf

[DeviceB-ospf-1] area 0

[DeviceB-ospf-1-area-0.0.0.0] network 2.1.10.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255

[DeviceB-ospf-1-area-0.0.0.0] quit

[DeviceB-ospf-1] quit

d. Configure hot backup settings.

# Associate track entries with interfaces.

[DeviceB] track 1 interface gigabitethernet 1/0/1

[DeviceB-track-1] quit

[DeviceB] track 2 interface gigabitethernet 1/0/2

[DeviceB-track-2] quit

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] backup-mode dual-active

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] delay-time 1

# Configure the hot backup system to change the link costs advertised in OSPF routes to 1.

RBM_S[DeviceB-remote-backup-group] adjust-cost ospf enable absolute 1

# Configure the hot backup system to monitor the status of track entry 1 and track entry 2.

RBM_S[DeviceB-remote-backup-group] track 1

RBM_S[DeviceB-remote-backup-group] track 2

RBM_S[DeviceB-remote-backup-group] quit

6. On the hosts, specify 20.1.1.1 as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify the configuration on Device A:

# Verify that the hot backup channels have been set up.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.1

Remote IP: 10.2.1.2 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that the OSPF routes advertised by Device A and Device B include the same link cost.

RBM_P[DeviceA] display ospf interface

OSPF Process 1 with Router ID 2.1.1.1

Interfaces

Area: 0.0.0.0

IP Address Type State Cost Pri DR BDR

2.1.1.1 Broadcast BDR 1 1 2.1.1.2 2.1.1.1

10.1.1.1 Broadcast DR 1 1 10.1.1.1 10.1.1.2

2. Verify the configuration on Device B:

# Verify that the hot backup channels have been set up.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Secondary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.2

Remote IP: 10.2.1.1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that the OSPF routes advertised by Device A and Device B include the same link cost.

RBM_S[DeviceB] display ospf interface

OSPF Process 1 with Router ID 2.1.10.1

Interfaces

Area: 0.0.0.0

IP Address Type State Cost Pri DR BDR

2.1.10.1 Broadcast BDR 1 1 2.1.10.2 2.1.10.1

10.1.10.1 Broadcast BDR 1 1 10.1.10.2 10.1.10.1

Example: Configuring a transparent in-path hot backup system in active/standby mode

Network configuration

As shown in Figure 23, set up a transparent in-path hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to operate in active/standby mode.

· Connect Switch A and Switch B to Layer 2 interfaces of the hot backup system.

· Configure Device A and Device B as the primary device and the secondary device, respectively.

Figure 23 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure Switch A:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the router to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

3. Configure Switch B:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the host to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

4. Configure Device A:

a. Configure VLANs.

# Configure the uplink and downlink interfaces to operate at Layer 2.

<DeviceA> system-view

[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2

[DeviceA-if-range] port link-mode bridge

[DeviceA-if-range] quit

# Assign the uplink and downlink interfaces to VLAN 10.

[DeviceA] vlan 10

[DeviceA-vlan10] port gigabitethernet 1/0/1

[DeviceA-vlan10] port gigabitethernet 1/0/2

[DeviceA-vlan10] quit

b. Assign an IP address to GigabitEthernet 1/0/3.

[DeviceA] interface gigabitethernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] ip address 10.2.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/3] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

c. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1 vlan 10

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2 vlan 10

[DeviceA-security-zone-Trust] quit

d. Configure a rule named trust-untrust to permit the packets from 10.1.1.0/24 to the Internet.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

[DeviceA-security-policy-ip] quit

e. Configure hot backup settings.

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] undo backup-mode

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

# Configure the hot backup system to monitor the status of VLAN 10.

RBM_P[DeviceA-remote-backup-group] track vlan 10

RBM_P[DeviceA-remote-backup-group] quit

f. Configure security services on Device A. (Details not shown.)

5. Configure Device B:

a. Configure VLANs.

# Configure the uplink and downlink interfaces to operate at Layer 2.

<DeviceB> system-view

[DeviceB] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2

[DeviceB-if-range] port link-mode bridge

[DeviceB-if-range] quit

# Assign the uplink and downlink interfaces to VLAN 10.

[DeviceB] vlan 10

[DeviceB-vlan10] port gigabitethernet 1/0/1

[DeviceB-vlan10] port gigabitethernet 1/0/2

[DeviceB-vlan10] quit

b. Assign an IP address to GigabitEthernet 1/0/3.

[DeviceB] interface gigabitethernet 1/0/3

[DeviceB-GigabitEthernet1/0/3] ip address 10.2.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/3] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

c. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1 vlan 10

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2 vlan 10

[DeviceB-security-zone-Trust] quit

d. Configure hot backup settings.

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] undo backup-mode

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

# Configure the hot backup system to monitor the state of VLAN 10.

RBM_S[DeviceB-remote-backup-group] track vlan 10

RBM_S[DeviceB-remote-backup-group] quit

6. On the host, specify 10.1.1.1 as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify that the hot backup channels have been set up on Device A.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.1

Remote IP: 10.2.1.2 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

2. Verify that the hot backup channels have been set up on Device B.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Secondary

Device running status: Standby

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.2

Remote IP: 10.2.1.1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

Example: Configuring a transparent in-path hot backup system in dual-active mode

Network configuration

As shown in Figure 24, set up a transparent in-path hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to operate in dual-active mode.

· Connect Router A and Router B to Layer 2 interfaces of the hot backup system.

· Configure Device A and Device B to load share traffic.

Figure 24 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure OSPF on Router A for the host to access the Internet and for Device A and Device B to load share the traffic sent to the host.

3. Configure OSPF on Router B for the host to access the Internet and for Device A and Device B to load share the traffic sent to the Internet.

4. Configure Device A:

a. Configure VLANs.

# Configure the uplink and downlink interfaces to operate at Layer 2.

<DeviceA> system-view

[DeviceA] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2

[DeviceA-if-range] port link-mode bridge

[DeviceA-if-range] quit

# Assign the uplink and downlink interfaces to VLAN 10.

[DeviceA] vlan 10

[DeviceA-vlan10] port gigabitethernet 1/0/1

[DeviceA-vlan10] port gigabitethernet 1/0/2

[DeviceA-vlan10] quit

b. Assign an IP address to GigabitEthernet 1/0/3.

[DeviceA] interface GigabitEthernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] ip address 10.2.1.1 255.255.255.0

[DeviceA-GigabitEthernet1/0/3] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

c. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1 vlan 10

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2 vlan 10

[DeviceA-security-zone-Trust] quit

d. Configure a security policy.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

# Configure a rule named trust-untrust to permit the packets from 10.1.1.0/24 to the Internet.

[DeviceA] security-policy ip

[DeviceA-security-policy-ip] rule name trust-untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24

[DeviceA-security-policy-ip-3-trust-untrust] action pass

[DeviceA-security-policy-ip-3-trust-untrust] quit

# Configure rules to permit OSPF protocol packets.

[DeviceA-security-policy-ip] rule name ospf1

[DeviceA-security-policy-ip-4-ospf1] source-zone trust

[DeviceA-security-policy-ip-4-ospf1] destination-zone untrust

[DeviceA-security-policy-ip-4-ospf1] service ospf

[DeviceA-security-policy-ip-4-ospf1] action pass

[DeviceA-security-policy-ip-4-ospf1] quit

[DeviceA-security-policy-ip] rule name ospf2

[DeviceA-security-policy-ip-5-ospf2] source-zone untrust

[DeviceA-security-policy-ip-5-ospf2] destination-zone trust

[DeviceA-security-policy-ip-5-ospf2] service ospf

[DeviceA-security-policy-ip-5-ospf2] action pass

[DeviceA-security-policy-ip-5-ospf2] quit

[DeviceA-security-policy-ip] quit

e. Configure hot backup settings.

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ip 10.2.1.2

[DeviceA-remote-backup-group] local-ip 10.2.1.1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] backup-mode dual-active

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] delay-time 1

# Configure the hot backup system to monitor the status of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

RBM_P[DeviceA-remote-backup-group] track interface gigabitethernet 1/0/1

RBM_P[DeviceA-remote-backup-group] track interface gigabitethernet 1/0/2

RBM_P[DeviceA-remote-backup-group] quit

f. Configure security services on Device A. (Details not shown.)

5. Configure Device B:

a. Configure VLANs.

# Configure the uplink and downlink interfaces to operate at Layer 2.

<DeviceB> system-view

[DeviceB] interface range gigabitethernet 1/0/1 to gigabitethernet 1/0/2

[DeviceB-if-range] port link-mode bridge

[DeviceB-if-range] quit

# Assign the uplink and downlink interfaces to VLAN 10.

[DeviceB] vlan 10

[DeviceB-vlan10] port gigabitethernet 1/0/1

[DeviceB-vlan10] port gigabitethernet 1/0/2

[DeviceB-vlan10] quit

b. Assign an IP address to GigabitEthernet 1/0/3.

[DeviceB] interface gigabitethernet 1/0/3

[DeviceB-GigabitEthernet1/0/3] ip address 10.2.1.2 255.255.255.0

[DeviceB-GigabitEthernet1/0/3] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

c. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1 vlan 10

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2 vlan 10

[DeviceB-security-zone-Trust] quit

d. Configure hot backup settings.

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ip 10.2.1.1

[DeviceB-remote-backup-group] local-ip 10.2.1.2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] backup-mode dual-active

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] delay-time 1

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

# Configure the hot backup system to monitor the status of GigabitEthernet 1/0/1 and GigabitEthernet 1/0/2.

RBM_S[DeviceB-remote-backup-group] track interface gigabitethernet 1/0/1

RBM_S[DeviceB-remote-backup-group] track interface gigabitethernet 1/0/2

RBM_S[DeviceB-remote-backup-group] quit

6. On the host, specify 10.1.1.1 as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify that the hot backup channels have been set up on Device A.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.1

Remote IP: 10.2.1.2 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

2. Verify that the hot backup channels have been set up on Device B.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Secondary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IP: 10.2.1.2

Remote IP: 10.2.1.1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

Example: Configuring interface-based NAT on an active/standby hot backup system in collaboration with VRRP

Network configuration

As shown in Figure 25, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with VRRP.

· Configure the hot backup system to operate in active/standby mode.

· Configure Device A and Device B as the primary device and the secondary device, respectively.

· Configure dynamic NAT to translate the private IP addresses in the internal network into public IP addresses 2.1.1.1 through 2.1.1.10.

Figure 25 Network diagram

‌

Procedure

1. Set up the hot backup system as described in "Example: Configuring active/standby hot backup in collaboration with VRRP."

2. Configure dynamic NAT on Device A (primary):

# Create NAT address group 1 and add address range 2.1.1.5 to 2.1.1.10. Associate NAT address group 1 with VRRP group 1.

RBM_P<DeviceA> system-view

RBM_P[DeviceA] nat address-group 1

RBM_P[DeviceA-address-group-1] address 2.1.1.5 2.1.1.10

RBM_P[DeviceA-address-group-1] vrrp vrid 1

RBM_P[DeviceA-address-group-1] quit

# Configure outbound dynamic NAT to use NAT address group 1 for address translation on GigabitEthernet 1/0/1.

RBM_P[DeviceA] interface gigabitethernet 1/0/1

RBM_P[DeviceA-GigabitEthernet1/0/1] nat outbound address-group 1

RBM_P[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that the host can communicate with the Internet. (Details not shown.)

# Verify that Device A has generated a NAT session entry.

RBM_P[DeviceA] display nat session verbose

Slot 1:

Initiator:

Source IP/port: 10.1.1.10/52082

Destination IP/port: 202.38.1.10/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/2

Source security zone: Trust

Responder:

Source IP/port: 202.38.1.10/80

Destination IP/port: 2.1.1.5/1036

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:16:59 TTL: 9995s

Initiator->Responder: 551 packets 32547 bytes

Responder->Initiator: 956 packets 1385514 bytes

Total sessions found: 1

Example: Configuring interface-based NAT on a dual-active hot backup system in collaboration with VRRP

Network configuration

As shown in Figure 26, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with VRRP.

· Configure the hot backup system to operate in dual-active mode.

· Configure Device A and Device B to load share traffic.

· Configure dynamic NAT to translate the private IP addresses in the internal network into public IP addresses 2.1.1.1 through 2.1.1.10.

Figure 26 Network diagram

‌

Procedure

1. Set up the hot backup system as described in "Example: Configuring dual-active hot backup in collaboration with VRRP".

2. Configure dynamic NAT on Device A (primary):

# Create NAT address group 1 and add address range 2.1.1.5 to 2.1.1.7. Associate NAT address group 1 with VRRP group 1.

RBM_P<DeviceA> system-view

RBM_P[DeviceA] nat address-group 1

RBM_P[DeviceA-address-group-1] address 2.1.1.5 2.1.1.7

RBM_P[DeviceA-address-group-1] vrrp vrid 1

RBM_P[DeviceA-address-group-1] quit

# Create NAT address group 2 and add address range 2.1.1.8 to 2.1.1.10. Associate NAT address group 2 with VRRP group 2.

RBM_P[DeviceA] nat address-group 2

RBM_P[DeviceA-address-group-2] address 2.1.1.8 2.1.1.10

RBM_P[DeviceA-address-group-2] vrrp vrid 2

RBM_P[DeviceA-address-group-2] quit

# Configure ACL 3000 to permit packets from 10.1.1.1/25. Configure ACL 3001 to permit packets from 10.1.1.129/25.

RBM_P[DeviceA] acl advanced 3000

RBM_P[DeviceA-ipv4-adv-3000] rule permit ip source 10.1.1.1 0.0.0.127

RBM_P[DeviceA-ipv4-adv-3000] quit

RBM_P[DeviceA] acl advanced 3001

RBM_P[DeviceA-ipv4-adv-3001] rule permit ip source 10.1.1.129 0.0.0.127

RBM_P[DeviceA-ipv4-adv-3001] quit

# Configure outbound dynamic NAT on GigabitEthernet 1/0/1. The source IP addresses of the packets permitted by ACL 3000 are translated into the addresses in NAT address group 1. The source IP addresses of the packets permitted by ACL 3001 are translated into the addresses in NAT address group 2.

RBM_P[DeviceA] interface gigabitethernet 1/0/1

RBM_P[DeviceA-GigabitEthernet1/0/1] nat outbound 3000 address-group 1

RBM_P[DeviceA-GigabitEthernet1/0/1] nat outbound 3001 address-group 2

RBM_P[DeviceA-GigabitEthernet1/0/1] quit

Verifying the configuration

# Verify that Host 1 can communicate with the Internet. (Details not shown.)

# Verify that Device A has generated a NAT session entry.

RBM_P[DeviceA] display nat session verbose

Slot 1:

Initiator:

Source IP/port: 10.1.1.100/52082

Destination IP/port: 202.38.1.10/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/2

Source security zone: Trust

Responder:

Source IP/port: 202.38.1.10/80

Destination IP/port: 2.1.1.5/1036

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:16:59 TTL: 9995s

Initiator->Responder: 551 packets 32547 bytes

Responder->Initiator: 956 packets 1385514 bytes

Total sessions found: 1

# Verify that Host 3 can communicate with the Internet. (Details not shown.)

# Verify that Device B has generated a NAT session entry.

RBM_S[DeviceB] display nat session verbose

Slot 1:

Initiator:

Source IP/port: 10.1.1.200/52082

Destination IP/port: 202.38.1.10/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface:

Source security zone: Trust

Responder:

Source IP/port: 202.38.1.10/80

Destination IP/port: 2.1.1.8/1036

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface:

Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:17:59 TTL: 9995s

Initiator->Responder: 551 packets 32547 bytes

Responder->Initiator: 956 packets 1385514 bytes

Total sessions found: 1

Example: Configuring global NAT on an active/standby hot backup system in collaboration with VRRP

Network configuration

As shown in Figure 27, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with VRRP.

· Configure the hot backup system to operate in active/standby mode.

· Configure Device A and Device B as the primary device and the secondary device, respectively.

· Configure dynamic NAT to translate the private IP addresses in the internal network into public IP addresses 2.1.1.1 through 2.1.1.10.

Figure 27 Network diagram

‌

Procedure

1. Set up the hot backup system as described in "Example: Configuring active/standby hot backup in collaboration with VRRP."

2. Configure dynamic NAT globally on Device A (primary):

# Create NAT address group 1 and add address range 2.1.1.5 to 2.1.1.10. Associate NAT address group 1 with VRRP group 1.

RBM_P<DeviceA> system-view

RBM_P[DeviceA] nat address-group 1

RBM_P[DeviceA-address-group-1] address 2.1.1.5 2.1.1.10

RBM_P[DeviceA-address-group-1] vrrp vrid 1

RBM_P[DeviceA-address-group-1] quit

# Configure a global NAT policy to use NAT address group 1 for address translation of the traffic sent from the internal network to the Internet.

RBM_P[DeviceA] nat global-policy

RBM_P[DeviceA-nat-global-policy] rule name rule1

RBM_P[DeviceA-nat-global-policy-rule1] source-zone Trust

RBM_P[DeviceA-nat-global-policy-rule1] destination-zone Untrust

RBM_P[DeviceA-nat-global-policy-rule1] source-ip subnet 10.1.1.0 24

RBM_P[DeviceA-nat-global-policy-rule1] action snat address-group 1 vrrp 1

RBM_P[DeviceA-nat-global-policy-rule1] quit

RBM_P[DeviceA-nat-global-policy] quit

Verifying the configuration

# Verify that the host can communicate with the Internet. (Details not shown.)

# Verify that Device A has generated a NAT session entry.

RBM_P[DeviceA] display nat session verbose

Slot 1:

Initiator:

Source IP/port: 10.1.1.10/52082

Destination IP/port: 202.38.1.10/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/2

Source security zone: Trust

Responder:

Source IP/port: 202.38.1.10/80

Destination IP/port: 2.1.1.5/1036

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:16:59 TTL: 9995s

Initiator->Responder: 551 packets 32547 bytes

Responder->Initiator: 956 packets 1385514 bytes

Total sessions found: 1

Example: Configuring global NAT on a dual-active hot backup system in collaboration with VRRP

Network configuration

As shown in Figure 28, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with VRRP.

· Configure the hot backup system to operate in dual-active mode.

· Configure Device A and Device B to load share traffic.

· Configure dynamic NAT to translate the private IP addresses in the internal network into public IP addresses 2.1.1.1 through 2.1.1.10.

Figure 28 Network diagram

‌

Procedure

1. Set up the hot backup system as described in "Example: Configuring dual-active hot backup in collaboration with VRRP".

2. Configure dynamic NAT on Device A (primary):

# Create NAT address group 1 and add address range 2.1.1.5 to 2.1.1.7. Associate NAT address group 1 with VRRP group 1.

RBM_P<DeviceA> system-view

RBM_P[DeviceA] nat address-group 1

RBM_P[DeviceA-address-group-1] address 2.1.1.5 2.1.1.7

RBM_P[DeviceA-address-group-1] vrrp vrid 1

RBM_P[DeviceA-address-group-1] quit

# Create NAT address group 2 and add address range 2.1.1.8 to 2.1.1.10. Associate NAT address group 2 with VRRP group 2.

RBM_P[DeviceA] nat address-group 2

RBM_P[DeviceA-address-group-2] address 2.1.1.8 2.1.1.10

RBM_P[DeviceA-address-group-2] vrrp vrid 2

RBM_P[DeviceA-address-group-2] quit

# Configure global NAT rule 1 to use NAT address group 1 for address translation of the traffic sent from the 10.1.1.1/25 network to the Internet.

RBM_P[DeviceA] nat global-policy

RBM_P[DeviceA-nat-global-policy] rule name rule1

RBM_P[DeviceA-nat-global-policy-rule1] source-zone Trust

RBM_P[DeviceA-nat-global-policy-rule1] destination-zone Untrust

RBM_P[DeviceA-nat-global-policy-rule1] source-ip subnet 10.1.1.1 25

RBM_P[DeviceA-nat-global-policy-rule1] action snat address-group 1 vrrp 1

RBM_P[DeviceA-nat-global-policy-rule1] quit

# Configure global NAT rule 2 to use NAT address group 2 for address translation of the traffic sent from the 10.1.1.129/25 network to the Internet.

RBM_P[DeviceA-nat-global-policy] rule name rule2

RBM_P[DeviceA-nat-global-policy-rule2] source-zone Trust

RBM_P[DeviceA-nat-global-policy-rule2] destination-zone Untrust

RBM_P[DeviceA-nat-global-policy-rule2] source-ip subnet 10.1.1.129 25

RBM_P[DeviceA-nat-global-policy-rule2] action snat address-group 2 vrrp 2

RBM_P[DeviceA-nat-global-policy-rule2] quit

RBM_P[DeviceA-nat-global-policy] quit

Verifying the configuration

# Verify that Host 1 can communicate with the Internet. (Details not shown.)

# Verify that Device A has generated a NAT session entry.

RBM_P[DeviceA] display nat session verbose

Slot 1:

Initiator:

Source IP/port: 10.1.1.100/52082

Destination IP/port: 202.38.1.10/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/2

Source security zone: Trust

Responder:

Source IP/port: 202.38.1.10/80

Destination IP/port: 2.1.1.5/1036

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface: GigabitEthernet1/0/1

Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:16:59 TTL: 9995s

Initiator->Responder: 551 packets 32547 bytes

Responder->Initiator: 956 packets 1385514 bytes

Total sessions found: 1

# Verify that Host 3 can communicate with the Internet. (Details not shown.)

# Verify that Device B has generated a NAT session entry.

RBM_S[DeviceB] display nat session verbose

Slot 1:

Initiator:

Source IP/port: 10.1.1.200/52082

Destination IP/port: 202.38.1.10/80

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface:

Source security zone: Trust

Responder:

Source IP/port: 202.38.1.10/80

Destination IP/port: 2.1.1.8/1036

DS-Lite tunnel peer: -

VPN instance/VLAN ID/Inline ID: -/-/-

Protocol: TCP(6)

Inbound interface:

Source security zone: Untrust

State: TCP_ESTABLISHED

Application: HTTP

Rule ID: 2

Rule name: 3

Start time: 2019-1-29 16:17:59 TTL: 9995s

Initiator->Responder: 551 packets 32547 bytes

Responder->Initiator: 956 packets 1385514 bytes

Total sessions found: 1

Hot backup configuration examples (IPv6)

Example: Configuring active/standby hot backup in collaboration with VRRP

Network configuration

As shown in Figure 19, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with VRRP.

· Configure the hot backup system to operate in active/standby mode.

· Configure Device A and Device B as the primary device and the secondary device, respectively.

Figure 29 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure Switch A:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the router to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

3. Configure Switch B:

NOTE:

This step only provides the brief configuration procedure.

# Create VLAN 10.

# Configure the interfaces attached to the hot backup system and the host to operate at Layer 2. Assign them to VLAN 10 as access interfaces.

4. Configure the router:

NOTE:

This step only provides the brief configuration procedure.

# Assign 3003::15/64 to GigabitEthernet 1/0/7.

# Configure routes as follows:

¡ Specify 3003::3/64 (virtual IP address of VRRP group 1) as the next hop of the routes to the internal network.

¡ Specify the IP address of the peer interface attached to the traffic outgoing interface as the next hop of the route to the Internet.

5. Configure Device A:

a. Assign IP addresses to interfaces.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ipv6 address 3003::1/64

[DeviceA-GigabitEthernet1/0/1] ipv6 address fe80::3:1 link-local

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] interface gigabitethernet 1/0/2

[DeviceA-GigabitEthernet1/0/2] ipv6 address 3001::1/64

[DeviceA-GigabitEthernet1/0/2] ipv6 address fe80::1:1 link-local

[DeviceA-GigabitEthernet1/0/2] undo ipv6 nd ra halt

[DeviceA-GigabitEthernet1/0/2] quit

[DeviceA] interface gigabitethernet 1/0/3

[DeviceA-GigabitEthernet1/0/3] ipv6 address 3005::1/64

[DeviceA-GigabitEthernet1/0/3] ipv6 address auto link-local

[DeviceA-GigabitEthernet1/0/3] quit

b. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

c. Configure settings for routing. This example configures a static route, and the next hop in the route is 3003::15.

[DeviceA] ipv6 route-static 0::0 0 3003::15

d. Configure a security policy.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

# Configure security policy rule named trust-untrust to permit the packets from 3001::0/64 to the Internet.

[DeviceA] security-policy ipv6

[DeviceA-security-policy-ipv6] rule name trust-untrust

[DeviceA-security-policy-ipv6-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ipv6-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ipv6-3-trust-untrust] source-ip-subnet 3001::0 64

[DeviceA-security-policy-ipv6-3-trust-untrust] action pass

[DeviceA-security-policy-ipv6-3-trust-untrust] quit

# Configure rules to permit VRRP protocol packets. When the hot backup channel is disconnected, Device A and Device B can exchange VRRP protocol packets to elect a VRRP master.

[DeviceA-security-policy-ipv6] rule name vrrp1

[DeviceA-security-policy-ipv6-4-vrrp1] source-zone trust

[DeviceA-security-policy-ipv6-4-vrrp1] destination-zone local

[DeviceA-security-policy-ipv6-4-vrrp1] service vrrp

[DeviceA-security-policy-ipv6-4-vrrp1] action pass

[DeviceA-security-policy-ipv6-4-vrrp1] quit

[DeviceA-security-policy-ipv6] rule name vrrp2

[DeviceA-security-policy-ipv6-5-vrrp2] source-zone local

[DeviceA-security-policy-ipv6-5-vrrp2] destination-zone trust

[DeviceA-security-policy-ipv6-5-vrrp2] service vrrp

[DeviceA-security-policy-ipv6-5-vrrp2] action pass

[DeviceA-security-policy-ipv6-5-vrrp2] quit

[DeviceA-security-policy-ipv6] rule name vrrp3

[DeviceA-security-policy-ipv6-6-vrrp3] source-zone untrust

[DeviceA-security-policy-ipv6-6-vrrp3] destination-zone local

[DeviceA-security-policy-ipv6-6-vrrp3] service vrrp

[DeviceA-security-policy-ipv6-6-vrrp3] action pass

[DeviceA-security-policy-ipv6-6-vrrp3] quit

[DeviceA-security-policy-ipv6] rule name vrrp4

[DeviceA-security-policy-ipv6-7-vrrp4] source-zone local

[DeviceA-security-policy-ipv6-7-vrrp4] destination-zone untrust

[DeviceA-security-policy-ipv6-7-vrrp4] service vrrp

[DeviceA-security-policy-ipv6-7-vrrp4] action pass

[DeviceA-security-policy-ipv6-7-vrrp4] quit

[DeviceA-security-policy-ipv6] quit

e. Configure hot backup settings.

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ipv6 3005::2

[DeviceA-remote-backup-group] local-ipv6 3005::1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] undo backup-mode

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] quit

# Create VRRP groups and associate them with the hot backup system.

RBM_P[DeviceA] interface gigabitethernet 1/0/1

RBM_P[DeviceA-GigabitEthernet1/0/1] vrrp ipv6 vrid 1 virtual-ip fe80::3:3 link-local active

RBM_P[DeviceA-GigabitEthernet1/0/1] vrrp ipv6 vrid 1 virtual-ip 3003::3

RBM_P[DeviceA-GigabitEthernet1/0/1] quit

RBM_P[DeviceA] interface gigabitethernet 1/0/2

RBM_P[DeviceA-GigabitEthernet1/0/2] vrrp ipv6 vrid 1 virtual-ip fe80::1:3 link-local active

RBM_P[DeviceA-GigabitEthernet1/0/2] vrrp ipv6 vrid 1 virtual-ip 3001::3

RBM_P[DeviceA-GigabitEthernet1/0/2] quit

f. Configure security services on Device A. (Details not shown.)

6. Configure Device B:

a. Assign IP addresses to interfaces.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ipv6 address 3003::2/64

[DeviceB-GigabitEthernet1/0/1] ipv6 address fe80::3:2 link-local

[DeviceB-GigabitEthernet1/0/1] quit

[DeviceB] interface gigabitethernet 1/0/2

[DeviceB-GigabitEthernet1/0/2] ipv6 address 3001::2/64

[DeviceB-GigabitEthernet1/0/2] ipv6 address fe80::1:2 link-local

[DeviceB-GigabitEthernet1/0/2] undo ipv6 nd ra halt

[DeviceB-GigabitEthernet1/0/2] quit

[DeviceB] interface gigabitethernet 1/0/3

[DeviceB-GigabitEthernet1/0/3] ipv6 address 3005::2/64

[DeviceB-GigabitEthernet1/0/3] ipv6 address auto link-local

[DeviceB-GigabitEthernet1/0/3] quit

b. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

c. Configure settings for routing. This example configures a static route, and the next hop in the route is 3003::15.

[DeviceB] ipv6 route-static 0::0 0 3003::15

d. Configure hot backup settings.

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ipv6 3005::1

[DeviceB-remote-backup-group] local-ipv6 3005::2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] undo backup-mode

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] quit

# Create VRRP groups and associate them with the hot backup system.

RBM_S[DeviceB] interface gigabitethernet 1/0/1

RBM_S[DeviceB-GigabitEthernet1/0/1] vrrp ipv6 vrid 1 virtual-ip fe80::3:3 link-local standby

RBM_S[DeviceB-GigabitEthernet1/0/1] vrrp ipv6 vrid 1 virtual-ip 3003::3

RBM_S[DeviceB-GigabitEthernet1/0/1] quit

RBM_S[DeviceB] interface gigabitethernet 1/0/2

RBM_S[DeviceB-GigabitEthernet1/0/2] vrrp ipv6 vrid 1 virtual-ip fe80::1:3 link-local standby

RBM_S[DeviceB-GigabitEthernet1/0/2] vrrp ipv6 vrid 1 virtual-ip 3001::3

RBM_S[DeviceB-GigabitEthernet1/0/2] quit

7. On the host, specify 3001::3 (virtual IP address of VRRP group 2) as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify the configuration on Device A:

# Verify that the hot backup channels have been set up.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that Device A is the master in all VRRP groups.

RBM_P[DeviceA] display vrrp ipv6

IPv6 Virtual Router Information:

Running mode : Standard

RBM control channel is established

IPv6 VRRP active group status : Master

IPv6 VRRP standby group status: Master

Total number of virtual routers : 2

Interface VRID State Running Adver Auth Virtual

Pri Timer Type IP

---------------------------------------------------------------------

GE1/0/1 1 Master 100 100 None FE80::3:3

GE1/0/2 1 Master 100 100 None FE80::1:3

2. Verify the configuration on Device B:

# Verify that the hot backup channels have been set up.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Active/standby

Device management role: Secondary

Device running status: Standby

Data channel interface: GigabitEthernet1/0/3

Local IPv6: 3005::2

Remote IPv6: 3005::1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 0 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that Device A is the backup in all VRRP groups.

RBM_S[DeviceB] display vrrp ipv6

IPv6 Virtual Router Information:

Running mode : Standard

RBM control channel is established

IPv6 VRRP active group status : Backup

IPv6 VRRP standby group status: Backup

Total number of virtual routers : 2

Interface VRID State Running Adver Auth Virtual

Pri Timer Type IP

---------------------------------------------------------------------

GE1/0/1 1 Backup 100 100 None FE80::3:3

GE1/0/2 1 Backup 100 100 None FE80::1:3

Example: Configuring dual-active hot backup in collaboration with a routing protocol

Network configuration

As shown in Figure 22, set up a hot backup system at the border between the Internet and the internal network of an enterprise to ensure service continuity.

· Configure the hot backup system to collaborate with OSPFv3.

· Configure the hot backup system to operate in dual-active mode.

· Configure Device A and Device B to load share traffic.

Figure 30 Network diagram

‌

Procedure

1. Verify that Device A and Device B have software and hardware environment consistency.

2. Configure Router A:

NOTE:

This step only provides the brief configuration procedure.

# Assign 3003::2/64 to GigabitEthernet 1/0/7.

# Assign 3004::2/64 to GigabitEthernet 1/0/8.

# Configure OSPFv3 for Device A, Device B, and the routers to have Layer 3 reachability.

# Configure per-flow load sharing for IP forwarding.

3. Configure Router B:

NOTE:

This step only provides the brief configuration procedure.

# Assign 3001::2/64 to GigabitEthernet 1/0/7.

# Assign 3002::2/64 to GigabitEthernet 1/0/8.

# Configure OSPFv3 for Device A, Device B, and the routers to have Layer 3 reachability.

# Configure per-flow load sharing for IP forwarding.

4. Configure Device A:

a. Assign an IP address to GigabitEthernet 1/0/1.

<DeviceA> system-view

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ipv6 address 3003::1/64

[DeviceA-GigabitEthernet1/0/1] ipv6 address auto link-local

[DeviceA-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceA] security-zone name untrust

[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceA-security-zone-Untrust] quit

[DeviceA] security-zone name trust

[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceA-security-zone-Trust] quit

c. Configure OSPFv3. Use the default OSPFv3 link cost configuration.

[DeviceA] ospfv3 1

[DeviceA-ospfv3-1] router-id 2.1.1.1

[DeviceA-ospfv3-1] quit

[DeviceA] interface gigabitethernet 1/0/1

[DeviceA-GigabitEthernet1/0/1] ospfv3 1 area 0

[DeviceA-GigabitEthernet1/0/1] quit

[DeviceA] interface GigabitEthernet1/0/2

[DeviceA-GigabitEthernet1/0/2] ospfv3 1 area 0

[DeviceA-GigabitEthernet1/0/2] quit

d. Configure a security policy.

Perform this task only on the primary device. After the hot backup system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.

# Configure security policy rule named trust-untrust to permit the packets from 2001::0/64 to the Internet.

[DeviceA] security-policy ipv6

[DeviceA-security-policy-ipv6] rule name trust-untrust

[DeviceA-security-policy-ipv6-3-trust-untrust] source-zone trust

[DeviceA-security-policy-ipv6-3-trust-untrust] destination-zone untrust

[DeviceA-security-policy-ipv6-3-trust-untrust] source-ip-subnet 2001::0 64

[DeviceA-security-policy-ipv6-3-trust-untrust] action pass

[DeviceA-security-policy-ipv6-3-trust-untrust] quit

# Configure rules to permit OSPFv3 protocol packets.

[DeviceA-security-policy-ipv6] rule name ospf1

[DeviceA-security-policy-ipv6-4-ospf1] source-zone trust

[DeviceA-security-policy-ipv6-4-ospf1] destination-zone local

[DeviceA-security-policy-ipv6-4-ospf1] service ospf

[DeviceA-security-policy-ipv6-4-ospf1] action pass

[DeviceA-security-policy-ipv6-4-ospf1] quit

[DeviceA-security-policy-ipv6] rule name ospf2

[DeviceA-security-policy-ipv6-5-ospf2] source-zone local

[DeviceA-security-policy-ipv6-5-ospf2] destination-zone trust

[DeviceA-security-policy-ipv6-5-ospf2] service ospf

[DeviceA-security-policy-ipv6-5-ospf2] action pass

[DeviceA-security-policy-ipv6-5-ospf2] quit

[DeviceA-security-policy-ipv6] rule name ospf3

[DeviceA-security-policy-ipv6-6-ospf3] source-zone untrust

[DeviceA-security-policy-ipv6-6-ospf3] destination-zone local

[DeviceA-security-policy-ipv6-6-ospf3] service ospf

[DeviceA-security-policy-ipv6-6-ospf3] action pass

[DeviceA-security-policy-ipv6-6-ospf3] quit

[DeviceA-security-policy-ipv6] rule name ospf4

[DeviceA-security-policy-ipv6-7-ospf4] source-zone local

[DeviceA-security-policy-ipv6-7-ospf4] destination-zone untrust

[DeviceA-security-policy-ipv6-7-ospf4] service ospf

[DeviceA-security-policy-ipv6-7-ospf4] action pass

[DeviceA-security-policy-ipv6-7-ospf4] quit

[DeviceA-security-policy-ipv6] quit

e. Configure hot backup settings.

# Associate track entries with interfaces.

[DeviceA] track 1 interface gigabitethernet 1/0/1

[DeviceA-track-1] quit

[DeviceA] track 2 interface gigabitethernet 1/0/2

[DeviceA-track-2] quit

# Set up a hot backup system.

[DeviceA] remote-backup group

[DeviceA-remote-backup-group] remote-ipv6 3005::2

[DeviceA-remote-backup-group] local-ipv6 3005::1

[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceA-remote-backup-group] device-role primary

RBM_P[DeviceA-remote-backup-group] backup-mode dual-active

RBM_P[DeviceA-remote-backup-group] hot-backup enable

RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable

RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12

RBM_P[DeviceA-remote-backup-group] delay-time 1

# Configure the hot backup system to change the link costs advertised in OSPFv3 routes to 1.

RBM_P[DeviceA-remote-backup-group] adjust-cost ospfv3 enable absolute 1

# Configure the hot backup system to monitor the status of track entry 1 and track entry 2.

RBM_P[DeviceA-remote-backup-group] track 1

RBM_P[DeviceA-remote-backup-group] track 2

RBM_P[DeviceA-remote-backup-group] quit

f. Configure security services on Device A. (Details not shown.)

5. Configure Device B:

a. Assign IP addresses to interfaces.

<DeviceB> system-view

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ipv6 address 3004::1/64

[DeviceB-GigabitEthernet1/0/1] ipv6 address auto link-local

[DeviceB-GigabitEthernet1/0/1] quit

# Assign IP addresses to other interfaces in the same way. (Details not shown.)

b. Add interfaces to security zones.

[DeviceB] security-zone name untrust

[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1

[DeviceB-security-zone-Untrust] quit

[DeviceB] security-zone name trust

[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2

[DeviceB-security-zone-Trust] quit

c. Configure OSPFv3. Use the default OSPFv3 link cost configuration.

[DeviceB] ospfv3 1

[DeviceB-ospfv3-1] router-id 3.1.1.1

[DeviceB-ospfv3-1] quit

[DeviceB] interface gigabitethernet 1/0/1

[DeviceB-GigabitEthernet1/0/1] ospfv3 1 area 0

[DeviceB-GigabitEthernet1/0/1] quit

[DeviceB] interface GigabitEthernet1/0/2

[DeviceB-GigabitEthernet1/0/2] ospfv3 1 area 0

[DeviceB-GigabitEthernet1/0/2] quit

d. Configure hot backup settings.

# Associate track entries with interfaces.

[DeviceB] track 1 interface gigabitethernet 1/0/1

[DeviceB-track-1] quit

[DeviceB] track 2 interface gigabitethernet 1/0/2

[DeviceB-track-2] quit

# Set up a hot backup system.

[DeviceB] remote-backup group

[DeviceB-remote-backup-group] remote-ipv6 3005::1

[DeviceB-remote-backup-group] local-ipv6 3005::2

[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3

[DeviceB-remote-backup-group] device-role secondary

RBM_S[DeviceB-remote-backup-group] backup-mode dual-active

RBM_S[DeviceB-remote-backup-group] hot-backup enable

RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable

RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12

RBM_S[DeviceB-remote-backup-group] delay-time 1

# Configure the hot backup system to change the link costs advertised in OSPFv3 routes to 1.

RBM_S[DeviceB-remote-backup-group] adjust-cost ospfv3 enable absolute 1

# Configure the hot backup system to monitor the status of track entry 1 and track entry 2.

RBM_S[DeviceB-remote-backup-group] track 1

RBM_S[DeviceB-remote-backup-group] track 2

RBM_S[DeviceB-remote-backup-group] quit

6. On the hosts, specify 2002::1 as the default gateway. (Details not shown.)

Verifying the configuration

1. Verify the configuration on Device A:

# Verify that the hot backup channels have been set up.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IPv6: 3005::1

Remote IPv6: 3005::2 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that the OSPFv3 routes advertised by Device A and Device B include the same link cost.

RBM_P[DeviceA] display ospfv3 interface

OSPFv3 Process 1 with Router ID 2.1.1.1

Area: 0.0.0.0

-------------------------------------------------------------------------

ID State Cost Pri DR BDR Ins Name

2 DR 1 1 2.1.1.1 1.1.1.1 0 GE1/0/1

3 BDR 1 1 4.1.1.1 2.1.1.1 0 GE1/0/2

2. Verify the configuration on Device B:

# Verify that the hot backup channels have been set up.

RBM_S[DeviceB] display remote-backup-group status

Remote backup group information:

Backup mode: Dual-active

Device management role: Secondary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Local IPv6: 3005::2

Remote IPv6: 3005::1 Destination port: 60064

Control channel status: Connected

Keepalive interval: 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Delay-time: 1 min

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

# Verify that the OSPFv3 routes advertised by Device A and Device B include the same link cost.

RBM_S[DeviceB] display ospfv3 interface

OSPFv3 Process 1 with Router ID 3.1.1.1

Area: 0.0.0.0

-------------------------------------------------------------------------

ID State Cost Pri DR BDR Ins Name

2 DR 1 1 3.1.1.1 1.1.1.1 0 GE1/0/1

3 BDR 1 1 4.1.1.1 3.1.1.1 0 GE1/0/2

09-High Availability Configuration Guide

Configuring hot backup

About hot backup

Operating modes of hot backup

Active/standby mode

Dual-active mode

Hot backup packets

Hot backup channels

Running status switchover process

About hot backup and VRRP association

VRRP active/standby group

VRRP master election in the hot backup environment

ARP and MAC learning in VRRP

Transparent in-path deployment of hot backup

Restrictions: Hardware compatibility with hot backup

Routed in-path hot backup deployment between upstream and downstream routers

Routed in-path hot backup deployment between upstream and downstream switches

Transparent in-path hot backup deployment between upstream and downstream routers

Transparent in-path hot backup deployment between upstream and downstream switches

Compatibility with contexts

Compatibility with NAT

Compatibility with other protocols

Configuring the hot backup role

About this task

Restrictions and guidelines

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

Configuring hot backup configuration synchronization

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Procedure

About this task

Restrictions and guidelines

Procedure

About this task

Procedure

Configuring service features on the hot backup system

NAT on the hot backup system

About NAT on the hot backup system

Traffic forwarding process

Display and maintenance commands for hot backup

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure

Verifying the configuration

Network configuration

Procedure