As shown in Figure 1, set up the HA group at the border between the Internet and the internal network of an enterprise to ensure service continuity.
Configure the HA group to collaborate with OSPF.
Configure the HA group to operate in active/standby mode.
Configure Device A and Device B as the primary device and the secondary device, respectively.
This configuration example was created and verified on E8371 of the F5000-AI160 device.
A hot backup system can contain a maximum of two devices.
To ensure that the traffic size is within the processing capability of one device upon failure of the other device, make sure the throughput of each device does not exceed 50% of its capability.
Before you configure hot backup, verify that the following hardware settings are the same on the devices to be assigned to a hot backup system:
Device model.
Number and type of management interfaces, service interfaces, and interfaces for setting up the hot backup channels. Do not use one interface for multiple purposes.
Location, number, and type of disks. A device not with disks installed has small log storage and do not support some types of logs or reports.
Before you configure hot backup, verify that the following software settings are the same on the devices to be assigned to a hot backup system:
Software environment and version, including boot packages, system packages, feature packages, and patches.
Licensed signature libraries and features, such as signature library types, signature library version, validation time, and number of licensed resources.
Interface numbers.
Type, speed, and number of the interfaces for setting up the hot backup channels. As a best practice, use aggregate interfaces.
Aggregate interface numbers and aggregation member port numbers.
Security zone configuration on the interfaces at the same location.
Multi-CPU packet distribution policy (configurable with the forwarding policy command).
Assign an IPv4 address to GigabitEthernet 1/0/7.
<RouterA> system-view
[RouterA] interface gigabitethernet 1/0/7
[RouterA-GigabitEthernet1/0/7] ip address 2.1.1.2 255.255.255.0
[RouterA-GigabitEthernet1/0/7] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
Specify 3.1.1.15 as the next hop of the route to the Internet.
[RouterA] ip route-static 0.0.0.0 0.0.0.0 3.1.1.15
Configure OSPF. Use the default OSPF link cost configuration.
[RouterA] router id 2.1.1.2
[RouterA] ospf
[RouterA-ospf-1] area 0
[RouterA-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] network 2.1.10.0 0.0.0.255
[RouterA-ospf-1-area-0.0.0.0] quit
[RouterA-ospf-1] quit
Configure IPv4 addresses for interfaces.
# Assign an IPv4 address to GigabitEthernet 1/0/7.
<RouterB> system-view
[RouterB] interface gigabitethernet 1/0/7
[RouterB-GigabitEthernet1/0/7] ip address 10.1.1.2 255.255.255.0
[RouterB-GigabitEthernet1/0/7] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
Configure OSPF. Use the default OSPF link cost configuration.
[RouterB] router id 10.1.1.2
[RouterB] ospf
[RouterB-ospf-1] area 0
[RouterB-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] network 20.1.1.0 0.0.0.255
[RouterB-ospf-1-area-0.0.0.0] quit
[RouterB-ospf-1] quit
Assign an IP address to GigabitEthernet 1/0/1.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
Add interfaces to security zones.
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
Configure OSPF. Use the default OSPF link cost configuration.
[DeviceA] router id 2.1.1.1
[DeviceA] ospf
[DeviceA-ospf-1] area 0
[DeviceA-ospf-1-area-0.0.0.0] network 2.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[DeviceA-ospf-1-area-0.0.0.0] quit
[DeviceA-ospf-1] quit
Configure a security policy.
Perform this task only on the primary device. After the HA group is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.
# Configure a rule named trust-untrust to permit the packets from 20.1.1.0/24 to the Internet.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-0-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-0-trust-untrust] source-ip-subnet 20.1.1.0 24
[DeviceA-security-policy-ip-0-trust-untrust] action pass
[DeviceA-security-policy-ip-0-trust-untrust] quit
# Configure rules to permit OSPF protocol packets.
[DeviceA-security-policy-ip] rule name ospf1
[DeviceA-security-policy-ip-1-ospf1] source-zone trust
[DeviceA-security-policy-ip-1-ospf1] destination-zone local
[DeviceA-security-policy-ip-1-ospf1] service ospf
[DeviceA-security-policy-ip-1-ospf1] action pass
[DeviceA-security-policy-ip-1-ospf1] quit
[DeviceA-security-policy-ip] rule name ospf2
[DeviceA-security-policy-ip-2-ospf2] source-zone local
[DeviceA-security-policy-ip-2-ospf2] destination-zone trust
[DeviceA-security-policy-ip-2-ospf2] service ospf
[DeviceA-security-policy-ip-2-ospf2] action pass
[DeviceA-security-policy-ip-2-ospf2] quit
[DeviceA-security-policy-ip] rule name ospf3
[DeviceA-security-policy-ip-3-ospf3] source-zone untrust
[DeviceA-security-policy-ip-3-ospf3] destination-zone local
[DeviceA-security-policy-ip-3-ospf3] service ospf
[DeviceA-security-policy-ip-3-ospf3] action pass
[DeviceA-security-policy-ip-3-ospf3] quit
[DeviceA-security-policy-ip] rule name ospf4
[DeviceA-security-policy-ip-4-ospf4] source-zone local
[DeviceA-security-policy-ip-4-ospf4] destination-zone untrust
[DeviceA-security-policy-ip-4-ospf4] service ospf
[DeviceA-security-policy-ip-4-ospf4] action pass
[DeviceA-security-policy-ip-4-ospf4] quit
[DeviceA-security-policy-ip] quit
Configure HA group settings.
# Associate track entries with interfaces.
[DeviceA] track 1 interface gigabitethernet 1/0/1
[DeviceA-track-1] quit
[DeviceA] track 2 interface gigabitethernet 1/0/2
[DeviceA-track-2] quit
# Set up an HA group.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 10.2.1.2
[DeviceA-remote-backup-group] local-ip 10.2.1.1
[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3
[DeviceA-remote-backup-group] device-role primary
RBM_P[DeviceA-remote-backup-group] undo backup-mode
RBM_P[DeviceA-remote-backup-group] hot-backup enable
RBM_P[DeviceA-remote-backup-group] configuration auto-sync enable
RBM_P[DeviceA-remote-backup-group] configuration sync-check interval 12
# Configure the HA group to change the link costs advertised in OSPF routes to 6000.
RBM_P[DeviceA-remote-backup-group] adjust-cost ospf enable absolute 6000
# Configure the HA group to monitor the status of track entry 1 and track entry 2.
RBM_P[DeviceA-remote-backup-group] track 1
RBM_P[DeviceA-remote-backup-group] track 2
RBM_P[DeviceA-remote-backup-group] quit
Configure security services on Device A. (Details not shown.)
Assign an IP address to GigabitEthernet 1/0/1.
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/1
[DeviceB-GigabitEthernet1/0/1] ip address 2.1.10.1 255.255.255.0
[DeviceB-GigabitEthernet1/0/1] quit
# Assign IP addresses to other interfaces in the same way. (Details not shown.)
Add interfaces to security zones.
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
Configure OSPF. Use the default OSPF link cost configuration.
[DeviceB] router id 2.1.10.1
[DeviceB] ospf
[DeviceB-ospf-1] area 0
[DeviceB-ospf-1-area-0.0.0.0] network 2.1.10.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] network 10.1.10.0 0.0.0.255
[DeviceB-ospf-1-area-0.0.0.0] quit
[DeviceB-ospf-1] quit
Associate track entries with interfaces.
[DeviceB] track 1 interface gigabitethernet 1/0/1
[DeviceB-track-1] quit
[DeviceB] track 2 interface gigabitethernet 1/0/2
[DeviceB-track-2] quit
Set up an HA group.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 10.2.1.1
[DeviceB-remote-backup-group] local-ip 10.2.1.2
[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3
[DeviceB-remote-backup-group] device-role secondary
RBM_S[DeviceB-remote-backup-group] undo backup-mode
RBM_S[DeviceB-remote-backup-group] hot-backup enable
RBM_S[DeviceB-remote-backup-group] configuration auto-sync enable
RBM_S[DeviceB-remote-backup-group] configuration sync-check interval 12
Configure the HA group to change the link costs advertised in OSPF routes to 6000.
RBM_S[DeviceB-remote-backup-group] adjust-cost ospf enable absolute 6000
Configure the HA group to monitor the status of track entry 1 and track entry 2.
RBM_S[DeviceB-remote-backup-group] track 1
RBM_S[DeviceB-remote-backup-group] track 2
RBM_S[DeviceB-remote-backup-group] quit
# Verify that the HA channels have been set up.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Local IP: 10.2.1.1
Remote IP: 10.2.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 0 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Local device rebooted
# Verify that the OSPF routes advertised by Device A include a smaller link cost than that advertised by Device B.
RBM_P[DeviceA] display ospf interface
OSPF Process 1 with Router ID 2.1.1.1
Interfaces
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
2.1.1.1 Broadcast BDR 1 1 2.1.1.2 2.1.1.1
10.1.1.1 Broadcast DR 1 1 10.1.1.1 10.1.1.2
# Verify that the HA channels have been set up.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Active/standby
Device management role: Secondary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Local IP: 10.2.1.2
Remote IP: 10.2.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Delay-time: 0 min
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Local device rebooted
# Verify that the OSPF routes advertised by Device B include a larger link cost than that advertised by Device A.
RBM_S[DeviceB] display ospf interface
OSPF Process 1 with Router ID 2.1.10.1
Interfaces
Area: 0.0.0.0
IP Address Type State Cost Pri DR BDR
2.1.10.1 Broadcast BDR 6000 1 2.1.10.2 2.1.10.1
10.1.10.1 Broadcast BDR 6000 1 10.1.10.2 10.1.10.1
RouterA
#
router id 2.1.1.2
#
ospf 1
area 0.0.0.0
network 2.1.1.0 0.0.0.255
network 2.1.10.0 0.0.0.255
#
interface GigabitEthernet1/0/7
port link-mode route
ip address 2.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/8
port link-mode route
ip address 2.1.10.2 255.255.255.0
#
interface GigabitEthernet1/0/9
port link-mode route
ip address 3.1.1.14 255.255.255.0
#
ip route-static 0.0.0.0 0 3.1.1.15
RouterB
#
router id 10.1.1.2
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.10.0 0.0.0.255
network 20.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/7
port link-mode route
ip address 10.1.1.2 255.255.255.0
#
interface GigabitEthernet1/0/8
port link-mode route
ip address 10.1.10.2 255.255.255.0
#
interface GigabitEthernet1/0/9
port link-mode route
ip address 20.1.1.1 255.255.255.0
DeviceA
#
router id 2.1.1.1
#
track 1 interface GigabitEthernet1/0/1
#
track 2 interface GigabitEthernet1/0/2
#
ospf 1
area 0.0.0.0
network 2.1.1.0 0.0.0.255
network 10.1.1.0 0.0.0.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 10.2.1.1 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 20.1.1.0 255.255.255.0
rule 1 name ospf1
action pass
source-zone trust
destination-zone local
service ospf
rule 2 name ospf2
action pass
source-zone local
destination-zone trust
service ospf
rule 3 name ospf3
action pass
source-zone untrust
destination-zone local
service ospf
rule 4 name ospf4
action pass
source-zone local
destination-zone untrust
service ospf
#
remote-backup group
data-channel interface GigabitEthernet1/0/3
configuration sync-check interval 12
adjust-cost ospf enable absolute 6000
track 1
track 2
local-ip 10.2.1.1
remote-ip 10.2.1.2
device-role primary
DeviceB
#
router id 2.1.10.1
#
track 1 interface GigabitEthernet1/0/1
#
track 2 interface GigabitEthernet1/0/2
#
ospf 1
area 0.0.0.0
network 2.1.10.0 0.0.0.255
network 10.1.10.0 0.0.0.255
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 2.1.10.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 10.1.10.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 10.2.1.2 255.255.255.0
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
remote-backup group
data-channel interface GigabitEthernet1/0/3
configuration sync-check interval 12
adjust-cost ospf enable absolute 6000
track 1
track 2
local-ip 10.2.1.2
remote-ip 10.2.1.1