CLI example: Configuring hot backup in mirroring mode

Network configuration

As shown in the following figure, Device A and Device B are border security devices connected to the internal network and the Internet. To improve service stability, set up a hot backup system with the devices. Configure the hot backup system to operate in mirroring mode. The service interfaces with the same number on the devices use the same IP address. Configure Device A and Device B as the primary device and the secondary device, respectively. Set up MAD to avoid address conflicts between the two devices when the hot backup channel is disconnected. When Device A or its attached link fails, Device B takes over to ensure service continuity.

Figure-1 Network diagram

Software versions used

This configuration example was created and verified on E9900 of the F5000-AI-55-G device.

Restrictions and guidelines

Hardware environment consistency

Before you set up an RBM system, verify that the following hardware settings are consistent on the candidate member devices:

Device model.
Number and type of management interfaces of active and standby devices, service interfaces, and interfaces for setting up the RBM channels. Do not use one interface for multiple purposes.
Location, number, and type of disks. A device not with disks installed has small log storage and do not support some types of logs or reports.

Software environment consistency

Before you set up an RBM system, verify that the following software settings are consistent on the candidate member devices:

Software environment and version, including boot packages, system packages, feature packages, and patches.
Licensed signature libraries and features, such as signature library types, signature library version, validation time, and number of licensed resources.
Interface numbers.
Type, speed, and number of the interfaces for setting up the RBM channels. As a best practice, use aggregate interfaces.
Aggregate interface numbers and aggregation member port numbers.
Security zone configuration on the interfaces at the same location.
Multi-CPU packet distribution policy (configured with the forwarding policy command).

Procedures

Configure Switch A

# Create VLAN 10 on Switch A, and configure the interfaces that connect Switch A to Device A, Device B, and Router as access ports, and then assign the ports to VLAN 10.

# Add interfaces to VLANs and set the link type according to the network diagram as follows.

<SwitchA> system-view

[SwitchA] vlan 10

[SwitchA-vlan10] quit

[SwitchA] interface gigabitethernet 1/0/1

[SwitchA-GigabitEthernet1/0/1] port access vlan 10

[SwitchA-GigabitEthernet1/0/1] quit

[SwitchA] interface gigabitethernet 1/0/2

[SwitchA-GigabitEthernet1/0/2] port access vlan 10

[SwitchA-GigabitEthernet1/0/2] quit

[SwitchA] interface gigabitethernet 1/0/3

[SwitchA-GigabitEthernet1/0/3] port access vlan 10

[SwitchA-GigabitEthernet1/0/3] quit

Configure Switch B

# Create VLAN 10, configure the interfaces connected to Device A, Device B, and Host to operate at Layer 2, and assign the interfaces to VLAN 10 as access interfaces.

# Add interfaces to VLANs and set the link type according to the network diagram as follows.

<SwitchB> system-view

[SwitchB] vlan 10

[SwitchB-vlan10] quit

[SwitchB] interface gigabitethernet 1/0/1

[SwitchB-GigabitEthernet1/0/1] port access vlan 10

[SwitchB-GigabitEthernet1/0/1] quit

[SwitchB] interface gigabitethernet 1/0/2

[SwitchB-GigabitEthernet1/0/2] port access vlan 10

[SwitchB-GigabitEthernet1/0/2] quit

[SwitchB] interface gigabitethernet 1/0/3

[SwitchB-GigabitEthernet1/0/3] port access vlan 10

[SwitchB-GigabitEthernet1/0/3] quit

Configure Router

Assign IPv4 addresses to interfaces:
# Assign an IPv4 address to each interface as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/7
[Router-GigabitEthernet1/0/7] ip address 2.1.1.15 255.255.255.0
[Router-GigabitEthernet1/0/7] quit
# Assign IP addresses to other interfaces in the same way according to the network diagram. (Details not shown.)
Configure route settings for network connectivity.
This example takes static route configuration as an example. Configure route settings according to the actual network requirements.
# Configure static route settings according to the network diagram. In this example, specify 2.1.1.1 as the next hop of the route to the internal network, and specify 3.1.1.15 as the next hop of the route to the Internet.
[Router] ip route-static 10.1.1.0 255.255.255.0 2.1.1.1
[Router] ip route-static 0.0.0.0 0.0.0.0 3.1.1.15

Configure Device A

Assign IPv4 addresses to interfaces:
# Assign an IPv4 address to each interface as follows.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] ip address 10.2.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] ip address 10.4.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/5] quit
Add interfaces to security zones.
# Add interfaces to security zones according to the network diagram.
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name dmz
[DeviceA-security-zone-DMZ] import interface gigabitethernet 1/0/5
[DeviceA-security-zone-DMZ] quit
Configure route settings for network connectivity:
This example takes static route configuration as an example. Configure route settings according to the actual network requirements.
# Configure a static route for Layer 3 connectivity between the internal and external networks according to the network diagram. The next hop for the static route to the external network is 2.1.1.15.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15
Configure security policy settings to permit specific service packets:
Perform this task only on the primary device. After the RBM system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.
# Create a security policy rule named trust-untrust to allow internal network users to access the Internet and prevent Internet users to access the internal network.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named loglocalout to allow Device to send fast log information to the log host.
[DeviceA-security-policy-ip] rule name loglocalout
[DeviceA-security-policy-ip-4-loglocalout] source-zone local
[DeviceA-security-policy-ip-4-loglocalout] destination-zone dmz
[DeviceA-security-policy-ip-4-loglocalout] action pass
[DeviceA-security-policy-ip-4-loglocalout] quit
[DeviceA-security-policy-ip] quit
Configure RBM settings
In this example, Ethernet interfaces are used for control and data channel setup. If a device has both RBM and Ethernet interfaces, use the RBM interface for control and data channel setup to protect device security and stability. Do not use an RBM interface as a service interface.
# Configure Track to monitor status of interfaces.
[DeviceA] track 1 interface gigabitethernet 1/0/1
[DeviceA-track-1] quit
[DeviceA] track 2 interface gigabitethernet 1/0/2
[DeviceA-track-2] quit
# Specify two devices for the RBM system, with Device A as the primary device, and Device B as the secondary device. When Device A or its attached link fails, Device B takes over to ensure service continuity.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 10.2.1.2
[DeviceA-remote-backup-group] local-ip 10.2.1.1
[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3
[DeviceA-remote-backup-group] backup-mode mirror
[DeviceA-remote-backup-group] device-role auto
RBM_MIRROR_P[DeviceA-remote-backup-group] hot-backup enable
RBM_MIRROR_P[DeviceA-remote-backup-group] configuration auto-sync enable route-static
RBM_MIRROR_P[DeviceA-remote-backup-group] configuration auto-sync enable
RBM_MIRROR_P[DeviceA-remote-backup-group] configuration sync-check interval 12
# Configure the management interface for the mirroring mode to connect to the network management device and log host.
RBM_MIRROR_P[DeviceA-remote-backup-group] mirror mgt-interface gigabitethernet 1/0/5
# Associate RBM with track entries 1 and 2.
RBM_MIRROR_P[DeviceA-remote-backup-group] track 1
RBM_MIRROR_P[DeviceA-remote-backup-group] track 2
RBM_MIRROR_P[DeviceA-remote-backup-group] quit
Configure ARP MAD to avoid address conflicts between the two devices when the RBM channel is disconnected.
# Create VLAN 20, and assign GigabitEthernet 1/0/4 on Device A to VLAN 20.
RBM_MIRROR_P[DeviceA] vlan 20
RBM_MIRROR_P[DeviceA-vlan20] quit
RBM_MIRROR_P[DeviceA] interface gigabitethernet 1/0/4
RBM_MIRROR_P[DeviceA-GigabitEthernet1/0/4] port link-mode bridge
RBM_MIRROR_P[DeviceA-GigabitEthernet1/0/4] port access vlan 20
RBM_MIRROR_P[DeviceA-GigabitEthernet1/0/4] quit
# Create VLAN-interface 20, assign an IP address to the interface, and enable ARP MAD.
RBM_MIRROR_P[DeviceA] interface vlan-interface 20
RBM_MIRROR_P[DeviceA-Vlan-interface20] ip address 10.3.1.1 24
RBM_MIRROR_P[DeviceA-Vlan-interface20] mad arp enable
You need to assign a domain ID (range: 0-4294967295)
[Current domain is: 1]:
The assigned domain ID is: 1
Configure security services on Device A. (Details not shown.)
# After completing RBM configuration, configure security services. Configure the modules whose configuration information can be backed up by RBM only on the primary device (Device A).

Configure Device B

Assign IPv4 addresses to interfaces:
# Assign IPv4 addresses to interfaces according to the network diagram. (The configuration is not required for the interfaces except the mirroring-mode management interface and hot backup channel interface. The IP address of such interfaces will be automatically synchronized to the standby device.)
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ip address 10.2.1.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/3] quit
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] ip address 10.4.1.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/5] quit
Add interfaces to security zones.
# Add interfaces to security zones according to the network diagram.
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name dmz
[DeviceB-security-zone-DMZ] import interface gigabitethernet 1/0/5
[DeviceB-security-zone-DMZ] quit
Configure RBM settings
In this example, Ethernet interfaces are used for control and data channel setup. If a device has both RBM and Ethernet interfaces, use the RBM interface for control and data channel setup to protect device security and stability. Do not use an RBM interface as a service interface.
# Configure Track to monitor status of interfaces.
[DeviceB] track 1 interface gigabitethernet 1/0/1
[DeviceB-track-1] quit
[DeviceB] track 2 interface gigabitethernet 1/0/2
[DeviceB-track-2] quit
# Specify two devices for the RBM system, with Device A as the primary device, and Device B as the secondary device. When Device A or its attached link fails, Device B takes over to ensure service continuity.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 10.2.1.1
[DeviceB-remote-backup-group] local-ip 10.2.1.2
[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3
[DeviceB-remote-backup-group] backup-mode mirror
[DeviceB-remote-backup-group] device-role auto
RBM_MIRROR_S[DeviceB-remote-backup-group] hot-backup enable
RBM_MIRROR_S[DeviceB-remote-backup-group] configuration auto-sync enable route-static
RBM_MIRROR_S[DeviceB-remote-backup-group] configuration auto-sync enable
RBM_MIRROR_S[DeviceB-remote-backup-group] configuration sync-check interval 12
# Configure the mirroring-mode management interface for connecting to the network management device and log host and for performing MAD.
RBM_MIRROR_S[DeviceB-remote-backup-group] mirror mgt-interface gigabitethernet 1/0/5
# Associate RBM with track entries 1 and 2.
RBM_MIRROR_S[DeviceB-remote-backup-group] track 1
RBM_MIRROR_S[DeviceB-remote-backup-group] track 2
RBM_MIRROR_S[DeviceB-remote-backup-group] quit
Configure ARP MAD
# Create VLAN 20, and assign GigabitEthernet 1/0/4 on Device B to VLAN 20.
RBM_MIRROR_S[DeviceB] vlan 20
RBM_MIRROR_S[DeviceB-vlan20] quit
RBM_MIRROR_S[DeviceB] interface gigabitethernet 1/0/4
RBM_MIRROR_S[DeviceB-GigabitEthernet1/0/4] port link-mode bridge
RBM_MIRROR_S[DeviceB-GigabitEthernet1/0/4] port access vlan 20
RBM_MIRROR_S[DeviceB-GigabitEthernet1/0/4] quit
# Create VLAN-interface 20, assign an IP address to the interface, and enable ARP MAD. (The IP address configuration is not required, because mirroring-mode interface IP addresses will be automatically synchronized.)
RBM_MIRROR_S[DeviceB] interface vlan-interface 20
RBM_MIRROR_S[DeviceB-Vlan-interface20] mad arp enable
You need to assign a domain ID (range: 0-4294967295)
[Current domain is: 1]:
The assigned domain ID is: 1

Configure Host

# Specify the default gateway as 10.1.1.1 (virtual IPv4 address) for the host.

Connect devices

# Connect the devices after completing all configurations for them.

Verifying the configuration

Device A

# Verify that the RBM settings have taken effect and the RBM channels have been set up.

RBM_P[DeviceA] display remote-backup-group status

Remote backup group information:

Backup mode: Mirroring

Device management role: Primary

Device running status: Active

Data channel interface: GigabitEthernet1/0/3

Data channel interface current state: Up

Local IP: 10.2.1.1

Remote IP: 10.2.1.2 Destination port: 60064

Control channel status: Connected

Keepalive interval： 1s

Keepalive count: 10

Configuration consistency check interval: 12 hour

Configuration consistency check result: Not Performed

Configuration backup status: Auto sync enabled

Session backup status: Hot backup enabled

Uptime since last switchover: 0 days, 3 hours, 11 minutes

Switchover records:

Time Status change Cause

2021-06-22 13:33:33 Initial to Active Interface status changed

Device B

# Verify that the RBM settings have taken effect and the RBM channels have been set up.

RBM_S[DeviceB] display remote-backup-group status