As shown in the following figure, Device A and Device B are border security devices connected to the internal network and the Internet. To improve service stability, set up a hot backup system with the devices. Configure the hot backup system to operate in mirroring mode. The service interfaces with the same number on the devices use the same IP address. Configure Device A and Device B as the primary device and the secondary device, respectively. Set up MAD to avoid address conflicts between the two devices when the hot backup channel is disconnected. When Device A or its attached link fails, Device B takes over to ensure service continuity.
Figure 1 Network diagram
This configuration example was created and verified on F9900 of the F5000-AI120 device.
Before you set up an RBM system, verify that the following hardware settings are consistent on the candidate member devices:
Device model.
Number and type of management interfaces, service interfaces, and RBM channel interfaces on the active and standby devices. Do not use one interface for multiple purposes.
Location, number, and type of disks. A device without disks installed has limited log storage and does not support some types of logs or reports.
Before you set up an RBM system, verify that the following software settings are consistent on the candidate member devices:
Software environment and version, including boot packages, system packages, feature packages, and patches.
Licensed signature libraries and features, such as signature library types, signature library version, validation time, and number of licensed resources.
Interface numbers.
Type, speed, and number of the interfaces for setting up the RBM channels. As a best practice, use aggregate interfaces.
Aggregate interface numbers and aggregation member port numbers.
Security zone configuration on the interfaces at the same location.
Multi-CPU packet distribution policy (configured with the forwarding policy command).
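The consistency prerequisites above can be checked mechanically against the two members' configuration files before the RBM system is brought up. The following script is an added example, not H3C's code: it assumes the '#'-delimited Comware configuration layout used in this document's configuration files, and the two sample configurations are constructed from the addresses used in this example (Device A and Device B differ only in the RBM channel and management addresses). It compares interface numbers, link modes, security zone membership, the RBM channel settings and track entries, checks that local-ip and remote-ip mirror each other, and confirms ARP MAD is enabled on both members.

```python
"""Added example (not H3C's code): check two candidate RBM members against the
consistency prerequisites (interface numbers, link modes, security zones, RBM
channel settings, MAD). Sample configuration text is constructed."""

# Constructed: the common part of both members' configuration; only the
# RBM channel and management addresses differ per device.
CFG_TEMPLATE = """\
#
remote-backup group
 data-channel interface GigabitEthernet1/0/3
 backup-mode mirror
 mirror mgt-interface GigabitEthernet1/0/5
 configuration sync-check interval 12
 configuration auto-sync enable route-static
 track 1
 track 2
 local-ip {local}
 remote-ip {remote}
 device-role auto
#
interface Vlan-interface20
 ip address 10.3.1.1 255.255.255.0
 mad arp enable
#
interface GigabitEthernet1/0/1
 port link-mode route
#
interface GigabitEthernet1/0/2
 port link-mode route
#
interface GigabitEthernet1/0/3
 port link-mode route
 ip address {local} 255.255.255.0
#
interface GigabitEthernet1/0/4
 port link-mode bridge
 port access vlan 20
#
interface GigabitEthernet1/0/5
 port link-mode route
 ip address {mgt} 255.255.255.0
#
security-zone name Trust
 import interface GigabitEthernet1/0/2
#
security-zone name Untrust
 import interface GigabitEthernet1/0/1
#
"""
DEVICE_A_CFG = CFG_TEMPLATE.format(local="10.2.1.1", remote="10.2.1.2", mgt="10.4.1.1")
DEVICE_B_CFG = CFG_TEMPLATE.format(local="10.2.1.2", remote="10.2.1.1", mgt="10.4.1.2")

# RBM view settings that must be identical on both members.
RBM_SHARED = ("backup-mode", "data-channel interface", "mirror mgt-interface",
              "configuration sync-check interval", "configuration auto-sync enable", "track")


def blocks(cfg):
    """Yield each '#'-delimited block as a list of stripped, non-empty lines."""
    block = []
    for line in cfg.splitlines() + ["#"]:
        if line.strip() == "#":
            if block:
                yield block
            block = []
        elif line.strip():
            block.append(line.strip())


def summarize(cfg):
    """Reduce a configuration to the settings the prerequisites compare."""
    s = {"ifaces": {}, "zones": {}, "rbm": {}, "mad": set()}
    for head, *body in blocks(cfg):
        if head.startswith("interface "):
            name = head.split(None, 1)[1]
            s["ifaces"][name] = next((l.split()[-1] for l in body if l.startswith("port link-mode ")), "route")
            if "mad arp enable" in body:
                s["mad"].add(name)
        elif head.startswith("security-zone name "):
            s["zones"][head.split()[-1].lower()] = {l.split()[-1] for l in body if l.startswith("import interface ")}
        elif head == "remote-backup group":
            for l in body:                      # 'track N' repeats, so keep values as sets
                key, _, value = l.rpartition(" ")
                s["rbm"].setdefault(key, set()).add(value)
    return s


def check_rbm_pair(cfg_a, cfg_b):
    """Return a list of prerequisite violations; an empty list means consistent."""
    a, b = summarize(cfg_a), summarize(cfg_b)
    findings = []
    if a["ifaces"].keys() != b["ifaces"].keys():
        findings.append("interface numbers differ: %s" % sorted(a["ifaces"].keys() ^ b["ifaces"].keys()))
    for name in a["ifaces"].keys() & b["ifaces"].keys():
        if a["ifaces"][name] != b["ifaces"][name]:
            findings.append(f"{name}: link mode {a['ifaces'][name]} vs {b['ifaces'][name]}")
    if a["zones"] != b["zones"]:
        findings.append("security zone membership differs")
    for key in RBM_SHARED:
        if a["rbm"].get(key) != b["rbm"].get(key):
            findings.append(f"{key}: {a['rbm'].get(key)} vs {b['rbm'].get(key)}")
    if a["rbm"].get("local-ip") != b["rbm"].get("remote-ip") or a["rbm"].get("remote-ip") != b["rbm"].get("local-ip"):
        findings.append("local-ip/remote-ip are not mirrored between the members")
    if not (a["mad"] and b["mad"]):
        findings.append("ARP MAD is not enabled on both members")
    return findings


if __name__ == "__main__":
    print(check_rbm_pair(DEVICE_A_CFG, DEVICE_B_CFG) or "consistent")
```

Service-interface IP addresses are deliberately not compared, because in mirroring mode they are synchronized from the primary device and need not be pre-configured on the secondary; only the channel and management addresses are expected to differ.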
# Create VLAN 10 on Switch A, and configure the interfaces that connect Switch A to Device A, Device B, and Router as access ports, and then assign the ports to VLAN 10.
# Add interfaces to VLANs and set the link type according to the network diagram as follows.
<SwitchA> system-view
[SwitchA] vlan 10
[SwitchA-vlan10] quit
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port access vlan 10
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface gigabitethernet 1/0/2
[SwitchA-GigabitEthernet1/0/2] port access vlan 10
[SwitchA-GigabitEthernet1/0/2] quit
[SwitchA] interface gigabitethernet 1/0/3
[SwitchA-GigabitEthernet1/0/3] port access vlan 10
[SwitchA-GigabitEthernet1/0/3] quit
# Create VLAN 10, configure the interfaces connected to Device A, Device B, and Host to operate at Layer 2, and assign the interfaces to VLAN 10 as access interfaces.
# Add interfaces to VLANs and set the link type according to the network diagram as follows.
<SwitchB> system-view
[SwitchB] vlan 10
[SwitchB-vlan10] quit
[SwitchB] interface gigabitethernet 1/0/1
[SwitchB-GigabitEthernet1/0/1] port access vlan 10
[SwitchB-GigabitEthernet1/0/1] quit
[SwitchB] interface gigabitethernet 1/0/2
[SwitchB-GigabitEthernet1/0/2] port access vlan 10
[SwitchB-GigabitEthernet1/0/2] quit
[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] port access vlan 10
[SwitchB-GigabitEthernet1/0/3] quit
Assign IPv4 addresses to interfaces:
# Assign an IPv4 address to each interface as follows.
<Router> system-view
[Router] interface gigabitethernet 1/0/7
[Router-GigabitEthernet1/0/7] ip address 2.1.1.15 255.255.255.0
[Router-GigabitEthernet1/0/7] quit
# Assign IP addresses to other interfaces in the same way according to the network diagram. (Details not shown.)
Configure route settings for network connectivity.
This example uses static routes. Configure routes according to the actual network requirements.
# Configure static route settings according to the network diagram. In this example, specify 2.1.1.1 as the next hop of the route to the internal network, and specify 3.1.1.15 as the next hop of the route to the Internet.
[Router] ip route-static 10.1.1.0 255.255.255.0 2.1.1.1
[Router] ip route-static 0.0.0.0 0.0.0.0 3.1.1.15
Assign IPv4 addresses to interfaces:
# Assign an IPv4 address to each interface as follows.
<DeviceA> system-view
[DeviceA] interface gigabitethernet 1/0/1
[DeviceA-GigabitEthernet1/0/1] ip address 2.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/1] quit
[DeviceA] interface gigabitethernet 1/0/2
[DeviceA-GigabitEthernet1/0/2] ip address 10.1.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/2] quit
[DeviceA] interface gigabitethernet 1/0/3
[DeviceA-GigabitEthernet1/0/3] ip address 10.2.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/3] quit
[DeviceA] interface gigabitethernet 1/0/5
[DeviceA-GigabitEthernet1/0/5] ip address 10.4.1.1 255.255.255.0
[DeviceA-GigabitEthernet1/0/5] quit
Add interfaces to security zones.
# Add interfaces to security zones according to the network diagram.
[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceA-security-zone-Trust] quit
[DeviceA] security-zone name dmz
[DeviceA-security-zone-DMZ] import interface gigabitethernet 1/0/5
[DeviceA-security-zone-DMZ] quit
Configure route settings for network connectivity:
This example uses static routes. Configure routes according to the actual network requirements.
# Configure a static route for Layer 3 connectivity between the internal and external networks according to the network diagram. The next hop for the static route to the external network is 2.1.1.15.
[DeviceA] ip route-static 0.0.0.0 0.0.0.0 2.1.1.15
Configure security policy settings to permit specific service packets:
Perform this task only on the primary device. After the RBM system is set up, the secondary device automatically synchronizes its security policy configuration with the primary device.
# Create a security policy rule named trust-untrust to allow internal network users to access the Internet and prevent Internet users from accessing the internal network.
[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule name trust-untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-3-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-3-trust-untrust] source-ip-subnet 10.1.1.0 24
[DeviceA-security-policy-ip-3-trust-untrust] action pass
[DeviceA-security-policy-ip-3-trust-untrust] quit
# Configure a security policy rule named loglocalout to allow the device to send fast log information to the log host.
[DeviceA-security-policy-ip] rule name loglocalout
[DeviceA-security-policy-ip-4-loglocalout] source-zone local
[DeviceA-security-policy-ip-4-loglocalout] destination-zone dmz
[DeviceA-security-policy-ip-4-loglocalout] action pass
[DeviceA-security-policy-ip-4-loglocalout] quit
[DeviceA-security-policy-ip] quit
Configure RBM settings
In this example, Ethernet interfaces are used for control and data channel setup. If a device has both RBM and Ethernet interfaces, use the RBM interface for control and data channel setup to protect device security and stability. Do not use an RBM interface as a service interface.
# Configure Track to monitor status of interfaces.
[DeviceA] track 1 interface gigabitethernet 1/0/1
[DeviceA-track-1] quit
[DeviceA] track 2 interface gigabitethernet 1/0/2
[DeviceA-track-2] quit
# Specify two devices for the RBM system, with Device A as the primary device, and Device B as the secondary device. When Device A or its attached link fails, Device B takes over to ensure service continuity.
[DeviceA] remote-backup group
[DeviceA-remote-backup-group] remote-ip 10.2.1.2
[DeviceA-remote-backup-group] local-ip 10.2.1.1
[DeviceA-remote-backup-group] data-channel interface gigabitethernet 1/0/3
[DeviceA-remote-backup-group] backup-mode mirror
[DeviceA-remote-backup-group] device-role auto
RBM_MIRROR_P[DeviceA-remote-backup-group] hot-backup enable
RBM_MIRROR_P[DeviceA-remote-backup-group] configuration auto-sync enable route-static
RBM_MIRROR_P[DeviceA-remote-backup-group] configuration auto-sync enable
RBM_MIRROR_P[DeviceA-remote-backup-group] configuration sync-check interval 12
# Configure the management interface for the mirroring mode to connect to the network management device and log host.
RBM_MIRROR_P[DeviceA-remote-backup-group] mirror mgt-interface gigabitethernet 1/0/5
# Associate RBM with track entries 1 and 2.
RBM_MIRROR_P[DeviceA-remote-backup-group] track 1
RBM_MIRROR_P[DeviceA-remote-backup-group] track 2
RBM_MIRROR_P[DeviceA-remote-backup-group] quit
Configure ARP MAD to avoid address conflicts between the two devices when the RBM channel is disconnected.
# Create VLAN 20, and assign GigabitEthernet 1/0/4 on Device A to VLAN 20.
RBM_MIRROR_P[DeviceA] vlan 20
RBM_MIRROR_P[DeviceA-vlan20] quit
RBM_MIRROR_P[DeviceA] interface gigabitethernet 1/0/4
RBM_MIRROR_P[DeviceA-GigabitEthernet1/0/4] port link-mode bridge
RBM_MIRROR_P[DeviceA-GigabitEthernet1/0/4] port access vlan 20
RBM_MIRROR_P[DeviceA-GigabitEthernet1/0/4] quit
# Create VLAN-interface 20, assign an IP address to the interface, and enable ARP MAD.
RBM_MIRROR_P[DeviceA] interface vlan-interface 20
RBM_MIRROR_P[DeviceA-Vlan-interface20] ip address 10.3.1.1 24
RBM_MIRROR_P[DeviceA-Vlan-interface20] mad arp enable
You need to assign a domain ID (range: 0-4294967295)
[Current domain is: 1]:
The assigned domain ID is: 1
Configure security services on Device A. (Details not shown.)
# After completing the RBM configuration, configure security services. Configure modules whose configuration can be backed up by RBM only on the primary device (Device A).
Assign IPv4 addresses to interfaces:
# Assign IPv4 addresses to interfaces according to the network diagram. (Only the mirroring-mode management interface and the hot backup channel interface require this configuration. The IP addresses of the other interfaces are automatically synchronized from the primary device.)
<DeviceB> system-view
[DeviceB] interface gigabitethernet 1/0/3
[DeviceB-GigabitEthernet1/0/3] ip address 10.2.1.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/3] quit
[DeviceB] interface gigabitethernet 1/0/5
[DeviceB-GigabitEthernet1/0/5] ip address 10.4.1.2 255.255.255.0
[DeviceB-GigabitEthernet1/0/5] quit
Add interfaces to security zones.
# Add interfaces to security zones according to the network diagram.
[DeviceB] security-zone name untrust
[DeviceB-security-zone-Untrust] import interface gigabitethernet 1/0/1
[DeviceB-security-zone-Untrust] quit
[DeviceB] security-zone name trust
[DeviceB-security-zone-Trust] import interface gigabitethernet 1/0/2
[DeviceB-security-zone-Trust] quit
[DeviceB] security-zone name dmz
[DeviceB-security-zone-DMZ] import interface gigabitethernet 1/0/5
[DeviceB-security-zone-DMZ] quit
Configure RBM settings
In this example, Ethernet interfaces are used for control and data channel setup. If a device has both RBM and Ethernet interfaces, use the RBM interface for control and data channel setup to protect device security and stability. Do not use an RBM interface as a service interface.
# Configure Track to monitor status of interfaces.
[DeviceB] track 1 interface gigabitethernet 1/0/1
[DeviceB-track-1] quit
[DeviceB] track 2 interface gigabitethernet 1/0/2
[DeviceB-track-2] quit
# Specify two devices for the RBM system, with Device A as the primary device, and Device B as the secondary device. When Device A or its attached link fails, Device B takes over to ensure service continuity.
[DeviceB] remote-backup group
[DeviceB-remote-backup-group] remote-ip 10.2.1.1
[DeviceB-remote-backup-group] local-ip 10.2.1.2
[DeviceB-remote-backup-group] data-channel interface gigabitethernet 1/0/3
[DeviceB-remote-backup-group] backup-mode mirror
[DeviceB-remote-backup-group] device-role auto
RBM_MIRROR_S[DeviceB-remote-backup-group] hot-backup enable
RBM_MIRROR_S[DeviceB-remote-backup-group] configuration auto-sync enable route-static
RBM_MIRROR_S[DeviceB-remote-backup-group] configuration auto-sync enable
RBM_MIRROR_S[DeviceB-remote-backup-group] configuration sync-check interval 12
# Configure the mirroring-mode management interface for connecting to the network management device and log host and for performing MAD.
RBM_MIRROR_S[DeviceB-remote-backup-group] mirror mgt-interface gigabitethernet 1/0/5
# Associate RBM with track entries 1 and 2.
RBM_MIRROR_S[DeviceB-remote-backup-group] track 1
RBM_MIRROR_S[DeviceB-remote-backup-group] track 2
RBM_MIRROR_S[DeviceB-remote-backup-group] quit
Configure ARP MAD
# Create VLAN 20, and assign GigabitEthernet 1/0/4 on Device B to VLAN 20.
RBM_MIRROR_S[DeviceB] vlan 20
RBM_MIRROR_S[DeviceB-vlan20] quit
RBM_MIRROR_S[DeviceB] interface gigabitethernet 1/0/4
RBM_MIRROR_S[DeviceB-GigabitEthernet1/0/4] port link-mode bridge
RBM_MIRROR_S[DeviceB-GigabitEthernet1/0/4] port access vlan 20
RBM_MIRROR_S[DeviceB-GigabitEthernet1/0/4] quit
# Create VLAN-interface 20, assign an IP address to the interface, and enable ARP MAD. (The IP address configuration is not required, because mirroring-mode interface IP addresses will be automatically synchronized.)
RBM_MIRROR_S[DeviceB] interface vlan-interface 20
RBM_MIRROR_S[DeviceB-Vlan-interface20] mad arp enable
You need to assign a domain ID (range: 0-4294967295)
[Current domain is: 1]:
The assigned domain ID is: 1
# Specify the default gateway as 10.1.1.1 (virtual IPv4 address) for the host.
# Connect the devices after completing all configurations for them.
# Verify that the RBM settings have taken effect and the RBM channels have been set up.
RBM_P[DeviceA] display remote-backup-group status
Remote backup group information:
Backup mode: Mirroring
Device management role: Primary
Device running status: Active
Data channel interface: GigabitEthernet1/0/3
Data channel interface current state: Up
Local IP: 10.2.1.1
Remote IP: 10.2.1.2 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Active Interface status changed
# Verify that the RBM settings have taken effect and the RBM channels have been set up.
RBM_S[DeviceB] display remote-backup-group status
Remote backup group information:
Backup mode: Mirroring
Device management role: Secondary
Device running status: Standby
Data channel interface: GigabitEthernet1/0/3
Data channel interface current state: Up
Local IP: 10.2.1.2
Remote IP: 10.2.1.1 Destination port: 60064
Control channel status: Connected
Keepalive interval: 1s
Keepalive count: 10
Configuration consistency check interval: 12 hour
Configuration consistency check result: Not Performed
Configuration backup status: Auto sync enabled
Session backup status: Hot backup enabled
Uptime since last switchover: 0 days, 3 hours, 11 minutes
Switchover records:
Time Status change Cause
2021-06-22 13:33:33 Initial to Standby Interface status changed
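The two status outputs above are what an operator reads by hand; the following script is an added example, not H3C's code, that parses them and checks the conditions the verification step should confirm: both control channels connected, both data channel interfaces up, exactly one Active and one Standby member, one Primary and one Secondary role, and local/remote IP pairs that mirror each other. STATUS_A is the Device A output from this document; the Device B output is derived from it by the substitutions that differ on the page, and the split-brain sample (both members Active with the control channel down) is constructed. It also derives the peer-loss detection time from the keepalive interval and count shown in the output.

```python
"""Added example (not H3C's code): parse 'display remote-backup-group status'
output for both RBM members and check the verification conditions. STATUS_A is
copied from this document; STATUS_B is derived; SPLIT_BRAIN_B is constructed."""
import re

STATUS_A = """\
Remote backup group information:
  Backup mode: Mirroring
  Device management role: Primary
  Device running status: Active
  Data channel interface: GigabitEthernet1/0/3
  Data channel interface current state: Up
  Local IP: 10.2.1.1
  Remote IP: 10.2.1.2    Destination port: 60064
  Control channel status: Connected
  Keepalive interval: 1s
  Keepalive count: 10
  Configuration consistency check interval: 12 hour
  Configuration consistency check result: Not Performed
  Configuration backup status: Auto sync enabled
  Session backup status: Hot backup enabled
  Uptime since last switchover: 0 days, 3 hours, 11 minutes
  Switchover records:
    Time                    Status change        Cause
    2021-06-22 13:33:33     Initial to Active    Interface status changed
"""
# Device B output as shown above: role, running status and the IP pair differ.
STATUS_B = (STATUS_A.replace("Primary", "Secondary").replace("Active", "Standby")
            .replace("Local IP: 10.2.1.1", "Local IP: 10.2.1.2")
            .replace("Remote IP: 10.2.1.2", "Remote IP: 10.2.1.1"))
# Constructed: what Device B would report if the RBM channel were lost and both
# members ran as Active, the address-conflict situation MAD exists to prevent.
SPLIT_BRAIN_B = STATUS_B.replace("Standby", "Active").replace("Connected", "Disconnected")

RECORD_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\S+ to \S+)\s+(.+)$")


def parse_status(text):
    """Return ({field: value}, [switchover records]) from the display output."""
    fields, records = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        rec = RECORD_RE.match(line)
        if rec:
            records.append({"time": rec.group(1), "change": rec.group(2), "cause": rec.group(3).strip()})
            continue
        # 'Remote IP: ...    Destination port: ...' packs two fields on one line.
        for part in line.replace("Destination port:", "\nDestination port:").splitlines():
            key, sep, value = part.strip().partition(":")
            if sep and value.strip():      # skips headers such as 'Switchover records:'
                fields[key.strip()] = value.strip()
    return fields, records


def failover_detect_seconds(fields):
    """Worst-case time to declare the peer lost: keepalive interval x count."""
    interval = int(re.match(r"\d+", fields["Keepalive interval"]).group())
    return interval * int(fields["Keepalive count"])


def assess(text_a, text_b):
    """List ERROR/WARN findings for a pair of member outputs."""
    a, _ = parse_status(text_a)
    b, _ = parse_status(text_b)
    findings = []
    for name, f in (("A", a), ("B", b)):
        if f.get("Control channel status") != "Connected":
            findings.append(f"ERROR {name}: control channel is {f.get('Control channel status')}")
        if f.get("Data channel interface current state") != "Up":
            findings.append(f"ERROR {name}: data channel interface is not up")
        if f.get("Configuration consistency check result") == "Not Performed":
            findings.append(f"WARN {name}: configuration consistency check has not run yet")
    states = {a.get("Device running status"), b.get("Device running status")}
    if states != {"Active", "Standby"}:
        findings.append(f"ERROR: running states {sorted(s for s in states if s)}, expected one Active and one Standby")
    if {a.get("Device management role"), b.get("Device management role")} != {"Primary", "Secondary"}:
        findings.append("ERROR: management roles are not one Primary and one Secondary")
    if a.get("Local IP") != b.get("Remote IP") or a.get("Remote IP") != b.get("Local IP"):
        findings.append("ERROR: local/remote IP pairs do not mirror each other")
    return findings


def healthy(text_a, text_b):
    """True when no ERROR finding is present (WARNs are informational)."""
    return not any(f.startswith("ERROR") for f in assess(text_a, text_b))


if __name__ == "__main__":
    for line in assess(STATUS_A, STATUS_B):
        print(line)
    print("healthy:", healthy(STATUS_A, STATUS_B),
          "| peer-loss detection:", failover_detect_seconds(parse_status(STATUS_A)[0]), "s")
```

With the outputs from this document the pair is healthy and only a WARN is raised, because the 12-hour consistency check has not yet run after setup; with the constructed split-brain output the check fails on both the disconnected control channel and the two Active members.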
Router:
#
interface GigabitEthernet1/0/7
port link-mode route
ip address 2.1.1.15 255.255.255.0
#
interface GigabitEthernet1/0/8
port link-mode route
ip address 3.1.1.14 255.255.255.0
#
ip route-static 0.0.0.0 0 3.1.1.15
ip route-static 10.1.1.0 24 2.1.1.1
#
Switch A:
#
vlan 10
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 10
#
interface GigabitEthernet1/0/3
port access vlan 10
#
Switch B:
#
vlan 10
#
interface GigabitEthernet1/0/1
port access vlan 10
#
interface GigabitEthernet1/0/2
port access vlan 10
#
interface GigabitEthernet1/0/3
port access vlan 10
#
Device A:
#
track 1 interface GigabitEthernet1/0/1
#
track 2 interface GigabitEthernet1/0/2
#
remote-backup group
data-channel interface GigabitEthernet1/0/3
backup-mode mirror
mirror mgt-interface GigabitEthernet1/0/5
configuration sync-check interval 12
configuration auto-sync enable route-static
track 1
track 2
local-ip 10.2.1.1
remote-ip 10.2.1.2
device-role auto
#
vlan 20
#
interface Vlan-interface20
ip address 10.3.1.1 255.255.255.0
mad arp enable
#
interface GigabitEthernet1/0/1
port link-mode route
ip address 2.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/2
port link-mode route
ip address 10.1.1.1 255.255.255.0
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 10.2.1.1 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
ip address 10.4.1.1 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 20
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
import interface GigabitEthernet1/0/5
#
security-zone name Untrust
import interface GigabitEthernet1/0/1
#
ip route-static 0.0.0.0 0 2.1.1.15
#
security-policy ip
rule 0 name trust-untrust
action pass
source-zone trust
destination-zone untrust
source-ip-subnet 10.1.1.0 255.255.255.0
rule 1 name loglocalout
action pass
source-zone local
destination-zone dmz
#
Device B:
#
track 1 interface GigabitEthernet1/0/1
#
track 2 interface GigabitEthernet1/0/2
#
remote-backup group
data-channel interface GigabitEthernet1/0/3
backup-mode mirror
mirror mgt-interface GigabitEthernet1/0/5
configuration sync-check interval 12
configuration auto-sync enable route-static
track 1
track 2
local-ip 10.2.1.2
remote-ip 10.2.1.1
device-role auto
#
vlan 20
#
interface Vlan-interface20
mad arp enable
#
interface GigabitEthernet1/0/3
port link-mode route
ip address 10.2.1.2 255.255.255.0
#
interface GigabitEthernet1/0/5
port link-mode route
ip address 10.4.1.2 255.255.255.0
#
interface GigabitEthernet1/0/4
port link-mode bridge
port access vlan 20
#
security-zone name Trust
import interface GigabitEthernet1/0/2
#
security-zone name DMZ
import interface GigabitEthernet1/0/5
#
security-zone name Untrust
import interface GigabitEthernet1/0/1