No relevant resource is found in the selected language.

This site uses cookies. By continuing to browse the site you are agreeing to our use of cookies. Read our privacy policy>

Reminder

To have a better experience, please upgrade your IE browser.

upgrade

Incorrect Protection Tunnel Configuration Causes Master/Backup Switchover Failures In a Dual-ME60 Hot Backup Scenario

Publication Date:  2018-10-09 Views:  64 Downloads:  0
Issue Description
Version: ME60 V600R002C02SPC700

The network topology is as follows:


The S9306 is an aggregation layer device. Its upstream interface is configured as an Eth-Trunk interface that connects to the ME60. The upstream interface and interconnection interface transparently transmit service VLAN tags and mVRRP VLAN tags.

The ME60 works in dual-system hot backup mode. VRRP is enabled on sub-interfaces of downstream links through mVRRP VLANs. Service VRRP is enabled on upstream links, and a protection tunnel is set up between the ME60s.

The firewalls also work in dual-system hot backup mode, and VRRP is enabled on the downstream interfaces and interconnection interfaces.

Static routes are configured on ME60s and Eudemons for interconnection. The destination IP address of each static route is the VRRP virtual IP address.

Key configurations:

VRRP packets are multicast packets and cannot be forwarded at Layer 3. To allow VRRP packets to be sent to Eudemon B, the ME60 must transparently transmit VRRP packets. Therefore, run the portswitch command to change the mode of the upstream and interconnection interfaces on the ME60 from Layer 3 to Layer 2.

interface Eth-Trunk3
portswitch
description to_E1000EA
port link-type access
port default vlan 32
interface Eth-Trunk0
portswitch
description to_ME60B
port link-type trunk
port trunk allow-pass vlan 32
In addition, the ME60s use shared address pools. To allow a protection tunnel to be established between the ME60s, an interconnection address must be configured. As a result, a new VLAN and a VLANIF interface are configured. The interconnection link between the ME60s transparently transmits packets from the VLAN.
Vlan38
interface Vlanif38
description to ME60B
ip address ×.×.×.× 255.255.255.252
interface Eth-Trunk0
port trunk allow-pass vlan 32  38

Fault description:
A PC is connected to S9306 A. Whether a master/slave ME60 switchover is successful can be determined based on the SPES authentication result. Before a switchover is performed, the PC can pass the SPES authentication. After the downstream interface of ME60 A goes Down, the PC fails the SPES authentication. The PC can obtain the IP address (×.×.×.×) but cannot pass the SPES authentication. In addition, the gateway address fails to be pinged on the PC.
Handling Process
1. Check the RBS configuration. It is found that an incorrect interface is bound to the protection tunnel. The interconnection address does not belong to the Layer 2 interface Eth-Trunk0. The attempt to bind VLANIF38 to the protection tunnel also fails, and it is found that a VLANIF interface cannot be bound to the protection tunnel.

remote-backup-service rbs1
protect redirect ip-nexthop ×.×.×.×  interface Eth-Trunk0

2. Cancel the VLANIF38 configuration and configure an Eth-Trunk0 sub-interface to which the RBS is bound so that the sub-interface can transparently transmit VLAN packets and function as a Layer 3 interface.
interface Eth-Trunk0.1
vlan-type dot1q 38
ip address ×.×.×.× 255.255.255.252
remote-backup-service rbs1
protect redirect ip-nexthop ×.×.×.×  interface Eth-Trunk0.1

3. The configuration on the backup device is also modified accordingly. After the modification is complete, the PC passes the authentication.

Root Cause
1. After the downstream link of ME60 A is disconnected, the PC should go online through ME60 B and access user information should be available on ME60 B. The display access-user command output shows that access user information is available on the backup device, but the user is found to be in the pre-authentication domain. The same access user information is found available on ME60 A, indicating that the backup information is correct.



2. The PC fails the SPEC authentication, indicating that the direction of SPEC traffic is incorrect. Traffic direction analysis indicates that both upstream and downstream traffic is transmitted through the protection tunnel after the master/backup switchover. Therefore, it is determined that the configuration of the protection tunnel is incorrect.
Suggestions
When Layer 2 interfaces for transparent transmission of VLAN packets and a protection tunnel need to be configured between ME60s, the protection tunnel must be configured on the sub-interface because a VLANIF interface cannot be bound to an RBS. In addition, different system versions support different interfaces that can be bound to an RBS. For example, the versions earlier than V600R002C02SPC600 do not support the trunk interface. Therefore, check the system version before performing the configuration.

END