
CX11x, CX31x, CX710 (Earlier Than V6.03), and CX91x Series Switch Modules V100R001C10 Configuration Guide 12

The documents describe the configuration of various services supported by the CX11x&CX31x&CX91x series switch modules. The description covers configuration examples and function configurations.

Configuring Basic Functions of an IPv4 VRRP Group

An IPv4 VRRP group implements gateway backup and ensures stable, efficient data forwarding.

Pre-configuration Tasks

Before configuring basic functions of an IPv4 VRRP group, complete the following task:
  • Configuring network layer attributes of interfaces to ensure network connectivity

Creating a VRRP Group

Context

VRRP virtualizes multiple devices into one gateway without changing the networking, and uses the virtual gateway's IP address as the default gateway address to implement next-hop gateway backup. After a VRRP group is configured, traffic is forwarded through the master. When the master fails, a new master is selected among backups to forward traffic. This implements gateway backup.

If load balancing is required in addition to gateway backup, configure two or more VRRP groups on an interface in single-gateway load balancing mode or multi-gateway load balancing mode.

Procedure
  • Create a VRRP group working in active/standby mode.

    1. Run:
      system-view

      The system view is displayed.

    2. Run:
      interface interface-type interface-number

      The interface view is displayed.

      NOTE:

      It is recommended that VRRP be deployed on the VLANIF interface.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:
      vrrp vrid virtual-router-id virtual-ip virtual-address

      A VRRP group is created, and a virtual IP address is assigned to the VRRP group.

      By default, no VRRP group is created.

    5. Run:
      commit

      The configuration is committed.

  • Create VRRP groups working in multi-gateway load balancing mode.

    If VRRP groups need to work in multi-gateway load balancing mode, repeat the steps to configure two or more VRRP groups on the interface and assign different VRIDs to them.

  • Create VRRP groups working in single-gateway load balancing mode.

    In load balancing scenarios, you must run the arp fast-reply disable command to disable the ARP fast reply function.

    NOTE:

    The device supports single-gateway load balancing for common VRRP groups, including those that have been bound to an mVRRP group.

    1. Run:
      system-view

      The system view is displayed.

    2. (Optional) Run:
      vrrp member-lbrg timer hello hello-time

      The interval at which the master device in the load-balance redundancy group (LBRG) configured using a service VRRP backup group sends VRRP Advertisement packets is set.

      To ensure that the MAC entries on a downstream switch are promptly updated, set this interval according to the network's reliability requirements.

    3. Run:
      interface interface-type interface-number

      The interface view is displayed.

    4. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    5. Run:
      vrrp vrid virtual-router-id virtual-ip virtual-address

      A VRRP group is created.

      • If you use the VRRP group as a Load-Balance Redundancy Group (LBRG), you must assign a virtual IP address to the VRRP group.
      • If you use the VRRP group as an LBRG member group, you do not need to assign a virtual IP address to the VRRP group.
    6. Run:
      vrrp vrid virtual-router-id priority priority-value

      A VRRP priority is set for the device.

    7. Run:
      vrrp vrid virtual-router-id load-balance

      An LBRG is created.

    8. Run:
      vrrp vrid virtual-router-id join load-balance-vrrp vrid lb-vrid-value

      A VRRP group is added to the LBRG.

    9. Run:
      commit

      The configuration is committed.

Setting the Device Priority in a VRRP Group

Context

The device with a higher priority in a VRRP group is more likely to become the master. You can specify the master to forward traffic by setting the device priority.

Procedure
  1. Run:
    system-view

    The system view is displayed.

  2. Run:
    interface interface-type interface-number

    The interface view is displayed.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:
    vrrp vrid virtual-router-id priority priority-value

    The device priority in a VRRP group is set.

    By default, the device priority is 100. A larger value indicates a higher priority.

    NOTE:
    • Priority 0 is reserved in the system. Priority 255 is reserved for the IP address owner, and the priority of the IP address owner cannot be changed. The priority ranges from 1 to 254.

    • When devices in a VRRP group have the same priority and attempt to become the master simultaneously, the device whose interface has the largest IP address becomes the master. The device that first switches to the Master state becomes the master, and the other backups remain unchanged.

  5. Run:
    commit

    The configuration is committed.

(Optional) Configuring the VRRP Version Number

Context

IPv4 VRRP supports VRRPv2 and VRRPv3. If devices in a VRRP group use different VRRP versions, VRRP Advertisement packets may fail to be forwarded.
  • A VRRPv2 group can send and receive only VRRPv2 Advertisement packets. The VRRPv2 group discards received VRRPv3 Advertisement packets.

  • A VRRPv3 group can send and receive both VRRPv2 and VRRPv3 Advertisement packets. The VRRPv3 group can communicate with both VRRPv2 and VRRPv3 groups.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    vrrp version { 2 | 3 }

    The VRRP version number is set.

    By default, VRRPv2 is used.

    Run either of the following commands:

    • To configure the device to send VRRP Advertisement packets of a specified version, run the vrrp compatible-version { 2 | 3 | all } command in the system view.
    • To configure the device's interface to send VRRP Advertisement packets of a specified version, run the vrrp vrid virtual-router-id compatible-version { 2 | 3 | all } command in the view of the interface on which the VRRP group is configured.

  3. Run:

    commit

    The configuration is committed.

(Optional) Configuring VRRP Time Parameters

Context

You can set VRRP time parameters as needed. Table 11-17 describes applicable scenarios of VRRP time parameters.

Table 11-17 Applicable scenarios of VRRP time parameters

| Parameter | Applicable Scenario |
| --- | --- |
| Interval at which VRRP Advertisement packets are sent | The master in a VRRP group sends VRRP Advertisement packets to backups at intervals to notify that it is working properly. After the Master_Down_Interval timer expires, the backup with the highest priority switches to the master if it does not receive VRRP Advertisement packets. Heavy network traffic or time differences on different devices may result in the status change of the backups due to timeout of VRRP Advertisement packets. When packets from the original master reach the new master, the status of the new master changes. You can increase the interval to solve this problem. |
| Preemption delay | On an unstable network, if the BFD session status monitored by a VRRP group flaps frequently or the backups cannot receive VRRP Advertisement packets within a specified period, an active/standby switchover is frequently performed, which causes network flapping. You can adjust the preemption delay of the master in the VRRP group so that the backup with the highest priority switches to the master after the delay. This prevents frequent change of the VRRP group status. |
| Timeout interval at which gratuitous ARP packets are sent by the master | To ensure that MAC address entries on the downstream switch are correct, the master in a VRRP group periodically sends gratuitous ARP packets to update MAC address entries on the downstream switch. |
| Delay in recovering a VRRP group | On an unstable network, frequent flapping of the BFD session status or interface status monitored by a VRRP group may result in frequent switching of the VRRP group status. After the delay in recovering a VRRP group is set, the VRRP group does not immediately respond to an interface or BFD session Up event. Instead, the VRRP group processes this event after the delay in recovering a VRRP group. This prevents frequent switching of the VRRP group status. |

Procedure

  • Set the interval at which VRRP Advertisement packets are sent.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      vrrp vrid virtual-router-id timer advertise advertise-interval

      The interval at which VRRP Advertisement packets are sent is set.

      By default, the interval is 1 second.

    5. Run:

      commit

      The configuration is committed.

  • Set the preemption delay of the master.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      interface interface-type interface-number

      The interface view is displayed.

    3. On an Ethernet interface, run:

      undo portswitch

      The interface is switched to Layer 3 mode.

      By default, an Ethernet interface works in Layer 2 mode.

      If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

      NOTE:

      If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

    4. Run:

      vrrp vrid virtual-router-id preempt timer delay delay-value

      The preemption delay is set.

      The default preemption delay is 5 seconds for a preemption caused by an interface Up event or 0 seconds (indicating immediate preemption) for a preemption caused by other reasons.

      You can use the vrrp vrid virtual-router-id preempt disable command to set the non-preemption mode. In non-preemption mode, the master that works properly can retain the Master state. The backup cannot switch to the master even if the priority of the master decreases.

      You can use the undo vrrp vrid virtual-router-id preempt command to restore the default preemption mode.

      NOTE:

      It is recommended that you set the preemption delay of the backup in a VRRP group to 0, configure the master in preemption mode, and set the preemption delay. On an unstable network, these settings allow a period of time for status synchronization between the uplink and downlink. If the preceding settings are not used, two masters coexist and user devices may learn the incorrect address of the master.

    5. Run:

      commit

      The configuration is committed.

  • Set the timeout interval at which gratuitous ARP packets are sent by the master.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vrrp gratuitous-arp interval interval-value

      The timeout interval at which gratuitous ARP packets are sent by the master is set.

      By default, the master sends gratuitous ARP packets every 120s.

      NOTE:

      The timeout interval at which the master sends gratuitous ARP packets must be shorter than the aging time of ARP entries on user devices.

      • To restore the default interval at which gratuitous ARP packets are sent, run the undo vrrp gratuitous-arp interval command in the system view.

      • If the master does not need to send gratuitous ARP packets, run the vrrp gratuitous-arp interval disable command in the system view.

    3. Run:

      commit

      The configuration is committed.

  • Set the delay in recovering a VRRP group.
    1. Run:

      system-view

      The system view is displayed.

    2. Run:

      vrrp recover-delay delay-value

      The delay in recovering a VRRP group is set.

      By default, the delay in recovering a VRRP group is 0.

      NOTE:
      • After this command is used, all VRRP groups on the device are configured with the same delay.

      • When the device in a VRRP group restarts, VRRP status flapping may occur. It is recommended that the delay be set based on actual networking.

    3. Run:

      commit

      The configuration is committed.
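The priority rules and the Master_Down_Interval timer described above, worked through as an added Python example that is not part of the original guide or Huawei code. It assumes the RFC 3768 timer formula (which the guide names but does not spell out); the class, function names and sample devices are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Member:
    name: str
    priority: int        # 1-254 configurable, 255 = IP address owner, 0 reserved
    interface_ip: str

    def __post_init__(self):
        if not 1 <= self.priority <= 255:
            raise ValueError(f"{self.name}: priority must be 1-254, or 255 for the IP address owner")
        ipaddress.IPv4Address(self.interface_ip)  # rejects malformed addresses

def ip_value(member):
    return int(ipaddress.IPv4Address(member.interface_ip))

def elect_master(members):
    """Highest priority wins; equal priorities fall back to the largest interface IP."""
    return max(members, key=lambda m: (m.priority, ip_value(m)))

def master_down_interval(priority, advertise_interval=1.0):
    """RFC 3768 (assumed): 3 * Advertisement_Interval + Skew_Time,
    where Skew_Time = (256 - Priority) / 256 seconds."""
    return 3 * advertise_interval + (256 - priority) / 256

def takeover_after_failure(members, failed_name, advertise_interval=1.0):
    """Return (new_master_name, seconds) once `failed_name` stops advertising.

    The time is measured from the last Advertisement packet the backups received.
    """
    backups = [m for m in members if m.name != failed_name]
    if not backups:
        raise ValueError("no backup left in the group")
    # The shortest timer expires first; equal timers are resolved like an election tie.
    first = min(
        backups,
        key=lambda m: (master_down_interval(m.priority, advertise_interval), -ip_value(m)),
    )
    return first.name, master_down_interval(first.priority, advertise_interval)

# Constructed sample group; 1 second is the default advertisement interval.
GROUP = [
    Member("SwitchA", 120, "10.1.1.1"),
    Member("SwitchB", 100, "10.1.1.2"),
    Member("SwitchC", 100, "10.1.1.3"),
]

if __name__ == "__main__":
    print(elect_master(GROUP).name)
    print(takeover_after_failure(GROUP, "SwitchA"))
    print(takeover_after_failure(GROUP, "SwitchA", advertise_interval=3.0))
```

Raising the advertisement interval to ride out congestion also lengthens the time before a backup takes over: about 3.6 seconds at the default interval and about 9.6 seconds at 3 seconds in this sample.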

(Optional) Setting the Mode in Which VRRP Advertisement Packets Are Sent in a Super-VLAN

Context

When a VRRP group is configured in a super-VLAN, configure VRRP Advertisement packets to be sent to a specified sub-VLAN so that Advertisement packets are not broadcast in all sub-VLANs. This saves network bandwidth.

Prerequisites

A Super-VLAN has been configured.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface vlanif vlan-id

    The VLANIF interface view is displayed.

  3. Run:

    vrrp advertise vlan { sub-vlan-id | all }

    The mode in which VRRP Advertisement packets are sent in a super-VLAN is set.

    By default, the master sends VRRP Advertisement packets to a sub-VLAN that is Up and has the smallest VLAN ID in a super-VLAN.

    • If sub-vlan-id is specified, the master sends VRRP Advertisement packets to a specified sub-VLAN.

    • If all is specified, the master broadcasts VRRP Advertisement packets to all sub-VLANs of a super-VLAN.

    Broadcasting VRRP Advertisement packets to all sub-VLANs increases the CPU usage. Therefore, do not specify all.

  4. Run:

    commit

    The configuration is committed.

(Optional) Disabling VRRP TTL Check

Context

The system checks the TTL value in received VRRP Advertisement packets, and discards VRRP Advertisement packets in which the TTL value is not 255. On a network where devices of different vendors are deployed, if TTL check is enabled on the device, the device may incorrectly discard valid packets. In this case, disable TTL check so that devices of different vendors can communicate.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    vrrp check ttl disable

    The device is configured not to check the TTL value in VRRP Advertisement packets.

    By default, the system checks the TTL value in VRRP Advertisement packets.

  5. Run:

    commit

    The configuration is committed.

(Optional) Setting the Authentication Mode of VRRP Advertisement Packets

Context

Different authentication modes and authentication keys can be set in VRRPv2 Advertisement packets:
  • Non-authentication: The device does not authenticate outgoing VRRP Advertisement packets. In addition, the device does not authenticate the received VRRP Advertisement packets. It considers all the received packets valid.
  • Simple authentication: The device encapsulates the authentication mode and authentication key into an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet compares the authentication mode and authentication key in the packet with those configured on the device. If the values are the same, the device considers the received VRRP Advertisement packet valid. If the values are different, the device considers the received VRRP Advertisement packet invalid and discards it.
  • MD5 authentication: The device uses the MD5 algorithm to encrypt the authentication key and encapsulates the key in the Authentication Data field of an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet matches the authentication mode with the decrypted authentication key in the packet.
NOTE:

Only VRRPv2 supports authentication. VRRPv3 does not support authentication. VRRPv2 reserves the authentication field in VRRP Advertisement packets to be compatible with VRRP defined in RFC 2338. VRRP authentication cannot improve security.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    interface interface-type interface-number

    The interface view is displayed.

  3. On an Ethernet interface, run:

    undo portswitch

    The interface is switched to Layer 3 mode.

    By default, an Ethernet interface works in Layer 2 mode.

    If an Ethernet interface already has Layer 2 configuration, this command fails to be executed on the interface. Before running this command on the interface, delete all the Layer 2 configuration of the interface.

    NOTE:

    If many Ethernet interfaces need to be switched to Layer 3 mode, run the undo portswitch batch interface-type { interface-number1 [ to interface-number2 ] } &<1-10> command in the system view to switch these interfaces to Layer 3 mode in batches.

  4. Run:

    vrrp vrid virtual-router-id authentication-mode { simple { key | plain key | cipher cipher-key } | md5 md5-key }

    The authentication mode in VRRP Advertisement packets is configured.

    By default, a VRRP group uses non-authentication.

    NOTE:
    • Devices in a VRRP group must be configured with the same authentication mode and authentication key; otherwise, the VRRP group cannot negotiate the Master and Backup states.

    • An MD5 key can be entered in cipher text or plain text. The MD5 key in plain text is a string of 1 to 8 characters, and the MD5 key in cipher text is a string of 32 characters.

  5. Run:

    commit

    The configuration is committed.
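The receive-side checks described in this guide (the TTL must be 255, a VRRPv2 group discards VRRPv3 Advertisement packets, and the authentication mode and key must match), as an added Python example that is not part of the original guide or Huawei code. It assumes the VRRPv2 field layout from RFC 3768 and covers non-authentication and simple authentication only; the function names, configuration keys, sample key and packets are constructed for illustration.

```python
import hmac
import struct

def checksum16(data: bytes) -> int:
    """16-bit one's-complement checksum carried in a VRRPv2 advertisement."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_v2_advert(vrid, priority, virtual_ip, auth_type=0, key=b"", adver_int=1):
    """Build a constructed VRRPv2 advertisement to use as sample input."""
    ip = bytes(int(octet) for octet in virtual_ip.split("."))
    # Simple authentication carries the key itself, unencrypted and
    # zero-padded to 8 bytes, in the Authentication Data field.
    auth = key.ljust(8, b"\x00")[:8]
    head = struct.pack("!BBBBBB", (2 << 4) | 1, vrid, priority, 1, auth_type, adver_int)
    csum = checksum16(head + b"\x00\x00" + ip + auth)
    return head + struct.pack("!H", csum) + ip + auth

def check_advert(payload: bytes, ttl: int, cfg: dict):
    """Apply the receiver's checks and return (accepted, reason).

    cfg keys (hypothetical): version (2 or 3), vrid, auth_type (0 = none,
    1 = simple), key (bytes), check_ttl (False models 'vrrp check ttl disable').
    """
    if cfg.get("check_ttl", True) and ttl != 255:
        return False, "TTL is not 255"
    if len(payload) < 8:
        return False, "truncated packet"
    version, pkt_type = payload[0] >> 4, payload[0] & 0x0F
    if pkt_type != 1:
        return False, "not an Advertisement packet"
    if version == 3 and cfg["version"] == 2:
        return False, "VRRPv2 group discards VRRPv3 Advertisement packets"
    if version != 2:
        # VRRPv3 has no authentication field and a different checksum scope.
        raise NotImplementedError("only VRRPv2 parsing is covered in this example")
    if payload[1] != cfg["vrid"]:
        return False, "VRID mismatch"
    if len(payload) != 8 + 4 * payload[3] + 8:
        return False, "length does not match the address count"
    if checksum16(payload) != 0:
        return False, "bad checksum"
    if payload[4] != cfg.get("auth_type", 0):
        return False, "authentication mode mismatch"
    if payload[4] == 1:
        expected = cfg.get("key", b"").ljust(8, b"\x00")[:8]
        if not hmac.compare_digest(payload[-8:], expected):
            return False, "authentication key mismatch"
    return True, "ok"
```

Because the simple key sits in the packet as plain bytes, any host on the segment that receives the advertisement can read it, which is consistent with the note that VRRP authentication cannot improve security.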

(Optional) Enabling the Ping to a Virtual IP Address

Context

The device allows user devices to ping a virtual IP address to serve the following purposes:
  • Monitor the operating status of the master in a VRRP group.
  • Monitor communication between a user device and a network connected through a default gateway that uses the virtual IP address.

If the ping to a virtual IP address is enabled, a device on an external network can ping a virtual IP address. This exposes the device to ICMP-based attacks. The vrrp virtual-ip ping disable command can be used to disable the ping function.

Procedure

  1. Run:

    system-view

    The system view is displayed.

  2. Run:

    undo vrrp virtual-ip ping disable

    The ping to a virtual IP address is enabled.

    By default, the ping function is enabled. The master in a VRRP group responds to ping packets sent to the virtual IP address.

  3. Run:

    commit

    The configuration is committed.

Checking the Configuration

Procedure

  • Run the display vrrp [ interface interface-type interface-number ] [ virtual-router-id ] statistics command to check statistics about sent and received packets of the VRRP group.
Updated: 2019-08-09

Document ID: EDOC1000041694
