CLI-based Configuration Guide - Reliability

AR100, AR120, AR160, AR1200, AR2200, AR3200, and AR3600 V300R003

This document provides guidance for configuring reliability services, including interface backup, BFD, VRRP, and EFM.
Configuring Basic Functions of an IPv4 VRRP Group

Pre-configuration Tasks

An IPv4 VRRP group implements gateway backup and ensures stable and efficient data forwarding.

Before configuring basic functions of an IPv4 VRRP group, configure network layer attributes of interfaces to ensure network connectivity.

Creating a VRRP Group

Context

VRRP virtualizes multiple devices into one gateway without changing the networking, and uses the virtual gateway's IP address as the default gateway address to implement next-hop gateway backup. After a VRRP group is configured, traffic is forwarded through the master. When the master fails, a new master is selected among backups to forward traffic. This implements gateway backup.

If load balancing is required in addition to gateway backup, configure two or more VRRP groups on an interface in multi-gateway load balancing mode.

Procedure
  • Create a VRRP group working in active/standby mode.

    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run vrrp vrid virtual-router-id virtual-ip virtual-address

      A VRRP group is created, and a virtual IP address is assigned to the VRRP group.

      By default, no VRRP group is created.

  • Create VRRP groups working in multi-gateway load balancing mode.

    If VRRP groups need to work in multi-gateway load balancing mode, repeat the steps to configure two or more VRRP groups on the interface and assign different VRIDs to them.

Setting the Device Priority in a VRRP Group

Context

The device with a higher priority in a VRRP group is more likely to become the master. You can specify the master to forward traffic by setting the device priority.

Procedure
  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run vrrp vrid virtual-router-id priority priority-value

    The device priority in a VRRP group is set.

    By default, the device priority is 100. A larger value indicates a higher priority.

    • Priority 0 is reserved in the system. Priority 255 is reserved for the IP address owner. The priority ranges from 1 to 254.

    • The priority of an IP address owner is fixed at 255 and cannot be manually changed. You can run the vrrp vrid virtual-router-id priority priority-value command to configure a non-255 priority for an IP address owner, but the configured priority does not take effect. If a VRRP device is no longer an IP address owner, the configured priority is used.

    • When devices in a VRRP group have the same priority and attempt to become the master simultaneously, the device whose interface has the largest IP address becomes the master. Otherwise, the device that first switches to the Master state becomes the master, and the other backups remain unchanged.

(Optional) Configuring the VRRP Version Number

Context

IPv4 VRRP supports VRRPv2 and VRRPv3. If devices in a VRRP group use different VRRP versions, VRRP Advertisement packets may fail to be forwarded.
  • A VRRPv2 group can send and receive only VRRPv2 Advertisement packets. The VRRPv2 group discards received VRRPv3 Advertisement packets.
  • A VRRPv3 group can send and receive both VRRPv2 and VRRPv3 Advertisement packets. You can configure the mode in which VRRPv3 Advertisement packets are sent. The mode can be v2-only, v3-only, or v2v3-both.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vrrp version { v2 | v3 }

    The VRRP version number is set.

    By default, VRRPv2 is used.

    If VRRPv3 is used, run the vrrp version-3 send-packet-mode { v2-only | v3-only | v2v3-both } command to set the mode in which VRRPv3 Advertisement packets are sent. The default mode is v3-only.

(Optional) Configuring VRRP Time Parameters

Context

You can set VRRP time parameters as needed. Table 7-6 describes applicable scenarios of VRRP time parameters.

Table 7-6  Applicable scenarios of VRRP time parameters

  • Parameter: Interval at which VRRP Advertisement packets are sent

    Applicable scenario: The master in a VRRP group sends VRRP Advertisement packets to backups at intervals to notify that it is working properly. After the Master_Down_Interval timer expires, the backup with the highest priority switches to the master if it does not receive VRRP Advertisement packets.

    Heavy network traffic or time differences on different devices may result in the status change of the backups due to timeout of VRRP Advertisement packets. When packets from the original master reach the new master, the status of the new master changes. You can increase the interval to solve this problem.

  • Parameter: Preemption delay

    Applicable scenario: On an unstable network, if the BFD session status monitored by a VRRP group flaps frequently or the backups cannot receive VRRP Advertisement packets within a specified period, an active/standby switchover is frequently performed, which causes network flapping. You can adjust the preemption delay of the master in the VRRP group so that the backup with the highest priority switches to the master after the delay. This prevents frequent change of the VRRP group status.

  • Parameter: Timeout interval at which gratuitous ARP packets are sent by the master

    Applicable scenario: To ensure that MAC address entries on the downstream switch are correct, the master in a VRRP group periodically sends gratuitous ARP packets to update MAC address entries on the downstream switch.

    NOTE:

    Do not configure special MAC addresses such as the system MAC address and VRRP virtual MAC address as blackhole MAC addresses on the backup to prevent VRRP flapping.

  • Parameter: Delay before a VRRP group recovers

    Applicable scenario: On an unstable network, frequent flapping of the BFD session status or interface status monitored by a VRRP group may result in frequent switching of the VRRP group status. After the delay is set, the VRRP group does not immediately respond to an interface or BFD session Up event. Instead, the VRRP group processes this event after the delay. This prevents frequent switching of the VRRP group status.
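
The priority rules and the Master_Down_Interval timer described above decide which backup takes over. The following is an added example, not Huawei code: it uses the VRRPv2 formulas from RFC 3768 (which this guide does not spell out), and the device names and addresses are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Iterable


@dataclass(frozen=True)
class Router:
    name: str            # hypothetical device name
    priority: int        # 1-254 configurable, 255 = IP address owner
    interface_ip: str    # IPv4 address of the interface running VRRP


def master_down_interval(priority: int, advertise_interval: int = 1) -> float:
    """Seconds a backup waits without Advertisements before taking over.

    RFC 3768 (VRRPv2): Skew_Time = (256 - Priority) / 256
                       Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time
    """
    if not 1 <= priority <= 255:
        raise ValueError("priority 0 is reserved; valid range is 1-255")
    return 3 * advertise_interval + (256 - priority) / 256


def next_master(backups: Iterable[Router], advertise_interval: int = 1) -> Router:
    """Backup that takes over when the master goes silent.

    The shortest Master_Down_Interval (highest priority) expires first; equal
    priorities are broken by the largest interface IP address.
    """
    return min(
        backups,
        key=lambda r: (master_down_interval(r.priority, advertise_interval),
                       -int(IPv4Address(r.interface_ip))),
    )


# Constructed sample group: AR-B and AR-C share the default priority 100.
BACKUPS = [
    Router("AR-B", 100, "10.1.1.2"),
    Router("AR-C", 100, "10.1.1.3"),
    Router("AR-D", 90, "10.1.1.4"),
]

if __name__ == "__main__":
    for r in BACKUPS:
        print(r.name, master_down_interval(r.priority))
    print("takes over:", next_master(BACKUPS).name)
```

With the default 1-second interval a priority-100 backup waits about 3.6 seconds, so raising the advertise interval lengthens failover roughly threefold.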

Procedure

  • Set the interval at which VRRP Advertisement packets are sent.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run vrrp vrid virtual-router-id timer advertise advertise-interval

      The interval at which VRRP Advertisement packets are sent is set.

      By default, the interval is 1 second.

      NOTE:

      The interval at which a device sends VRRP Advertisement packets cannot be less than the time that the device takes to perform a master/slave main control board switchover. If the interval is less than the switchover time, protocol flapping may occur during a master/slave main control board switchover. It is recommended that the interval be set to a value greater than 1s.

  • Set the preemption delay of the master.
    1. Run system-view

      The system view is displayed.

    2. Run interface interface-type interface-number

      The interface view is displayed.

    3. Run vrrp vrid virtual-router-id preempt-mode timer delay delay-value

      The preemption delay is set.

      By default, the preemption delay is 0. In immediate preemption mode, a backup can immediately switch to the master when its priority is higher than that of the master.

      You can use the vrrp vrid virtual-router-id preempt-mode disable command to set the non-preemption mode. In non-preemption mode, the master that works properly can retain the Master state. The backup cannot switch to the master even if the priority of the master decreases.

      You can use the undo vrrp vrid virtual-router-id preempt-mode command to restore the default preemption mode.

      NOTE:

      It is recommended that you set the preemption delay of the backup in a VRRP group to 0, configure the master in preemption mode, and set the preemption delay. On an unstable network, these settings allow a period of time for status synchronization between the uplink and downlink. If the preceding settings are not used, two masters coexist and user devices may learn the incorrect address of the master.

  • Set the timeout interval at which gratuitous ARP packets are sent by the master.
    1. Run system-view

      The system view is displayed.

    2. Run vrrp gratuitous-arp timeout time

      The timeout interval at which gratuitous ARP packets are sent by the master is set.

      By default, the master sends gratuitous ARP packets every 120s.

      NOTE:

      The timeout interval at which the master sends gratuitous ARP packets must be shorter than the aging time of ARP entries on user devices.

      • To restore the default interval at which gratuitous ARP packets are sent, run the undo vrrp gratuitous-arp timeout command in the system view.

      • If the master does not need to send gratuitous ARP packets, run the vrrp gratuitous-arp timeout disable command in the system view.

  • Set the delay before a VRRP group recovers.
    1. Run system-view

      The system view is displayed.

    2. Run vrrp recover-delay delay-value

      The delay before a VRRP group recovers is set.

      By default, the delay before a VRRP group recovers is 0.

      NOTE:
      • After this command is used, all VRRP groups on the device are configured with the same delay.

      • When the device in a VRRP group restarts, VRRP status flapping may occur. It is recommended that the delay be set based on actual networking.

(Optional) Setting the Mode in Which VRRP Advertisement Packets Are Sent in a Super-VLAN

Context

When a VRRP group is configured in a super-VLAN, configure VRRP Advertisement packets to be sent to a specified sub-VLAN so that Advertisement packets are not broadcast in all sub-VLANs. This saves network bandwidth.

Prerequisites

A Super-VLAN has been configured.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface vlanif vlan-id

    The VLANIF interface view is displayed.

  3. Run vrrp advertise send-mode { sub-vlan-id | all }

    A mode in which VRRP Advertisement packets are sent in a super-VLAN is set.

    By default, the master sends VRRP Advertisement packets to a sub-VLAN that is Up and has the smallest VLAN ID in a super-VLAN.

    • If sub-vlan-id is specified, the master sends VRRP Advertisement packets to a specified sub-VLAN.

    • If all is specified, the master broadcasts VRRP Advertisement packets to all sub-VLANs of a super-VLAN.

(Optional) Disabling VRRP TTL Check

Context

The system checks the TTL value in received VRRP Advertisement packets, and discards VRRP Advertisement packets in which the TTL value is not 255. On a network where devices of different vendors are deployed, if TTL check is enabled on the device, the device may incorrectly discard valid packets. In this case, disable TTL check so that devices of different vendors can communicate.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run vrrp un-check ttl

    The device is configured not to check the TTL value in VRRP Advertisement packets.

    By default, the system checks the TTL value in VRRP Advertisement packets.

(Optional) Setting the Authentication Mode of VRRP Advertisement Packets

Context

Different authentication modes and authentication keys can be set in VRRPv2 Advertisement packets:
  • Non-authentication: The device does not authenticate outgoing VRRP Advertisement packets. In addition, the device does not authenticate the received VRRP Advertisement packets. It considers all the received packets valid.
  • Simple authentication: The device encapsulates the authentication mode and authentication key into an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet compares the authentication mode and authentication key in the packet with those configured on the device. If the values are the same, the device considers the received VRRP Advertisement packet valid. If the values are different, the device considers the received VRRP Advertisement packet invalid and discards it.
  • MD5 authentication: The device uses the MD5 algorithm to encrypt the authentication key and encapsulates the key in the Authentication Data field of an outgoing VRRP Advertisement packet. The device that receives the VRRP Advertisement packet matches the authentication mode with the decrypted authentication key in the packet.
NOTE:

Only VRRPv2 supports authentication. VRRPv3 does not support authentication. VRRPv2 reserves the authentication field in VRRP Advertisement packets to be compatible with VRRP defined in RFC 2338. VRRP authentication cannot improve security.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run interface interface-type interface-number

    The interface view is displayed.

  3. Run vrrp vrid virtual-router-id authentication-mode { simple { key | plain key | cipher cipher-key } | md5 md5-key }

    The authentication mode in VRRP Advertisement packets is configured.

    By default, a VRRP group uses non-authentication.

    NOTE:
    • Devices in a VRRP group must be configured with the same authentication mode and authentication key; otherwise, the VRRP group cannot negotiate the Master and Backup states.

    • To ensure security, you are advised to use MD5 as the authentication algorithm of VRRP.
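
The receive-side checks described in the version, TTL check, and authentication sections can be expressed as one validator. The following is an added example, not Huawei code: it assumes the VRRPv2 packet layout from RFC 3768 and the authentication type values 0 (none) and 1 (simple text) from RFC 2338, does not model MD5 mode, and builds its own constructed test packet.

```python
import struct

VRRP_PROTO, VRRP_GROUP = 112, bytes([224, 0, 0, 18])

def inet_checksum(data: bytes) -> int:
    """16-bit one's complement checksum (RFC 1071), as used by VRRPv2."""
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def validate(ip_packet, vrid, auth_type=0, key=b"", check_ttl=True):
    """Return the reasons a VRRPv2 receiver discards the packet ([] = accept)."""
    ihl = (ip_packet[0] & 0x0F) * 4
    vrrp = bytes(ip_packet[ihl:])
    if ip_packet[9] != VRRP_PROTO or len(vrrp) < 16:
        return ["not a VRRP Advertisement"]
    reasons = []
    if check_ttl and ip_packet[8] != 255:      # skipped by 'vrrp un-check ttl'
        reasons.append(f"TTL {ip_packet[8]} != 255")
    if bytes(ip_packet[16:20]) != VRRP_GROUP:
        reasons.append("destination is not 224.0.0.18")
    version = vrrp[0] >> 4
    if version != 2:                           # a VRRPv2 group discards v3 packets
        return reasons + [f"version {version} != 2"]
    count, pkt_auth = vrrp[3], vrrp[4]
    if vrrp[1] != vrid:
        reasons.append("VRID mismatch")
    if inet_checksum(vrrp) != 0:               # a valid message sums to zero
        reasons.append("bad VRRP checksum")
    if pkt_auth != auth_type:
        reasons.append("authentication mode mismatch")
    elif auth_type == 1 and vrrp[8 + 4 * count:][:8] != key.ljust(8, b"\0"):
        reasons.append("authentication key mismatch")
    return reasons

def build_sample(ttl=255, version=2, vrid=1, auth_type=0, key=b""):
    """Constructed test packet: 10.1.1.1 advertising virtual IP 10.1.1.254."""
    body = struct.pack("!6BH", version << 4 | 1, vrid, 100, 1, auth_type, 1, 0)
    body += bytes([10, 1, 1, 254]) + key.ljust(8, b"\0")
    body = body[:6] + struct.pack("!H", inet_checksum(body)) + body[8:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0xC0, 20 + len(body), 0, 0,
                     ttl, VRRP_PROTO, 0, bytes([10, 1, 1, 1]), VRRP_GROUP)
    return ip + body   # IPv4 header checksum left 0; it is not examined here

if __name__ == "__main__":
    print(validate(build_sample(ttl=64), vrid=1))
```

A packet that has crossed a router arrives with a TTL below 255, so the TTL check is what confines accepted Advertisements to the local segment; passing check_ttl=False shows what is accepted once it is disabled.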

(Optional) Enabling the Ping to a Virtual IP Address

Context

The device allows user devices to ping a virtual IP address for the following purposes:
  • Monitor the operating status of the master in a VRRP group.
  • Monitor communication between a user device and a network connected through a default gateway that uses the virtual IP address.

If the ping to a virtual IP address is enabled, a device on an external network can ping a virtual IP address. This exposes the device to ICMP-based attacks. The undo vrrp virtual-ip ping enable command can be used to disable the ping function.

Procedure

  1. Run system-view

    The system view is displayed.

  2. Run vrrp virtual-ip ping enable

    The ping to a virtual IP address is enabled.

    By default, the ping function is enabled. The master in a VRRP group responds to ping packets sent to the virtual IP address.

Checking the Configuration

Procedure

  • Run either of the following commands to check the VRRP group status and parameters:

    • display vrrp [ interface interface-type interface-number ] [ virtual-router-id ] [ brief ]
    • display vrrp { interface interface-type interface-number [ virtual-router-id ] | virtual-router-id } verbose

  • Run the display vrrp protocol-information command to check VRRP information.
  • Run the display vrrp [ interface interface-type interface-number ] [ virtual-router-id ] statistics command to check statistics about sent and received packets of the VRRP group.
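
Alongside the display commands, a saved configuration can be reviewed offline for the settings this guide singles out: disabled TTL check, the authentication mode, and the ping function. The following is an added example, not a Huawei tool: the sample configuration is constructed, and it assumes that the saved configuration shows commands in the forms used in this guide and omits defaults.

```python
import re

# Constructed sample; interface names, addresses and the key are made up.
SAMPLE = """\
interface GigabitEthernet0/0/1
 ip address 10.1.1.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.254
 vrrp vrid 1 priority 120
 vrrp vrid 1 authentication-mode simple plain example
 vrrp un-check ttl
interface GigabitEthernet0/0/2
 ip address 10.1.2.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.1.2.254
"""
GROUP_RE = re.compile(r"vrrp vrid (\d+) (virtual-ip|authentication-mode) (\S+)")
AUTH_NOTES = {
    None: "non-authentication (default): every received Advertisement is valid",
    "simple": "simple authentication: key is carried in each Advertisement",
}


def audit(config: str) -> list:
    """Return (scope, finding) pairs for VRRP settings worth reviewing."""
    findings, scope, auth = [], "system", {}
    lines = [raw.rstrip() for raw in config.splitlines()]
    for raw in lines:
        line = raw.strip()
        if raw.startswith("interface "):
            scope = line.split()[1]          # following lines belong to this interface
        elif line == "vrrp un-check ttl":
            findings.append((scope, "TTL check disabled"))
        elif m := GROUP_RE.match(line):
            vrid, kind, arg = m.groups()
            auth.setdefault((scope, vrid), None)   # group exists, no auth seen yet
            if kind == "authentication-mode":
                auth[(scope, vrid)] = arg          # 'simple' or 'md5'
    for (scope, vrid), mode in auth.items():
        if mode in AUTH_NOTES:
            findings.append((scope, f"vrid {vrid}: {AUTH_NOTES[mode]}"))
    if "undo vrrp virtual-ip ping enable" not in (l.strip() for l in lines):
        findings.append(("system", "virtual IP answers ping (default)"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE):
        print(f"{scope}: {finding}")
```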
Updated: 2019-03-06

Document ID: EDOC1100069338
