Got it

[All About Switches] Services Fail to Be Switched to the VRRP Backup Device in Time When the Link to the VRRP Master Device Fails

Latest reply: Mar 9, 2018 05:53:42 1982 1 0 0 0

Involved Products and Versions

All products and versions


As shown in Figure 1-1, a VRRP group is configured on SwitchA and SwitchB. SwitchA is the VRRP master device and SwitchB is the VRRP backup device. A heartbeat link is deployed between SwitchA and SwitchB to transparently transmit packets of the corresponding VLAN. SwitchA is connected to SwitchC, and SwitchB is connected to SwitchD. Two network ports on the server are connected to SwitchA and SwitchB, respectively.

Figure 1-1 Networking diagram for the failure to switch services to the VRRP backup device in a timely manner when the link to the VRRP master device fails



Fault Symptom

When the link between the server and SwitchA fails, services cannot be switched to the standby link in a timely manner. Services can be restored only after 20 minutes.

Cause Analysis

Normally, SwitchA is the VRRP master device and SwitchB is the VRRP backup device. The link between the server and SwitchA is the active link, and the link between the server and SwitchB is the standby link. SwitchA learns the ARP entry of the server through the interface GE1/0/1, and SwitchB learns the ARP entry of the server from SwitchA through the heartbeat interface GE1/0/2.

When the active link of the server fails, the packets of the server are forwarded through the standby link of SwitchB. After the interface of SwitchA goes Down, SwitchA re-learns the ARP entry of the server. Therefore, no fault occurs when the server sends out packets and the reply packets reach SwitchA. However, if the reply packets reach SwitchB, the reply packets cannot reach the server. After the ARP entries on SwitchB are queried, it is found that the ARP interface on SwitchB is still the heartbeat interface and ARP update is not performed. As a result, the reply packets arriving at SwitchB continue to be sent to SwitchA. Because the link between SwitchA and the server is interrupted, a network fault occurs. The network recovers 20 minutes later after ARP entries are updated.

To locate the failure to update ARP entries in a timely manner, the configurations on SwitchA and SwitchB are checked. It is found that the arp anti-attack entry-check fixed-all enable and arp learning strict force-enable commands are configured on SwitchA and SwitchB. SwitchB learns the ARP entry of the server from the heartbeat interface. After the server performs an active/standby link switchover, the ARP entries learned by SwitchB through the interface GE1/0/1 are inconsistent with the original ARP entries. As a result, SwitchB does not update the ARP entries.

Troubleshooting Procedure

                          Step 1     Run the undo arp anti-attack entry-check enable command to disable ARP entry fixing, and run the undo arp learning strict command to disable strict ARP learning.


Conclusions and Suggestions

The following describes the application scenarios of ARP entry fixing and strict ARP learning.

ARP entry fixing

To defend against ARP address spoofing attacks, enable ARP entry fixing. The fixed-mac, fixed-all, and send-ack modes are applicable to different scenarios and are mutually exclusive:

l   The fixed-mac mode applies to networks where user MAC addresses are unchanged but user access locations often change. When a user connects to a different interface on the device, the device updates interface information in the ARP entry of the user timely.

l   The fixed-all mode applies to networks where user MAC addresses and user access locations are fixed.

l   The send-ack mode applies to networks where user MAC addresses and user access locations often change.

Strict ARP learning

If many user hosts send a large number of ARP packets to a device simultaneously or attackers send bogus ARP packets to the device, the following problems occur:

l   Processing ARP packets consumes many CPU resources. The device learns many invalid ARP entries, which exhaust ARP entry resources and prevent the device from learning ARP entries for ARP packets from authorized users. Consequently, communication of authorized users is interrupted.

l   After receiving bogus ARP packets, the device incorrectly modifies the ARP entries. As a result, authorized users cannot communicate with each other.

To avoid the preceding problems, enable strict ARP learning on the gateway. This function indicates that the device learns only ARP entries for ARP Reply packets in response to ARP Request packets sent by itself. This defends the device against most ARP attacks.

  • x
  • convention:

Created Mar 9, 2018 05:53:42

Good documentation
View more
  • x
  • convention:


You need to log in to comment to the post Login | Register

Notice: To protect the legitimate rights and interests of you, the community, and third parties, do not release content that may bring legal risks to all parties, including but are not limited to the following:
  • Politically sensitive content
  • Content concerning pornography, gambling, and drug abuse
  • Content that may disclose or infringe upon others ' commercial secrets, intellectual properties, including trade marks, copyrights, and patents, and personal privacy
Do not share your account and password with others. All operations performed using your account will be regarded as your own actions and all consequences arising therefrom will be borne by you. For details, see " User Agreement."

My Followers

Login and enjoy all the member benefits


Are you sure to block this user?
Users on your blacklist cannot comment on your post,cannot mention you, cannot send you private messages.
Please bind your phone number to obtain invitation bonus.
Information Protection Guide
Thanks for using Huawei Enterprise Support Community! We will help you learn how we collect, use, store and share your personal information and the rights you have in accordance with Privacy Policy and User Agreement.