How is HSB configured on an AR


AR routers support HSB only when they are deployed as firewalls. HSB ensures that user services are not interrupted when a firewall fault occurs.
The HSB configuration is the same on all AR models of all versions. The following uses the HSB configuration on an AR2240 running V200R006 as an example.
To ensure enterprise intranet security, company A deploys a firewall between the intranet and extranet. All traffic must pass through the firewall, so a firewall failure interrupts all traffic. Company A therefore deploys two firewalls in active/standby mode and requires that if FW_A becomes faulty, FW_B takes over services from FW_A to keep the network running without interruption.
The HSB configuration is as follows:
1. Configure interface IP addresses to ensure that devices can communicate.
# Configure FW_A. The configuration of FW_B is similar to that of FW_A, and is not mentioned here.
[Huawei] sysname FW_A
[FW_A] interface gigabitethernet 2/0/0
[FW_A-GigabitEthernet2/0/0] ip address 10.1.1.1 24
[FW_A-GigabitEthernet2/0/0] quit
[FW_A] interface gigabitethernet 1/0/0
[FW_A-GigabitEthernet1/0/0] ip address 192.168.1.1 24
[FW_A-GigabitEthernet1/0/0] quit
# Configure Switch.
[Huawei] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 0/0/1 //The configuration of GE0/0/2 is similar to that of GE0/0/1, and is not mentioned here.
[Switch-GigabitEthernet0/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet0/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet0/0/1] quit
2. Configure a VRRP group.
# Configure VRRP group 1 on FW_A, and set the priority of FW_A in VRRP group 1 to 120.
[FW_A] interface gigabitethernet 2/0/0
[FW_A-GigabitEthernet2/0/0] vrrp vrid 1 virtual-ip 10.1.1.111
[FW_A-GigabitEthernet2/0/0] vrrp vrid 1 priority 120
[FW_A-GigabitEthernet2/0/0] quit
# Configure VRRP group 1 on FW_B. The priority of FW_B in VRRP group 1 is the default value 100.
[FW_B] interface gigabitethernet 2/0/0
[FW_B-GigabitEthernet2/0/0] vrrp vrid 1 virtual-ip 10.1.1.111
[FW_B-GigabitEthernet2/0/0] quit
3. Configure HSB.
# Configure HSB service 0 on FW_A and FW_B, and configure the IP addresses and port numbers for the active and standby channels.
[FW_A] hsb-service 0
[FW_A-hsb-service-0] service-ip-port local-ip 192.168.1.1 peer-ip 192.168.1.2 local-data-port 10241 peer-data-port 10241
[FW_A-hsb-service-0] quit
[FW_B] hsb-service 0
[FW_B-hsb-service-0] service-ip-port local-ip 192.168.1.2 peer-ip 192.168.1.1 local-data-port 10241 peer-data-port 10241
[FW_B-hsb-service-0] quit
# Configure HSB group 0 on FW_A and bind HSB service 0 and VRRP group 1 to it. The configuration of FW_B is similar to that of FW_A, and is not mentioned here.
[FW_A] hsb-group 0
[FW_A-hsb-group-0] bind-service 0
[FW_A-hsb-group-0] track vrrp vrid 1 interface gigabitethernet 2/0/0
# Enable HSB on FW_A and FW_B to make the HSB group configuration take effect.
[FW_A-hsb-group-0] hsb enable
[FW_B-hsb-group-0] hsb enable
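
A consistency check for the pair, as an added example that is not part of the original page or of Huawei tooling: it parses the step 2 and step 3 commands of both devices and reports mismatches that would leave the backup channel or the failover tracking broken. The config strings are constructed from the commands above, FW_B's omitted lines are assumed to mirror FW_A, and `parse` and `check_pair` are hypothetical helper names.

```python
import re

# Constructed sample input built from steps 2-3; FW_B is assumed to mirror FW_A.
FW_A = """\
interface gigabitethernet 2/0/0
 vrrp vrid 1 virtual-ip 10.1.1.111
 vrrp vrid 1 priority 120
hsb-service 0
 service-ip-port local-ip 192.168.1.1 peer-ip 192.168.1.2 local-data-port 10241 peer-data-port 10241
hsb-group 0
 bind-service 0
 track vrrp vrid 1 interface gigabitethernet 2/0/0
 hsb enable
"""
FW_B = FW_A.replace(" vrrp vrid 1 priority 120\n", "").replace(
    "local-ip 192.168.1.1 peer-ip 192.168.1.2", "local-ip 192.168.1.2 peer-ip 192.168.1.1")

def parse(cfg):
    """Pull out the HSB and VRRP values that have to agree between the peers."""
    m = re.search(r"service-ip-port local-ip (\S+) peer-ip (\S+) "
                  r"local-data-port (\d+) peer-data-port (\d+)", cfg)
    f = {"local": (m[1], m[3]), "peer": (m[2], m[4])} if m else {}
    m = re.search(r"vrrp vrid (\d+) virtual-ip (\S+)", cfg)
    f["vrrp"] = (m[1], m[2]) if m else None
    m = re.search(r"vrrp vrid \d+ priority (\d+)", cfg)
    f["priority"] = int(m[1]) if m else 100  # 100 is the default, per step 2
    m = re.search(r"track vrrp vrid (\d+)", cfg)
    f["tracked"] = m[1] if m else None
    f["enabled"] = re.search(r"^\s*hsb enable\s*$", cfg, re.M) is not None
    return f

def check_pair(cfg_a, cfg_b):
    """Return a list of findings; an empty list means the pair is consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    if "local" not in a or "local" not in b:
        out.append("service-ip-port missing on a device")
    elif a["local"] != b["peer"] or a["peer"] != b["local"]:
        out.append("HSB channel endpoints are not mirrored")
    if a["vrrp"] is None or a["vrrp"] != b["vrrp"]:
        out.append("VRRP group or virtual IP differs")
    if a["priority"] == b["priority"]:
        out.append("VRRP priorities are equal")
    for name, f in (("FW_A", a), ("FW_B", b)):
        if f["tracked"] is None or f["vrrp"] is None or f["tracked"] != f["vrrp"][0]:
            out.append(f"{name}: HSB group does not track the VRRP group")
        if not f["enabled"]:
            out.append(f"{name}: hsb enable missing")
    return out
```

Calling `check_pair(FW_A, FW_B)` on the sample returns an empty list; feed it the relevant lines of each device's saved configuration to audit a real pair.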

Other related questions:
Principles of HSB
The AR supports the HSB function. HSB implementation involves data synchronization and traffic switching. Data synchronization is performed to ensure consistent information on the master and backup devices when the two devices are working normally. Traffic switching is performed to ensure non-stop service forwarding when the master device fails or recovers. Data synchronization works by establishing active and standby channels between devices that back up each other. Session entries of the master device can be synchronized to the backup device through the channel at one time, in real time, or periodically. Traffic switching is based on negotiation between the master device and the backup device using VRRP. When the master device fails, a new master device is elected based on VRRP priorities and the traffic is switched to the new master device. For details, see "HSB Configuration" in AR100&AR120&AR150&AR160&AR200&AR1200&AR2200&AR3200&AR3600 V200R008 CLI-based Configuration Guide - Reliability.

Does an AR support HSB
Starting from V200R003C01, all AR models support the hot standby (HSB) function. However, AR routers support HSB only when they are deployed as firewalls.

How to configure Assured Forwarding (AF) for packets of a certain type on an AR
On AR routers, you can run the queue af command to configure Assured Forwarding (AF) for packets of a certain type and set the minimum bandwidth. AF ensures a low drop probability of packets when the rate of outgoing service traffic does not exceed the minimum bandwidth. It is applied to heavy-traffic services whose bandwidth needs to be ensured.
Configuration example: Set the minimum bandwidth for the traffic of network segment 192.168.100.0 to 3000 kbit/s.
[Huawei] acl 3022 //Configure an ACL to match the traffic whose bandwidth is to be assured.
[Huawei-acl-adv-3022] rule permit ip source 192.168.100.0 0.0.0.255
[Huawei-acl-adv-3022] quit
[Huawei] traffic classifier c
[Huawei-classifier-c] if-match acl 3022 //Create a traffic classifier to protect the traffic matching the ACL rule.
[Huawei-classifier-c] quit
[Huawei] traffic behavior b
[Huawei-behavior-b] queue af bandwidth 3000 //Create a traffic behavior and set the minimum bandwidth to 3000 kbit/s.
[Huawei-behavior-b] quit
[Huawei] traffic policy p
[Huawei-trafficpolicy-p] classifier c behavior b //Create a traffic policy and bind the traffic classifier and traffic behavior to the traffic policy.
[Huawei-trafficpolicy-p] quit
[Huawei] interface Ethernet 0/0/0
[Huawei-Ethernet0/0/0] traffic-policy p outbound //Apply the traffic policy on the interface.

STP enabling/disabling method on an AR router
By default, STP is enabled on an AR router globally and on Layer 2 interfaces. Run the stp enable command in the system view or interface view to enable STP globally or on a Layer 2 interface. Run the stp disable command in the system view or interface view to disable STP globally or on a Layer 2 interface.
