Method used to configure interworking between BFD Sessions and the two-node cluster hot backup on the USG firewall


The VGMP management group is the core of the two-node cluster hot backup. It determines the active/standby state of a device.
By means of interworking between BFD sessions and the two-node cluster hot backup, the VGMP management group monitors static BFD sessions, and the priority of the VGMP management group varies depending on the BFD session state. In this way, the active/standby switchover between devices is triggered.

This case describes key configuration for the interworking between BFD sessions and the two-node cluster hot backup using active/standby two-node cluster hot backup as an example.
1. Establish the two-node cluster hot backup on two devices.
2. On USG_A and Router_A, create BFD sessions.
# On USG_A, configure BFD session 1, and set the peer IP address to 1.1.1.2, local identifier to 10, and remote identifier to 20.
HRP_A[USG_A] bfd
HRP_A[USG_A-bfd] quit
HRP_A[USG_A] bfd 1 bind peer-ip 1.1.1.2
HRP_A[USG_A-bfd-session-1] discriminator local 10
HRP_A[USG_A-bfd-session-1] discriminator remote 20
HRP_A[USG_A-bfd-session-1] commit
HRP_A[USG_A-bfd-session-1] quit
# On Router_A, configure BFD session 1, and set the peer IP address to 10.100.30.2, local identifier to 20, and remote identifier to 10.
3. On USG_A, configure the interworking between BFD sessions and the two-node cluster hot backup.
HRP_A[USG_A] hrp track bfd-session 10 master
4. On USG_B and Router_B, create BFD sessions.
# On USG_B, configure BFD session 1, and set the peer IP address to 2.2.2.2, local identifier to 10, and remote identifier to 20.
HRP_S[USG_B] bfd
HRP_S[USG_B-bfd] quit
HRP_S[USG_B] bfd 1 bind peer-ip 2.2.2.2
HRP_S[USG_B-bfd-session-1] discriminator local 10
HRP_S[USG_B-bfd-session-1] discriminator remote 20
HRP_S[USG_B-bfd-session-1] commit
HRP_S[USG_B-bfd-session-1] quit
# On Router_B, configure BFD session 1, and set the peer IP address to 10.100.40.2, local identifier to 20, and remote identifier to 10.
5. On USG_A, configure the interworking between BFD sessions and the two-node cluster hot backup.
HRP_S[USG_B] hrp track bfd-session 10 slave
Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.
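
An added example, not from the original page or from Huawei: a Python check that the static BFD discriminators on the firewall are mirrored on the router (local 10 / remote 20 against local 20 / remote 10, as in step 2), that the session was committed, and that every track bfd-session reference resolves. The Router_A transcript is constructed from the page's prose, and accepting either a session name or a local discriminator as a track reference is an assumption.

```python
import re

# Constructed transcripts. USG_A follows the page's commands; Router_A is an
# assumed rendering of the router settings the page describes in prose.
USG_A = """HRP_A[USG_A] bfd 1 bind peer-ip 1.1.1.2
HRP_A[USG_A-bfd-session-1] discriminator local 10
HRP_A[USG_A-bfd-session-1] discriminator remote 20
HRP_A[USG_A-bfd-session-1] commit
HRP_A[USG_A-bfd-session-1] quit
HRP_A[USG_A] hrp track bfd-session 10 master"""
ROUTER_A = """[Router_A] bfd 1 bind peer-ip 10.100.30.2
[Router_A-bfd-session-1] discriminator local 20
[Router_A-bfd-session-1] discriminator remote 10
[Router_A-bfd-session-1] commit"""
PROMPT = re.compile(r"^\s*\w*\[[^\]]*\]\s*")  # strips "HRP_A[USG_A-...] "

def parse(transcript):
    """Return ({session name: settings}, [tracked session references])."""
    sessions, tracked, cur = {}, [], None
    for raw in transcript.splitlines():
        line = PROMPT.sub("", raw).strip()
        if m := re.match(r"bfd (\S+) bind peer-ip (\S+)", line):
            cur = sessions.setdefault(m[1], {"peer": m[2], "committed": False})
        elif m := re.search(r"track bfd-session (\S+)", line):
            tracked.append(m[1])
        elif cur is None:
            continue
        elif m := re.match(r"discriminator (local|remote) (\d+)", line):
            cur[m[1]] = m[2]
        elif line == "commit":
            cur["committed"] = True
        elif line == "quit":
            cur = None
    return sessions, tracked

def audit(local, peer):
    """Problems found in the local device's sessions, checked against the peer."""
    sessions, tracked = parse(local)
    by_local = {s.get("local"): s for s in parse(peer)[0].values()}
    problems = []
    for name, s in sessions.items():
        if not s["committed"]:
            problems.append(f"session {name}: not committed")
        mate = by_local.get(s.get("remote"))
        if mate is None or mate.get("remote") != s.get("local"):
            problems.append(f"session {name}: discriminators not mirrored on peer")
    # Assumption: a track reference is a session name or its local discriminator.
    known = set(sessions) | {s.get("local") for s in sessions.values()}
    problems += [f"track {t}: no such BFD session" for t in tracked if t not in known]
    return problems
```

Calling audit(USG_A, ROUTER_A) returns an empty list for the configuration shown on this page; a mismatched discriminator, a missing commit, or a dangling track reference each produce one entry.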

Other related questions:
Method used to configure interworking between BFD sessions and static routes on the USG firewall
The static route is a special route manually configured by the network administrator for a specified path. Different from a dynamic route, the static route does not have any detection mechanism. When a fault occurs on the network, the network administrator needs to detect and locate the fault. By means of interworking between BFD sessions and the static route, the static route is bound with static BFD sessions, so that the static route state is updated in pace with the BFD session state. BFD sessions can be established between devices to improve the network reliability and accelerate route convergence upon network failures. The status of links between devices can be monitored using BFD sessions.
Key configurations for the interworking between BFD sessions and the static route on the USG firewall are as follows:
1. # Configure BFD sessions for USG_B.
[USG_A] bfd
[USG_A-bfd] quit
[USG_A] bfd ab bind peer-ip 10.1.1.2
[USG_A-bfd-session-ab] discriminator local 10
[USG_A-bfd-session-ab] discriminator remote 20
[USG_A-bfd-session-ab] commit
[USG_A-bfd-session-ab] quit
2. # Configure the interworking between the static route and BFD sessions.
[USG_A] ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab
Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.
For specific configurations, click Method used to configure interworking between BFD sessions and the static route on the USG firewall.

Method used to configure interworking between BFD sessions and the DHCP client on the USG firewall
When serving as a DHCP client, an egress gateway cannot detect the accessibility of the link where it resides. If the link is faulty, service traffic cannot be rapidly switched over to a standby link, resulting in service interruption. The interworking between the DHCP client and BFD sessions can address this issue. With this function, the DHCP client is associated with BFD sessions, so that the firewall can dynamically determine the DHCP link accessibility based on the BFD session state.
Key configurations for the interworking between BFD sessions and the DHCP client on the USG firewall are as follows:
# Configure BFD session 1, and set the peer IP address to 8.8.8.1, local identifier to 10, and remote identifier to 20.
[USG_A] bfd
[USG_A-bfd] quit
[USG_A] bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet 0/0/1 nexthop dhcp
[USG_A-bfd-session-1] discriminator local 10
[USG_A-bfd-session-1] discriminator remote 20
[USG_A-bfd-session-1] commit
[USG_A-bfd-session-1] quit
Configure the interworking between the DHCP client and the BFD session.
# Associate the DHCP client with BFD sessions.
[USG_A] dhcp enable
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] dhcp client enable track bfd-session 10
[USG_A-GigabitEthernet0/0/1] quit
Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.
For specific configurations, click Method used to configure interworking between BFD sessions and the DHCP client on the USG firewall.

Method used to configure interworking between BFD sessions and policy-based routing on the USG firewall
By means of interworking between policy-based routing and BFD sessions, the preceding issue is addressed, the flexibility of policy-based routing is enhanced, and the capability of policy-based routing for dynamically sensing the network environment is improved. By associating execution actions of policy-based routing with static BFD sessions, the firewall can rapidly monitor the link accessibility of the next hop or outbound interface specified by policy-based routing based on BFD sessions. The firewall can dynamically determine the availability of policy-based routing based on the BFD session state.
Key configurations for the interworking between BFD sessions and policy-based routing on the USG firewall are as follows:
# Configure BFD session 1, and set the peer IP address to 1.1.2.1, local identifier to 10, and remote identifier to 20.
[USG] bfd
[USG-bfd] quit
[USG] bfd 1 bind peer-ip 1.1.2.1
[USG-bfd-session-1] discriminator local 10
[USG-bfd-session-1] discriminator remote 20
[USG-bfd-session-1] commit
[USG-bfd-session-1] quit
# Configure policy testA, set packets from source address 10.1.0.0/16 to be delivered to next hop address 1.1.2.1, and associate the next hop address with BFD session 1.
[USG] policy-based-route testA permit node 5
[USG-policy-based-route-testA-5] if-match acl 3001
[USG-policy-based-route-testA-5] apply ip-address next-hop 1.1.2.1 track bfd-session 10
[USG-policy-based-route-testA-5] quit
# Apply policy testA to interface GigabitEthernet 0/0/1 to process packets received at this interface.
[USG] interface GigabitEthernet 0/0/1
[USG-GigabitEthernet0/0/1] ip policy-based-route testA
[USG-GigabitEthernet0/0/1] quit
# Configure a default route, set the next hop address to 1.1.2.1/24, and associate the next hop address with BFD session 1.
[USG] ip route-static 0.0.0.0 0.0.0.0 1.1.2.1 track bfd-session 1
Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.
For specific configurations, click Method used to configure interworking between BFD sessions and policy-based routing on the USG firewall.
