Whether it is normal that the output of the display hrp group command displays that the status of certain groups is disable in hot standby deployment

6

It is normal. In hot standby deployment, only the active VGMP group on the active device is working, and only the standby VGMP group on the standby device is working.

Other related questions:
Checking whether the hot standby status is normal
Run the display hrp state command to check. HRP_A display hrp state The firewall's config state is: ACTIVE Backup channel usage: 0.01% Time elapsed after the last switchover: 0 days, 0 hours, 1 minutes Current state of virtual routers configured as active: GigabitEthernet1/0/2 vrid 2 : active GigabitEthernet1/0/1 vrid 1 : active

Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000
Precautions for active/standby upgrade in hot standby deployment on the USG2000&5000 are as follows: As for software version upgrade in hot standby deployment, you shall comply with a primary principle. That is, you shall upgrade the active and standby devices individually and upgrade the standby device first and then the active device. In addition, you must disable the HRP function during the upgrade. Note: For software version upgrade in hot standby deployment, the target software versions of the active and standby devices must be the same. Otherwise, the HRP function may fail to be enabled simultaneously. Hardware restrictions Currently, hot standby can be implemented only between two devices. The active and standby devices must have the same product model and version. The active and standby devices must have the same number and types of boards installed in the same arrangement. Otherwise, the information synchronized from the active device does not match the physical configuration of the standby device. As a result, faults occur after an active/standby switchover. If you want to use a Layer-2 interface as a heartbeat interface, add the Layer-2 interface to a VLAN. Then create a VLANIF interface and configure an IP address for it. Use the VLANIF interface as a heartbeat interface and specify remote to specify the IP address of the heartbeat interface on the remote device. Software restrictions The active and standby devices must use the same software version. Otherwise, configuration commands or session list structures of the different software versions may be different. In this case, errors may occur on the active and standby devices when you back up configuration commands and status. The BootROM versions on the active and standby devices must be the same. The operating mode of the active and standby devices must be the same, that is, both the active and standby devices must be in firewall mode or UTM mode. You are advised to use the initial configuration file on both devices. Otherwise, faults may occur after the active/standby switchover because of configuration conflicts. The names, quantities, and configuration sequence of virtual firewalls on the active and standby devices must be the same. The interfaces on the same slot of the active and standby devices must be added to the same security zone. For example, if the GigabitEthernet0/0/1 interface on the active device is added to the Trust zone, the GigabitEthernet0/0/1 interface on the standby device must also be added to the Trust zone. Configurations of heartbeat interfaces (HRP heartbeat link) on the active and standby devices must be consistent. Note: The USG2110-X/2100 and USG2100 BSR/HSR do not support the function of specifying the heartbeat interface IP address of the peer device. Therefore, you cannot use the VLANIF interface as the heartbeat interface. The service interfaces of the active and standby devices use fixed IP addresses. Therefore, you cannot use the dual-system hot backup function together with functions for obtaining IP address automatically, such as PPPoE dial-up, DHCP client, 3G, and XDSL.

Why is no information about members of an IGMP multicast group displayed in the display igmp group command output on a CE series switch

If the display igmp group command output does not display any information, the specified multicast group has no members.

In normal cases, after users join a multicast group dynamically by sending IGMP Report messages, the IGMP multicast group information is displayed in the display igmp group command output. The following is an example:
<HUAWEI> display igmp group
Interface group report information of VPN instance: public net
 Vlanif100(10.1.6.2):
  Total 1 IGMP Group reported
   Group Address   Last Reporter   Uptime      Expires
   225.1.1.2       10.1.6.10       00:02:04    00:01:17
In the command output, Group Address indicates the IP address of the multicast group that users have joined, and Last Reporter indicates the last host that has sent an IGMP Report message.


HRP information that can be synchronized in hot standby deployment on the USG6000
1. HRP configurations that can be backed up on the USG6000 include: a. Policies: security policy, NAT policy, bandwidth management, authentication policy, attack defense, blacklist, and ASPF. b. Objects: address, area, service, application, user, authentication server, time range, URL category, keyword group, mail address group, signature, security profile (for antivirus, intrusion prevention, URL filtering, file blocking, data filtering, application behavior control, and mail filtering). c. Network: new logical interface, security zone, DNS, IPSec, SSL VPN, TSM interworking, and static route (supported in V100R001C30SPC100 and later versions only). d. System: administrator and log configuration. Note: In most cases, display, reset, and debugging commands cannot be backed up. Based on the preceding descriptions, we can see that basic network configurations of the firewall, such as interface addresses and routes, cannot be backed up. All these configurations need to be configured before the hot standby status is successfully established. As for the preceding configurations that can be backed up, configure them only on the active device after the hot standby status is successfully established. 2. USG status information that can be backed up is as follows: a. Session table b. Server map table c. IP monitoring table d. Fragment cache table e. GTP table f. Blacklist g. PAT-based port mapping table h. NO-PAT-based address mapping table

Whether the standby device in hot standby deployment can be configured
By default, configurations that can be backed up can be configured only on the active device and automatically synchronized to the standby device. You cannot configure them on the standby device. After you run the hrp slave config enable command on the active device, the standby device obtains the permission for configuring these commands when this command is backed up to the standby device. The configurations on the standby device are also synchronized to the active device. Configurations that cannot be backed up, such as interface IP addresses, can be configured on the standby device.

If you have more questions, you can seek help from following ways:
To iKnow To Live Chat
Scroll to top