Method used to configure the interworking between hot standby devices and IP-Link on USG firewalls


When a USG firewall works in hot standby mode, IP-Link automatically detects a link failure that affects services of the active and standby firewalls. If the VGMP management group is configured to monitor IP-Link, the USG firewall can adjust the priority of the VGMP management group to trigger the active/standby USG firewall switchover, thereby ensuring service continuity.
After the VGMP management group is configured to monitor IP-Link, IP-Link can detect the status of an interface or link that is not directly connected to the USG firewall.
Key configurations for the interworking between the hot standby devices and IP-Link on the USG firewall are as follows:

# Add interfaces GigabitEthernet 0/0/2 and GigabitEthernet 0/0/1 to the same Link-group management group.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] link-group 1
[USG_A-GigabitEthernet0/0/2] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] link-group 1
[USG_A-GigabitEthernet0/0/1] quit

If the USG firewalls work in hot standby mode on the OSPF network, run the following command:
[USG] hrp ospf-cost adjust-enable

# In the interface view, configure the Master and Slave management groups to monitor the status of the interfaces.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] hrp track master
[USG_A-GigabitEthernet0/0/2] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] hrp track master
[USG_A-GigabitEthernet0/0/1] quit
# Configure IP-Link to monitor the outbound interface.
[USG_A] ip-link check enable
[USG_A] ip-link 1 destination 200.1.1.1 interface GigabitEthernet 0/0/1
# Configure the interworking between the hot standby firewalls and IP-Link, and set the VGMP management group to monitor IP-Link. When the outbound interface is faulty, IP-Link state is changed to Down, and the priority of the VGMP management group is degraded to 2.
[USG_A] hrp track ip-link 1 master
# Configure the HRP backup channel.
[USG_A] hrp interface GigabitEthernet 0/0/3
# Configure the fast session backup.
[USG_A] hrp mirror session enable
# Enable the HRP.
[USG_A] hrp enable

Note: The hot standby mode involves two devices. The key configuration describes IP-Link configuration only on the master device. For details about the configurations on the slave device and USG6000, click the following link to view the specific configurations.

For specific configurations, click Configuring the Interworking Between Hot Standby Devices and IP-Link on USG Firewalls.
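
The key configuration above can be checked for internal consistency before a failover is relied on. The following is an added example, not Huawei tooling or code from the original page: a small Python audit over a constructed copy of the master-side commands, assuming they are available in an indented saved-configuration layout; the function name `audit` and the finding texts are hypothetical.

```python
import re

# Constructed sample: this page's master-side key configuration, written in an
# indented saved-configuration layout (the layout is an assumption).
SAMPLE = """\
interface GigabitEthernet 0/0/2
 link-group 1
 hrp track master
interface GigabitEthernet 0/0/1
 link-group 1
 hrp track master
ip-link check enable
ip-link 1 destination 200.1.1.1 interface GigabitEthernet 0/0/1
hrp track ip-link 1 master
hrp interface GigabitEthernet 0/0/3
hrp mirror session enable
hrp enable
"""

def audit(config):
    """Return a list of findings; an empty list means the checks passed."""
    ifaces, glob, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if raw.startswith("interface "):
            cur = line.split(None, 1)[1]
            ifaces[cur] = []
        elif raw[0].isspace() and cur:
            ifaces[cur].append(line)      # command inside the interface view
        else:
            cur = None
            glob.append(line)             # system-view command
    out = []
    defined = {m.group(1) for l in glob if (m := re.match(r"ip-link (\d+) destination ", l))}
    tracked = {m.group(1) for l in glob if (m := re.match(r"hrp track ip-link (\d+) ", l))}
    out += [f"hrp tracks undefined ip-link {i}" for i in sorted(tracked - defined)]
    if tracked and "ip-link check enable" not in glob:
        out.append("ip-link is tracked but 'ip-link check enable' is missing")
    # Interfaces monitored by the VGMP group should share one link-group.
    groups = {next((l for l in cmds if l.startswith("link-group ")), None)
              for cmds in ifaces.values() if any(l.startswith("hrp track ") for l in cmds)}
    if len(groups) > 1 or None in groups:
        out.append("HRP-tracked interfaces are not in one common link-group")
    for needed in ("hrp interface ", "hrp enable"):
        if not any(l.startswith(needed) for l in glob):
            out.append(f"missing '{needed.strip()}'")
    return out
```
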

Other related questions:
Configuring link groups on the firewall
Mechanism of the HA link group on the firewall
1. In a hot standby environment, add the upstream and downstream service interfaces to the same link group. When an interface is faulty and goes down, it causes the status of all interfaces in the group to change to down. This guarantees fast route convergence on the upstream and downstream routers.
2. The link-group function binds the status of several interfaces to form a logical group. If any of the interfaces in the link-group fails, the system changes the status of all other interfaces to Down. After all interfaces in the group recover, the system changes the interfaces to Up. The link-group function guarantees that the upstream and downstream interfaces are in the same status. This prevents inconsistent upstream and downstream link paths after active/standby switchover. You are advised not to add interfaces on interface cards 18FE+2SFP, 16GE+4SFP, 5FSW, and 8FE+2GE to the link-group. Using them first is recommended.
3. Configure or delete the link group primary interface or interfaces on other interface cards through the web UI.
a. Choose System > High Availability > Link Group.
b. In Link Group, select the link group to be configured and modify it.
c. Perform as follows to add the interface to or remove it from the link group.
Add the interface to the link group. In the Available group box, select one or multiple interfaces or double-click an interface. To add all interfaces to the link group, click All. After the configuration succeeds, added interfaces are displayed in the Selected group box.
Remove the interface from the link group. In the Selected group box, select one or multiple interfaces or double-click an interface. To remove all interfaces from the link group, click Clear. After the configuration succeeds, removed interfaces are displayed in the Available group box.
d. Click Apply.
4. CLI configuration method:
Run the system-view command to access the system view.
Run the interface interface-type interface-number command to enter the interface view.
Run the link-group link-group-id command to add the interface to the link group.
Run the undo link-group command to remove the interface from the link group.

Method used to configure interworking between BFD Sessions and the two-node cluster hot backup on the USG firewall
The VGMP management group is the core of the two-node cluster hot backup. It determines the active/standby state of a device. By means of interworking between BFD sessions and the two-node cluster hot backup, the VGMP management group monitors static BFD sessions, and the priority of the VGMP management group varies depending on the BFD session state. In this way, the active/standby switchover between devices is triggered. This case describes key configuration for the interworking between BFD sessions and the two-node cluster hot backup using active/standby two-node cluster hot backup as an example.

1. Establish the two-node cluster hot backup on two devices.

2. On USG_A and Router_A, create BFD sessions.
# On USG_A, configure BFD session 1, and set the peer IP address to 1.1.1.2, local identifier to 10, and remote identifier to 20.
HRP_A[USG_A] bfd
HRP_A[USG_A-bfd] quit
HRP_A[USG_A] bfd 1 bind peer-ip 1.1.1.2
HRP_A[USG_A-bfd-session-1] discriminator local 10
HRP_A[USG_A-bfd-session-1] discriminator remote 20
HRP_A[USG_A-bfd-session-1] commit
HRP_A[USG_A-bfd-session-1] quit
# On Router_A, configure BFD session 1, and set the peer IP address to 10.100.30.2, local identifier to 20, and remote identifier to 10.

3. On USG_A, configure the interworking between BFD sessions and the two-node cluster hot backup.
HRP_A[USG_A] hrp track bfd-session 10 master

4. On USG_B and Router_B, create BFD sessions.
# On USG_B, configure BFD session 1, and set the peer IP address to 2.2.2.2, local identifier to 10, and remote identifier to 20.
HRP_S[USG_B] bfd
HRP_S[USG_B-bfd] quit
HRP_S[USG_B] bfd 1 bind peer-ip 2.2.2.2
HRP_S[USG_B-bfd-session-1] discriminator local 10
HRP_S[USG_B-bfd-session-1] discriminator remote 20
HRP_S[USG_B-bfd-session-1] commit
HRP_S[USG_B-bfd-session-1] quit
# On Router_B, configure BFD session 1, and set the peer IP address to 10.100.40.2, local identifier to 20, and remote identifier to 10.

5. On USG_A, configure the interworking between BFD sessions and the two-node cluster hot backup.
HRP_S[USG_B] hrp track bfd-session 10 slave

Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.

For specific configurations, click Method used to configure interworking between BFD sessions and the two-node cluster hot backup client on the USG firewall.

Method used to configure interworking between BFD sessions and the DHCP client on the USG firewall
When serving as a DHCP client, an egress gateway cannot sense the accessibility of the link where it resides. If the link is faulty, service traffic cannot be rapidly switched over to a standby link, resulting in service interruption. The interworking between the DHCP client and BFD sessions can address this issue. With this function, the DHCP client is associated with BFD sessions, so that the firewall can dynamically determine the DHCP link accessibility based on the BFD session state.
Key configurations for the interworking between BFD sessions and the DHCP client on the USG firewall are as follows:

# Configure BFD session 1, and set the peer IP address to 8.8.8.1, local identifier to 10, and remote identifier to 20.
[USG_A] bfd
[USG_A-bfd] quit
[USG_A] bfd 1 bind peer-ip 8.8.8.1 interface GigabitEthernet 0/0/1 nexthop dhcp
[USG_A-bfd-session-1] discriminator local 10
[USG_A-bfd-session-1] discriminator remote 20
[USG_A-bfd-session-1] commit
[USG_A-bfd-session-1] quit

Configure the interworking between the DHCP client and the BFD session.
# Associate the DHCP client with BFD sessions.
[USG_A] dhcp enable
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] dhcp client enable track bfd-session 10
[USG_A-GigabitEthernet0/0/1] quit

Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.

For specific configurations, click Method used to configure interworking between BFD sessions and the DHCP client on the USG firewall.

Method used to configure interworking between BFD sessions and static routes on the USG firewall
The static route is a special route manually configured by the network administrator for a specified path. Different from a dynamic route, the static route does not have any detection mechanism. When a fault occurs on the network, the network administrator needs to detect and locate the fault. By means of interworking between BFD sessions and the static route, the static route is bound with static BFD sessions, so that the static route state is updated in pace with the BFD session state. BFD sessions can be established between devices to improve the network reliability and accelerate route convergence upon network failures. The status of links between devices can be monitored using BFD sessions.
Key configurations for the interworking between BFD sessions and the static route on the USG firewall are as follows:

1. # Configure BFD sessions for USG_B.
[USG_A] bfd
[USG_A-bfd] quit
[USG_A] bfd ab bind peer-ip 10.1.1.2
[USG_A-bfd-session-ab] discriminator local 10
[USG_A-bfd-session-ab] discriminator remote 20
[USG_A-bfd-session-ab] commit
[USG_A-bfd-session-ab] quit

2. # Configure the interworking between the static route and BFD sessions.
[USG_A] ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab

Note: The USG6000 configuration must be consistent with the key configuration of the USG2000&5000. This case takes the USG2000&5000 as an example to describe the configuration. You can learn the USG6000 configuration in other configurations.

For specific configurations, click Method used to configure interworking between BFD sessions and the static route on the USG firewall.
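
In all three BFD cases above, the feature only reacts to a failure if its `track bfd-session` reference points at a session that is fully configured and committed. The following is an added example, not Huawei tooling or code from the original page: a Python check over a constructed configuration, where the function name `audit_bfd` is hypothetical and the rule that a tracker may name a session by its name or by its local discriminator is an assumption taken from the commands shown on this page.

```python
import re

# Constructed sample assembled from the BFD commands on this page, with the
# prompts removed; session "ab" uses other discriminators so both fit on one device.
SAMPLE = """\
bfd 1 bind peer-ip 1.1.1.2
 discriminator local 10
 discriminator remote 20
 commit
bfd ab bind peer-ip 10.1.1.2
 discriminator local 30
 discriminator remote 40
 commit
hrp track bfd-session 10 master
ip route-static 192.168.1.0 255.255.255.0 10.1.1.2 track bfd-session ab
"""

def audit_bfd(config):
    """Return findings about BFD sessions and the features that track them."""
    sessions, refs, cur = {}, [], None
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"bfd (\S+) bind peer-ip (\S+)", line):
            cur = sessions.setdefault(m.group(1), {"peer": m.group(2)})
        elif raw[:1].isspace() and cur is not None:
            key, _, val = line.partition(" ")
            if key == "discriminator":
                side, _, num = val.partition(" ")
                cur[side] = num
            elif key == "commit":
                cur["commit"] = True
        else:
            cur = None
            if m := re.search(r"track bfd-session (\S+)", line):
                refs.append((m.group(1), line))
    out = []
    for name, s in sessions.items():
        for field in ("local", "remote", "commit"):
            if field not in s:
                out.append(f"bfd {name}: missing {field}")
    locals_ = [s["local"] for s in sessions.values() if "local" in s]
    for d in sorted({d for d in locals_ if locals_.count(d) > 1}):
        out.append(f"local discriminator {d} is used by more than one session")
    # Assumption from the page's examples: a tracker names the session either by
    # its name ("ab") or by its local discriminator (10).
    known = set(sessions) | set(locals_)
    out += [f"'{line}' tracks unknown session {r}" for r, line in refs if r not in known]
    return out
```
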
