冗余组典型配置举例

1、组网需求

工作在三层，上下行分别连接两台路由器，两台路由器接口不在同一网段

• 如图所示，Device A和Device B组成IRF，Router 1和IRF相连的接口与Router 2和IRF相连的接口不在同一网段，Router 3和IRF相连的接口与Router 4和IRF相连的接口不在同一网段。
• 正常情况下，流量走Router 1——Device A——Router 3；当这条通道上的任一链路或者设备故障时，流量切换到Router 2——Device B——Router 4。正常通道故障恢复时，流量再切回。

2、组网图

3、配置步骤

(1) 配置IRF

• 配置Device A

# 配置IRF端口1，并将它与物理端口Ten-GigabitEthernet1/5/0/1绑定。

<DeviceA> system-view
[DeviceA] irf member 1
 Info: Member ID change will take effect after the member reboots and operates in IRF mode.
[DeviceA] irf-port 2
[DeviceA-irf-port2] port group interface ten-gigabitethernet 1/5/0/1
[DeviceA-irf-port2] quit

# 为确保Device A与Device B在主设备选举过程中，Device A为主，修改Device A成员优先级为2（成员优先级大的优先，缺省情况下，设备的成员优先级均为1）。

[DeviceA] irf priority 2

# 将当前配置保存到下次启动配置文件。

[DeviceA] quit
<DeviceA> save

# 将设备的运行模式切换到IRF模式。

<DeviceA> system-view
[DeviceA] chassis convert mode irf
The device will switch to IRF mode and reboot. You are recommended to save the current running configuration and specify the configuration file for the next startup. Continue? [Y/N]:y
 Do you want to convert the content of the next startup configuration file flash:/startup.cfg to make it available in IRF mode? [Y/N]:y
 Please wait...
 Saving the converted configuration file to the main board succeeded.
Slot 1:
 Saving the converted configuration file succeeded.
 Now rebooting, please wait...

设备重启后Device A组成了只有一台成员设备的IRF。

• 配置Device B

# 配置Device B的成员编号为2，创建IRF端口1，并将它与物理端口Ten-GigabitEthernet1/5/0/1绑定。

<DeviceB> system-view
[DeviceB] irf member 2
 Info: Member ID change will take effect after the member reboots and operates in IRF mode.
[DeviceB] irf-port 1
[DeviceB-irf-port1] port group interface ten-gigabitethernet 1/5/0/1
[DeviceB-irf-port1] quit

# 将当前配置保存到下次启动配置文件。

[DeviceB] quit
<DeviceB> save

# 参照图2-6进行物理连线。

# 将设备的运行模式切换到IRF模式。

<DeviceB> system-view
[DeviceB] chassis convert mode irf
The device will switch to IRF mode and reboot. You are recommended to save the current running configuration and specify the configuration file for the next startup. Continue? [Y/N]:y
 Do you want to convert the content of the next startup configuration file flash:/startup.cfg to make it available in IRF mode? [Y/N]:y
 Please wait...
 Saving the converted configuration file to the main board succeeded.
Slot 1:
 Saving the converted configuration file succeeded.
 Now rebooting, please wait...

设备B重启后与设备A形成IRF。

(2) 配置Track，监测上、下行接口的状态以及安全引擎上Blade接口的物理状态。

<DeviceA> system-view
[DeviceA] track 1 interface ten-gigabitethernet 1/5/0/2 physical
[DeviceA-track-1] quit
[DeviceA] track 2 interface ten-gigabitethernet 1/5/0/3 physical
[DeviceA-track-2] quit
[DeviceA] track 3 interface ten-gigabitethernet 2/5/0/2 physical
[DeviceA-track-3] quit
[DeviceA] track 4 interface ten-gigabitethernet 2/5/0/3 physical
[DeviceA-track-4] quit
[DeviceA] track 5 interface blade 1/4/0/1 physical
[DeviceA-track-5] quit
[DeviceA] track 6 interface blade 2/4/0/1 physical
[DeviceA-track-6] quit

(3) 配置备份组，并指定Device A上的安全引擎为主，Device B上的安全引擎为备。

[DeviceA] failover group group1
[DeviceA-failover-group-group1] bind chassis 1 slot 4 cpu 1 primary
[DeviceA-failover-group-group1] bind chassis 2 slot 4 cpu 1 secondary
[DeviceA-failover-group-group1] quit

(4) 配置冗余组。

# 创建Node 1，Node 1和Device A绑定，为主节点，成员接口为Ten-GigabitEthernet1/5/0/2和Ten-GigabitEthernet1/5/0/3。关联的Track项为1、2和5。

[DeviceA] redundancy group aaa
[DeviceA-redundancy-group-aaa] node 1
[DeviceA-redundancy-group-aaa-node1] bind chassis 1
[DeviceA-redundancy-group-aaa-node1] priority 100
[DeviceA-redundancy-group-aaa-node1] node-member interface ten-gigabitethernet 1/5/0/2
[DeviceA-redundancy-group-aaa-node1] node-member interface ten-gigabitethernet 1/5/0/3
[DeviceA-redundancy-group-aaa-node1] track 1 interface ten-gigabitethernet 1/5/0/2
[DeviceA-redundancy-group-aaa-node1] track 2 interface ten-gigabitethernet 1/5/0/3
[DeviceA-redundancy-group-aaa-node1] track 5 interface blade 1/4/0/1
[DeviceA-redundancy-group-aaa-node1] quit

# 创建Node 2，Node 2和Device B绑定，为备节点，成员接口为Ten-GigabitEthernet2/5/0/2和Ten-GigabitEthernet2/5/0/3。关联的Track项为3、4和6。

[DeviceA-redundancy-group-aaa] node 2
[DeviceA-redundancy-group-aaa-node2] bind chassis 2
[DeviceA-redundancy-group-aaa-node2] priority 50
[DeviceA-redundancy-group-aaa-node2] node-member interface ten-gigabitethernet 2/5/0/2
[DeviceA-redundancy-group-aaa-node2] node-member interface ten-gigabitethernet 2/5/0/3
[DeviceA-redundancy-group-aaa-node2] track 3 interface ten-gigabitethernet 2/5/0/2
[DeviceA-redundancy-group-aaa-node2] track 4 interface ten-gigabitethernet 2/5/0/3
[DeviceA-redundancy-group-aaa-node2] track 6 interface blade 2/4/0/1
[DeviceA-redundancy-group-aaa-node2] quit

# 将备份组1添加到冗余组中。

[DeviceA-redundancy-group-aaa] member failover group group1
[DeviceA-redundancy-group-aaa] quit

(5) 配置接口IP地址

# 根据组网图中规划的信息，配置各接口的IP地址，具体配置步骤如下。

[DeviceA] interface ten-gigabitethernet 1/5/0/2
[DeviceA-Ten-GigabitEthernet1/5/0/2] ip address 1.1.1.2 255.255.255.0
[DeviceA-Ten-GigabitEthernet1/5/0/2] quit

请参考以上步骤配置其他接口的IP地址，具体配置步骤略。

(6) 配置静态路由

本举例仅以静态路由方式配置路由信息。实际组网中，请根据具体情况选择相应的路由配置方式。

# 请根据组网图中规划的信息，配置静态路由。本举例假设LAN网段为5.5.5.0/24，实际使用中请以具体组网情况为准，具体配置步骤如下。

[DeviceA] ip route-static 0.0.0.0 0 1.1.1.1
[DeviceA] ip route-static 0.0.0.0 0 2.2.2.1 preference 80
[DeviceA] ip route-static 5.5.5.0 24 3.3.3.3
[DeviceA] ip route-static 5.5.5.0 24 4.4.4.3 preference 80

(7) 配置接口加入安全域

# 请根据组网图中规划的信息，将接口加入对应的安全域，具体配置步骤如下。

[DeviceA] security-zone name untrust
[DeviceA-security-zone-Untrust] import interface ten-gigabitethernet 1/5/0/2
[DeviceA-security-zone-Untrust] import interface ten-gigabitethernet 2/5/0/2
[DeviceA-security-zone-Untrust] quit
[DeviceA] security-zone name trust
[DeviceA-security-zone-Trust] import interface ten-gigabitethernet 1/5/0/3
[DeviceA-security-zone-Trust] import interface ten-gigabitethernet 2/5/0/3
[DeviceA-security-zone-Trust] quit

(8) 配置安全策略

# 配置名称为trust-untrust的安全策略规则，使LAN 1和LAN 2中的主机可以访问外网，具体配置步骤如下。

[DeviceA] security-policy ip
[DeviceA-security-policy-ip] rule 1 name trust-untrust
[DeviceA-security-policy-ip-1-trust-untrust] source-zone trust
[DeviceA-security-policy-ip-1-trust-untrust] destination-zone untrust
[DeviceA-security-policy-ip-1-trust-untrust] source-ip-subnet 5.5.5.0 24
[DeviceA-security-policy-ip-1-trust-untrust] action pass
[DeviceA-security-policy-ip-1-trust-untrust] quit
[DeviceA-security-policy-ip]quit

4、验证配置

(1) 缺省情况下的显示信息

# 显示冗余组信息。可以看到优先级高的Node 1为主节点，Node 1和Node 2下面的成员接口都处于UP状态。

[DeviceA] display redundancy group aaa
Redundancy group aaa (ID 1):
  Node ID      Chassis       Priority   Status        Track weight
  1            Chassis1      100        Primary       255
  2            Chassis4      50         Secondary     255
Preempt delay time remained     : 0    min
Preempt delay timer setting     : 1    min
Remaining hold-down time        : 0    sec
Hold-down timer setting         : 1    sec
Manual switchover request       : No

Member interfaces:
Member failover groups:
    group1
Node 1:
  Node member     Physical status
      XGE1/5/0/2   UP
      XGE1/5/0/3   UP
  Track info:
    Track    Status       Reduced weight     Interface
    1        Positive     255                XGE1/5/0/2
    2        Positive     255                XGE1/5/0/3
    5        Positive     255                Blade1/4/0/1
Node 2:
  Node member     Physical status
      XGE2/5/0/2   UP
      XGE2/5/0/3   UP
  Track info:
    Track    Status       Reduced weight     Interface
    3        Positive       255              XGE2/5/0/2
    4        Positive       255              XGE2/5/0/3
    6        Positive       255              Blade2/4/0/1

# 显示备份组信息。可以看到备份组中配置为Primary的安全引擎处理业务。

[DeviceA] display failover group group1
Stateful failover group information:

ID   Name                      Primary         Secondary       Active Status
255  group1 

               1/4.1           2/4.1           Primary

(2) 冗余组内主备倒换后的显示信息

# 手工关闭接口Ten-GigabitEthernet1/5/0/3，显示冗余组信息。可以看到优先级低的Node 2为主节点，Node 1的成员接口Ten-GigabitEthernet1/5/0/3故障（DOWN），Ten-GigabitEthernet1/5/0/2被协议关闭（DOWN(redundancy down)），Node 2的成员接口转发报文。

[DeviceA] interface ten-gigabitethernet 1/5/0/3
[DeviceA-Ten-GigabitEthernet1/5/0/3] shutdown
[DeviceA-Ten-GigabitEthernet1/5/0/3] quit
[DeviceA] display redundancy group aaa
Redundancy group aaa (ID 1):
  Node ID      Chassis       Priority   Status        Track weight
  1            Chassis1      100        Secondary     -255
  2            Chassis4      50         Primary       255

Preempt delay time remained     : 0    min
Preempt delay timer setting     : 1    min
Remaining hold-down time        : 0    sec
Hold-down timer setting         : 1    sec
Manual switchover request       : No

Member interfaces:
Member failover groups:
    group1

Node 1:
  Node member     Physical status
      XGE1/5/0/2       DOWN(redundancy down)
      XGE1/5/0/3       DOWN
  Track info:
    Track    Status       Reduced weight     Interface
    1         Negative     255                XGE1/5/0/2
    2         Negative     255                XGE1/5/0/3 (Fault)
    5         Positive     255                Blade1/4/0/1
Node 2:
  Node member     Physical status
      XGE2/5/0/2   UP
      XGE2/5/0/3   UP
  Track info:
    Track    Status       Reduced weight     Interface
    3         Positive       255              XGE2/5/0/2
    4         Positive       255              XGE2/5/0/3
    6         Positive       255              Blade2/4/0/1

# 显示备份组信息。可以看到备份组中配置为Secondary的安全引擎处理业务。

[DeviceA] display failover group group1
Stateful failover group information:
ID   Name                      Primary         Secondary       Active Status
255  group1                    1/4.1           2/4.1           Secondary