01-03 VRRP Configuration

S9300 and S9300E Series Switches
Configuration Guide - Reliability 3 VRRP Configuration
3 VRRP Configuration
About This Chapter
This chapter describes how to configure the Virtual Router Redundancy Protocol
(VRRP). VRRP switches services from the master to the backup when the gateway
becomes faulty, providing continuous and reliable communication services.
3.1 Introduction to VRRP

This section describes the definition and functions of the Virtual Router
Redundancy Protocol (VRRP).
3.2 Principles
This section describes the implementation of VRRP.
3.3 Applicable Scenarios
This section describes the applicable scenarios of VRRP.
3.4 Configuration Task Summary
3.5 Licensing Requirements and Limitations for VRRP
3.6 Default Configuration
3.7 Configuring VRRP
3.8 Maintaining VRRP
3.9 Configuration Examples
3.10 Common Configuration Errors
3.11 FAQ
3.1 Introduction to VRRP

This section describes the definition and functions of the Virtual Router
Redundancy Protocol (VRRP).
Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 77

Definition
VRRP groups multiple routing devices into a virtual router and uses the virtual
gateway device's IP address as the default gateway address. When the gateway
fails, VRRP selects a new gateway to transmit service traffic to ensure reliable
communication.
Purpose
As networks rapidly develop and applications become diversified, various value-
added services such as Internet Protocol television (IPTV) and video conferencing
services are widely deployed. Demands for network infrastructure reliability are
increasing, especially for nonstop service transmission.
Generally, all hosts on the same network segment are configured with the same
default route with the gateway address as the next hop address. The hosts use the
default route to send packets to the gateway and the gateway forwards the
packets to other network segments. When the gateway fails, hosts with the same
default route cannot communicate with external networks. A common method to
improve network reliability is to configure multiple egress gateways. However,
route selection between the gateways becomes an issue.
VRRP resolves this issue. VRRP virtualizes multiple routing devices into a virtual
router without changing the networking. The virtual router IP address is
configured as the default gateway address. When the gateway fails, VRRP selects
a new gateway to transmit service traffic to ensure reliable communication.
Benefits
On a multicast or broadcast LAN, such as Ethernet, VRRP provides a highly reliable
link when the gateway fails, without modifying host and gateway configurations.
VRRP prevents network interruptions when a single link fails.
3.2 Principles
This section describes the implementation of VRRP.
3.2.1 Basic Concepts of VRRP

As shown in Figure 3-1, HostA is dual-homed to SwitchA and SwitchB through the
switch. SwitchA and SwitchB constitute a VRRP group to implement link
redundancy.

Figure 3-1 VRRP group
Master
10.1.1.10/24
Switch
SwitchA
Internet
HostA SwitchB
Gateway:10.1.1.10/24
IP Address:10.1.1.3/24
Backup
10.1.1.1/24
Switch Virtual Router

Internet
HostA VRRP VRID 1

Gateway:10.1.1.10/24 Virtual IP Address:10.1.1.10/24
IP Address:10.1.1.3/24 Virtual MAC Address:0000-5e00-0101
As shown in Figure 3-1, VRRP involves the following entities:

● VRRP router: device running VRRP. It may join one or more virtual routers.
SwitchA and SwitchB are VRRP routers.
● Virtual router: VRRP group consisting of one master and multiple backups.
The VRRP group's virtual IP address is used as the default gateway address on
a LAN. SwitchA and SwitchB constitute a virtual router.
● Virtual router master: VRRP device that forwards packets. SwitchA is the
virtual router master.
● Virtual router backup: a group of VRRP devices that do not forward packets.
When the master is faulty, a backup with the highest priority becomes the
master. SwitchB is the virtual router backup.
● VRID: virtual router ID. The VRID of the virtual router composed of SwitchA
and SwitchB is 1.
● Virtual IP address: IP address of a virtual router. A virtual router can be
assigned one or more virtual IP addresses. Virtual IP addresses are
configurable. The virtual IP address of the virtual router composed of SwitchA
and SwitchB is 10.1.1.10/24.
● IP address owner: VRRP device that uses an IP address of a virtual router as
the actual interface address. If an IP address owner is available, it usually
functions as the virtual router master. The interface address of SwitchA and
the IP address of the virtual router are both 10.1.1.10/24, so SwitchA is the IP
address owner.

● Virtual MAC address: MAC address that is generated by the virtual router
based on the VRID. A virtual router has one virtual MAC address and is in the
format of 00-00-5E-00-01-{VRID} (VRRP for IPv4) or 00-00-5E-00-02-{VRID}
(VRRP for IPv6). The virtual router sends ARP Reply packets carrying the
virtual MAC address but not the interface MAC address. The VRID of the
virtual router composed of SwitchA and SwitchB is 1, so the MAC address of
the VRRP group is 00-00-5E-00-01-01.
3.2.2 VRRPv2 and VRRPv3 Advertisement Packets

The master sends VRRP Advertisement packets to notify all backups in the VRRP
group of the master's priority and status.
VRRP Advertisement packets are encapsulated into IP packets and sent to the
VRRP virtual IP address. In the IP packet header, the source address is the primary
IP address of the interface that sends the packets (not the virtual IP address), the
destination address is 224.0.0.18, the TTL is 255, and the protocol number is 112.
The primary IP address is selected from one of actual IP addresses of interfaces.
Usually, it is the first configured IP address.
VRRP has two versions: VRRPv2 and VRRPv3. VRRPv2 applies to only the IPv4
network, and VRRPv3 applies to IPv4 and IPv6 networks.
VRRP is classified into VRRP for IPv4 (VRRP) and VRRP for IPv6 (VRRP6) by
network type. VRRP supports VRRPv2 and VRRPv3, and VRRP6 supports only
VRRPv3.
VRRPv2 and VRRPv3 Advertisement Packet Formats

Figure 3-2 shows the VRRPv2 Advertisement packet format, and Figure 3-3 shows
the VRRPv3 Advertisement packet format.
Figure 3-2 Format of a VRRPv2 Advertisement packet

0 34 7 15 23 31
Version Type Virtual Rtr ID Priority Count IP Addrs
Auth Type Adver Int Checksum
IP Address (1)
......
IP Address (n)
Authentication Data (1)
Authentication Data (2)

Figure 3-3 Format of a VRRPv3 Advertisement packet

0 3 4 7 8 15 16 23 24 31
Version Type Virtual Rtr ID Priority Count IPvX Addr
(rsvd) Max Adver Int Checksum
IPvX Address(es)
Table 3-1 describes fields in a VRRP Advertisement packet.
Table 3-1 Description of fields in a VRRP Advertisement packet

Field Description
VRRPv2 VRRPv3
Version VRRP protocol version. The VRRP protocol version. The

value is 2. value is 3.
Type VRRP Advertisement packet VRRP Advertisement packet

type. The value 1 indicates an type. The value 1 indicates an
Advertisement packet. Advertisement packet.
Virtual Rtr Virtual router ID. The value Virtual router ID. The value
ID (VRID) ranges from 1 to 255. ranges from 1 to 255.
Priority Priority of the master in a VRRP Priority of the master in a VRRP

group. The value ranges from 0 group. The value ranges from 0
to 255. The value 0 indicates to 255. The value 0 indicates
that the device stops that the device stops
participating in the VRRP group participating in the VRRP group
so that the backup with the so that the backup with the
highest priority can become the highest priority can become the
master immediately. The value master immediately. The value
255 is reserved for the IP 255 is reserved for the IP
address owner. The default address owner. The default
value is 100. value is 100.
Count IP Number of virtual IPv4 Number of virtual IPv4 or IPv6

Addrs/ addresses in the VRRP group. addresses in the VRRP group.
Count IPvX
Addr

Field Description
VRRPv2 VRRPv3
Auth Type Authentication mode. There are -

three authentication modes:
● 0: Non Authentication
● 1: Simple Text Password
● 2: IP Authentication Header
(MD5 authentication)
Adver Interval at which VRRP Interval at which VRRP

Int/Max Advertisement packets are sent, Advertisement packets are sent,
Adver Int in seconds. The default value is in centiseconds. The default
1. value is 100 (1 second).
Checksum 16-bit checksum, which is used 16-bit checksum, which is used

to verify data integrity in VRRP to verify data integrity in VRRP
Advertisement packets. Advertisement packets.
IP Address/ Virtual IPv4 address in the VRRP Virtual IPv4 or IPv6 address in
IPvX group. The Count IP Addrs field the VRRP group. The Count IPvX
Address(es) determines the number of Addrs field determines the
virtual IPv4 addresses in the number of virtual IPv4 or IPv6
VRRP group. addresses in the VRRP group.
Authenticat Authentication key. This field is -

ion Data used only in simple
authentication and MD5
authentication modes. In other
authentication modes, this field
is filled with 0s.
rsvd - Reserved. This field has a fixed

value of 0.
VRRPv2 and VRRPv3 have the following differences:

● Apply to different networks. VRRPv3 applies to IPv4 and IPv6 networks,
whereas VRRPv2 applies to only IPv4 networks.
● Have different authentication functions. VRRPv3 does not support
authentication, whereas VRRPv2 supports authentication.
VRRPv2 reserves the authentication field in VRRP Advertisement packets to be

compatible with VRRP defined in earlier versions. VRRP authentication cannot improve
security.
● Use different time units to measure the interval at which VRRP Advertisement
packets are sent. VRRPv3 uses centiseconds, whereas VRRPv2 uses seconds.

VRRP Authentication
Different authentication modes and authentication keys can be set in VRRPv2
Advertisement packets:
● Non-authentication: The local device does not authenticate VRRP
Advertisement packets before sending them. The remote device does not
authenticate the received VRRP Advertisement packets and considers all the
received packets valid.
● Simple authentication: The local device encapsulates the authentication mode
and authentication key into an outgoing VRRP Advertisement packet. When
the remote device receives the VRRP Advertisement packet, it checks whether
the authentication mode and authentication key in the packet are the same
as those configured locally. If so, the device considers the received VRRP
Advertisement packet valid. If not, the device considers the received VRRP
Advertisement packet invalid and discards it.
● MD5 authentication: The local device uses the MD5 algorithm to encrypt the
authentication key and encapsulates the key in the Authentication Data field
of an outgoing VRRP Advertisement packet. When the remote device receives
the VRRP Advertisement packet, it decrypts the authentication key, and then
checks whether the authentication mode and authentication key are the same
as those configured locally. The remote device then accepts or discards the
packet depending on the authentication result.
3.2.3 VRRP Implementation

VRRP State Machine
VRRP defines three statuses: Initialize, Master, and Backup. Only the device in
Master state can forward packets destined for the virtual IP address.
Table 3-2 VRRP statuses

Status Description
Initialize VRRP is unavailable. The device in Initialize state cannot

process VRRP Advertisement packets.
When VRRP is configured on the device or the device detects a
fault, it enters the Initialize state.
After receiving an interface Up message, the VRRP-enabled
device with priority 255 becomes the master and the VRRP-
enabled device with the priority less than 255 switches to the
Backup state.

Status Description
Master The VRRP device in Master state performs the following

operations:
● Sends VRRP Advertisement packets at intervals.
● Uses the virtual MAC address to respond to ARP Request
packets destined for the virtual IP address.
● Forwards IP packets destined for the virtual MAC address.
● Processes the IP packets destined for the virtual IP address if
the device is the IP address owner, or discards the IP packets
destined for the virtual IP address if the device is not the IP
address owner.
● Becomes the backup if the device receives a VRRP
Advertisement packet with a higher priority than its VRRP
priority.
● Becomes the backup if the device receives a VRRP
Advertisement packet with the same priority as its VRRP
priority and the IP address of the local interface is smaller
than the IP address of the connected interface on the
remote device.
Backup The VRRP device in Backup state performs the following

operations:
● Receives VRRP Advertisement packets from the master and
determines whether the master is working properly.
● Does not respond to ARP Request packets destined for the
virtual IP address.
● Processes the IP packets destined for the virtual IP address
based on the Layer 2 forwarding process.
● When receiving a packet of lower priority, it immediately
switches to the Master state by default. If non-preemption is
configured, the device resets the timer. If a preemption
delay is configured, the device resets the timer and switches
to the Master state after the preemption delay expires.
When receiving a packet of higher priority, the device resets
the timer. When receiving a packet of equal priority, the
device resets the timer but does not compare IP addresses.
Master_Down_Interval timer: If the backup does not receive
Advertisement packets after the timer expires, the backup
becomes the master. The calculation formula is as follows:
– Master_Down_Interval = 3xAdvertisement_Interval +
Skew_time (offset time)
– Skew_Time = (256 - Priority)/256
● Sets the Skew_time (offset time) if the device receives a
VRRP Advertisement packet with lower priority than its
VRRP priority and the packet priority is 0, or discards the
packet with non-0 priority and becomes the master
immediately.

VRRP Working Process

The VRRP working process is as follows:
1. Devices in a VRRP group select the master based on their priorities. The
master sends gratuitous ARP packets to notify the connected network devices
or hosts of the virtual MAC address of the VRRP group.
2. The master periodically sends VRRP Advertisement packets to all backups in
the VRRP group to advertise its configuration (for example, priority) and
running status.
3. If the master fails, the backup with the highest priority becomes the new
master.
4. If the original master is replaced by another device in the group, the new
master sends gratuitous ARP packets carrying the virtual MAC address and
virtual IP address of the virtual router to update the MAC address entry on
the connected network devices or hosts. User traffic is then switched to the
new master. This process is transparent to users.
5. When the original master recovers and is the IP address owner (with priority
255), the original master switches to the Master state. If the priority of the
original master is smaller than 255, the device first switches to the Backup
state, and then its priority is restored to the original value before the failure.
6. If the backup has a higher priority than the master, the working mode of the
backup (preemption or non-preemption) determines whether the master is
re-selected.
– Preemption mode: If the priority of a virtual router backup is higher than
the priority of the current virtual router master, the virtual router backup
automatically becomes the virtual router master.
– Non-preemption mode: As long as the virtual router master is working
properly, the backup with a higher priority cannot become the virtual
router master.
To ensure that the master and backup work properly, VRRP must be able to select
the master and advertise the master status.
The detailed VRRP working process is as follows:
● Selecting the master
VRRP determines the device role in the virtual router based on device
priorities. The device with a higher priority is more likely to become the
master.
The VRRP-enabled device in a VRRP group initially works in Initialize state.
After receiving an interface Up message, the VRRP-enabled device with
priority 255 directly becomes the master or the VRRP-enabled device with the
priority less than 255 first switches to the Backup state and then switches
back to the Master state after the Master_Down_Interval timer expires. The
device that first switches to the Master state obtains the priorities of other
devices in the group by exchanging VRRP Advertisement packets. Then the
master is selected.
– If the master priority in VRRP Advertisement packets is higher than or
equal to the priority of the device, the backup remains in Backup state.

– If the master priority in VRRP Advertisement packets is lower than the

priority of the device, the backup switches to the Master state in
preemption mode or retains in Backup state in non-preemption mode.
– If multiple devices in the VRRP group switch to the master, the devices
with a lower priority switch to the Backup state and the device with the
highest priority becomes the master after these devices exchange VRRP
Advertisement packets. If multiple devices have the same priority, the
device where the interface with the largest IP address resides is the
master.
– If the device is the IP address owner, it switches to the Master state
immediately after receiving an interface Up message.
● Advertising the master status
The master periodically sends VRRP Advertisement packets to all backups in
the VRRP group to advertise its configuration (for example, priority) and
running status. The backup determines whether the master works properly
based on the received VRRP Advertisement packets.
– When the master does not remain in Master state, for example, the
master leaves the group, it sends a VRRP Advertisement packet with
priority 0. In this manner, a backup can switch to the master immediately
without waiting for the Master_Down_Interval timer to time out. The
switchover period is called the Skew time and is measured in seconds.
The value is calculated using the following formula:
Skew time = (256 - Backup priority)/256
– If the master cannot send VRRP Advertisement packets due to network
faults, the backups cannot learn the running status of the master
immediately. The backups consider the master faulty only after the
Master_Down_Interval timer expires. Then a backup switches to the
Master state.
Master_Down_Interval = 3 x Advertisement_Interval + Skew_time (in
seconds)
If congestion occurs on an unstable network, the backup may not receive VRRP
Advertisement packets from the master within the period of Master_Down_Interval. A
backup then switches to the Master state. If the VRRP Advertisement packet from the
original master reaches the backup (new master), the new master switches to the
Backup state. In this case, the VRRP group status changes frequently. To solve the
problem, the preemption delay is used. When the Master_Down_Interval timer expires,
the backup waits for the preemption delay. If the backup does not receive a VRRP
Advertisement packet within the preemption delay, it switches to the Master state.
3.2.4 Basic VRRP Functions

3.2.4.1 VRRP Active/Standby
Active/Standby is the basic VRRP working mode, as shown in Figure 3-4. In active/
standby mode, a virtual router consists of one master and multiple backups.
SwitchA is the master and forwards service packets. SwitchB and SwitchC are
backups and do not forward services. SwitchA periodically sends VRRP
Advertisement packets to SwitchB and SwitchC, notifying them that the master is
working properly. If SwitchA is faulty, a new master is selected from SwitchB and

SwitchC based on their priorities. The new master then takes over traffic
forwarding.
After SwitchA recovers, it becomes the master in preemption mode or remains in

Backup state in non-preemption mode.
Figure 3-4 VRRP active/standby

VRRP
SwitchA
Master
HostA
Switch
Internet
SwitchB
Backup Router
HostB
SwitchC
Backup
VRRP
SwitchA
Initialize
HostA
Switch
Internet
SwitchB
Backup Router
HostB
SwitchC Data flow1

Master Data flow2
On the network shown in Figure 3-4:
● SwitchA is the master, with the priority 120. It uses the delayed preemption
mode.
● SwitchB is the backup, with the priority 100. It uses the immediate
preemption mode.
● SwitchC is the backup, with the priority 110. It uses the immediate
preemption mode.
1. When SwitchA is running properly, traffic sent from users is transmitted along
the path Switch -> SwitchA -> Router. SwitchA periodically sends VRRP

Advertisement packets to SwitchB and SwitchC, notifying them that the

master is working properly.
2. When a fault occurs on SwitchA, VRRP does not function on SwitchA. Because
SwitchC has a higher priority than SwitchB, SwitchC becomes the master.
SwitchC starts to send VRRP Advertisement packets and gratuitous ARP
packets, whereas SwitchB remains in Backup state. User traffic is transmitted
along the path Switch -> SwitchC -> Router.
3. When SwitchA recovers, its priority is restored to 120 and it enters the Backup
state. SwitchC continues sending VRRP Advertisement packets. When SwitchA
receives a VRRP Advertisement packet, it compares the priority in the packet
with its own priority and detects that its priority is higher. After the
preemption delay, SwitchA becomes the master and starts to send VRRP
Advertisement packets and gratuitous ARP packets. User traffic is again
transmitted along the path Switch -> SwitchA -> Router.
3.2.4.2 VRRP Load Balancing

In load balancing mode, multiple devices transmit service traffic simultaneously.
Therefore, the load balancing mode requires two or more virtual routers. Each
virtual router contains one master and multiple backups, and the master in each
virtual router can be different.
VRRP active/standby and load balancing modes are similar in terms of
implementation and packet negotiation processes. The load balancing mode
differs from the active/standby mode in the following ways:
● Multiple VRRP groups need to be created, and the master in each VRRP group
can be different.
● A VRRP device can join multiple VRRP groups and has different priorities in
different VRRP groups.
For an implementation example, see 3.3.2 Using VRRP to Implement Load
Balancing.
3.2.4.3 VRRP Smooth Switching

When an active/standby switchover occurs on the master in a VRRP group, the
master cannot send VRRP Advertisement packets before the switchover is
complete. Because backup does not receive any VRRP Advertisement packet within
the Master_Down_Interval, the backup switches to the Master state when the
Master_Down_Interval timer expires. In this situation, two masters exist in the
VRRP group. After the original master completes the active/standby switchover, it
detects that it has a higher priority than the new master, and therefore remains in
Master state. The new master switches back to the Backup state. Two active/
standby switchovers occur in this process, services are switched twice, causing
unstable service transmission.
VRRP smooth switching can be enabled on the master to prevent service
disruption during an active/standby switchover. During VRRP smooth switching,
the master works with the backup to ensure smooth service transmission.
Before enabling VRRP smooth switching, you must configure the backup to learn the interval at
which VRRP Advertisement packets are sent.

1. The backup receives a VRRP Advertisement packet from the master and
checks the interval in the packet. If the interval in the packet is different from
the locally configured interval, the backup changes its own interval in
accordance with the interval in the received packet.
2. When the master starts an active/standby switchover, it will save the current
interval at which VRRP Advertisement packets are sent and set the VRRP
smooth switching time to a new interval. During smooth VRRP switching, the
master sends a VRRP Advertisement packet at the new interval.
3. When the backup receives the VRRP Advertisement packet, it l changes its
own interval in accord with the new interval in the packet.
4. After the switchover is complete, the master restores its original interval and
sends a VRRP Advertisement packet at the new interval. The backup learns
the interval after receiving the packet.
● During VRRP smooth switching, the learning function takes precedence over the
preemption function. When the interval carried in the received packet is different from
the current interval and the priority carried in the received packet is lower than the
configured priority, the learning function takes effect and the timer is reset.
● VRRP smooth switching also depends on the system. If the system is busy since the
switchover and cannot schedule tasks of the VRRP module, VRRP smooth switching
cannot take effect.
3.2.5 mVRRP
A switch is usually dual-homed to two devices to improve network reliability.
Multiple VRRP groups can be configured on the two devices to transmit various
types of services. Each VRRP group needs to maintain its own state machine;
therefore, a large number of VRRP Advertisement packets are transmitted
between devices.
As shown in Figure 3-5, to decrease bandwidth and CPU resources occupied by
protocol packets, configure a VRRP group as a management Virtual Router
Redundancy Protocol (mVRRP) group and bind other VRRP groups to the mVRRP
group. The mVRRP group sends VRRP Advertisement packets to determine the
master and backup status for its VRRP groups. The bound VRRP groups do not
send VRRP Advertisement packets and the VRRP status is the same as the mVRRP
group status.

Figure 3-5 mVRRP networking

SwitchA
HostA Master
Switch
2
Service mVRRP Internet
VRRP
1 mVRRP
HostB SwitchB
Backup
● mVRRP group
An mVRRP group has all functions of a common VRRP group, and determines
the statuses of its member VRRP groups by sending VRRP Advertisement
packets. An mVRRP group can be deployed on the same side as service VRRP
groups or on the interfaces that directly connect SwitchA and SwitchB:
– When an mVRRP group functions as the gateway (mVRRP1 in Figure
3-5), the mVRRP group determines the Master and Backup statuses and
forwards service traffic. You must first create a VRRP group and configure
a virtual IP address as the gateway address, and then configure this VRRP
group as an mVRRP group.
– When an mVRRP group does not function as the gateway (mVRRP2 in
Figure 3-5), the mVRRP group only determines the master and backup
statuses, and cannot forward service traffic. The mVRRP group does not
require a virtual IP address, and you can directly create an mVRRP group
on an interface. mVRRP simplifies maintenance.
● Service VRRP group
After common VRRP groups are bound to an mVRRP group, they become
service VRRP groups (member VRRP groups). Service VRRP groups do not
need to send VRRP Advertisement packets to determine their statuses. The
mVRRP group sends VRRP Advertisement packets to determine its status and
the statuses of all its bound service VRRP groups.
3.2.6 VRRP Association

3.2.6.1 VRRP Monitoring the Uplink Status
Additional technologies are required to enhance the VRRP active/standby function.
For example, when the link from the master to a network is disconnected, VRRP
cannot detect the fault or switch services, and hosts cannot remotely access the
network through the master. To solve this problem, configure VRRP to monitor the
specified interface or uplink status.
When the master detects that the interface or uplink fails, the master reduces its
priority to be lower than the priority of the backup and immediately sends VRRP
Advertisement packets. After the backup receives the VRRP Advertisement packets,

it detects that the priority in the VRRP Advertisement packets is lower than its
priority. The backup switches to the master. This ensures traffic forwarding.
VRRP Monitoring the Status of the Interface Connected to the Uplink

When the interface connected to the uplink becomes Down, the master reduces its
priority so that the backup switches to the master to forward traffic.
Figure 3-6 Association between a VRRP group and the interface status
Master Interface1
SwitchA SwitchC
HostA
Switch
Internet
HostB SwitchB SwitchD

Backup
VRRP
Backup Interface1
SwitchA SwitchC
HostA
Switch
Internet

Master
Service traffic
VRRP Normal interface
Faulty interface
As shown in Figure 3-6, a VRRP group is configured between SwitchA and

SwitchB. SwitchA is the master and SwitchB is the backup. SwitchA and SwitchB
work in preemption mode. Association between VRRP and uplink interface
Interface1 is configured on SwitchA. When Interface1 fails, the priority of SwitchA
decreases. Then SwitchB becomes the master through negotiation, ensuring that
user traffic is forwarded correctly.

Associating VRRP with BFD/NQA/Routing to Monitor the Remote Host or

Network Connected to the Uplink
BFD/NQA/Routing detects connectivity of the uplink on the master. When the
uplink of the master fails, BFD/NQA/routing rapidly detects the fault and instructs
the master to adjust its priority. This triggers an active/standby switchover and
ensures proper traffic forwarding.
Figure 3-7 Associating VRRP with BFD/NQA/routing to monitor the uplink status
Master
SwitchA SwitchC
HostA
Switch
Internet
SwitchE
Backup
VRRP
Backup
SwitchA SwitchC
HostA
Switch
Internet
SwitchE
Master
Service traffic
VRRP BFD/NQA/Routing

SwitchB. SwitchA is the master and SwitchB is the backup. SwitchA and SwitchB
work in preemption mode. BFD/NQA/Routing is configured to monitor the link
from SwitchA to SwitchE, and association between VRRP and BFD/NQA/routing is
configured on SwitchA. When BFD/NQA/routing detects the fault on the link from
SwitchA to SwitchE, BFD/NQA/routing rapidly instructs the master to adjust its
priority. Through VRRP Advertisement packet negotiation, SwitchB switches to the
master so that user traffic is forwarded correctly.
3.2.6.2 Association Between VRRP and BFD

A VRRP group sends and receives VRRP Advertisement packets to determine the
master and backup statuses, thereby implementing redundancy. If links connected

to a VRRP group fail, VRRP Advertisement packets cannot be sent for negotiation.
A backup will switch to the master after three times the duration of the interval
(about 3s) at which point VRRP Advertisement packets are sent. During the
switchover period, service traffic is still sent to the original master, causing user
traffic loss.
BFD can rapidly detect connectivity of links on the network. Association between
VRRP and BFD implements a fast switchover within 1 second. A BFD session is set
up between the master and backup and is bound to a VRRP group. BFD detects
faults of the VRRP group. When a fault occurs, BFD notifies the VRRP group of
performing an active/standby switchover, greatly reducing the service interruption
time.
A VRRP group can be associated with a static BFD session or a BFD session with
automatically negotiated parameters.
Figure 3-8 Association between VRRP and BFD

Master
SwitchA
HostA
Switch
Internet
HostB SwitchB
Backup
VRRP
Initialize
SwitchA
HostA
Switch
Internet
HostB SwitchB
Master
Service traffic
VRRP BFD packets

SwitchB. SwitchA is the master and SwitchB is the backup. User traffic is forwarded
through SwitchA. SwitchA and SwitchB work in preemption mode, and immediate
preemption is configured on SwitchB. BFD sessions are configured on SwitchA and
SwitchB and association between VRRP and BFD is configured on SwitchB.

When a fault occurs in the VRRP group, BFD rapidly detects the fault and instructs
SwitchB to increase the priority to a value higher than that of SwitchA. SwitchB
immediately switches to the master and forwards user-side traffic, implementing a
rapid active/standby switchover.
3.2.7 VRRP Heartbeat Line

As shown in Figure 3-9, a VRRP group is configured on SwitchA and SwitchB on
the VRRP + STP network. If the switch connected to users cannot forward VRRP
Advertisement packets (for example, the switch is configured to discard unknown
multicast packets) or when the unreachable or unstable link where VRRP
Advertisement packets pass through needs to be prevented, deploy a heartbeat
line between SwitchA and SwitchB to transmit VRRP Advertisement packets.
After the heartbeat line is configured, Interface1 and Interface2 need to be added
to the VLAN corresponding to the VRRP group. For example, when the VRRP group
is configured on VLANIF 100, Interface1 and Interface2 need to be added to VLAN
100. In this situation, a loop occurs between SwitchA, SwitchB, and Switch. A loop
prevention protocol such as STP needs to be used to eliminate loops.
Figure 3-9 VRRP heartbeat line
Network
Interface1 Interface2
SwitchA SwitchB
Master Backup
STP
VRRP
Switch
VRRP heartbeat line
3.3 Applicable Scenarios

This section describes the applicable scenarios of VRRP.

3.3.1 Using VRRP to Implement Next-Hop Gateway Backup

Users connect to the upper-layer network through the gateway. To ensure nonstop
service transmission, configure VRRP active/standby on the gateway to implement
next-hop gateway backup.
Figure 3-10 Using VRRP to implement next-hop gateway backup

VRRP
SwitchA
Master
HostA
Switch
Internet
SwitchB
Backup Router
HostB
SwitchC
Backup
VRRP
SwitchA
Initialize
HostA
Switch
Internet
SwitchB
Router
Backup
HostB
SwitchC Data flow1

Master Data flow2
As shown in Figure 3-10, SwitchA is the master and forwards service packets.
SwitchB and SwitchC are backups and do not forward services. If SwitchA is faulty,
a new master is selected from SwitchB and SwitchC based on their priorities. The
new master then takes over traffic.
You can configure VRRP to monitor the uplink status and association between
VRRP and BFD to enhance the VRRP active/standby function.
● To detect the faults on the uplink, configure VRRP to monitor the uplink
status. When the uplink interface or uplink fails, the priority of the master is

reduced. This triggers an active/standby switchover and ensures proper traffic

forwarding.
● To speed up the active/standby switchover in the VRRP group, configure a
BFD session between the master and backup and associate the BFD session
with the VRRP group. This is because BFD can fast detect faults. When the
link between the master and backup becomes Down, the backup immediately
switches to the master and takes over traffic.
3.3.2 Using VRRP to Implement Load Balancing

VRRP active/standby is configured on a gateway to implement gateway
redundancy. To reduce the burden of data traffic on the active device, VRRP load
balancing can be used to load balance uplink traffic.
Multi-Gateway Load Balancing

Multiple VRRP groups with virtual IP addresses are created, and different VRRP
groups are specified as gateways for different users, to implement load balancing.
Figure 3-11 Multi-gateway load balancing

VRRP VRID 1
Virtual IP Address:
10.1.1.111
SwitchA
HostA VRID1:Master
Default gateway: VRID2:Backup
10.1.1.111
SwitchC
Internet
HostB
Default gateway: SwitchB
10.1.1.112 VRID2:Master
VRID1:Backup
VRRP VRID 2
Virtual IP Address: Data flow 1
10.1.1.112 Data flow 2
As shown in Figure 3-11, two VRRP groups are configured:

● VRRP group 1: SwitchA functions as the master and SwitchB as the backup.
● VRRP group 2: SwitchB functions as the master and SwitchA as the backup.
VRRP groups 1 and 2 are gateways for different user hosts. The VRRP groups load
balance traffic and back up each other.

3.4 Configuration Task Summary

After basic VRRP functions are configured, VRRP can work properly. To deploy
special VRRP functions such as mVRRP and VRRP associations, perform the
following configurations.
Table 3-3 describes the VRRP configuration tasks.
Table 3-3 VRRP configuration task summary

Scenario Description Task
Configure basic You can configure a VRRP group 3.7.1 Configuring

functions of a VRRP to implement gateway backup Basic Functions of an
group and ensure stable and highly- IPv4 VRRP Group
efficient data forwarding. 3.7.4 Configuring
Basic Functions of an
IPv6 VRRP Group
Configure an An mVRRP group can be bound 3.7.2 Configuring an

mVRRP group to VRRP groups and determine mVRRP Group
the status of a VRRP group 3.7.5 Configuring an
based on the binding. mVRRP is mVRRP6 Group
used when multiple VRRP
groups coexist. mVRRP helps
decrease the number of VRRP
Advertisement packets to be
sent and minimize network
bandwidth and system resource
consumption.
Configure A VRRP group can be 3.7.3.1 Configuring

association between configured to monitor a BFD Association Between
VRRP and BFD to session. When the BFD session VRRP and BFD to
implement a rapid status changes, BFD notifies the Implement a Rapid
active/standby VRRP VRRP group of the change. Active/Standby
switchover After receiving the notification, Switchover
the VRRP group rapidly 3.7.6.1 Configuring
performs an active/standby Association Between
switchover. VRRP6 and BFD to
Implement a Rapid
Active/Standby
Switchover

Scenario Description Task
Configure When the uplink interface of 3.7.3.2 Configuring

association between the master becomes faulty, Association Between
VRRP and the VRRP cannot detect the status VRRP and the
interface status change of interfaces not in the Interface Status to
VRRP group. This may interrupt Implement an
services. You can associate a Active/Standby
VRRP group with the interface Switchover
status. When the monitored 3.7.6.2 Configuring
interface is faulty, the priority of Association Between
the master is adjusted. This VRRP6 and the
triggers an active/standby Interface Status to
switchover and reduces the Implement an
impact of services on the uplink Active/Standby
interface. Switchover
Configure Because VRRP cannot detect 3.7.3.3 Configuring

association between faults on the uplink of a VRRP Association Between
VRRP and group, services may be VRRP and BFD to
BFD/NQA/routing to interrupted. Association Monitor the Uplink
monitor the uplink between VRRP and BFD/NQA/ Status
status routing allows the device to 3.7.3.4 Configuring
detect faults on the uplink of Association Between
the master. When the uplink of VRRP and NQA to
the master fails, BFD/NQA/ Monitor the Uplink
routing rapidly detects the fault Status
and instructs the master to
adjust its priority. This triggers 3.7.3.5 Configuring
an active/standby switchover Association Between
and ensures proper traffic VRRP and Routing to
forwarding. Monitor the Uplink
Status
BFD implements millisecond-
level detection. Association
between VRRP and BFD
provides a rapid active/standby
switchover.
NQA technology collects
statistics on the delay, jitter, and
packet loss ratio. You can
configure the percentage of
failed NQA test instances and
NQA association to trigger an
active/standby switchover when
the uplink is unstable.
3.5 Licensing Requirements and Limitations for VRRP

Involved Network Elements

Other network elements are required to support VRRP functions.
Licensing Requirements
VRRP is a basic feature of a switch and is not under license control.
VRRP6 can be only used on the device enabled with IPv6. IPv6 requires a license.
By default, IPv6 of a newly purchased device is disabled. To use IPv6, apply for and
purchase the license from the equipment supplier.
Version Requirements
Table 3-4 Products and versions supporting VRRP

Prod Product Model Software Version
uct
S930 S9303, S9306, V100R002, V100R003, V100R006(C00&C01),

0 and S9312 V200R001C00, V200R002C00, V200R003C00,
V200R005C00SPC300, V200R006C00, V200R007C00,
V200R008(C00&C10), V200R009C00, V200R010C00,
V200R011C10
S930 S9303E, S9306E, V200R001C00, V200R002C00, V200R003C00,

0E and S9312E V200R005C00SPC300, V200R006C00, V200R007C00,
V200R008(C00&C10), V200R009C00, V200R010C00,
V200R011C10
To know details about software mappings, see Hardware Query Tool.
Feature Limitations
● In V200R003 and earlier versions, VRRP can be configured only on the VLANIF
interface.
In V200R005, VRRP can be configured on the VLANIF interface and Layer 3
Ethernet interface.
In V200R006 and later versions, VRRP can be configured on the VLANIF
interface, Layer 3 Ethernet interface, Dot1q termination sub-interface, and
QinQ termination sub-interface.
● In V200R010 and later versions, VRRP6 can be configured on Dot1q
termination sub-interfaces or QinQ termination sub-interfaces.
● Switches of a VRRP group must be configured with the same VRID.
● VRRP groups must use different virtual IP addresses. The virtual IP address of
a VRRP group must be on the same network segment as the IP address of the
interface where the VRRP group is configured.
● If each switch in the VRRP group uses a different VRRP version, VRRP packets
may fail to be transmitted. When a VRRPv3-enabled switch and a VRRPv2-

enabled switch belong to the same VRRP group, run the vrrp version-3 send-
packet-mode { v2-only | v2v3-both } command to configure the switch to
send VRRPv2 packets.
● If both VRRP and static ARP are configured on a VLANIF interface, a Dot1q
termination sub-interface, a QinQ termination sub-interface, or an Ethernet
interface on a device, an IP address mapped to a static ARP entry cannot be
used as a virtual IP address. If a VRRP virtual IP address is an IP address
mapped to a static ARP entry on the device, the device generates incorrect
host routes, affecting traffic forwarding.
● The virtual MAC address of a VRRP group cannot be configured as a static or
blackhole MAC address.
● In V200R003 and earlier versions, a maximum of 255 VRRP groups can be
configured on the switch by default. In V200R005 and later versions, a
maximum of 256 VRRP groups can be configured on the switch by default. In
V200R010C00 and later versions, the set vrrp max-group-number max-
group-number command can be used to set the maximum number of allowed
VRRP groups.
● When configuring VRRP on the subinterface view, pay attention to the
following points:
– In V200R009 and earlier versions, when VRRP is configured on a Dot1q
termination sub-interface, only one VLAN can be configured on the sub-
interface. When VRRP is configured on a QinQ termination sub-interface,
only one PE VLAN and one CE VLAN can be configured on the sub-
interface.
– When configuring the VRRP groups on a VLAN tag termination sub-
interface, run the arp broadcast enable command to enable ARP
broadcast on the VLAN tag termination sub-interface.
● The ARP aging probe packets sent by a VRRP device use an interface IP
address, instead of a virtual IP address, as the source IP address.
3.6 Default Configuration

Table 3-5 Default VRRP configuration
Parameter Default Setting
Priority of the device in a VRRP group 100
Preemption Immediate preemption
Interval at which VRRP Advertisement 1s

packets are sent
Interval at which gratuitous ARP 120s

packets are sent
3.7 Configuring VRRP

3.7.1 Configuring Basic Functions of an IPv4 VRRP Group
Pre-configuration Tasks
An IPv4 VRRP group implements gateway backup and ensures stable and highly-
efficient data forwarding.
Before configuring basic functions of an IPv4 VRRP group, configure network layer
attributes of interfaces to ensure network connectivity.
3.7.1.1 Creating a VRRP Group
Context
VRRP virtualizes multiple devices into one gateway without changing the
networking, and uses the virtual gateway's IP address as the default gateway
address to implement next-hop gateway backup. After a VRRP group is configured,
traffic is forwarded through the master. If the master fails, a new master is
selected from the backups to forward traffic. This implements gateway backup.
If load balancing is required in addition to gateway backup, configure two or more

VRRP groups on an interface in multi-gateway load balancing mode.
Procedure
● Create a VRRP group working in active/standby mode.
a. Run:
system-view
The system view is displayed.

b. Run:
interface interface-type interface-number
The interface view is displayed.
You are advised not to configure a VRRP group on the VLANIF interface
corresponding to a super-VLAN. If VRRP groups are configured on the VLANIF
interface corresponding to a super-VLAN, ensure that a maximum of 256 VLANs
including common VLANs, super-VLANs, and sub-VLANs are used. Otherwise,
device performance may be affected.
c. (Optional) On an Ethernet interface, run:
undo portswitch
The interface is switched to Layer 3 mode.

By default, an Ethernet interface works in Layer 2 mode.
d. Run:
vrrp vrid virtual-router-id virtual-ip virtual-address
A VRRP group is created, and a virtual IP address is assigned to the VRRP

group.
By default, no VRRP group is created.

● Do not configure more than 1000 virtual IP addresses. Otherwise, the VRRP
group may flap.
● If many VRRP groups are configured, you can configure an mVRRP group and
bind VRRP groups to the mVRRP group to prevent CPU resources consumed
by protocol packets.
● Create VRRP groups working in multi-gateway load balancing mode.
If VRRP groups need to work in multi-gateway load balancing mode, repeat
the steps to configure two or more VRRP groups on the interface and assign
different VRIDs to them.
3.7.1.2 Setting the Device Priority in a VRRP Group
Context
Devices with higher priorities in a VRRP group are more likely to become the
master. You can specify the master to forward traffic by setting device priorities.
Procedure
1. Run:
system-view

2. Run:

3. (Optional) On an Ethernet interface, run:
undo portswitch

4. Run:
vrrp vrid virtual-router-id priority priority-value
The device priority in a VRRP group is set.

By default, the device priority is 100. A larger value indicates a higher priority
of VRRP Advertisement packets.
– Priority 0 is reserved in the system. Priority 255 is reserved for the IP
address owner. The configurable priority ranges from 1 to 254.
– The priority of an IP address owner is fixed at 255 and cannot be
manually changed. You can run the vrrp vrid virtual-router-id priority
priority-value command to change the priority of an IP address owner,
but the configured priority does not take effect. If a VRRP device is no
longer an IP address owner, the configured priority is used.
– When devices in a VRRP group have the same priority and attempt to be
the master simultaneously, the device where the interface with the
largest IP address resides becomes the master. The device that first enters
the Master state becomes the master, and other backups remain
unchanged.

3.7.1.3 (Optional) Configuring the VRRP Version Number
Context
IPv4 VRRP supports VRRPv2 and VRRPv3. If devices in a VRRP group use different
VRRP versions, VRRP Advertisement packets may fail to be forwarded.
● A VRRPv2 group can send and receive only VRRPv2 Advertisement packets,
and discards received VRRPv3 Advertisement packets.
● A VRRPv3 group can send and receive both VRRPv2 and VRRPv3
Advertisement packets. You can configure the mode in which VRRPv3
Advertisement packets are sent as v2-only, v3-only, or v2v3-both.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vrrp version { v2 | v3 }
The VRRP version number is set.

By default, VRRPv2 is used.
If VRRPv3 is used, run the vrrp version-3 send-packet-mode { v2-only | v3-only |
v2v3-both } command to set the mode in which VRRPv3 Advertisement packets
are sent. The default mode is v3-only.
----End
3.7.1.4 (Optional) Configuring a VRRP Preemption Mode
Context
On an unstable network, if the BFD session status monitored by a VRRP group
flaps frequently or the backups cannot receive VRRP Advertisement packets within
a specified period, an active/standby switchover is performed, which causes
network flapping. The VRRP preemption mode and preemption delay can be
configured on the switch to enhance the stability of the master and backup.
It is recommended that immediate preemption be configured on the backup,
delayed preemption be configured on the master, and the preemption delay be
set. On an unstable network, these settings allow a period of time for status
synchronization between the uplink and downlink. If the preceding settings are
not used, two masters may coexist and users' devices may learn the incorrect
address of the master.
Procedure
● Configure non-preemption for the VRRP group on the switch.
a. Run:
system-view


b. Run:

undo portswitch

d. Run:
vrrp vrid virtual-router-id preempt-mode disable
The non-preemption mode is configured on the switch.
By default, the device uses the immediate preemption mode.
In non-preemption mode, the master that works properly can retain the
Master state. This state cannot be preempted even if the priority of the
master decreases.
● Configure a preemption mode on the switch and set the preemption delay.
a. Run:
system-view

b. Run:

undo portswitch

d. Run:
undo vrrp vrid virtual-router-id preempt-mode
A preemption mode is configured on the switch.
By default, the switch uses preemption.

e. Run:
vrrp vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set.
By default, the preemption delay is 0, indicating immediate preemption.

In immediate preemption mode, a backup immediately switches to the
master when detecting that its priority is higher than the master.
----End
3.7.1.5 (Optional) Configuring VRRP Time Parameters

Context
You can set VRRP time parameters as needed. Table 3-6 lists applicable scenarios.
Table 3-6 Applicable scenarios of VRRP time parameters

Function Applicable Scenario
Interval at The master in a VRRP group sends VRRP Advertisement

which VRRP packets to backups at intervals to notify that it is working
Advertisement properly. After the Master_Down_Interval timer expires, a
packets are new master is selected among the backups if the backups do
sent not receive VRRP Advertisement packets.
Heavy network traffic or time differences on different devices
may result in the backup status change due to timeout of
VRRP Advertisement packets. When packets from the original
master reach the new master, the status of the new master
changes. You can increase the interval to solve this problem.
Interval at To ensure that MAC address entries on the downstream

which switch are correct, the master in a VRRP group periodically
gratuitous ARP sends gratuitous ARP packets to update MAC address entries
packets are on the downstream switch.
sent by the
master
Delay before a On an unstable network, frequent flapping of the BFD

VRRP group session status or interface status monitored by a VRRP group
recovers may result in frequent switching of the VRRP group status.
After the delay is set, the VRRP group does not immediately
respond to an interface or BFD session Up event. Instead, the
VRRP group processes this event after the delay. This
prevents frequent switching of the VRRP group status.
Procedure
● Set the interval at which VRRP Advertisement packets are sent.
a. Run:
system-view

b. Run:

undo portswitch

d. Run:
vrrp vrid virtual-router-id timer advertise advertise-interval

The interval at which VRRP Advertisement packets are sent is set.
By default, the interval is 1 second.

● Set the interval at which gratuitous ARP packets are sent by the master.
a. Run:
system-view

b. Run:
vrrp gratuitous-arp timeout time
The interval at which gratuitous ARP packets are sent by the master is
set.
By default, the master sends gratuitous ARP packets every 120s.
The interval at which the master sends gratuitous ARP packets must be shorter
than the aging time of ARP entries on user devices.
▪ To restore the default interval at which gratuitous ARP packets are

sent, run the undo vrrp gratuitous-arp timeout command in the
system view.
▪ If the master does not need to send gratuitous ARP packets, run the
vrrp gratuitous-arp timeout disable command in the system view.
● Set the delay before a VRRP group recovers.
a. Run:
system-view

b. Run:
vrrp recover-delay delay-value
The delay before a VRRP group recovers is set.
By default, the delay before a VRRP group recovers is 0.
● After this command is used, all VRRP groups on the device are configured
with the same delay.
● When the device in a VRRP group restarts, VRRP status flapping may occur. It
is recommended that the delay be set based on actual networking.
----End
3.7.1.6 (Optional) Setting the Mode in Which VRRP Advertisement Packets

Are Sent in a Super-VLAN

Context
When a VRRP group is configured in a super-VLAN, configure VRRP Advertisement
packets to be sent to a specified sub-VLAN. Otherwise, Advertisement packets
would be broadcast in all sub-VLANs, wasting network bandwidth.
Prerequisites
A Super-VLAN has been configured.
Procedure
Step 1 Run:
system-view

Step 2 Run:
interface vlanif vlan-id
The VLANIF interface view is displayed.

Step 3 Run:
vrrp advertise send-mode { sub-vlan-id | all }
The mode in which VRRP Advertisement packets are sent in a super-VLAN is set.
By default, the master sends VRRP Advertisement packets to a sub-VLAN that is
Up and has the smallest VLAN ID in a super-VLAN.
● If sub-vlan-id is specified, the master sends VRRP Advertisement packets to a
specified sub-VLAN.
● If all is specified, the master broadcasts VRRP Advertisement packets to all
sub-VLANs of a super-VLAN.
If all is specified, the master broadcasts VRRP Advertisement packets to all sub-VLANs of a
super-VLAN, increasing the CPU usage. Therefore, do not specify all.
----End
3.7.1.7 (Optional) Disabling VRRP TTL Check
Context
The system checks the TTL value in received VRRP Advertisement packets, and
discards VRRP Advertisement packets with TTL values other than 255. On a
network where devices of different vendors are deployed, if TTL check is enabled
on the device, the device may incorrectly discard valid packets. In this case, disable
TTL check so that devices of different vendors can communicate.
Procedure
Step 1 Run:

system-view
Step 2 Run:
Step 3 (Optional) On an Ethernet interface, run:

undo portswitch
Step 4 Run:
vrrp un-check ttl
The device is configured not to check the TTL value in VRRP Advertisement
packets.
By default, the system checks the TTL value in VRRP Advertisement packets.
----End
3.7.1.8 (Optional) Setting the Authentication Mode of VRRP Advertisement

Packets
Context
Different authentication modes and authentication keys can be set in VRRPv2
Advertisement packets:
● Non-authentication: The device does not send authentication information in
outgoing VRRP Advertisement packets, and does not authenticate received
VRRP Advertisement packets, considering them all to be valid.
● Simple authentication: The device encapsulates the authentication mode and
authentication key into outgoing VRRP Advertisement packets. When a device
receives a VRRP Advertisement packet, it compares the authentication mode
and authentication key in the packet with those configured on the device. If
the values are the same, the device considers the received VRRP
Advertisement packet to be valid; otherwise, it discards it.
● MD5 authentication: The device uses the MD5 algorithm to encrypt the
authentication key and encapsulates the key in the Authentication Data field
of an outgoing VRRP Advertisement packet. The device that receives the VRRP
Advertisement packet matches the authentication mode with the decrypted
authentication key in the packet.
Only VRRPv2 supports authentication. VRRPv3 does not support authentication. VRRPv2
reserves the authentication field in VRRP Advertisement packets to be compatible with
VRRP defined in earlier versions. VRRP authentication cannot improve security.

Procedure
Step 1 Run:
system-view
Step 2 Run:

undo portswitch
Step 4 Run:
vrrp vrid virtual-router-id authentication-mode { simple { key | plain key | cipher cipher-key } | md5 md5-
key }
The authentication mode in VRRP Advertisement packets is configured.
By default, a VRRP group uses non-authentication.
● Devices in a VRRP group must be configured with the same authentication mode and
authentication key; otherwise, the VRRP group cannot negotiate the Master and Backup
states.
● To ensure security, you are advised to use MD5 authentication.
----End
3.7.1.9 (Optional) Enabling Ping to a Virtual IP Address
Context
The device allows user devices to ping a virtual IP address for the following
purposes:
● Monitoring the operating status of the master in a VRRP group
● Ensuring the reachable route between a user device and a network connected
through a default gateway that uses the virtual IP address
NOTICE
If ping to a virtual IP address is enabled, a device on an external network can ping

the virtual IP address. This exposes the device to ICMP-based attacks. You can use
the undo vrrp virtual-ip ping enable command to disable the ping function.

Procedure
Step 1 Run:
system-view
Step 2 Run:
vrrp virtual-ip ping enable
The ping to a virtual IP address is enabled.
By default, the ping function is enabled, and the master in a VRRP group responds
to ping packets sent to the virtual IP address.
----End
3.7.1.10 (Optional) Configuring VRRP Smooth Switching
Context
On a network where VRRP groups are configured, the master and backup cannot
communicate in real time during an active/standby switchover on the master
equipped with dual MPUs. When the master fails, the backup becomes the master.
When the original master recovers, it switches to the master again because its
priority is higher than the priority of the original backup. Because the system is
busy during the switchover, the master cannot send Hello packets and the backup
cannot receive packets immediately. In this case, the backup switches to the
master. Then a link switchover is performed, causing packet loss.
Enabling VRRP smooth switching on the switch equipped with dual MPUs can
optimize VRRP performance and reduce the impact on user traffic.
After VRRP smooth switching is enabled, the learning function takes precedence
over the preemption function. Therefore, the VRRP group status is not switched
and service traffic is not affected.
VRRP smooth switching must be configured on each device of a VRRP group.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vrrp timer-advertise learning enable
The device is enabled to learn the interval at which VRRP Advertisement packets
are sent.
By default, this function is enabled.
Step 3 Run:
vrrp smooth-switching timer timer-value

VRRP smooth switching is enabled, and the interval carried in VRRP Advertisement
packets during VRRP smooth switching is configured.
By default, VRRP smooth switching is enabled and the interval contained in VRRP
Advertisement packets is 100s.
The learning function must be enabled before this command is run. When the
learning function is disabled, VRRP smooth switching is also disabled.
● When the backup is restarted, it resets the Master_Down_Interval timer after the
interface recovers. If the interval for sending VRRP Advertisement packets on the master
is much longer than the interval on the backup, the master may not send VRRP
Advertisement packets after the Master_Down_Interval timer expires. In this case, the
backup becomes the master, and two masters exist in the group.
● During VRRP smooth switching, the master sends VRRP Advertisement packets at the
configured interval. If the time for VRRP smooth switching (for example, 1s) is shorter
than the interval for sending VRRP Advertisement packets (for example 10s), VRRP
Advertisement packets are sent at intervals of 10s, and the interval contained in the
VRRP Advertisement packet is 1s. As a result, the VRRP group status frequently flaps.
----End
3.7.1.11 Checking the Configuration
Procedure
● Run either of the following commands to check the VRRP group status and
parameters:
– display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] [ brief ]
– display vrrp { interface interface-type interface-number [ virtual-router-
id ] | virtual-router-id } verbose
● Run the display vrrp protocol-information command to check VRRP
information.
● Run the display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] statistics command to check statistics about sent and received
packets of the VRRP group.
----End
3.7.2 Configuring an mVRRP Group
An mVRRP group can be bound to VRRP groups and determine the status of its
bound VRRP groups. mVRRP is used when multiple VRRP groups coexist. mVRRP
helps decrease the number of VRRP Advertisement packets to be sent and
minimize network bandwidth and system resource consumption.
Before configuring basic functions of an mVRRP group, configure network layer


3.7.2.1 Configuring an mVRRP Group
Context
Each VRRP group needs to maintain its own state machine. Configuring an mVRRP
group reduces bandwidth occupied by VRRP Advertisement packets.
Procedure
1. Run:
system-view

2. Run:

undo portswitch

4. Run:

group.
5. Run:
admin-vrrp vrid virtual-router-id
The VRRP group is configured as an mVRRP group.

By default, no mVRRP group is configured.
3.7.2.2 Configuring a VRRP Group and Binding the VRRP Group to an mVRRP
Group
Context
You can bind VRRP groups to an mVRRP group so that mVRRP determines the
status of the bound VRRP groups.
Procedure
1. Run:
system-view

2. Run:
The view of the interface where a VRRP group is configured is displayed.

undo portswitch


4. Run:

group.
Because the mVRRP group determines the status of its member VRRP groups,
you do not need to set priorities for the member VRRP groups.
5. Run:
vrrp vrid virtual-router-id1 track admin-vrrp interface interface-type interface-number vrid virtual-
router-id2 unflowdown
The VRRP group is bound to an mVRRP group. A VRRP group can be bound to
only one mVRRP group.
By default, no VRRP group is bound to an mVRRP group.
After the binding is complete, the state machine of the bound VRRP group
depends on the status of the mVRRP group. That is, the bound VRRP group
inherits the status of the mVRRP group, deletes its VRRP Advertisement
packet timeout timer, and stops sending or receiving VRRP Advertisement
packets. A VRRP group can be bound to only one mVRRP group.
After a VRRP group is bound to an mVRRP group, VRRP Advertisement packets are not
sent periodically. MAC addresses are updated based on ARP Reply packets for
gratuitous ARP or from a gateway.
Procedure
● Run the display vrrp binding admin-vrrp [ interface interface-type1
interface-number1 ] [ vrid virtual-router-id1 ] member-vrrp [ interface
interface-type2 interface-number2 ] [ vrid virtual-router-id2 ] command to
check bindings between the mVRRP group and VRRP groups.
● Run the display vrrp binding admin-vrrp [ interface interface-type1
interface-number1 ] [ vrid virtual-router-id ] member-interface [ interface
interface-type2 interface-number2 ] command to check the bindings between
the mVRRP group and VRRP-enabled interfaces.
● Run the display vrrp admin-vrrp command to check the status of all mVRRP
groups.
----End
3.7.3 Configuring VRRP Association
VRRP association enables VRRP to detect faults in a timely manner and triggers an
active/standby switchover when the master or the uplink of the master becomes

faulty. VRRP association optimizes VRRP switchover and enhances network

reliability.
Before configuring VRRP association, perform the task of 3.7.1 Configuring Basic
Functions of an IPv4 VRRP Group.
You can configure VRRP association only after basic VRRP functions are
configured.
3.7.3.1 Configuring Association Between VRRP and BFD to Implement a

Rapid Active/Standby Switchover
Context
When a VRRP group becomes faulty, the backup with the highest priority detects
the fault and becomes the master after the Master_Down_Interval timer expires.
The switchover period lasts at least 3s. During this period, service traffic is still
sent to the original master, causing user traffic loss. In Figure 3-12, the VRRP
group is associated with a BFD session on the backup so that the BFD session can
rapidly detect communication faults of the VRRP group. If the BFD session detects
a fault, it immediately notifies the VRRP group that the priority of the backup
needs to be increased, and an active/standby switchover is triggered. This
millisecond-level switchover reduces traffic loss.
When the fault is rectified, the priority of the backup is restored and the original
master becomes the master again to forward traffic.
● A VRRP group can be associated with only a static BFD session or a static BFD session
with automatically negotiated discriminators.
● The master and backup in the VRRP group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and nonzero on the
master.
● Multiple VRRP groups can monitor a BFD session, and a VRRP group can monitor a
maximum of eight BFD sessions simultaneously.
Figure 3-12 Association between VRRP and BFD to implement a rapid active/
standby switchover
Master
SwitchA
HostA
Switch
Internet
HostB
SwitchB
Backup
VRRP BFD packets

Procedure
Step 1 Configure a static BFD session or a static BFD session with automatically
negotiated discriminators. For details, see 2.7.1 Configuring Single-Hop BFD,
2.7.2 Configuring Multi-Hop BFD, and 2.7.3 Configuring Static BFD with
Automatically Negotiated Discriminators.
Step 2 Run:
system-view

Step 3 Run:
The view of the interface on the backup where a VRRP group is configured is
displayed.
undo portswitch

Step 5 Run:
vrrp vrid virtual-router-id track bfd-session { bfd-session-id | session-name bfd-configure-name }
[ increased value-increased | reduced value-reduced ]
Association between VRRP and BFD is configured.

By default, a VRRP group is not associated with a BFD session.
When associating a VRRP group with a BFD session, note the following points:
● If session-name bfd-configure-name is specified, the VRRP group can be bound to
only the static BFD session with automatically negotiated discriminators.
● If bfd-session-id is specified, the VRRP group can be bound to only the static BFD
session.
● After the value by which the priority increases is set, ensure that the priority of the
backup is higher than the priority of the master.
----End
3.7.3.2 Configuring Association Between VRRP and the Interface Status to

Implement an Active/Standby Switchover
Context
When the uplink interface of the master becomes faulty, VRRP cannot detect the
status change of interfaces outside the VRRP group, causing service interruption.
You can associate a VRRP group with the interface status. When the monitored
interface becomes faulty, the priority of the master is reduced. This triggers an
active/standby switchover and reduces the impact of the uplink interface fault on
service forwarding.

When the fault is rectified, the original master restores its priority to become the
master again and begins forwarding traffic.
The master and backup in the VRRP group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and nonzero on the master.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the interface on the master where a VRRP group is configured is
displayed.

undo portswitch
Step 4 Run:
vrrp vrid virtual-router-id track interface interface-type interface-number [ increased value-increased |
reduced value-reduced ]
Association between VRRP and the interface status is configured.
A VRRP group can monitor a total of eight BFD sessions and interfaces
simultaneously.
● After the value by which the priority decreases is set, ensure that the priority of the
● You can configure a VRRP group to monitor a maximum of eight interfaces on a device.
If the device is an IP address owner, the interfaces cannot be monitored.
----End
3.7.3.3 Configuring Association Between VRRP and BFD to Monitor the

Uplink Status
Context
Because VRRP cannot detect faults on the uplink of a VRRP group, services may be
interrupted. As shown in Figure 3-13, a VRRP group is associated with a BFD
session on the master so that the BFD session monitors the uplink status of the
master. If the BFD session detects a fault on the uplink, it immediately notifies the
VRRP group that the priority of the master needs to be decreased, and an active/

standby switchover is triggered. This reduces the impact of the uplink fault on
service forwarding.
BFD implements millisecond-level detection. Association between VRRP and BFD
provides a rapid active/standby switchover.
● A VRRP group can be associated with only a static BFD session or a static BFD session
with automatically negotiated discriminators.
master.
● Multiple VRRP groups can monitor a BFD session, and a VRRP group can monitor a
maximum of eight BFD sessions simultaneously.
Figure 3-13 Association between VRRP and BFD

Master
SwitchA SwitchC
HostA
Switch
Internet
RouterE
Backup
VRRP BFD packets
Procedure
Step 1 Configure a static BFD session or a static BFD session with automatically
negotiated discriminators. For details, see 2.7.1 Configuring Single-Hop BFD,
2.7.2 Configuring Multi-Hop BFD, and 2.7.3 Configuring Static BFD with
Automatically Negotiated Discriminators.
Step 2 Run:
system-view

Step 3 Run:
displayed.
undo portswitch

Step 5 Run:
vrrp vrid virtual-router-id track bfd-session { bfd-session-id | session-name bfd-configure-name }
[ increased value-increased | reduced value-reduced ]
Association between VRRP and BFD is configured.
By default, when the monitored BFD session becomes Down, the VRRP priority
decreases by 10.
When associating a VRRP group with a BFD session, note the following points:
● If session-name bfd-configure-name is specified, the VRRP group can be bound to
● If bfd-session-id is specified, the VRRP group can be bound to only the static BFD
session.
● After a VRRP group is associated with a BFD session, the BFD session type cannot be
modified. Before deleting the BFD session type, you must delete all original
configurations.
● After the value by which the priority decreases is set, ensure that the priority of the
----End
3.7.3.4 Configuring Association Between VRRP and NQA to Monitor the

Uplink Status
Context
interrupted. You can associate a VRRP group with an NQA test instance on the
master so that the NQA test instance monitors the uplink status of the master. If
the NQA test instance detects a fault on the uplink, it immediately notifies the
VRRP group that the priority of the master needs to be decreased, and an active/
standby switchover is triggered. This reduces the impact of the uplink fault on
service forwarding.
NQA technology collects statistics on the delay, jitter, and packet loss ratio. You
can configure the percentage of failed NQA test instances and NQA association to
trigger an active/standby switchover when the uplink is unstable.
● A VRRP group can only be associated with an NQA ICMP test instance.
master.

Procedure
Step 1 Create an NQA ICMP test instance. For details, see Configuring an ICMP Test
Instance.
Step 2 Run:
system-view
Step 3 Run:
displayed.

undo portswitch
Step 5 Run:
vrrp vrid virtual-router-id track nqa admin-name test-name [ reduced value-reduced ]
Association between VRRP and NQA is configured.
By default, if the associated NQA test instance fails, the priority of the device
decreases by 10.
When setting the value by which the priority decreases, ensure that the priority of the
backup is higher than the priority of the master in order to trigger an active/standby
switchover.
----End
3.7.3.5 Configuring Association Between VRRP and Routing to Monitor the

Uplink Status
Context
interrupted. The VRRP group monitors the number of routes on the uplink
forwarding path. When the route is withdrawn or becomes inactive, the master's
priority is adjusted and an active/standby switchover is performed. This reduces
the effect of a link fault on service forwarding.
During route association, the link switchover depends on convergence of a routing

protocol associated with the VRRP group.

● When a VRRP group is associated with a static route, the device can detect only faults
on the direct uplink.
master.
Procedure
Step 1 Run:
system-view
Step 2 Run:
displayed.

undo portswitch
Step 4 Run:
vrrp vrid virtual-router-id track ip route ip-address { mask-address | mask-length } [ vpn-instance vpn-
instance-name ] [ reduced value-reduced ]
Association between a route and a VRRP group is configured.
By default, the master's priority decreases by 10 if the associated route is

withdrawn or becomes inactive.
When setting the value by which the priority decreases, ensure that the priority of
the backup is higher than the priority of the master.
----End
Procedure
● Run either of the following commands to check the VRRP group status and
parameters:
– display vrrp [ interface interface-type interface-number ] [ virtual-
router-id ] [ brief ]
– display vrrp { interface interface-type interface-number [ virtual-router-
id ] | virtual-router-id } verbose
● Run the display vrrp protocol-information command to check VRRP
information.


router-id ] statistics command to check statistics about sent and received
packets of the VRRP group.
----End
3.7.4 Configuring Basic Functions of an IPv6 VRRP Group

An IPv6 VRRP group implements gateway backup and ensures stable and highly-
efficient data forwarding.
Before configuring basic functions of an IPv6 VRRP group, configure network layer
3.7.4.1 Creating a VRRP6 Group
Context
VRRP6 virtualizes multiple devices into one gateway without changing the
networking, and uses the virtual gateway's IP address as the default gateway
address to implement next-hop gateway backup. After a VRRP6 group is
configured, traffic is forwarded through the master. When the master fails, a new
master is selected among backups to forward traffic. This ensures device-level
reliability.
If load balancing is required in addition to gateway backup, configure two or more
VRRP6 groups on an interface in single-gateway load balancing mode or multi-
gateway load balancing mode.
Procedure
Step 1 Create a VRRP6 group working in active/standby mode.
1. Run:
system-view

2. Run:
ipv6
The IPv6 function is enabled.

By default, a device is disabled from forwarding IPv6 unicast packets.
3. Run:

undo portswitch


5. Run:
ipv6 enable
IPv6 is enabled on the interface.

By default, the IPv6 function is disabled on an interface.
6. Run:
ipv6 address { ipv6-address prefix-length | ipv6-address/prefix-length }
An IPv6 address is configured for the interface.

7. Run:
vrrp6 vrid virtual-router-id virtual-ip virtual-ipv6-address [ link-local ]
A VRRP6 group is created, and a virtual IPv6 address is assigned to the VRRP6
group.
By default, no VRRP6 group is created.
The first virtual IPv6 address of a VRRP6 group must be a link-local address.
Step 2 Create VRRP6 groups working in multi-gateway load balancing mode.
If VRRP6 groups need to work in multi-gateway load balancing mode, repeat the
Create a VRRP6 group working in master/backup mode steps to configure two
or more VRRP6 groups on the interface and assign different VRIDs to them.
----End
3.7.4.2 Setting the Device Priority in a VRRP6 Group
Context
Devices with higher priorities in a VRRP6 group are more likely to become the
master. You can specify the master to forward traffic by setting device priorities.
Procedure
Step 1 Run:
system-view

Step 2 Run:

undo portswitch

Step 4 Run:
vrrp6 vrid virtual-router-id priority priority-value
The device priority in a VRRP6 group is set.

By default, the device priority is 100.
● Priority 0 is reserved in the system. Priority 255 is reserved for the IP address
owner. The configurable priority ranges from 1 to 254.
● The priority of an IP address owner is fixed at 255 and cannot be manually
changed. You can run the vrrp vrid virtual-router-id priority priority-value
command to change the priority of an IP address owner, but the configured
priority does not take effect. If a VRRP device is no longer an IP address
owner, the configured priority is used.
● When devices in a VRRP6 group have the same priority and attempt to be the
master simultaneously, the device where the interface with the largest IP
address resides becomes the master. The device that first enters the Master
state becomes the master, and other backups remain unchanged.
----End
3.7.4.3 (Optional) Configuring a VRRP6 Preemption Mode
Context
On an unstable network, if the BFD session status monitored by a VRRP6 group
flaps frequently or the backups cannot receive VRRP6 Advertisement packets
within a specified period, an active/standby switchover is performed, which causes
network flapping. The VRRP6 preemption mode and preemption delay can be
configured on the switch to enhance the stability of the master and backup.
You are advised to set the preemption delay of the backup in a VRRP6 group to 0, configure
the master in preemption mode, and set the preemption delay. On an unstable network,
these settings allow a period of time for status synchronization between the uplink and
downlink. If the preceding settings are not used, two masters may coexist and users' devices
may learn the incorrect address of the master.
Procedure
● Configure non-preemption for the VRRP6 group on the switch.
a. Run:
system-view

b. Run:

undo portswitch

d. Run:
vrrp6 vrid virtual-router-id preempt-mode disable

The non-preemption mode is configured on the switch.

By default, the device uses the immediate preemption mode.
In non-preemption mode, the master retains the Master state as long as
it works properly. The master' status remains unchanged even if the
priority of the master decreases.
You can use the undo vrrp6 vrid virtual-router-id preempt-mode
command to restore the default preemption mode.
● Configure a preemption mode on the switch and set the preemption delay.
a. Run:
system-view

b. Run:

undo portswitch

d. Run:
vrrp6 vrid virtual-router-id preempt-mode timer delay delay-value
The preemption delay is set.

By default, the preemption delay is 0, indicating immediate preemption.
In immediate preemption mode, a backup immediately switches to the
master when detecting that its priority is higher than the master.
----End
3.7.4.4 (Optional) Configuring VRRP6 Time Parameters
Context
You can set VRRP6 time parameters as needed. Table 3-7 lists applicable
scenarios.

Table 3-7 Applicable scenarios of VRRP6 time parameters
Function Usage Scenario
Interval at The master in a VRRP6 group sends VRRP6 Advertisement

which VRRP6 packets to backups at intervals to notify that it is working
Advertisement properly. After the Master_Down_Interval timer expires, the
packets are backup with the highest priority switches to the master if it
sent does not receive VRRP6 Advertisement packets.
Heavy network traffic or time differences on different devices
may result in the status change of the backups due to timeout
of VRRP6 Advertisement packets. When packets from the
original master reach the new master, the status of the new
master changes. You can increase the interval to solve this
problem.
Interval at To ensure that MAC address entries on the downstream switch

which ND are correct, the master in a VRRP6 group periodically sends
packets are ND packets to update MAC address entries on the
sent by the downstream switch.
master
Delay before a On an unstable network, frequent flapping of the BFD session

VRRP6 group status or interface status monitored by a VRRP6 group may
recovers result in frequent switching of the VRRP6 group status. After
the delay is set, the VRRP6 group does not immediately
respond to an interface or BFD session Up event. Instead, the
VRRP6 group processes this event after the delay. This
prevents frequent switching of the VRRP6 group status.
Procedure
● Set the interval at which VRRP6 Advertisement packets are sent.
a. Run:
system-view

b. Run:

undo portswitch

d. Run:
vrrp6 vrid virtual-router-id timer advertise advertise-interval
The interval at which VRRP6 Advertisement packets are sent is set.
By default, VRRP6 Advertisement packets are sent at intervals of 1s.

If devices in a VRRP6 group use different intervals, VRRP6 may not work.
● Set the interval at which ND packets are sent by the master.
a. Run:
system-view

b. Run:
vrrp gratuitous-arp timeout time
The interval at which ND packets are sent by the master is set.
By default, the master sends ND packets every 120s.
The interval at which the master sends ND packets must be shorter than
the aging time of ND entries on each user device.
▪ To restore the default interval at which an ND packet is sent, run the

undo vrrp gratuitous-arp timeout command in the system view.
▪ To disable the master from sending ND packets, run the vrrp

gratuitous-arp timeout disable command in the system view.
● Set the delay before a VRRP6 group recovers.
a. Run:
system-view

b. Run:
vrrp recover-delay delay-value
The delay before a VRRP6 group recovers is set.
By default, the delay before a VRRP6 group recovers is 0.
● After this command is used, all VRRP6 groups on the device are configured
with the same delay.
● When the device in a VRRP6 group restarts, VRRP6 status flapping may occur.
It is recommended that the delay be set based on actual networking.
----End
3.7.4.5 (Optional) Disabling VRRP6 TTL Check
Context
The system checks the TTL value in received VRRP6 Advertisement packets, and
discards VRRP6 Advertisement packets with TTL values other than 255. On a
network where devices of different vendors are deployed, if TTL check is enabled
on the device, the device may incorrectly discard valid packets. In this case, disable
TTL check so that devices of different vendors can communicate.

Procedure
Step 1 Run:
system-view

Step 2 Run:

undo portswitch

Step 4 Run:
vrrp6 un-check hop-limit
The device is configured not to check the TTL value in VRRP6 Advertisement
packets.
By default, the system checks the TTL value in VRRP6 Advertisement packets.
----End
3.7.4.6 (Optional) Enabling Ping to a Virtual IP Address
Context
The device allows user devices to ping a virtual IP address for the following
purposes:
● Monitoring the operating status of the master in a VRRP group
● Ensuring the reachable route between a user device and a network connected
through a default gateway that uses the virtual IP address
NOTICE
If ping to a virtual IP address is enabled, a device on an external network can ping

the virtual IP address. This exposes the device to ICMP-based attacks. You can use
the undo vrrp virtual-ip ping enable command to disable the ping function.
Procedure
Step 1 Run:
system-view

Step 2 Run:
vrrp virtual-ip ping enable

The ping to a virtual IP address is enabled.
By default, the ping function is enabled, and the master in a VRRP group responds
to ping packets sent to the virtual IP address.
----End
3.7.4.7 (Optional) Configuring VRRP Smooth Switching
Context
On a network where VRRP groups are configured, the master and backup cannot
communicate in real time during an active/standby switchover on the master
equipped with dual MPUs. When the master fails, the backup becomes the master.
When the original master recovers, it switches to the master again because its
priority is higher than the priority of the original backup. Because the system is
busy during the switchover, the master cannot send Hello packets and the backup
cannot receive packets immediately. In this case, the backup switches to the
master. Then a link switchover is performed, causing packet loss.
Enabling VRRP smooth switching on the switch equipped with dual MPUs can
optimize VRRP performance and reduce the impact on user traffic.
After VRRP smooth switching is enabled, the learning function takes precedence
over the preemption function. Therefore, the VRRP group status is not switched
and service traffic is not affected.
VRRP smooth switching must be configured on each device of a VRRP group.
Procedure
Step 1 Run:
system-view
Step 2 Run:
vrrp timer-advertise learning enable
The device is enabled to learn the interval at which VRRP Advertisement packets
are sent.
By default, this function is enabled.
Step 3 Run:
vrrp smooth-switching timer timer-value
VRRP smooth switching is enabled, and the interval carried in VRRP Advertisement
packets during VRRP smooth switching is configured.
By default, VRRP smooth switching is enabled and the interval contained in VRRP
Advertisement packets is 100s.
The learning function must be enabled before this command is run. When the
learning function is disabled, VRRP smooth switching is also disabled.

● When the backup is restarted, it resets the Master_Down_Interval timer after the
interface recovers. If the interval for sending VRRP Advertisement packets on the master
is much longer than the interval on the backup, the master may not send VRRP
Advertisement packets after the Master_Down_Interval timer expires. In this case, the
backup becomes the master, and two masters exist in the group.
● During VRRP smooth switching, the master sends VRRP Advertisement packets at the
configured interval. If the time for VRRP smooth switching (for example, 1s) is shorter
than the interval for sending VRRP Advertisement packets (for example 10s), VRRP
Advertisement packets are sent at intervals of 10s, and the interval contained in the
VRRP Advertisement packet is 1s. As a result, the VRRP group status frequently flaps.
----End
Procedure
● Run the display vrrp6 [ interface interface-type interface-number ] [ vrid
virtual-router-id ] [ brief ] command to check the VRRP6 group status and
parameters.
virtual-router-id ] statistics command to check statistics about sent and
received packets of the VRRP6 group.
----End
3.7.5 Configuring an mVRRP6 Group
An mVRRP6 group can be bound to VRRP6 groups and determine the status of its
bound VRRP6 groups. mVRRP6 is used when multiple VRRP6 groups coexist.
mVRRP6 helps decrease the number of VRRP6 Advertisement packets to be sent
and minimize network bandwidth and system resource consumption.
Before configuring basic functions of an mVRRP6 group, configure network layer
3.7.5.1 Configuring an mVRRP6 Group
Context
Each VRRP6 group needs to maintain its own state machine. Configuring an
mVRRP6 group reduces bandwidth occupied by VRRP6 Advertisement packets.
Procedure
Step 1 Run:
system-view

Step 2 Run:

undo portswitch

Step 4 (Optional) Run:
group.
Step 5 Run:
admin-vrrp6 vrid virtual-router-id
The VRRP6 group is configured as an mVRRP6 group.

By default, no mVRRP6 group is configured.
----End
3.7.5.2 Configuring a VRRP6 Group and Binding the VRRP6 Group to an

mVRRP6 Group
Context
You can bind VRRP6 groups to an mVRRP6 group so that mVRRP6 determines the
status of the bound VRRP6 groups.
Procedure
Step 1 Run:
system-view

Step 2 Run:
The view of the interface where a VRRP6 group is configured is displayed.

undo portswitch

Step 4 Run:

group.
Because the mVRRP6 group determines the status of its member VRRP6 groups,
you do not need to set priorities for the member VRRP6 groups.
Step 5 Run:
vrrp6 vrid virtual-router-id1 track admin-vrrp6 interface interface-type interface-number vrid virtual-
router-id2 unflowdown
The VRRP6 group is bound to an mVRRP6 group.
By default, no VRRP6 group is bound to an mVRRP6 group.
After the binding is complete, the state machine of the bound VRRP6 group
depends on the status of the mVRRP6 group. That is, the bound VRRP6 group
inherits the status of the mVRRP6 group, deletes its VRRP6 Advertisement packet
timeout timer, and stops sending or receiving VRRP6 Advertisement packets. A
VRRP6 group can be bound to only one mVRRP6 group.
----End
Procedure
● Run the display vrrp6 binding admin-vrrp6 [ interface interface-type1
interface-number1 ] [ vrid virtual-router-id1 ] member-vrrp [ interface
interface-type2 interface-number2 ] [ vrid virtual-router-id2 ] command to
check bindings between the mVRRP6 group and VRRP6 groups.
● Run the display vrrp6 admin-vrrp6 command to check the status of all
mVRRP groups.
----End
3.7.6 Configuring VRRP6 Association
VRRP6 association enables VRRP6 to detect faults in a timely manner and triggers
an active/standby switchover when the master or the uplink of the master
becomes faulty. VRRP6 association optimizes VRRP6 switchover and enhances
network reliability.
Before configuring VRRP6 association, perform the task of 3.7.4 Configuring Basic
Functions of an IPv6 VRRP Group.
3.7.6.1 Configuring Association Between VRRP6 and BFD to Implement a

Rapid Active/Standby Switchover

Context
You can associate a VRRP6 group with a BFD session. When the BFD session status
changes, BFD notifies the VRRP6 group. This process triggers a rapid active/
standby switchover.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the interface where a VRRP6 group is configured is displayed.

undo portswitch
Step 4 Run:
vrrp6 vrid virtual-router-id track bfd-session { session-id | session-name bfd-configure-name } [ increased
value-increased | reduced value-reduced ]
Association between VRRP6 and BFD is configured to implement a rapid active/

standby switchover.
increased value-increased: specifies the value by which the priority increases when
the monitored BFD session becomes Down. The value is an integer that ranges
from 1 to 255. The value 255 is reserved for the IP address owner, so the
maximum value of value-increased is 254. This parameter is valid only when the
VRRP6 group is in Backup state.
reduced value-reduced: specifies the value by which the priority decreases when
the monitored BFD session becomes Down. The value is an integer that ranges
from 1 to 254. The lowest priority is 1. When the priority is decreased to 1, the
master sends a VRRP6 Advertisement packet with priority 0. The value 0 is
reserved. When the backup receives a VRRP6 Advertisement packet with priority 0,
the backup becomes the master immediately. By default, the value is 10.
When setting the value by which the priority increases or decreases, ensure that the backup
has higher priority than the master so that a rapid active/standby switchover is performed.
When associating a VRRP6 group with a BFD session, note the following points:
● If session-name bfd-configure-name is specified, the VRRP6 group can be bound to
● If session-id is specified, the VRRP6 group can be bound to only the static BFD session.
Currently, the device supports only association between VRRP6 and BFD for IPv4.
----End

3.7.6.2 Configuring Association Between VRRP6 and the Interface Status to

Implement an Active/Standby Switchover
Context
When the uplink interface of the master becomes faulty, VRRP6 cannot detect the
status change of interfaces outside the VRRP6 group, causing service interruption.
You can associate a VRRP6 group with the interface status. When the monitored
interface becomes faulty, the priority of the master is reduced. This triggers an
active/standby switchover and reduces the impact of the uplink interface fault on
service forwarding.
The master and backup in the VRRP6 group must work in preemption mode. It is
recommended that the preemption delay be 0 on the backup and nonzero on the master.
Procedure
Step 1 Run:
system-view
Step 2 Run:
The view of the interface on the master where a VRRP6 group is configured is
displayed.

undo portswitch
Step 4 Run:
vrrp6 vrid virtual-router-id track interface interface-type interface-number [ increased value-increased |
reduced value-reduced ]
Association between VRRP6 and the interface status is configured.
If the IPv4 protocol status on the monitored interface configured with an IPv4 address
changes, the priority of the master is reduced. If the IPv6 protocol status on the monitored
interface configured with an IPv6 address changes, the VRRP6 group remains unchanged.
----End

Procedure
virtual-router-id ] [ brief ] command to check the VRRP6 group status and
parameters.
virtual-router-id ] statistics command to check statistics about sent and
received packets of the VRRP6 group.
----End
3.8 Maintaining VRRP
3.8.1 Monitoring the VRRP Running Status
Context
During routine maintenance, you can run the following commands to view VRRP
Advertisement packet statistics and monitor the VRRP running status.
Procedure
router-id ] statistics command in any view to view statistics about sent and
received packets of a VRRP group.
virtual-router-id ] statistics command in any view to view statistics about
sent and received packets of a VRRP6 group.
3.8.2 Clearing VRRP Advertisement Packet Statistics
Context
Before recollecting statistics about VRRP Advertisement packets in a given period
of time, clear existing statistics.
NOTICE
The cleared statistics cannot be restored. Exercise caution when you run the reset
command.
Procedure
● Run the reset vrrp [ interface interface-type interface-number ] [ vrid
virtual-router-id ] statistics command in the user view to clear statistics
about a VRRP group.

● Run the reset vrrp6 [ interface interface-type interface-number ] [ vrid

virtual-router-id ] statistics command in the user view to clear statistics
about a VRRP6 group.
3.9 Configuration Examples
3.9.1 Example for Configuring a VRRP Group in Active/

Standby Mode
Networking Requirements
In Figure 3-14, HostA is dual-homed to SwitchA and SwitchB through the switch.
To ensure nonstop service transmission, a VRRP group in active/standby mode
needs to be configured on SwitchA and SwitchB.
● The host uses SwitchA as the default gateway to connect to the Internet.
When SwitchA becomes faulty, SwitchB functions as the gateway. This
implements gateway backup.
● After SwitchA recovers, it switches to the master to transmit data after a
preemption delay of 20s.
Figure 3-14 Networking diagram for configuring a VRRP group

VRRP VRID 1
Virtual IP address: SwitchA
10.1.1.111 GE1/0/2 Master
GE1/0/1
10.1.1.1/24
192.168.1.1/24
GE1/0/1
GE1/0/1 192.168.1.2/24
GE1/0/3
Switch SwitchC Internet
172.16.1.1/24
HostA GE1/0/2 GE1/0/2
192.168.2.2/24
10.1.1.100/24
GE1/0/1
GE1/0/2 192.168.2.1/24
10.1.1.2/24 SwitchB
Backup
Device Interface VLANIF Interface IP Address
SwitchA GE1/0/1 VLANIF 300 192.168.1.1/24
GE1/0/2 VLANIF 100 10.1.1.1/24
SwitchB GE1/0/1 VLANIF 200 192.168.2.1/24
GE1/0/2 VLANIF 100 10.1.1.2/24

SwitchC GE1/0/1 VLANIF 300 192.168.1.2/24
GE1/0/2 VLANIF 200 192.168.2.2/24
GE1/0/3 VLANIF 400 172.16.1.1/24
Configuration Roadmap
The configuration roadmap is as follows:
1. Assign an IP address to each interface and configure a routing protocol to
ensure network connectivity.
2. Configure a VRRP group on SwitchA and SwitchB, set a higher priority for
SwitchA so that SwitchA functions as the master to forward traffic and set the
preemption delay to 20s on SwitchA, and set a lower priority for SwitchB so
that SwitchB functions as the backup.
Procedure
Step 1 Configure devices to ensure network connectivity.
# Assign an IP address to each interface. SwitchA is used as an example. The
configurations of SwitchB and SwitchC are similar to the configuration of SwitchA,
and are not mentioned here. For details, see the configuration files.
<Quidway> system-view
[Quidway] sysname SwitchA
[SwitchA] vlan batch 100 300
[SwitchA] interface gigabitethernet 1/0/1
[SwitchA-GigabitEthernet1/0/1] port hybrid pvid vlan 300
[SwitchA-GigabitEthernet1/0/1] port hybrid untagged vlan 300
[SwitchA-GigabitEthernet1/0/1] quit
[SwitchA] interface vlanif 100
[SwitchA-Vlanif100] ip address 10.1.1.1 24
[SwitchA-Vlanif100] quit
# Configure Layer 2 transmission on the switch.

[Quidway] sysname Switch
[Switch] vlan 100
[Switch-vlan100] quit
[Switch] interface gigabitethernet 1/0/1
[Switch-GigabitEthernet1/0/1] port hybrid pvid vlan 100
[Switch-GigabitEthernet1/0/1] port hybrid untagged vlan 100
[Switch-GigabitEthernet1/0/1] quit
# Configure OSPF between SwitchA, SwitchB, and SwitchC. SwitchA is used as an

example. The configurations of SwitchB and SwitchC are similar to the

configuration of SwitchA, and are not mentioned here. For details, see the
configuration files.
[SwitchA] ospf 1
[SwitchA-ospf-1] area 0
[SwitchA-ospf-1-area-0.0.0.0] network 10.1.1.0 0.0.0.255
[SwitchA-ospf-1-area-0.0.0.0] quit
[SwitchA-ospf-1] quit
Step 2 Configure VRRP groups.

# Configure VRRP group 1 on SwitchA, and set the priority of SwitchA to 120 and
the preemption delay to 20s.
[SwitchA-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-Vlanif100] vrrp vrid 1 priority 120
[SwitchA-Vlanif100] vrrp vrid 1 preempt-mode timer delay 20
# Configure VRRP group 1 on SwitchB. SwitchB uses default value 100.

[SwitchB] interface vlanif 100
[SwitchB-Vlanif100] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-Vlanif100] quit
Step 3 Verify the configuration.

# After the configuration is complete, run the display vrrp command on SwitchA
and SwitchB. You can see that SwitchA is in Master state and SwitchB is in Backup
state.
[SwitchA] display vrrp
Vlanif100 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
Master IP : 10.1.1.1
PriorityRun : 120
PriorityConfig : 120
MasterPriority : 120
Preempt : YES Delay Time : 20 s
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Config type : normal-vrrp
Backup-forward : disabled
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the display ip routing-table command on SwitchA and SwitchB. The

command output shows that a direct route to the virtual IP address exists in the
routing table of SwitchA and an OSPF route to the virtual IP address exists in the
routing table of SwitchB. The command output on SwitchA and SwitchB is as
follows:
[SwitchA] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
Destinations : 9 Routes : 10
Destination/Mask Proto Pre Cost Flags NextHop Interface
10.1.1.0/24 Direct 0 0 D 10.1.1.1 Vlanif100

10.1.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 Direct 0 0 D 127.0.0.1 Vlanif100
127.0.0.0/8 Direct 0 0 D 127.0.0.1 InLoopBack0
172.16.1.0/24 OSPF 10 2 D 192.168.1.2 Vlanif300
192.168.1.0/24 Direct 0 0 D 192.168.1.1 Vlanif300
192.168.1.1/32 Direct 0 0 D 127.0.0.1 Vlanif300
192.168.2.0/24 OSPF 10 2 D 10.1.1.2 Vlanif100
OSPF 10 2 D 192.168.1.2 Vlanif300
[SwitchB] display ip routing-table
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.2 Vlanif100

10.1.1.2/32 Direct 0 0 D 127.0.0.1 Vlanif100
10.1.1.111/32 OSPF 10 2 D 10.1.1.1 Vlanif100
172.16.1.0/24 OSPF 10 2 D 192.168.2.2 Vlanif200
192.168.1.0/24 OSPF 10 2 D 10.1.1.1 Vlanif100
OSPF 10 2 D 192.168.2.2 Vlanif200
192.168.2.0/24 Direct 0 0 D 192.168.2.1 Vlanif200
192.168.2.1/32 Direct 0 0 D 127.0.0.1 Vlanif200
# Run the shutdown command on GE1/0/2 of SwitchA to simulate a link fault.

[SwitchA-GigabitEthernet1/0/2] shutdown
# Run the display vrrp command on SwitchB to view the VRRP status. The
command output shows that SwitchB is in Master state.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES

Create time : 2012-01-12 20:15:46

Last change time : 2012-01-12 20:18:40
# Run the undo shutdown command on GE1/0/2 of SwitchA.

[SwitchA-GigabitEthernet1/0/2] undo shutdown
# After 20s, run the display vrrp command on SwitchA to view the VRRP status.
SwitchA restores to be in Master state.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:20:56
----End
Configuration Files
● SwitchA configuration file
#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 virtual-ip 10.1.1.111
vrrp vrid 1 priority 120
vrrp vrid 1 preempt-mode timer delay 20
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
interface GigabitEthernet1/0/1
port hybrid pvid vlan 300
port hybrid untagged vlan 300
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● SwitchB configuration file

#
sysname SwitchB

#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● SwitchC configuration file
#
sysname SwitchC
#
vlan batch 200 300 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.1.1 255.255.255.0
#
#
#
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● Switch configuration file
#
sysname Switch
#
vlan batch 100
#
#

#
return
3.9.2 Example for Configuring a VRRP Group in Load

Balancing Mode
In Figure 3-15, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch. To reduce the load of data traffic on SwitchA, HostA uses SwitchA as
the default gateway to connect to the Internet, and SwitchB functions as the
backup gateway. HostC uses SwitchB as the default gateway to connect to the
Internet, and SwitchA functions as the backup gateway. This implements load
balancing.
Figure 3-15 Networking diagram for configuring a VRRP group in load balancing
mode
VRRP VRID 1 SwitchA
Virtual IP address: VRID 1: Master
10.1.1.111 VRID 2: Backup
GE1/0/1
HostA 192.168.1.1/24
10.1.1.100/24
GE1/0/2 GE1/0/1
GE1/0/1 10.1.1.1/24 192.168.1.2/24
Switch GE1/0/3 Internet
SwitchC 172.16.1.1/24
GE1/0/2 GE1/0/2 GE1/0/2
10.1.1.2/24 192.168.2.2/24
HostC GE1/0/1
10.1.1.101/24 192.168.2.1/24
SwitchB
VRID 1: Backup
VRRP VRID 2 VRID 2: Master
Virtual IP address:
10.1.1.112
GE1/0/2 VLANIF 100 10.1.1.1/24
GE1/0/2 VLANIF 100 10.1.1.2/24

GE1/0/2 VLANIF 200 192.168.2.2/24
GE1/0/3 VLANIF 400 172.16.1.1/24
2. Create VRRP groups 1 and 2 on SwitchA and SwitchB. In VRRP group 1,
configure SwitchA as the master and SwitchB as the backup. In VRRP group 2,
configure SwitchB as the master and SwitchA as the backup.
Procedure

[Switch] vlan 100


[SwitchA] ospf 1

# Configure VRRP group 1 on SwitchA and SwitchB, set the priority of SwitchA to
120 and the preemption delay to 20s, and set the default priority for SwitchB.
# Configure VRRP group 2 on SwitchA and SwitchB, set the priority of SwitchB to
120 and the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB-Vlanif100] vrrp vrid 2 priority 120
[SwitchB-Vlanif100] vrrp vrid 2 preempt-mode timer delay 20

# After the configuration is complete, run the display vrrp command on SwitchA.
You can see that SwitchA is the master in VRRP group 1 and the backup in VRRP
group 2.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

State : Backup
Virtual IP : 10.1.1.112
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE

Virtual MAC : 0000-5e00-0102

Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
# After the configuration is complete, run the display vrrp command on SwitchB.
You can see that SwitchB is the backup in VRRP group 1 and the master in VRRP
group 2.
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

State : Master
Virtual IP : 10.1.1.112
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#

#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
#
sysname SwitchC
#
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.1.1 255.255.255.0
#
#
#


#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
3.9.3 Example for Configuring Association Between VRRP and

BFD to Implement a Rapid Active/Standby Switchover
In Figure 3-16, hosts on a LAN are dual-homed to SwitchA and SwitchB through
the switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is
the master.
If SwitchA or a link between SwitchA and SwitchB becomes faulty, VRRP
Advertisement packet negotiation takes time. To implement a rapid active/standby
switchover, deploy a BFD session on the link and associate the VRRP group with
the BFD session. When the primary interface on the master or the link fails, the
BFD session rapidly detects the fault and notifies the VRRP group of it. The VRRP
group then performs a rapid active/standby switchover. The backup becomes the
Master and takes over traffic forwarding. This reduces the impact of the fault on
service transmission.

standby switchover
VRRP VRID 1
Virtual IP Address:
10.1.1.3/24 GE1/0/1
Master
VLANIF100 SwitchA
10.1.1.1/24
HostA
GE1/0/1
Switch Internet
GE1/0/2
HostB GE1/0/1
VLANIF100 SwitchB
10.1.1.2/24 Backup BFD packets
Association between a VRRP group and a BFD session is used to implement a
rapid active/standby switchover. The configuration roadmap is as follows:
2. Configure a VRRP group on SwitchA and SwitchB. SwitchA functions as the
master, its priority is 120, and the preemption delay is 20s. SwitchB functions
as the backup and uses the default priority.
3. Configure a static BFD session on SwitchA and SwitchB to monitor the link of
the VRRP group.
4. Configure association between VRRP and BFD on SwitchB to implement a
rapid active/standby switchover when the link is faulty.
Procedure
configuration of SwitchB is similar to the configuration of SwitchA, and is not
mentioned here. For details, see the configuration files.
[SwitchA] vlan 100
[SwitchA-vlan100] quit


[Switch] vlan 100

# Configure OSPF between SwitchA and SwitchB. SwitchA is used as an example.

The configuration of SwitchB is similar to the configuration of SwitchA, and is not
mentioned here. For details, see the configuration files.
[SwitchA] ospf 1
Step 2 Configure a VRRP group.

# Configure VRRP group 1 on SwitchB. SwitchB uses default value 100.

Step 3 Configure a static BFD session.

# Create a BFD session on SwitchA.
[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.2 interface vlanif 100
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] min-rx-interval 100
[SwitchA-bfd-session-atob] min-tx-interval 100
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit
# Create a BFD session on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 10.1.1.1 interface vlanif 100
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] min-rx-interval 100
[SwitchB-bfd-session-btoa] min-tx-interval 100
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit
Run the display bfd session command on SwitchA and SwitchB. You can see that
the BFD session is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------

Local Remote PeerIpAddr State Type InterfaceName

--------------------------------------------------------------------------------
1 2 10.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
Step 4 Associate BFD with VRRP.

# Configure association between VRRP and BFD on SwitchB. When the BFD
session becomes Down, the priority of SwitchB increases by 40.
[SwitchB-Vlanif100] vrrp vrid 1 track bfd-session 2 increased 40

and SwitchB. SwitchA is the master, SwitchB is the backup, and the associated BFD
session is in Up state.
State : Master
Virtual IP : 10.1.1.3
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
State : Backup
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Track BFD : 2 Priority increased : 40
BFD-session state : UP
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

Then run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA is in Initialize state, SwitchB becomes the master, and the associated BFD
session becomes Down.


State : Initialize
Master IP : 0.0.0.0
PriorityRun : 120
MasterPriority : 0
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
State : Master
PriorityRun : 140
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
BFD-session state : DOWN
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# After 20s, run the display vrrp command on SwitchA and SwitchB. You can see
that SwitchA restores to be the master and SwitchB the backup, and the
associated BFD session is in Up state.
State : Master
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

State : Backup
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
#
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif100
discriminator local 1
discriminator remote 2
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname SwitchB
#
vlan batch 100
#
bfd
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
vrrp vrid 1 track bfd-session 2 increased 40
#


#
bfd btoa bind peer-ip 10.1.1.1 interface Vlanif100
min-tx-interval 100
min-rx-interval 100
commit
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return

NQA to Monitor the Uplink Status
the switch. A VRRP group is established on SwitchA and SwitchB, and SwitchA is
the master. Generally, SwitchA functions as the gateway and user traffic is along
the path Switch -> SwitchA -> SwitchC -> SwitchE.
When the link between SwitchC and SwitchE becomes faulty, the VRRP group is
required to be able to detect the fault. Then an active/standby switchover is
performed rapidly andSwitchB takes over services. This reduces the impact of the
link fault on service forwarding.

Figure 3-17 Association between VRRP and NQA to monitor the uplink status
GE1/0/2
192.168.1.1/24
VRRP VRID 1 Master
Virtual IP address: SwitchA SwitchC
GE1/0/1 GE1/0/2
10.1.1.10
192.168.1.2/24 172.16.1.1/24
GE1/0/1
GE1/0/1 172.16.1.2/24
GE1/0/0
10.1.1.1/24
SwitchE Internet
GE1/0/1
Switch 10.1.1.2/24 GE1/0/1 GE1/0/2
GE2/0/0
192.168.2.2/24 172.16.2.2/24
GE1/0/2
SwitchB 172.16.2.1/24
SwitchD
Backup
GE1/0/2
HostA 192.168.2.1/24 NQA packets
GE1/0/2 VLANIF 300 192.168.1.1/24
GE1/0/2 VLANIF 200 192.168.2.1/24
GE1/0/2 VLANIF 500 172.16.1.1/24
SwitchD GE1/0/1 VLANIF 200 192.168.2.2/24
GE1/0/2 VLANIF 400 172.16.2.1/24
SwitchE GE1/0/1 VLANIF 500 172.16.1.2/24
GE1/0/2 VLANIF 400 172.16.2.2/24

2. Configure a VRRP group on SwitchA and SwitchB. Set the priority of SwitchA
to 120 and the preemption delay to 20s so that SwitchA functions as the
master. Configure SwitchB to use the default priority so that SwitchB
functions as the backup.

3. Configure an NQA test instance of ICMP on SwitchA, specify the IP address of

GE1/0/1 on SwitchE as the destination address, and configure the NQA test
instance to detect connectivity of the link between SwitchA and SwitchE.
4. Configure association between VRRP and NQA on SwitchA. When the link is
faulty, an active/standby switchover can be performed rapidly.
Procedure
configurations of SwitchB, SwitchC, SwitchD, and SwitchE are similar to the
[SwitchA-GigabitEthernet1/0/1] port link-type trunk
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 100
[SwitchA-GigabitEthernet1/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1

[Switch] vlan 100
[Switch-GigabitEthernet1/0/0] port link-type trunk
[Switch-GigabitEthernet1/0/0] port trunk allow-pass vlan 100
[Switch-GigabitEthernet1/0/0] port trunk pvid vlan 100
[Switch-GigabitEthernet1/0/0] undo port trunk allow-pass vlan 1
# Configure OSPF between devices. SwitchA is used as an example. The

[SwitchA] ospf 1


# Configure VRRP group 1 on SwitchB. SwitchB uses default priority 100.

Step 3 Configure an NQA test instance.

# Configure an NQA test instance of ICMP with destination IP address
172.16.1.2/24 on SwitchA.
[SwitchA] nqa test-instance user test
[SwitchA-nqa-user-test] test-type icmp
[SwitchA-nqa-user-test] destination-address ipv4 172.16.1.2
[SwitchA-nqa-user-test] frequency 15
[SwitchA-nqa-user-test] start now
[SwitchA-nqa-user-test] quit
# Run the display nqa results test-instance user test command on SwitchA. The
command output shows that the NQA test instance status is success.
[SwitchA] display nqa results test-instance user test
NQA entry(user, test) :testflag is active ,testtype is icmp
1 . Test 1 result The test is finished
Send operation times: 3 Receive response times: 2
Completion:success RTD OverThresholds number: 0
Attempts number:1 Drop operation number:0
Disconnect operation number:0 Operation timeout number:1
System busy operation number:0 Connection fail number:0
Operation sequence errors number:0 RTT Status errors number:0
Destination ip address:172.16.1.2
Min/Max/Average Completion Time: 6/6/6
Sum/Square-Sum Completion Time: 12/72
Last Good Probe Time: 2012-05-22 17:32:56.1
Lost packet ratio: 33 %
Step 4 Configure association between VRRP and NQA.

# Configure association between VRRP and NQA on SwitchA. When the NQA test
instance is failed, the priority of SwitchA decreases by 40.
[SwitchA-Vlanif100] vrrp vrid 1 track nqa user test reduced 40

and SwitchB. You can see that SwitchA is the master, SwitchB is the backup, and
the associated NQA test instance is success.
State : Master

PriorityRun : 120
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Track NQA : user test Priority reduced : 40
NQA state : success
Create time : 2012-05-22 17:32:56
Last change time : 2012-05-22 17:33:00
State : Backup
PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-22 17:33:00
Last change time : 2012-05-22 17:33:04
# Run the shutdown command on GE1/0/1 of SwitchE to simulate a link fault.

[SwitchE] interface gigabitethernet 1/0/1
[SwitchE-GigabitEthernet1/0/1] shutdown
[SwitchE-GigabitEthernet1/0/1] quit
# Run the display vrrp command on SwitchA and SwitchB. You can see that
SwitchA is in Backup state, SwitchB becomes the master, and the NQA test
instance is failed.
State : Backup
PriorityRun : 80
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
NQA state : failed
Create time : 2012-05-22 17:34:56
Last change time : 2012-05-22 17:35:00
State : Master

PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-22 17:35:00
Last change time : 2012-05-22 17:35:04
# Run the undo shutdown command on GE1/0/1 of SwitchE.

[SwitchE-GigabitEthernet1/0/1] undo shutdown
associated NQA test instance status is success.
State : Master
PriorityRun : 120
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
NQA state : success
Create time : 2012-05-22 17:36:56
Last change time : 2012-05-22 17:37:00
State : Backup
PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-22 17:37:00
Last change time : 2012-05-22 17:37:04
----End
Configuration Files

#
sysname SwitchA
#
vlan batch 100 300
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 track nqa user test reduced 40
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
#
port link-type trunk
port trunk pvid vlan 100
undo port trunk allow-pass vlan 1
port trunk allow-pass vlan 100
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
nqa test-instance user test
test-type icmp
destination-address ipv4 172.16.1.2
frequency 15
start now
#
return

#
sysname SwitchB
#
vlan batch 100 200
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 300 500
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
#
interface Vlanif500
ip address 172.16.1.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 200 400
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
#
interface Vlanif400
ip address 172.16.2.1 255.255.255.0
#
#
#
ospf 1
area 0.0.0.0
network 172.16.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● SwitchE configuration file
#
sysname SwitchE
#
vlan batch 400 500
#
interface Vlanif400
ip address 172.16.2.2 255.255.255.0
#
interface Vlanif500
ip address 172.16.1.2 255.255.255.0
#
#


#
ospf 1
area 0.0.0.0
network 172.16.1.0 0.0.0.255
network 172.16.2.0 0.0.0.255
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return

Routing to Monitor the Uplink Status
As shown in Figure 3-18, hosts on a LAN are dual-homed to SwitchA and SwitchB
through the switch. A VRRP group is established on SwitchA and SwitchB, and
SwitchA is the master. SwitchA functions as the gateway and user traffic is
forwarded along the path Switch -> SwitchA -> SwitchC -> SwitchE.
When the route between SwitchC and SwitchE is withdrawn or becomes inactive,
the VRRP group is required to be able to detect the fault. Then an active/standby
switchover is performed rapidly and SwitchB takes over services. This reduces the
impact of the link fault on service forwarding.

Figure 3-18 Association between VRRP and routing to monitor the uplink status
GE1/0/2
192.168.1.1/24
VRRP VRID 1 Master
Virtual IP address: SwitchA SwitchC
GE1/0/1 GE1/0/2
10.1.1.10
192.168.1.2/24 172.16.1.1/24
GE1/0/1
GE1/0/0 GE1/0/1 172.16.1.2/24
10.1.1.1/24
SwitchE Internet
GE1/0/1
Switch 10.1.1.2/24 GE1/0/1 GE1/0/2
GE2/0/0
192.168.2.2/24 172.16.2.2/24
GE1/0/2
SwitchB SwitchD 172.16.2.1/24
Backup
GE1/0/2
HostA 192.168.2.1/24
GE1/0/2 VLANIF 300 192.168.1.1/24
GE1/0/2 VLANIF 200 192.168.2.1/24
GE1/0/2 VLANIF 500 172.16.1.1/24
SwitchD GE1/0/1 VLANIF 200 192.168.2.2/24
GE1/0/2 VLANIF 400 172.16.2.1/24
SwitchE GE1/0/1 VLANIF 500 172.16.1.2/24
GE1/0/2 VLANIF 400 172.16.2.2/24

2. Configure a VRRP group on SwitchA and SwitchB, set a higher priority for
preemption delay to 20s, and set a lower priority for SwitchB so that SwitchB
functions as the backup.

3. Configure association between VRRP and routing on SwitchA so that an

active/standby switchover is performed immediately when the monitored
route is withdrawn or becomes inactive.
Procedure
Step 1 Assign an IP address to each interface. SwitchA is used as an example. The
[SwitchA-GigabitEthernet1/0/1] port trunk pvid vlan 100
[SwitchA-GigabitEthernet1/0/1] undo port trunk allow-pass vlan 1
Step 2 Configure Layer 2 transmission on the switch.

[Switch] vlan 100
# Configure VRRP group 1 on SwitchB. SwitchB uses default priority 100.


Step 4 Configure IS-IS. SwitchA, SwitchC, and SwitchE are used as an example. The
configurations of SwitchB and SwitchD are similar to the configuration of SwitchA,
# Set the IS-IS NET of SwitchA to 10.0000.0000.0001.00, and set the IS-IS level to
1.
[SwitchA] isis 1
[SwitchA-isis-1] is-level level-1
[SwitchA-isis-1] network-entity 10.0000.0000.0001.00
[SwitchA-isis-1] quit
[SwitchA-Vlanif300] isis enable 1
# Set the IS-IS NET of SwitchC to 10.0000.0000.0002.00, and set the IS-IS level to
1.
[SwitchC] isis 1
[SwitchC-isis-1] is-level level-1
[SwitchC-isis-1] network-entity 10.0000.0000.0002.00
[SwitchC-isis-1] quit
[SwitchC] interface vlanif 300
[SwitchC-Vlanif300] isis enable 1
[SwitchC-Vlanif300] quit
[SwitchC] interface vlanif 500
[SwitchC-Vlanif500] isis enable 1
[SwitchC-Vlanif500] quit
# Set the IS-IS NET of SwitchE to 10.0000.0000.0003.00 and 20.0000.0000.0003.00,

and set the IS-IS level to 1.
[SwitchE] isis 1
[SwitchE-isis-1] is-level level-1
[SwitchE-isis-1] network-entity 10.0000.0000.0003.00
[SwitchE-isis-1] quit
[SwitchE] interface vlanif 500
[SwitchE-Vlanif500] isis enable 1
[SwitchE-Vlanif500] quit
[SwitchE] isis 2
[SwitchE-isis-2] is-level level-1
[SwitchE-isis-2] network-entity 20.0000.0000.0003.00
[SwitchE-isis-2] quit
[SwitchE] interface vlanif 400
[SwitchE-Vlanif400] isis enable 2
[SwitchE-Vlanif400] quit
Step 5 Configure association between VRRP and routing on SwitchA. When the associated
route is withdrawn, the priority of SwitchA decreases by 40.
[SwitchA-Vlanif100] vrrp vrid 1 track ip route 172.16.1.0 24 reduced 40

# After the configuration is complete, run the display isis route command on
SwitchA. You can see a route to network segment 172.16.1.0/24.
[SwitchA] display isis route
Route information for ISIS(1)

-----------------------------
ISIS(1) Level-1 Forwarding Table

--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags

-------------------------------------------------------------------------------
172.16.1.0/24 20 NULL Vlanif300 192.168.1.2 A/-/-/-
192.168.1.0/24 10 NULL Vlanif300 Direct D/-/L/-
Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,
U-Up/Down Bit Set
SwitchA is the master, SwitchB is the backup, and the associated route is
reachable.
State : Master
PriorityRun : 120
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Track IP route : 172.16.1.0/24 Priority reduced : 40
IP route state : Reachable
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:25:51
State : Backup
PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:25:51
# Run the shutdown command on GE1/0/1 of SwitchE to simulate a link fault.

[SwitchE-GigabitEthernet1/0/1] shutdown
# Run the display isis route command on SwitchA. You can see that the route to
network segment 172.16.1.0/24 is withdrawn.
[SwitchA] display isis route
Route information for ISIS(1)

-----------------------------
ISIS(1) Level-1 Forwarding Table

--------------------------------
IPV4 Destination IntCost ExtCost ExitInterface NextHop Flags

-------------------------------------------------------------------------------
192.168.1.0/24 10 NULL Vlanif300 Direct D/-/L/-

Flags: D-Direct, A-Added to URT, L-Advertised in LSPs, S-IGP Shortcut,

U-Up/Down Bit Set
SwitchA is in Backup state, SwitchB is in Master state, and the associated route is
unreachable.
State : Backup
PriorityRun : 80
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
IP route state : Unreachable
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:25:51
State : Master
PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:25:51
# Run the undo shutdown command on GE1/0/1 of SwitchE.

[SwitchE-GigabitEthernet1/0/1] undo shutdown
associated route is reachable.
State : Master
PriorityRun : 120
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101

Check TTL : YES

IP route state : Reachable
Create time : 2012-05-29 21:27:47
Last change time : 2012-05-29 21:27:51
State : Backup
PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:27:47
Last change time : 2012-05-29 21:27:51
----End
Configuration Files
#
sysname SwitchA
#
vlan batch 100 300
#
isis 1
is-level level-1
network-entity 10.0000.0000.0001.00
#
interface Vlanif100
ip address 10.1.1.1 255.255.255.0
vrrp vrid 1 track ip route 172.16.1.0 255.255.255.0 reduced 40
#
interface Vlanif300
ip address 192.168.1.1 255.255.255.0
isis enable 1
#
#
#
return

#
sysname SwitchB
#
vlan batch 100 200

#
isis 2
is-level level-1
network-entity 20.0000.0000.0001.00
#
interface Vlanif100
ip address 10.1.1.2 255.255.255.0
#
interface Vlanif200
ip address 192.168.2.1 255.255.255.0
isis enable 2
#
#
#
return
#
sysname SwitchC
#
vlan batch 300 500
#
isis 1
is-level level-1
network-entity 10.0000.0000.0002.00
#
interface Vlanif300
ip address 192.168.1.2 255.255.255.0
isis enable 1
#
interface Vlanif500
ip address 172.16.1.1 255.255.255.0
isis enable 1
#
#
#
return
● SwitchD configuration file
#
sysname SwitchD
#
vlan batch 200 400
#
isis 2
is-level level-1
network-entity 20.0000.0000.0002.00
#
interface Vlanif200
ip address 192.168.2.2 255.255.255.0
isis enable 2
#
interface Vlanif400
ip address 172.16.2.1 255.255.255.0
isis enable 2

#
#
#
return
● SwitchE configuration file

#
sysname SwitchE
#
vlan batch 400 500
#
isis 1
is-level level-1
network-entity 10.0000.0000.0003.00
#
isis 2
is-level level-1
network-entity 20.0000.0000.0003.00
#
interface Vlanif400
ip address 172.16.2.2 255.255.255.0
isis enable 2
#
interface Vlanif500
ip address 172.16.1.2 255.255.255.0
isis enable 1
#
#
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return

3.9.6 Example for Configuring MSTP + VRRP Network

As shown in Figure 3-19, hosts connect to SwitchC, and SwitchC connects to the
Internet through SwitchA and SwitchB. To improve access reliability, the user
configures redundant links. The redundant links causes a network loop, which
leads to broadcast storm and destroy MAC address entries.
It is required that the network loop be prevented when redundant links are
deployed, traffic be switched to another link when one link is broken, and network
bandwidth be effectively used.
MSTP can be configured on the network to prevent loops. MSTP blocks redundant
links and prunes a network into a tree topology free from loops. In addition, VRRP
needs to be configured on SwitchA and SwitchB. HostA connects to the Internet by
using SwitchA as the default gateway and SwitchB as the secondary gateway.
HostB connects to the Internet by using SwitchB as the default gateway and
SwitchA as the secondary gateway. Traffic is thus load balanced and
communication reliability is improved.
Figure 3-19 MSTP + VRRP network

VRRP VRID 1 SwitchA
Virtual IP Address: VRID 1:Master
HostA
10.1.2.100 VRID 2:Backup
VLAN2
10.1.2.101/24 /1 GE
E1/0 1/0
G / 3 RouterA
GE
GE1/0/2
1/0 /1
/2 1/0
GE
SwitchC MSTP Internet
GE1/0/2
GE
3
1 /0/SwitchC 1/0/4
G E
GE RouterB
HostB 1/0 /0 /3
/1 GE1
VLAN3
10.1.3.101/24 SwitchB
VRID 1:Backup
VRRP VRID 2 VRID 2:Master
Virtual IP Address:
10.1.3.100
VLAN2 MSTI1 VLAN3 MSTI2
MSTI1: MSTI2:
Root Switch:SwitchA Root Switch:SwitchB

Blocked port Blocked port

SwitchA GE1/0/1 and VLANIF 2 10.1.2.102/24

GE1/0/2
GE1/0/1 and VLANIF 3 10.1.3.102/24

GE1/0/2
GE1/0/3 VLANIF 4 10.1.4.102/24
SwitchB GE1/0/1 and VLANIF 2 10.1.2.103/24

GE1/0/2
GE1/0/1 and VLANIF 3 10.1.3.103/24

GE1/0/2
GE1/0/3 VLANIF 5 10.1.5.103/24
1. Configure basic MSTP on the switches, including:
a. Configure MST and create multi-instance, map VLAN 2 to MSTI1, and
map VLAN 3 to MSTI2 to load balance traffic.
b. Configure the root bridge and backup bridge in the MST region.
c. Configure the path cost on an interface so that the interface can be
blocked.
d. Enable MSTP to prevent loops:
▪ Enable MSTP globally.
▪ Enable MSTP on all interfaces except the interfaces connecting to

hosts.
Because the interfaces connecting to hosts do not participate in MSTP

calculation, configure these ports as edge ports.
2. Enable the protection function to protect devices or links. For example, enable
the protection function on the root bridge of each instance to protect roots.
3. Configure Layer 2 forwarding.
4. Assign an IP address to each interface and configure the routing protocol on
each device to ensure network connectivity.
5. Create VRRP group 1 and VRRP group 2 on SwitchA and SwitchB. Configure
SwitchA as the master device and SwitchB as the backup device of VRRP
group 1. Configure SwitchB as the master device and SwitchA as the backup
device of VRRP group 2.

Procedure
Step 1 Configure basic MSTP functions.
1. Add SwitchA, SwitchB, and SwitchC to region RG1, and create instances MSTI1
and MSTI2.
# Configure an MST region on SwitchA.
[SwitchA] stp region-configuration
[SwitchA-mst-region] region-name RG1
[SwitchA-mst-region] instance 1 vlan 2
[SwitchA-mst-region] instance 2 vlan 3
[SwitchA-mst-region] active region-configuration
[SwitchA-mst-region] quit
# Configure an MST region on SwitchB.

[Quidway] sysname SwitchB
[SwitchB] stp region-configuration
[SwitchB-mst-region] region-name RG1
[SwitchB-mst-region] instance 1 vlan 2
[SwitchB-mst-region] instance 2 vlan 3
[SwitchB-mst-region] active region-configuration
[SwitchB-mst-region] quit
# Configure an MST region on SwitchC.

[Quidway] sysname SwitchC
[SwitchC] stp region-configuration
[SwitchC-mst-region] region-name RG1
[SwitchC-mst-region] instance 1 vlan 2
[SwitchC-mst-region] instance 2 vlan 3
[SwitchC-mst-region] active region-configuration
[SwitchC-mst-region] quit
2. Configure the root bridges and backup bridges for MSTI1 and MSTI2 in RG1.
– Configure the root bridge and backup bridge for MSTI1.
# Set SwitchA as the root bridge of MSTI1.
[SwitchA] stp instance 1 root primary
# Set SwitchB as the backup bridge of MSTI1.

[SwitchB] stp instance 1 root secondary
– Configure the root bridge and backup bridge for MSTI2.

# Set SwitchB as the root bridge of MSTI2.
[SwitchB] stp instance 2 root primary
# Set SwitchA as the backup bridge of MSTI2.

[SwitchA] stp instance 2 root secondary
3. Set the path costs of the interfaces that you want to block on MSTI1 and
MSTI2 to be greater than the default value.
– The path cost range is decided by the calculation method. The Huawei calculation
method is used as an example. Set the path costs of the interfaces to 20000.
– The switches on the same network must use the same calculation method to
calculate path costs.
# Set the path cost calculation method on SwitchA to Huawei calculation
method.

[SwitchA] stp pathcost-standard legacy
# Set the path cost calculation method on SwitchB to Huawei calculation

method.
[SwitchB] stp pathcost-standard legacy
# Set the path cost calculation method on SwitchC to Huawei calculation

method. Set the path cost of GE1/0/1 in MSTI2 to 20000; set the path cost of
GE1/0/4 in MSTI1 to 20000.
[SwitchC] stp pathcost-standard legacy
[SwitchC] interface gigabitethernet 1/0/1
[SwitchC-GigabitEthernet1/0/1] stp instance 2 cost 20000
[SwitchC-GigabitEthernet1/0/1] quit
[SwitchC-GigabitEthernet1/0/4] stp instance 1 cost 20000
4. Enable MSTP to prevent loops.

– Enable MSTP globally.
# Enable MSTP on SwitchA.
[SwitchA] stp enable
# Enable MSTP on SwitchB.

[SwitchB] stp enable
# Enable MSTP on SwitchC.

[SwitchC] stp enable
– Configure the ports connected to hosts as edge ports.

# Configure GE1/0/2 and GE1/0/3 of Switch C as an edge port.
[SwitchC-GigabitEthernet1/0/2] stp edged-port enable
[SwitchC-GigabitEthernet1/0/3] stp edged-port enable
(Optional) Configure BPDU protection on SwitchC.

[SwitchC] stp bpdu-protection
– Configure the ports connected to Router as edge ports.

# Configure GE1/0/3 of Switch A as an edge port.
[SwitchA-GigabitEthernet1/0/3] stp edged-port enable
(Optional) Configure BPDU protection on SwitchA.

[SwitchA] stp bpdu-protection
# Disable STP on GE1/0/3 of Switch B as an edge port.

[SwitchB] interface gigabitethernet 1/0/3
[SwitchB-GigabitEthernet1/0/3] stp edged-port enable
[SwitchB-GigabitEthernet1/0/3] quit
(Optional) Configure BPDU protection on SwitchB.

[SwitchB] stp bpdu-protection
If edge ports are connected to network devices that have STP enabled and BPDU
protection is enabled, the edge ports will be shut down and their attributes
remain unchanged after they receive BPDUs.
Step 2 Enable the protection function on the designated interfaces of each root bridge.

# Enable root protection on GE1/0/1 of SwitchA.

[SwitchA-GigabitEthernet1/0/1] stp root-protection
# Enable root protection on GE1/0/1 of SwitchB.

[SwitchB-GigabitEthernet1/0/1] stp root-protection
Step 3 Configure Layer 2 forwarding on the switches in the ring.

● Create VLANs 2 and 3 on SwitchA, SwitchB, and SwitchC.
# Create VLANs 2 and 3 on SwitchA.
[SwitchA] vlan batch 2 to 3
# Create VLANs 2 and 3 on SwitchB.

[SwitchB] vlan batch 2 to 3
# Create VLANs 2 and 3 on SwitchC.

[SwitchC] vlan batch 2 to 3
● Add the interfaces connecting to the loops to VLANs.

# Add GE1/0/1 of SwitchA to VLANs.
[SwitchA-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
# Add GE1/0/2 of SwitchA to VLANs.

[SwitchA-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 3
# Add GE1/0/1 of SwitchB to VLANs.

[SwitchB-GigabitEthernet1/0/1] port link-type trunk
[SwitchB-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
# Add GE1/0/2 of SwitchB to VLANs.

[SwitchB-GigabitEthernet1/0/2] port link-type trunk
[SwitchB-GigabitEthernet1/0/2] port trunk allow-pass vlan 2 to 3
# Add GE1/0/1 of SwitchC to VLANs.

[SwitchC-GigabitEthernet1/0/1] port link-type trunk
[SwitchC-GigabitEthernet1/0/1] port trunk allow-pass vlan 2 to 3
# Add GE1/0/2 of SwitchC to VLAN 2.

[SwitchC-GigabitEthernet1/0/2] port link-type access
[SwitchC-GigabitEthernet1/0/2] port default vlan 2
# Add GE1/0/3 of SwitchC to VLAN 3.

[SwitchC-GigabitEthernet1/0/3] port link-type access
[SwitchC-GigabitEthernet1/0/3] port default vlan 3

# Add GE1/0/4 of SwitchC to VLANs.

[SwitchC-GigabitEthernet1/0/4] port link-type trunk
[SwitchC-GigabitEthernet1/0/4] port trunk allow-pass vlan 2 to 3
After the preceding configurations are complete and the network topology
becomes stable, perform the following operations to verify the configuration.
MSTI 1 and MSTI 2 are used as examples. You do not need to focus on the interface status
in MSTI 0.
# Run the display stp brief command on SwitchA to view the status and
protection type on interfaces. The displayed information is as follows:
[SwitchA] display stp brief
MSTID Port Role STP State Protection
0 GigabitEthernet1/0/1 DESI FORWARDING ROOT
0 GigabitEthernet1/0/2 DESI FORWARDING NONE
2 GigabitEthernet1/0/2 ROOT FORWARDING NONE
In MSTI1, GE1/0/2 and GE1/0/1 of SwitchA are set as designated interfaces

because SwitchA is the root bridge of MSTI1. In MSTI2, GE1/0/1 of SwitchA is set
as the designated interface and GE1/0/2 is set as the root interface.
# Run the display stp brief command on SwitchB. The displayed information is as
follows:
[SwitchB] display stp brief
In MSTI2, GE1/0/1 and GE1/0/2 of SwitchB are set as designated interfaces

because SwitchB is the root bridge of MSTI2. In MSTI1, GE1/0/1 of SwitchB is set
as the designated interface and GE1/0/2 is set as the root interface.
# Run the display stp interface brief command on SwitchC. The displayed
information is as follows:
[SwitchC] display stp interface gigabitethernet 1/0/1 brief
2 GigabitEthernet1/0/1 ALTE DISCARDING NONE
[SwitchC] display stp interface gigabitethernet 1/0/4 brief
GE1/0/1 of SwitchC is the root interface of MSTI1, and is blocked in MSTI2.

GE1/0/4 of SwitchC is the root interface of MSTI2, and is blocked in MSTI1.

Step 5 Connect devices.

# Assign an IP address to each interface, for example, the interfaces on SwitchA.
The configurations on SwitchB are similar to the configurations on SwitchA. For
details, see the configuration file.
[SwitchA] vlan batch 4
# Run OSPF on SwitchA, SwitchB, and routers. The configurations on SwitchA are
used as an example. The configurations on SwitchB are similar to the
configurations on SwitchA. For details, see the configuration file.
[SwitchA] ospf 1

# Create VRRP group 1 on SwitchA and SwitchB. Set SwitchA as the master device,
priority to 120, and preemption delay to 20 seconds. Set SwitchB as the backup
device and retain the default priority.
# Create VRRP group 2 on SwitchA and SwitchB. Set SwitchB as the master device,
priority to 120, and preemption delay to 20 seconds. Set SwitchA as the backup
device and retain the default priority.
[SwitchB-Vlanif3] vrrp vrid 2 priority 120
[SwitchB-Vlanif3] vrrp vrid 2 preempt-mode timer delay 20
# Set the virtual IP address 10.1.2.100 of VRRP group 1 as the default gateway of
Host A, and the virtual IP address 10.1.3.100 of VRRP group 2 as the default
gateway of Host B.

# After completing the preceding configurations, run the display vrrp command
on SwitchA. SwitchA's VRRP status is master in VRRP group 1 and backup in VRRP
group 2.
State : Master
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

State : Backup
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58
# Run the display vrrp command on SwitchB. SwitchB's VRRP status is backup in
VRRP group 1 and master in VRRP group 2.
State : Backup
Virtual IP : 10.1.2.100
Master IP : 10.1.2.102
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-11 11:39:18
Last change time : 2012-05-26 11:38:58

State : Master
Virtual IP : 10.1.3.100
Master IP : 10.1.3.103
PriorityRun : 120

TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-11 11:40:18
Last change time : 2012-05-26 11:48:58
----End
Configuration File
#
sysname SwitchA
#
vlan batch 2 to 4
#
stp instance 1 root primary
stp instance 2 root secondary
stp bpdu-protection
stp pathcost-standard legacy
stp enable
#
stp region-configuration
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
active region-configuration
#
interface Vlanif2
ip address 10.1.2.102 255.255.255.0
#
interface Vlanif3
ip address 10.1.3.102 255.255.255.0
#
interface Vlanif4
ip address 10.1.4.102 255.255.255.0
#
port trunk allow-pass vlan 2 to 3
stp root-protection
#
#
stp edged-port enable
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.4.0 0.0.0.255
#
return


#
sysname SwitchB
#
vlan batch 2 to 3 5
#
stp instance 1 root secondary
stp instance 2 root primary
stp bpdu-protection
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#
interface Vlanif2
ip address 10.1.2.103 255.255.255.0
#
interface Vlanif3
ip address 10.1.3.103 255.255.255.0
#
interface Vlanif5
ip address 10.1.5.103 255.255.255.0
#
stp root-protection
#
#
#
ospf 1
area 0.0.0.0
network 10.1.2.0 0.0.0.255
network 10.1.3.0 0.0.0.255
network 10.1.5.0 0.0.0.255
#
return

#
sysname SwitchC
#
vlan batch 2 to 3
#
stp bpdu-protection
stp enable
#
region-name RG1
instance 1 vlan 2
instance 2 vlan 3
#

stp instance 2 cost 20000
#
port link-type access
port default vlan 2
#
port default vlan 3
#
stp instance 1 cost 20000
#
return
3.9.7 Example for Configuring VRRP on a Dot1q Termination

Sub-interface
the switch. User packets sent from the switch carry one tag. The requirements are
as follows:
● After SwitchA recovers, it becomes the gateway within 20s.
Figure 3-20 Networking for configuring VRRP on the Dot1q termination sub-
interface
In te rn e t
G E 1 /0 /0 G E 2 /0 /0
1 9 2 .1 6 8 .2 .2 /2 4 1 9 2 .1 6 8 .1 .2 /2 4
G E 1 /0 /0 G E 1 /0 /0
1 9 2 .1 6 8 .2 .1 /2 4 S w itc h C 1 9 2 .1 6 8 .1 .1 /2 4
S w itc h A S w itc h B
G E 2 /0 /0 .1 G E 2 /0 /0 .1
1 0 .1 .1 .1 /2 4 1 0 .1 .1 .2 /2 4
S w itc h V R R P V R ID 1
G E 1 /0 /1 G E 1 /0 /2 V irtu a l IP a d d re s s :
1 0 .1 .1 .1 1 1 /2 4
G E 1 /0 /0
VLAN 10
Host
1 0 .1 .1 .3 /2 4

VRRP is configured on the Dot1q termination sub-interface to implement gateway
redundancy. The configuration roadmap is as follows:

2. Configure a VRRP group on sub-interfaces of SwitchA and SwitchB, set a
higher priority for SwitchA so that SwitchA functions as the master to forward
traffic and set the preemption delay to 20s, and set a lower priority for
SwitchB so that SwitchB functions as the backup.
Procedure

[SwitchA] interface gigabitethernet 2/0/0.1
[SwitchA-GigabitEthernet2/0/0.1] ip address 10.1.1.1 24
[SwitchA-GigabitEthernet2/0/0.1] quit
[SwitchA-GigabitEthernet1/0/0] undo portswitch
[SwitchA-GigabitEthernet1/0/0] ip address 192.168.2.1 24
# Configure Layer 2 forwarding on the switch.

[Switch] vlan 10
[Switch-GigabitEthernet1/0/0] port link-type access
[Switch-GigabitEthernet1/0/0] port default vlan 10

[SwitchA] ospf 1
Step 2 Configure VRRP on a Dot1q termination sub-interface.

# Configure VRRP group 1 on GE2/0/0.1 of SwitchA, and set the priority of

SwitchA to 120 and the preemption delay to 20s.
[SwitchA-GigabitEthernet2/0/0.1] dot1q termination vid 10
[SwitchA-GigabitEthernet2/0/0.1] arp broadcast enable
[SwitchA-GigabitEthernet2/0/0.1] dot1q vrrp vid 10
[SwitchA-GigabitEthernet2/0/0.1] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchA-GigabitEthernet2/0/0.1] vrrp vrid 1 priority 120
[SwitchA-GigabitEthernet2/0/0.1] vrrp vrid 1 preempt-mode timer delay 20
# Configure VRRP group 1 on GE2/0/0.1 of SwitchB, and set the default priority of
100 for SwitchB.
[SwitchB] interface gigabitethernet 2/0/0.1
[SwitchB-GigabitEthernet2/0/0.1] dot1q termination vid 10
[SwitchB-GigabitEthernet2/0/0.1] arp broadcast enable
[SwitchB-GigabitEthernet2/0/0.1] dot1q vrrp vid 10
[SwitchB-GigabitEthernet2/0/0.1] vrrp vrid 1 virtual-ip 10.1.1.111
[SwitchB-GigabitEthernet2/0/0.1] quit
state.
GigabitEthernet2/0/0.1 | Virtual Router 1
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-30 21:25:47
Last change time : 2012-05-30 21:25:51
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-30 21:25:47
Last change time : 2012-05-30 21:25:51


routing table of SwitchB.
------------------------------------------------------------------------------
10.1.1.0/24 Direct 0 0 D 10.1.1.1 GigabitEthernet2/0/0.1

192.168.1.0/24 OSPF 10 2 D 192.168.2.2 GigabitEthernet1/0/0
OSPF 10 2 D 10.1.1.2 GigabitEthernet2/0/0.1
192.168.2.0/24 Direct 0 0 D 192.168.2.1 GigabitEthernet1/0/0
------------------------------------------------------------------------------

10.1.1.111/32 OSPF 10 2 D 10.1.1.1 GigabitEthernet2/0/0.1
# Run the shutdown command on GE2/0/0.1 of SwitchA to simulate a link fault.

[SwitchA-GigabitEthernet2/0/0.1] shutdown
SwitchA is in Initialize state and SwitchB is in Master state.
State : Initialize
Virtual IP : 10.1.1.111
Master IP : 0.0.0.0
PriorityRun : 120
MasterPriority : 0
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-30 21:27:47
Last change time : 2012-05-30 21:27:51
State : Master
Virtual IP : 10.1.1.111

PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-30 21:27:47
Last change time : 2012-05-30 21:27:51
# Run the undo shutdown command on GE2/0/0.1 of SwitchA.

[SwitchA-GigabitEthernet2/0/0.1] undo shutdown
that SwitchA is in Master state and SwitchB is in Backup state.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-30 21:28:47
Last change time : 2012-05-30 21:28:51
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun :1s
TimerConfig :1s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-30 21:28:47
Last change time : 2012-05-30 21:28:51
----End
Configuration Files
#
sysname SwitchA

#
undo portswitch
ip address 192.168.2.1 255.255.255.0
#
interface GigabitEthernet2/0/0.1
dot1q termination vid 10
dot1q vrrp vid 10
ip address 10.1.1.1 255.255.255.0
arp broadcast enable
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
#
sysname SwitchB
#
undo portswitch
ip address 192.168.1.1 255.255.255.0
#
dot1q termination vid 10
dot1q vrrp vid 10
ip address 10.1.1.2 255.255.255.0
arp broadcast enable
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return
#
sysname SwitchC
#
undo portswitch
ip address 192.168.2.2 255.255.255.0
#
undo portswitch
ip address 192.168.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
#
sysname Switch
#
vlan batch 10
#

port default vlan 10

#
#
#
return
3.9.8 Example for Configuring VRRP on a QinQ Termination

Sub-interface
As shown in Figure 3-21, hosts on a LAN are dual-homed to SwitchA and SwitchB
through LSW1. HostA belongs to VLAN 10 and HostB belongs to VLAN 20. User
packets sent from LSW1 carry double tags. The requirements are as follows:
● After SwitchA recovers, it becomes the gateway within 20s.
Figure 3-21 Networking for configuring VRRP on a QinQ termination sub-

interface
In te rn e t
G E 1 /0 /0 G E 2 /0 /0
1 9 2 .1 6 8 .2 .2 /2 4 1 9 2 .1 6 8 .1 .2 /2 4
G E 1 /0 /0 G E 1 /0 /0
1 9 2 .1 6 8 .2 .1 /2 4 S w itc h C 1 9 2 .1 6 8 .1 .1 /2 4
S w itc h A S w itc h B
G E 2 /0 /0 .1 1 0 .1 .1 .1 /2 4 G E 2 /0 /0 .1 1 0 .1 .1 .2 /2 4
G E 2 /0 /0 .2 1 0 .1 .2 .1 /2 4 G E 2 /0 /0 .2 1 0 .1 .2 .2 /2 4
V R R P V R ID 2
V irtu re IP a d d re s s：
V R R P V R ID 1
1 0 .1 .2 .1 1 1 /2 4
V irtu re IP a d d re s s： G E 1 /0 /2 G E 1 /0 /3
1 0 .1 .1 .1 1 1 /2 4
G E 1 /0 /0 G E 1 /0 /1
G E 1 /0 /1 LSW 1 G E 1 /0 /1
LSW 2 LSW 3
G E 1 /0 /0 G E 1 /0 /0
VLAN 10 VLAN 20
H o s tA H o s tB
1 0 .1 .1 .3 /2 4 1 0 .1 .2 .3 /2 4


2. Configure a VRRP group on sub-interfaces of SwitchA and SwitchB, set a
higher priority for SwitchA so that SwitchA functions as the master to forward
traffic and set the preemption delay to 20s, and set a lower priority for
SwitchB so that SwitchB functions as the backup.
Procedure

[SwitchA-GigabitEthernet1/0/0] undo portswitch
[SwitchA-GigabitEthernet1/0/0] ip address 192.168.2.1 24

[SwitchA] ospf 1
Step 2 Configure Layer 2 forwarding.
# Configure LSW2.
[Quidway] sysname LSW2
[LSW2] vlan 10
[LSW2-vlan10] quit
[LSW2] interface gigabitethernet 1/0/0
[LSW2-GigabitEthernet1/0/0] port link-type access
[LSW2-GigabitEthernet1/0/0] port default vlan 10
[LSW2-GigabitEthernet1/0/0] quit
[LSW2-GigabitEthernet1/0/1] port link-type trunk
[LSW2-GigabitEthernet1/0/1] port trunk allow-pass vlan 10
# Configure LSW3.

[LSW3] vlan 20
[LSW3-vlan20] quit
[LSW3-GigabitEthernet1/0/0] port link-type access
[LSW3-GigabitEthernet1/0/0] port default vlan 20
# Configure LSW1.
[LSW1] vlan 100
[LSW1-vlan100] quit
[LSW1-GigabitEthernet1/0/0] port vlan-stacking vlan 10 stack-vlan 100
[LSW1-GigabitEthernet1/0/1] port vlan-stacking vlan 20 stack-vlan 100
Step 3 Configure VRRP on a QinQ termination sub-interface.

# On SwitchA, configure VRRP group 1 on GE2/0/0.1 and VRRP group 2 on
GE2/0/0.2, and set the priority of SwitchA in the two VRRP groups to 120 and the
preemption delay to 20s.
[SwitchA-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[SwitchA-GigabitEthernet2/0/0.1] qinq vrrp pe-vid 100 ce-vid 10
[SwitchA-GigabitEthernet2/0/0.2] qinq termination pe-vid 100 ce-vid 20
[SwitchA-GigabitEthernet2/0/0.2] qinq vrrp pe-vid 100 ce-vid 20
# On SwitchB, configure VRRP group 1 on GE2/0/0.1 and VRRP group 2 on

GE2/0/0.2, and configure SwitchB to use the default priority in the two VRRP
groups.
[SwitchB-GigabitEthernet2/0/0.1] qinq termination pe-vid 100 ce-vid 10
[SwitchB-GigabitEthernet2/0/0.1] qinq vrrp pe-vid 100 ce-vid 10
[SwitchB-GigabitEthernet2/0/0.2] qinq termination pe-vid 100 ce-vid 20
[SwitchB-GigabitEthernet2/0/0.2] qinq vrrp pe-vid 100 ce-vid 20


state in the two VRRP groups.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10

State : Master
Virtual IP : 10.1.2.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10

State : Backup
Virtual IP : 10.1.2.111
PriorityRun : 100

TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10

routing table of SwitchB.
------------------------------------------------------------------------------

------------------------------------------------------------------------------

# Run the shutdown command on GE2/0/0.1 of SwitchA to simulate a link fault.

[SwitchA-GigabitEthernet2/0/0.1] shutdown
SwitchA is in Initialize state and SwitchB is in Master state in VRRP group 1.


State : Initialize
Virtual IP : 10.1.1.111
Master IP : 0.0.0.0
PriorityRun : 120
MasterPriority : 0
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:27:47
Last change time : 2012-05-29 21:29:10

State : Master
Virtual IP : 10.1.2.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:27:47
Last change time : 2012-05-29 21:29:10

State : Backup
Virtual IP : 10.1.2.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES

Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10
# Run the undo shutdown command on GE2/0/0.1 of SwitchA.

[SwitchA-GigabitEthernet2/0/0.1] undo shutdown
that SwitchA is in Master state and SwitchB is in Backup state in VRRP group 1.
State : Master
Virtual IP : 10.1.1.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:29:47
Last change time : 2012-05-29 21:31:10

State : Master
Virtual IP : 10.1.2.111
PriorityRun : 120
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10
State : Backup
Virtual IP : 10.1.1.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0101
Check TTL : YES
Create time : 2012-05-29 21:29:47
Last change time : 2012-05-29 21:31:10

State : Backup

Virtual IP : 10.1.2.111
PriorityRun : 100
TimerRun : 1 s
TimerConfig : 1 s
Auth type : NONE
Virtual MAC : 0000-5e00-0102
Check TTL : YES
Create time : 2012-05-29 21:25:47
Last change time : 2012-05-29 21:27:10
----End
Configuration Files
#
sysname SwitchA
#
undo portswitch
ip address 192.168.2.1 255.255.255.0
#
qinq termination pe-vid 100 ce-vid 10
qinq vrrp pe-vid 100 ce-vid 10
ip address 10.1.1.1 255.255.255.0
#
ip address 10.1.2.1 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return

#
sysname SwitchB
#
undo portswitch
ip address 192.168.1.1 255.255.255.0
#
ip address 10.1.1.2 255.255.255.0
#


ip address 10.1.2.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 10.1.1.0 0.0.0.255
network 10.1.2.0 0.0.0.255
network 192.168.1.0 0.0.0.255
#
return

#
sysname SwitchC
#
undo portswitch
ip address 192.168.2.2 255.255.255.0
#
undo portswitch
ip address 192.168.1.2 255.255.255.0
#
ospf 1
area 0.0.0.0
network 192.168.1.0 0.0.0.255
network 192.168.2.0 0.0.0.255
#
return
● LSW1 configuration file

#
sysname LSW1
#
vlan batch 100
#
port vlan-stacking vlan 10 stack-vlan 100
#
port vlan-stacking vlan 20 stack-vlan 100
#
#
#
return

#
sysname LSW2
#
vlan batch 10
#
#
#
return


#
sysname LSW3
#
vlan batch 20
#
#
#
return
3.9.9 Example for Configuring a VRRP6 Group in Active/

Standby Mode
In Figure 3-22, HostA is dual-homed to SwitchA and SwitchB through the switch
on the IPv6 network. To ensure nonstop service transmission, a VRRP6 group in
active/standby mode needs to be configured on SwitchA and SwitchB.
● After SwitchA recovers, it preempts to be the master to transmit data after a
preemption delay of 20s.
Figure 3-22 Networking diagram for configuring a VRRP6 group in active/standby

mode
VRRP6 VRID 1
FC00::100/64 GE1/0/2 Master
GE1/0/1
FC00::1/64 2002::1/64
GE1/0/1
GE1/0/1 2002::2/64
SwitchC
GE1/0/3
Switch Internet
2003::2/64
2001::2/64
FC00::3/64
GE1/0/1
GE1/0/2 2001::1/64
FC00::2/64SwitchB
Backup
SwitchA GE1/0/1 VLANIF 300 2002::1/64

GE1/0/2 VLANIF 100 FC00::1/64
SwitchB GE1/0/1 VLANIF 200 2001::1/64
GE1/0/2 VLANIF 100 FC00::2/64
SwitchC GE1/0/1 VLANIF 300 2002::2/64
GE1/0/2 VLANIF 200 2001::2/64
GE1/0/3 VLANIF 400 2003::2/64
2. Configure a VRRP6 group on SwitchA and SwitchB, set a higher priority for
preemption delay to 20s on SwitchA, and set a lower priority for SwitchB so
that SwitchB functions as the backup.
Procedure
# Configure VLANs that each interface belongs to. SwitchA is used as an example.
The configurations of SwitchB and SwitchC are similar to the configuration of
SwitchA, and are not mentioned here. For details, see the configuration files.

[SwitchA] ipv6
[SwitchA-Vlanif100] ipv6 enable
[SwitchA-Vlanif100] ipv6 address FC00::1 64
[SwitchA-Vlanif300] ipv6 address 2002::1 64

[Switch] vlan 100
# Configure OSPFv3 between SwitchA, SwitchB, and SwitchC. SwitchA is used as

an example. The configurations of SwitchB and SwitchC are similar to the
[SwitchA] ospfv3
[SwitchA-ospfv3-1] router-id 1.1.1.1
[SwitchA-ospfv3-1] quit
[SwitchA-Vlanif100] ospfv3 1 area 0
Step 2 Configure VRRP6 groups.

# Configure VRRP6 group 1 on SwitchA, and set the priority of SwitchA to 120 and
[SwitchA-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::1 link-local
[SwitchA-Vlanif100] vrrp6 vrid 1 virtual-ip FC00::100
[SwitchA-Vlanif100] vrrp6 vrid 1 priority 120
[SwitchA-Vlanif100] vrrp6 vrid 1 preempt-mode timer delay 20
# Configure VRRP6 group 1 on SwitchB, and set the default priority of 100 for
SwitchB.
[SwitchB-Vlanif100] vrrp6 vrid 1 virtual-ip FE80::1 link-local
[SwitchB-Vlanif100] vrrp6 vrid 1 virtual-ip FC00::100

# After the configuration is complete, run the display vrrp6 command on SwitchA
state.
[SwitchA] display vrrp6
State : Master
Virtual IP : FE80::1
FC00::100
Master IP : FE80::218:82FF:FED3:2AF3
PriorityRun : 120
TimerRun : 100 cs
TimerConfig : 100 cs
Virtual MAC : 0000-5e00-0201
Check hop limit : YES


Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
[SwitchB] display vrrp6
State : Backup
FC00::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the display vrrp6 command on SwitchA and SwitchB. You can see that
SwitchA is in Initialize state and SwitchB is in Master state.
State : Initialize
FC00::100
Master IP : ::
PriorityRun : 120
MasterPriority : 0
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
State : Master
FC00::100
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46


# After 20s, run the display vrrp6 command on SwitchA and SwitchB. You can see
that SwitchA is in Master state and SwitchB is in Backup state.
State : Master
FC00::100
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
State : Backup
FC00::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 300
#
ospfv3 1
router-id 1.1.1.1
#
interface Vlanif100
ipv6 enable
ipv6 address FC00::1/64
ospfv3 1 area 0.0.0.0
vrrp6 vrid 1 virtual-ip FE80::1 link-local
vrrp6 vrid 1 virtual-ip FC00::100
vrrp6 vrid 1 priority 120
vrrp6 vrid 1 preempt-mode timer delay 20

#
interface Vlanif300
ipv6 enable
ipv6 address 2002::1/64
#
#
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
ospfv3 1
router-id 2.2.2.2
#
interface Vlanif100
ipv6 enable
#
interface Vlanif200
ipv6 enable
#
#
#
return
#
sysname SwitchC
#
ipv6
#
#
ospfv3 1
router-id 3.3.3.3
#
interface Vlanif200
ipv6 enable
#
interface Vlanif300
ipv6 enable


#
interface Vlanif400
ipv6 enable
#
#
#
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
3.9.10 Example for Configuring a VRRP6 Group in Load

Balancing Mode
In Figure 3-23, HostA and HostC are dual-homed to SwitchA and SwitchB through
the switch on the IPv6 network. To reduce the load of data traffic on SwitchA,
HostA uses SwitchA as the default gateway to connect to the Internet, and
SwitchB functions as the backup gateway. HostC uses SwitchB as the default
gateway to connect to the Internet, and SwitchA functions as the backup gateway.
This implements load balancing.

Figure 3-23 Networking diagram for a VRRP6 group in load balancing mode
VRRP6 VRID 1
FC00::100/64 VRID 1: Master
VRID 2: Backup
HostA GE1/0/1
FC00::3/64 2002::1/64
GE1/0/2 GE1/0/1
GE1/0/1 FC00::1/64 2002::2/64
Switch GE1/0/3 Internet
SwitchC
2003::2/64
GE1/0/2 GE1/0/2 GE1/0/2
FC00::2/64 2001::2/64
HostC GE1/0/1
FC00::4/64 2001::1/64
SwitchB
VRID 1: Backup
VRID 2: Master
VRRP6 VRID 2
Virtual IP address:
FC00::60/64
GE1/0/2 VLANIF 100 FC00::1/64
GE1/0/2 VLANIF 100 FC00::2/64
GE1/0/2 VLANIF 200 2001::2/64
GE1/0/3 VLANIF 400 2003::2/64

2. Create VRRP6 groups 1 and 2 on SwitchA and SwitchB. In VRRP6 group 1,
configure SwitchA as the master and SwitchB as the backup. In VRRP6 group
2, configure SwitchB as the master and SwitchA as the backup.
Procedure


[SwitchA] ipv6

[Switch] vlan 100

[SwitchA] ospfv3
Step 2 Configure VRRP6 groups.

# Configure VRRP6 group 1 on SwitchA and SwitchB, set the priority of SwitchA to
120 and the preemption delay to 20s, and set the default priority for SwitchB.


# Configure VRRP6 group 2 on SwitchA and SwitchB, set the priority of SwitchB to
120 and the preemption delay to 20s, and set the default priority for SwitchA.
[SwitchB-Vlanif100] vrrp6 vrid 2 priority 120
[SwitchB-Vlanif100] vrrp6 vrid 2 preempt-mode timer delay 20

# After the configuration is complete, run the display vrrp6 command on
SwitchA. You can see that SwitchA is the master in VRRP6 group 1 and the backup
in VRRP6 group 2.
State : Master
FC00::100
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

State : Backup
FC00::60
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0202
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
# After the configuration is complete, run the display vrrp6 command on

SwitchB. You can see that SwitchB is the backup in VRRP6 group 1 and the master
in VRRP6 group 2.


State : Backup
FC00::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

State : Master
FC00::60
Master IP : FE80::218:82FF:FE68:7455
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0202
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 300
#
ospfv3 1
router-id 1.1.1.1
#
interface Vlanif100
ipv6 enable
#
interface Vlanif300
ipv6 enable

#
#
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
ospfv3 1
router-id 2.2.2.2
#
interface Vlanif100
ipv6 enable
#
interface Vlanif200
ipv6 enable
#
#
#
return
#
sysname SwitchC
#
ipv6
#
#
ospfv3 1
router-id 3.3.3.3
#
interface Vlanif200
ipv6 enable
#
interface Vlanif300
ipv6 enable

#
interface Vlanif400
ipv6 enable
#
#
#
#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
3.9.11 Example for Configuring Association Between VRRP6

and BFD to Implement a Rapid Active/Standby Switchover
In Figure 3-24, HostA on the IPv6 network is dual-homed to SwitchA and SwitchB
through the switch. A VRRP6 group is established on SwitchA and SwitchB, and
SwitchA is the master.
When SwitchA or a link between SwitchA and SwitchB becomes faulty, VRRP6
Advertisement packet negotiation takes time. To implement a rapid active/standby
switchover, deploy a BFD session on the link and associate the VRRP6 group with
the BFD session. When the primary interface on the master or the link fails, the
BFD session rapidly detects the fault and notifies the VRRP6 group of it. After
receiving the notification, the VRRP6 group performs a rapid active/standby
switchover. The backup becomes the Master and takes over traffic. This reduces
the impact of the fault on service transmission.

standby switchover
VRRP6 VRID 1
FC00::100/64 GE1/0/2 Master
GE1/0/1
FC00::1/64 2002::1/64
GE1/0/1
GE1/0/1 2002::2/64
GE1/0/3
Switch SwitchC Internet
2003::2/64
2001::2/64
FC00::3/64
GE1/0/1
GE1/0/2 2001::1/64
FC00::2/64SwitchB
BFD packets
Backup
GE1/0/2 VLANIF 100 FC00::1/64

10.1.1.1/24
GE1/0/2 VLANIF 100 FC00::2/64

10.1.1.2/24
GE1/0/2 VLANIF 200 2001::2/64
GE1/0/3 VLANIF 400 2003::2/64
Association between a VRRP6 group and a BFD session is used to implement a
rapid active/standby switchover. The configuration roadmap is as follows:

2. Configure a VRRP6 group on SwitchA and SwitchB. SwitchA functions as the
master, its priority is 120, and the preemption delay is 20s. SwitchB functions
as the backup and uses the default priority.
3. Configure a static BFD session on SwitchA and SwitchB to monitor the link of
the VRRP6 group.

4. Configure association between VRRP6 and BFD on SwitchB to implement a

rapid active/standby switchover when the link is faulty.
Procedure

[SwitchA] ipv6

[Switch] vlan 100

[SwitchA] ospfv3


Step 2 Configure a VRRP6 group.
# Configure VRRP6 group 1 on SwitchA, and set the priority of SwitchA to 120 and
# Configure VRRP6 group 1 on SwitchB. SwitchB uses default value 100.

Step 3 Configure a static BFD session.
# Create a BFD session on SwitchA.

[SwitchA] bfd
[SwitchA-bfd] quit
[SwitchA] bfd atob bind peer-ip 10.1.1.2 interface vlanif 100
[SwitchA-bfd-session-atob] discriminator local 1
[SwitchA-bfd-session-atob] discriminator remote 2
[SwitchA-bfd-session-atob] min-rx-interval 100
[SwitchA-bfd-session-atob] min-tx-interval 100
[SwitchA-bfd-session-atob] commit
[SwitchA-bfd-session-atob] quit
# Create a BFD session on SwitchB.

[SwitchB] bfd
[SwitchB-bfd] quit
[SwitchB] bfd btoa bind peer-ip 10.1.1.1 interface vlanif 100
[SwitchB-bfd-session-btoa] discriminator local 2
[SwitchB-bfd-session-btoa] discriminator remote 1
[SwitchB-bfd-session-btoa] min-rx-interval 100
[SwitchB-bfd-session-btoa] min-tx-interval 100
[SwitchB-bfd-session-btoa] commit
[SwitchB-bfd-session-btoa] quit
# Run the display bfd session command on SwitchA and SwitchB. You can see
that the BFD session is Up. The display on SwitchA is used as an example.
[SwitchA] display bfd session all
--------------------------------------------------------------------------------
Local Remote PeerIpAddr State Type InterfaceName
--------------------------------------------------------------------------------
1 2 10.1.1.2 Up S_IP_IF Vlanif100
--------------------------------------------------------------------------------
Total UP/DOWN Session Number : 1/0
Step 4 Associate BFD with VRRP6.
# Configure association between VRRP6 and BFD on SwitchB. When the BFD
session becomes Down, the priority of SwitchB increases by 40.
[SwitchB-Vlanif100] vrrp6 vrid 1 track bfd-session 2 increased 40

# After the configuration is complete, run the display vrrp6 command on SwitchA
and SwitchB. SwitchA is the master, SwitchB is the backup, and the associated BFD
session is in Up state.
State : Master
FC00::100
Master IP : FE80::200:AFF:FE88:158D
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
State : Backup
FC00::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# Run the display vrrp6 command on SwitchA and SwitchB. You can see that
SwitchA is in Initialize state, SwitchB becomes the master, and the associated BFD
session becomes Down.
State : Initialize
FC00::100
Master IP : ::
PriorityRun : 120
MasterPriority : 0
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201


Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
State : Master
FC00::100
Master IP : FE80::121B:54FF:FE98:D3B0
PriorityRun : 140
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
BFD-session state : DOWN
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46

# After 20s, run the display vrrp6 command on SwitchA and SwitchB. You can see
associated BFD session is in Up state.
State : Master
FC00::100
PriorityRun : 120
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201
Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
State : Backup
FC00::100
PriorityRun : 100
TimerRun : 100 cs
Virtual MAC : 0000-5e00-0201

Create time : 2012-01-12 20:15:46
Last change time : 2012-01-12 20:15:46
----End
Configuration Files
#
sysname SwitchA
#
ipv6
#
vlan batch 100 300
#
bfd
#
ospfv3 1
router-id 1.1.1.1
#
interface Vlanif100
ipv6 enable
ip address 10.1.1.1 255.255.255.0
#
interface Vlanif300
ipv6 enable
#
#
#
bfd atob bind peer-ip 10.1.1.2 interface Vlanif100
min-tx-interval 100
min-rx-interval 100
commit
#
return
#
sysname SwitchB
#
ipv6
#
vlan batch 100 200
#
bfd
#
ospfv3 1

router-id 2.2.2.2
#
interface Vlanif100
ipv6 enable
ip address 10.1.1.2 255.255.255.0
vrrp6 vrid 1 track bfd-session 2 increased 40
#
interface Vlanif200
ipv6 enable
#
#
#
bfd btoa bind peer-ip 10.1.1.1 interface Vlanif100
min-tx-interval 100
min-rx-interval 100
commit
#
return
#
sysname SwitchC
#
ipv6
#
#
ospfv3 1
router-id 3.3.3.3
#
interface Vlanif200
ipv6 enable
#
interface Vlanif300
ipv6 enable
#
interface Vlanif400
ipv6 enable
#
#
#


#
return

#
sysname Switch
#
vlan batch 100
#
#
#
return
3.10 Common Configuration Errors
3.10.1 Multiple Masters Coexist in a VRRP Group
Fault Description
Multiple masters exist in a VRRP group.
Procedure
Step 1 Ping masters to check network connectivity between masters.
● If the ping operation fails, check whether the network connection is correct.
● If the ping operation is successful and the TTL value of the ping packet is 255,
go to step 2.
Step 2 Run the display vrrp protocol-information command in any view to check
whether the VRRP version on each master is compatible with the mode in which
VRRP Advertisement packets are sent.
● If the version is incompatible with the mode, run the vrrp version { v2 | v3 }
command in the system view to change the version.
● If the version is compatible with the mode, go to step 3.
● A VRRPv2 group can only send and receive VRRPv2 Advertisement packets, and discards
the received VRRPv3 Advertisement packets.
● A VRRPv3 group can send and receive both VRRPv2 and VRRPv3 Advertisement packets.
You can configure the mode in which VRRPv3 Advertisement packets are sent as v2-
only, v3-only, or v2v3-both.
Step 3 Run the display vrrp virtual-router-id command in any view to check whether the
masters use the same virtual IP address, interval at which VRRP Advertisement
packets are sent, authentication mode, and authentication key.

● If the configured virtual IP addresses are different, run the vrrp vrid virtual-
router-id virtual-ip virtual-address command to set the same virtual IP
address.
● If the intervals are different, run the vrrp vrid virtual-router-id timer
advertise advertise-interval command to set the same interval.
● If the authentication modes and keys are different, run the vrrp vrid virtual-
router-id authentication-mode { simple { key | plain key | cipher cipher-
key } | md5 md5-key } command to set the same authentication mode and
key.
To ensure security, you are advised to use MD5 authentication.
----End
3.10.2 VRRP Group Status Changes Frequently
Fault Description
The VRRP group status changes frequently.
Procedure
Step 1 Run the display vrrp virtual-router-id command in any view to check whether the
VRRP group is associated with an interface or a BFD session.
● If the VRRP group is associated with the interface or a BFD session, flapping
of the interface or a BFD session causes VRRP group status flapping. Rectify
the fault on the associated module.
● If association is not configured, go to step 2.
Step 2 Run the display vrrp virtual-router-id command in any view to check the
preemption delay of the VRRP group.
● If the preemption delay is 0, run the vrrp vrid virtual-router-id preempt-
mode timer delay delay-value command in the view of the interface where
the VRRP group is configured to set the nonzero preemption delay.
● If the preemption is not 0, go to step 3.
Step 3 Run the vrrp vrid virtual-router-id timer advertise advertise-interval command in
the view of the interface where the VRRP group is configured to set a larger
interval at which VRRP Advertisement packets are sent, or run the vrrp vrid
virtual-router-id preempt-mode timer delay delay-value command to set a larger
preemption delay.
----End
3.10.3 A Downstream Device Cannot Ping the Virtual IP

Address of a VRRP Group

Fault Symptom
A downstream device cannot ping the virtual IP address of a VRRP group.
Procedure
Step 1 Check whether ping to the virtual IP address of the VRRP group is enabled.
By default, the master is enabled to respond to ping packets. If this function is
disabled, a downstream device cannot ping the virtual IP address of a VRRP group.
Run the display current-configuration command in any view of the master to
check whether the undo vrrp virtual-ip ping enable command is used. If the
undo vrrp virtual-ip ping enable command is used, run the vrrp virtual-ip ping
enable command in the system view to enable ping to the virtual IP address of a
VRRP group.
----End
3.11 FAQ
3.11.1 How Does the Master/Slave Switchover Work in VRRP
on the switch?
You can set the VRRP priority when configuring a VRRP group. The switch of the
highest priority functions as the master switch, and the switches of lower priorities
function as the standby switches. If the master switch is Down, a standby switch
functions as a master switch.
● The VRRP preemption mode is as follows:
– If VRRP preemption is disabled, once a switch functions as a master
switch in the VRRP standby group, other switches cannot become a
master switch even if they are configured with higher priorities. If the
master switch is faulty, a standby switch can become the master one.
– If VRRP preemption is enabled, once a switch finds that its priority is
higher than that of the current master switch, it becomes the master
switch, and the previous master switch accordingly becomes a standby
switch.
By default, VRRP preemption is enabled and the delay is 0.
● The VRRP can track the specified interface.
If a tracked interface is down, the priority of the switch is reduced by a certain
value (value-reduced). In this case, the priority of this switch will become
lower than the priorities of other switches. Then, the switch of the highest
priority becomes the master switch. The switch can track VLANIF interfaces
and physical interfaces. If a VLANIF interface consists of multiple interfaces,
the priority of the VLANIF interface is not reduced as long as one interface is
Up.
● VRRP tracking BFD session:
When the tracked BFD session goes Down on a switch, the priority of the
switch increases or decreases (depending on the configuration), triggering re-
election of the master. The switch with a higher priority becomes the master.

3.11.2 Can Physical Interfaces Be Configured as Monitored

Interfaces of a VRRP Group?
Certain physical interfaces can be configured as monitored interfaces of a VRRP
group. A maximum of eight interfaces can be tracked.
3.11.3 How Can I Adjust the Interval Between Gratuitous ARP

Packets Sent from a VRRP Group?
By default, the master router in a VRRP group sends a gratuitous ARP packet every
2 minutes. You can use the vrrp gratuitous-arp timeout command to change the
interval at which gratuitous ARP packets are sent.
The interval configured by the vrrp gratuitous-arp timeout command takes effect globally.
Currently, the interval cannot be configured for a single VRRP group.
3.11.4 Why VRRP Heartbeat Packets Cannot Be Transmitted

Normally When a VRRP Group Is Configured in a Super-VLAN?
By default, VRRP Advertisement packets of a super-VLAN are sent only to the sub-
VLAN that has the smallest VLAN ID among all the sub-VLANs in Up state. You
use the vrrp advertise send-mode command to cancel or configure the mode in
which VRRP Advertisement packets of a super-VLAN are sent.
3.11.5 How Is the VRRP Status Negotiated When the Same

Priority Is Set for Devices in the VRRP Group?
When devices in the VRRP group use the same priority:
● If the VRRP master and slave are determined, the VRRP status is not
negotiated again.
● If two masters exist before devices in the VRRP group exchange heartbeat
packets, the VRRP status is negotiated as follows:
If the source IP address of a received heartbeat packet on the local end is
larger than the primary IP address of the interface, the local device switches
to the Backup state. Otherwise, the local end discards the heartbeat packet
and retains in Master state.
3.11.6 How Do I Enable the Ping to the Virtual IP Address?

By default, the ping to the virtual IP address is enabled. After the ping to the
virtual IP address is disabled, you can run the vrrp virtual-ip ping enable
command to enable the ping to the virtual IP address.
3.11.7 How Are VRRP Heartbeat Packets Sent in a Super-

VLAN?

You can use the vrrp advertise send-mode command to configure the mode in
which VRRP heartbeat packets are sent in a super-VLAN. To reduce the number of
VRRP heartbeat packets on the Layer 2 network, configure the device to send
VRRP heartbeat packets in all sub-VLANs or a specified sub-VLAN.
3.11.8 Why Does MAC Address Triggered ARP Entry Update

Need to Be Configured When Devices of a VRRP Group
Connect to Servers
On the Ethernet, MAC address entries are used to guide Layer 2 data forwarding.
The ARP entries that define the mapping between IP addresses and MAC
addresses guide communication between devices on different network segments.
In a scenario where devices of a VRRP group connect to servers, the outbound
interface in a MAC address entry is updated by packets, whereas that in an ARP
entry is updated after the aging time is reached. In this case, the outbound
interfaces in the MAC address entry and ARP entry may be different. To address
this issue, run the mac-address update arp command to enable the MAC address
triggered ARP entry update function. In Figure 3-25, SwitchA and SwitchB
function as gateways of the server and have VRRP enabled to enhance reliability.
VRRP packets are transmitted on the directly connected link between the two
switches. When the server sends packets, only one network interface is selected to
forward packets. When a network fault or traffic exception is detected, another
network interface is used.
● SwitchA functions as the master device and the server uses Port1 to send
packets. SwitchA learns the ARP entry and MAC entry on Port1, and SwitchB
learns the server MAC address on Port2.
● When the server detects that Port1 is faulty, the server uses Port2 to forward
service packets. SwitchA learns the server MAC address on Port2. If the server
does not send an ARP Request packet to SwitchA, SwitchA still learns the ARP
entry on Port1. In this case, packets sent from SwitchA to the server are
forwarded through Port1 until the ARP entry is aged out.
To solve the problem, configure MAC address triggered ARP entry update. This
function enables the device to update the corresponding ARP entry when the
outbound interface in a MAC address entry changes.

Figure 3-25 Networking for configuring MAC address triggered ARP entry update
when a VRRP active/backup switchover is performed
SwitchA(VRRP Master) SwitchB(VRRP Backup)
Port2 Port2
Port1 Port1
Port1 Port2
Server
MAC address triggered ARP entry update is disabled by default. You can run the
mac-address update arp command to enable MAC address triggered ARP entry
update.
3.11.9 Can a VRRP-enabled Switch Interwork with a Non-

Huawei Device?
VRRP complies with standards. A VRRP-enabled switch can interwork with a non-
Huawei device.

01-03 VRRP Configuration

Uploaded by

Document Information

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

01-03 VRRP Configuration

Uploaded by

Copyright:

Available Formats

S9300 and S9300E Series Switches

Configuration Guide - Reliability 3 VRRP Configuration

About This Chapter

3.1 Introduction to VRRP

3.1 Introduction to VRRP

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 77

3.2.1 Basic Concepts of VRRP

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 78

Figure 3-1 VRRP group

Switch Virtual Router

HostA VRRP VRID 1

As shown in Figure 3-1, VRRP involves the following entities:

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 79

3.2.2 VRRPv2 and VRRPv3 Advertisement Packets

VRRPv2 and VRRPv3 Advertisement Packet Formats

Figure 3-2 Format of a VRRPv2 Advertisement packet

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 80

Figure 3-3 Format of a VRRPv3 Advertisement packet

(rsvd) Max Adver Int Checksum

Table 3-1 describes fields in a VRRP Advertisement packet.

Table 3-1 Description of fields in a VRRP Advertisement packet

Version VRRP protocol version. The VRRP protocol version. The

Type VRRP Advertisement packet VRRP Advertisement packet

Priority Priority of the master in a VRRP Priority of the master in a VRRP

Count IP Number of virtual IPv4 Number of virtual IPv4 or IPv6

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 81

Auth Type Authentication mode. There are -

Adver Interval at which VRRP Interval at which VRRP

Checksum 16-bit checksum, which is used 16-bit checksum, which is used

Authenticat Authentication key. This field is -

rsvd - Reserved. This field has a fixed

VRRPv2 and VRRPv3 have the following differences:

VRRPv2 reserves the authentication field in VRRP Advertisement packets to be

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 82

3.2.3 VRRP Implementation

Table 3-2 VRRP statuses

Initialize VRRP is unavailable. The device in Initialize state cannot

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 83

Master The VRRP device in Master state performs the following

Backup The VRRP device in Backup state performs the following

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 84

VRRP Working Process

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 85

– If the master priority in VRRP Advertisement packets is lower than the

3.2.4 Basic VRRP Functions

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 86

After SwitchA recovers, it becomes the master in preemption mode or remains in

Figure 3-4 VRRP active/standby

SwitchC Data flow1

On the network shown in Figure 3-4:

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 87

Advertisement packets to SwitchB and SwitchC, notifying them that the

3.2.4.2 VRRP Load Balancing

3.2.4.3 VRRP Smooth Switching

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 88

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 89

Figure 3-5 mVRRP networking

3.2.6 VRRP Association

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 90

VRRP Monitoring the Status of the Interface Connected to the Uplink

HostB SwitchB SwitchD

HostB SwitchB SwitchD

As shown in Figure 3-6, a VRRP group is configured between SwitchA and

Issue 10 (2020-04-15) Copyright © Huawei Technologies Co., Ltd. 91