Chapter 1 VRRP Configuration Commands
1.1 VRRP Configuration Commands
Note:
You can also use the following commands at the SecBlade_VPN prompt.
1.1.1 debugging vrrp
Syntax
debugging vrrp { packet | state }
undo debugging vrrp { packet | state }
View
User view
Parameter
packet: Enables VRRP packet debugging.
state: Enables VRRP state debugging.
Description
Use the debugging vrrp command to enable VRRP debugging.
Use the undo debugging vrrp command to disable VRRP debugging.
By default, VRRP debugging is disabled.
Example
# Enable VRRP packet debugging.
[SecBlade_FW] debugging vrrp packet
1.1.2 display vrrp
Syntax
display vrrp [ interface type number [ virtual-router-ID ] ]
View
Any view
Parameter
interface type number: Specifies an interface type and interface number.
virtual-router-ID: Standby group number.
Description
Use the display vrrp command to view current configuration and state information about VRRP.
If neither the interface nor the standby group number is specified, the state information about all the standby groups is displayed. If only the interface is specified, the state information about all the standby groups on the specified interface is displayed. If both arguments are specified, the state information about the specified standby group is displayed.
Example
# Display information about all standby groups.
<SecBlade_FW> display vrrp
Virtual Ip Ping : Disable
GigabitEthernet0/0.1 | Virtual Router 1
state : Initialize
Virtual IP : 22.2.2.2
Config Priority : 100
Run Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NONE
GigabitEthernet0/0.2 | Virtual Router 1
state : Initialize
Virtual IP : 1.1.11.1
Config Priority : 100
Run Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
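A way to audit this output for standby groups running without authentication, as an added Python example (not part of the original manual or of H3C tooling). The function names are hypothetical and the sample text is the output shown above; other Auth Type values are left unjudged because the manual does not show how they are displayed.

```python
import re

# Constructed sample: the `display vrrp` output from the example above.
SAMPLE = """\
Virtual Ip Ping : Disable
GigabitEthernet0/0.1 | Virtual Router 1
state : Initialize
Virtual IP : 22.2.2.2
Config Priority : 100
Run Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
Auth Type : NONE
GigabitEthernet0/0.2 | Virtual Router 1
state : Initialize
Virtual IP : 1.1.11.1
Config Priority : 100
Run Priority : 100
Preempt : YES Delay Time : 0
Timer : 1
"""

GROUP = re.compile(r"^(\S+)\s*\|\s*Virtual Router\s+(\d+)$")
FIELD = re.compile(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)")  # also splits "Preempt : YES Delay Time : 0"

def parse_display_vrrp(text):
    """Return one dict per standby group; lines before the first group are skipped."""
    groups, current = [], None
    for line in text.splitlines():
        header = GROUP.match(line.strip())
        if header:
            current = {"interface": header.group(1), "vrid": int(header.group(2))}
            groups.append(current)
        elif current is not None:
            current.update(FIELD.findall(line))
    return groups

def auth_findings(groups):
    """Flag groups shown with Auth Type NONE, or with no Auth Type line at all."""
    findings = []
    for g in groups:
        auth = g.get("Auth Type")
        if auth is None:
            findings.append((g["interface"], g["vrid"], "auth type not shown"))
        elif auth.upper() == "NONE":
            findings.append((g["interface"], g["vrid"], "authentication disabled"))
    return findings
```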
1.1.3 vrrp authentication-mode
Syntax
vrrp authentication-mode { md5 key | simple key }
undo vrrp authentication-mode
View
Interface view
Parameter
simple: Adopts plain text authentication.
md5: Adopts ciphertext authentication using the MD5 algorithm.
key: Authentication key. When the simple keyword is specified, the authentication key is in plain text of 1 to 8 characters. When the md5 keyword is specified, the authentication key is in MD5 ciphertext and the length of the key depends on its input format. If the key is input in plain text, it is of 1 to 8 characters, such as 1234567; if the key is input in ciphertext, it must be of 24 encrypted characters, such as _(TT8F]Y\5SQ=^Q`MAF4<1!!.
Description
Use the vrrp authentication-mode command to configure the authentication type and authentication key for the VRRP standby groups on the interface.
Use the undo vrrp authentication-mode command to disable authentication in the VRRP standby groups on the interface.
By default, authentication is disabled.
With this command, all standby groups on the interface share the same authentication type and authentication key.
Note that the members of the same standby group must use the same authentication type and authentication key.
The authentication key is case sensitive.
Example
# Set the authentication type and authentication key for all the VRRP standby groups on the sub-interface GigabitEthernet0/0.1.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp authentication-mode simple aabbcc
1.1.4 vrrp ping-enable
Syntax
vrrp ping-enable
undo vrrp ping-enable
View
System view
Parameter
None
Description
Use the vrrp ping-enable command to allow the virtual IP addresses of standby groups to be pinged.
Use the undo vrrp ping-enable command to prevent the virtual IP addresses of standby groups from being pinged.
By default, the virtual IP addresses of standby groups cannot be pinged.
Note that you must configure this command before creating standby groups. Once a standby group is created, you cannot use this command and its undo form.
Example
# Allow the virtual IP addresses of standby groups to be pinged.
[SecBlade_FW] vrrp ping-enable
1.1.5 vrrp un-check ttl
Syntax
vrrp un-check ttl
undo vrrp un-check ttl
View
Interface view
Parameter
None
Description
Use the vrrp un-check ttl command to disable time to live (TTL) check for VRRP packets.
Use the undo vrrp un-check ttl command to enable TTL check for VRRP packets.
As specified in the VRRP protocol, the TTL value of VRRP packets must be 255. If the backup security gateway detects that the TTL value of a packet is not 255, it drops the packet.
By default, TTL check is enabled for VRRP packets.
Example
# Disable TTL check for VRRP packets.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp un-check ttl
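The receive-side checks behind the TTL check above and behind vrrp authentication-mode simple in 1.1.3, sketched in Python as an added example (not H3C code and not from the original manual). It assumes the VRRPv2 advertisement layout of RFC 2338, whose 8-byte Authentication Data field matches the 1 to 8 character key limit; the function names and the sample packet are constructed for illustration, and md5 mode is not modeled.

```python
import hmac
import struct

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum (RFC 1071) over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, vips, auth_type=0, key=b"", adver_int=1):
    """Build a constructed VRRPv2 advertisement for testing (never sent)."""
    addrs = b"".join(bytes(int(o) for o in ip.split(".")) for ip in vips)
    auth = key.ljust(8, b"\x00")          # Authentication Data: 8 bytes
    head = struct.pack("!BBBBBB", 0x21, vrid, priority, len(vips),
                       auth_type, adver_int)
    csum = inet_checksum(head + b"\x00\x00" + addrs + auth)
    return head + struct.pack("!H", csum) + addrs + auth

def accept_advert(ip_ttl, pkt, vrid, auth_type, key=b"", check_ttl=True):
    """Return (accepted, reason) for one received advertisement."""
    if check_ttl and ip_ttl != 255:       # skipped after `vrrp un-check ttl`
        return False, "ttl"
    if len(pkt) < 16:
        return False, "length"
    ver_type, p_vrid, _prio, count, p_auth, _adv = struct.unpack("!6B", pkt[:6])
    if ver_type != 0x21:                  # version 2, type 1 (advertisement)
        return False, "version"
    if len(pkt) != 16 + 4 * count:
        return False, "length"
    if inet_checksum(pkt) != 0:           # a valid message sums to zero
        return False, "checksum"
    if p_vrid != vrid:
        return False, "vrid"
    if p_auth != auth_type:               # members must share the auth type
        return False, "auth-type"
    if auth_type == 1 and not hmac.compare_digest(pkt[-8:], key.ljust(8, b"\x00")):
        return False, "auth-key"          # byte compare, so case sensitive
    return True, "ok"
```

In simple mode the key sits unencrypted in the last 8 bytes of every advertisement, so it guards against misconfigured neighbors rather than against anyone who can read traffic on the segment.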
1.1.6 vrrp vrid preempt-mode
Syntax
vrrp vrid virtual-router-ID preempt-mode [ timer delay delay-value ]
undo vrrp vrid virtual-router-ID preempt-mode
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
delay-value: Preemption delay in seconds, in the range of 0 to 255. By default, the preemption mode is adopted, and the delay-value argument is 0.
Description
Use the vrrp vrid preempt-mode command to enable the preemption mode on the security gateway and configure the preemption delay in the specified standby group.
Use the undo vrrp vrid preempt-mode command to disable the preemption mode on the security gateway in the specified standby group.
To allow a backup security gateway with a higher priority in a standby group to preempt the current master, you must enable the preemption mode on it. If immediate preemption is not desired, you can set a preemption delay. The delay is automatically set to 0 seconds when the preemption mode is disabled.
By default, the preemption mode is adopted with the delay of 0 seconds.
Example
# Enable preemption on the security gateway in standby group 1.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode
# Set the preemption delay to five seconds.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 preempt-mode timer delay 5
# Disable preemption on the security gateway in standby group 1.
[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 preempt-mode
1.1.7 vrrp vrid priority
Syntax
vrrp vrid virtual-router-ID priority priority-value
undo vrrp vrid virtual-router-ID priority
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
priority-value: Priority value, in the range 1 to 254.
Description
Use the vrrp vrid priority command to configure the priority of the security gateway in the specified standby group.
Use the undo vrrp vrid priority command to restore the default.
In VRRP, the role that a SecBlade card plays in a standby group depends on its priority. A higher priority means that the security gateway is more likely to become the master. Note that priority 0 is reserved for special use and 255 for the IP address owner.
By default, the priority is 100.
Example
# Set the priority of the security gateway in standby group 1 to 150.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 priority 150
1.1.8 vrrp vrid timer advertise
Syntax
vrrp vrid virtual-router-ID timer advertise adver-interval
undo vrrp vrid virtual-router-ID timer advertise
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
adver-interval: Interval at which the master in the specified standby group sends VRRP packets. It is in the range of 1 to 255 in seconds.
Description
Use the vrrp vrid timer advertise command to configure the Adver_Interval of the specified standby group.
Use the undo vrrp vrid timer advertise command to restore the default.
The Adver_Interval controls the interval at which the master sends VRRP packets.
By default, the value of the timer is 1 second.
Example
# Set the master in standby group 1 to send VRRP packets at the interval of five seconds.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 timer advertise 5
1.1.9 vrrp vrid track
Syntax
vrrp vrid virtual-router-ID track interface-type interface-number [ reduced priority-reduced ]
undo vrrp vrid virtual-router-ID track [ interface-type interface-number ]
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
interface-type interface-number: Interface to be tracked.
priority-reduced: Value by which the priority is reduced. It is in the range of 1 to 255.
Description
Use the vrrp vrid track command to configure the interface to be tracked.
Use the undo vrrp vrid track command to disable tracking the specified interface.
The interface tracking function expands the backup functionality of VRRP. It provides backup not only when a security gateway fails but also when a network interface goes down.
When the monitored interface specified in this command goes down, the priority of the security gateway owning this interface is automatically decreased by the value specified by priority-reduced, allowing a higher priority member in the standby group to take over as the master. When the security gateway is the IP address owner, however, you cannot configure interface tracking on it.
By default, the priority is reduced by 10.
Example
# Track the GigabitEthernet0/0.300 sub-interface in standby group 1 and reduce the priority by 50 when it goes down.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 track GigabitEthernet0/0.300 reduced 50
# Disable the tracking of the GigabitEthernet0/0.300 sub-interface.
[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 track GigabitEthernet0/0.300
1.1.10 vrrp vrid virtual-ip
Syntax
vrrp vrid virtual-router-ID virtual-ip virtual-address
undo vrrp vrid virtual-router-ID virtual-ip [ virtual-address ]
View
Interface view
Parameter
virtual-router-ID: VRRP standby group number, in the range of 1 to 255.
virtual-address: Virtual IP address.
Description
Use the vrrp vrid virtual-ip command to create a standby group and add a virtual IP address to it. You can add up to 16 virtual IP addresses to a standby group.
Use the undo vrrp vrid virtual-router-ID virtual-ip command to remove a standby group.
Use the undo vrrp vrid virtual-router-ID virtual-ip virtual-address command to delete a virtual IP address from the specified standby group.
The system removes a standby group after you delete all the virtual IP addresses in it.
By default, no standby group exists.
Example
# Create a standby group.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.10
# Add a virtual IP address to the existing standby group.
[SecBlade_FW-GigabitEthernet0/0.1] vrrp vrid 1 virtual-ip 10.10.10.11
# Delete a virtual IP address.
[SecBlade_FW-GigabitEthernet0/0.1] undo vrrp vrid 1 virtual-ip 10.10.10.10