HP Unified Wired-WLAN Products
High Availability Configuration Guide

HP 830 Unified Wired-WLAN PoE+ Switch Series
HP 850 Unified Wired-WLAN Appliance
HP 870 Unified Wired-WLAN Appliance
HP 11900/10500/7500 20G Unified Wired-WLAN Module

Part number: 5998-4785
Software version:
3507P22 (HP 830 PoE+ Switch Series)
2607P22 (HP 850 Appliance)
2607P22 (HP 870 Appliance)
2507P22 (HP 11900/10500/7500 20G Module)
Document version: 6W101-20140418
Legal and notice information © Copyright 2014 Hewlett-Packard Development Company, L.P. No part of this documentation may be reproduced or transmitted in any form or by any means without prior written consent of Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Contents
High availability overview
Availability requirements
Availability evaluation
Associating Track with VRRP
Associating Track with static routing
Associating Track with WLAN uplink detection
Displaying and maintaining track entries
High availability overview

Because communication interruptions can seriously affect widely-deployed, value-added services such as IPTV and video conference, basic network infrastructures must be able to provide high availability. The following are the effective ways to improve availability:
• Increasing fault tolerance.
• Speeding up fault recovery.
• Reducing impact of faults on services.

MTTR = fault detection time + hardware replacement time + system initialization time + link recovery time + routing time + forwarding recovery time. A smaller value of each item means a smaller MTTR and a higher availability.

High availability technologies

Increasing MTBF or decreasing MTTR can enhance the availability of a network. The high availability technologies described in this section meet the level 2 and level 3 high availability requirements in the aspect of decreasing MTTR.

Fault detection technologies

Fault detection technologies enable detection and diagnosis of network faults:
• NQA is used for diagnosis and evaluation of network quality.
• Track works along with other high availability technologies to detect faults through a collaboration mechanism.

Configuring VRRP

The term "router" in this document refers to both routers and routing-capable HP wireless products.

Support for this feature depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.

The interfaces that VRRP involves can be only VLAN interfaces.

VRRP overview

As shown in Figure 1, you can typically configure a default route with the gateway as the next hop for every host on a LAN.

• Load balancing mode—Extends the standard mode and realizes load balancing. For more information, see "VRRP load balancing mode."

VRRP standard mode

VRRP group

VRRP combines a group of routers (including a master and multiple backups) on a LAN into a virtual router called VRRP group. A VRRP group has the following features:
• A virtual router has a virtual IP address. A host on the LAN only needs to know the IP address of the virtual router and uses the IP address as the next hop of the default route.
VRRP priority is in the range of 0 to 255, and the greater the number, the higher the priority. Priorities 1 to 254 are configurable. Priority 0 is reserved for special uses and priority 255 is for the IP address owner. The router acting as the IP address owner in a VRRP group always has the running priority 255 and acts as the master as long as it works properly. 2. Working mode A router in a VRRP group operates in either of the following modes: { { 3.
VRRP packets are encapsulated in IP packets, with the protocol number being 112. Figure 3 shows the VRRPv2 packet format.

Figure 3 VRRPv2 packet format

A VRRP packet comprises the following fields:
• Version—Version number of the protocol, 2 for VRRPv2.
• Type—Type of the VRRP packet. It must be VRRP advertisement, represented by 1.
• Virtual Rtr ID (VRID)—ID of the virtual router, in the range of 1 to 255.
• Priority—Priority of the router in the VRRP group, in the range of 0 to 255.

• When multiple routers in a VRRP group declare that they are the master because of inconsistent configuration or network problems, the one with the highest priority becomes the master. If two routers have the same priority, the one with the highest IP address becomes the master.
• When a backup router receives an advertisement, it compares its priority with the advertised priority. If its priority is higher, it takes over the master.
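The packet fields and the election rule above, as an added Python example (not code from HP or from this guide): it parses a VRRPv2 advertisement, lists the reasons a receiver would discard it, and picks the master among competing claims. The header fields after Priority, the TTL-255 requirement and the configuration-match checks follow RFC 3768; `build_advert`, `validate_advert`, `elect_master` and `LOCAL_CFG` are hypothetical names, and the sample packet is constructed from values shown in this guide's display output.

```python
import ipaddress
import struct
from dataclasses import dataclass

# Constructed local configuration (VRID 1, 1-second timer, no authentication).
LOCAL_CFG = {"vrid": 1, "adver_int": 1, "auth_type": 0,
             "virtual_ips": ["202.38.160.111"]}

@dataclass
class Advert:
    version: int
    type: int
    vrid: int
    priority: int
    auth_type: int    # 0 = no authentication, 1 = simple text
    adver_int: int    # advertisement interval in seconds
    virtual_ips: list

def inet_checksum(data: bytes) -> int:
    """16-bit one's-complement checksum over the VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_advert(vrid, priority, virtual_ips, adver_int=1, auth_type=0):
    """Build a constructed VRRPv2 advertisement to use as sample input."""
    head = struct.pack("!BBBBBB", (2 << 4) | 1, vrid, priority,
                       len(virtual_ips), auth_type, adver_int)
    tail = b"".join(ipaddress.IPv4Address(ip).packed for ip in virtual_ips)
    tail += b"\x00" * 8                      # authentication data, unused here
    csum = inet_checksum(head + b"\x00\x00" + tail)
    return head + struct.pack("!H", csum) + tail

def parse_advert(payload: bytes) -> Advert:
    if len(payload) < 8:
        raise ValueError("truncated header")
    vt, vrid, prio, count, auth, interval, _ = struct.unpack("!BBBBBBH", payload[:8])
    end = 8 + 4 * count
    if len(payload) < end + 8:               # addresses plus 8 bytes of auth data
        raise ValueError("address count exceeds packet length")
    ips = [str(ipaddress.IPv4Address(payload[i:i + 4])) for i in range(8, end, 4)]
    return Advert(vt >> 4, vt & 0x0F, vrid, prio, auth, interval, ips)

def validate_advert(payload: bytes, ip_ttl: int, local: dict) -> list:
    """Return the reasons a receiver would discard this advertisement."""
    try:
        adv = parse_advert(payload)
    except ValueError as exc:
        return [str(exc)]
    reasons = []
    if ip_ttl != 255:                        # sender must be on the local link
        reasons.append("ttl")
    if adv.version != 2 or adv.type != 1:
        reasons.append("version/type")
    if inet_checksum(payload) != 0:          # a valid message sums to zero
        reasons.append("checksum")
    if adv.vrid != local["vrid"]:
        reasons.append("vrid")
    if adv.adver_int != local["adver_int"]:
        reasons.append("adver_int")
    if adv.auth_type != local["auth_type"]:
        reasons.append("auth_type")
    if sorted(adv.virtual_ips) != sorted(local["virtual_ips"]):
        reasons.append("virtual_ips")
    return reasons

def elect_master(claims):
    """claims: (priority, interface IP) pairs; highest priority wins, then highest IP."""
    return max(claims, key=lambda c: (c[0], int(ipaddress.IPv4Address(c[1]))))[1]

if __name__ == "__main__":
    pkt = build_advert(1, 110, ["202.38.160.111"])
    print(parse_advert(pkt), validate_advert(pkt, 255, LOCAL_CFG))
```

A non-empty result from `validate_advert` is the condition under which members stop hearing each other's advertisements and more than one of them can claim the master role.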
Figure 4 VRRP in master/backup mode

Assume that Router A is acting as the master to forward packets to external networks, and Router B and Router C are backups in listening state. When Router A fails, Router B and Router C elect a new master to forward packets for hosts on the LAN.

2. Load sharing

More than one VRRP group can be created on an interface of a router to allow the router to be the master of one VRRP group but a backup of another at the same time.

• VRRP group 1—Router A is the master. Router B and Router C are the backups.
• VRRP group 2—Router B is the master. Router A and Router C are the backups.
• VRRP group 3—Router C is the master. Router A and Router B are the backups.

For load sharing among Router A, Router B, and Router C, hosts on the LAN need to be configured to use VRRP group 1, 2, and 3 as the default gateways, respectively.

2. When an ARP request arrives, the master (Router A) selects a virtual MAC address based on the load balancing algorithm to answer the ARP request. In this example, Router A returns the virtual MAC address of itself in response to the ARP request from Host A. It returns the virtual MAC address of Router B in response to the ARP request from Host B (see Figure 7).

Figure 7 Answering ARP requests

routers. Each VF associates with a virtual MAC address in the VRRP group and forwards packets sent to this virtual MAC address. VFs are created on the routers in a VRRP group, as follows:
a. The master assigns virtual MAC addresses to all routers in the VRRP group. Each member router creates a VF for this MAC address and becomes the owner of this VF.
b. Each router advertises its VF information to the other member routers.
c.

Figure 9 VF information

Figure 9 shows the VF table on each router in the VRRP group and how the routers back up one another. The master, Router A, assigns virtual MAC addresses 000f-e2ff-0011, 000f-e2ff-0012, and 000f-e2ff-0013 to itself, Router B, and Router C, and each router creates VF 1, VF 2, and VF 3 for the virtual MAC addresses, respectively. The VFs for the same virtual MAC address on different routers back up one another.

5. VF tracking

The AVF forwards packets destined to the MAC address of the AVF. If the uplink of the AVF fails and no LVF is notified to take over the AVF role, hosts on the LAN that use the MAC address of the AVF as their gateway MAC address cannot access the external network. This problem can be solved by the VF tracking function. You can monitor the uplink state by using NQA, and establish the collaboration between the VF and the NQA through the tracking function.
Task | Remarks
Configuring router priority, preemptive mode and tracking function | Optional.
Configuring VF tracking | Optional. The VF tracking function applies to only the VRRP load balancing mode.
Configuring VRRP packet attributes | Optional.
Enabling the trap function for VRRP | Optional.

Specifying a VRRP operating mode

A VRRP group operates in one of the following modes:
• Standard mode—Only the master can forward packets.
• Load balancing mode—All members that have an AVF can forward packets.

When VRRP operates in load balancing mode, the address mapping setting does not take effect, and virtual IP addresses are always mapped to virtual MAC addresses.

To specify the type of MAC addresses mapped to virtual IP addresses:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Specify the type of MAC addresses mapped to virtual IP addresses.
  Command: vrrp method { real-mac | virtual-mac }
  Remarks: Optional. Virtual MAC address by default.

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter the specified interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Create a VRRP group and configure a virtual IP address for the VRRP group.
  Command: vrrp vrid virtual-router-id virtual-ip virtual-address
  Remarks: VRRP group is not created by default.

NOTE: The maximum number of VRRP groups on an interface depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.

Step 4. Configure the router in the VRRP group to operate in preemptive mode and configure preemption delay.
  Command: vrrp vrid virtual-router-id preempt-mode [ timer delay delay-value ]
  Remarks: Optional. The router in the VRRP group operates in preemptive mode and the preemption delay is 0 seconds by default.
Step 5. Configure the interface to be tracked.
  Command: vrrp vrid virtual-router-id track interface interface-type interface-number [ reduced priority-reduced ]
  Remarks: Optional.
Step 6.

Step 3. Configure VF tracking.
  Command:
  • Configure the VF tracking function to monitor a specified track entry and specify the value by which the weight decreases: vrrp vrid virtual-router-id weight track track-entry-number [ reduced weight-reduced ]
  • Configure the VF tracking function to monitor an AVF on a specified router: vrrp vrid virtual-router-id track track-entry-number forwarder-switchover member-ip ip-address
  Remarks: Use either approach.

Step 4. Configure the time interval for the master in the VRRP group to send VRRP advertisements.
  Command: vrrp vrid virtual-router-id timer advertise adver-interval
  Remarks: Optional. 1 second by default.
Step 5. Disable TTL check on VRRP packets.
  Command: vrrp un-check ttl
  Remarks: Optional. By default, TTL check on VRRP packets is enabled. You do not need to create a VRRP group before executing this command.
VRRP configuration examples

The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.

[AC1] vlan 2
[AC1-vlan2] quit
[AC1] interface WLAN-ESS 1
[AC1-WLAN-ESS1] port link-type hybrid
[AC1-WLAN-ESS1] undo port hybrid vlan 1
[AC1-WLAN-ESS1] port hybrid vlan 2 untagged
[AC1-WLAN-ESS1] port hybrid pvid vlan 2
[AC1-WLAN-ESS1] port-security port-mode psk
[AC1-WLAN-ESS1] port-security preshared-key pass-phrase 12345678
[AC1-WLAN-ESS1] port-security tx-key-type 11key
[AC1-WLAN-ESS1] quit
[AC1] interface vlan-interface 2
[AC1-Vlan-interface2] ip address 202.38.160.1 255.255.255.

# Configure VLAN 2.
<AC2> system-view
[AC2] vlan 2
[AC2-vlan2] quit
[AC2] interface WLAN-ESS 1
[AC2-WLAN-ESS1] port link-type hybrid
[AC2-WLAN-ESS1] undo port hybrid vlan 1
[AC2-WLAN-ESS1] port hybrid vlan 2 untagged
[AC2-WLAN-ESS1] port hybrid pvid vlan 2
[AC2-WLAN-ESS1] port-security port-mode psk
[AC2-WLAN-ESS1] port-security preshared-key pass-phrase 12345678
[AC2-WLAN-ESS1] port-security tx-key-type 11key
[AC2-WLAN-ESS1] quit
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ip address 202.38.160.

    Run Method     : Virtual MAC
Total number of virtual routers : 1
  Interface Vlan-interface2
    VRID           : 1                Adver Timer  : 1
    Admin Status   : Up               State        : Master
    Config Pri     : 110              Running Pri  : 110
    Preempt Mode   : Yes              Delay Time   : 5
    Auth Type      : None
    Virtual IP     : 202.38.160.111
    Virtual MAC    : 0000-5e00-0101
    Master IP      : 202.38.160.1

# Display information about VRRP group 1 on AC 2.

[AC1-Vlan-interface2] display vrrp verbose
IPv4 Standby Information:
    Run Mode       : Standard
    Run Method     : Virtual MAC
Total number of virtual routers : 1
  Interface Vlan-interface2
    VRID           : 1                Adver Timer  : 1
    Admin Status   : Up               State        : Master
    Config Pri     : 110              Running Pri  : 110
    Preempt Mode   : Yes              Delay Time   : 5
    Auth Type      : None
    Virtual IP     : 202.38.160.111
    Virtual MAC    : 0000-5e00-0101
    Master IP      : 202.38.160.

2. Configure AC 1:
# Enable port security.
<AC1> system-view
[AC1] port-security enable
# Configure VLAN 2 and VLAN 3.

[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Create an AP template with name ap1 and model MSM460-WW, and configure its serial ID as CN2AD330S7.
[AC1] wlan ap ap1 model MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S7
# Map service template 1 to radio 1 of AP 1.
[AC1-wlan-ap-ap1] radio 1 type dot11an
[AC1-wlan-ap-ap1-radio-1] service-template 1
[AC1-wlan-ap-ap1-radio-1] radio enable
3. Configure AC 2:
# Enable port security.

[AC2-wlan-st-1] cipher-suite ccmp
[AC2-wlan-st-1] authentication-method open-system
[AC2-wlan-st-1] service-template enable
[AC2-wlan-st-1] quit
# Create an AP template with name ap2 and model MSM460-WW, and configure its serial ID as CN2AD330S8.
[AC2] wlan ap ap2 model MSM460-WW
[AC2-wlan-ap-ap2] serial-id CN2AD330S8
# Map service template 1 to radio 1 of AP 2.
[AC2-wlan-ap-ap2] radio 1 type dot11an
[AC2-wlan-ap-ap2-radio-1] service-template 1
[AC2-wlan-ap-ap2-radio-1] radio enable
4.
The output shows that in VRRP group 1 AC 1 is the master and AC 2 is the backup. AC 1 forwards the packets that the client sends to the host. # If VLAN-interface 3 is not available, verify that the client can still ping the host. (Details not shown.
• In VRRP group 1, AC 1 has a higher priority than AC 2. In VRRP group 2, AC 2 has a higher priority than AC 1. In this case, hosts in VLAN 2 and VLAN 3 can communicate with external networks through AC 1 and AC 2, respectively, and when AC 1 or AC 2 fails, the hosts can use the other switch to communicate with external networks to avoid communication interruption.

Figure 12 Network diagram

Configuration procedure

1. Perform basic configurations according to the topology requirements.

[AC1-wlan-st-1] bind WLAN-ESS 1
[AC1-wlan-st-1] security-ie rsn
[AC1-wlan-st-1] cipher-suite ccmp
[AC1-wlan-st-1] authentication-method open-system
[AC1-wlan-st-1] service-template enable
[AC1-wlan-st-1] quit
# Create an AP template with name ap1 and model MSM460-WW, and configure its serial ID as CN2AD330S7.
[AC1] wlan ap ap1 model MSM460-WW
[AC1-wlan-ap-ap1] serial-id CN2AD330S7
# Map service template 1 to radio 1 of AP 1.

[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] ip address 202.38.160.2 255.255.255.128
# Create a VRRP group 1 on VLAN-interface 2 and set its virtual IP address to 202.38.160.100.
[AC2-Vlan-interface2] vrrp vrid 1 virtual-ip 202.38.160.100
[AC2-Vlan-interface2] quit
# Configure VLAN 3.

# Display information about the VRRP group on AC 2.
[AC2-Vlan-interface3] display vrrp verbose
IPv4 Standby Information:
    Run Mode       : Standard
    Run Method     : Virtual MAC
Total number of virtual routers : 2
  Interface Vlan-interface2
    VRID           : 1                Adver Timer  : 1
    Admin Status   : Up               State        : Backup
    Config Pri     : 100              Running Pri  : 100
    Preempt Mode   : Yes              Delay Time   : 0
    Become Master  : 2200ms left
    Auth Type      : None
    Virtual IP     : 202.38.160.100
    Master IP      : 202.38.160.
Multiple masters appear in a VRRP group

Symptom
Multiple masters are present in the same VRRP group.

Analysis
• Multiple masters coexist for a short period. This is normal and requires no manual intervention.
• Multiple masters coexist for a long period. This is because devices in the VRRP group cannot receive VRRP packets or the received VRRP packets are illegal.

Solution
Ping between these masters and do the following:
• If the ping fails, check network connectivity.
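For the long-lived case, the symptom can be confirmed from captured `display vrrp verbose` output. The following added Python example (not part of the HP guide) compares the output of each group member and reports a VRID with more than one master, plus settings that differ between members. The function names and the `sample_output` helper are hypothetical, the sample text is constructed in the layout of the display output shown in this guide, and the fields compared are the ones RFC 3768 has a receiver check in advertisements.

```python
import re

# Settings a receiver checks in advertisements from other group members.
COMPARE = ("Adver Timer", "Auth Type", "Virtual IP")

def sample_output(state: str, adver_timer: int, master_ip: str) -> str:
    """Constructed 'display vrrp verbose' text for one device (sample input)."""
    return (
        "IPv4 Standby Information:\n"
        "    Run Mode       : Standard\n"
        "    Run Method     : Virtual MAC\n"
        "Total number of virtual routers : 1\n"
        "  Interface Vlan-interface2\n"
        f"    VRID           : 1          Adver Timer  : {adver_timer}\n"
        f"    Admin Status   : Up         State        : {state}\n"
        "    Config Pri     : 110        Running Pri  : 110\n"
        "    Auth Type      : None\n"
        "    Virtual IP     : 202.38.160.111\n"
        f"    Master IP      : {master_ip}\n"
    )

def parse_vrrp(text: str) -> dict:
    """Map VRID -> {field: value}; the first match after each VRID wins."""
    groups = {}
    for block in re.split(r"(?=\bVRID\s*:)", text)[1:]:
        fields = {}
        for key in ("VRID", "State") + COMPARE:
            match = re.search(rf"\b{key}\s*:\s*(\S+)", block)
            if match:
                fields[key] = match.group(1)
        groups[int(fields["VRID"])] = fields
    return groups

def audit(outputs: dict) -> list:
    """outputs: device name -> captured text. Returns findings per VRID."""
    parsed = {dev: parse_vrrp(text) for dev, text in outputs.items()}
    findings = []
    for vrid in sorted({v for groups in parsed.values() for v in groups}):
        members = {dev: g[vrid] for dev, g in parsed.items() if vrid in g}
        masters = sorted(d for d, f in members.items() if f.get("State") == "Master")
        if len(masters) > 1:
            findings.append(f"VRID {vrid}: multiple masters: {', '.join(masters)}")
        for key in COMPARE:
            if len({f.get(key) for f in members.values()}) > 1:
                findings.append(f"VRID {vrid}: {key} differs across members")
    return findings

if __name__ == "__main__":
    captured = {
        "AC1": sample_output("Master", 1, "202.38.160.1"),
        "AC2": sample_output("Master", 5, "202.38.160.2"),
    }
    for finding in audit(captured):
        print(finding)
```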
Configuring stateful failover

Support for this feature depends on the device model. For more information, see About the Configuration Guides for HP Unified Wired-WLAN Products.

Stateful failover overview

Some customers require the key entries or access points of their networks, such as the Internet access point of an enterprise or a database server of a bank, to be highly reliable to ensure continuous data transmission.

Figure 14 Network diagram for stateful failover

Stateful failover states

Stateful failover includes the following states:
• Silence—The device has just started, or is transiting from synchronization state to independence state.
• Independence—The silence timer has expired, but no failover link is established.

Service backup configuration. It can implement real-time service backup between the two devices.
• This configuration guide only introduces the service backup configuration.

Complete the following tasks to configure stateful failover:
Task | Remarks
Enabling stateful failover | Required.
Configuring the backup VLAN | Required.
Optional. A device providing DHCP server services automatically backs up related information to the backup device after the configurations take effect.

The interfaces assigned to a backup VLAN can forward other types of packets in addition to stateful failover packets.

To configure a backup VLAN:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Create a VLAN and assign interfaces to the VLAN.
  Command: See Layer 2 Configuration Guide.
  Remarks: N/A
Step 3. Return to system view.
  Command: quit
  Remarks: N/A
Step 4. Specify the VLAN as a backup VLAN.
  Command: dhbk vlan vlan-id
  Remarks: Not specified by default.

Configuring Track

Overview

The Track module collaborates with application and detection modules, as shown in Figure 16. After you associate the Track module with a detection module and an application module, collaboration is enabled. The detection module probes specific objects such as interface status, link status, network reachability, and network performance, and informs the Track module of detection results. The Track module sends the detection results to the associated application module.

Collaboration between the Track module and an application module

After you associate the Track module with an application module, and the status of the track entry changes, the Track module notifies the application module, which then takes actions as configured. The following application modules can be associated with the Track module:
• VRRP.
• Static routing.
• WLAN uplink detection.

Task | Remarks
Associating the Track module with a detection module | Required. Use one of the methods.
  • Associating Track with NQA
  • Associating Track with interface management
Associating the Track module with an application module | Required. Use one of the methods.
  • Associating Track with VRRP
  • Associating Track with static routing
  • Associating Track with WLAN uplink detection

• When the physical or network-layer protocol status of the interface changes to up, the interface management module notifies the Track module of the change and the Track module sets the track entry to Positive.
• When the physical or network-layer protocol status of the interface changes to down, the interface management module notifies the Track module of the change and the Track module sets the track entry to Negative.

To associate Track with interface management:
Step 1. Enter system view.

gateway to take over. This makes sure the hosts in the network segment can uninterruptedly communicate with external networks. When VRRP is operating in standard protocol mode or load balancing mode, associate the Track module with the VRRP group to implement the following actions:
• Change the priority of a router according to the status of the uplink. If a fault occurs on the uplink of the router, the VRRP group is not aware of the uplink failure.

Associating Track with a VRRP VF

Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Enter interface view.
  Command: interface interface-type interface-number
  Remarks: N/A
Step 3. Create a VRRP group and configure its virtual IP address.
  Command: vrrp vrid virtual-router-id virtual-ip virtual-address
  Remarks: No VRRP group is created by default.
Step 4. Associate Track with a VRRP VF.
  Command:
  • Associate a track entry with the VRRP VF: vrrp [ ipv6 ] vrid virtual-router-id weight track track-entry-number [ reduced weight-reduced ]

If a static route needs route recursion, the associated track entry must monitor the next hop of the recursive route instead of the next hop of the static route. Otherwise, a valid route may be considered invalid. For more information about static route configuration, see Layer 3 Configuration Guide.

To associate Track with static routing:
Step 1. Enter system view.
  Command: system-view
  Remarks: N/A
Step 2. Associate the static route with a track entry to check the accessibility of the next hop.
Track configuration examples

The configuration examples were created on the 11900/10500/7500 20G unified wired-WLAN module and might vary with device models. When configuring the 11900/10500/7500 20G unified wired-WLAN module, make sure the settings are correct (including VLAN settings) on the internal Ethernet interface that connects the module to the switch. For more information, see HP 11900/10500/7500 20G Unified Wired-WLAN Module Basic Configuration Guide.

# Create an NQA operation with the administrator name admin and the operation tag test.
<AC1> system-view
[AC1] nqa entry admin test
# Configure the operation type as ICMP echo.
[AC1-nqa-admin-test] type icmp-echo
# Configure the destination address as 10.1.2.2.
[AC1-nqa-admin-test-icmp-echo] destination ip 10.1.2.2
# Configure the ICMP echo operation to repeat at an interval of 100 milliseconds.

[AC2-Vlan-interface2] vrrp vrid 1 preempt-mode timer delay 5

Verifying the configuration

# Ping Host from Client to verify that Host is reachable. (Details not shown.)
# Display detailed information about VRRP group 1 on AC 1.

    Admin Status   : Up               State        : Backup
    Config Pri     : 110              Running Pri  : 80
    Preempt Mode   : Yes              Delay Time   : 5
    Become Master  : 2200ms left
    Auth Type      : Simple           Key          : ******
    Virtual IP     : 10.1.1.10
    Master IP      : 10.1.1.2
VRRP Track Information:
    Track Object   : 1                State        : Negative
    Pri Reduced    : 30

# Display detailed information about VRRP group 1 on AC 2.

Figure 19 Network diagram
AC 2 Vlan-int2 10.1.1.2/24 Vlan-int5 10.2.1.2/24 AC 1 20.1.1.0/24 Vlan-int6 20.1.1.1/24 Vlan-int2 10.1.1.1/24 Vlan-int5 10.2.1.4/24 Vlan-int3 10.3.1.1/24 AC 4 Vlan-int7 30.1.1.1/24 30.1.1.0/24 Vlan-int4 10.4.1.4/24 Vlan-int3 10.3.1.3/24 Vlan-int4 10.4.1.3/24 AC 3

Configuration procedure

1. Create VLANs, assign ports to the VLANs, and configure the IP address of each VLAN interface as shown in Figure 19. (Details not shown.)
2.

# Configure track entry 1, and associate it with reaction entry 1 of the NQA operation.
[AC1] track 1 nqa entry admin test reaction 1
3. Configure AC 2:
# Configure a static route to 30.1.1.0/24 with the next hop 10.2.1.4.
<AC2> system-view
[AC2] ip route-static 30.1.1.0 24 10.2.1.4
# Configure a static route to 20.1.1.0/24 with the next hop 10.1.1.1.
[AC2] ip route-static 20.1.1.0 24 10.1.1.1
4. Configure AC 3:
# Configure a static route to 30.1.1.0/24 with the next hop 10.4.1.4.

[AC1] display track all
Track ID: 1
  Status: Positive
  Duration: 0 days 0 hours 0 minutes 32 seconds
  Notification delay: Positive 0, Negative 0 (in seconds)
  Reference object:
    NQA entry: admin test
    Reaction: 1

The output shows that the status of the track entry is Positive, indicating that the NQA operation has succeeded and the master route is available.
# Display the routing table of AC 1.

Destinations : 10        Routes : 10

Destination/Mask    Proto   Pre  Cost  NextHop     Interface
10.1.1.0/24         Direct  0    0     10.1.1.1    Vlan2
10.1.1.1/32         Direct  0    0     127.0.0.1   InLoop0
10.2.1.0/24         Static  60   0     10.1.1.2    Vlan2
10.3.1.0/24         Direct  0    0     10.3.1.1    Vlan3
10.3.1.1/32         Direct  0    0     127.0.0.1   InLoop0
20.1.1.0/24         Direct  0    0     20.1.1.1    Vlan6
20.1.1.1/32         Direct  0    0     127.0.0.1   InLoop0
30.1.1.0/24         Static  80   0     10.3.1.3    Vlan3
127.0.0.0/8         Direct  0    0     127.0.0.1   InLoop0
127.0.0.

VRRP-Track-interface management collaboration configuration example

Network requirements

As shown in Figure 20:
• Client requires access to Host on the Internet. The default gateway of Client is 10.1.1.10/24.
• AC 1 and AC 2 belong to VRRP group 1. The virtual IP address of VRRP group 1 is 10.1.1.10.

<AC2> system-view
[AC2] interface vlan-interface 2
[AC2-Vlan-interface2] vrrp vrid 1 virtual-ip 10.1.1.10

Verifying the configuration

# Ping Host from Client to verify that Host is reachable. (Details not shown.)
# Display detailed information about VRRP group 1 on AC 1.

IPv4 Standby Information:
    Run Mode       : Standard
    Run Method     : Virtual MAC
Total number of virtual routers : 1
  Interface Vlan-interface2
    VRID           : 1                Adver Timer  : 1
    Admin Status   : Up               State        : Backup
    Config Pri     : 110              Running Pri  : 80
    Preempt Mode   : Yes              Delay Time   : 0
    Become Master  : 2200ms left
    Auth Type      : None
    Virtual IP     : 10.1.1.10
    Master IP      : 10.1.1.
Support and other resources Contacting HP For worldwide technical support information, see the HP support website: http://www.hp.
Conventions

This section describes the conventions used in this documentation set.

Command conventions

Convention: Description
Boldface: Bold text represents commands and keywords that you enter literally as shown.
Italic: Italic text represents arguments that you replace with actual values.
[]: Square brackets enclose syntax choices (keywords or arguments) that are optional.
{ x | y | ... }: Braces enclose a set of required syntax choices separated by vertical bars, from which you select one.