Friday, February 28 2025

VRRP on Huawei router

Virtual Router Redundancy Protocol (VRRP) combines a group of routing devices on a LAN into a backup group that functions as a single virtual router. From the perspective of a host in the LAN, only the IP address of the virtual router matters, not the IP address of any specific device in the backup group. The virtual IP address must be set as the default gateway of the hosts in the LAN. VRRP dynamically associates the virtual router with the physical device that forwards traffic. When that device fails, another device in the group is selected to take over the traffic. The switchover should be transparent to users, so the internal and external networks keep communicating without interruption. Whether that holds in practice depends on the configured services: the most sensitive services need higher reliability, and VRRP alone is not enough. I will come back to this later in the post.

Let’s switch from theory to more practical things.

VRRP topology:

Ensure connectivity between all elements in the network; this is omitted here.

Configure VRRP on labnario_1 and labnario_2 and set the VRRP priority of labnario_1 to 120:

[labnario_1]interface Vlanif 100
[labnario_1-Vlanif100]ip address 10.0.0.10 255.255.255.0
[labnario_1-Vlanif100]vrrp vrid 100 virtual-ip 10.0.0.254
[labnario_1-Vlanif100]vrrp vrid 100 priority 120

[labnario_2]interface Vlanif 100
[labnario_2-Vlanif100]ip add 10.0.0.11 255.255.255.0
[labnario_2-Vlanif100]vrrp vrid 100 virtual-ip 10.0.0.254

[labnario_1]display vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
100   Master       Vlanif100                Normal   10.0.0.254     
----------------------------------------------------------------
Total:1     Master:1     Backup:0     Non-active:0     

[labnario_2]display vrrp brief 
VRID  State        Interface                Type     Virtual IP     
----------------------------------------------------------------
100   Backup       Vlanif100                Normal   10.0.0.254     
----------------------------------------------------------------
Total:1     Master:0     Backup:1     Non-active:0

Now we can check how traffic is going through our network:

PC>tracert 1.1.1.1
traceroute to 1.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.0.0.10   16 ms

PC>ping 1.1.1.1 -t
Ping 1.1.1.1: 32 data bytes, Press Ctrl_C to break
From 1.1.1.1: bytes=32 seq=1 ttl=254 time=62 ms
From 1.1.1.1: bytes=32 seq=2 ttl=254 time=47 ms
From 1.1.1.1: bytes=32 seq=3 ttl=254 time=140 ms
From 1.1.1.1: bytes=32 seq=4 ttl=254 time=31 ms
--- 1.1.1.1 ping statistics ---
  4 packet(s) transmitted
  4 packet(s) received
  0.00% packet loss
  round-trip min/avg/max = 31/70/140 ms

As we can see, traffic is going through labnario_1, which confirms that VRRP is working properly. Only the Master forwards traffic towards labnario_GW.

Let’s look at the output of the display vrrp command on both routers:

[labnario_1]display vrrp
  Vlanif100 | Virtual Router 100
    State : Master
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.10
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2013-01-22 12:35:04 UTC-08:00
    Last change time : 2013-01-22 12:42:53 UTC-08:00

[labnario_2]display vrrp
  Vlanif100 | Virtual Router 100
    State : Backup
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.10
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2013-01-22 12:35:32 UTC-08:00
    Last change time : 2013-01-22 12:42:53 UTC-08:00

Router labnario_1 is Master in the VRRP group and forwards the traffic. Its configured and running priority is 120. The VRRP priority of labnario_2 is 100, the default.

Let’s simulate 2 cases:

  • Labnario_1 is broken. We can simulate it by bringing interface Vlanif100 DOWN.
  • A failure in the LAN, simulated by bringing interface Eth0/0/0 DOWN.

I was thinking about how to show you that VRRP is working properly. Please look at this link. You will find an exe file there with this simulation. You do not have to install anything, just open the file. I did it this way because WordPress does not allow adding such files directly.

VRRP switchover simulation

In both cases labnario_1 is in the Initialize state, which means there is no connection between the VRRP routers. Labnario_2 is now Master in the VRRP group.

What will happen if interface Ethernet0/0/1 goes into the DOWN state?

Let’s shutdown interface Ethernet0/0/1 of labnario_1:

PC>tracert 1.1.1.1
traceroute to 1.1.1.1, 8 hops max
(ICMP), press Ctrl+C to stop
 1  10.0.0.10   15 ms  16 ms  31 ms
 2  10.0.0.11   31 ms  32 ms  15 ms
 3  1.1.1.1   63 ms  46 ms  47 ms

Traffic is still directed to labnario_1, which is the VRRP Master. There is no VRRP switchover because Ethernet0/0/1 is not in the LAN, so VRRP does not notice its failure.

We can avoid this situation by tracking interface Ethernet 0/0/1 in the VRRP configuration of labnario_1. When Eth0/0/1 fails, the running VRRP priority of labnario_1 is reduced to 80, a switchover between labnario_1 and labnario_2 is performed and labnario_2 becomes the VRRP Master.

Let’s configure interface tracking:

[labnario_1]int Vlanif  100
[labnario_1-Vlanif100]vrrp vrid 100 track interface Ethernet 0/0/1 reduced 40

[labnario_1]dis vrrp
  Vlanif100 | Virtual Router 100
    State : Master
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.10
    PriorityRun : 120
    PriorityConfig : 120
    MasterPriority : 120
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Track IF : Ethernet0/0/1   Priority reduced : 40
    IF state : UP
    Create time : 2013-01-22 12:35:04 UTC-08:00
    Last change time : 2013-01-22 13:46:34 UTC-08:00

Let’s shut down interface Eth0/0/1 again and check what happens:

[labnario_1-Ethernet0/0/1]shutdown

[labnario_1-Ethernet0/0/1]dis vrrp
  Vlanif100 | Virtual Router 100
    State : Backup
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.11
    PriorityRun : 80
    PriorityConfig : 120
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Track IF : Ethernet0/0/1   Priority reduced : 40
    IF state : DOWN
    Create time : 2013-01-22 12:35:04 UTC-08:00
    Last change time : 2013-01-22 14:17:44 UTC-08:00

[labnario_2]dis vrrp
  Vlanif100 | Virtual Router 100
    State : Master
    Virtual IP : 10.0.0.254
    Master IP : 10.0.0.11
    PriorityRun : 100
    PriorityConfig : 100
    MasterPriority : 100
    Preempt : YES   Delay Time : 0 s
    TimerRun : 1 s
    TimerConfig : 1 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0164
    Check TTL : YES
    Config type : normal-vrrp
    Create time : 2013-01-22 12:35:32 UTC-08:00
    Last change time : 2013-01-22 14:17:45 UTC-08:00

How to make VRRP switchover faster?

You can configure a BFD session between the VRRP routers (on both routers) and track this BFD session in the VRRP configuration of labnario_2. If the LAN connection between the routers fails, the BFD session goes DOWN, which triggers a VRRP switchover within milliseconds.

[labnario_1]bfd VRRP_test bind peer-ip 10.0.0.11 interface Vlanif 100
[labnario_1-bfd-session-VRRP_test]discriminator local 1
[labnario_1-bfd-session-VRRP_test]discriminator remote 2
[labnario_1-bfd-session-VRRP_test]commit 

[labnario_2]bfd VRRP_test bind peer-ip 10.0.0.10 interface Vlanif 100
[labnario_2-bfd-session-VRRP_test]discriminator local 2
[labnario_2-bfd-session-VRRP_test]discriminator remote 1
[labnario_2-bfd-session-VRRP_test]commit 

[labnario_2]dis bfd ses all
--------------------------------------------------------------------------------
Local Remote     PeerIpAddr      State     Type        InterfaceName            
--------------------------------------------------------------------------------
2     1          10.0.0.10       Up        S_IP_IF     Vlanif100                
--------------------------------------------------------------------------------
     Total UP/DOWN Session Number : 1/0

[labnario_2-Vlanif100]vrrp vrid 100 track bfd-session 2 increased 40

If the LAN connection between the routers fails, the VRRP priority of labnario_2 increases to 140 and labnario_2 becomes Master in the VRRP group.
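To make the priority arithmetic behind the two tracking commands concrete (interface tracking with 'reduced 40' on labnario_1, BFD tracking with 'increased 40' on labnario_2), here is an added Python model of the election. It is not part of the original post and not Huawei code; it models running priorities, the IP tie-breaker and the preempt flag only, not advertisement timers.

```python
"""Model of the VRRP priority arithmetic and Master election used in the
labnario topology above (VRRPv2 election rules, RFC 3768)."""
from dataclasses import dataclass, field
from ipaddress import ip_address


@dataclass
class Tracker:
    kind: str           # "interface" or "bfd-session"
    name: str           # e.g. "Ethernet0/0/1" or the BFD local discriminator "2"
    reduced: int = 0    # 'reduced N': subtracted while the tracked object is DOWN
    increased: int = 0  # 'increased N': added while the tracked object is DOWN


@dataclass
class VrrpRouter:
    name: str
    ip: str                 # primary IP on the VRRP interface (election tie-breaker)
    priority: int = 100     # Huawei default PriorityConfig
    preempt: bool = True    # 'Preempt : YES' in display vrrp
    trackers: list = field(default_factory=list)

    def running_priority(self, down):
        """PriorityRun: configured priority adjusted by every DOWN tracked object."""
        p = self.priority
        for t in self.trackers:
            if (t.kind, t.name) in down:
                p += t.increased - t.reduced
        return max(1, min(254, p))  # 255 is reserved for the IP address owner


def elect_master(routers, down=frozenset(), current_master=None):
    """Return (Master name, {router: PriorityRun}) for a set of DOWN objects,
    e.g. {("interface", "Ethernet0/0/1")} or {("bfd-session", "2")}."""
    prios = {r.name: r.running_priority(down) for r in routers}
    # highest running priority wins; a tie goes to the higher primary IP address
    best = max(routers, key=lambda r: (prios[r.name], int(ip_address(r.ip))))
    if current_master in prios and best.name != current_master and not best.preempt:
        return current_master, prios  # a non-preempting router does not displace the Master
    return best.name, prios


# The post's group: labnario_1 (priority 120) tracks Ethernet0/0/1 'reduced 40',
# labnario_2 (default 100) tracks BFD session 2 'increased 40'.
LABNARIO_1 = VrrpRouter("labnario_1", "10.0.0.10", priority=120,
                        trackers=[Tracker("interface", "Ethernet0/0/1", reduced=40)])
LABNARIO_2 = VrrpRouter("labnario_2", "10.0.0.11",
                        trackers=[Tracker("bfd-session", "2", increased=40)])
GROUP = [LABNARIO_1, LABNARIO_2]


def scenarios():
    """The three situations in the post. The BFD case only models the priority
    change; in a real LAN split labnario_2 also stops hearing labnario_1."""
    return {
        "normal": elect_master(GROUP),
        "eth0/0/1 down": elect_master(GROUP, {("interface", "Ethernet0/0/1")}),
        "bfd down": elect_master(GROUP, {("bfd-session", "2")}),
    }


if __name__ == "__main__":
    for label, (master, prios) in scenarios().items():
        print(f"{label:14s} Master={master}  PriorityRun={prios}")
```

The three scenarios reproduce the PriorityRun values shown in the display vrrp outputs above (120/100, 80/100 and 120/140).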

To ensure communication between the routers in the VRRP group, it is recommended to add a direct L2 connection between them. In practice we can use trunk or Eth-trunk interfaces. How to configure Eth-trunk interfaces is described in link aggregation (IEEE 802.3ad) on Huawei S5700.

If Ethernet 0/0/0 of labnario_1 fails, labnario_1 remains Master because the connection between the VRRP routers is preserved; traffic goes to labnario_2 and then over the Eth-trunk links to labnario_1.

Final configs:

sysname labnario_1
#
vlan batch 100
#
bfd
#
interface Vlanif100
 ip address 10.0.0.10 255.255.255.0
 vrrp vrid 100 virtual-ip 10.0.0.254
 vrrp vrid 100 priority 120
 vrrp vrid 100 track interface Ethernet0/0/1 reduced 40
#
interface Ethernet0/0/0
 portswitch
 port link-type access
 port default vlan 100
#
interface Ethernet0/0/1
 ip address 172.16.0.1 255.255.255.0
#
bfd VRRP_test bind peer-ip 10.0.0.11 interface Vlanif100
 discriminator local 1
 discriminator remote 2
 commit
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 172.16.0.0 0.0.0.255

sysname labnario_2
#
vlan batch 100
#
bfd
#
interface Vlanif100
 ip address 10.0.0.11 255.255.255.0
 vrrp vrid 100 virtual-ip 10.0.0.254
 vrrp vrid 100 track bfd-session 2
#
interface Ethernet0/0/0
 portswitch
 port hybrid pvid vlan 100
#
interface Ethernet0/0/1
 ip address 172.16.1.1 255.255.255.0
#
bfd VRRP_test bind peer-ip 10.0.0.10 interface Vlanif100
 discriminator local 2
 discriminator remote 1
 commit
#
ospf 1
 area 0.0.0.0
  network 10.0.0.0 0.0.0.255
  network 172.16.1.0 0.0.0.255

sysname labnario_GW
#
interface Ethernet0/0/0
 ip address 172.16.0.2 255.255.255.0
#
interface Ethernet0/0/1
 ip address 172.16.1.2 255.255.255.0
#
interface LoopBack0
 ip address 1.1.1.1 255.255.255.255
#
ospf 1
 area 0.0.0.0
  network 1.1.1.1 0.0.0.0
  network 172.16.0.0 0.0.0.255
  network 172.16.1.0 0.0.0.255


IPSec on Huawei AR router

How to secure communication between two sites connected to the Internet?

Use a site-to-site IPsec VPN tunnel between two Huawei routers. IPsec is an open standard protocol suite, defined by the IETF in the following RFCs: 2401, 2402-2412, 2451. It is widely used to secure traffic on IP networks, including the Internet, and can encrypt data between various kinds of devices: router to router, firewall to router, desktop to router and desktop to server.

How to configure IPsec VPN using Huawei CLI?

Let’s assume that we have two sites, Site1 and Site2. Both sites have PCs connected to their LAN, PC1 and PC2 respectively. The sites are connected through a WAN (in our case the labnarioR2 router simulates the WAN). We want to secure communication between PC1 and PC2, so we have to configure an IPsec VPN tunnel between the two sites. In our case the tunnel will be established between the labnarioR1 and labnarioR3 routers, which will be responsible for encrypting and decrypting data using the specified algorithms.

To secure the IPsec tunnel, I will use:

  • a pre-shared key between the labnarioR1 and labnarioR3 routers
  • ESP as the security protocol
  • SHA1 for authentication and 3DES for encryption
  • IKE for key exchange and SA establishment.

Traffic encryption and decryption will be done on both labnarioR1 and labnarioR3, so those are the two routers I have to configure to establish the IPsec VPN tunnel. The labnarioR2 router simulates the WAN cloud and has nothing to do with IPsec.

Do not forget to provide IP connectivity between routers and PCs. This is omitted here.

I want to encrypt IP traffic travelling between the LAN networks 10.1.1.0/24 and 172.16.1.0/24. To do so, I need to match this traffic with an ACL on labnarioR1 and labnarioR3:

[labnarioR1]acl 3000
[labnarioR1-acl-adv-3000]rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255

[labnarioR3]acl 3000
[labnarioR3-acl-adv-3000]rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255

Now I can configure the IPsec proposal and define the following parameters:

  • Packet encapsulation mode (tunnel or transport; I will use tunnel as this is a site-to-site model)
  • Security protocol (I will use ESP)
  • Encryption and authentication algorithms (as mentioned above, 3DES and SHA1 respectively).

[labnarioR1]ipsec proposal PROPOSAL1
[labnarioR1-ipsec-proposal-PROPOSAL1]encapsulation-mode tunnel
[labnarioR1-ipsec-proposal-PROPOSAL1]transform esp
[labnarioR1-ipsec-proposal-PROPOSAL1]esp authentication-algorithm sha1
[labnarioR1-ipsec-proposal-PROPOSAL1]esp encryption-algorithm 3des

To define the IKE peer:

[labnarioR1]ike peer PEER-LABNARIOR3 v1
[labnarioR1-ike-peer-PEER-LABNARIOR3]pre-shared-key simple LaBnArIoKeY
[labnarioR1-ike-peer-PEER-LABNARIOR3]remote-address 150.100.23.3

Now I can define the IPsec policy:

[labnarioR1]ipsec policy POLICY1 10 isakmp
[labnarioR1-ipsec-policy-isakmp-POLICY1-10]proposal PROPOSAL1
[labnarioR1-ipsec-policy-isakmp-POLICY1-10]security acl 3000
[labnarioR1-ipsec-policy-isakmp-POLICY1-10]ike-peer PEER-LABNARIOR3

To attach the IPsec policy to my WAN interface:

[labnarioR1]int Ethernet0/0/0
[labnarioR1-Ethernet0/0/0]ipsec policy POLICY1

The same configuration should be done on labnarioR3 router:

#
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike peer PEER-LABNARIOR1 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.12.1
#
ipsec policy POLICY1 10 isakmp
 security acl 3000
 ike-peer PEER-LABNARIOR1
 proposal PROPOSAL1
#
interface Ethernet0/0/1
 ip address 150.100.23.3 255.255.255.0
 ipsec policy POLICY1
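Three things must agree between the two ends before IKE can bring this tunnel up: the pre-shared key, the remote-address of each IKE peer (it has to be the peer's ipsec-policy-bound interface IP) and the two security ACLs, which must be exact mirror images of each other. The following Python check, an added example rather than anything from the post or from Huawei, parses the relevant blocks of the labnarioR1 and labnarioR3 configs above and reports those three mismatches.

```python
"""Consistency check for the two ends of a Huawei policy-based IPsec tunnel: PSK
identical, each remote-address the peer's ipsec-bound IP, ACLs exact mirrors."""
import re

RULE = re.compile(r"rule \d+ permit ip source (\S+ \S+) destination (\S+ \S+)")

def blocks(text):
    """Split a Huawei config into (header, [indented body lines]) tuples."""
    out = []
    for raw in text.splitlines():
        if raw.startswith(" ") and out:
            out[-1][1].append(raw.strip())
        elif raw.strip() and raw.strip() != "#":
            out.append((raw.strip(), []))
    return out

def ipsec_facts(text):
    """Pull out the ACL rules, PSK, IKE remote-address and local tunnel IP."""
    f = {"rules": set(), "psk": None, "remote": None, "local_ip": None}
    for hdr, body in blocks(text):
        if hdr.startswith("acl "):
            f["rules"] |= {m.groups() for l in body if (m := RULE.match(l))}
        elif hdr.startswith("ike peer"):
            for l in body:
                if m := re.match(r"pre-shared-key \S+ (\S+)", l):
                    f["psk"] = m[1]
                elif m := re.match(r"remote-address (\S+)", l):
                    f["remote"] = m[1]
        elif hdr.startswith("interface") and "ipsec policy" in " ".join(body):
            f["local_ip"] = next((m[1] for l in body if (m := re.match(r"ip address (\S+)", l))), None)
    return f

def check_pair(cfg_a, cfg_b):
    """Return the list of mismatches; an empty list means both ends agree."""
    a, b = ipsec_facts(cfg_a), ipsec_facts(cfg_b)
    problems = []
    if a["psk"] is None or a["psk"] != b["psk"]:
        problems.append("pre-shared keys differ or are missing")
    if a["remote"] != b["local_ip"] or b["remote"] != a["local_ip"]:
        problems.append("ike peer remote-address does not match the peer's ipsec-bound interface")
    if not a["rules"] or a["rules"] != {(dst, src) for src, dst in b["rules"]}:
        problems.append("security ACLs are not mirror images of each other")
    return problems

# Relevant blocks of the post's final configs for labnarioR1 and labnarioR3.
R1 = """acl number 3000
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
ike peer PEER-LABNARIOR3 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.23.3
interface Ethernet0/0/0
 ip address 150.100.12.1 255.255.255.0
 ipsec policy POLICY1
"""
R3 = """acl number 3000
 rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
ike peer PEER-LABNARIOR1 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.12.1
interface Ethernet0/0/1
 ip address 150.100.23.3 255.255.255.0
 ipsec policy POLICY1
"""
```

check_pair(R1, R3) returns an empty list for the configs above; swap one ACL prefix, key or remote-address and the corresponding mismatch is reported.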

To bring the IPsec VPN tunnel up, IP traffic has to be generated between PC1 and PC2; just ping PC2 from PC1 or vice versa. Let’s verify that our tunnel is up.

To display IKE security associations:

[labnarioR1]display ike sa 
    Conn-ID  Peer            VPN   Flag(s)                Phase  
  ---------------------------------------------------------------
       52    150.100.23.3    0     RD|ST                  2     
       28    150.100.23.3    0     RD|ST                  1     

  Flag Description:
  RD--READY   ST--STAYALIVE   RL--REPLACED   FD--FADING   TO--TIMEOUT
  HRT--HEARTBEAT   LKG--LAST KNOWN GOOD SEQ NO.   BCK--BACKED UP

To display IPsec security associations:

[labnarioR1]display ipsec sa brief

Number of SAs:0
    Src address     Dst address        SPI    VPN  Protocol     Algorithm
-------------------------------------------------------------------------------
   150.100.23.3    150.100.12.1  641342674      0    ESP   E:3DES A:SHA1-96
   150.100.12.1    150.100.23.3  228173657      0    ESP   E:3DES A:SHA1-96

To check whether traffic between PC1 and PC2 is travelling through the VPN tunnel, check the ACL match counters and the IKE/IPsec packet statistics:

[labnarioR1]dis acl 3000
Advanced ACL 3000, 1 rule
ACL's step is 5
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255 (10
 times matched)

[labnarioR1]dis ike statistics v1 

----------------------------------------------------------

 IKE V1 statistics information
 Number of total peers                        : 18
 Number of policy peers                       : 1
 Number of profile peers                      : 17
 Number of proposals                          : 1
 Number of established V1 phase 1 SAs         : 1
 Number of established V1 phase 2 SAs         : 1
 Number of total V1 phase 1 SAs               : 1
 Number of total V1 phase 2 SAs               : 1
 Number of total SAs                          : 2
 Keep alive time                              : 0
 Keep alive interval                          : 0
 keepalive spi list                           : Disable
----------------------------------------------------------

[labnarioR1]dis ipsec statistics esp 
 Inpacket count            : 3435973836
 Inpacket auth count       : 3435973836
 Inpacket decap count      : 3435973836
 Outpacket count           : 3435973836
 Outpacket auth count      : 3435973836
 Outpacket encap count     : 3435973836
 Inpacket drop count       : 3435973836
 Outpacket drop count      : 3435973836
 BadAuthLen count          : 3435973836
 AuthFail count            : 3435973836
 PktDuplicateDrop count    : 3435973836
 PktSeqNoTooSmallDrop count: 3435973836
 PktInSAMissDrop count     : 3435973836

As you can see, the IPsec statistics look a little strange. This is because these commands were run on eNSP, where IPsec does not appear to work even though all the configuration and display commands are present. When tested on AR19 routers, everything was fine.

Debugging commands:

<labnarioR1>debugging ike ?
  all        All IKE debugging functions
  dpd        IKE debug for dpd
  error      Error debugging functions
  exchange   IKE exchange debugging functions
  message    IKE message debugging functions
  misc       All other debugging functions
  packet     IKE packet content debugging function
  sa         Security Association
  sysdep     Information with IPSec debugging functions
  task       IKE debug for main task entry
  transport  Transport debugging functions
  xauth      Information with IPSec debugging functions

<labnarioR1>debugging ipsec ?
  all     All switches
  hw      Hardware infomation
  misc    All other debugging function
  packet  Packet debugging function
  sa      SA debugging function

Final configs:

sysname labnarioR1
#
acl number 3000
 rule 10 permit ip source 10.1.1.0 0.0.0.255 destination 172.16.1.0 0.0.0.255
#
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike peer PEER-LABNARIOR3 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.23.3
#
ipsec policy POLICY1 10 isakmp
 security acl 3000
 ike-peer PEER-LABNARIOR3
 proposal PROPOSAL1
#
interface Ethernet0/0/0
 ip address 150.100.12.1 255.255.255.0
 ipsec policy POLICY1

sysname labnarioR3
#
acl number 3000
 rule 10 permit ip source 172.16.1.0 0.0.0.255 destination 10.1.1.0 0.0.0.255
#
ipsec proposal PROPOSAL1
 esp authentication-algorithm sha1
 esp encryption-algorithm 3des
#
ike peer PEER-LABNARIOR1 v1
 pre-shared-key simple LaBnArIoKeY
 remote-address 150.100.12.1
#
ipsec policy POLICY1 10 isakmp
 security acl 3000
 ike-peer PEER-LABNARIOR1
 proposal PROPOSAL1
#
interface Ethernet0/0/1
 ip address 150.100.23.3 255.255.255.0
 ipsec policy POLICY1


Huawei’s equivalent of Cisco’s ‘logging synchronous’

If a router wants you to know something, it wants you to know right now!

Let’s look at what happens if you are entering a long command and the device wants to inform you about a link failure:

[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source 1.1.1.1 0.0.0.255 destination 1.1.1.2
Jan 15 2013 11:04:18-08:00 Huawei %%01PHY/1/PHY(l)[5]:    GigabitEthernet0/0/0:
change status to down
Jan 15 2013 11:04:18-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[6]:The line protocol
IP on the interface GigabitEthernet0/0/0 has entered the DOWN state.
^
Error:Incomplete command found at '^' position.

When you press Enter you will have to type the command again, which is frustrating for every network administrator.

Unfortunately we cannot change this with a command like Cisco’s ‘logging synchronous’.

Instead you have 3 ways to deal with it on Huawei devices:

If you remember the syntax of the command, just continue typing:

[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source 1.1.1.1 0.0.0.255 destination 1.1.1.2 
Jan 15 2013 11:19:15-08:00 Huawei %%01PHY/1/PHY(l)[21]:    GigabitEthernet0/0/0:
 change status to down
Jan 15 2013 11:19:15-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[22]:The line protoco
l IP on the interface GigabitEthernet0/0/0 has entered the DOWN state.0.0.0.255
[Huawei-acl-adv-3000]

You can use the question mark ‘?’ to display the syntax of the command:

[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source 1.1.1.1 0.0.0.255 destination 1.1.1.2 
Jan 15 2013 11:21:28-08:00 Huawei %%01PHY/1/PHY(l)[23]:    GigabitEthernet0/0/0:
 change status to up
Jan 15 2013 11:21:28-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[24]:The line protoco
l IP on the interface GigabitEthernet0/0/0 has entered the UP state.?
  0        Wildcard bits : 0.0.0.0 ( a host )
  X.X.X.X  Wildcard of destination
[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source 1.1.1.1 0.0.0.255 destination 1.1.1.2 0.0.0.255

You can press CTRL_R to redisplay the current line:

[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source 1.1.1.1 0.0.0.255 destination 1.1.1.2 
Jan 15 2013 11:24:35-08:00 Huawei %%01PHY/1/PHY(l)[25]:    GigabitEthernet0/0/0:
 change status to down
Jan 15 2013 11:24:35-08:00 Huawei %%01IFNET/4/LINK_STATE(l)[26]:The line protoco
l IP on the interface GigabitEthernet0/0/0 has entered the DOWN state.
CTRL_R
[Huawei-acl-adv-3000]rule 10 permit ip vpn-instance vpn_labnario source 1.1.1.1 0.0.0.255 destination 1.1.1.2

Unfortunately you have to do this every time the router has something to tell you.

All system-defined shortcut keys are listed in the Huawei CLI introduction.


BGP peering with loopback interfaces


Huawei eNSP – news

A new year brings a new version of the Huawei Network Simulation Platform eNSP.

You can download it by clicking on the link below:
