Configuring Clusters Using the Web UI

Procedure

1. Perform basic cluster configurations.
   1. Choose System > Inter-DC Cluster > Basic Configuration.
   2. Configure negotiation parameters.
      

      Configure cluster members one by one and keep the configurations consistent.

      The configuration cannot be directly modified. To modify it, you must first disable the cluster function (the device leaves the cluster).

      Parameter	Description
      Cluster	Enables the cluster function. After the cluster function is enabled, the system automatically generates a routing policy named cluster_rt.
      Cluster ID	A cluster ID identifies a cluster. Devices with the same cluster ID compose a cluster.
      Shared Key	Specifies the shared key for encrypting packets between cluster members. For security, the password must meet the minimum complexity requirement. That is, the password must contain two of the following, including upper-case letters (A to Z), lower-case letters (a to z), digits (0 to 9), and special characters (such as !, @, #, $, and %). After a cluster is established, you need to perform the following operations to add, delete, or change a shared key: Change the shared key on each member device. Click Commit on the management master device to make the new shared key take effect.
      Probe Packet Interval	Interval at which cluster members send detection packets. If no response packet is received after three consecutive detection packets are sent, a device considers the peer separated from the cluster.
      Hello Packet Detection Multiplier	After a cluster is created, management master and backup devices in the cluster periodically (Hello packet sending interval) send Hello packets to each other (backup devices will not send Hello packets to each other). If the management master device does not receive Hello packets from a peer within the timeout period, it considers the peer not in the cluster any more. Hello packet timeout period = Hello packet detection multiplier x Hello packet sending interval (default Hello packet sending interval: 1 second; default Hello packet detection multiplier: 3)
      Hello Packet Interval
      Service Backup Nodes	The default value is 2. For example, if the value is 2, sessions and service entries on the device will be backed up to other two member devices.
      Configurable Management Backup Device	By default, commands that can be backed up in the cluster can be configured only on the management master device. After the configuration, the commands can be synchronized to other members in real time. These commands cannot be directly configured on management backup devices. If Configurable Management Backup Device is enabled on the management master device, these commands can be configured on management backup devices. The configuration can be synchronized to other members in real time. For the features that can be backed up in a cluster, see Table 1.
      Traffic Aggregation	For services that require consistent forward and return paths, if the paths are inconsistent, traffic aggregation must be performed in the cluster to aggregates traffic on one device. By default, this function is disabled.
      Fast Session Synchronization	After the fast session synchronization function is enabled for the cluster, the TCP flow backup starts before the flow establishment; otherwise, the backup starts after the TCP flow establishment. After enabling the cluster traffic aggregation function, you must enable the fast session synchronization function. If the forward and return paths are inconsistent, you must enable the fast session synchronization function.
      Business Group Preemption	If this function is enabled and the original business master device recovers, it preempts to be the business master device. If this function is disabled, the original business master device preempts to be the business master device only when its health rating is higher than the current business master device. By default, this function is enabled.
      Preemption Delay	The preemption mechanism is enabled for business groups by default. In general, you are advised to set a preemption delay to preserve backup time for route convergence and entry backup. If the preemption delay is too short, it may result in service anomalies. The default value is 60 seconds.

   3. Configure cluster members.

      Perform configurations on each cluster member.

      Click Add to add all members.

      • Node ID: the ID of a member in the cluster.

      • Local node: the cluster member ID of the local device in the cluster.

      • Negotiation Address: the IP of negotiation channel.

      • Backup Address: the IP of backup channel.

      • Forwarding Address: the IP of forwarding channel.

   4. Configure business groups.

      Perform the configuration on the management master device. The configuration will be automatically synchronized to other members in the cluster.

      Click Add to create a business group.

      Parameter	Description
      Business Group ID	The ID of a cluster business group.
      Description	Business group description.
      Node Priority	A larger value indicates a higher priority and a higher possibility to become the business master device or optimal backup device. In a business group, devices must have different priorities. Click to specify the priorities of all nodes in sequence.

   5. Click Apply.
2. Configure cluster traffic diversion.
   Select a traffic diversion mode based on the scenario:

   • Service-based traffic diversion

     • The cluster uses the NAT service, so the NAT address pool route must be advertised.
     • The cluster uses the IPSec service, so traffic needs to be diverted to cluster member devices for IPSec processing.

   • Route-based traffic diversion

     The business group associates with the routing protocol. The cost value of advertised routes is adjusted based on the business group status, so that the optimal route can be selected.

   • VRRP-based traffic diversion

     The device connects to a Layer-2 device and locates in a Layer-2 network with a VM. The VM's gateway address is the VRRP address of the device.

   You should configure route-based and service traffic diversion on the management master device. The configuration will be automatically synchronized to other members in the cluster. For VRRP-based traffic diversion, configure it on each member device in a business group.

   1. Choose System > Inter-DC Cluster > Traffic Diversion Configuration.
   2. Configure service traffic diversion.

      The traffic diversion address indicates the device's UNR that needs to be advertised. After the address is configured, the cluster advertises the route regarding the traffic diversion address for traffic diversion of upstream and downstream services.

      

      In IPSec, 32-bit UNRs should not be delivered for cluster traffic diversion. When a UNR is generated, traffic diversion addresses may be merged. For example, 10.1.1.2 and 10.1.1.3 can be merged into 10.1.1.2/31, and the route can be advertised. If the traffic diversion addresses are 10.1.1.1 and 10.1.1.2, they cannot be merged, and such routes conflict with direct routes on interfaces.

      Do not set the IP address of any interface on the device as a traffic diversion address.

      1. On the Service Traffic Diversion tab, click Add and configure the traffic diversion address.

         Parameter	Description
         IP Address Range	Traffic diversion address of a cluster business group.
         Source Virtual System	Source virtual system.
         Destination Virtual System	Destination virtual system.
         Business Group ID	The ID of a cluster business group.

      2. Select a routing protocol for advertising UNRs.

         Adjust the cost of the imported route in the routing policy cluster_rt to ensure the route of the highest priority with the lowest cost. After the cluster function is enabled, the system automatically generates a routing policy named cluster_rt. The routing policy configuration is as follows:

         #
         route-policy cluster_rt permit node 0
          if-match preference 57
          apply cost + 1
         #
         route-policy cluster_rt permit node 1
          if-match preference 58
          apply cost + 5
         #
         route-policy cluster_rt permit node 2
          if-match preference 59
          apply cost + 10
         #

   3. Configure route-based traffic diversion.

      On the Route-based Traffic Diversion tab, click Add and select the route type and process ID.

   4. Configure VRRP-based traffic diversion.

      On the VRRP Traffic Diversion tab, click Add.

      Parameter	Description
      Interface	Interface added to a VRRP group. This interface must be a downlink service interface of the device.
      Interface IP Address/Mask	After you select Interface, the IP address/mask of the interface is automatically displayed.
      VRID	ID of a VRRP group.
      Virtual IP Address/Mask	Indicates the virtual IP address and mask of the VRRP group. The virtual IP address cannot be an interface IP address. If the virtual IP address and interface IP address of a VRRP group are in different network segments, the subnet mask is required.
      Business Group ID	The ID of a cluster business group.

3. Configure cluster monitoring.

   Dynamically adjust the health rating of cluster members by monitoring specific objects. If a monitored object is faulty, the device health rating decreases, triggering the switchover in the business group.

   Perform the following configurations on each cluster member:

   1. Choose System > Inter-DC Cluster > Monitoring Configuration.
   2. Configure the monitored object and weight.
      • The following objects can be monitored: interface, IP-link, and BFD session.
      • Weight: The default value is 1. Reduced device health rating = Weight x Points reduced due to faults