2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
Blog catalogue:
1. What is dual-device hot standby?
2. What is VRRP?
3. The two roles of VRRP
4. The three states of VRRP
5. How VRRP elects the Master and Backup routers
6. Unified management of VRRP backup groups through VGMP
7. Configuring dual-device hot standby
8. Summary
1. What is dual-device hot standby?
1) The function of dual-device hot standby
Several devices run in hot standby.
When one device fails, the other devices take over its work.
This improves network stability.
It guarantees business continuity.
Huawei dual-device hot standby (HRP, Huawei Redundancy Protocol) is achieved by deploying two or more firewalls for hot standby and load balancing. The two firewalls work together as if they were a single larger firewall.
2) The two hot standby modes of Huawei firewalls
Active/standby (hot standby) mode: only one firewall forwards packets at any time; the other firewalls forward nothing, but keep their session tables and Server-map tables synchronized with it.
Load-balancing mode: several firewalls forward traffic at the same time, and each firewall is also the backup for the others, so every firewall is both an active and a standby device. Session tables and Server-map tables are synchronized between the firewalls.
In load-balancing mode, for the ● traffic in the figure FW1 is the active device and FW2 the standby, so by default that traffic is forwarded through FW1; for the ○ traffic FW2 is the active device and FW1 the standby, so by default it is forwarded through FW2. At the same time FW1 is the backup for the ○ traffic: if FW2 fails, FW1 can still forward the ○ traffic, and likewise FW2 can forward the ● traffic if FW1 fails. As shown below:
2. What is VRRP?
VRRP (Virtual Router Redundancy Protocol), standardized by the IETF (RFC 3768 for VRRPv2), is a protocol that removes the single point of failure of a gateway. VRRP can be used on routers to provide gateway redundancy, and it is also used by firewalls as part of dual-device hot standby.
1) VRRP terminology
VRRP router: a router running the VRRP protocol.
Virtual router: a backup group consisting of one Master router and several Backup routers; a backup group presents a single virtual gateway to the clients.
VRID (Virtual Router ID): the identifier of the virtual router, which uniquely identifies a backup group.
Virtual IP address: the gateway address given to the clients, that is, the IP address assigned to the virtual router. It is configured on every VRRP router in the group, but only the Master answers ARP requests for it.
Virtual MAC address: a MAC address derived from the VRID. When a client resolves the gateway's MAC address through ARP, the Master router answers with this address.
IP address owner: if the virtual router's IP address is also the real IP address of a member's physical interface, that member is the IP address owner.
Priority: identifies the priority of a VRRP router; the Master and Backup devices are chosen by comparing the priorities of the VRRP routers.
Preemptive mode: if a Backup router has a higher priority than the other routers in the backup group (including the current Master), it immediately becomes the new Master.
Non-preemptive mode: even if a Backup router has a higher priority than the other routers in the backup group (including the current Master), it does not become the Master until the next election (for example after a power failure or a device restart).
2) Differences between VRRP on Huawei and HSRP on Cisco
VRRP is an open standard, while HSRP is a Cisco proprietary protocol.
In VRRP the virtual router's IP address may be the real IP address of a member router; in HSRP it may not.
The VRRP virtual MAC address is 00-00-5e-00-01-<VRID>; the HSRP virtual MAC address is 00-00-0c-07-ac-<group number>.
VRRP has three states; HSRP has six (Initial, Learn, Listen, Speak, Standby, Active).
VRRP has a single message type, the Advertisement, which the Master sends to announce the virtual router's parameters (such as its priority) and which is used to elect the Master. HSRP has three messages (Hello, Coup, Resign).
Standard VRRP does not support interface tracking, while HSRP does.
3. The two roles of VRRP
Master router: in normal operation the Master answers ARP requests and forwards packets, and by default it advertises its current state to the other routers every 1 s.
Backup router: the backup of the Master. It normally forwards no packets; when the Master fails, the Backup router with the highest priority becomes the new Master and takes over packet forwarding, so the service is not interrupted.
4. The three states of VRRP
Initialize: the initial state right after VRRP is configured. VRRP messages are not processed in this state; a router also enters it when its interface is shut down or fails.
Master: the state of the device elected as the Master. In this state it forwards service traffic and periodically sends VRRP advertisements; it also answers ARP requests from clients with the virtual MAC address. When the interface is shut down it switches immediately to Initialize.
Backup: the state of a device elected as a Backup router. In this state it forwards no service traffic; it receives the VRRP advertisements sent by the Master and uses them to judge whether the Master is still working. In dual-device hot standby the state information of the active device is also synchronized to it.
The transitions between these three states are shown in the following figure:
Initialize is the initial state of VRRP; when the interface is shut down, a router in either the Master or the Backup state returns immediately to Initialize. A router configured as the IP address owner has priority 255 by default and switches directly from Initialize to Master. A router that is not the IP address owner has a priority below 255 and switches from Initialize to Backup. A router in the Backup state that receives an advertisement whose priority is higher than or equal to its own (normally sent by the Master) resets its Master_Down_Interval timer; if no VRRP advertisement arrives from the Master and the Master_Down_Interval timer expires, it switches from Backup to Master.
5. How VRRP elects the Master and Backup routers
The election works as follows: the device with the highest priority becomes the Master. If priorities are equal, the interface IP addresses are compared and the device with the numerically larger IP address becomes the Master; the other routers in the backup group become Backup routers.
The default VRRP interface priority is 100 and the range is 0 to 255. Priority 0 is reserved by the system and priority 255 is reserved for the IP address owner, which needs no priority configuration because its default priority is already 255.
Unless a router is explicitly configured as the IP address owner (priority 255), a VRRP state transition always passes through the Backup state first: even the router with the highest priority goes from Backup to Master, with Backup being only a momentary transitional state.
6. Unified management of VRRP backup groups through VGMP
From the sections above, dual-device hot standby solves the problem of switching gateway devices without interrupting services, and VRRP solves the problem of automatically switching the client's gateway. It might seem that hot standby plus VRRP already works, but in practice it does not.
The following figure makes this easier to understand. In the figure, packets from the PC to the external network are normally forwarded by the Master of backup group 1 (FW1), and packets returned by the external network are forwarded by the Master of backup group 2 (FW1). When the GE1/0/0 interface of FW1 fails, backup group 1 detects the failure and makes FW2 its Master, so packets initiated by the PC are now forwarded by FW2. The state of backup group 2, however, has not changed (the GE1/0/1 interface of FW1 is still working), so the traffic returned by the external network is still forwarded by the Master of backup group 2, which is FW1. Because GE1/0/0 on FW1 has failed, those returned packets cannot be forwarded any further.
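The election rules and state transitions described in sections 4 and 5 can be walked through in code. The following Python simulation is an added example and is not part of the original article or of any Huawei software; the router names, addresses, priorities and timings in it are constructed, and it models the generic RFC 3768 timers (Master_Down_Interval = 3 × advertisement interval + skew time) rather than a particular vendor's implementation.

```python
"""VRRP election and state-machine walk-through (RFC 3768 rules).

Added example, not code from the original article.  Models the three VRRP
states, the IP-address-owner shortcut (priority 255 enters Master directly,
everyone else passes through Backup), the tie-break (higher priority, then
larger IP), the Master_Down_Interval timer and preemptive vs non-preemptive
mode.  Names, addresses and priorities are constructed for the example.
"""
import ipaddress
from dataclasses import dataclass

INITIALIZE, BACKUP, MASTER = "Initialize", "Backup", "Master"
ADVER_INT = 1.0  # default advertisement interval in seconds


def virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC address: 00-00-5e-00-01-<VRID>."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00-00-5e-00-01-{vrid:02x}"


def wins(prio_a: int, ip_a: str, prio_b: int, ip_b: str) -> bool:
    """Election rule: higher priority wins; on a tie the larger IP address wins."""
    if prio_a != prio_b:
        return prio_a > prio_b
    return ipaddress.ip_address(ip_a) > ipaddress.ip_address(ip_b)


@dataclass
class VrrpRouter:
    name: str
    ip: str                  # real interface address, used only for the tie-break
    priority: int = 100      # default priority; 0 and 255 are reserved
    preempt: bool = True
    state: str = INITIALIZE
    master_down_timer: float = 0.0
    adver_timer: float = 0.0

    def __post_init__(self):
        if not 0 <= self.priority <= 255:
            raise ValueError("priority must be 0..255")

    def skew_time(self) -> float:
        return (256 - self.priority) / 256.0

    def master_down_interval(self) -> float:
        return 3 * ADVER_INT + self.skew_time()

    def startup(self):
        """Interface up: the IP owner (255) goes straight to Master, others to Backup."""
        if self.priority == 255:
            self._become_master()
        else:
            self.state = BACKUP
            self.master_down_timer = self.master_down_interval()

    def shutdown(self):
        """Interface shutdown or failure returns to Initialize from any state."""
        self.state = INITIALIZE

    def _become_master(self):
        self.state = MASTER
        self.adver_timer = 0.0  # send an advertisement right away

    def receive_advertisement(self, adv_priority: int, adv_ip: str):
        if self.state == BACKUP:
            if adv_priority == 0:  # the Master is resigning
                self.master_down_timer = self.skew_time()
            elif not self.preempt or adv_priority >= self.priority:
                self.master_down_timer = self.master_down_interval()
            # else: we are better and may preempt, so the advertisement is
            # discarded and our timer keeps running until we take over
        elif self.state == MASTER and wins(adv_priority, adv_ip, self.priority, self.ip):
            self.state = BACKUP
            self.master_down_timer = self.master_down_interval()

    def tick(self, dt: float):
        if self.state == BACKUP:
            self.master_down_timer -= dt
            if self.master_down_timer <= 1e-9:
                self._become_master()


def run(routers, seconds: float, dt: float = 0.1):
    """Advance the backup group by `seconds`; return the names of routers in Master."""
    for _ in range(int(round(seconds / dt))):
        adverts = []
        for r in routers:
            if r.state == MASTER:
                r.adver_timer -= dt
                if r.adver_timer <= 1e-9:
                    adverts.append((r.priority, r.ip))
                    r.adver_timer = ADVER_INT
        for r in routers:
            for prio, ip in adverts:
                if ip != r.ip:
                    r.receive_advertisement(prio, ip)
        for r in routers:
            r.tick(dt)
    return [r.name for r in routers if r.state == MASTER]


if __name__ == "__main__":
    fw1, fw2 = VrrpRouter("FW1", "10.3.1.1", priority=120), VrrpRouter("FW2", "10.3.1.2")
    fw1.startup(), fw2.startup()
    print("Master after election:", run([fw1, fw2], 5))     # ['FW1']
    fw1.shutdown()
    print("Master after FW1 fails:", run([fw1, fw2], 5))    # ['FW2']
```

Running the module prints the Master after the initial election and again after FW1 is shut down; changing the priorities, giving one router priority 255, or setting preempt=False on a joining router shows the other transitions described in the text.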
The reason is that the two VRRP backup groups work independently of each other. VGMP (VRRP Group Management Protocol) is therefore used to manage the VRRP backup groups as a unit, so that a device's state is consistent across all of its backup groups.
VGMP manages the groups by adding all backup groups (backup group 1 and backup group 2) on each device (FW1 and FW2) into one VGMP group. Once a state change is detected in one backup group (for example backup group 1 enters Initialize because its interface failed), that VGMP group lowers its priority by 2 and the Active and Standby VGMP groups are renegotiated. The newly elected Active group then switches all of its backup groups at once (on FW2, backup group 1 and backup group 2 both become Master).
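The mechanism just described, as a small Python simulation. This is an added example and not code from the original article or from Huawei. It contrasts two independently elected VRRP backup groups with the same groups placed under one VGMP group per device, using the default VGMP priority of 45000 and the drop of 2 per backup group in Initialize, and it also models the +65500 OSPF cost that the Standby device adds in the router-attached deployment described later on the page. The device and interface names are constructed, and the tie-break that makes the device configured with hrp standby-device the Standby is an assumption of the model.

```python
"""VGMP unified management of VRRP backup groups, simulated.

Added example, not code from the original article.  Two firewalls each carry
two VRRP backup groups (VRID 1 on the untrust side, VRID 2 on the trust side).
independent_masters() shows the groups electing on their own: one interface
failure moves only one group, so forward and return paths land on different
devices.  vgmp_masters() puts both groups in one VGMP group per device: a group
in Initialize costs its VGMP group 2 priority points (default 45000), the
Active/Standby roles are renegotiated, and every group on the Active device
becomes Master at once.  Names are constructed; the standby-device tie-break
is an assumption of this model.
"""
from dataclasses import dataclass, field

VGMP_DEFAULT_PRIORITY = 45000
PRIORITY_DROP_PER_FAILED_GROUP = 2
OSPF_STANDBY_COST_PENALTY = 65500


@dataclass
class Firewall:
    name: str
    standby_device: bool = False                 # `hrp standby-device` configured?
    link_up: dict = field(default_factory=dict)  # interface -> up?
    groups: dict = field(default_factory=dict)   # VRID -> interface it lives on
    vgmp_state: str = "Standby"

    def group_failed(self, vrid: int) -> bool:
        """A backup group whose interface is down sits in Initialize."""
        return not self.link_up[self.groups[vrid]]

    def vgmp_priority(self) -> int:
        failed = sum(self.group_failed(v) for v in self.groups)
        return VGMP_DEFAULT_PRIORITY - PRIORITY_DROP_PER_FAILED_GROUP * failed

    def vrrp_state(self, vrid: int) -> str:
        """Under VGMP the VRRP role follows the VGMP role, not a VRRP election."""
        if self.group_failed(vrid):
            return "Initialize"
        return "Master" if self.vgmp_state == "Active" else "Backup"


def negotiate(a: Firewall, b: Firewall) -> str:
    """Higher VGMP priority becomes Active; on a tie the device configured with
    `hrp standby-device` yields (model assumption).  Returns the Active name."""
    pa, pb = a.vgmp_priority(), b.vgmp_priority()
    if pa != pb:
        active = a if pa > pb else b
    else:
        active = b if a.standby_device else a
    for fw in (a, b):
        fw.vgmp_state = "Active" if fw is active else "Standby"
    return active.name


def vgmp_masters(a: Firewall, b: Firewall) -> dict:
    """Renegotiate VGMP and report which device is Master for every VRID."""
    negotiate(a, b)
    result = {}
    for vrid in a.groups:
        masters = [fw.name for fw in (a, b) if fw.vrrp_state(vrid) == "Master"]
        result[vrid] = masters[0] if masters else None
    return result


def independent_masters(preferred: Firewall, other: Firewall) -> dict:
    """Plain VRRP without VGMP: each VRID elects on its own.  The device
    configured `active` keeps Master while its interface is up."""
    result = {}
    for vrid in preferred.groups:
        if not preferred.group_failed(vrid):
            result[vrid] = preferred.name
        elif not other.group_failed(vrid):
            result[vrid] = other.name
        else:
            result[vrid] = None
    return result


def symmetric(masters: dict) -> bool:
    """Forward and return traffic cross the same device only if every VRID
    has the same Master."""
    return None not in masters.values() and len(set(masters.values())) == 1


def advertised_cost(fw: Firewall, base_cost: int) -> int:
    """OSPF cost the device advertises: the Standby adds 65500 so that an
    upstream router prefers the Active device."""
    return base_cost + (OSPF_STANDBY_COST_PENALTY if fw.vgmp_state == "Standby" else 0)


def build_pair():
    links, groups = {"GE1/0/0": True, "GE1/0/2": True}, {1: "GE1/0/0", 2: "GE1/0/2"}
    fw1 = Firewall("FW1", link_up=dict(links), groups=dict(groups))
    fw2 = Firewall("FW2", standby_device=True, link_up=dict(links), groups=dict(groups))
    return fw1, fw2


if __name__ == "__main__":
    fw1, fw2 = build_pair()
    print("normal:", vgmp_masters(fw1, fw2))                # {1: 'FW1', 2: 'FW1'}
    fw1.link_up["GE1/0/0"] = False                          # FW1 loses its untrust link
    print("plain VRRP:", independent_masters(fw1, fw2))     # {1: 'FW2', 2: 'FW1'}, asymmetric
    print("with VGMP:", vgmp_masters(fw1, fw2))             # {1: 'FW2', 2: 'FW2'}
    print("FW1 OSPF cost:", advertised_cost(fw1, 10))       # 65510
```

The asymmetric result from independent_masters() is exactly the broken forward/return split shown in the figure; vgmp_masters() returns the same device for every VRID because the role is assigned by the VGMP negotiation rather than by each group's own election.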
1) How VGMP works
The state of the VGMP group determines the state of the VRRP backup groups: device roles (Master and Backup) are no longer elected through VRRP messages but assigned directly by VGMP.
The state of a VGMP group is decided by comparing priorities: the VGMP group with the higher priority becomes Active and the one with the lower priority becomes Standby. The default VGMP group priority is 45000.
VGMP adjusts the priority automatically according to the state of the VRRP backup groups it contains: each backup group found in the Initialize state reduces the VGMP group priority by 2.
VGMP negotiates the VGMP state through the heartbeat link. After joining a VGMP group, the state names change from master/backup (VRRP) to Active/Standby (VGMP).
2) VGMP message encapsulation
VGMP negotiates the VGMP state through the heartbeat by sending VGMP messages. VGMP messages come in the following two forms, as shown in the following figure:
In the network on the left of the figure, when the heartbeat link is a direct cable or passes through a layer 2 switch, the messages are multicast and the encapsulation carries no UDP header. When the heartbeat link passes through a layer 3 device (a router), multicast cannot cross it, so an extra UDP header is added and the messages are sent as unicast.
Choose the encapsulation to match the environment. On Huawei firewalls the following commands decide which encapsulation the interface sends: without the remote parameter the heartbeat is multicast, with remote it is unicast to the given peer address (1.1.1.1 below is only a placeholder):
[FW1] hrp interface GigabitEthernet 1/0/0
[FW1] hrp interface GigabitEthernet 1/0/0 remote 1.1.1.1
Additional considerations when configuring VGMP:
After joining VGMP, the heartbeat carries both the backup of state information (session table and Server-map table) and the VGMP state negotiation.
By default a Huawei firewall permits multicast traffic addressed to itself (such as VGMP messages sent without the remote parameter) but blocks unicast traffic (such as VGMP messages sent with remote). If remote is configured, a security policy between the local zone and the zone of the heartbeat interface must be configured as well.
An interface configured with vrrp virtual-mac enable cannot be used as the heartbeat interface.
A layer 2 interface cannot be the heartbeat interface directly; add it to a VLAN and configure the heartbeat on the corresponding VLANIF interface.
In the eNSP simulator the remote parameter must be configured even when the heartbeat interfaces are directly connected, otherwise the configuration fails.
3) Backup modes of dual-device hot standby
Dual-device hot standby offers the following three backup modes:
Automatic backup: the configuration related to hot standby can only be entered on the active device and is synchronized to the standby device automatically, and the active device also synchronizes state information to the standby device automatically.
Manual batch backup: all configuration commands and state information on the active device are synchronized to the standby device only when the batch backup command is run manually. This mode is mainly for cases where the active and standby configurations have drifted apart and must be brought in line immediately.
Quick backup: configuration commands are not synchronized, only state information. In load-balancing hot standby this mode must be enabled so that state information is updated quickly, because a session may be created on one firewall while its return traffic arrives at the other.
The configuration commands for each mode are as follows:
1) Enable the dual-device hot standby feature:
[FW1] hrp enable
HRP_S[FW1]
After hrp enable the prompt changes to HRP_S (standby) or HRP_M (active).
2) Configure automatic backup mode:
HRP_M[FW1] hrp auto-sync
HRP_M[FW1] security-policy (+B)
A command echoed with (+B) has been backed up to the peer device.
3) Run a manual batch backup (user view):
HRP_M<FW1> hrp sync [ config | connection-status ]
4) Configure quick backup mode:
HRP_S[FW1] hrp mirror session enable
4. Dual-device hot standby when connected to a router
When the device upstream or downstream of a hot standby pair is a switch, the state of the interface or device can be detected through VRRP. When that device is a router, VRRP cannot be used for the switchover, because the router does not send its traffic to a VRRP virtual gateway address but routes it on its own. A Huawei firewall instead monitors the state of the other interfaces and cooperates with OSPF to switch the traffic, as shown below:
By adding the interface directly to the VGMP group (interface tracking), VGMP notices when the interface goes down (if the peer device fails, the local interface goes physically down as well), lowers the VGMP group priority and switches the group from Active to Standby, while the former Standby group is promoted to Active. When a VGMP group in the Standby state advertises OSPF routes it automatically adds 65500 to their cost (enabled with hrp adjust ospf-cost enable), so OSPF converges and steers the traffic to the device in the Active group.
7. Configuring dual-device hot standby
The environment is as follows:
The requirements are as follows:
LSW1 and LSW2 are layer 2 switches; FW1, FW2, LSW1 and LSW2 form a dual-device hot standby network. Normally the traffic from PC1 to R1 is forwarded through FW1. When FW1 fails it must be forwarded through FW2 automatically, with no change on PC1.
Recommended steps:
1) Configure the basic network parameters according to the topology diagram
2) Add the firewall interfaces to their security zones
3) Configure the security policy
4) Configure NAT address translation (NAPT)
5) Configure the heartbeat link between the two firewalls
6) Configure VRRP
7) Configure the default route on the firewalls
8) Verify
Start the configuration:
The FW1 configuration is as follows. The ha rule permits the unicast heartbeat between the local zone and the dmz zone that holds the heartbeat interface; the NAT address group uses the VRRP virtual IP 1.1.1.1, so translated traffic returns to whichever firewall currently holds the virtual address.
[FW1] interface GigabitEthernet 1/0/0
[FW1-GigabitEthernet1/0/0] ip address 10.1.1.1 24
[FW1-GigabitEthernet1/0/0] quit
[FW1] interface GigabitEthernet 1/0/1
[FW1-GigabitEthernet1/0/1] ip address 10.2.1.1 24
[FW1-GigabitEthernet1/0/1] quit
[FW1] interface GigabitEthernet 1/0/2
[FW1-GigabitEthernet1/0/2] ip address 10.3.1.1 24
[FW1-GigabitEthernet1/0/2] quit
[FW1] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 1.1.1.2
[FW1] firewall zone untrust
[FW1-zone-untrust] add interface GigabitEthernet 1/0/0
[FW1-zone-untrust] quit
[FW1] firewall zone dmz
[FW1-zone-dmz] add interface GigabitEthernet 1/0/1
[FW1-zone-dmz] quit
[FW1] firewall zone trust
[FW1-zone-trust] add interface GigabitEthernet 1/0/2
[FW1-zone-trust] quit
[FW1] security-policy
[FW1-policy-security] rule name ha
[FW1-policy-security-rule-ha] source-zone local
[FW1-policy-security-rule-ha] source-zone dmz
[FW1-policy-security-rule-ha] destination-zone local
[FW1-policy-security-rule-ha] destination-zone dmz
[FW1-policy-security-rule-ha] action permit
[FW1-policy-security-rule-ha] quit
[FW1-policy-security] rule name nat
[FW1-policy-security-rule-nat] source-zone trust
[FW1-policy-security-rule-nat] destination-zone untrust
[FW1-policy-security-rule-nat] action permit
[FW1-policy-security-rule-nat] quit
[FW1-policy-security] quit
[FW1] nat address-group NAPAT
[FW1-address-group-napat] section 0 1.1.1.1 1.1.1.1
[FW1-address-group-napat] quit
[FW1] nat-policy
[FW1-policy-nat] rule name natpolicy
[FW1-policy-nat-rule-natpolicy] source-zone trust
[FW1-policy-nat-rule-natpolicy] destination-zone untrust
[FW1-policy-nat-rule-natpolicy] action nat address-group NAPAT
[FW1-policy-nat-rule-natpolicy] quit
[FW1-policy-nat] quit
[FW1] hrp interface GigabitEthernet 1/0/1 remote 10.2.1.2
[FW1] hrp enable
HRP_S[FW1]
The FW2 configuration is as follows (refer to the FW1 comments; the FW1 and FW2 configurations are essentially the same, except that FW2 is declared the standby device):
[FW2] interface GigabitEthernet 1/0/0
[FW2-GigabitEthernet1/0/0] ip address 10.1.1.2 24
[FW2-GigabitEthernet1/0/0] quit
[FW2] interface GigabitEthernet 1/0/1
[FW2-GigabitEthernet1/0/1] ip address 10.2.1.2 24
[FW2-GigabitEthernet1/0/1] quit
[FW2] interface GigabitEthernet 1/0/2
[FW2-GigabitEthernet1/0/2] ip address 10.3.1.2 24
[FW2-GigabitEthernet1/0/2] quit
[FW2] ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 1.1.1.2
[FW2] firewall zone untrust
[FW2-zone-untrust] add interface GigabitEthernet 1/0/0
[FW2-zone-untrust] quit
[FW2] firewall zone dmz
[FW2-zone-dmz] add interface GigabitEthernet 1/0/1
[FW2-zone-dmz] quit
[FW2] firewall zone trust
[FW2-zone-trust] add interface GigabitEthernet 1/0/2
[FW2-zone-trust] quit
[FW2] security-policy
[FW2-policy-security] rule name ha
[FW2-policy-security-rule-ha] source-zone local
[FW2-policy-security-rule-ha] source-zone dmz
[FW2-policy-security-rule-ha] destination-zone local
[FW2-policy-security-rule-ha] destination-zone dmz
[FW2-policy-security-rule-ha] action permit
[FW2-policy-security-rule-ha] quit
[FW2-policy-security] rule name nat
[FW2-policy-security-rule-nat] source-zone trust
[FW2-policy-security-rule-nat] destination-zone untrust
[FW2-policy-security-rule-nat] action permit
[FW2-policy-security-rule-nat] quit
[FW2-policy-security] quit
[FW2] nat address-group NAPAT
[FW2-address-group-napat] section 0 1.1.1.1 1.1.1.1
[FW2-address-group-napat] quit
[FW2] nat-policy
[FW2-policy-nat] rule name natpolicy
[FW2-policy-nat-rule-natpolicy] source-zone trust
[FW2-policy-nat-rule-natpolicy] destination-zone untrust
[FW2-policy-nat-rule-natpolicy] action nat address-group NAPAT
[FW2-policy-nat-rule-natpolicy] quit
[FW2-policy-nat] quit
[FW2] hrp interface GigabitEthernet 1/0/1 remote 10.2.1.1
[FW2] hrp enable
HRP_S[FW2] hrp standby-device
Start configuring VRRP. VRRP configuration is not synchronized by automatic backup, so it is entered on both devices: the active role on FW1 and the standby role on FW2. Commands echoed with (+B) on FW1 are those that are backed up to the peer.
The FW1 VRRP configuration is as follows:
HRP_M[FW1] interface GigabitEthernet 1/0/0 (+B)
HRP_M[FW1-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
HRP_M[FW1-GigabitEthernet1/0/0] quit
HRP_M[FW1] interface GigabitEthernet 1/0/2 (+B)
HRP_M[FW1-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.3.1.3 active
HRP_M[FW1-GigabitEthernet1/0/2] quit
The FW2 VRRP configuration is as follows:
HRP_S[FW2] interface GigabitEthernet 1/0/0
HRP_S[FW2-GigabitEthernet1/0/0] vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
HRP_S[FW2-GigabitEthernet1/0/0] quit
HRP_S[FW2] interface GigabitEthernet 1/0/2
HRP_S[FW2-GigabitEthernet1/0/2] vrrp vrid 2 virtual-ip 10.3.1.3 standby
HRP_S[FW2-GigabitEthernet1/0/2] quit
HRP_S[FW2] display hrp state
Configure the IP addresses of R1 and the PC, then ping R1 from the PC.
R1 is configured as follows:
[R1] interface GigabitEthernet 0/0/0
[R1-GigabitEthernet0/0/0] ip address 1.1.1.2 24
[R1-GigabitEthernet0/0/0] quit
[R1] ip route-static 10.3.1.0 24 10.1.1.1
[R1] ip route-static 10.3.1.0 24 10.1.1.2
The PC configuration is as follows:
Verification
Ping router R1 from PC1, then check the session table on FW1 and on FW2; the two tables are not identical, because FW2 holds the backed-up copy of the session created on FW1.
FW1 session list:
Capture packets to view the address translation.
Simulate a failure of the GE1/0/0 interface of FW1, then ping router R1 from the client:
HRP_M[FW1] interface GigabitEthernet 1/0/0 (+B)
HRP_M[FW1-GigabitEthernet1/0/0] shutdown
Ping router R1 from PC1 and check the session table on firewall FW2.
Capture packets and check.
Ping router R1 from PC2 and check the session table on FW2.
Configuration complete.
8. Summary
The interfaces the two firewalls use for the heartbeat must be added to the same security zone.
The heartbeat interface number must be the same on both firewalls, for example GigabitEthernet 1/0/1 on both.
The two firewalls used for hot standby must be the same model and run the same VRP version.
They must connect to the same device (router or switch) using the same interface number.
When a device in the hot standby group fails and a new device is bought to replace it, configure the new device with the VGMP role the failed device had. If the failed device was configured as active, the replacement must also be configured as active, even though the surviving device in the group is currently active; otherwise the two devices cannot negotiate.
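A quick way to check a pair of configurations against the rules in this summary before enabling HRP: the Python script below is an added example and not code from the original article or from Huawei. It parses the subset of the CLI used in this walkthrough from plain text and reports inconsistencies between the two devices. The two sample configurations inside it are constructed from the FW1/FW2 values above, with the untrust and trust zone lines omitted for brevity.

```python
"""Consistency checks for a pair of Huawei HRP/VRRP firewall configs.

Added example, not code from the original article.  parse() reads the CLI
subset used in this walkthrough from plain text; check_pair() applies the
rules the article states: same heartbeat interface on both devices, remote
addresses pointing at each other, heartbeat in the same zone, exactly one
hrp standby-device, and per VRID the same interface and virtual IP with one
active and one standby.  FW1_CFG/FW2_CFG are constructed from the article.
"""
import re
from dataclasses import dataclass, field

IFACE_RE = re.compile(r"^(?:gigabitethernet|ge|g)\s*([\d/]+)$", re.I)
PROMPT_RE = re.compile(r"^(?:HRP_[MS])?\[[^\]]*\]\s*")  # strips "[FW1-...]" prompts


def norm_iface(text: str) -> str:
    """'g1/0/1' or 'GigabitEthernet 1/0/1' -> 'GigabitEthernet1/0/1'."""
    m = IFACE_RE.match(text.strip())
    return f"GigabitEthernet{m.group(1)}" if m else text.strip()


@dataclass
class FwConfig:
    name: str
    hrp_enabled: bool = False
    standby_device: bool = False
    heartbeat: str = ""
    remote: str = ""
    addresses: dict = field(default_factory=dict)  # interface -> IP
    zones: dict = field(default_factory=dict)      # interface -> zone
    vrrp: dict = field(default_factory=dict)       # VRID -> (iface, vip, role)


def parse(name: str, text: str) -> FwConfig:
    cfg, iface, zone = FwConfig(name), None, None
    for raw in text.splitlines():
        t = PROMPT_RE.sub("", raw).replace("(+B)", "").split()
        if not t:
            continue
        if t[0] in ("interface", "int"):
            iface, zone = norm_iface(" ".join(t[1:])), None
        elif t[:2] == ["firewall", "zone"]:
            zone, iface = t[2], None
        elif t[0] == "quit":
            iface = zone = None
        elif t[0] == "ip" and t[1] in ("address", "add") and iface:
            cfg.addresses[iface] = t[2]
        elif t[0] == "add" and t[1] in ("interface", "int") and zone:
            cfg.zones[norm_iface(" ".join(t[2:]))] = zone
        elif t[0] == "hrp" and t[1] in ("interface", "int"):
            end = t.index("remote") if "remote" in t else len(t)
            cfg.heartbeat = norm_iface(" ".join(t[2:end]))
            cfg.remote = t[end + 1] if end < len(t) else ""
        elif t[:2] == ["hrp", "enable"]:
            cfg.hrp_enabled = True
        elif t[:2] == ["hrp", "standby-device"]:
            cfg.standby_device = True
        elif t[:2] == ["vrrp", "vrid"] and iface:
            cfg.vrrp[int(t[2])] = (iface, t[t.index("virtual-ip") + 1], t[-1])
    return cfg


def check_pair(a: FwConfig, b: FwConfig) -> list:
    """Return the findings; an empty list means the pair is consistent."""
    f = []
    for c, peer in ((a, b), (b, a)):
        if not c.hrp_enabled:
            f.append(f"{c.name}: hrp enable missing")
        peer_ip = peer.addresses.get(peer.heartbeat)
        if c.remote and c.remote != peer_ip:
            f.append(f"{c.name}: remote {c.remote} is not {peer.name}'s heartbeat address {peer_ip}")
    if a.heartbeat != b.heartbeat:
        f.append(f"heartbeat interface differs: {a.heartbeat} vs {b.heartbeat}")
    if a.zones.get(a.heartbeat) != b.zones.get(b.heartbeat):
        f.append("heartbeat interface is not in the same zone on both devices")
    if a.standby_device == b.standby_device:
        f.append("exactly one device must be configured with hrp standby-device")
    if set(a.vrrp) != set(b.vrrp):
        f.append(f"VRID sets differ: {sorted(a.vrrp)} vs {sorted(b.vrrp)}")
    for vrid in sorted(set(a.vrrp) & set(b.vrrp)):
        (ia, va, ra), (ib, vb, rb) = a.vrrp[vrid], b.vrrp[vrid]
        if (ia, va) != (ib, vb):
            f.append(f"VRID {vrid}: interface/virtual IP differ ({ia} {va} vs {ib} {vb})")
        if {ra, rb} != {"active", "standby"}:
            f.append(f"VRID {vrid}: need one active and one standby, got {ra}/{rb}")
    return f


# Constructed from the article's FW1 values (untrust/trust zone lines omitted).
FW1_CFG = """interface GigabitEthernet1/0/0
 ip address 10.1.1.1 24
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
interface GigabitEthernet1/0/1
 ip address 10.2.1.1 24
interface Gig 1/0/2
 ip address 10.3.1.1 24
 vrrp vrid 2 virtual-ip 10.3.1.3 active
firewall zone dmz
 add interface GigabitEthernet1/0/1
hrp interface GigabitEthernet 1/0/1 remote 10.2.1.2
hrp enable
""".replace("Gig 1/0/2", "GigabitEthernet1/0/2")
# FW2 mirrors FW1: host part .2, standby roles, remote pointing back at FW1.
FW2_CFG = (FW1_CFG.replace(".1.1 24", ".1.2 24").replace(" active", " standby")
           .replace("remote 10.2.1.2", "remote 10.2.1.1") + "hrp standby-device\n")

if __name__ == "__main__":
    for line in check_pair(parse("FW1", FW1_CFG), parse("FW2", FW2_CFG)) or ["consistent"]:
        print(line)
```

Paste the running configuration of each device into the two strings (prompt prefixes such as HRP_M[FW1-GigabitEthernet1/0/0] and (+B) echoes are stripped) and an empty result means the pair satisfies the rules above; a mismatched remote address or two active roles for one VRID is reported before the devices are brought up together.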