2025-01-19 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
[Network knowledge points] Active/standby redundancy technology for firewalls
This article uses Cisco Failover as the active/standby redundancy technology. Huawei's equivalent is VRRP+HRP; you can look up the corresponding Huawei configuration yourself. In practice there is little difference between the two, although the principles differ somewhat: Huawei makes mutual active/standby (A/A) easier, while Cisco needs multiple-context (virtual firewall) mode for it, which is more complicated.
A/S (active/standby) mode:
Experimental environment:
Through GNS3 simulation, the firewall image is pix804.bin, the router is c3640-jk9o3s-mz.124-10a.bin, and the switch is c3640-jk9o3s-mz.124-10a.bin + switch port board + no ip routing.
Notes:
1. The firewall needs a license activation key to use more features: run activation-key 0xd2390d2c 0x9fc4b36d 0x98442d99 0xeef7d8b1 and then reload.
2. If you want to test with ping, the firewall needs ICMP inspection (stateful ICMP) enabled; the command is fixup protocol icmp.
Details of the main configurations:
Primary firewall configuration:
# configure the inside and outside interface addresses
interface ethernet0
 shutdown
 no nameif
 no security-level
 no ip address
interface ethernet1
 nameif inside
 security-level 100
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253 # the standby address is required: it is the address on which the peer's interface is polled; without it the active and standby units cannot monitor each other's interface state, so failover cannot switch on interface status
interface ethernet2
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0 standby 100.1.1.2
interface ethernet3
 no shutdown # e3 and e4 (the failover links) only need no shutdown
interface ethernet4
 no shutdown
# configure the default route
route outside 0.0.0.0 0.0.0.0 100.1.1.3 1
route inside 1.1.1.1 255.255.255.255 192.168.1.1 1
# main failover configuration
failover
failover lan unit primary # defines which unit is primary and which is secondary; this is the only line that differs between the two units
failover lan interface PZ Ethernet3 # failover LAN link (configuration synchronization), named PZ
failover lan enable
failover key vrfxie # key used to authenticate failover messages between the two units
failover link ZT Ethernet4 # stateful failover link (connection-state synchronization), named ZT
failover interface ip PZ 10.1.12.1 255.255.255.0 standby 10.1.12.2
failover interface ip ZT 10.2.12.1 255.255.255.0 standby 10.2.12.2
Secondary firewall configuration:
failover
failover lan unit secondary
failover lan interface PZ Ethernet3
failover lan enable
failover key vrfxie
failover link ZT Ethernet4
failover interface ip PZ 10.1.12.1 255.255.255.0 standby 10.1.12.2
failover interface ip ZT 10.2.12.1 255.255.255.0 standby 10.2.12.2
Nothing else needs to be configured! As soon as ports e3 and e4 are brought up, the secondary automatically synchronizes the configuration from the primary firewall, which is the key point of the whole setup. Many people also configure e1 and e2 by hand on the secondary, which conflicts with the primary's configuration and makes failover fail.
Finally, no shutdown on ports e3 and e4 to start synchronization. If the following messages appear, synchronization succeeded:
Detected an Active mate
Beginning configuration replication from mate.
End configuration replication from mate.
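The rule above (the secondary carries only the failover stanza, differing from the primary only in failover lan unit, and no hand-typed interfaces) can be checked before the links are brought up. This is an added example, not the article's own code; it assumes both configs are available as text, and the sample configs are constructed.

```python
"""Sanity-check a secondary PIX unit's hand-typed config before bringing up the
failover links. Added example, not from the article; it encodes the article's rule:
only the failover stanza, same as the primary's except 'failover lan unit', no interfaces."""
import re
UNIT_LINE = "failover lan unit"

def failover_lines(config):
    """Normalized 'failover ...' lines, without the per-unit role line."""
    lines = [l.strip().lower() for l in config.splitlines()]
    return [l for l in lines if l.startswith("failover") and not l.startswith(UNIT_LINE)]

def configured_interfaces(config):
    """Names of interfaces that carry nameif or ip address lines."""
    current, found = None, set()
    for raw in config.splitlines():
        line = raw.strip().lower()
        if m := re.match(r"interface\s+(\S+)", line):
            current = m.group(1)
        elif current and line.startswith(("nameif", "ip address")):
            found.add(current)
    return sorted(found)

def check_secondary(primary, secondary):
    """Return the problems found on the secondary; an empty list means it is clean."""
    diff = set(failover_lines(primary)) ^ set(failover_lines(secondary))
    problems = [f"failover line differs between units: '{l}'" for l in sorted(diff)]
    roles = [l.strip().lower() for l in secondary.splitlines() if l.strip().lower().startswith(UNIT_LINE)]
    if roles != ["failover lan unit secondary"]:
        problems.append("secondary must contain exactly one 'failover lan unit secondary'")
    for name in configured_interfaces(secondary):
        problems.append(f"{name} is configured by hand on the secondary; let replication supply it")
    return problems

# Constructed samples: the secondary has a mistyped key and a hand-typed inside interface
PRIMARY = """failover lan unit primary
failover lan interface PZ Ethernet3
failover lan enable
failover key vrfxie
failover link ZT Ethernet4
interface ethernet1
 nameif inside
 ip address 192.168.1.254 255.255.255.0 standby 192.168.1.253
"""
SECONDARY_BAD = """failover lan unit secondary
failover lan interface PZ Ethernet3
failover lan enable
failover key typo
failover link ZT Ethernet4
interface ethernet1
 nameif inside
"""
```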
Test:
Shut down the switch port facing the primary firewall (upstream or downstream) or disconnect its link; the following message appears on the primary firewall:
pixfirewall(config)#
Switching to Standby
The standby then becomes active. Restore the switch port or link on the primary firewall's side, then shut down the switch port or disconnect the link on the standby firewall's side, and the primary firewall becomes active again:
Switching to Active
The switchover time is about 30 seconds, which is not ideal for real commercial use. This may be due to the simulator; a real device may not be this slow.
R1 kept a TCP connection to R2 open before the failure; after the failover the TCP session continued without needing to reconnect.
The test was successful!
Analysis:
0. Compared with VRRP plus a transparent-mode firewall as the active/standby pair, the switchover is slightly slower, but it has stateful backup, so business connections do not need to be re-established after the active/standby switch.
1. Switchover mechanism: both the outside and inside interfaces are polled, and a switchover happens only when the peer's interface is detected as down. The switchover time in the GNS3 simulation is about 30 seconds. Note: if only the heartbeat (failover link) is broken while interface polling is still fine, no switchover occurs.
2. Failover is not preemptive: after a switchover, even if the primary recovers, the active role is not restored to it. Use the command failover active to switch back manually.
3. All physical interfaces are tracked by default. If there are subinterfaces, you need to configure them through monitor-interface.
A/A (active/active) mode:
Implementation environment:
Through GNS3 simulation, the firewall image is pix804.bin, the router is c3640-jk9o3s-mz.124-10a.bin, and the switch is c3640-jk9o3s-mz.124-10a.bin + switch port board + no ip routing.
This architecture is closer to real-world use: the two firewalls back each other up, both are active and there are two exits, so bandwidth on neither side is wasted. If you want to find a drawback, it is that both sides need more bandwidth: when a failure occurs, one side has to carry all the traffic, so plan capacity accordingly.
Details of the main configurations:
The switch configuration is not shown here; it is very simple and almost entirely layer-2 switching. The focus is the firewalls, which implement mutual active/standby through multiple-context mode.
PIX1 configuration:
mode multiple # switch the firewall to multiple-context mode before virtual sub-firewalls (contexts) can be configured
interface ethernet0 # no shutdown every interface that will be allocated to a sub-firewall (repeat for the other interfaces)
 no shutdown
failover group 1 # configure failover group 1; up to two failover groups can be created
 primary # group 1 prefers the primary physical unit, so its contexts become active there
 preempt # when a failover occurs, the originally active side becomes standby; once the failover group or unit recovers, the contexts joined to group 1 preempt and become active on the primary unit again
failover group 2
 secondary # group 2 prefers the secondary physical unit; with preempt its contexts take the active role there
 preempt
admin-context admin # define the management context; the name after admin-context is arbitrary
context admin # enter the admin context configuration
 config-url flash:/admin.cfg # where the context's configuration file is stored
context C1 # define the sub-firewall (context) named C1
 allocate-interface Ethernet0 # assign the physical interface to the context so it is visible there, as below
 allocate-interface Ethernet3
 config-url flash:/c1.cfg
 join-failover-group 1 # add context C1 to failover group 1
context c2 # same as above
 allocate-interface Ethernet0
 allocate-interface Ethernet4
 config-url flash:/c2.cfg
 join-failover-group 2
failover # see the A/S explanation above
failover lan unit primary
failover lan interface PZ Ethernet1
failover lan enable
failover key vrfxie
failover link ZT Ethernet2
failover interface ip PZ 10.1.12.1 255.255.255.0 standby 10.1.12.2
failover interface ip ZT 10.2.12.1 255.255.255.0 standby 10.2.12.2
# Analysis: the failover state link and configuration link synchronize the configuration to the peer unit, so it does not need to be configured again there. The state link and configuration link are shared by all sub-firewalls (contexts).
PIX2 firewall configuration:
show mode # check whether the firewall is in multiple or single context mode
mode multiple # change the firewall to multiple-context mode
failover
failover lan unit secondary
failover lan interface PZ Ethernet1
failover lan enable
failover key vrfxie
failover link ZT Ethernet2
failover interface ip PZ 10.1.12.1 255.255.255.0 standby 10.1.12.2
failover interface ip ZT 10.2.12.1 255.255.255.0 standby 10.2.12.2
PIX2 only needs no shutdown on E1, then wait for PIX1 and PIX2 to synchronize!
The PIX2 firewall configuration is complete. After these steps the two firewalls elect their Active or Standby roles. After the election, the C1 context of PIX1 becomes Active and its c2 context becomes Standby; the C1 context of PIX2 becomes Standby and its c2 context becomes Active. All configuration is done on the contexts in the Active role; contexts in the Standby role can only view the configuration, synchronize it from the Active side, and monitor the Active side's health, ready to take over.
View the failover status from the system execution space (changeto system) of each firewall:
pixfirewall/pri/act(config)# show failover
Failover On
Cable status: N/A - LAN-based failover enabled
Failover unit Primary
Failover LAN Interface: PZ Ethernet1 (up)
Unit Poll frequency 15 seconds, holdtime 45 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 8.0 (4), Mate 8.0 (4)
Group 1 last failover at: 15:28:42 UTC Mar 23 2017
Group 2 last failover at: 14:34:48 UTC Mar 23 2017
This host: Primary
Group 1 State: Active
Active time: 3615 (sec)
Group 2 State: Standby Ready
Active time: 525 (sec)
C1 Interface outside (100.1.1.1): Normal (Waiting)
C1 Interface inside (192.168.10.254): Normal (Waiting)
C2 Interface outside (100.1.1.4): Normal
C2 Interface inside (192.168.20.253): Normal
Other host: Secondary
Group 1 State: Standby Ready
Active time: 150 (sec)
Group 2 State: Active
Active time: 3240 (sec)
C1 Interface outside (100.1.1.3): Normal (Waiting)
C1 Interface inside (192.168.10.253): Normal (Waiting)
C2 Interface outside (100.1.1.2): Normal
C2 Interface inside (192.168.20.254): Normal
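As an added example (not from the original article), a small parser for this show failover output that checks that each failover group has exactly one Active and one Standby Ready unit, and flags interfaces that are not plain Normal, such as the "(Waiting)" ones above. The SAMPLE text is a constructed copy of the listing above.

```python
"""Parse 'show failover' output from a multi-context PIX/ASA pair and check its
health. Added example, not from the article; SAMPLE is a constructed copy of
the article's own listing (Failover/Version header lines omitted)."""
import re

SAMPLE = """This host: Primary
  Group 1 State: Active
  Group 2 State: Standby Ready
    C1 Interface outside (100.1.1.1): Normal (Waiting)
    C1 Interface inside (192.168.10.254): Normal (Waiting)
    C2 Interface outside (100.1.1.4): Normal
    C2 Interface inside (192.168.20.253): Normal
Other host: Secondary
  Group 1 State: Standby Ready
  Group 2 State: Active
    C1 Interface outside (100.1.1.3): Normal (Waiting)
    C1 Interface inside (192.168.10.253): Normal (Waiting)
    C2 Interface outside (100.1.1.2): Normal
    C2 Interface inside (192.168.20.254): Normal
"""
HOST_RE = re.compile(r"^(?:This|Other) host:\s+(\w+)")
GROUP_RE = re.compile(r"^\s*Group (\d+) State:\s+(.+?)\s*$")
IFACE_RE = re.compile(r"^\s*(\w+) Interface (\w+) \(([\d.]+)\):\s+(.+?)\s*$")

def parse_failover(text):
    """Return {unit_role: {'groups': {n: state}, 'ifaces': [(ctx, name, ip, status)]}}."""
    hosts, current = {}, None
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            current = hosts.setdefault(m.group(1), {"groups": {}, "ifaces": []})
        elif current and (m := GROUP_RE.match(line)):
            current["groups"][int(m.group(1))] = m.group(2)
        elif current and (m := IFACE_RE.match(line)):
            current["ifaces"].append(m.groups())
    return hosts

def failover_problems(text):
    """Each group must have one Active and one Standby Ready unit; every monitored
    interface should read plain 'Normal' ('Normal (Waiting)' = no peer hello seen yet)."""
    hosts, problems = parse_failover(text), []
    for g in sorted({g for h in hosts.values() for g in h["groups"]}):
        states = sorted(h["groups"].get(g, "missing") for h in hosts.values())
        if states != ["Active", "Standby Ready"]:
            problems.append(f"group {g}: unit states {states}")
    for role, h in hosts.items():
        for ctx, name, ip, status in h["ifaces"]:
            if status != "Normal":
                problems.append(f"{role} {ctx} {name} ({ip}): {status}")
    return problems
```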
The IP addresses and routes of the C1 and C2 sub-firewalls must be configured on the context that is in the Active state; the context in the Standby state cannot be configured.
prompt hostname priority state context # changes the prompt text shown before "#"; configure it on the physical unit (system space) so each unit's role is easy to see
Configure C1 in PIX1:
changeto context C1 # switch to the C1 sub-firewall for configuration
interface Ethernet0 # see the A/S explanation above; the same applies here
 nameif outside
 security-level 0
 ip address 100.1.1.1 255.255.255.0 standby 100.1.1.3
interface Ethernet3
 nameif inside
 security-level 100
 ip address 192.168.10.254 255.255.255.0 standby 192.168.10.253
Configure c2 in PIX2:
changeto context c2
interface Ethernet0
 nameif outside
 security-level 0
 ip address 100.1.1.2 255.255.255.0 standby 100.1.1.4
interface Ethernet4
 nameif inside
 security-level 100
 ip address 192.168.20.254 255.255.255.0 standby 192.168.20.253
Finally, the routes must be configured. The route configuration is not shown here; it is basically just a default route.
Test:
Disconnect the switch port on PIX1's uplink.
Restore the switch port.
Analysis:
1. After a successful switchover, the original state is automatically restored once the failure recovers, which differs from A/S mode!
2. The switchover is fast: within five seconds!
3. Compared with A/S mode it has great advantages in both architecture and efficiency.
If there are any questions in this article, you are welcome to leave a message. Thank you!