Shulou(Shulou.com)06/01 Report--

When it comes to firewalls, we generally think of the boundary equipment of the enterprise, which is the only way for intranet users and the Internet. Firewall carries a lot of functions, such as: security rules, IPS, file type filtering, content filtering, application layer filtering and so on. It is precisely because the firewall is so important that if there is a problem with the firewall, all external communication services will be interrupted, so the first thing to consider in the enterprise is the optimization and high availability of the firewall.

Blog outline:

1. Working principle of dual-computer hot standby

II. VRRP protocol

(1) Overview of VRRP protocol

(2) the role of VRRP

(3) State machine of VRRP

(4) the working principle of VRRP

III. VGMP protocol

(1) the working principle of VGMP

(2) message encapsulation of VGMP

(3) backup mode of dual-computer hot backup

(4) dual-computer hot backup when connecting to the router

Fourth, realize the configuration of firewall dual-computer hot backup.

1. Working principle of dual-computer hot standby

With the development of the Internet, most of the problems in people's life can be solved through the network, but at the same time, the problem of network security is also gradually exposed. Deploying a firewall in an enterprise has become the norm. How to ensure the uninterrupted transmission of the network has become an urgent problem in the development of the network!

The enterprise deploys a firewall at the key business exit, and all the external traffic is transmitted through the firewall. once the firewall fails, the enterprise will face the problem of network interruption, no matter how good the performance of the firewall itself. how powerful it is. At this moment, it is impossible to recover the losses faced by the enterprise. Therefore, the deployment of two firewall products at the export of the enterprise can not only increase the security of the enterprise, but also ensure that the business transmission will not be interrupted, because the probability of the two devices failing at the same time is very small. After the deployment on the right side of the figure, from a topological point of view, the network has very high reliability, but from a technical point of view, there are still some problems to be solved, precisely because the firewall and the router are essentially different in working principle. so the firewall still needs some special configuration.

In the figure on the left, the internal network can reach the external network through R3 → R1 → R4 or through R3 → R2 → R4. If the cost through the R3 → R1 → R4 path (running OSPF protocol) is relatively small, then by default, the internal network will reach the external network through R3 → R1 → R4. When the R1 device is damaged, OSPF will automatically converge and R3 will forward through R2 to the external network.

In the figure on the right, R1 and R2 are replaced by two firewalls. By default, traffic will be forwarded to the external network through FW1. At this time, a large number of session entries corresponding to user traffic are recorded in FW1. When the FW1 is damaged, the traffic will be converged through OSPF, and the traffic will be directed to the FW2, but there is no session table for previous traffic on the FW2, and the returned traffic from the previous transmission session will not be able to pass through FW2. The subsequent traffic of the session needs to be re-checked by the security policy and the session is generated. This means that all previous traffic will be interrupted unless the connection is re-established.

As shown in the figure, the dual hot backup function of Huawei firewall is to provide a backup link (heartbeat line), negotiate the active and standby status between firewalls and backup session tables, Server-map tables and other operations. The active device and the standby device are selected according to the configuration of the firewall. When the active device is working normally, the standby device does not provide packet forwarding, but the standby device will download the current session table and Server-map table from the active device in real time. Thus, when the active equipment fails, even if the standby device is switched to the standby device, the standby device still has the conversation table and Server-map table of the current flow, thus ensuring that the service flow is uninterrupted.

In a dual-machine hot backup environment, the requirements are as follows:

(1) the interfaces used by two firewalls for heartbeats are added to the same security zone.

(2) the device number of the interface used by the two firewalls for the heartbeat must be the same, for example, both are G1max 0max 0.

(3) it is recommended that the two firewalls for dual-server hot backup use the same model and the same VRP version.

The dual hot backup of Huawei firewall includes the following two modes:

Hot standby mode: only one firewall is used to forward packets at a time, other firewalls do not forward packets, but session tables and Server-map tables are synchronized; load balancing mode: at the same time, multiple firewalls forward data at the same time, but each firewall acts as a standby device for other firewalls, that is, each firewall is both active and standby, and session tables and Server-map tables are synchronized between firewalls

The hot backup mode and load balancing mode of Huawei defense wall are shown in the figure:

II. VRRP protocol

In dual-computer hot standby technology, even if the active device and standby device are selected, traffic is forwarded through the active device by default, while the standby device is in a backup state. But the client usually specifies the network exit by specifying the gateway address, and when the client points the gateway to the active device, the traffic is naturally forwarded from the active device, but when the active device fails, the client does not automatically point the gateway to the standby device, so even if the dual hot standby itself can be switched, the client is still unable to communicate properly. Therefore, in order to ensure that the dual-computer hot standby can work properly, it is also necessary to solve the problem of automatic switching of the client gateway. VRRP technology can solve the problem of automatic gateway switching, and even make the device switching transparent to the client. VRRP is a very important part of the dual-computer hot standby technology of Huawei firewall.

(1) Overview of VRRP protocol

VRRP can be used in routers to provide gateway redundancy, or it can be used as a double-click hot backup in firewalls.

The basic concepts of VRRP are as follows:

(1) VRRP router: a router running VRRP protocol

(2) Virtual router: a backup group consisting of an active router and several backup routers, and a backup group provides a virtual gateway to the client.

(3) VRID:Virtual Router ID, the virtual router ID, is used to uniquely identify a backup group

(4) Virtual IP address: the gateway IP address provided to the client, which is also the IP address assigned to the virtual router, is configured in all VRRP. Only the active device provides the ARP response of the IP address.

(5) Virtual MAC address: based on the MAC address generated by VRID for VRRP, when the client resolves the MAC address of the gateway through the ARP protocol, the active router provides the MAC address.

(6) IP address owner: if the IP address of a virtual router is configured as the real IP address of a member's physical interface, then the member is called the IP address owner.

(7) priority: used to indicate the priority of the VRRP router and to select the active and standby devices according to the priority of each VRRP router

(8) preemption mode: in preemption mode, if the standby router takes precedence over other routers in the backup group (including the current active router), it will immediately become the new active router.

(9) non-preemptive mode: in non-preemptive mode, if the standby router takes precedence over other routers in the backup group (including the current active router), it will not immediately become the active router. Until the next fair election (such as power outage, device restart, etc.)

The working principle of VRRP is basically the same as that of Cisco devices, except for a few details, as shown in the figure:

(2) the role of VRRP

Routers operating in VRRP mode have two roles, namely:

Master router: normally, the Master router is responsible for ARP response and packet forwarding, and by default advertises the current status information of the Master router to other routers every 1s. Backup router: the backup router of Master router, normally does not provide packet forwarding, when the Master router fails, the router with the highest priority of all Backup routers will become the new Master router to replace the work of forwarding packets, thus ensuring uninterrupted business; (3) VRRP state machine

VRRP defines three working states, as follows:

Initialize status: the initial state when you just configured VRRP. In this state, the VRRP message is not processed, and it will enter this state when the interface shutdown or interface fails; Master state: a state when the current device is elected as the active router. In this state, the service message will be forwarded and the VRRP advertisement message will be sent periodically. The router in this state will also respond to the ARP request initiated by the client and respond to the virtual MAC address to the client. When the interface is down, it immediately switches to the Initialize state; Backup state: a state in which the current device is elected as a standby router. In this state, no service message is forwarded, and the router working in this state will receive the VRRP advertisement message sent by the active router and judge whether the active router is working properly. The status information on the active device will also be synchronized in dual hot standby mode

The switching relationship between the three states is shown in the figure:

The Initialize state is the initial state of VRRP. When the interface shutdown, whether the router is in the Master state or the Backup state, it will immediately switch to the Initialize state. When the router is configured with the IP address owner, its priority defaults to 255.When the router switches directly from the Initialize state to the Master state, when the router is not the owner of the IP address, its priority

< 255，此时路由器直接由Initialize状态切换至Backup状态；处于Master状态的路由器如果收到优先级更大的VRRP报文，将由Master状态切换至Backup状态，而Backup状态的路由器如果收到一个优先级更大或者本地优先级相等的报文（通常是由Master路由器发出），将重置Master_DOWN_Interval计时器，如果一直没有接收到Master路由器发送的VRRP通过报文，待Master_DOWN_Interval计时器超时后，将由Backup状态切换至Master状态。 注意：除非手工将路由器配置为IP地址拥有者（优先级=255），否则VRRP的状态切换总是先经历Backup状态，即时路由器的优先级最高，也需要从Backup状态过渡到Master状态。此时Backup状态只是一个瞬间的过渡状态。 （4）VRRP的工作原理 VRRP选举Master路由器和Backup路由器的流程如下： 首先选举优先级高的设备成为Master路由器，如果优先级相同，再比较接口的IP地址大小，IP地址大（数值大）的设备将成为Master路由器，而备份组中其他的路由器将成为Backup路由器。 VRRP中的默认接口优先级值为100，取值范围为0~255。其中优先级0是系统保留，优先级255保留给IP地址拥有者，IP地址拥有者不需要配置优先级，优先级默认是255。 VRRP的工作原理如图：

Failover process:

By default, the Master device (FW1) sends VRRP advertisements to the Backup device periodically (every 1s), and the Backup device resets the Master_DOWN_Interval timer to 0 each time it receives a VRRP advertisement. When the Master device fails and cannot send out the VRRP notification message, the Backup device will not be able to receive the VRRP. After the Master_DOWN_Interval timeout, it will directly switch from the Backup state to the Master state, and FW2 will replace FW1 to become the new Master device. At the same time, a free ARP message is sent to the downstream switch to update the MAC address table of the downstream switch. FW2 will respond directly to the ARP request message initiated by the client for the virtual IP, and the message sent by the client will also be forwarded by FW2, and all these changes are transparent to the client. Because the virtual IP address is still available!

When FW1 resolves the failure and returns to normal operation, because the priority configuration of FW1 is higher than that of FW2, in preemptive mode, it will directly become a Master device, while FW2 will return to Backup again; in non-preemptive mode, FW2 will still be a Master device and FW1 will become a Backup device.

Recommendation: when there is little difference in performance between Master devices and Backup devices, and the network is large, it is recommended to configure it in non-preemptive mode, as this can reduce network fluctuations.

3. VGMP Protocol (1) the working principle of VGMP

If you only use dual-server hot backup + VRRP, the following will occur:

The reason for the following is that the two VRRP backup groups work independently, so is there any way to make the two backup groups work together to ensure the state consistency of the devices in the two backup groups? You need to use the-- VGMP protocol.

VGMP (VRRP Group Management Protocol) is used to realize the unified management of VRRP backup groups to ensure the state consistency of devices in each backup group. VGMP manages uniformly by adding all backup groups (backup group 1 and backup group 2) to one VGMP group on the devices (FW1 and FW2). Once a state change in a backup group (backup group 1) is detected (such as the interface enters the Initialize state), the VGMP group reduces its priority by 2 and renegotiates the Active group and the Standby group of the VGMP. The elected Active group will uniformly switch the state of all other backup groups (backup group 1 and backup group 2) (FW2 in backup group 1 and backup group 2 will become Master devices).

How VGMP works:

The status of the VGMP group determines the status of the VRRP backup group, that is, the roles of the devices (such as Master and Backup) are no longer elected by VRRP messages, but are managed directly through VGMP; the status of the VGMP group is determined by comparing priorities, the high priority VGMP group will become Active, and the low priority VGMP group will become Standby;. By default, the priority of the VGMP group is 45000. VGMP automatically adjusts the priority according to the status of the VRRP backup group within the group. Once the status of the backup group is detected to be Initialize, the priority of the VGMP group is automatically reduced by 2. The VGMP status information is negotiated through the heartbeat.

How VGMP works:

Note: after joining the VGMP group, the status identification in VRRP changes from Master and Backup to Active and Standby.

(2) message encapsulation of VGMP

VGMP negotiates the status information of VGMP through heartbeat, which is realized by sending VGMP message. VGMP messages come in the following two forms, as shown in the figure:

In the figure on the left, beware of the jumper directly connected, or when connected through a layer 2 switch, the message sent belongs to the multicast message, and the message package does not carry the UDP header information.

In the figure, when the heartbeat is connected through a layer 3 device (router), an additional UDP header message is added in the message encapsulation because the multicast message cannot pass through the layer 3 device. At this time, the message sent is unicast.

In practical application, message encapsulation should be chosen flexibly according to the actual topology. In Huawei firewall, use the following command to specify which type of encapsulation the message sent by the interface belongs to.

[USG6000V1] hrp int g 1-0-0 / / the eNSP simulator does not support this command [USG6000V1] hrp int g 1-0-0 remote 1.1.1.1

The hrp command is used to specify the interface for the heartbeat link, the command with remote parameter indicates that the message will encapsulate UDP and sends the unicast message, and the command without remote parameter indicates that the multicast message will be sent. 1.1.1.1 identifies that the peer is the IP address of the (heartbeat line peer-to-peer interface), which is required to be routable and needs to be specified only when the remote parameter is specified.

Note:

After joining VGMP, the function of heartbeat includes backup of state information (session table and Server-map table) and VGMP state negotiation. Huawei firewall releases multicast traffic (VGMP message without remote parameter) and forbids unicast traffic (VGMP message with remote parameter) by default, so the remote parameter is configured, and the security policy between Local area and heartbeat interface area needs to be configured. The interface with virtual IP address cannot be used as heartbeat port; if layer 2 interface is used as heartbeat interface, it cannot be configured directly on layer 2 interface, but layer 2 interface is added to VLAN and heartbeat interface is configured in VLAN; in eNSP simulator, when heartbeat interfaces are connected, remote parameters must also be configured, otherwise it cannot be configured; (3) backup mode of dual-computer hot backup

Double-click hot backup can be done in the following three ways:

Automatic backup: in this mode, the configuration commands related to dual-computer hot backup can only be configured on the active device and automatically synchronized to the standby device, and the active device automatically synchronizes the status information to the standby device. This mode is the default open mode of Huawei firewall and is mainly used in hot standby mode. Manual batch backup: in this mode, all configuration commands and status information on the active device are automatically synchronized to the standby device only when the batch backup command is manually specified. This mode is mainly used in scenarios where the configuration of the master and slave devices are not synchronized and need to be synchronized immediately. Fast backup: in this mode, the configuration commands are not synchronized, only the status information is synchronized. In a load-balanced dual-machine hot standby environment, this mode must be enabled to quickly update status information

(1) enable double-click hot backup function

[USG6000V1] hrp enableHRP_ S [USG6000V1] / / prompt changes after enabling dual hot backup

(2) configure automatic backup mode

HRP_ M[USG6000V1] hrp auto-sync

When the dual-computer hot backup is enabled, there will be a (+ B) prompt when executing commands that can be synchronized.

HRP_ M [USG6000V1] security-policy (+ B)

(3) configure manual batch backup mode

HRP_Mhrp sync config / / indicates manual synchronization command configuration HRP_Mhrp sync connection-status / / indicates manual synchronization status information / / Note, this command is executed in the user view

(4) configure fast backup mode

HRP_ M [USG6000V1] hrp mirror session enable (4) dual Hot standby when connecting to a Router

When configuring dual hot standby upstream or downstream is a switching device, you can detect the status of the interface or device through VRRP, but when the upstream or downstream device is a router, VRRP does not function properly (VRRP relies on multicast for failover). The practice of Huawei firewall is to monitor the status of its interface and cooperate with OSPF to achieve traffic switching.

Join the VGMP group directly through the interface. When the interface fails (even if the peer device fails, the physical characteristics of the local interface will be turned off), the VGMP will perceive the change of the interface state, thus reducing the priority of the VGMP group and switching from the Active state to the Stabdby state. The previous Standby group was promoted to the Active state. When the VGMP group in Standby publishes the OSPF route, it will automatically increase the cost value by 65500, through the automatic convergence of OSPF, and finally direct the traffic to the Active group device.

Fourth, realize the configuration of firewall dual-computer hot backup.

Experimental extension:

Case implementation:

(1) configure IP addresses for firewall interfaces, add them to their respective zones, and set corresponding security policies

[FW1] int g1/0/0 [FW1-GigabitEthernet1/0/0] ip add 10.1.1.101 24 [FW1-GigabitEthernet1/0/0] int g1/0/1 [FW1-GigabitEthernet1/0/1] ip add 172.16.1.1 24 [FW1-GigabitEthernet1/0/1] int g1/0/2 [FW1-GigabitEthernet1/0/2] ip add 192.168.1.101 24 [FW1-GigabitEthernet1/0/2] quit[FW1] firewall zone untrust [FW1-zone-untrust] add Int g1racer 0 [FW1-zone-untrust] quitFW1 firewall zone dmz [FW1-zone-dmz] add int G1 raceme 1 [FW1-zone-dmz] quitFW1 firewall zone trust [FW1-zone-trust] add int G1 Unique 2 [FW1-zone-trust] quitFW1 security-policy [FW1-policy-security] rule name trust_to_ untruth [FW1-policy-security-rule-trust_to_untrust] source-zone trust [FW1-policy-security-rule-trust_ To_untrust] destination-zone untrust [FW1-policy-security-rule-trust_to_untrust] action permit / / configure security policy: internal traffic can be sent to external [FW1-policy-security-rule-trust_to_untrust] quit [FW1-policy-security] rule name local_to_dmz [FW1-policy-security-rule-local_to_dmz] source-zone local [FW1-policy-security-rule-local_to_dmz] destination-zone dmz [FW1-policy-security-rule- Local_to_dmz] action permit / / configure security policy: the configuration of [FW1-policy-security-rule-local_to_dmz] quit [FW1-policy-security] quit//FW2 is almost identical to that of FW1 from the firewall itself to the DMZ area (establishing heartbeat). I won't say much here. / / Note that the same rules need to be set on FW2.

(2) configure VRRP backup group

The configuration of FW1 is as follows:

[FW1] int g1/0/2 [FW1-GigabitEthernet1/0/2] vrrp vrid 1 virtual-ip 192.168.1.100 active [FW1-GigabitEthernet1/0/2] int g1/0/0 [FW1-GigabitEthernet1/0/0] vrrp vrid 2 virtual-ip 10.1.1.100 active

The configuration of FW2 is as follows:

[FW2] int g1/0/2 [FW2-GigabitEthernet1/0/2] vrrp vrid 1 virtual-ip 192.168.1.100 standby [FW2-GigabitEthernet1/0/2] int g1/0/0 [FW2-GigabitEthernet1/0/0] vrrp vrid 2 virtual-ip 10.1.1.100 standby

(3) configure heartbeat interface

[FW1] hrp int g1DMZ remote 172.16.1.2//FW1 specifies the heartbeat interface and specifies the peer interface IP address [FW2] hrp int g1and1 remote 172.16.1.1//FW ditto, which is why the firewall needs to set the policy from the local to the DMZ zone

(4) enable dual-computer hot backup

[FW1] hrp enableHRP_ S [FW1] / / FW1 configuration, command prompt has changed [FW2] hrp enableHRP_ S [FW2] / / FW2 ditto

(5) configure backup method

HRP_ S [FW1] hrp auto-sync// configuration automatic backup HRP_ S [FW2] hrp auto-sync

(6) configuration check and verification

① to view the status information of dual-computer hot backup.

HRP_ M [FW1] display hrp state Role: active, peer: standby / / Local status is Active, peer is Standby Running priority: 45000, peer: 45000 / / Local priority is 45000 The opposite end is 45000 Core state: normal, peer: normal Backup channel usage: 0.005% Stable time: 0 days, 0 hours, 9 minutes Last state change information: 2019-10-26 6:29:53 HRP core state changed, old_state = abnormal (active), new_state = normal, local_priority = 45000, peer_priority = 45000.

② to check the status of heartbeat interface

HRP_ M[FW1] display hrp interface GigabitEthernet1/0/1: running

③ two PC are configured with IP address and gateway (virtual address), using PC1pingPC2

④ looks at the firewall session table

HRP_ M [FW1] display firewall session table Current Total Sessions: 2 udp: public-- > public 172.16.1.2 udp 49152-- > 172.16.1.1 udp 18514 udp: public-- > public 172.16.1.1 udp 49152-- > 172.16.1.2 Vuit18514

⑤ PC1 continuous pingPC2 to simulate FW1 interface failure

HRP_ M [FW1] int g1go 0Universe 2 (+ B) HRP_ M [FW1-GigabitEthernet1/0/2] shutdown

⑥ to view the status of FW2 double-click hot backup

HRP_ M [FW2] display hrp state Role: active, peer: standby (should be "standby-active") / / status has changed Running priority: 45000, peer: 44998 / / FW1 priority minus 2 Core state: abnormal (active), peer: abnormal (standby) Backup channel usage: 0.00% Stable time: 0 days, 0 hours 1 minutes Last state change information: 2019-10-26 6:49:06 HRP core state changed, old_state = normal, new_state = abnormal (active), local_priority = 45000, peer_priority = 44998.

The experiment is complete!

-this is the end of this article. Thank you for reading-

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.