
CCIE certification IE-LAB network laboratory: firewall dual-machine hot standby (part three)

2025-02-24 Update From: SLTechnology News&Howtos (Servers)


Shulou(Shulou.com)06/03 Report--

In a traditional network only one firewall is deployed at the exit. When that firewall fails, every host in the internal network that uses it as the default gateway loses its communication with the external network, so the reliability of that communication cannot be guaranteed.

Dual-machine hot standby technology was introduced to remedy this. By deploying two or more gateway devices at the network exit, it keeps communication between the internal and external networks flowing when one device fails.

As a security device, a USG firewall is generally deployed between the protected network and the unprotected network, that is, at the business interface point. If only one USG firewall is used at that point, then no matter how reliable the device is, the system carries the risk of a network outage caused by a single point of failure. To prevent an unexpected device failure from interrupting network service, two firewalls can be combined into a dual backup. This removes the single point of failure and lets the business fail over smoothly (the session tables must be synchronized for this).

There are two deployment modes for dual-machine hot standby:

1. Active/standby mode

2. Load sharing mode

Three protocols are involved:

1. VRRP - Virtual Router Redundancy Protocol

2. VGMP - VRRP Group Management Protocol (Huawei proprietary)

3. HRP - Huawei Redundancy Protocol (Huawei proprietary)

VRRP (Virtual Router Redundancy Protocol) is a basic fault-tolerance protocol.

Backup group: a group of routers in the same broadcast domain is organized into one virtual router, and all routers in the backup group jointly provide a virtual IP address that serves as the gateway address of the internal network.

Master router: among the routers in a backup group, only one is active, and only the master router forwards packets whose next hop is the virtual IP address.

Backup routers: all routers in the backup group other than the master are backup routers and remain in the backup state.

The master router periodically sends an advertisement message (HELLO) to the backup routers by multicast, and the backup routers listen for these advertisements to determine their own state. Because the VRRP HELLO is a multicast message, the routers in a backup group must be connected through layer 2 devices: when VRRP is enabled, the upstream and downstream devices must provide layer 2 switching, otherwise the backup routers cannot receive the HELLO messages sent by the master. If the network does not meet this condition, VRRP cannot be used.
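The election behaviour described above, as an added example that is not part of the original article or of any Huawei implementation: a small discrete-time model in which the master multicasts HELLOs, each backup arms a Master_Down timer and takes over when it expires. The timer formulas are the ones from RFC 3768 section 6.1 (Skew_Time = (256 - Priority)/256, Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time), so the higher-priority backup wins; the router names, priorities and the shared advertisement schedule are constructed for the simulation. The second scenario shows the caveat from the paragraph: a backup with no layer 2 path to the master never hears a HELLO and declares itself master while the real master is still up.

```python
from dataclasses import dataclass

ADVERT_INTERVAL = 1.0  # seconds; the RFC 3768 default Advertisement_Interval


@dataclass
class VrrpRouter:
    name: str
    priority: int               # 1..254 for a real router in the backup group
    hears_hellos: bool = True   # False models a router with no layer-2 path to the master
    up: bool = True
    state: str = "Backup"
    master_down_timer: float = 0.0

    def master_down_interval(self) -> float:
        # RFC 3768 6.1: Skew_Time = (256 - Priority) / 256 and
        # Master_Down_Interval = 3 * Advertisement_Interval + Skew_Time,
        # so the higher-priority backup's timer expires first.
        return 3 * ADVERT_INTERVAL + (256 - self.priority) / 256


def advertise(master: VrrpRouter, routers: list) -> None:
    """The master multicasts a HELLO; only routers on the same layer-2 segment hear it."""
    for r in routers:
        if r is master or not r.up or not r.hears_hellos:
            continue
        if r.state == "Backup":
            r.master_down_timer = r.master_down_interval()   # re-arm the Master_Down timer
        elif r.state == "Master" and r.priority < master.priority:
            r.state = "Backup"                                # yield to a higher-priority master
            r.master_down_timer = r.master_down_interval()


def simulate(routers: list, seconds: float, fail_name=None, fail_at=None, step=0.01) -> list:
    """Run the backup group; optionally take `fail_name` down at `fail_at` seconds.
    Returns the sorted names of all routers left in Master state."""
    first = max(routers, key=lambda r: r.priority)   # assume the initial election is done
    first.state = "Master"
    for r in routers:
        if r is not first:
            r.master_down_timer = r.master_down_interval()
    next_advert = 0.0
    for i in range(int(seconds / step)):
        t = i * step
        if fail_name is not None and fail_at is not None and t >= fail_at:
            for r in routers:
                if r.name == fail_name and r.up:
                    r.up, r.state = False, "Initialize"       # a dead master sends no HELLOs
        if t >= next_advert:                                   # one shared advertisement schedule
            for m in [r for r in routers if r.state == "Master" and r.up]:
                advertise(m, routers)
            next_advert = t + ADVERT_INTERVAL
        for r in routers:
            if r.state == "Backup" and r.up:
                r.master_down_timer -= step
        expired = [r for r in routers if r.state == "Backup" and r.up and r.master_down_timer <= 0]
        if expired:
            winner = max(expired, key=lambda r: r.priority)   # its timer expired first
            winner.state = "Master"
            advertise(winner, routers)                         # re-arms the remaining backups
    return sorted(r.name for r in routers if r.state == "Master")


def failover_scenario() -> list:
    """Master A dies at t=2s; B (priority 100) takes over before C (priority 80)."""
    routers = [VrrpRouter("A", 120), VrrpRouter("B", 100), VrrpRouter("C", 80)]
    return simulate(routers, seconds=8, fail_name="A", fail_at=2.0)   # ["B"]


def no_l2_path_scenario() -> list:
    """B cannot hear A's HELLOs (no layer-2 path), so both end up as Master."""
    routers = [VrrpRouter("A", 120), VrrpRouter("B", 100, hears_hellos=False)]
    return simulate(routers, seconds=6)   # ["A", "B"]
```

The second scenario is the one a defender wants to catch in a design review: two masters answering for the same virtual IP means the gateway MAC flaps between devices and traffic is silently split, which is exactly why the article requires layer 2 connectivity between the members of a backup group.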

VGMP protocol:

VGMP (VRRP Group Management Protocol) is a Huawei proprietary protocol. It defines the VGMP group, and the firewall (FW) manages the active/standby state of the device on the basis of that group.

VGMP ensures that the packets of a flow pass through the same firewall. When the active firewall fails, all traffic is switched to the standby firewall. The Eudemon firewall, however, is a stateful firewall: if the standby firewall holds no connection state data from the active firewall, much of the traffic switched to it cannot pass, existing connections are interrupted, and users must re-establish their connections.

To ensure that the standby device can take over smoothly when the active device fails, key information such as configuration commands and session table state must be backed up between the active and standby devices.

VGMP group management:

State consistency management

The VGMP management group to which each backup group belongs must be notified of every change in that backup group's master/backup status, and the VGMP management group alone decides whether the VRRP backup group may switch state. If a switchover is required, the VGMP management group switches all of its VRRP backup groups together. Once a VRRP backup group has joined a management group it can no longer switch state on its own.

Preemption management

A VRRP backup group has preemption of its own: when the originally failed master device recovers, its priority is restored as well, and it can then preempt its former state.

The preemption function of the VGMP management group works in a similar way: when a failed backup group within the management group recovers, the priority of the management group is restored, and VGMP then decides whether the device should re-preempt the active role.

Once a VRRP backup group has been added to a VGMP management group, the preemption function originally configured on the backup group is disabled; whether preemption takes place is decided solely by the VGMP management group.
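The two VGMP behaviours above (unified switchover of all member groups, and preemption decided by the management group rather than by the VRRP group), as an added example that is not part of the original article and does not reproduce Huawei's implementation: a model in which each firewall's VGMP group derives its priority from the health of its member VRRP groups, a member reports every link change to the management group, and only the management group moves state. The device names, base priorities, the per-failure penalty and the interface names are constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class VrrpGroup:
    vrid: int
    interface: str          # constructed interface name
    link_up: bool = True
    state: str = "Backup"


@dataclass
class VgmpGroup:
    """One firewall's VGMP management group; its members are that firewall's VRRP backup groups."""
    device: str
    base_priority: int      # constructed values, not taken from the article
    groups: list = field(default_factory=list)
    penalty: int = 20       # assumed: priority drop for each member group whose link is down
    state: str = "Standby"

    def priority(self) -> int:
        return self.base_priority - self.penalty * sum(1 for g in self.groups if not g.link_up)

    def set_state(self, state: str) -> None:
        """Members follow the management group; they never switch on their own."""
        self.state = state
        for g in self.groups:
            g.state = "Master" if (state == "Active" and g.link_up) else "Backup"


class HotStandbyPair:
    def __init__(self, a: VgmpGroup, b: VgmpGroup, preempt: bool = True):
        self.a, self.b, self.preempt = a, b, preempt
        a.set_state("Active")       # assume a wins the initial negotiation
        b.set_state("Standby")

    def active(self) -> VgmpGroup:
        return self.a if self.a.state == "Active" else self.b

    def standby(self) -> VgmpGroup:
        return self.b if self.a.state == "Active" else self.a

    def report(self, device: str, vrid: int, link_up: bool) -> str:
        """A member VRRP group reports a link change; only the management group decides.
        Returns the name of the device that is Active afterwards."""
        dev = self.a if self.a.device == device else self.b
        grp = next(g for g in dev.groups if g.vrid == vrid)
        was_up, grp.link_up = grp.link_up, link_up
        act, sby = self.active(), self.standby()
        if sby.priority() > act.priority():
            recovery = link_up and not was_up and dev is sby
            if not recovery or self.preempt:
                # a failure on the active side always switches; a recovered standby
                # takes the role back only when preemption is enabled
                act.set_state("Standby")
                sby.set_state("Active")
            else:
                sby.set_state("Standby")
        else:
            act.set_state(act.state)    # refresh members: a down link leaves Master, an up link rejoins
        return self.active().device


def scenario(preempt: bool):
    """Constructed topology: FW_A and FW_B each run VRRP group 1 (trust side) and group 2
    (untrust side). Returns the Active device after each event and the member states
    right after the failure."""
    fw_a = VgmpGroup("FW_A", 100, [VrrpGroup(1, "GE0/0/1"), VrrpGroup(2, "GE0/0/2")])
    fw_b = VgmpGroup("FW_B", 90, [VrrpGroup(1, "GE0/0/1"), VrrpGroup(2, "GE0/0/2")])
    pair = HotStandbyPair(fw_a, fw_b, preempt)
    events = [pair.active().device]                                 # FW_A
    events.append(pair.report("FW_A", 2, link_up=False))            # untrust link of FW_A fails
    states = {(d.device, g.vrid): g.state for d in (fw_a, fw_b) for g in d.groups}
    events.append(pair.report("FW_A", 2, link_up=True))             # link recovers
    return events, states
```

The point to notice is in the recorded states: only group 2 on FW_A lost its link, yet group 1 on FW_A also drops to Backup and both groups on FW_B become Master, so inbound and outbound traffic keep crossing the same stateful firewall instead of being split across the pair.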

HRP protocol:

HRP (Huawei Redundancy Protocol) is a Huawei proprietary protocol used to synchronize data such as key configuration and connection state from the active firewall to the standby firewall.

In a dual-machine hot standby network, when the active firewall fails, all traffic switches to the standby firewall. Because the USG firewall is stateful, if the standby firewall does not hold the connection state data (such as the session table) of the former active firewall, the traffic switched to it cannot pass, existing connections are interrupted, and users must re-establish their connections.

The HRP module provides the basic data backup mechanism and transport. Each application module collects the data it needs to back up and hands it to the HRP module, which sends it to the corresponding module on the peer firewall. The receiving application module parses the data delivered by the HRP module and adds it to the firewall's dynamic running data pool.

Backup content: the connection state data to be backed up includes the TCP/UDP session table, ServerMap entries, the dynamic blacklist, NO-PAT entries, ARP entries and so on.

Backup methods: there are three kinds of backup

Batch backup: after the first negotiation between the two devices, all information is backed up in one batch

Real-time backup: newly created or refreshed data is backed up in real time while the device is running

Configuration batch backup: consumes more resources and is turned off by default

Backup channel: usually a directly connected port on each of the two devices serves as the backup channel, sometimes called the "heartbeat" (VGMP also communicates over this channel).
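The HRP mechanism described in this section (batch backup after the first negotiation, real-time backup of newly created or refreshed sessions, and the session module parsing what HRP delivers), as an added example that is not part of the original article and does not reproduce Huawei's wire format or code: a stateful firewall model with a session table and a trust-to-untrust policy, two instances joined by a backup channel, and a failover in which the replies of existing flows arrive at the standby. The zone plan, addresses, JSON message layout and device names are constructed assumptions.

```python
import json


def zone_of(ip: str) -> str:
    """Constructed zone plan: 10.0.0.0/8 is the trust zone, everything else untrust."""
    return "trust" if ip.startswith("10.") else "untrust"


class StatefulFirewall:
    def __init__(self, name: str):
        self.name = name
        self.sessions = {}                       # 5-tuple -> session entry (dynamic running data)
        self.policy = {("trust", "untrust")}     # only trust -> untrust may initiate a session
        self.peer = None                         # other end of the HRP backup channel
        self.realtime_backup = False

    def connect_backup_channel(self, peer: "StatefulFirewall") -> None:
        """Bring up the directly connected 'heartbeat' link used by HRP (and VGMP)."""
        self.peer, peer.peer = peer, self
        self.realtime_backup = peer.realtime_backup = True

    @staticmethod
    def reverse(key: tuple) -> tuple:
        proto, src, sport, dst, dport = key
        return (proto, dst, dport, src, sport)

    def forward(self, key: tuple) -> bool:
        """Process one packet identified by (proto, src, sport, dst, dport); True if forwarded."""
        for k in (key, self.reverse(key)):
            if k in self.sessions:               # matches an existing session in either direction
                self.sessions[k]["packets"] += 1
                self._hrp_send("refresh", k)     # real-time backup of a refreshed session
                return True
        _, src, _, dst, _ = key
        if (zone_of(src), zone_of(dst)) in self.policy:
            self.sessions[key] = {"packets": 1}
            self._hrp_send("create", key)        # real-time backup of a new session
            return True
        return False                             # no session and policy forbids initiating one

    def _hrp_send(self, op: str, key: tuple) -> None:
        if self.peer is not None and self.realtime_backup:
            self.peer.hrp_receive(self._hrp_message(op, key))

    def _hrp_message(self, op: str, key: tuple) -> str:
        # constructed wire format: the real HRP encoding is not described by the article
        return json.dumps({"module": "session", "op": op, "key": list(key),
                           "entry": self.sessions[key]})

    def batch_backup(self) -> int:
        """After the first negotiation: push every existing session at once. Returns the count."""
        for key in list(self.sessions):
            self.peer.hrp_receive(self._hrp_message("create", key))
        return len(self.sessions)

    def hrp_receive(self, raw: str) -> None:
        """The session module parses the HRP payload and adds it to the running data pool."""
        msg = json.loads(raw)
        if msg["module"] == "session":
            self.sessions[tuple(msg["key"])] = dict(msg["entry"])


def failover_demo(sync: bool) -> dict:
    """Two constructed flows from inside hosts; then the active firewall dies and the
    replies arrive at the standby. Without HRP the standby has no sessions and drops them."""
    active, standby = StatefulFirewall("FW_A"), StatefulFirewall("FW_B")
    old_flow = ("tcp", "10.1.1.5", 40000, "203.0.113.7", 443)   # existed before the pair was formed
    new_flow = ("udp", "10.1.1.6", 50000, "198.51.100.9", 53)   # created while the pair is running
    active.forward(old_flow)
    if sync:
        active.connect_backup_channel(standby)
        active.batch_backup()                   # batch backup covers old_flow
    active.forward(new_flow)                    # real-time backup covers new_flow (when sync)
    # the active fails; VGMP moves the virtual gateway to the standby and the replies land there
    return {
        "old_reply_passes": standby.forward(StatefulFirewall.reverse(old_flow)),
        "new_reply_passes": standby.forward(StatefulFirewall.reverse(new_flow)),
        "standby_sessions": len(standby.sessions),
    }
```

Run with `sync=False` the replies are dropped for the reason the section gives: the standby has no session for them, and its policy does not allow an untrust host to initiate a connection inward, so the failover looks to users like every existing connection dying at once. With `sync=True` the batch backup carries the session that predates the pairing and the real-time backup carries the one created afterwards, and both replies pass.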


Teaching assistant: Ma Ji
