Shulou(Shulou.com)06/01 Report--

Vgmp VRRP Group Management Protocol

When there is a problem with the equipment caused by the dual-computer hot backup, the back-and-forth path may be inconsistent, because the active and standby devices are switched.

Configure VGMP to ensure that all VRRP in a group is master. If one is not, then switch to slave.

HRP (Huawei Redundancy Protocol)

When there is a problem with the master equipment, the standby can quickly switch to the master, while ensuring the data synchronization between the master and the standby.

Firewalls only support two devices for dual hot standby, unlike routers for VRRP with multiple devices.

Backup group: the interface of two devices is in the same network segment and in the same broadcast domain, which is the concept of interface, not the concept of device.

VRRP sends advertisement messages (only one message) at the multicast address 224.0.0.18.

Vrrp active and standby election, switching time, priority

Simple VRRP configuration on the firewall is likely to lead to the failure of inconsistent back and forth paths.

VGMP (Huawei Private) solves the problem of inconsistent back and forth paths.

Establish neighbors: 1. Multicast builds neighbors 2. Unicast UDP establishes neighbors through port 18514 (for routing devices on the heartbeat line, not the same network segment)

UDP Header

VRRP Header

VGMP Header

DATA

Relationship between VGMP and VRRP: based on the proprietary protocol developed by VRRP Huawei, the structure of the message is changed, so the function of VRRP is extended, and VRRP is only responsible for exchanging messages within the VRRP backup group.

VRRP exists in name only, mainly through VGMP to control and manage the group of VRRP

VRRP: backup group

VGMP:active group and standby group

The message structure of VGMP:

As shown in the figure above, from the encapsulation sequence of VGMP messages, we can find that VGMP messages are rooted in VRRP messages.

Is encapsulated by the VRRP header. But this VRRP message is not a standard VRRP message, it is extended by Huawei.

And revised, the specific changes are as follows:

The "Type" field of a standard VRRP message has only a value of "1", and we have increased the value of "2". In other words, if Type=1, it is the standard VRRP message; if Type=2, it is our modified VRRP message.

The "Virtual Rtr ID" field of the standard VRRP message represents the VRRP backup group ID, while the modified VRRP message "Virtual Rtr ID" is fixed to "0".

The "IP Address" field of the standard VRRP message is removed from the modified VRRP message.

The "Priority" field in the standard VRRP message is modified to the "Type2" field in the VRRP header.

Dual machine hot standby

When Type2=1, the message is encapsulated as a heartbeat link probe message. The heartbeat link detection message is used to detect whether the heartbeat port of the peer device can normally receive the message of the local device, in order to determine whether the heartbeat port can be used.

When Type2=5, the message is encapsulated into a consistency check message. The consistency check message is used to check whether the two firewalls in the dual hot standby state are configured with the same policy.

When Type2=2, the VRRP message will further encapsulate the VGMP header, and according to the VGMP header

The "vType" field continues to be divided into three types of messages:

VGMP message (VGMP Hello message). The VGMP Hello message is used by the VGMP group between the two firewalls to negotiate the active and standby status. This is the answer to our question.

HRP heartbeat message (HRP Hello message). The HRP heartbeat message is used to detect whether the peer device is working. The active device sends HRP heartbeat messages to the standby device at regular intervals (the default is 1s) to notify the active device that it is working. If the standby device does not receive the HRP heartbeat message within three cycles, the active device is considered to have failed and the standby itself is switched to the active standby.

HRP data message. We also need to add the VGMP header after the HRP header in order to encapsulate the HRP data message. HRP Datagram is used for data backup between master and standby devices, including command line configuration backup and various status information backup.

Priority defaults to 65001 (master)

Priority defaults to 65000 (standby)

One interface down minus 2.

Hrp standly-device-active and standby

Hrp loadbalance-device-load

In dual-computer hot standby switching mode, when the upper and lower connections are layer 3 routing devices, it can only be load-sharing mode, otherwise one side will be blocked.

In the dual hot standby switching mode, when the upper and lower connections are layer 2 transparent bridges, it can only be the active and standby mode, otherwise a loop will be created and one side of the loop will be broken to prevent the loop.

Monitor the layer 3 interface through hrp track and set it to active status as the master

The three main features of VGMP:

Characteristics

Monitoring fault

Layer 2 interface: monitor VLAN interface and judge according to the interface added by VLAN

Layer 3 interface: direct monitoring interface, IP link,BFD

State switching

Traffic guidance

Layer 3 interface: adjust the interface cost of ospf. If there is an interface failure, set cost to 65500.

Layer 2 interface: adjust the priority of VGMP groups

Monitoring link failure

There are four modes:

Dual-computer hot standby network

Support scenarios

Fault monitoring

Traffic guidance

Firewall route pattern, both uplink and downlink are route patterns

Active / standby / load

Interface / IP link/BFD

Ospf modifies cost value to affect routing

Firewall route mode, both uplink and downlink are in switching mode

Active / standby / load

VLAN interface

When the active VLAN switches to standby, it will down, then up, refresh the layer 2 Mac address, and know where the new master is.

Firewall switching mode, both uplink and downlink are routing mode

Just for load.

Interface / IP link/BFD

Ospf modifies cost value to affect routing

Firewall switching mode, both uplink and downlink are switching mode

Only for the main and standby

VLAN interface

When the active VLAN switches to standby, it will down, then up, refresh the layer 2 Mac address, and know where the new master is.

VGMP status switching

The specific interaction process and actions of VGMP status master / slave switching between two firewalls can be divided into the following three situations:

Handoff due to interface or link failure

When this kind of failure occurs, the master device immediately sends the status information and the local priority to the standby device through the VGMP message, and the standby device compares the priority in the message with the local priority. If the switching condition is met, it will immediately switch, and the switching of business traffic will be completed instantly.

Handoff caused by the failure of the whole machine or heartbeat link

When this kind of fault occurs, because the master device is unable to send a status notification message to the standby, the fault can only be found by relying on the standby machine to detect heartbeat message (VGMP Hello message) timeout, so the switching time is three heartbeat message cycles.

Preemption process

In the handover process after fault recovery, since the standby device is in the normal forwarding state, it will switch back after the host failure is restored, so basically it will not affect the business.

Switching in active and standby mode

Active and standby handover under load sharing

VGMP state machine

After enabling the dual-machine hot backup feature, each VGMP group enters the Initialize (initialization) state.

1) when the Active group is enabled, the state of the Active group changes from Initialize to Active.

2) when the Standby group is enabled, the status of the Standby group changes from Initialize to Standby.

3) when the interface monitored by the local VGMP group fails, the status is changed from Active to ActiveToStandby, and a VGMP request message is sent to the VGMP group of the peer device.

4) when the local VGMP group receives the VGMP request message from the peer and finds that it has a high priority, it changes the status from Standby to Acitve and sends an VGMP confirmation message to the VGMP group of the peer device.

5) if the local VGMP group receives the VGMP confirmation message from the peer, confirming that the local end needs to switch the status, the local VGMP group status will be changed from ActiveToStandby to Standby.

6) if the peer VGMP group confirms that the local VGMP group does not need to switch status or does not respond to the local VGMP request message for three consecutive times, the local VGMP group status will be changed from ActiveToStandby to Active.

7) after the failure of the interface monitored by the local VGMP group, if the local VGMP group has a higher priority than the peer and the preemption feature is configured, the local VGMP group status will be changed from Standby to StandbyToAcitve, and a VGMP request message will be sent to the peer.

8) when the local VGMP group receives the VGMP request message from the peer and finds that the peer has a high priority, it changes the status from Active to Standby and sends an VGMP confirmation message to the VGMP group of the peer device.

9) if the local VGMP group receives the VGMP confirmation message from the peer, confirming that the local end needs to switch the status, the local VGMP group status will be changed from StandbyToAcitve to Active, and the preemption process will be completed.

10) if the peer VGMP group confirms that the local VGMP group does not need to switch status or does not respond to the local VGMP request message for three consecutive times, the local VGMP group status will be changed from StandbyToAcitve to Standby.

Welcome to subscribe "Shulou Technology Information " to get latest news, interesting things and hot topics in the IT industry, and controls the hottest and latest Internet news, technology news and IT industry trends.