2025-01-19 Update From: SLTechnology News&Howtos shulou
Shulou(Shulou.com)06/01 Report--
1. Working principle of dual-system hot standby
Huawei's dual-system hot standby deploys two or more firewalls that together provide hot backup and load balancing; the firewalls cooperate as if they were one larger firewall.
Overview of dual-system hot standby
As the Internet has developed, most everyday problems can be solved over the network, but network security problems have gradually come to light alongside it. Huawei firewall dual-system hot standby has the following two modes:
1. Hot standby mode: only one firewall forwards packets at a time. The other firewalls do not forward packets, but keep their session tables and Server-map tables synchronized with it.
2. Load balancing mode: several firewalls forward traffic at the same time, and each firewall also acts as the backup of the others, so every firewall is both an active device and a standby device. Session tables and Server-map tables are synchronized between the firewalls.
In load balancing mode (see the figure), for some traffic (shown in black) FW1 is the active device and FW2 the standby device, so that traffic is forwarded through FW1 by default; for the other traffic (shown in grey) FW2 is the active device and FW1 the standby device, so that traffic is forwarded through FW2 by default, with FW1 acting as its backup. If FW2 fails, FW1 can still forward the grey traffic; if FW1 fails, FW2 can still forward the black traffic.
VRRP
In dual-system hot standby, once the active and standby devices have been elected, traffic is forwarded through the active device by default while the standby device stays in backup state.
1. VRRP (Virtual Router Redundancy Protocol) is a protocol maintained by the IETF to remove the single point of failure at the gateway. VRRP can be used on routers to provide gateway redundancy, or on firewalls for hot standby. Its terms are:
(1) VRRP router: a router running the VRRP protocol.
(2) Virtual router: a backup group consisting of one active router and several standby routers; a backup group provides one virtual gateway to the clients.
(3) VRID (Virtual Router ID): the identity of a virtual router, used to uniquely identify a backup group.
(4) Virtual IP address: the gateway IP address provided to the clients, i.e. the IP address assigned to the virtual router. It is configured on all VRRP routers, but only the active device answers ARP requests for it.
(5) Virtual MAC address: the MAC address generated for the virtual router from its VRID. When a client resolves the gateway MAC address through ARP, the active router answers with this MAC address.
(6) IP address owner: if the virtual router's IP address is configured as the real IP address of a member's physical interface, that member is called the IP address owner.
(7) Priority: identifies the precedence of a VRRP router; the active and standby devices are elected by the priority of each VRRP router.
(8) Preemptive mode: if a standby router has a higher priority than the other routers in the backup group (including the current active router), it immediately becomes the new active router.
(9) Non-preemptive mode: if a standby router has a higher priority than the other routers in the backup group (including the current active router), it does not immediately become the active router; it waits for the next election.
The working principle of VRRP is essentially the same as that of Cisco's HSRP introduced earlier, with some differences in detail:
VRRP is a public (standard) protocol, while HSRP is a Cisco proprietary protocol.
In VRRP the virtual router's IP address can be the IP address of a member router; in HSRP it cannot.
The virtual MAC address of VRRP is 00-00-5e-00-01-VRID, while that of HSRP is 00-00-0c-07-ac-<group number>.
VRRP has three states, while HSRP has six (Initial, Learn, Listen, Speak, Standby, Active).
VRRP has only one message type (the advertisement), while HSRP has three (hello, coup, resign).
VRRP does not support interface tracking, while HSRP does.
Roles in VRRP
Routers running VRRP take one of two roles: Master router or Backup router.
Master router: under normal conditions the Master router answers ARP requests and forwards packets, and by default advertises its current state to the other routers every 1 s.
Backup router: the backup of the Master router. Under normal conditions it does not forward packets. When the Master router fails, the Backup router with the highest priority becomes the new Master router and takes over packet forwarding, so the service is not interrupted.
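As an added illustration (not code from the article or from Huawei), the following Python parses and validates the one VRRP message type mentioned above, the VRRPv2 advertisement as laid out in RFC 3768: version/type, VRID, priority, the advertised virtual IP addresses and the checksum, plus the virtual MAC derived from the VRID. The sample packet is built by the code itself and is constructed, not captured from a network; the field layout and checksum rule are the RFC's, the function names are this example's own.

```python
import struct
from ipaddress import IPv4Address

# VRRPv2 (RFC 3768) has a single message type, the advertisement, sent by the
# Master every adver_int seconds (1 s by default).
VRRP_VERSION = 2
TYPE_ADVERTISEMENT = 1
AUTH_DATA_LEN = 8          # trailing authentication field, 8 bytes in VRRPv2


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 1071), as used by VRRPv2."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid: int, priority: int, addresses, adver_int: int = 1) -> bytes:
    """Build a well-formed advertisement; used here only to construct sample input."""
    header = struct.pack("!BBBBBBH",
                         (VRRP_VERSION << 4) | TYPE_ADVERTISEMENT,
                         vrid, priority, len(addresses), 0, adver_int, 0)
    body = b"".join(IPv4Address(a).packed for a in addresses) + bytes(AUTH_DATA_LEN)
    checksum = internet_checksum(header + body)
    return header[:6] + struct.pack("!H", checksum) + body


def virtual_mac(vrid: int) -> str:
    """Virtual MAC derived from the VRID: 00-00-5e-00-01-VRID."""
    return "00-00-5e-00-01-%02x" % vrid


def parse_advertisement(pkt: bytes) -> dict:
    """Parse and validate a VRRPv2 advertisement; raise ValueError on anything malformed."""
    if len(pkt) < 8 + AUTH_DATA_LEN:
        raise ValueError("too short for a VRRP advertisement")
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack("!BBBBBBH", pkt[:8])
    version, msg_type = ver_type >> 4, ver_type & 0x0F
    if version != VRRP_VERSION or msg_type != TYPE_ADVERTISEMENT:
        raise ValueError("unsupported version/type %d/%d" % (version, msg_type))
    msg_len = 8 + 4 * count + AUTH_DATA_LEN
    if len(pkt) < msg_len:
        raise ValueError("IP address count exceeds packet length")
    # A valid checksum sums to zero when the checksum field itself is included.
    if internet_checksum(pkt[:msg_len]) != 0:
        raise ValueError("bad checksum")
    ips = [str(IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {
        "vrid": vrid,
        "priority": priority,
        "adver_int": adver_int,
        "auth_type": auth_type,
        "virtual_ips": ips,
        "virtual_mac": virtual_mac(vrid),
        # Priority 0 means the current Master is releasing the role (e.g. on shutdown).
        "master_release": priority == 0,
    }
```

Feeding the parser captured advertisements from the gateway segment is a cheap way to confirm which device is currently announcing itself as Master for a given VRID, and the checksum and length checks reject truncated or corrupted packets before any field is trusted.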
2. VRRP state machine
VRRP defines three working states:
Initialize state, Master state, Backup state
3. How VRRP works
VRRP elects the Master and Backup routers as follows:
First, the device with the highest priority becomes the Master router. If the priorities are equal, the interface IP addresses are compared and the device with the larger IP address becomes the Master router; the other routers in the backup group become Backup routers.
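The election rule just described, together with the IP address owner and the preemptive and non-preemptive modes from the VRRP terms above, as an added Python model (not the article's or Huawei's code): highest priority wins, ties go to the larger interface IP address, the IP address owner always competes with priority 255 (RFC 3768), and the two modes differ only when a working Master is already in place. The routers FW1, FW2, R3 and R4 and their addresses are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

# RFC 3768: priority 255 is reserved for the IP address owner, 100 is the default.
OWNER_PRIORITY = 255
DEFAULT_PRIORITY = 100


@dataclass
class VrrpRouter:
    """One member of a VRRP backup group (a constructed model, not device state)."""
    name: str
    interface_ip: str
    priority: int = DEFAULT_PRIORITY
    ip_owner: bool = False      # interface IP equals the virtual IP
    up: bool = True             # False models a failed router or interface

    @property
    def effective_priority(self) -> int:
        return OWNER_PRIORITY if self.ip_owner else self.priority


def election_key(router: VrrpRouter):
    """Higher priority wins; ties are broken by the larger interface IP address."""
    return (router.effective_priority, int(IPv4Address(router.interface_ip)))


def elect_master(routers: List[VrrpRouter],
                 current_master: Optional[VrrpRouter] = None,
                 preempt: bool = True) -> Optional[VrrpRouter]:
    """Return the router holding the Master role after one election round.

    Preemptive mode: the best candidate always becomes Master.
    Non-preemptive mode: a working Master keeps the role even if a higher
    priority router is present; a new election happens only when it fails.
    """
    candidates = [r for r in routers if r.up]
    if not candidates:
        return None
    best = max(candidates, key=election_key)
    if (current_master is not None and current_master.up
            and current_master in candidates and not preempt):
        return current_master
    return best


def backup_group_roles(routers: List[VrrpRouter],
                       current_master: Optional[VrrpRouter] = None,
                       preempt: bool = True) -> dict:
    """Map each router name to its state after the election: Master, Backup or Initialize."""
    master = elect_master(routers, current_master, preempt)
    roles = {}
    for r in routers:
        if not r.up:
            roles[r.name] = "Initialize"
        elif r is master:
            roles[r.name] = "Master"
        else:
            roles[r.name] = "Backup"
    return roles
```

The `up` flag is what makes the non-preemptive case visible: a failed Master is re-elected away immediately, but once it returns it stays Backup until the next election, exactly the behaviour the article attributes to non-preemptive mode.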
VGMP
Working principle
The working principle of VGMP is as follows:
1. The state of the VGMP group determines the state of the VRRP backup groups it manages: the device roles (Master and Backup) are no longer elected by VRRP packets but are managed by VGMP.
2. The VGMP group with the higher priority becomes Active, and the VGMP group with the lower priority becomes Standby.
3. By default, the priority of a VGMP group is 45000.
4. The VGMP group priority is adjusted automatically according to the state of the VRRP backup groups in the group, for example when a backup group is detected to have entered the Initialize state.
5. VGMP state information is negotiated between the devices through heartbeat packets.
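To make the relationship between VGMP and VRRP concrete, here is an added Python model (not the article's or Huawei's code) of two firewalls negotiating through heartbeats: each VGMP group computes its priority from the state of the VRRP groups it manages, the higher priority becomes Active, and the VRRP roles on both devices then follow the VGMP state rather than a per-group VRRP election. The default priority 45000 comes from the article; the amount subtracted per VRRP group in Initialize and the tie-break on a configured preferred side are assumptions of this model, as are the names FW1 and FW2 and the link states.

```python
from dataclasses import dataclass
from typing import Dict

VGMP_DEFAULT_PRIORITY = 45000   # default VGMP group priority stated in the article

# The article says the VGMP priority is adjusted when a managed VRRP backup
# group enters Initialize but gives no amount.  The per-group penalty below is
# an assumed parameter of this model, not a value from the article.
ASSUMED_PENALTY_PER_FAILED_GROUP = 2


@dataclass
class VgmpGroup:
    """The VGMP group of one firewall and the link state of the VRRP groups it manages."""
    name: str
    links: Dict[int, bool]              # vrid -> interface up?  (constructed input)
    preferred_active: bool = False      # tie-break assumption: the configured active side
    base_priority: int = VGMP_DEFAULT_PRIORITY
    state: str = "Initialize"

    def failed_vrids(self):
        return [vrid for vrid, up in self.links.items() if not up]

    @property
    def priority(self) -> int:
        """Current priority: base minus the penalty for every VRRP group in Initialize."""
        return self.base_priority - ASSUMED_PENALTY_PER_FAILED_GROUP * len(self.failed_vrids())


def negotiate(fw_a: VgmpGroup, fw_b: VgmpGroup) -> Dict[str, Dict[int, str]]:
    """One heartbeat round: compare priorities, set Active/Standby, derive VRRP roles.

    The higher VGMP priority becomes Active and the lower becomes Standby.
    Every healthy VRRP group on the Active device is Master and every healthy
    group on the Standby device is Backup, whatever VRRP alone would elect;
    groups whose interface is down stay in Initialize.
    """
    if fw_a.priority != fw_b.priority:
        active, standby = (fw_a, fw_b) if fw_a.priority > fw_b.priority else (fw_b, fw_a)
    else:
        # Equal priorities: fall back to the configured preferred side (model assumption).
        a_first = fw_a.preferred_active or not fw_b.preferred_active
        active, standby = (fw_a, fw_b) if a_first else (fw_b, fw_a)
    active.state, standby.state = "Active", "Standby"

    roles = {}
    for fw, role in ((active, "Master"), (standby, "Backup")):
        roles[fw.name] = {vrid: (role if up else "Initialize") for vrid, up in fw.links.items()}
    return roles
```

The instructive case is a single failed link: the firewall that lost one downstream interface drops its VGMP priority and hands over all of its VRRP groups, including the one whose interface is still healthy, so upstream and downstream traffic keep flowing through the same device instead of being split across the pair.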
How VGMP works
Backup modes of dual-system hot standby
1. Automatic backup: in this mode, configuration commands related to dual-system hot standby can only be entered on the active device and are automatically synchronized to the standby device; the active device also automatically synchronizes state information to the standby device.
2. Manual batch backup: all configuration commands and state information on the active device are synchronized to the standby device only when the batch backup command is executed manually.
3. Quick backup: configuration commands are not synchronized; only state information is synchronized.
Enabling dual-system hot standby
Configuring automatic backup
Once dual-system hot standby is enabled, commands that can be synchronized show a (+B) prompt when executed.
Configuring quick backup
Configuration example:
1. Configure IP addresses (the router has a default route whose next hop is the upstream virtual IP 10.1.1.100, and PC1's gateway is the downstream virtual IP 192.168.1.100)
ip route-static 0.0.0.0 0.0.0.0 10.1.1.100
2. Add the interfaces to security zones and configure the security policy (FW1 and FW2 configurations are the same)
3. Configure the VRRP backup groups (FW1 and FW2 configurations)
FW2 configuration
4. Configure the heartbeat interface
5. Enable dual-system hot standby
6. Configure the backup mode
FW1 configuration:
FW2 configuration:
7. Verification
View the dual-system hot standby status
View the heartbeat interface status
Ping router R1 from PC1
Run ping -t against the address so that it pings continuously, then shut down the g0 interface of FW1: you will find that two packets are lost during the ping.
You can also view the security policy and session tables.