Huawei firewall VRRP hot standby: principles and configuration in detail

Article outline:

  • 1. What is hot standby?
  • 2. The concept of VRRP
  • 3. The two roles in VRRP
  • 4. The VRRP election process
  • 5. The three VRRP states
  • 6. Unified management of VRRP state by VGMP
    1. VGMP packet encapsulation
    2. Hot standby backup modes
    3. Route selection on upstream or downstream devices
  • 7. Configuration example
  • 8. Summary

1. What is hot standby?

So-called hot standby (dual-device hot backup) has one purpose: providing 7x24 uninterrupted service. Many hot standby technologies exist; Huawei's firewall hot standby is built on the VRRP protocol.

Huawei hot standby achieves redundancy and load balancing by deploying two or more firewalls that cooperate with each other as if they were a single larger firewall.

Huawei firewall hot standby has the following two modes:

  • Hot standby mode: at any one time only one firewall forwards data; the other firewall does not forward, but synchronizes the session table and the server-map table. When the working firewall fails, the backup firewall takes over data forwarding.
  • Load balancing mode: several firewalls forward data at the same time and back each other up; each firewall is both a master and a backup device. The session tables and server-map tables are synchronized between the firewalls.

2. The concept of VRRP

VRRP (Virtual Router Redundancy Protocol) is a protocol that solves the single point of failure of a gateway router. VRRP provides gateway redundancy on routers, and it can also be used for firewall hot standby.

VRRP terminology:

  • VRRP router: a router running the VRRP protocol.
  • Virtual router: a backup group made up of an active router and one or more standby routers; to the clients, the backup group appears as one virtual gateway.
  • VRID: virtual router identifier, used to uniquely identify a backup group.
  • Virtual IP address: the gateway address provided to clients. It is the IP address configured for the virtual router on all VRRP devices, but only the master device answers ARP requests for it.
  • Virtual MAC address: a MAC address generated from the VRID of the VRRP group. When a client resolves the gateway's MAC address through ARP, the active router answers with this MAC address.
  • IP address owner: if the virtual router's IP address is the real IP address of a physical interface on a member device, that member is called the IP address owner.
  • Priority: identifies the priority of a VRRP router; the priority of each VRRP router is used to elect the master device and the backup devices.
  • Preemption mode: in preemption mode, if a standby router in the backup group has a higher priority than the other routers (including the current active router), it immediately becomes the new active router.
  • Non-preemptive mode: in non-preemptive mode, a standby router with a higher priority than the other routers (including the current active router) cannot become the active router until the next election (for example, after a reboot).

3. The two roles in VRRP

A router running VRRP has one of two roles: Master router or Backup router.

  • Master router: under normal conditions the Master router answers ARP requests and forwards packets, and by default it advertises its current state to the other routers every 1 s.
  • Backup router: the backup for the Master router; under normal conditions it does not forward packets. When the Master router fails, the Backup router with the highest priority becomes the new Master router and takes over packet forwarding, so that service is not interrupted.

4. The VRRP election process

The VRRP process for electing the master and backup routers is as follows:
The device with the highest priority becomes the master. If the priorities are equal, the interface IP addresses are compared, and the device with the larger IP address (the numerically larger value) becomes the master; the other routers in the backup group become backup routers.

Unless a router is manually configured as the IP address owner (priority 255), a VRRP state transition always passes through the Backup state first: even the router with the highest priority must go from the Backup state to the Master state. In that case the Backup state is only a momentary transitional state.

The default VRRP priority of an interface is 100, with a range of 0 to 255. Priority 0 is reserved, and priority 255 is reserved for the IP address owner; the IP address owner does not need a configured priority, since its priority defaults to 255.
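The election rules of this section and the preemption rules from section 2, written out as an added Python example (not from the post and not Huawei code). The two routers and the virtual IP in the sample are constructed from the configuration example later in the article; the IP-owner handling, the reserved priority 0 and the preemption switch are the rules stated above.

```python
"""VRRP master election as described in sections 2 and 4 above.

Added example (not from the post, not Huawei code). Rules implemented:
  * highest priority wins; a tie is broken by the larger interface IP address;
  * the IP address owner (real interface IP == virtual IP) is always 255;
  * priority 0 is reserved, so such a router is never elected;
  * preemption mode lets a higher-priority router take over at once,
    non-preemptive mode keeps the current master until the next election.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List


@dataclass
class VrrpRouter:
    name: str
    ip: str              # real IP address of the VRRP interface
    priority: int = 100  # default interface priority (configurable 0-255)


def effective_priority(r: VrrpRouter, virtual_ip: str) -> int:
    """The IP address owner is 255 regardless of any configured priority."""
    return 255 if IPv4Address(r.ip) == IPv4Address(virtual_ip) else r.priority


def elect_master(routers: List[VrrpRouter], virtual_ip: str) -> VrrpRouter:
    """Elect the master of one backup group; everyone else becomes backup."""
    candidates = [r for r in routers if effective_priority(r, virtual_ip) != 0]
    if not candidates:
        raise ValueError("no electable router: every priority is 0")
    # Compare priority first, then the numeric value of the interface address.
    return max(candidates,
               key=lambda r: (effective_priority(r, virtual_ip),
                              int(IPv4Address(r.ip))))


def next_master(current: VrrpRouter, routers: List[VrrpRouter],
                virtual_ip: str, preempt: bool) -> VrrpRouter:
    """Who is master after a router with a higher priority joins the group.

    preempt=True  -> preemption mode: the election result applies immediately.
    preempt=False -> non-preemptive mode: the current master keeps the role
                     until the next election (for example after it restarts).
    """
    winner = elect_master(routers, virtual_ip)
    if preempt or current not in routers:
        return winner
    return current


if __name__ == "__main__":
    # Constructed sample: the two firewalls of the configuration example below.
    fw1 = VrrpRouter("FW1", "192.168.1.101")
    fw2 = VrrpRouter("FW2", "192.168.1.102")
    print(elect_master([fw1, fw2], "192.168.1.100").name)  # FW2: equal priority, larger IP
```

With equal default priorities the larger interface address wins, which is why the configuration example later explicitly sets the active and standby roles rather than relying on the addresses.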

5. The three VRRP states

VRRP defines three states, as follows:

  • Initialize state: the state right after VRRP is configured. In this state the device does not process VRRP packets at all; an interface failure or shutdown also puts the device into this state.
  • Master state: the device enters this state when it is elected master router. In this state it forwards data packets and periodically sends VRRP advertisements; when the interface is shut down or the device goes down, it immediately switches to the Initialize state.
  • Backup state: the device enters this state when it is elected standby router. In this state it does not forward any data packets; it only receives the VRRP packets sent by the master, to detect whether the master is still working properly, and synchronizes the master device's state information.

6. Unified management of VRRP state by VGMP

VRRP as used on firewalls differs from how it is used on other network devices and in other contexts (Linux Keepalived also uses the VRRP protocol), for the following reason:

[Figure: FW1 and FW2 running VRRP backup group 1 (PC side) and backup group 2 (external network side)]

As the figure above shows, under normal conditions a packet from the PC destined for the external network is forwarded by the master device of backup group 1 (FW1), and the returning packet from the external network is forwarded by the master device of backup group 2 (also FW1). When interface G1/0/0 of FW1 fails, backup group 1 detects the failure and FW2 becomes the master device of backup group 1, so packets sent by the PC are now forwarded by the master of backup group 1 (FW2). The state of VRRP group 2, however, does not change at all (interface G1/0/1 of FW1 is still working normally), so the return traffic from the external network is still forwarded by the master device of backup group 2 (FW1). Because interface G1/0/0 of FW1 has failed, that return packet cannot be forwarded any further.

The cause of this phenomenon is that the two VRRP groups work independently. VGMP (VRRP Group Management Protocol) is therefore used to manage the VRRP backup groups in a unified way, so that the backup groups on a device keep a consistent state. VGMP adds all backup groups on a device (FW1 and FW2 each have backup group 1 and backup group 2) to one VGMP group for unified management. When a change is detected on the interface of one backup group (backup group 1 here; the interface enters the Initialize state), the device reduces the priority of its own VGMP group by 2 and renegotiates the Active/Standby roles of the VGMP groups. The newly elected Active group then switches the state of all its backup groups (backup group 1 and backup group 2) together, so backup group 1 and backup group 2 on FW2 both become the master devices.

Put simply, VGMP unifies the state of the different backup groups on a device.

VGMP works as follows:

  • The VGMP group state determines the VRRP state; that is, the device's role (master or backup) is no longer elected through VRRP packets but is managed directly and uniformly by VGMP.
  • The VGMP group state is determined by comparing priorities: the VGMP group with the highest priority becomes Active, and the VGMP group with the lower priority becomes Standby.
  • By default, the VGMP group priority is 45000.
  • VGMP automatically adjusts the group priority according to the state of the VRRP backup groups: whenever a backup group is detected to have entered the Initialize state, the VGMP group priority is automatically reduced by 2.
  • VGMP groups negotiate their state through heartbeat packets.

After VGMP groups are added, the VRRP state names change from master and backup to active and standby.

1. VGMP packet encapsulation

VGMP groups negotiate state information through heartbeat packets, which VGMP sends as VGMP messages. VGMP messages come in the following two forms:

[Figure: VGMP packet encapsulation; left: heartbeat interfaces directly connected or via a switch (multicast, no UDP header); right: heartbeat link across a layer 3 device (unicast with UDP header)]

In the network on the left of the figure above, the heartbeat interfaces (G1/0/0) at both ends are directly connected or connected through a switch; the heartbeat packets are multicast packets and the encapsulation carries no UDP header. If the heartbeat link crosses a layer 3 device (a rare situation, of course), the packets cannot be multicast across it, so a UDP header is added to the encapsulation and the messages are sent as unicast.

The following command specifies which encapsulation type the packets sent through the interface use.

[USG6000V1]hrp interface GigabitEthernet 1/0/0       <!--This form is not supported in the eNSP simulator-->
[USG6000V1]hrp interface GigabitEthernet 1/0/0 remote 1.1.1.1
<!--The hrp interface command specifies the interface used for the heartbeat link.
1.1.1.1 is the IP address of the peer heartbeat interface; it must be reachable by routing.
The form with the remote parameter encapsulates the packets in UDP and sends unicast; the form without remote sends multicast.-->

Other notes on configuring VGMP:

  • After VGMP is added, the heartbeat link carries both state information backup (session table and server-map table) and VGMP state negotiation.
  • By default, Huawei firewalls permit multicast traffic (such as VGMP packets without the remote parameter) but block unicast traffic (such as VGMP packets with the remote parameter). If the remote parameter is configured, a security policy must also be configured between the local zone and the zone that the heartbeat interface belongs to.
  • An interface configured with vrrp virtual-mac enable cannot be used as a heartbeat interface.
  • If a layer 2 interface is used as the heartbeat interface, it cannot be configured directly on the layer 2 interface; instead, add the layer 2 interface to a VLAN and configure the heartbeat interface on the VLAN interface.
  • In the eNSP simulator, the remote parameter must be configured even if the heartbeat interfaces are directly connected; otherwise the configuration is not accepted.

2. Hot standby backup modes

There are three hot standby backup modes:

  • Automatic backup: in this mode, hot standby related configuration can only be done on the active device and is automatically synchronized to the standby device; the active device also automatically synchronizes state information to the standby device.
  • Manual batch backup: in this mode, all configuration commands and state information on the active device are synchronized to the standby device only when the batch backup command is run manually. This mode is mainly used when the configuration of the active and standby devices is out of sync and must be synchronized immediately.
  • Fast backup: in this mode, configuration commands are not synchronized, only state information is. In a load-balancing hot standby deployment this mode must be enabled so that state information is updated quickly.

The configuration commands for each mode are as follows:

(1) Enable the hot standby function:

[USG6000V1]hrp enable
HRP_S[USG6000V1]       <!--After hot standby is enabled, the command prompt changes-->

(2) Configure automatic backup mode:

HRP_M[USG6000V1]hrp auto-sync
HRP_M[USG6000V1]security-policy  (+B)
 <!--After hot standby is enabled, commands that can be synchronized are marked with (+B)-->

(3) Configure manual batch backup mode:

HRP_M<USG6000V1>hrp sync [ config | connection-status ]
       <!--
 Run this command in user view. The config parameter synchronizes the configuration manually,
 and the connection-status parameter synchronizes the state information manually.
              -->

(4) Configure fast backup mode:

HRP_S[USG6000V1]hrp mirror session enable
HRP_M[USG6000V1]      <!--After fast backup mode is configured, the prompt prefix becomes HRP_M...-->

3. Route selection on upstream or downstream devices

When the upstream or downstream device of the hot standby pair is a switch, VRRP is used to detect the state of the interface or device. When the upstream or downstream device is a router, however, VRRP cannot work normally (VRRP relies on multicast for failover). Huawei firewalls handle this by monitoring the interface state and using OSPF to switch traffic: the interface is added directly to the VGMP group, and when the interface fails (even if it is the peer device that fails, the physical state of the local interface also goes down), VGMP senses the interface state change and lowers the priority of the VGMP group, switching it from the Active state to the Standby state, while the former Standby group is promoted to Active. A VGMP group in the Standby state automatically adds 65500 to the cost of the OSPF routes it advertises, so through OSPF convergence the traffic is eventually steered to the device in the Active group.
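The following Python simulation is an added example (not from the post and not Huawei code) of the VGMP behaviour described at the start of section 6 and in this subsection: two firewalls, each with one VGMP group containing VRRP backup groups 1 and 2, the failure of G1/0/0 on FW1 from the figure, the resulting priority change (45000 minus 2), the switch of both backup groups together, and the 65500 added to the OSPF cost advertised by the Standby group. The interface names and the tie-break rule are assumptions of the example; the post states no tie-break rule.

```python
"""Simulation of the VGMP behaviour described in section 6 and subsection 3.

Added example, not Huawei code. Two firewalls each run one VGMP group that
contains VRRP backup groups 1 and 2. Values from the post: default VGMP
priority 45000, minus 2 for every backup group that enters the Initialize
state, and +65500 on the OSPF cost advertised by a Standby group. The
tie-break (an already Active group keeps its role when priorities are equal)
is an assumption of this example; the post does not state it.
"""
from dataclasses import dataclass, field
from typing import Dict, Set

DEFAULT_VGMP_PRIORITY = 45000
INIT_PENALTY = 2               # priority lost per backup group in Initialize state
STANDBY_OSPF_COST_ADD = 65500  # added to the advertised OSPF cost by a Standby group


@dataclass
class Firewall:
    name: str
    groups: Dict[int, str]                      # backup group id -> interface name
    failed_ifaces: Set[str] = field(default_factory=set)
    vgmp_active: bool = False

    def group_initialized(self, vrid: int) -> bool:
        """A backup group is in the Initialize state when its interface is down."""
        return self.groups[vrid] in self.failed_ifaces

    def vgmp_priority(self) -> int:
        down = sum(1 for vrid in self.groups if self.group_initialized(vrid))
        return DEFAULT_VGMP_PRIORITY - INIT_PENALTY * down


def negotiate_vgmp(a: Firewall, b: Firewall) -> None:
    """Renegotiate Active/Standby between the two VGMP groups over the heartbeat."""
    pa, pb = a.vgmp_priority(), b.vgmp_priority()
    if pa != pb:
        a.vgmp_active, b.vgmp_active = pa > pb, pb > pa
    elif not (a.vgmp_active or b.vgmp_active):
        a.vgmp_active = True   # assumption: the first device wins a fresh tie
    # equal priorities with an Active side already chosen: no change (assumption)


def forwarder_without_vgmp(fw1: Firewall, fw2: Firewall, vrid: int) -> str:
    """Independent VRRP groups: a group fails over only on its own interface."""
    if fw1.group_initialized(vrid) and not fw2.group_initialized(vrid):
        return fw2.name
    if fw2.group_initialized(vrid) and not fw1.group_initialized(vrid):
        return fw1.name
    return fw1.name            # constructed scenario: FW1 is master while both are up


def forwarder_with_vgmp(fw1: Firewall, fw2: Firewall, vrid: int) -> str:
    """With VGMP every backup group follows its VGMP group, so vrid does not matter."""
    negotiate_vgmp(fw1, fw2)
    return fw1.name if fw1.vgmp_active else fw2.name


def advertised_ospf_cost(fw: Firewall, base_cost: int) -> int:
    """Subsection 3: a Standby VGMP group advertises OSPF routes at cost + 65500."""
    return base_cost if fw.vgmp_active else base_cost + STANDBY_OSPF_COST_ADD


def demo() -> dict:
    """Replay the failure from the figure: G1/0/0 of FW1 (backup group 1) goes down."""
    fw1 = Firewall("FW1", {1: "G1/0/0", 2: "G1/0/1"})   # interface names assumed
    fw2 = Firewall("FW2", {1: "G1/0/0", 2: "G1/0/1"})
    negotiate_vgmp(fw1, fw2)                 # both at 45000: FW1 Active, FW2 Standby
    fw1.failed_ifaces.add("G1/0/0")
    return {
        "no_vgmp": {v: forwarder_without_vgmp(fw1, fw2, v) for v in (1, 2)},
        "vgmp": {v: forwarder_with_vgmp(fw1, fw2, v) for v in (1, 2)},
        "priorities": (fw1.vgmp_priority(), fw2.vgmp_priority()),
        "ospf_cost": (advertised_ospf_cost(fw1, 1), advertised_ospf_cost(fw2, 1)),
    }


if __name__ == "__main__":
    print(demo())
```

Without VGMP the two groups end up on different firewalls (the asymmetric forwarding from the figure); with VGMP both groups move to FW2, and the resulting priorities 44998 versus 45000 are exactly what `display hrp state` shows on the standby device in the query commands at the end of the article.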

7. Configuration example

The environment is as follows (despite the long pile of concepts above, the actual configuration is very simple; but to troubleshoot it you still need to understand thoroughly how it works):

[Figure: example topology with PC1, LSW1, FW1, FW2, LSW2 and R1]

Note: this environment is not meant to reflect a real deployment; its purpose is to introduce firewall hot standby, so it is simplified.

Requirements:

LSW1 and LSW2 are layer 2 switches; FW1, FW2, LSW1 and LSW2 form the hot standby network. Under normal conditions, traffic from PC1 to R1 is forwarded through FW1; when FW1 fails, the traffic is automatically forwarded through FW2 without any change on PC1.

Start the configuration:

FW1 configuration:

<USG6000V1>sys      <!--Enter system view-->
<!--Configure the IP address of each interface-->
[USG6000V1]in g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 10.1.1.101 24
[USG6000V1-GigabitEthernet1/0/0]in g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 172.16.1.1 24
[USG6000V1-GigabitEthernet1/0/1]in g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip add 192.168.1.101 24
[USG6000V1-GigabitEthernet1/0/2]quit
<!--Add the interfaces to their security zones-->
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add in g1/0/2
[USG6000V1-zone-trust]firewall zone dmz
[USG6000V1-zone-dmz]add in g1/0/1
[USG6000V1-zone-dmz]firewall zone untrust
[USG6000V1-zone-untrust]add in g1/0/0
[USG6000V1-zone-untrust]quit
<!--Create a policy permitting traffic from the local zone to the dmz zone, so that VGMP packets can pass-->
[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name permit_heat
[USG6000V1-policy-security-rule-permit_heat]source-zone local
[USG6000V1-policy-security-rule-permit_heat]destination-zone dmz
[USG6000V1-policy-security-rule-permit_heat]action permit 
[USG6000V1-policy-security-rule-permit_heat]quit
[USG6000V1-policy-security]quit
<!--This policy could also be configured after hot standby is set up, but to be safe it is configured first-->
<!--Configure the VRRP backup groups-->
[USG6000V1]in g1/0/0
[USG6000V1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.100 active
[USG6000V1-GigabitEthernet1/0/0]in g1/0/2
[USG6000V1-GigabitEthernet1/0/2]vrrp vrid 1 virtual-ip  192.168.1.100 active
[USG6000V1-GigabitEthernet1/0/2]quit

[USG6000V1]hrp in g1/0/1 remote 172.16.1.2    <!--Configure the heartbeat interface and specify the peer device-->
[USG6000V1]hrp enable    <!--Enable hot standby-->
HRP_S[USG6000V1]hrp auto-sync <!--Set the backup mode to automatic backup-->

That completes the FW1 configuration for now. Next comes FW2; its configuration is similar to FW1's, so no comments this time (bear with my laziness).

FW2 configuration:

<USG6000V1>sys
[USG6000V1]in g1/0/0
[USG6000V1-GigabitEthernet1/0/0]ip add 10.1.1.102 24
[USG6000V1-GigabitEthernet1/0/0]in g1/0/1
[USG6000V1-GigabitEthernet1/0/1]ip add 172.16.1.2 24
[USG6000V1-GigabitEthernet1/0/1]in g1/0/2
[USG6000V1-GigabitEthernet1/0/2]ip add 192.168.1.102 24
[USG6000V1-GigabitEthernet1/0/2]quit
[USG6000V1]firewall zone trust
[USG6000V1-zone-trust]add in g1/0/2
[USG6000V1-zone-trust]firewall zone untrust
[USG6000V1-zone-untrust]add in g1/0/0
[USG6000V1-zone-untrust]firewall zone dmz
[USG6000V1-zone-dmz]add in g1/0/1
[USG6000V1-zone-dmz]quit
[USG6000V1]security-policy 
[USG6000V1-policy-security]rule name permit_heat
[USG6000V1-policy-security-rule-permit_heat]source-zone local
[USG6000V1-policy-security-rule-permit_heat]destination-zone dmz
[USG6000V1-policy-security-rule-permit_heat]action permit
[USG6000V1-policy-security-rule-permit_heat]quit
[USG6000V1-policy-security]quit
[USG6000V1]in g1/0/0
[USG6000V1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.100 standby 
[USG6000V1-GigabitEthernet1/0/0]in g1/0/2
[USG6000V1-GigabitEthernet1/0/2]vrrp vrid 1 virtual-ip  192.168.1.100 standby 
[USG6000V1-GigabitEthernet1/0/2]quit
[USG6000V1]hrp in g1/0/1 remote 172.16.1.1
[USG6000V1]hrp enable
HRP_S[USG6000V1]hrp auto-sync

At this point the hot standby state is synchronized. FW2 is now in the standby state, and most configuration can no longer be done on FW2; it can only be configured on FW1 and is then automatically synchronized to FW2. So now configure a policy on FW1 that allows the trust zone to access the untrust zone, and check on FW2 whether the policy has been synchronized.

FW1 configuration:

 <!--Notice that each command is automatically followed by (+B), which means the command can be synchronized-->
HRP_M[USG6000V1]security-policy  (+B)
HRP_M[USG6000V1-policy-security]rule name test1 (+B)
HRP_M[USG6000V1-policy-security-rule-test1]source-zone trust  (+B)
HRP_M[USG6000V1-policy-security-rule-test1]destination-zone untrust  (+B)
HRP_M[USG6000V1-policy-security-rule-test1]action permit  (+B)
HRP_M[USG6000V1-policy-security-rule-test1]quit
HRP_M[USG6000V1-policy-security]quit

Check on FW2 whether the policy created on FW1 is present:

HRP_S[USG6000V1]security-policy         <!--Sorry, the standby device can no longer enter security policy view-->
 Error: The device is in HRP standby state, so this command can not be executed.
 HRP_S[USG6000V1]dis current-configuration  <!--Don't worry, you can still view all current policies-->
         ...................... <!--Part of the output omitted-->
security-policy
 rule name permit_heat
  source-zone local
  destination-zone dmz
  action permit
 rule name test1        <!--The test1 policy just created has been synchronized-->
  source-zone trust
  destination-zone untrust
  action permit

Configure the IP addresses of router R1 and PC1, and verify with ping.

R1 router configuration (R1 plays the role of the operator's public Internet router; here it only simulates such an environment):

<Huawei>sys
[Huawei]in g0/0/0
[Huawei-GigabitEthernet0/0/0]ip add 10.1.1.1 24
[Huawei-GigabitEthernet0/0/0]quit
[Huawei]ip route-static 192.168.1.0 24 10.1.1.100
           <!--
Add a route to the internal network. In a real environment this route would not exist;
instead, the internal addresses would normally be mapped to public IPs on the same network segment as this router.
                  -->

The IP address of PC1 is as follows:
[Figure: PC1 IP address configuration]

Ping test from PC1 to router R1 (preferably add the "-t" option to the ping command for a continuous ping, so that the session table can be viewed; otherwise the session entries age out and the relevant data cannot be found):

[Figure: ping output from PC1 to R1]
View the session table on FW1:

HRP_M[USG6000V1]dis firewall session table 
 Current Total Sessions : 24
 icmp  ×××: public --> public  192.168.1.1:17547 --> 10.1.1.1:2048
 icmp  ×××: public --> public  192.168.1.1:18059 --> 10.1.1.1:2048
 icmp  ×××: public --> public  192.168.1.1:14987 --> 10.1.1.1:2048

View the session table on FW2:

HRP_S[USG6000V1]dis firew se ta
 Current Total Sessions : 26
 icmp  ×××: public --> public  Remote 192.168.1.1:9099 --> 10.1.1.1:2048
 icmp  ×××: public --> public  Remote 192.168.1.1:9611 --> 10.1.1.1:2048
 icmp  ×××: public --> public  Remote 192.168.1.1:10891 --> 10.1.1.1:2048
 icmp  ×××: public --> public  Remote 192.168.1.1:12171 --> 10.1.1.1:2048

The session table contents on the two firewalls are not identical (but this does not affect failover).

Now the failover can be verified.

Simulate a failure of FW1 (shut down any one of FW1's interfaces; note that PC1 keeps pinging R1 during this, so the failover effect can be observed):

HRP_M[USG6000V1]in g1/0/0 (+B)
HRP_M[USG6000V1-GigabitEthernet1/0/0]shutdown
 <!--The shutdown command is not synchronized to the peer firewall (otherwise there would be nothing left to test);
 note that there is no (+B) after it-->

A second or two after the interface is shut down, PC1 shows one lost packet and then returns to normal, which indicates a successful failover, as follows:
[Figure: PC1 ping output showing one lost packet during failover]

This completes the configuration. Below are some query commands for hot standby:

 <!--View the hot standby state information. The main items are Role and peer:
 Role is the local end, peer is the remote end.
 Running priority is the local end's priority, peer is the remote end's priority.
 -->
HRP_S[USG6000V1]display hrp state     
 Role: standby, peer: active (should be "active-standby")
 Running priority: 44998, peer: 45000
                      ......................        <!--Part of the output omitted-->

HRP_S[USG6000V1]dis hrp interface           <!--View the heartbeat interface state-->
             GigabitEthernet1/0/1 : running

8. Summary

1. The heartbeat interfaces of the two firewalls must be added to the same security zone.
2. The heartbeat interface numbers of the two firewalls must be consistent, for example G1/0/1 on both.
3. It is recommended that the two hot standby firewalls be of the same model and run the same VRP version, and that they connect to the same device (router or switch) using the same interface ID.

-------- End of the article, thanks for reading --------


Source: blog.51cto.com/14154700/2427616