Huawei firewall VRRP hot standby: principles, configuration and examples

Contents:
I. What is hot standby?
II. What is VRRP?
III. The two roles in VRRP
IV. The three VRRP states
V. VRRP Master and Backup router election process
VI. Unified management of VRRP groups by VGMP
VII. Hot standby configuration
VIII. Summary

I. What is hot standby?

1. What hot standby does

Multiple devices run in hot standby;
when one device fails, another device takes over;
network stability is enhanced;
service continuity is guaranteed.

Huawei hot standby provides redundancy and load balancing by deploying two or more firewalls that cooperate with each other and act like one larger firewall.

2. Huawei firewall hot standby modes:

  • Active/standby mode: at any one time only one firewall forwards packets; the other firewall does not forward packets but keeps its session table and Server-map table synchronized.
  • Load balancing mode: several firewalls forward traffic at the same time and also act as each other's backup, i.e. every firewall is both an active device and a standby device; the firewalls synchronize their session tables and Server-map tables.

In load balancing mode, for the ● flow in the figure FW1 is the active device and FW2 the standby, so that flow is forwarded by FW1 by default; for the ○ flow FW2 is the active device and FW1 the standby, so that flow is forwarded by FW2 by default. At the same time FW1 is the backup device for the ○ flow, so when FW2 fails FW1 can still forward the ○ traffic; likewise FW2 can forward the ● traffic when FW1 fails. As shown below:
(figure: load balancing mode traffic flows)

II. What is VRRP?

VRRP (Virtual Router Redundancy Protocol) is maintained by the IETF and is a routing protocol that removes the single point of failure at the gateway. VRRP provides gateway redundancy on routers and can also be used to build hot standby on firewalls.

1. VRRP terms

  • VRRP router: a router running the VRRP protocol.
  • Virtual router: a backup group consisting of one master router and several backup routers in a VRRP group, which provides a virtual gateway to clients.
  • VRID: Virtual Router ID, the identifier of the virtual router, used to uniquely identify a backup group.
  • Virtual IP address: the gateway IP address used by clients; it is the IP address assigned to the virtual router and is configured on all VRRP devices, but only the master answers ARP requests for it.
  • Virtual MAC address: a MAC address generated from the VRID of the VRRP group; when a client resolves the gateway's MAC address with ARP, the master router answers with this MAC address.
  • IP address owner: if the virtual IP address of the virtual router is the real IP address configured on a physical interface of a member, that member is called the IP address owner.
  • Priority: identifies the priority of a VRRP router; each VRRP group elects its master and backup devices by router priority.
  • Preemption mode: in preemption mode, if a backup router has a higher priority than the other routers in the VRRP group (including the current master), it immediately becomes the new master.
  • Non-preemption mode: in non-preemption mode, a backup router with a higher priority than the other routers in the VRRP group (including the current master) does not immediately become the master; it waits for the next election (for example after a power failure or a reboot).

2. Differences between Huawei's VRRP and Cisco's HSRP

VRRP is a public protocol, while HSRP is a Cisco proprietary protocol.
The VRRP virtual router IP address can be the IP address of a member router, but HSRP's cannot.
The VRRP virtual MAC address is 00-00-5e-00-01-VRID, while the HSRP virtual MAC address is 00-00-0C-07-AC-<group number>.
VRRP has three states, while HSRP's state machine has more (Initial, Learn, Listen, Speak, Standby, Active).
VRRP has only one message type, the VRRP advertisement, sent by the master router; it carries the parameters of the virtual router and is also used for master election. HSRP has three message types (Hello, Coup, Resign).
VRRP does not support interface tracking; HSRP does.

III. The two roles in VRRP

  • Master router: normally responsible for forwarding packets and answering ARP; by default it sends an advertisement every 1 s to inform the other routers of its current state.
  • Backup router: does not forward packets normally, while the master is available; when the master fails, the backup router with the highest priority becomes the new master and takes over packet forwarding so that service is not interrupted.

IV. The three VRRP states

  • Initialize: the initial state right after VRRP is configured. In this state the router does nothing with VRRP packets; a router also enters this state when its interface is shut down or fails.
  • Master: the state of the device elected master. It forwards service traffic, periodically sends VRRP advertisements, answers ARP requests from clients (presenting the virtual MAC address), and switches to Initialize immediately when the interface is shut down.
  • Backup: the state of the device elected backup. It forwards no service traffic; it receives the VRRP advertisements sent by the master router and uses them to determine whether the master is working normally. In hot standby mode it also synchronizes state information from the master device.

The transitions between these three states are shown below:
(figure: VRRP state transitions)
Initialize is the initial state of VRRP. When the interface is shut down, the router switches to Initialize immediately whether it is in the master or the backup state. If the router is configured as the IP address owner, its priority is 255 by default and it switches directly from Initialize to Master. If the router is not the IP address owner, its priority is below 255 and it switches from Initialize to Backup. When a backup router receives an advertisement whose priority is greater than or equal to its own (normally sent by the master), it resets the Master_Down_Interval timer; if no advertisement from the master arrives before the Master_Down_Interval timer expires, the backup switches from the backup state to the master state.

V. VRRP Master and Backup router election process

VRRP elects the master and backup routers as follows:
The device with the highest priority becomes the master. If priorities are equal, the interface IP addresses are compared and the device with the larger IP address (the larger numeric value) becomes the master; the other routers in the backup group become backup routers.

The default VRRP priority of an interface is 100; the range is 0 to 255, where 0 is reserved and 255 is reserved for the IP address owner. The IP address owner does not need a priority configured; its priority is 255 by default.

Unless a router is manually configured as the IP address owner (priority 255), a VRRP state change always passes through the Backup state first: even the router with the highest priority must go from Initialize to Backup before it can become Master. In that case Backup is only a momentary transitional state.
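The election rule above and the state transitions from section IV, as an added Python example (not code from the original post or from Huawei). The default priority 100, the owner priority 255, the larger-IP tie-break and the 00-00-5e-00-01-VRID virtual MAC from section II are the page's rules; the VrrpRouter class, its method names, the sample routers and the way Master_Down_Interval expiry is modelled as a method call are this example's own assumptions.

```python
# Added example (not from the original post or Huawei): VRRP election and
# state transitions as described in sections IV and V. The VrrpRouter class,
# its method names and the sample routers are this example's own.
from dataclasses import dataclass
from ipaddress import IPv4Address

DEFAULT_PRIORITY = 100   # default interface priority
OWNER_PRIORITY = 255     # reserved for the IP address owner


def virtual_mac(vrid: int) -> str:
    """Virtual MAC of a VRRP group: fixed prefix 00-00-5e-00-01 plus the VRID byte."""
    if not 1 <= vrid <= 255:
        raise ValueError("VRID must be 1..255")
    return f"00-00-5e-00-01-{vrid:02x}"


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str
    virtual_ip: str
    priority: int = DEFAULT_PRIORITY
    state: str = "Initialize"   # every router starts here
    interface_up: bool = True

    def __post_init__(self):
        # A router whose interface address is the virtual IP is the IP address
        # owner and always uses priority 255; priority 0 is reserved.
        if self.interface_ip == self.virtual_ip:
            self.priority = OWNER_PRIORITY
        if not 1 <= self.priority <= 255:
            raise ValueError("priority must be 1..255")

    def start(self) -> str:
        """Leave Initialize: the owner goes straight to Master, anyone else to Backup."""
        if not self.interface_up:
            self.state = "Initialize"
        elif self.priority == OWNER_PRIORITY:
            self.state = "Master"
        else:
            self.state = "Backup"
        return self.state

    def interface_shutdown(self) -> str:
        """Shutting down the interface returns the router to Initialize from any state."""
        self.interface_up = False
        self.state = "Initialize"
        return self.state

    def master_down_timer_expired(self) -> str:
        """A Backup that heard no advertisement within Master_Down_Interval becomes Master."""
        if self.state == "Backup":
            self.state = "Master"
        return self.state


def election_key(router: VrrpRouter):
    """Higher priority wins; on a tie the larger interface IP address wins."""
    return (router.priority, int(IPv4Address(router.interface_ip)))


def elect(routers):
    """Run one election; returns (master, backups). Routers in Initialize take no part."""
    candidates = [r for r in routers if r.interface_up]
    if not candidates:
        return None, []
    for r in candidates:
        r.start()                      # non-owners pass through Backup first
    master = max(candidates, key=election_key)
    master.state = "Master"
    backups = [r for r in candidates if r is not master]
    for r in backups:
        r.state = "Backup"
    return master, backups


def demo():
    """FW2 wins on priority, then its interface fails and FW1 takes over."""
    fw1 = VrrpRouter("FW1", "10.3.1.1", "10.3.1.3")                 # priority 100
    fw2 = VrrpRouter("FW2", "10.3.1.2", "10.3.1.3", priority=120)   # constructed value
    master, _ = elect([fw1, fw2])
    first_master = master.name
    fw2.interface_shutdown()           # FW2 -> Initialize, advertisements stop
    fw1.master_down_timer_expired()    # FW1 (Backup) -> Master
    return first_master, fw1.state, fw2.state


if __name__ == "__main__":
    print(virtual_mac(1), demo())
```

Running the block prints the virtual MAC of VRID 1 and the tuple ("FW2", "Master", "Initialize"): FW2 is elected first on priority, drops to Initialize when its interface goes down, and FW1 moves from Backup to Master once the Master_Down_Interval timer expires.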

VI. Unified management of VRRP groups by VGMP

From the sections above, hot standby solves the problem of switching gateway devices without interrupting service, and VRRP solves the problem of switching the client's gateway automatically. It would seem that hot standby plus VRRP already works, but in practice it does not.

The figure below makes this easier to understand:
(figure: two VRRP backup groups on FW1 and FW2)
As the figure shows, normally packets from the PC to the external network are forwarded by the master of backup group 1 (FW1), and packets returning from the external network are forwarded by the master of backup group 2 (FW1). When interface G1/0/0 of FW1 fails, backup group 1 detects the failure and makes FW2 its master. Packets from the PC are then forwarded by the master of backup group 1 (FW2), but the state of backup group 2 does not change at all (interface G1/0/1 of FW1 still works), so traffic returning from the external network is still forwarded by the master of backup group 2 (FW1). Since FW1's G1/0/0 has failed, those packets cannot be forwarded any further.

The cause is that the two VRRP backup groups work independently. VGMP (VRRP Group Management Protocol) is therefore needed to manage the VRRP backup groups as a unit and keep the device's state consistent across all backup groups.

VGMP (VRRP Group Management Protocol) manages VRRP backup groups as a unit so that a device's state is consistent across all of its backup groups. On each device (FW1 and FW2), VGMP adds all backup groups (backup group 1 and backup group 2) to one VGMP group. Once a state change is detected in any backup group (for example backup group 1 entering the Initialize state), the VGMP group lowers its own priority by 2 and renegotiates which VGMP group is active and which is standby. The elected active group then switches the state of all backup groups together (FW2 becomes the Master device in both backup group 1 and backup group 2).

1. How VGMP works

  • The state of the VGMP group determines the state of the VRRP backup groups: the device's role (Master or Backup) is no longer elected through VRRP packets but is managed directly and uniformly by VGMP.
  • The state of a VGMP group is decided by comparing priorities: the VGMP group with the higher priority becomes Active and the one with the lower priority becomes Standby.
  • By default the priority of a VGMP group is 4500.
  • VGMP adjusts the priority automatically according to the state of the VRRP backup groups in the group: once a backup group is detected entering the Initialize state, the VGMP group's priority is reduced by 2.
  • VGMP negotiates VGMP state information over the heartbeat link.
  • After joining a VGMP group, the VRRP state names change from master and backup to active and standby.
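The failure described above (FW1's G1/0/0 goes down while G1/0/1 stays up) as an added Python example that is not code from the original post or from Huawei. It models the page's topology, backup group 1 on G1/0/0 and backup group 2 on G1/0/1, and elects the groups once independently and once through VGMP. The VGMP default priority of 4500 and the decrement of 2 per backup group in Initialize are the page's figures; the VRRP priorities 120/100, the preferred_active tie-break and all class and function names are this example's own assumptions.

```python
# Added example (not from the original post or Huawei): why independently
# elected VRRP groups break round-trip forwarding, and how VGMP's unified
# switching fixes it. Class and function names are this example's own.
from dataclasses import dataclass, field

VGMP_DEFAULT_PRIORITY = 4500   # default stated on the page
VGMP_DECREMENT = 2             # per backup group that enters Initialize
VRRP_GROUPS = {1: "G1/0/0", 2: "G1/0/1"}   # backup group -> interface it runs on


@dataclass
class Firewall:
    name: str
    vrrp_priority: int = 100          # constructed: FW1 gets 120 so it is master by default
    preferred_active: bool = False    # assumption: breaks a VGMP priority tie
    failed: set = field(default_factory=set)   # interfaces that are down

    def vrrp_state(self, group: int) -> str:
        """A backup group whose interface is down sits in Initialize and cannot be master."""
        return "Initialize" if VRRP_GROUPS[group] in self.failed else "Up"

    def vgmp_priority(self) -> int:
        """VGMP lowers its priority by 2 for every member backup group in Initialize."""
        down = sum(1 for g in VRRP_GROUPS if self.vrrp_state(g) == "Initialize")
        return VGMP_DEFAULT_PRIORITY - VGMP_DECREMENT * down


def masters_without_vgmp(fws):
    """Each backup group elects on its own: highest VRRP priority among members not in Initialize."""
    result = {}
    for g in VRRP_GROUPS:
        up = [fw for fw in fws if fw.vrrp_state(g) != "Initialize"]
        result[g] = max(up, key=lambda fw: fw.vrrp_priority).name
    return result


def masters_with_vgmp(fws):
    """VGMP elects one Active group by priority and switches every backup group to that device."""
    active = max(fws, key=lambda fw: (fw.vgmp_priority(), fw.preferred_active))
    return {g: active.name for g in VRRP_GROUPS}


def round_trip_ok(masters, fws) -> bool:
    """Outbound traffic enters group 1's master on G1/0/0 and must leave on its G1/0/1;
    the reply enters group 2's master on G1/0/1 and must leave on its G1/0/0."""
    by_name = {fw.name: fw for fw in fws}
    outbound_dev = by_name[masters[1]]
    return_dev = by_name[masters[2]]
    return (VRRP_GROUPS[2] not in outbound_dev.failed
            and VRRP_GROUPS[1] not in return_dev.failed)


def scenario():
    """Fail FW1's G1/0/0 (the page's case) and compare both behaviours."""
    fw1 = Firewall("FW1", vrrp_priority=120, preferred_active=True)
    fw2 = Firewall("FW2")
    fws = [fw1, fw2]
    normal = masters_without_vgmp(fws)
    fw1.failed.add("G1/0/0")
    without = masters_without_vgmp(fws)
    with_vgmp = masters_with_vgmp(fws)
    return {
        "normal": normal,
        "without_vgmp": (without, round_trip_ok(without, fws)),
        "with_vgmp": (with_vgmp, round_trip_ok(with_vgmp, fws)),
        "vgmp_priority": {fw.name: fw.vgmp_priority() for fw in fws},
    }


if __name__ == "__main__":
    for key, value in scenario().items():
        print(key, value)
```

Without VGMP the result is {1: "FW2", 2: "FW1"} and the round trip fails, because the reply still lands on FW1 whose G1/0/0 is down. With VGMP, FW1's priority drops to 4498, FW2 (still 4500) becomes Active, both groups move to FW2 and the round trip succeeds.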

2. VGMP packet encapsulation

VGMP negotiates its state information over the heartbeat link by sending VGMP packets. VGMP packets take the two forms shown in the figure below:

In the network on the left of the figure, when the heartbeat interfaces are connected directly or through a Layer 2 switch, the packets sent are multicast and the encapsulation carries no UDP header. When the heartbeat link passes through a Layer 3 device (a router), multicast packets cannot cross it, so an extra UDP header is added to the encapsulation and the packets sent are unicast.

(figure: the two VGMP packet encapsulations)

In practice, choose the encapsulation to suit the actual environment. On Huawei firewalls the following commands specify which encapsulation the packets sent from an interface use.

[FW1]hrp interface GigabitEthernet 1/0/0       <!--This form is not supported in the eNSP simulator-->
[FW1]hrp interface GigabitEthernet 1/0/0 remote 1.1.1.1
<!--The hrp command specifies the interface used for the heartbeat link.
1.1.1.1 is the IP address of the peer heartbeat interface and must be reachable by routing.
With the remote parameter the packets are UDP-encapsulated unicast; without remote they are multicast-->

Other notes on configuring VGMP:

  • After joining VGMP, the heartbeat link carries state backup (session table and server-map table) as well as VGMP state negotiation.
  • By default a Huawei firewall permits multicast traffic (such as VGMP packets without the remote parameter) and blocks unicast traffic (such as VGMP packets with the remote parameter), so if the remote parameter is configured, a security policy must also be configured between the local zone and the zone of the heartbeat interface.
  • An interface with vrrp virtual-mac enable configured cannot be used as a heartbeat interface.
  • If a Layer 2 interface is used for the heartbeat, it cannot be configured on the Layer 2 interface directly; add the Layer 2 interface to a VLAN and configure the heartbeat interface on the VLAN.
  • In the eNSP simulator the remote parameter must be configured even when the heartbeat interfaces are directly connected; otherwise the configuration fails.

3. Hot standby backup methods

Hot standby offers the following three backup methods:

  • Automatic backup: in this mode, hot-standby-related configuration can only be made on the active device and is synchronized to the standby device automatically; the active device also synchronizes state information to the standby device automatically.
  • Manual batch backup: in this mode, all configuration commands and state information on the active device are synchronized to the standby device only when the batch backup command is run manually. It is mainly used when the active and standby configurations are out of sync and must be synchronized immediately.
  • Fast backup: in this mode, configuration commands are not synchronized, only state information. In a load-balancing hot standby environment this mode must be enabled so that state information is updated quickly.

The configuration commands for each mode are as follows:

1) Enable hot standby:

[FW1]hrp enable
HRP_S[FW1]         <!--After hot standby is enabled the command prompt changes-->

2) Configure automatic backup:

HRP_M[FW1]hrp auto-sync
HRP_M[FW1]security-policy  (+B)
   <!--After hot standby is enabled, commands that can be synchronized are marked (+B)-->

3) Configure manual batch backup:

HRP_M<FW1>hrp sync [ config | connection-status ]
       <!--
 Run in user view: the config parameter synchronizes configuration commands manually,
 the connection-status parameter synchronizes state information manually.
              -->

4) Configure fast backup:

HRP_S[FW1]hrp mirror session enable
HRP_M[FW1]      <!--After fast backup is configured the prompt prefix becomes HRP_M-->

4. Hot standby when connected to routers

When the device upstream or downstream of the hot standby pair is a switch, VRRP can detect the state of the interface or device. But when the upstream or downstream device is a router, VRRP cannot work normally (VRRP relies on multicast for failover). Huawei firewalls instead monitor the state of the other interfaces and use OSPF to switch traffic, as shown below:
(figure: hot standby with OSPF when connected to routers)
The interface is added directly to the VGMP group. When the interface fails (even if the fault is on the peer device, the physical state of the local interface also goes down), VGMP senses the interface state change, lowers the VGMP group's priority and switches it from active to standby, while the former standby group is promoted to active. A VGMP group in the standby state automatically adds 65500 to the cost of the OSPF routes it advertises, so OSPF convergence steers traffic to the devices of the Active group.

VII. Hot standby configuration

Environment:
(figure: lab topology)

Requirements:
LSW1 and LSW2 are Layer 2 switches. FW1, FW2, LSW1 and LSW2 form a hot standby network. Normally, traffic from PC1 to R1 is forwarded by FW1; when FW1 fails, the traffic is forwarded by FW2 automatically without any change on PC1.

Recommended steps:
Configure the basic network parameters according to the topology
Add the firewall interfaces to their zones
Configure the security policies
Configure NAPT address translation
Configure the heartbeat link on each firewall
Configure VRRP
Configure the default route on the firewalls
Verify

Start the configuration:

FW1 configuration:

[FW1]int g1/0/0      <!--Enter the interface-->
[FW1-GigabitEthernet1/0/0]ip add 10.1.1.1 24   <!--Configure the interface IP address-->
[FW1-GigabitEthernet1/0/0]quit
[FW1]int g1/0/1           <!--Enter the interface-->
[FW1-GigabitEthernet1/0/1]ip add 10.2.1.1 24    <!--Configure the interface IP address-->
[FW1-GigabitEthernet1/0/1]quit
[FW1]int g1/0/2      <!--Enter the interface-->
[FW1-GigabitEthernet1/0/2]ip add 10.3.1.1 24  <!--Configure the interface IP address-->
[FW1-GigabitEthernet1/0/2]quit
[FW1]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 1.1.1.2
              <!--Default route towards the untrust zone-->
[FW1]firewall zone untrust        <!--Enter the untrust zone-->
[FW1-zone-untrust]add int GigabitEthernet 1/0/0   <!--Add the interface to the untrust zone-->
[FW1-zone-untrust]quit
[FW1]firewall zone dmz         <!--Enter the dmz zone-->
[FW1-zone-dmz]add int GigabitEthernet 1/0/1      <!--Add the interface to the dmz zone-->
[FW1-zone-dmz]quit
[FW1]firewall zone trust       <!--Enter the trust zone-->
[FW1-zone-trust]add int GigabitEthernet 1/0/2      <!--Add the interface to the trust zone-->
[FW1-zone-trust]quit
[FW1]security-policy        <!--Configure the security policy-->
[FW1-policy-security]rule name ha        <!--Rule named ha-->
[FW1-policy-security-rule-ha]source-zone local        <!--Source zone-->
[FW1-policy-security-rule-ha]source-zone dmz      <!--Source zone-->
[FW1-policy-security-rule-ha]destination-zone local     <!--Destination zone-->
[FW1-policy-security-rule-ha]destination-zone dmz       <!--Destination zone-->
[FW1-policy-security-rule-ha]action permit        <!--Allow the dmz and local zones to reach each other-->
[FW1-policy-security-rule-ha]quit
[FW1-policy-security]quit
[FW1]security-policy          <!--Configure the security policy-->
[FW1-policy-security]rule name nat      <!--Rule named nat-->
[FW1-policy-security-rule-nat]source-zone trust        <!--Source zone-->
[FW1-policy-security-rule-nat]destination-zone untrust      <!--Destination zone-->
[FW1-policy-security-rule-nat]action permit        <!--Allow the traffic-->
[FW1-policy-security-rule-nat]quit
[FW1-policy-security]quit
[FW1]nat address-group NAPAT          <!--Address pool named NAPAT-->
[FW1-address-group-napat]section 0 1.1.1.1 1.1.1.1   <!--Address pool range-->
[FW1-address-group-napat]quit
[FW1]nat-policy      <!--Configure the NAT policy-->
[FW1-policy-nat]rule name natpolicy    <!--NAT rule named natpolicy-->
[FW1-policy-nat-rule-natpolicy]source-zone trust    <!--Source zone to be translated-->
[FW1-policy-nat-rule-natpolicy]destination-zone untrust   <!--Destination zone-->
[FW1-policy-nat-rule-natpolicy]action nat address-group NAPAT
      <!--Map the translated source to the address pool-->
[FW1-policy-nat-rule-natpolicy]quit
[FW1-policy-nat]quit
[FW1]hrp int g 1/0/1 remote 10.2.1.2  <!--Send heartbeat information to FW2-->
[FW1]hrp enable   <!--Enable HRP-->
HRP_S[FW1]

FW2 configuration (refer to the FW1 comments; the FW1 and FW2 configurations are basically the same):

[FW2]int g1/0/0
[FW2-GigabitEthernet1/0/0]ip add 10.1.1.2 24
[FW2-GigabitEthernet1/0/0]int g1/0/1
[FW2-GigabitEthernet1/0/1]ip add 10.2.1.2 24
[FW2-GigabitEthernet1/0/1]int g1/0/2
[FW2-GigabitEthernet1/0/2]ip add 10.3.1.2 24
[FW2-GigabitEthernet1/0/2]quit
[FW2]ip route-static 0.0.0.0 0.0.0.0 GigabitEthernet 1/0/0 1.1.1.2
[FW2]firewall zone untrust 
[FW2-zone-untrust]add int GigabitEthernet 1/0/0
[FW2-zone-untrust]quit
[FW2]firewall zone dmz
[FW2-zone-dmz]add int GigabitEthernet 1/0/1
[FW2-zone-dmz]quit
[FW2]firewall zone trust 
[FW2-zone-trust]add int GigabitEthernet 1/0/2
[FW2-zone-trust]quit
[FW2]security-policy 
[FW2-policy-security]rule name ha
[FW2-policy-security-rule-ha]source-zone local 
[FW2-policy-security-rule-ha]source-zone dmz
[FW2-policy-security-rule-ha]destination-zone local 
[FW2-policy-security-rule-ha]destination-zone dmz
[FW2-policy-security-rule-ha]action permit 
[FW2-policy-security-rule-ha]quit
[FW2-policy-security]quit
[FW2]security-policy 
[FW2-policy-security]rule name nat
[FW2-policy-security-rule-nat]source-zone trust 
[FW2-policy-security-rule-nat]destination-zone untrust 
[FW2-policy-security-rule-nat]action permit 
[FW2-policy-security-rule-nat]quit
[FW2-policy-security]quit
[FW2]nat address-group NAPAT
[FW2-address-group-napat]section 0 1.1.1.1 1.1.1.1
[FW2-address-group-napat]quit
[FW2]nat-policy 
[FW2-policy-nat]rule name natpolicy
[FW2-policy-nat-rule-natpolicy]source-zone trust 
[FW2-policy-nat-rule-natpolicy]destination-zone untrust 
[FW2-policy-nat-rule-natpolicy]action nat address-group NAPAT
[FW2-policy-nat-rule-natpolicy]quit
[FW2-policy-nat]quit
[FW2]hrp int g1/0/1 remote 10.2.1.1
[FW2]hrp enable
HRP_S[FW2]hrp standby-device

Configure VRRP

FW1 VRRP configuration:

HRP_M[FW1]int g1/0/0 (+B)            <!--Enter the interface-->
HRP_M[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
          <!--Master of VRRP group 1, virtual gateway IP 1.1.1.1-->
HRP_M[FW1-GigabitEthernet1/0/0]quit
HRP_M[FW1]int g1/0/2 (+B)        <!--Enter the interface-->
HRP_M[FW1-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 10.3.1.3 active
        <!--Master of VRRP group 2, virtual gateway IP 10.3.1.3-->
HRP_M[FW1-GigabitEthernet1/0/2]quit

FW2 VRRP configuration:

HRP_S[FW2]int g1/0/0           <!--Enter the interface-->
HRP_S[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
       <!--Backup of VRRP group 1, virtual gateway IP 1.1.1.1-->
HRP_S[FW2-GigabitEthernet1/0/0]quit
HRP_S[FW2]int g1/0/2            <!--Enter the interface-->
HRP_S[FW2-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 10.3.1.3 standby
      <!--Backup of VRRP group 2, virtual gateway IP 10.3.1.3-->
HRP_S[FW2-GigabitEthernet1/0/2]quit
HRP_S[FW2]dis hrp state  <!--Check the HRP state-->
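A consistency check over the FW1/FW2 transcripts above, as an added Python example that is not code from the original post or from Huawei. Before a failover test a practitioner wants to know that both members agree on every VRID's virtual IP, interface and active/standby role, that each hrp remote address is really the peer's heartbeat interface address, and that exactly one member is marked hrp standby-device; the parser handles only the command forms this page uses. The two sample transcripts are constructed from the page's configuration; every function name is this example's own.

```python
# Added example (not from the original post or Huawei): parse the two members'
# CLI transcripts and report mismatches. Function names are this example's own.
import re

# Prompt forms seen on the page: [FW1], [FW1-GigabitEthernet1/0/0],
# HRP_M[FW1-...], [FW1-zone-dmz]; the device name is the part before the first '-'.
PROMPT = re.compile(r"^(?:HRP_[MS])?[\[<]([^\]>\-]+)(?:-([^\]>]+))?[\]>](.*)$")
IFACE = re.compile(r"^(?:g|gi|gigabitethernet)\s*([\d/]+)$", re.I)


def norm_iface(text: str) -> str:
    """Map g1/0/1, g 1/0/1 and GigabitEthernet 1/0/1 to GigabitEthernet1/0/1."""
    m = IFACE.match(text.strip())
    return f"GigabitEthernet{m.group(1)}" if m else text.strip()


def parse_transcript(text: str) -> dict:
    """Collect interface IPs, VRRP groups and heartbeat settings from one device's transcript."""
    cfg = {"device": None, "ip": {}, "vrrp": {}, "hrp_iface": None,
           "hrp_remote": None, "standby_device": False}
    for raw in text.splitlines():
        line = re.sub(r"<!--.*?-->", "", raw).replace("(+B)", "").strip()
        m = PROMPT.match(line)
        if not m:
            continue
        device, context, cmd = m.group(1), m.group(2) or "", m.group(3)
        cfg["device"] = device
        words = cmd.split()
        if len(words) < 2:
            continue
        iface = norm_iface(context) if IFACE.match(context) else None
        if iface and words[0] == "ip" and words[1].startswith("add"):
            cfg["ip"][iface] = words[2]
        elif iface and words[0] == "vrrp" and words[1] == "vrid":
            cfg["vrrp"][int(words[2])] = {"iface": iface, "vip": words[4], "role": words[-1]}
        elif words[0] == "hrp" and words[1].startswith("int") and "remote" in words:
            r = words.index("remote")
            cfg["hrp_iface"] = norm_iface(" ".join(words[2:r]))
            cfg["hrp_remote"] = words[r + 1]
        elif words[0] == "hrp" and words[1] == "standby-device":
            cfg["standby_device"] = True
    return cfg


def check_pair(a: dict, b: dict) -> list:
    """Return findings as strings; an empty list means the two members agree."""
    findings = []
    for me, peer in ((a, b), (b, a)):
        expected = peer["ip"].get(peer["hrp_iface"])   # peer's heartbeat interface address
        if me["hrp_remote"] != expected:
            findings.append(f"{me['device']}: hrp remote {me['hrp_remote']} is not the "
                            f"peer heartbeat address {expected}")
    if a["vrrp"].keys() != b["vrrp"].keys():
        findings.append(f"VRIDs differ: {sorted(a['vrrp'])} vs {sorted(b['vrrp'])}")
    for vrid in sorted(a["vrrp"].keys() & b["vrrp"].keys()):
        ga, gb = a["vrrp"][vrid], b["vrrp"][vrid]
        if ga["vip"] != gb["vip"]:
            findings.append(f"vrid {vrid}: virtual IP {ga['vip']} vs {gb['vip']}")
        if ga["iface"] != gb["iface"]:
            findings.append(f"vrid {vrid}: interface {ga['iface']} vs {gb['iface']}")
        if {ga["role"], gb["role"]} != {"active", "standby"}:
            findings.append(f"vrid {vrid}: roles {ga['role']}/{gb['role']}, need one active and one standby")
    if a["standby_device"] == b["standby_device"]:
        findings.append("exactly one member should have hrp standby-device")
    return findings


# Constructed from the page's FW1 and FW2 configuration (subset of lines).
FW1_TRANSCRIPT = """\
[FW1-GigabitEthernet1/0/0]ip add 10.1.1.1 24
[FW1-GigabitEthernet1/0/1]ip add 10.2.1.1 24
[FW1-GigabitEthernet1/0/2]ip add 10.3.1.1 24
[FW1]hrp int g 1/0/1 remote 10.2.1.2  <!--heartbeat towards FW2-->
[FW1]hrp enable
HRP_S[FW1]
HRP_M[FW1-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
HRP_M[FW1-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 10.3.1.3 active
"""
FW2_TRANSCRIPT = """\
[FW2-GigabitEthernet1/0/0]ip add 10.1.1.2 24
[FW2-GigabitEthernet1/0/1]ip add 10.2.1.2 24
[FW2-GigabitEthernet1/0/2]ip add 10.3.1.2 24
[FW2]hrp int g1/0/1 remote 10.2.1.1
[FW2]hrp enable
HRP_S[FW2]hrp standby-device
HRP_S[FW2-GigabitEthernet1/0/0]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
HRP_S[FW2-GigabitEthernet1/0/2]vrrp vrid 2 virtual-ip 10.3.1.3 standby
"""


def check_page_pair() -> list:
    return check_pair(parse_transcript(FW1_TRANSCRIPT), parse_transcript(FW2_TRANSCRIPT))


if __name__ == "__main__":
    print(check_page_pair() or "FW1/FW2 hot standby configuration is consistent")
```

For the page's configuration the check returns no findings. Changing FW2's second virtual IP to 10.3.1.4, or pointing its hrp remote at an address that is not FW1's G1/0/1, produces a single finding naming the VRID or the device, which is the kind of mistake that only shows up during a failover otherwise.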

Configure the IP addresses of R1 and the PC, then ping R1's IP address from the PC.
R1 configuration:

[R1]int g0/0/0
[R1-GigabitEthernet0/0/0]ip add 1.1.1.2 24
[R1-GigabitEthernet0/0/0]quit
  <!--Enter the interface and configure its IP address-->
[R1]ip route-static 10.3.1.0 24 10.1.1.1
[R1]ip route-static 10.3.1.0 24 10.1.1.2
           <!--
Add two routes towards the internal network. In a real environment these routes would not exist;
the internal addresses would normally be mapped to public IPs on the same subnet as this router. -->


Source: blog.51cto.com/14156658/2434614