Huawei firewalls hot standby configuration in detail

When people mention a firewall they usually picture the enterprise edge device that internal users pass through to reach the Internet. The firewall carries many functions: security rules, IPS, file-type filtering, content filtering and application-layer filtering. Precisely because it is so important, a firewall failure interrupts the external communication of every service, so the first things to consider for an enterprise firewall are tuning and high availability.

Outline:
1. Hot standby principle
2. VRRP protocol
(1) VRRP protocol overview
(2) VRRP roles
(3) VRRP state machine
(4) How VRRP works
3. VGMP protocol
(1) How VGMP works
(2) VGMP packet encapsulation
(3) Hot standby backup modes
(4) Hot standby when connected to routers
4. Hot standby configuration on the firewall

1. Hot standby principle

As the Internet has developed, most problems in daily life can now be solved over the network, but at the same time network security problems have been exposed. Deploying a firewall at the enterprise edge has become the norm, and keeping network transmission uninterrupted has become a problem that must be solved.

An enterprise deploys one firewall at its key business egress, and all external traffic passes through it. Once that firewall fails, the business faces a network outage no matter how good or how powerful the firewall itself is, and the resulting losses cannot be recovered. If instead two firewalls are deployed at the egress, the enterprise gains security while ensuring that basic transport services are not interrupted, because the probability of both devices failing at the same time is very small. After the deployment shown in the right-hand diagram, the network is highly reliable from a topology point of view, but technically some problems still have to be solved, because a firewall works fundamentally differently from a router and needs some special configuration.

In the left-hand diagram, the internal network can reach the external network via R3 → R1 → R4 or via R3 → R2 → R4. If the path cost of R3 → R1 → R4 (OSPF is running) is lower, the internal network reaches the outside via R3 → R1 → R4 by default; when R1 fails, OSPF converges automatically and R3 forwards to the outside via R2.

In the right-hand diagram R1 and R2 are replaced by two firewalls. By default the traffic is forwarded to the external network through FW1, so the session table entries for the users' traffic are recorded on FW1. When FW1 fails, OSPF convergence steers the traffic to FW2, but FW2 holds no session table for the existing flows: return traffic of sessions established before the switch will not pass FW2, and the subsequent traffic of those sessions must be re-checked against the security policy and new sessions generated. In other words, all existing traffic is terminated unless the connections are re-established.

As the figure shows, the Huawei hot standby feature provides a backup link (heartbeat) between the two firewalls over which the session table, the Server-map table and the like are backed up and the active/standby state is negotiated. Depending on the configuration, a master device and a backup device are elected. While the master device works normally, the backup device does not forward packets, but it downloads the current session table and Server-map table from the master device in real time. This guarantees that if the master device fails and traffic switches to the backup device, the backup device already holds the current session table and Server-map table, so the traffic is not interrupted.

In a hot standby environment the requirements are as follows:
(1) the heartbeat interfaces of the two firewalls are added to the same security zone;
(2) the heartbeat interface numbers of the two firewalls must be the same, for example both G1/0/0;
(3) it is recommended that the two hot standby firewalls are the same model and run the same VRP version;

Huawei firewall hot standby includes the following two modes:

  • Hot standby mode: at any one time only one firewall forwards packets and the other does not, but the session table and Server-map table are synchronised between them;
  • Load-balancing mode: at any one time several firewalls forward data simultaneously, with each firewall also acting as the backup device of the others, so every firewall is both a master and a backup device; the session table and Server-map table are synchronised between the firewalls;

The hot standby mode and load-balancing mode of Huawei firewalls are shown in the figure.

2. VRRP protocol

In hot standby technology, even after a master and a backup device are elected, by default traffic is forwarded through the master device while the backup device stays in backup state. But a client normally selects its network exit by a configured gateway address: when the client's gateway points at the master device, traffic naturally flows through the master, but when the master fails the client does not automatically point its gateway at the backup device, so even though the hot standby pair itself can switch, the client still cannot communicate. For hot standby to work properly, automatic gateway switching on the client side must also be solved. VRRP solves the automatic gateway switching problem and can even make the device switch transparent to the client. In Huawei firewall hot standby, VRRP is therefore a very important component.

(1) VRRP protocol overview

VRRP (Virtual Router Redundancy Protocol) is maintained by the IETF. It is a routing protocol used to solve the single point of failure of a gateway. VRRP can be used on routers to provide gateway redundancy, and on firewalls to implement hot standby.

The basic VRRP concepts are as follows:
(1) VRRP router: a router running VRRP;
(2) Virtual router: a backup group consisting of one master router and several backup routers; one backup group provides one virtual gateway to the clients;
(3) VRID: Virtual Router ID, the identifier that uniquely identifies a backup group;
(4) Virtual IP address: the gateway IP address offered to the clients, which is also the IP address assigned to the virtual router; it is configured on all VRRP routers, but only the master device answers ARP requests for it;
(5) Virtual MAC address: a MAC address generated from the VRID and used for VRRP; when a client resolves the gateway's MAC address via ARP, the master router supplies this MAC address;
(6) IP address owner: if the virtual router's IP address is configured as the real IP address of a member's physical interface, that member is called the IP address owner;
(7) Priority: the priority of a VRRP router; the master and backup devices are elected by comparing the priority of each VRRP router;
(8) Preempt mode: in preempt mode, if a backup router's priority is higher than that of the other routers in the backup group (including the current master), it immediately becomes the new master router;
(9) Non-preempt mode: in non-preempt mode, if a backup router's priority is higher than that of the other routers in the backup group (including the current master), it does not immediately become the master but waits for the next fresh election (for example after a power failure or device restart);

VRRP works essentially the same way as on Cisco devices, with only a few differences in detail, as shown in the figure.

(2) VRRP roles

A router working in VRRP mode has one of two roles:

  • Master router: under normal conditions the Master router answers ARP and forwards packets, and by default advertises its current state to the other routers every 1 s;
  • Backup router: the backup of the Master router; under normal conditions it does not forward packets. When the Master router fails, the Backup router with the highest priority becomes the new Master router and takes over packet forwarding, so that the service is not interrupted;

(3) VRRP state machine

VRRP defines three working states:

  • Initialize state: the initial state right after VRRP is configured. In this state VRRP packets are not processed at all; the router also enters this state when the interface is shut down or fails;
  • Master state: the state of a device that has been elected master router. In this state it forwards service packets and periodically sends VRRP advertisements; a router in this state also answers ARP requests from clients with the virtual MAC address. When the interface is shut down it immediately switches to the Initialize state;
  • Backup state: the state of a device that has been elected backup router. In this state it forwards no service packets; it receives the VRRP advertisements sent by the master router and uses them to judge whether the master is working properly. In hot standby mode it also synchronises the state information from the master device;

The transitions between the three states are shown in the figure. Initialize is the initial VRRP state: when the interface is shut down, the router switches to Initialize immediately whether it was in Master or Backup state. When the router is configured as the IP address owner, its priority defaults to 255 and it goes directly from Initialize to Master; when it is not the IP address owner, its priority is < 255 and it goes from Initialize to Backup. A router in Master state that receives a VRRP packet with a higher priority switches from Master to Backup, while a router in Backup state that receives a packet with a higher or equal priority (normally sent by the Master router) resets its Master_DOWN_Interval timer; if it keeps receiving no VRRP advertisements from the Master router, it switches from Backup to Master once the Master_DOWN_Interval timer expires.

Note: unless the router is manually configured as the IP address owner (priority = 255), a VRRP state change always passes through the Backup state first; even the router with the highest priority must move from Backup to Master. In that case Backup is only a momentary transitional state.

(4) How VRRP works

VRRP elects the Master and Backup routers as follows:
the device with the highest priority becomes the Master router; if the priorities are equal, the interface IP addresses are compared and the device with the larger (numerically higher) IP address becomes the Master router, while the other routers in the backup group become Backup routers.

The default VRRP interface priority is 100 and the range is 0 to 255. Priority 0 is reserved by the system and priority 255 is reserved for the IP address owner; the IP address owner needs no priority configuration, its priority defaults to 255.

How VRRP works is shown in the figure.

Failover process:
By default the Master device (FW1) sends VRRP advertisements to the Backup device periodically (every 1 s), and each time the Backup device receives an advertisement it resets the Master_DOWN_Interval timer to 0. When the Master device fails and can no longer send VRRP advertisements, the Backup device receives none; after the Master_DOWN_Interval expires it switches directly from Backup to Master state, and FW2 replaces FW1 as the new Master device. At the same time it sends a gratuitous ARP to the downstream switch to update the switch's MAC address table. Later ARP requests from clients for the virtual IP are answered directly by FW2, and packets sent by the clients are forwarded by FW2; all of this is transparent to the clients, because the virtual IP address is still reachable.

When FW1 has recovered from the failure and is running normally, because FW1 is configured with a higher priority than FW2, in preempt mode it directly becomes the Master device again and FW2 returns to Backup state; in non-preempt mode FW2 remains the Master device and FW1 becomes the Backup device.

Recommendation: when the Master and Backup devices have similar performance and the network is large, configure non-preempt mode, because it reduces network fluctuation.
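The following is an added example, not code from the original post: a discrete-time Python model of the VRRP election rules, state machine and failover described in this section, including the difference between preempt and non-preempt mode when FW1 recovers. The router names, addresses and priorities (FW1 at 120, FW2 at 100) are constructed; the 1 s advertisement interval is the one the post mentions, and the 3 s Master_DOWN_Interval (skew time ignored) is an assumption.

```python
"""Added example (not from the original post): VRRP election, state machine
and failover simulated one second at a time.

Rules modelled:
  * Initialize -> Master for the IP address owner (priority 255),
    Initialize -> Backup for every other router.
  * Election: highest priority wins; equal priority -> numerically larger
    interface IP address wins.
  * A Backup that hears no Master advertisement for Master_DOWN_Interval
    becomes Master.
  * In preempt mode a Backup with a higher priority than the current Master
    takes over at once; in non-preempt mode the current Master keeps its role.
"""
import ipaddress
from dataclasses import dataclass

ADVERT_INTERVAL = 1                         # seconds, VRRP default
MASTER_DOWN_INTERVAL = 3 * ADVERT_INTERVAL  # seconds, assumption (skew time ignored)


@dataclass
class VrrpRouter:
    name: str
    ip: str                     # real interface IP address
    priority: int = 100         # default 100, configurable 1..254
    ip_owner: bool = False      # owner of the virtual IP -> priority 255
    up: bool = True             # interface up?
    state: str = "Initialize"
    master_down_timer: int = 0

    def effective_priority(self) -> int:
        return 255 if self.ip_owner else self.priority

    def sort_key(self) -> tuple:
        # primary: priority, tie-breaker: numeric value of the interface IP
        return (self.effective_priority(), int(ipaddress.ip_address(self.ip)))


def elect(routers: list) -> VrrpRouter:
    """Return the router that wins an election among the routers that are up."""
    return max((r for r in routers if r.up), key=VrrpRouter.sort_key)


def tick(routers: list, preempt: bool) -> None:
    """Advance the backup group by one second."""
    for r in routers:
        if not r.up:
            r.state = "Initialize"          # interface shutdown or failure
        elif r.state == "Initialize":
            r.state = "Master" if r.ip_owner else "Backup"
            r.master_down_timer = 0
    masters = [r for r in routers if r.up and r.state == "Master"]
    backups = [r for r in routers if r.up and r.state == "Backup"]
    if masters:
        current = max(masters, key=VrrpRouter.sort_key)
        for r in masters:                   # a Master hearing a better advertisement steps down
            if r is not current:
                r.state = "Backup"
        for r in backups:
            r.master_down_timer = 0         # advertisement received from the Master
            if preempt and r.sort_key() > current.sort_key():
                r.state, current.state = "Master", "Backup"
                current = r
    else:
        for r in backups:                   # no advertisement heard this second
            r.master_down_timer += ADVERT_INTERVAL
        expired = [r for r in backups if r.master_down_timer >= MASTER_DOWN_INTERVAL]
        if expired:
            max(expired, key=VrrpRouter.sort_key).state = "Master"


def current_master(routers: list) -> str:
    return next((r.name for r in routers if r.up and r.state == "Master"), "none")


def failover_scenario(preempt: bool) -> list:
    """FW1 (priority 120) is Master, fails, FW2 takes over, FW1 recovers.
    Returns the Master after each of the three phases."""
    fw1 = VrrpRouter("FW1", "192.168.1.101", priority=120)   # constructed
    fw2 = VrrpRouter("FW2", "192.168.1.102", priority=100)   # constructed
    group = [fw1, fw2]

    def settle() -> str:
        for _ in range(MASTER_DOWN_INTERVAL + 1):
            tick(group, preempt)
        return current_master(group)

    phases = [settle()]            # initial election
    fw1.up = False
    phases.append(settle())        # FW1 down: FW2 becomes Master after Master_DOWN_Interval
    fw1.up = True
    phases.append(settle())        # FW1 back: preempt mode decides who is Master
    return phases


if __name__ == "__main__":
    print("preempt    :", failover_scenario(True))    # ['FW1', 'FW2', 'FW1']
    print("non-preempt:", failover_scenario(False))   # ['FW1', 'FW2', 'FW2']
```

The third phase is the one the recommendation above is about: with preempt enabled the recovered FW1 takes the Master role back immediately, producing a second switchover; with preempt disabled FW2 keeps forwarding until the next fresh election.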

3. VGMP protocol

(1) How VGMP works

If only hot standby plus VRRP were used, the situation shown in the figure would occur. The cause is that the two VRRP backup groups work independently of each other. Is there a way to make the two backup groups work together, so that the device's state is consistent across both backup groups? That is what the VGMP protocol is for.

VGMP (VRRP Group Management Protocol) provides unified management of VRRP backup groups to keep a device's state consistent across all of its backup groups. On each device (FW1 and FW2) VGMP adds all the backup groups (backup group 1 and backup group 2) to one VGMP group that is managed as a unit. As soon as a state change is detected in any backup group (say backup group 1, for example an interface entering the Initialize state), the VGMP group lowers its own priority by 2 and the Active and Standby VGMP groups are renegotiated. The elected Active group then switches the state of all the backup groups (backup group 1 and backup group 2) together, so FW2 becomes the Master device in both backup group 1 and backup group 2.

VGMP working principle:

  • The state of the VGMP group determines the state of the VRRP backup groups, i.e. the device's role (Master or Backup) is no longer elected via VRRP packets but is managed centrally by VGMP;
  • The state of a VGMP group is decided by comparing priorities: the VGMP group with the higher priority becomes Active and the one with the lower priority becomes Standby;
  • By default the VGMP group priority is 45000;
  • VGMP adjusts its priority automatically according to the state of the VRRP backup groups in the group: as soon as a backup group enters the Initialize state, the VGMP group priority is reduced by 2;
  • The VGMP state information is negotiated over the heartbeat link;

How VGMP works is shown in the figure.

Note: once the backup groups are added to a VGMP group, the VRRP state labels change from Master and Backup to Active and Standby.

(2) VGMP packet encapsulation

VGMP negotiates its state information over the heartbeat link by sending VGMP packets. VGMP packets come in the two forms shown in the figure:
in the left-hand diagram, when the heartbeat link is a direct connection or goes through a Layer 2 switch, the packets sent are multicast and carry no UDP header;
in the right-hand diagram, when the heartbeat link goes through a Layer 3 device (a router), multicast packets cannot cross it, so an extra UDP header is added to the encapsulation and the packets sent are unicast;

In practice, choose the encapsulation according to the actual topology. On a Huawei firewall the following commands specify which encapsulation the packets sent from an interface use.

[USG6000V1]hrp int g 1/0/0                         //the eNSP simulator does not support this command
[USG6000V1]hrp int g 1/0/0 remote 1.1.1.1

The hrp command specifies the interface used for the heartbeat link. The form with the remote parameter means that the packets are encapsulated in UDP and sent as unicast; the form without remote sends multicast packets. 1.1.1.1 is the IP address of the peer's heartbeat interface; it must be routable and is only specified when the remote parameter is used.

Note:

  • After joining VGMP, the heartbeat link carries both state backup (session table and Server-map table) and VGMP state negotiation;
  • By default a Huawei firewall permits multicast traffic (VGMP packets without the remote parameter) and blocks unicast traffic (VGMP packets with the remote parameter), so when the remote parameter is configured a security policy between the Local zone and the heartbeat interface's zone is also required;
  • An interface configured with a virtual IP address cannot be used as the heartbeat interface;
  • If a Layer 2 interface is used as the heartbeat interface, it cannot be configured on the Layer 2 interface directly; add the Layer 2 interface to a VLAN and configure the heartbeat interface on the VLAN;
  • In the eNSP simulator the remote parameter must be configured even when the heartbeat interfaces are directly connected, otherwise the configuration fails;

(3) Hot standby backup modes

There are three hot standby backup modes:

  • Automatic backup: in this mode the configuration commands related to hot standby can only be entered on the master device and are synchronised automatically to the backup device, and the master automatically synchronises its state information to the backup device. This is the default mode on Huawei firewalls and is mainly used in hot standby mode;
  • Manual batch backup: in this mode all configuration commands and state information on the master device are synchronised to the backup device only when the batch backup command is issued manually. It is mainly used when the configurations of the master and backup devices are out of sync and need to be synchronised immediately;
  • Quick backup: in this mode configuration commands are not synchronised, only state information. In a load-balancing hot standby environment this mode must be enabled so that state information is updated quickly;

(1) Enable hot standby

[USG6000V1]hrp enable
HRP_S[USG6000V1]                    //after hot standby is enabled the prompt changes

(2) Configure automatic backup mode

HRP_M[USG6000V1]hrp auto-sync 

After hot standby is enabled, commands that can be synchronised are marked with (+B):

HRP_M[USG6000V1]security-policy  (+B)

(3) Configure manual batch backup mode

HRP_M<USG6000V1>hrp sync config                                             //manually synchronise the configuration commands
HRP_M<USG6000V1>hrp sync connection-status                          //manually synchronise the state information
//note: these commands are executed in user view

(4) Configure quick backup mode

HRP_M[USG6000V1]hrp mirror session enable 

(4) Hot standby when connected to routers

When the device upstream or downstream of the hot standby pair is a switch, failover works by detecting the VRRP state of the interface or device. When the upstream or downstream device is a router, VRRP does not work properly (VRRP failover relies on multicast). Huawei firewalls handle this by monitoring the state of their own interfaces and switching the traffic with the help of OSPF, as shown in the figure.
The interface is added directly to the VGMP group. When the interface fails (even when the failure is on the remote device, the physical state of the local interface goes down), VGMP notices the interface state change, lowers the VGMP group priority and the group switches from the Active state to the Standby state, while the group that was previously Standby is promoted to Active. When the VGMP group in Standby state advertises OSPF routes, it automatically raises their cost by 65500, and after OSPF converges the traffic is eventually steered to the device whose group is Active.
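The following is an added example, not code from the original post or from Huawei: a Python model of the VGMP group priority rules from section 3 (1) (base priority 45000, minus 2 per member in Initialize, higher priority becomes Active) combined with the router-facing behaviour from section 3 (4) (the Standby group adds 65500 to the cost of its OSPF routes). It replays the experiment at the end of the post, where shutting down G1/0/2 on FW1 makes FW2 Active. The member names and the base OSPF cost are constructed, and the tie-breaking rule (equal priority keeps the current roles) is an assumption not stated in the post.

```python
"""Added example (not from the original post): VGMP priority accounting,
Active/Standby negotiation and the OSPF cost penalty of the Standby group."""
from dataclasses import dataclass, field

VGMP_BASE_PRIORITY = 45000      # default VGMP group priority
INIT_PENALTY = 2                # subtracted per member in Initialize state
OSPF_STANDBY_COST_ADD = 65500   # added to routes advertised by the Standby group
BASE_OSPF_COST = 10             # constructed cost of the advertised routes


@dataclass
class Member:
    """A VRRP backup group or an interface added directly to the VGMP group."""
    name: str
    state: str = "Up"           # "Up" or "Initialize"


@dataclass
class VgmpGroup:
    device: str
    members: list = field(default_factory=list)
    role: str = "Standby"       # "Active" or "Standby"

    def priority(self) -> int:
        down = sum(1 for m in self.members if m.state == "Initialize")
        return VGMP_BASE_PRIORITY - INIT_PENALTY * down

    def vrrp_state(self) -> str:
        # the VGMP role decides the state of every VRRP group on the device
        return "Master" if self.role == "Active" else "Backup"

    def advertised_ospf_cost(self) -> int:
        return BASE_OSPF_COST + (OSPF_STANDBY_COST_ADD if self.role == "Standby" else 0)


def negotiate(local: VgmpGroup, peer: VgmpGroup) -> tuple:
    """Compare the two group priorities as exchanged over the heartbeat link,
    assign Active/Standby and return (local role, peer role)."""
    if local.priority() != peer.priority():
        active = local if local.priority() > peer.priority() else peer
    else:
        active = local if local.role == "Active" else peer   # tie: keep roles (assumption)
    standby = peer if active is local else local
    active.role, standby.role = "Active", "Standby"
    return local.role, peer.role


def interface_failure_scenario() -> dict:
    """Replay the post's experiment: shutting down G1/0/2 on FW1 costs 2
    priority points, so FW2 becomes Active and FW1 advertises expensive routes."""
    members = ["vrrp vrid 1 on G1/0/2", "vrrp vrid 2 on G1/0/0"]     # constructed names
    fw1 = VgmpGroup("FW1", [Member(n) for n in members], role="Active")
    fw2 = VgmpGroup("FW2", [Member(n) for n in members])
    roles_before = negotiate(fw1, fw2)
    fw1.members[0].state = "Initialize"     # shutdown of G1/0/2 on FW1
    roles_after = negotiate(fw1, fw2)
    return {
        "before": roles_before,
        "after": roles_after,
        "priorities": (fw1.priority(), fw2.priority()),
        "vrrp": (fw1.vrrp_state(), fw2.vrrp_state()),
        "ospf_cost": (fw1.advertised_ospf_cost(), fw2.advertised_ospf_cost()),
    }


if __name__ == "__main__":
    for key, value in interface_failure_scenario().items():
        print(f"{key}: {value}")
```

The priorities 45000 and 44998 returned by the scenario are the same values that appear in the `display hrp state` output at the end of the post after the interface shutdown.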

4. Hot standby configuration on the firewall

Experimental topology: shown in the figure.

Case implementation:

(1) Configure the IP addresses of the firewall interfaces, add them to their zones and set the security policies

[FW1]int g1/0/0
[FW1-GigabitEthernet1/0/0]ip add 10.1.1.101 24
[FW1-GigabitEthernet1/0/0]int g1/0/1
[FW1-GigabitEthernet1/0/1]ip add 172.16.1.1 24
[FW1-GigabitEthernet1/0/1]int g1/0/2
[FW1-GigabitEthernet1/0/2]ip add 192.168.1.101 24
[FW1-GigabitEthernet1/0/2]quit
[FW1]firewall zone untrust 
[FW1-zone-untrust]add int g1/0/0
[FW1-zone-untrust]quit
[FW1]firewall zone dmz
[FW1-zone-dmz]add int g1/0/1
[FW1-zone-dmz]quit
[FW1]firewall zone trust 
[FW1-zone-trust]add int g1/0/2
[FW1-zone-trust]quit
[FW1]security-policy 
[FW1-policy-security]rule name trust_to_untrust
[FW1-policy-security-rule-trust_to_untrust]source-zone trust 
[FW1-policy-security-rule-trust_to_untrust]destination-zone untrust 
[FW1-policy-security-rule-trust_to_untrust]action permit 
//security policy: internal traffic may reach the outside
[FW1-policy-security-rule-trust_to_untrust]quit
[FW1-policy-security]rule name local_to_dmz
[FW1-policy-security-rule-local_to_dmz]source-zone local
[FW1-policy-security-rule-local_to_dmz]destination-zone dmz
[FW1-policy-security-rule-local_to_dmz]action permit 
//security policy: the firewall itself may reach the DMZ zone (for the heartbeat link)
[FW1-policy-security-rule-local_to_dmz]quit
[FW1-policy-security]quit
//the configuration of FW2 is almost identical to FW1 and is not repeated here
//note that the same rules must also be set on FW2

(2) Configure the VRRP backup groups

FW1 is as follows:

[FW1]int g1/0/2
[FW1-GigabitEthernet1/0/2]vrrp vrid 1 virtual-ip 192.168.1.100 active 
[FW1-GigabitEthernet1/0/2]int g1/0/0
[FW1-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.100 active 

FW2 is as follows:

[FW2]int g1/0/2
[FW2-GigabitEthernet1/0/2]vrrp vrid 1 virtual-ip 192.168.1.100 standby 
[FW2-GigabitEthernet1/0/2]int g1/0/0
[FW2-GigabitEthernet1/0/0]vrrp vrid 2 virtual-ip 10.1.1.100 standby 

(3) Configure the heartbeat interfaces

[FW1]hrp int g1/0/1  remote 172.16.1.2
//FW1: specify the heartbeat interface and the IP address of the peer interface
[FW2]hrp int g1/0/1 remote 172.16.1.1
//FW2: same as above; this is why the firewalls need a policy from Local to the DMZ zone

(4) Enable hot standby

[FW1]hrp enable
HRP_S[FW1]
//FW1: the command prompt has changed
[FW2]hrp enable
HRP_S[FW2]
//FW2: same as above

(5) Configure backup

HRP_S[FW1]hrp auto-sync
//configure automatic backup
HRP_S[FW2]hrp auto-sync

(6) Verify the configuration
① View the hot standby state

HRP_M[FW1]display hrp state
 Role: active, peer: standby                            //local state Active, peer Standby
 Running priority: 45000, peer: 45000            //local priority 45000, peer 45000
 Core state: normal, peer: normal
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 9 minutes
 Last state change information: 2019-10-26 6:29:53 HRP core state changed, old_state = abnormal(active), new_state = normal, local_priority = 45000, peer_priority = 45000.

② View the heartbeat interface state

HRP_M[FW1]display hrp interface 
             GigabitEthernet1/0/1 : running

③ Configure the IP address and gateway (the virtual address) on the two PCs, and ping PC2 from PC1 (result shown in the figure)
④ View the firewall session table

HRP_M[FW1]display firewall session table 
 Current Total Sessions : 2
 udp  : public --> public  172.16.1.2:49152 --> 172.16.1.1:18514
 udp  : public --> public  172.16.1.1:49152 --> 172.16.1.2:18514

⑤ While PC1 keeps pinging PC2, simulate an interface failure on FW1

HRP_M[FW1]int g1/0/2(+B)
HRP_M[FW1-GigabitEthernet1/0/2]shutdown

⑥ Check the hot standby state on FW2 (the ping result is shown in the figure)

HRP_M[FW2]display hrp state
 Role: active, peer: standby (should be "standby-active")               //the state has changed
 Running priority: 45000, peer: 44998                                             //FW1's priority dropped by 2
 Core state: abnormal(active), peer: abnormal(standby)
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
 Last state change information: 2019-10-26 6:49:06 HRP core state changed, old_state = normal, new_state = abnormal(active), local_priority = 45000, peer_priority = 44998.
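The following is an added example, not code from the original post or from Huawei: a Python parser and health check for the `display hrp state` output, run over the two outputs shown above (copied from the post with the inline comments removed). It turns the verification step into something a monitoring job could repeat: a priority difference between the peers means a VRRP group or monitored interface has entered Initialize on the lower side (2 points each, as the post explains), an abnormal core state or a role conflict means the pair is degraded, and a short stable time means a recent switchover. The finding codes and the 5-minute threshold are this example's own choices.

```python
"""Added example (not from the original post): parse and assess the output
of `display hrp state` on a Huawei USG firewall."""
import re

# Output captured on FW1 while both units were healthy (from the post).
HRP_STATE_NORMAL = """\
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Core state: normal, peer: normal
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 9 minutes
"""

# Output captured on FW2 after G1/0/2 on FW1 was shut down (from the post).
HRP_STATE_AFTER_FAILOVER = """\
 Role: active, peer: standby
 Running priority: 45000, peer: 44998
 Core state: abnormal(active), peer: abnormal(standby)
 Backup channel usage: 0.00%
 Stable time: 0 days, 0 hours, 1 minutes
"""

PAIR_RE = re.compile(r"^\s*(Role|Running priority|Core state):\s*(.+?),\s*peer:\s*(.+?)\s*$")
STABLE_RE = re.compile(r"Stable time:\s*(\d+) days?,\s*(\d+) hours?,\s*(\d+) minutes?")
VGMP_INIT_PENALTY = 2          # priority lost per member in Initialize (from the post)
MIN_STABLE_MINUTES = 5         # constructed threshold for "recent state change"


def parse_hrp_state(text: str) -> dict:
    """Return {'role': (local, peer), 'running_priority': (int, int),
    'core_state': (local, peer), 'stable_minutes': int}."""
    info = {}
    for line in text.splitlines():
        m = PAIR_RE.match(line)
        if m:
            key = m.group(1).lower().replace(" ", "_")
            local, peer = m.group(2), m.group(3)
            info[key] = (int(local), int(peer)) if key == "running_priority" else (local, peer)
            continue
        m = STABLE_RE.search(line)
        if m:
            days, hours, minutes = (int(x) for x in m.groups())
            info["stable_minutes"] = days * 24 * 60 + hours * 60 + minutes
    return info


def assess_hrp_state(info: dict) -> list:
    """Return a list of finding codes worth alerting on (empty = healthy)."""
    findings = []
    local_pri, peer_pri = info["running_priority"]
    if local_pri != peer_pri:
        # each VRRP group or monitored interface in Initialize costs 2 points
        members_down = abs(local_pri - peer_pri) // VGMP_INIT_PENALTY
        findings.append(f"priority-mismatch:{members_down}")
    if any(state != "normal" for state in info["core_state"]):
        findings.append("core-state-abnormal")
    if set(info["role"]) != {"active", "standby"}:
        findings.append("role-conflict")      # both active or both standby
    if info.get("stable_minutes", 0) < MIN_STABLE_MINUTES:
        findings.append("recent-state-change")
    return findings


if __name__ == "__main__":
    for label, text in (("normal", HRP_STATE_NORMAL), ("after failover", HRP_STATE_AFTER_FAILOVER)):
        print(f"{label}: {assess_hrp_state(parse_hrp_state(text))}")
```

On the healthy output the check returns no findings; on the output captured after the shutdown it reports one member down on the lower-priority peer (44998 = 45000 - 2), an abnormal core state and a state change within the last five minutes.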

Experiment complete!

-------- End of article. Thanks for reading --------


Origin: blog.51cto.com/14157628/2445702