I. working principle of hot standby
Huawei hot standby by deploying two or more firewalls hot standby and load balancing, two mutually cooperating firewall, the firewall if a larger
- Hot Standby Overview
With the development of the Internet, most of the problems in people's lives can be solved by the network, but at the same time, network security issues have been exposed. - Huawei firewall hot standby modes comprising two
1. Hot Standby mode: one time only one firewall to forward packets, other firewall does not forward packets, but synchronized session table and Server-map table.
Load balancing mode 2: the same time, a plurality of firewalls forwarding data, but each other firewalls and as backup firewall devices, i.e., each firewall is a master device is a backup device, the synchronization session between the firewall and Server-map table Table
load equilibrium mode for some traffic (e.g., black circles flow), FW1 is the master device, Fw2 a standby device, so that the flow rate of default by FW1 forward, while for others the flow rate (gray flow), FW2 is a master device, FW1 is spare equipment, so that the flow rate change by default forwarding FW2, FW1 and as a standby device (gray) traffic, FW2 when damaged, can still forwards FW1 (gray) traffic Similarly, FW2 may be forwarded (black) at the time of damage FW1 flow
- VRRP
In dual-art hot standby, even if the elected primary and backup devices, default traffic is also forwarded by the master device, the backup device is in the standby state
1.VRRP (Virtual Router Redundancy Protocol, Virtual Router Redundancy protocol) is maintained by the IETF, single point of failure to solve the gateway routing protocol, the VRRP may be applied to provide redundancy in the router gateway, a firewall can also be used in a hot standby to do
(1)VRRP路由器:运行VRRP协议的路由器
(2)虚拟路由器:由一个主用路由器和若干个备用路由器组成的一个备份组,一个备份组,一个备份组对客户端提供一个虚拟网关
(3)VRID:virtual Router ID ,虚拟路由器标识,用来唯一的标识一个备份组
(4)虚拟IP地址:提供给客户端的网关IP地址,也是分配给虚拟路由器的IP地址,在所有的VRRP中配置,只有主用设备提供该IP地址的ARP响应
(5)虚拟MAC地址:基于VRID生成的用于VRRP的MAC地址,在客户端通过ARP协议解析网关的MAC地址时,主用路由器将提供该MAC地址
(6)IP地址拥有者:若将虚拟路由器的IP地址配置为某个成员物理接口的真实IP地址,那么该成员被称为IP地址拥有者
(7)优先级:用于标识VRRP路由器的优先级,并通过每个VRRP路由器的优先级选举主用设备及备份设备
(8)抢占模式:在抢占模式下,如果备用路由器的优先级高于备份组中的其他路由器(包括当前的主用路由器),则不会立即成为新的主用路由器
(9)非抢占模式:在非抢占模式下,如果备用路由器的优先级高于备份组中的其他路由器(包括当前的主用路由器),则不会立即成为主用路由器,直到下一次公平选举- VRRP works and Cisco's HSRP before the introduction of basically the same, but there are some differences in the details
-
VRRP protocol is public, but HSRP is a Cisco proprietary protocol
-
VRRP virtual router's IP address can be the IP address of a member of the router, but not HSRP
-
VRRP virtual MAC address prefix is 00-00-5e-00-01-VRID, and HSRP virtual MAC address prefix is 00-00-0c-07-AC- group number
-
VRRP state machine has three, and HSRP state machine contains five (initial, learning, listening, speaking, backup, activity)
-
Only one VRRP packets, HSRP has three (hello, coup, resigned)
- VRRP to track the interface does not support, and support for HSRP
- VRRP role of
work in the router in VRRP mode there are two kinds of roles, namely Master router and router Backup
Master router: Under normal circumstances responsible for the ARP response by the Master router and provide packet forwarding, and default notices to other routers every 1s Master router's current status and
Backup router: is the backup router Master router does not provide forward packets under normal circumstances, when the Master router fails, all Backup routers highest priority router will become the new Master router take over the work of forwarding packets to ensure services are not interrupted
2.VRRP state machine
VRRP defines three modes of operation, namely
Initalize state, Master state, Backup status
It works 3.VRRP of
VRRP router election Master and Backup routers process is as follows
First Elected priority device to become Master router, if the router is the same, compare the size of the interface IP address, IP address large (large value) of the device will become Master other routers routers, and backup group will be the backup router
- VGMP
works
VGMP performance of work to do the following principles:
1.VGMP的状态决定了VRRP备份组的状态,即设备的角色(Master和Backup)不再通过VRRP报文选举,而是通过VGMP同意管理
2.VGMP的状态通过比较优先级决定,优先级高的VGMP将成为Active,优先级低的VGMP组成为Standby
3.默认情况下,VGMP组的优先级为45000
4.VGMP根据组内VRRP备份组的状态自动调整优先级,一旦检测到备份组的状态变成Initialize
5.VGMP通过心跳线协商VGMP状态信息VGMP works
- Hot standby backup method
1.自动备份:该模式下,和双机热备相关的配置命令只能在主用路由器设备上配置,并自动同步到备用设备中,主用设备自动将状态信息同步到备用设备中
2.手工批量备份:主用设备上所有的配置命令和状态信息,只有在手工执行批量备份命令时才会同步到备用设备
3.快速备份:不同步配置命令,只同步状态信息Open function Dual Hot Standby
Auto Configure mode backup 
after turning hot standby, when executing the command can be synchronized (+ B) Tips
Configuring fast backup command
Case are as follows: 
1. Configure IP omitted (a router configured default route, the next hop is the virtual IP 10.1.1.100, PC1 IP192.168.1.100 downstream virtual gateway)
IP route-static 0.0.0.0 0.0.0.0 10.1. 1.100
2. Add an interface to configure security zones and security policy (FW1 and FW2 the same configuration)
3. VRRP backup group (FWl and FW2 configuration)
FW2 Configuration
Configuring heartbeat interfaces
5. Enable Hot Standby
6. Configure backup
FW1 configuration is as follows
FW2 configuration is as follows
7. Configuration Check and inspection
See hot standby state information
View Heartbeat interface status
On PC1 ping R1 router 
can ping IP address then ping -t been FW1 of g0 / 1/2 Kou shudown out, you will find ping in the process lost two packages
You can also view safety rules and session table
!!!!!!!!!!!!!!!!!!!!!!!!!