Table of contents
Basic Concepts of Dual-system Hot Standby
Dual-machine hot standby deployment solution
Basic Concepts of Dual-system Hot Standby
When a single firewall (FW) is deployed at the network egress, any fault on it takes down service for the whole network: the FW is a single point of failure.
To improve reliability, two FWs are deployed as a dual-system hot standby pair (exactly two devices, no more and no fewer).
The two FWs must have the same hardware model and the same board types and quantities.
Protocols involved in dual-system hot standby: the heartbeat line, HRP, and VGMP
Dual-machine hot standby deployment solution
Active/standby backup mode (simple route planning)
One device is active and the other is standby. Normally all service traffic is handled by the active device; when it fails, traffic is switched over to the standby device smoothly and service is not interrupted.
Load sharing mode (more complex route planning)
The two devices are active and standby for each other. Normally they share the network's service traffic; when one fails, the other takes over all of it.
Heartbeat line
Basic concept
The two FWs are connected by a dedicated link used to synchronize information; this link is called the heartbeat line.
Five states of the heartbeat line
The first two are normal states; the remaining three are fault states.
Running
Working normally and able to send packets
Ready
Working normally, but this interface is a backup heartbeat channel and is not currently in use
Down
Both the physical state and the protocol state of the heartbeat interface are Down
Invalid
The heartbeat interface has no IP address specified and is working at Layer 2
Negotiation failed
Negotiation between the local end and the peer failed. Possible causes: different software versions on the two devices, a configuration error at one end, the peer's heartbeat interface being Down, a changed HRP source or destination port number, or a failure of the underlying link.
Information carried on the heartbeat line
HRP heartbeat link detection packet
Checks whether the peer's heartbeat interface can receive packets from the local device
(i.e. determines whether a usable heartbeat interface exists)
HRP consistency check packet
Checks whether the key configurations of the two FWs are consistent
HRP Hello packet (heartbeat packet)
Sent every 1 s in both directions to check whether the peer is alive
HRP data packet
Synchronizes configuration commands and state information between the two FWs
VGMP packet
Tells each side whether the VGMP group states of the local and peer devices are stable
Sent every 1 s (used to decide whether a failover is required)
Precautions for the heartbeat interface
1. The management interface (MGMT, G0/0/0) cannot be used as the heartbeat interface.
2. The heartbeat interfaces of the two FWs must be in the same security zone.
3. An interface on which the vrrp virtual-mac enable command is configured cannot be used as the heartbeat interface.
4. The interface type, interface number, and link protocol type of the heartbeat interfaces on the two FWs must be the same.
If an Eth-Trunk interface is used as the heartbeat line, the member interfaces of the Eth-Trunk must also be the same on both FWs.
If a VLAN interface is used as the heartbeat interface, the Layer 2 physical interfaces that actually send and receive the packets must also be the same on both FWs.
5. An interface whose MTU is less than 1500 cannot be used as the heartbeat interface.
Configuration and entry backup packets are up to 1500 bytes long and do not support fragmentation,
so if the MTU of the heartbeat interface is less than 1500, sending these packets fails.
6. If virtual systems are configured on the FW, the heartbeat interface cannot be an interface of a virtual system; it must be an interface of the root system.
The configuration commands and entries of the virtual systems are still backed up to the peer through the root system's heartbeat interface.
7. The heartbeat interface can work at Layer 2 (usually when the firewall itself works at Layer 2) or at Layer 3 (usually when the firewall works at Layer 3).
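The seven precautions above are easy to script as a pre-flight check before enabling hot standby. The following is an added example written for this page, not a Huawei tool: the Iface fields, the check_heartbeat_pair function, and the assumption that the management port is named GigabitEthernet0/0/0 or MGMT are all choices made here for illustration.

```python
"""Pre-flight check of a planned heartbeat interface pair against the seven
precautions in the text. Added example, not Huawei code."""
from dataclasses import dataclass
from typing import List

MIN_HEARTBEAT_MTU = 1500   # backup packets are up to 1500 bytes and are never fragmented


@dataclass
class Iface:
    name: str                        # e.g. "GigabitEthernet1/0/7"
    zone: str                        # security zone the interface belongs to
    link_protocol: str               # e.g. "ethernet"
    mtu: int
    vrrp_virtual_mac: bool = False   # vrrp virtual-mac enable configured on it
    in_root_system: bool = True      # root system, not a virtual system
    members: tuple = ()              # Eth-Trunk members / VLAN L2 ports carrying the traffic


def check_heartbeat_pair(a: Iface, b: Iface) -> List[str]:
    """Return a list of violations for the candidate pair (empty means OK)."""
    problems: List[str] = []
    for fw, i in (("FW1", a), ("FW2", b)):
        # assumption of this example: the management port is G0/0/0 or named MGMT
        if i.name.upper().startswith(("MGMT", "GIGABITETHERNET0/0/0")):
            problems.append(f"{fw}: {i.name} is the management interface")
        if i.vrrp_virtual_mac:
            problems.append(f"{fw}: {i.name} has vrrp virtual-mac enable configured")
        if i.mtu < MIN_HEARTBEAT_MTU:
            problems.append(f"{fw}: {i.name} MTU {i.mtu} is below {MIN_HEARTBEAT_MTU}")
        if not i.in_root_system:
            problems.append(f"{fw}: {i.name} belongs to a virtual system")
    if a.zone != b.zone:
        problems.append(f"security zones differ: {a.zone} vs {b.zone}")
    if a.name != b.name or a.link_protocol != b.link_protocol:
        problems.append("interface type/number or link protocol differs between the FWs")
    if tuple(sorted(a.members)) != tuple(sorted(b.members)):
        problems.append("Eth-Trunk/VLAN member interfaces differ between the FWs")
    return problems


if __name__ == "__main__":
    ok = Iface("GigabitEthernet1/0/7", "hrp", "ethernet", 1500)
    bad = Iface("GigabitEthernet1/0/7", "dmz", "ethernet", 1400)
    print(check_heartbeat_pair(ok, ok))    # []
    print(check_heartbeat_pair(ok, bad))   # MTU and zone violations
```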
VGMP
Basic concept
VGMP (VRRP Group Management Protocol) is a Huawei proprietary protocol. It defines a VGMP group, and the FW manages its active/standby state on the basis of that group.
Each FW has exactly one VGMP group; users can neither delete it nor create additional VGMP groups.
Four VGMP states
Initialize
Initial state
Load-balance
The device's VGMP group priority is equal to the peer's
Active
The device's VGMP group priority is higher than the peer's
A device that receives no VGMP packets from the peer at all is also in this state
Standby
The device's VGMP group priority is lower than the peer's
Priority
Each detected fault (a monitored interface, link, or board going down) lowers the VGMP group priority by 2.
Mid-range and low-end devices (USG6000, NGFW module):
The active device has priority 45000 and the standby device (the one configured with hrp standby-device, see below) has priority 44998.
High-end devices:
VGMP initial priority = 45000 + 1000 × number of subcards on the interface boards + 2 × number of CPUs on the service boards
VGMP group failover
- The FW receives the peer's VGMP packets over the heartbeat line, learns the peer's VGMP group priority, and decides whether to fail over by comparing the local and peer VGMP group priorities.
- When a board, interface, or link on the FW fails, its VGMP group priority drops. If the local VGMP group priority becomes lower than the peer's, the local VGMP group switches to standby and, at the same time, the FW sends a VGMP packet to notify the peer to take over.
- At that point the group that was active becomes standby and the former standby becomes active.
The default preemption delay of the VGMP group is 60 s: after its fault clears, the original device waits this long before taking the active role back.
Working principle
Linkage with VRRP (used when the upstream and downstream devices are Layer 2 switches): VGMP controls the state of all VRRP backup groups on the FW uniformly so that they stay consistent
VRRP is the Virtual Router Redundancy Protocol; see the VRRP write-up for details
Without VGMP:
FW1 and FW2 both working normally, path taken by 1.1.1.1 accessing 2.2.2.2
Outbound path: LSW1→FW1→LSW2
Return path: LSW2→FW1→LSW1
After FW1's downlink interface fails, path taken by 1.1.1.1 accessing 2.2.2.2
Outbound path: LSW1→FW2→LSW2
Return path: LSW2→FW1→FW2→LSW1
The outbound and return paths are now inconsistent. When the return packet passes through FW1, FW1's session table has no matching entry, so the packet is dropped and the service fails.
(HRP could synchronize the session entries, but HRP packets are carried inside VGMP packets, so VGMP is needed anyway.)
Ways to fix the inconsistent round-trip path (that is, the inconsistent states of the backup groups):
1. Use VRRP alone, configuring the VRRP backup groups to track the uplink and downlink interfaces
2. Use VGMP to manage the VRRP backup groups uniformly (all backup groups on FW1 are in the same state, either all Master or all Backup)
Method 1 can fix the inconsistent path, but it cannot synchronize the session table and configuration commands.
Session table and command synchronization require HRP, and HRP is encapsulated in the Data field of VGMP packets,
so using VGMP is the most appropriate way to make up for VRRP's shortcomings.
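The session-table side of this problem can be reproduced with two toy stateful firewalls. The block below is an added illustration written for this page, not Huawei code: the Flow and Firewall classes, the 5-tuple session key, the hrp_session_backup flag that copies each new entry to the peer, and the sample flow are all constructed here. The scenario is the one described above: FW1's downlink fails, the outbound packet goes LSW1→FW2→LSW2, and the return packet still reaches FW1.

```python
"""Round-trip path asymmetry versus a stateful session table.
Added illustration for this page, not Huawei code."""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str

    def reverse(self) -> "Flow":
        return Flow(self.dst, self.dport, self.src, self.sport, self.proto)


@dataclass
class Firewall:
    name: str
    sessions: Set[Flow] = field(default_factory=set)
    peer: Optional["Firewall"] = None
    hrp_session_backup: bool = False   # HRP automatic backup of session entries

    def forward(self, flow: Flow, initial: bool) -> bool:
        """True if the packet is allowed. A session-initiating packet (e.g. a
        TCP SYN) creates an entry; any other packet must match an existing
        entry in either direction, otherwise the stateful check drops it."""
        if flow in self.sessions or flow.reverse() in self.sessions:
            return True
        if not initial:
            return False                      # no entry: dropped
        self.sessions.add(flow)
        if self.hrp_session_backup and self.peer is not None:
            self.peer.sessions.add(flow)      # HRP: back the new entry up to the peer
        return True


def round_trip(hrp_session_backup: bool) -> Dict[str, bool]:
    """Outbound via FW2, return via FW1, with or without HRP session backup."""
    fw1 = Firewall("FW1", hrp_session_backup=hrp_session_backup)
    fw2 = Firewall("FW2", hrp_session_backup=hrp_session_backup)
    fw1.peer, fw2.peer = fw2, fw1
    flow = Flow("1.1.1.1", 40000, "2.2.2.2", 80, "tcp")   # constructed sample flow
    out_ok = fw2.forward(flow, initial=True)               # LSW1 -> FW2 -> LSW2
    back_ok = fw1.forward(flow.reverse(), initial=False)   # LSW2 -> FW1: no entry unless backed up
    return {"outbound": out_ok, "return": back_ok}


if __name__ == "__main__":
    print("no HRP:  ", round_trip(False))   # return packet dropped by FW1
    print("with HRP:", round_trip(True))    # entry present on FW1, return allowed
```

Without the backup the return packet dies on FW1 exactly as the text describes; with the entry copied to the peer, the same asymmetric path is forwarded. VGMP's unified control of the VRRP groups avoids the asymmetry in the first place, and HRP's session backup is what keeps existing connections alive across the switchover.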
Relationship between VGMP group state and VRRP backup group state:
Configuration: vrrp vrid <backup-group-id> virtual-ip <virtual-gateway-address> active|standby
The active/standby keyword is the VGMP state the backup group follows
1. When the VGMP group is active, the VRRP backup group is Master.
2. When the VGMP group is standby, the VRRP backup group is Backup.
3. When the VGMP group is load-balance, the VRRP backup group state is decided by the backup group's own configuration (the active/standby keyword).
Linkage with dynamic routing (used when the upstream and downstream devices are routers): the VGMP group controls the cost of the routes the FW advertises
Relationship between VGMP state and dynamic routing cost:
The device on which hrp standby-device is configured is the standby device, and its VGMP state is Standby
1. When the VGMP group is active, the FW advertises routes normally according to its OSPF/OSPFv3/BGP configuration.
2. When the VGMP group is standby, the FW adjusts the cost of routes advertised by OSPF and OSPFv3 and the MED of routes advertised by BGP as follows, so that neighbouring routers prefer the active FW:
The cost of routes advertised by OSPF is set to 65500
The cost of routes advertised by OSPFv3 is set to 65500
The MED of routes advertised by BGP is set to the user-configured MED + 100
3. When the VGMP group is load-balance, the FW by default advertises routes normally according to its OSPF/OSPFv3/BGP configuration.
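The priority rules, the state comparison, the VRRP linkage and the routing-cost linkage above fit together into one small model. The following block is an added example written for this page, not Huawei code: the numbers are the ones the text gives (base priority 45000, minus 2 per detected fault, 44998 for the device configured with hrp standby-device, OSPF/OSPFv3 standby cost 65500, BGP standby MED = configured MED + 100), while the class and function names and the modelling of hrp standby-device as a fixed -2 are assumptions made here.

```python
"""VGMP group priority, state, and the VRRP / routing behaviour that follows.
Added example for this page, not Huawei code."""
from dataclasses import dataclass
from typing import Dict, Optional

BASE_PRIORITY = 45000
FAULT_PENALTY = 2              # each monitored interface/link/board fault
STANDBY_DEVICE_PENALTY = 2     # assumed effect of hrp standby-device (45000 -> 44998)
OSPF_STANDBY_COST = 65500      # also used for OSPFv3
BGP_STANDBY_MED_OFFSET = 100


def initial_priority(high_end: bool = False, subcards: int = 0, cpus: int = 0) -> int:
    """Mid/low-end devices start at 45000; high-end devices use
    45000 + 1000 * interface-board subcards + 2 * service-board CPUs."""
    if not high_end:
        return BASE_PRIORITY
    return BASE_PRIORITY + 1000 * subcards + 2 * cpus


@dataclass
class VgmpGroup:
    name: str
    priority: int                 # initial priority
    standby_device: bool = False  # hrp standby-device configured on this FW
    faults: int = 0               # monitored faults currently present

    def effective_priority(self) -> int:
        p = self.priority - FAULT_PENALTY * self.faults
        return p - STANDBY_DEVICE_PENALTY if self.standby_device else p


def vgmp_state(local: VgmpGroup, peer_priority: Optional[int]) -> str:
    """State from comparing the local priority with the peer's, which is learned
    from the peer's VGMP Hello over the heartbeat line. None means no VGMP
    packets were received from the peer at all."""
    if peer_priority is None:
        return "active"
    mine = local.effective_priority()
    if mine > peer_priority:
        return "active"
    if mine < peer_priority:
        return "standby"
    return "load-balance"


def vrrp_state(vgmp: str, configured: str) -> str:
    """VRRP backup-group state follows the VGMP group; `configured` is the
    active|standby keyword from `vrrp vrid ... virtual-ip ... active|standby`."""
    if vgmp == "active":
        return "Master"
    if vgmp == "standby":
        return "Backup"
    return "Master" if configured == "active" else "Backup"   # load-balance


def advertised_cost(vgmp: str, protocol: str, configured: int) -> int:
    """Cost (OSPF/OSPFv3) or MED (BGP) the FW advertises to neighbouring routers."""
    if vgmp != "standby":
        return configured
    if protocol in ("ospf", "ospfv3"):
        return OSPF_STANDBY_COST
    if protocol == "bgp":
        return configured + BGP_STANDBY_MED_OFFSET
    raise ValueError(f"unsupported protocol {protocol!r}")


def simulate_faults(fw1: VgmpGroup, fw2: VgmpGroup, fw1_faults: int) -> Dict[str, str]:
    """VGMP state of both FWs after `fw1_faults` monitored faults on FW1.
    Each side compares its own priority with the one the peer announces.
    With exactly one fault the priorities tie (44998 vs 44998) and the
    comparison rule in the text yields load-balance on both sides."""
    fw1.faults = fw1_faults
    return {
        fw1.name: vgmp_state(fw1, fw2.effective_priority()),
        fw2.name: vgmp_state(fw2, fw1.effective_priority()),
    }


if __name__ == "__main__":
    fw1 = VgmpGroup("FW1", initial_priority())
    fw2 = VgmpGroup("FW2", initial_priority(), standby_device=True)
    for n in (0, 1, 2):
        states = simulate_faults(fw1, fw2, n)
        print(n, "fault(s) on FW1:", states,
              "| FW1 VRRP:", vrrp_state(states["FW1"], "active"),
              "| FW1 OSPF cost:", advertised_cost(states["FW1"], "ospf", 10))
```

Note the tie case: with the values given in the text, a single -2 fault on the active device leaves both sides at 44998, which the stated comparison rule classifies as load-balance rather than a clean switchover. The text does not describe any further tie-breaking, so treat that branch of the model as a consequence of the stated rules rather than as a description of device behaviour.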
VGMP packets
There is only one type of VGMP packet, the VGMP Hello packet, sent every 1 s (in either multicast or unicast form)
Multicast VGMP packets (used with VRRP linkage)
When VGMP is used, the VRRP packet format is modified (the standard VRRP packet is explained in the VRRP write-up):
1. The Type field changes, gaining two values:
Type=1: standard VRRP packet
Type=2: modified (VGMP-extended) VRRP packet
2. The Priority field is removed and a Type2 field is added:
Type2=1: the packet is a heartbeat link detection packet; no VGMP header follows
Type2=5: the packet is an HRP consistency check packet; no VGMP header follows
Type2=2: a VGMP header follows the VRRP header, and the packet is further classified by the vType field of the VGMP header
3. The Virtual Rtr ID field is fixed at 0
4. The IP Address field is removed
VGMP packet format
1. vType: takes effect only when the Type2 field of the VRRP header is 2; it distinguishes
HRP Hello packet
HRP data packet (which further encapsulates an HRP header)
VGMP packet (VGMP Hello packet)
2. vPriority:
The VGMP group priority
Unicast VGMP packets (used with dynamic routing linkage)
HRP
Basic concept
HRP (Huawei Redundancy Protocol) is Huawei's hot standby protocol; its packets are generally carried inside VGMP packets.
It synchronizes the key configuration and the session/state table data of the active firewall to the standby firewall.
HRP data backup methods
Automatic backup
(enabled by default)
With automatic backup enabled, whenever the active device configures a backup-capable command or creates a backup-capable session/state entry, the command or entry is backed up to the standby device immediately.
Notes on backup:
Batch backup
(disabled by default)
Backup is triggered manually by running the batch backup command; the content is the same as for automatic backup. This is the way to bring a newly added or recovered standby device up to date with the active device's current configuration and entries.
Quick backup
(disabled by default)
Does not back up configuration commands; backs up only session/state table entries.
With quick backup enabled, the active device's state table entries are backed up to the standby device as soon as they are created. This matters in load sharing mode, where the return traffic of a session may arrive at the other device before a normally scheduled backup would have delivered the entry.
Notes on backup:
Content HRP can back up
Configuration:
Policies: security policy, NAT policy, bandwidth management, authentication policy, attack defense, blacklist, ASPF, etc.
Objects: address groups and mail address groups, signatures, security profiles (antivirus, intrusion prevention, URL filtering, file filtering, content filtering, application behavior control, mail filtering, etc.)
Network: newly created logical interfaces, security zones, DNS, IPSec, SSL VPN, TSM linkage, etc.
System: administrator configuration, log configuration, etc.
State information that can be backed up:
Session table, ServerMap table, IP monitoring table, fragment cache table, GTP table, blacklist, PAT-mode port mapping table, NO-PAT-mode address mapping table
HRP packets
Packet types
HRP Hello: heartbeat exchange to check whether the peer is alive; sent every 1 s, and the peer is considered failed if nothing is received for 5 s
HRP consistency check: checks whether the key configurations of the two FWs are consistent
HRP heartbeat link detection: checks whether the peer's heartbeat interface is available
HRP data packet: carries the synchronization data
Packet format: a Layer 3 heartbeat interface is taken as the example (with a Layer 2 heartbeat interface the UDP header and the VGMP extension header are omitted)
If a remote address is specified for the heartbeat interface, packets are sent as unicast UDP and must be permitted by a security policy
If no remote address is specified (the heartbeat interfaces are directly connected), packets are sent to the multicast address 224.0.0.18
Management-plane HRP packets: no HRP header is encapsulated; the backup data type is specified directly
HRP Hello packet encapsulation format
HRP heartbeat link detection and HRP consistency check packet encapsulation format
Data-plane HRP packets: an HRP header is encapsulated and the packet carries synchronization data
HRP data packet encapsulation format
The above is for reference only; please correct me if I am wrong.
Related posts on the same blog:
Dual-system hot standby: active/standby with upstream and downstream switches
Dual-system hot standby: active/standby with upstream and downstream routers (load sharing) https://blog.csdn.net/m0_49864110/article/details/125041562
Dual-system hot standby: load sharing with upstream and downstream switches https://blog.csdn.net/m0_49864110/article/details/125041710