Scribd Logo
Upload

Welcome to Scribd!

  • 198 views

    HCSCA112 Dual-System Hot Standby

    Uploaded by

    mangla\
    This document discusses dual-system hot standby, which uses two firewalls to ensure network communication reliability. It provides redundancy by allowing one firewall to take over if the other fails. The document covers the technical principles, basic configuration, use of VRRP and VGMP for multi-zone backup, and HRP for backing up dynamic data between firewalls. Dual-system hot standby ensures uninterrupted network transmission.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd

    HCSCA112 Dual-System Hot Standby

    Uploaded by

    mangla\
    198 views31 pages
    This document discusses dual-system hot standby, which uses two firewalls to ensure network communication reliability. It provides redundancy by allowing one firewall to take over if the other fails. The document covers the technical principles, basic configuration, use of VRRP and VGMP for multi-zone backup, and HRP for backing up dynamic data between firewalls. Dual-system hot standby ensures uninterrupted network transmission.

    Copyright

    © © All Rights Reserved

    Available Formats

    PPTX, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    This document discusses dual-system hot standby, which uses two firewalls to ensure network communication reliability. It provides redundancy by allowing one firewall to take over if the other fails. The document covers the technical principles, basic configuration, use of VRRP and VGMP for multi-zone backup, and HRP for backing up dynamic data between firewalls. Dual-system hot standby ensures uninterrupted network transmission.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    198 views31 pages

    HCSCA112 Dual-System Hot Standby

    Uploaded by

    mangla\
    This document discusses dual-system hot standby, which uses two firewalls to ensure network communication reliability. It provides redundancy by allowing one firewall to take over if the other fails. The document covers the technical principles, basic configuration, use of VRRP and VGMP for multi-zone backup, and HRP for backing up dynamic data between firewalls. Dual-system hot standby ensures uninterrupted network transmission.

    Copyright:

    © All Rights Reserved
    Download as PPTX, PDF, TXT or read online from Scribd
    Download as pptx, pdf, or txt
    You are on page 1of 31

    Dual-System Hot Standby

    Foreword

     With the rapid development of services such as mobile office, online shopping,
    instant messaging, Internet finance, and Internet education, networks carry
    increasing services and therefore become more important. How to ensure
    uninterrupted network transmission is an issue that needs to be solved urgently
    during network development.
     Dual-system hot standby improves reliability. Two firewalls can be deployed at the
    egress of a network to ensure the communication between the intranet and Internet.

    3 Huawei Confidential
    Objectives

    On completion of this course, you will be able to:


     Master the technical principles of dual-system hot standby.
     Master the basic configuration of dual-system hot standby.

    4 Huawei Confidential
    Contents

    1. Technical Principles of Dual-System Hot Standby


    2. Basic Networking and Configuration of Dual-System Hot Standby

    5 Huawei Confidential
    Why Dual-System Hot Standby?
     The following figure shows a traditional networking mode: packets exchanged between intranet
    and Internet users are transmitted through Firewall A. If Firewall A is faulty, intranet hosts that
    use Firewall A as the default gateway cannot communicate with the Internet, affecting
    communication reliability.
    PC 10.100.10.1/24

    Intranet

    Firewall A

    Server

    10.100.10.0/24

    6 Huawei Confidential
    Redundancy Deployment Solution for Routers
     In router networking, Virtual Router Redundancy Protocol (VRRP) is used for router redundancy.

    10.100.10.2
    Master
    Router A

    PC

    10.100.10.3
    Intranet Backup
    10.100.10.0/24

    Router B

    Server
    Backup

    VRRP group Router C


    Virtual IP address
    10.100.10.1 10.100.10.4

    7 Huawei Confidential
    Application of VRRP in Multi-zone Firewall Networking
     To provide dual-system hot standby for multiple zones on firewalls, you must configure multiple
    VRRP groups.

    VRRP group 1
    Virtual IP address
    10.100.10.1
    Trust Master

    10.100.10.0/24 USG A
    Untrust
    Backup

    VRRP group 3
    DMZ Virtual IP address
    USG B 202.38.10.1
    VRRP group 2
    10.100.20.0/24 Virtual IP address
    10.100.20.1

    8 Huawei Confidential
    Defect of VRRP in Firewall Applications
     In traditional VRRP mode, the status of the master firewall cannot be consistent with that of the
    backup firewall.

    (2) Session entries


    PC1
    (1) Master
    (3)

    (4) PC2
    Trust USG A
    (7) (6)
    (5)
    Backup
    Untrust

    Server (9)
    (8) USG B
    Actual cable connection
    Packet path
    DMZ

    9 Huawei Confidential
    Use of VRRP for Firewall Multi-zone Backup
     To ensure the switchover consistency of all VRRP groups, the VRRP Group Management
    Protocol (VGMP) is developed based on VRRP.

    USG A VGMP group


    VRRP
    Trust group 1

    10.100.10.0/24
    Hello ACK Untrust

    DMZ VRRP group 3


    v

    VGMP group
    USG B
    VRRP group
    10.100.20.0/24 2

    11 Huawei Confidential
    Basic Principles of VGMP
     If the VGMP group on a firewall is in the active state, all VRRP groups in the VGMP group are in the active state. The same applies
    with standby.
     The firewall in the VGMP Active state regularly tests the peers' running status, including the priority and VRRP member status, by
    sending Hello packets.
    VGMP Active
    USG A

    Trust VRRP group 1

    10.100.10.0/24 Hello ACK Untrust

    VRRP group 3
    DMZ
    VGMP Standby
    USG B
    VRRP group 2
    10.100.20.0/24
    12 Huawei Confidential
    Management of a VGMP Group
     Status consistency management
     The VGMP group controls the switchover of all VRRP groups.
     Preemption management
     If the faulty active device recovers, so does the priority of the device. In this case, the device can
    become active again through preemption.

    13 Huawei Confidential
    Basic Concepts of HRP
     The Huawei Redundancy Protocol (HRP) backs up dynamic status data and key configuration
    commands between firewalls.

    VRRP group 1
    Trust FWA
    ① Session table


    VRRP group 3 Untrust

    DMZ
    FWB

    VRRP group 2

    14 Huawei Confidential
    HRP Heartbeat Interfaces
     The two firewalls exchange backup data through the heartbeat interfaces over the heartbeat link.
     A heartbeat interface must be an independent interface with an IP address. It can be a physical interface (such as a GE
    interface) or a logical Eth-Trunk interface.

    Physical interface being the


    heartbeat interface

    GE1/0/1 running running GE1/0/1


    FW1 FW2
    1.1.1.1 1.1.1.2

    Eth-Trunk interface being


    the heartbeat interface
    running running
    FW1 FW2
    GE1/0/1 GE1/0/1
    Eth-Trunk1 GE1/0/2 GE1/0/2 Eth-Trunk1 Heartbeat interface
    1.1.1.1 GE1/0/3 GE1/0/3 1.1.1.2
    HRP Data packet

    15 Huawei Confidential
    Status of Heartbeat Interfaces
     HRP heartbeat interfaces have five states:
     Invalid invalid peerdown
    GE1/0/1
    FW_A GE1/0/1 FW_B
    1.1.1.2
     Down peerdown down
    GE1/0/2
    GE1/0/2
    2.2.2.1
     Peerdown running running
    GE1/0/3 GE1/0/3
    3.3.3.1 3.3.3.2
     Ready
    GE1/0/4 ready ready GE1/0/4
     Running 4.4.4.1 4.4.4.2

    Interface
    Heartbeat link
    HRP heartbeat link
    detection packets
    HRP data packets

    16 Huawei Confidential
    Backup Modes of Hot Standby

    Automatic backup

    Manual batch backup Quick session backup

    Automatic sync of FW
    configurations after
    restart

    18 Huawei Confidential
    Contents

    1. Technical Principles of Dual-System Hot Standby


    2. Basic Networking and Configuration of Dual-System Hot Standby

    20 Huawei Confidential
    Basic Networking of Dual-System Hot Standby
     When upstream and downstream service interfaces on firewalls work at Layer 3 and connect to Layer 2 devices,
    configure VRRP groups on the service interfaces, so that the VGMP group can monitor the Layer 3 service interfaces
    through the VRRP groups.
    Master
    VRRP group 1 USG_A
    Virtual IP address G1/0/1 G1/0/3
    1.1.1.1/24 10.2.0.1/24 10.3.0.1/24
    PC2:10.3.0.10/24

    G1/0/6
    Trust 10.10.0.1/24 Untrust

    G1/0/6
    PC1:1.1.1.10/24 10.10.0.2/24

    G1/0/1 VRRP group 2


    G1/0/3
    10.2.0.2/24 Virtual IP address
    10.3.0.2/24
    10.3.0.3/24
    Backup
    USG_B

    21 Huawei Confidential
    Configuring a VRRP Group on the CLI
     Configure VRRP in the interface view:
    vrrp vrid virtual-router-ID virtual-ip virtual-address [ ip-mask | ip-mask-length ] { active | standby }

     After the active or standby parameter is specified, the VRRP group is added to the active or
    standby VGMP group.
     Up to 255 VRRP groups can be configured on each common physical interface (GigabitEthernet
    interface).

    22 Huawei Confidential
    Configuring HRP on the CLI
     Specify a heartbeat interface.
    hrp interface interface-type interface-number [ remote { ip-address | ipv6-address } ]

     Enable HRP.

    hrp enable

     Enable the function of configuring the standby device.

    hrp standby config enable


     Enable the function of automatically backing up commands and status information.

    hrp auto-sync [ config | connection-status]

     Enable quick session backup.


    hrp mirror session enable

    23 Huawei Confidential
    VRRP Configuration Example on the CLI
     Configuration of VRRP group 1 on USG_A:
    [USG_A]interface GigabitEthernet 1/0/1
    [USG_A-GigabitEthernet 1/0/1 ]ip address 10.2.0.1 24
    [USG_A-GigabitEthernet 1/0/1 ]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active

     Configuration of VRRP group 1 on USG_B:


    [USG_B]interface GigabitEthernet 1/0/1
    [USG_B-GigabitEthernet1/0/1 ]ip address 10.2.0.2 24
    [USG_B-GigabitEthernet 1/0/1 ]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby

    24 Huawei Confidential
    HRP Configuration Example on the CLI
     HRP configuration on USG_A:

    [USG_A]hrp enable
    [USG_A]hrp mirror session enable
    [USG_A]hrp interface GigabitEthernet 1/0/6

    25 Huawei Confidential
    Viewing the VRRP Status on the CLI
     View the status of an interface in a VRRP group:
    HRP_A<USG_A>display vrrp interface G1/0/3
    GigabitEthernet1/0/3 | Virtual Router 2
    VRRP Group : Active
    state : Active
    Virtual IP : 10.3.0.3
    Virtual MAC : 0000-5e00-0102
    Primary IP : 10.3.0.1
    PriorityRun : 120
    PriorityConfig:100
    MasterPriority : 120
    Preempt : YES Delay Time : 0
    Advertisement Timer : 1
    Auth Type : NONE
    Check TTL : YES

    26 Huawei Confidential
    Viewing the HRP Status on the CLI
     View the status of the active firewall:
    HRP_A<USG_A>dis hrp state
    The firewall's config state is: ACTIVE

    Current state of virtual routers configured as active:


    GigabitEthernet1/0/1 vrid 1 : active
    GigabitEthernet1/0/3 vrid 2 : active

    27 Huawei Confidential
    Configuring Dual-System Hot Standby on the Web UI
     Choose System > High Availability > Dual-System Hot Standby and click Edit to configure dual-
    system hot standby.

    28 Huawei Confidential
    Configuring the Active Firewall
     On the Dual-System Hot Standby page, click Edit to configure the active firewall USG_A. In the
    Configure Virtual IP Address area, click Add to create a VRRP group.

    29 Huawei Confidential
    Configuring the Standby Firewall
     On the Dual-System Hot Standby page, click Edit to configure the standby firewall USG_B. In the
    Configure Virtual IP Address area, click Add to create a VRRP group.

    30 Huawei Confidential
    Viewing Historical Switchover
     On the Dual-System Hot Standby page, click Details to view active/standby switchover
    information about dual-system hot standby.

    31 Huawei Confidential
    Viewing Hot Standby Status Information
     On the Dual-System Hot Standby page, view the running mode, role, and VRRP group status.

    32 Huawei Confidential
    Quiz
    1. HRP enables the active firewall to synchronize all configurations and information to the standby firewall. Therefore,
    the configurations and information are still available after a firewall restart. As a result, no information needs to be
    configured on the standby firewall.
    A. True

    B. False

    2. Which of the following protocols is used to control the switchover of all VRRP groups in the firewall dual-system hot
    standby networking?
    A. VGMP

    B. VRRP

    C. HRP

    D. OSPF

    33 Huawei Confidential
    Summary

     Technical Principles of Dual-System Hot Standby


     Basic Networking and Configuration of Dual-System Hot Standby

    34 Huawei Confidential
    Thank you. 把数字世界带入每个人、每个家庭、
    每个组织,构建万物互联的智能世界。
    Bring digital to every person, home, and
    organization for a fully connected,
    intelligent world.

    Copyright©2021 Huawei Technologies Co., Ltd.


    All Rights Reserved.

    The information in this document may contain predictive


    statements including, without limitation, statements regarding
    the future financial and operating results, future product
    portfolio, new technology, etc. There are a number of factors that
    could cause actual results and developments to differ materially
    from those expressed or implied in the predictive statements.
    Therefore, such information is provided for reference purpose
    only and constitutes neither an offer nor an acceptance. Huawei
    may change the information at any time without notice.

    You might also like