Differences between firewall hot standby and router dual-link backup


The packet forwarding mechanisms are different. A router forwards service packets packet by packet: for each packet, the device looks up the routing table and the interface-based ACL, and forwards the packet only if a corresponding match is found. Because each packet is processed independently, subsequent packets continue to be forwarded after a link switchover. As a stateful firewall, the USG checks only first packets. If the first packet is permitted, the USG creates a quintuple session entry for the connection, and subsequent packets (including return packets) that match this session entry are permitted. If a link switchover occurs, subsequent packets cannot find the correct session entry, resulting in service interruption. When NAT is configured on a router, similar problems may occur, because a new entry is created after NAT.
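The following is an added example, not part of the original article and not Huawei code: a small Python model of the two forwarding mechanisms described above, showing why a switchover to a device without the session entry interrupts an established flow while a per-packet router keeps forwarding. The class names, the sample ACL, the addresses and the `backup_sessions_to` helper are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    syn: bool = False  # True only for the first packet of a TCP flow

    def key(self):  # quintuple used as the session-table key
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def reply_key(self):  # same flow, seen in the return direction
        return (self.dst, self.dport, self.src, self.sport, self.proto)

def acl_permits(pkt):
    # Constructed policy: hosts in 10.0.0.0/8 may open TCP/443 outbound.
    return pkt.src.startswith("10.") and pkt.proto == "tcp" and pkt.dport == 443

class Router:
    """Stateless: every packet is matched against the ACL on its own."""
    def forward(self, pkt):
        return acl_permits(pkt)

class StatefulFirewall:
    """Policy is checked on first packets only; the rest need a session."""
    def __init__(self):
        self.sessions = set()

    def forward(self, pkt):
        if pkt.key() in self.sessions:        # fast path: existing session
            return True
        if pkt.syn and acl_permits(pkt):      # first packet: create session
            self.sessions.update({pkt.key(), pkt.reply_key()})
            return True
        return False                          # mid-flow packet, no session

    def backup_sessions_to(self, peer):       # models session backup to a peer
        peer.sessions |= self.sessions

def run_switchover(dev_a, dev_b, sync=False):
    """Open a flow on dev_a, move the path to dev_b, return (before, after)."""
    syn = Packet("10.1.1.5", 40000, "203.0.113.10", 443, syn=True)
    data = Packet("10.1.1.5", 40000, "203.0.113.10", 443)
    before = dev_a.forward(syn) and dev_a.forward(data)
    if sync:
        dev_a.backup_sessions_to(dev_b)
    return before, dev_b.forward(data)
```

Calling `run_switchover` with two `Router` objects, two `StatefulFirewall` objects, and two `StatefulFirewall` objects with `sync=True` shows the three cases: the router keeps forwarding, the unsynchronized firewall drops the mid-flow packet, and the firewall that received the session table continues the flow.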

Other related questions:
Configuration of dual-link uplink backup
AR routers have two uplinks. If both links use the PPPoE dial-up method, the route backup method can be used to back up the two links. For example, the AR router has two dial-up interfaces, Dialer 1 and Dialer 2, and the active link and backup link can be determined by configuring the priority of static routes.

On field networks, when the PPPoE dial-up or authentication fails, or the IP address cannot be obtained, the router may need to automatically switch over to the backup route. However, the backup route takes over from the active route only when the state of the Dialer1 interface changes to Down. In addition, a Dialer interface is a virtual logical interface whose state is Spoofing Up. Therefore, the state of the Dialer1 interface cannot change to Down even if the PPPoE dial-up fails. The following configuration scheme resolves this problem:

[Huawei] acl 3000 //Create the ACL for NAT.
[Huawei-acl-adv-3000] rule permit ip //Permit all users in general. Access can also be limited based on actual requirements.
[Huawei-acl-adv-3000] quit
[Huawei] interface dialer 1 //Create the virtual dial-up interface.
[Huawei-Dialer1] link-protocol ppp
[Huawei-Dialer1] ppp chap user 123456 //Username authenticated by CHAP
[Huawei-Dialer1] ppp chap password cipher huawei@123 //Password authenticated by CHAP
[Huawei-Dialer1] ppp pap local-user 123456 password cipher huawei@123 //Username and password authenticated by PAP
[Huawei-Dialer1] ip address ppp-negotiate //Obtain the IP address by PPP negotiation.
[Huawei-Dialer1] dialer user user1
[Huawei-Dialer1] dialer bundle 1 //Set the number of the Dialer bundle to 1.
[Huawei-Dialer1] dialer number 1 autodial //This command is added to ensure that the state of the Dialer interface changes to Down when the PPPoE dial-up fails.
[Huawei-Dialer1] dialer-group 1
[Huawei-Dialer1] nat outbound 3000 //ACL used for NAT translation
[Huawei-Dialer1] quit
[Huawei] dialer-rule
[Huawei-dialer-rule] dialer-rule 1 ip permit
[Huawei-dialer-rule] quit
[Huawei] interface gigabitethernet 0/0/0 //Enter the view of the interface connecting to the operator.
[Huawei-GigabitEthernet0/0/0] pppoe-client dial-bundle-number 1 //Enable the PPPoE client function and bind the PPPoE client to the created Dialer interface.
[Huawei-GigabitEthernet0/0/0] quit
[Huawei] ip route-static 0.0.0.0 0.0.0.0 dialer 1 preference 60 //Create the default route that points to the Dialer1 interface. When the active link is normal, the route to external networks through the Dialer1 interface is used with higher priority.
[Huawei] ip route-static 0.0.0.0 0.0.0.0 dialer 2 preference 100 //When the active link is abnormal and the dial-up fails, traffic automatically switches over to the backup link, which connects to external networks through the Dialer2 interface.

Method used to configure the interworking between hot standby devices and IP-Link on USG firewalls
When a USG firewall works in hot standby mode, IP-Link automatically detects a link failure that affects services of the active and standby firewalls. If the VGMP management group is configured to monitor IP-Link, the USG firewall can adjust the priority of the VGMP management group to trigger the active/standby USG firewall switchover, thereby ensuring service continuity. After the VGMP management group is configured to monitor IP-Link, IP-Link can detect the status of an interface or link that is not directly connected to the USG firewall.

Key configurations for the interworking between the hot standby devices and IP-Link on USG firewalls are as follows:

# Add interfaces GigabitEthernet 0/0/2 and GigabitEthernet 0/0/1 to the same Link-group management group.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] link-group 1
[USG_A-GigabitEthernet0/0/2] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] link-group 1
[USG_A-GigabitEthernet0/0/1] quit

If the USG firewalls work in hot standby mode on the OSPF network, run the following command:
[USG] hrp ospf-cost adjust-enable

# In the interface view, configure the Master and Slave management groups to monitor the status of the interfaces.
[USG_A] interface GigabitEthernet 0/0/2
[USG_A-GigabitEthernet0/0/2] hrp track master
[USG_A-GigabitEthernet0/0/2] quit
[USG_A] interface GigabitEthernet 0/0/1
[USG_A-GigabitEthernet0/0/1] hrp track master
[USG_A-GigabitEthernet0/0/1] quit

# Configure IP-Link to monitor the outbound interface.
[USG_A] ip-link check enable
[USG_A] ip-link 1 destination interface GigabitEthernet 0/0/1

# Configure the interworking between the hot standby firewalls and IP-Link, and set the VGMP management group to monitor IP-Link. When the outbound interface is faulty, IP-Link state is changed to Down, and the priority of the VGMP management group is degraded to 2.
[USG_A] hrp track ip-link 1 master

# Configure the HRP backup channel.
[USG_A] hrp interface GigabitEthernet 0/0/3

# Configure the fast session backup.
[USG_A] hrp mirror session enable

# Enable the HRP.
[USG_A] hrp enable

Note: The hot standby mode involves two devices. The key configuration describes IP-Link configuration only on the master device. For details about the configurations on the slave device and USG6000, see Configuring the Interworking Between Hot Standby Devices and IP-Link on USG Firewalls.

What is hot-standby backup of WLAN devices
In hot-standby backup mode, one AC acts as the master AC and the other acts as the backup AC. The master AC forwards services and the backup AC monitors data forwarding. The master AC also periodically sends status information and information that needs to be backed up to the backup AC. If the master AC becomes faulty, the backup AC takes over services.

On a WLAN, an AC can manage several hundreds of APs. If an AC is faulty, services on all APs associated with the AC are interrupted. Therefore, AC reliability is vital to network availability.

Two hot-standby backup modes are available: HSB+VRRP and HSB+dual-link backup. HSB+VRRP and HSB+dual-link backup can improve network availability. HSB supports batch backup and real-time backup between two access devices. Before link switching, the standby AC synchronizes information from the active AC. When the active AC fails, service traffic is immediately switched to the standby AC without interrupting services. This improves connection reliability. Dual-link backup or VRRP can rapidly detect whether the active AC is faulty so that the standby AC can change to active state quickly. This function ensures user service continuity.

Pay attention to the following points when deploying hot-standby backup on ACs:
- Hot-standby backup supports only backup between two ACs, and the models and software versions of the ACs must be the same.
- WLAN service configurations (for example, WMM profile, radio profile, radio, traffic profile, security profile, and WLAN ID) of the AP connected to the active and standby ACs must be consistent on the two ACs; otherwise, the AP cannot work properly after an active/standby AC switchover.

Do WLAN devices support hot-standby backup
ACs support hot-standby backup. Two hot-standby backup modes are available: HSB+VRRP and HSB+dual-link backup. HSB+VRRP backup implements traffic switching through VRRP, while HSB+dual-link backup implements traffic switching through dual links. Hot-standby backup achieves service backup of two ACs. HSB+VRRP applies only to the active/standby mode, whereas HSB+dual-link backup applies to both the active/standby and load balancing modes.
