[Dr.WoW] [No.47] Hot Standby Overview

Latest reply: Jan 4, 2016 09:07:30

1 Dual Device Deployment Improving Network Availability

The dynamic development of mobile working, online-shopping, instant messaging, Internet finance, online education, and other similar network services has been accompanied by a relentless increase in both the number and the importance of services on networks. Therefore, uninterrupted network transmission has become a challenge in urgent need of resolution.

On the left side of Figure 1-1, a firewall has been deployed at an enterprise network's egress to forward all traffic between the intranet and an external network. If the firewall fails, traffic between the intranet and the external network is cut off completely. Therefore, if only one device is used in such a key network position, we must accept the risk of a network interruption due to a single point of failure, regardless of how reliable the device is.

Therefore, when we design a network architecture, we usually deploy two (dual) or more devices in key network positions to improve network reliability. On the right side of Figure 1-1, we can see that when one firewall fails, traffic will be forwarded through the other firewall.

Figure 1-1 Dual device deployment improving network reliability


2 Only Routing Failover Needs to Be Considered in Dual Router Deployments

If using traditional network devices (such as routers or Layer 3 switches), all that needs to be done to guarantee reliable service is to configure routing failover on two devices. This is because ordinary routers and switches don't record packets' exchange state and application-level information, and simply forward packets according to their routing tables. An example is provided below to illustrate this.

As shown in Figure 1-2, OSPF runs on the two routers (R1 and R2) and on R3 and R4. Under normal circumstances, because an Ethernet interface's default OSPF cost is 1, from R3's perspective the cost of the path through R1 (R3 -> R1 -> R4 -> FTP server) is 3. Because we have configured an OSPF cost of 10 on the interfaces of the R2 link (R3 -> R2 -> R4 -> FTP server), from R3's perspective the cost of the path through R2 is 21. As traffic is only forwarded over the lower-cost path, traffic between the FTP client and the server is forwarded only through R1.

Figure 1-2 Traffic forwarded through the link with the lower routing cost


As OSPF will only choose to add the most optimal routes to the routing table, we can only see the routes with a relatively low cost in R3's routing table (below). Therefore, packets to/from the FTP server (destination address is 1.1.1.0/24) can only be forwarded through R1 (next hop: 10.1.1.2).

[R3] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.0/24  OSPF    10   3           D   10.1.1.2        Ethernet0/0/0
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        Ethernet0/0/0
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/0
       10.1.2.0/24  Direct  0    0           D   10.1.2.1        Ethernet0/0/1
       10.1.2.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/1
       10.1.3.0/24  OSPF    10   2           D   10.1.1.2        Ethernet0/0/0
       10.1.4.0/24  OSPF    10   12          D   10.1.1.2        Ethernet0/0/0
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.1     GigabitEthernet0/0/0
    192.168.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0

As shown in Figure 1-3, when R1 fails, the cost of the path through R1 becomes infinite, while to R3 the cost of the path through R2 is still 21. The network routes then reconverge, and traffic is forwarded to R2. The time required for traffic to switch from R1 to R2 is the routing convergence time; if it is short enough, traffic transmission is not interrupted.

Figure 1-3 Routing failover ensuring uninterrupted services


The routing table on R3 below shows that after R1's Eth0/0/1 interface fails, packets to/from the FTP server (destination address 1.1.1.0/24) can only be forwarded through R2 (next hop: 10.1.2.2).

[R3] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 10

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

        1.1.1.0/24  OSPF    10   21          D   10.1.2.2        Ethernet0/0/1
       10.1.1.0/24  Direct  0    0           D   10.1.1.1        Ethernet0/0/0
       10.1.1.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/0
       10.1.2.0/24  Direct  0    0           D   10.1.2.1        Ethernet0/0/1
       10.1.2.1/32  Direct  0    0           D   127.0.0.1       Ethernet0/0/1
       10.1.4.0/24  OSPF    10   20          D   10.1.2.2        Ethernet0/0/1
      127.0.0.0/8   Direct  0    0           D   127.0.0.1       InLoopBack0
      127.0.0.1/32  Direct  0    0           D   127.0.0.1       InLoopBack0
    192.168.1.0/24  Direct  0    0           D   192.168.1.1     GigabitEthernet0/0/0
    192.168.1.1/32  Direct  0    0           D   127.0.0.1       GigabitEthernet0/0/0
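The two routing tables above can be reproduced by running the OSPF shortest-path computation over the Figure 1-2 topology. The following is an added example, not code from the original post or from Huawei; it assumes the interface costs and prefixes quoted in the text (R3-R1-R4 links at cost 1, the R2 link interfaces at cost 10, the FTP server on 1.1.1.0/24 behind R4) and models the Figure 1-3 failure as the 10.1.3.0/24 link going down on both ends.

```python
import heapq

# Constructed model of the Figure 1-2 topology. An OSPF route's cost is the
# sum of outgoing interface costs along the path, including the final
# interface onto the destination network, so networks are graph nodes too.
# Ethernet interfaces keep the default cost 1; the R2 link interfaces use 10.
INTERFACES = {
    "R3": {"10.1.1.0/24": 1, "10.1.2.0/24": 10, "192.168.1.0/24": 1},
    "R1": {"10.1.1.0/24": 1, "10.1.3.0/24": 1},
    "R2": {"10.1.2.0/24": 10, "10.1.4.0/24": 10},
    "R4": {"10.1.3.0/24": 1, "10.1.4.0/24": 10, "1.1.1.0/24": 1},
}
# Next-hop addresses R3 uses for each neighbour (from the routing tables above).
NEXT_HOP_ADDR = {"R1": "10.1.1.2", "R2": "10.1.2.2"}


def spf(interfaces, root):
    """Dijkstra from `root`; returns {network: (cost, next_hop_address)} for
    every reachable network that is not directly attached to the root."""
    adj = {}
    for router, ifs in interfaces.items():
        for net, cost in ifs.items():
            adj.setdefault(router, []).append((net, cost))  # pay interface cost
            adj.setdefault(net, []).append((router, 0))     # entering a router is free
    dist, first_hop, heap = {root: 0}, {root: None}, [(0, root)]
    while heap:
        d, node = heapq.heappop(heap)
        if d > dist[node]:
            continue
        for nbr, cost in adj.get(node, []):
            if d + cost < dist.get(nbr, float("inf")):
                dist[nbr] = d + cost
                if node == root:                 # nbr is a directly attached network
                    first_hop[nbr] = None
                elif first_hop[node] is None:    # nbr is a router adjacent to root
                    first_hop[nbr] = nbr
                else:                            # inherit the path's first router
                    first_hop[nbr] = first_hop[node]
                heapq.heappush(heap, (dist[nbr], nbr))
    return {net: (dist[net], NEXT_HOP_ADDR[first_hop[net]]) for net in dist
            if net not in interfaces and net not in interfaces[root]}


def link_down(interfaces, net):
    """Topology copy with network `net` removed from every attached router,
    modelling the Figure 1-3 failure of the 10.1.3.0/24 link at R1 Eth0/0/1."""
    return {r: {n: c for n, c in ifs.items() if n != net}
            for r, ifs in interfaces.items()}
```

`spf(INTERFACES, "R3")` yields the OSPF rows of the first table (1.1.1.0/24 at cost 3 via 10.1.1.2); `spf(link_down(INTERFACES, "10.1.3.0/24"), "R3")` yields those of the second (cost 21 via 10.1.2.2, with 10.1.3.0/24 gone).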

3 Session Failover Also Needs to Be Considered in Dual Firewall Deployments

Everything changes when we replace a traditional network device with a stateful inspection firewall. Let's review the content we discussed in "Stateful Inspection and Session Mechanism": stateful inspection firewalls inspect only the first packet of a flow, and establish a session to record packets' stateful information (including the source IP address, source port, destination IP address, destination port, protocol, etc.). Subsequent packets in this data flow must match a session to be forwarded by the firewall.

Below we give an example to illustrate this: two firewalls (FW1 and FW2) are deployed in a network, and OSPF runs on the two firewalls and on R1 and R2. As shown on the left side of Figure 1-4, under normal circumstances the OSPF cost of the link on which FW1 sits is lower, so packets are forwarded through FW1. A session is established on FW1, and all subsequent packets match that session and are forwarded.

The right side of Figure 1-4 shows that when FW1 fails, traffic is directed to FW2 according to the upstream and downstream devices' routing information. However, because FW2 has no session for the flow, FW2 discards the packets and the service is interrupted. The user then has to reinitiate the access request (for example, restart the FTP download) so that FW2 establishes a new session before the service can continue.

Figure 1-4 Session failover also needs to be considered in dual firewall deployment


A session exists on FW1, as shown below:

[FW1] display firewall session table
 Current Total Sessions : 1
  ftp  VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21

No session exists on FW2, as shown below:

[FW2] display firewall session table
 Current Total Sessions : 0

4 Hot Standby Resolving the Problem with Firewall Session Failover

So, how do we achieve session failover so that services continue after an active/standby switchover between the two firewalls? Here, the firewall hot standby function lends a helping hand!

As shown on the left side of Figure 1-5, the core of the firewall hot standby function is that the two firewalls negotiate active/standby states and synchronize important state and configuration information, including the session table and server-map table, through the failover channel (heartbeat link). After hot standby is enabled, one of the two firewalls becomes the primary device and the other the backup device, according to the administrator's configuration. The primary device (FW1) handles traffic and synchronizes important state and configuration information, including session and server-map table entries, to the backup device (FW2) over the heartbeat link. The backup device (FW2) does not handle traffic; it only receives the state and configuration information from the primary device (FW1) over the failover channel.

As shown on the right side of Figure 1-5, when the link on which primary device FW1 resides fails, the two firewalls exchange packets over the failover channel and renegotiate their active/standby states. FW2 becomes the new primary device and handles traffic, while FW1 becomes the backup device and stops handling traffic. At the same time, the upstream and downstream devices redirect service traffic to the new primary device (FW2). Because FW2 already received the primary device's backup information (such as session and configuration information) while it served as the backup device, service packets match a session and are forwarded.

The backup of routing, session and configuration information guarantees that the backup device FW2 will successfully replace the original primary device FW1, thus avoiding service interruption.

Figure 1-5 Hot standby ensuring service continuity


There is a session on FW1, as shown below:

[FW1] display firewall session table
 Current Total Sessions : 1
  ftp  VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21

There is also a session on FW2, as shown below:

[FW2] display firewall session table
 Current Total Sessions : 1
  ftp  VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21

The method introduced above is the active/standby failover method of hot standby. In typical active/standby failover scenarios, the backup device does not handle service traffic, and is in an idle state. If you don't wish for the device you've bought to be idle, or if there is too much traffic for one device to handle, we can use the load sharing method of hot standby.

As shown in Figure 1-6, in a load sharing scenario both firewalls are primary devices, and each establishes sessions and handles service traffic. At the same time, the two firewalls also serve as each other's backup devices and receive each other's backup session and configuration information. As seen on the right side of Figure 1-6, when one of the firewalls fails, the other firewall handles all service traffic. Because the two firewalls' session information is backed up to each other, all subsequent service packets match a session on the remaining firewall and are forwarded, avoiding service interruption.

Figure 1-6 Load sharing method of hot standby


There are FTP and HTTP sessions on FW1, as shown below:

[FW1] display firewall session table
 Current Total Sessions : 2
  ftp  VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21
  http VPN:public --> public 192.168.1.20:2080-->1.1.1.20:80

There are also FTP and HTTP sessions on FW2, as shown below:

[FW2] display firewall session table
 Current Total Sessions : 2
  ftp  VPN:public --> public 192.168.1.10:2050-->1.1.1.10:21
  http VPN:public --> public 192.168.1.20:2080-->1.1.1.20:80
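The three situations described in sections 3 and 4 (a standby firewall with no session, active/standby hot standby with session backup, and load sharing with mutual backup) come down to one rule: a stateful firewall forwards a mid-flow packet only if it finds a matching session. The following is an added example, not Huawei code or code from the original post; it is a constructed model in which a firewall creates a session on the first packet of a flow and, when a hot standby peer is configured, copies that session to the peer. The session keys are the FTP and HTTP 5-tuples shown in the session tables above, and the security policy (permit_all) is a stand-in.

```python
# Constructed model (not Huawei code) of the behaviour in Figures 1-4 to 1-6:
# a stateful firewall creates a session only for the first packet of a flow
# and forwards later packets only if they match a session; with hot standby
# every new session is also copied to the peer over the heartbeat link.
FTP = ("tcp", "192.168.1.10", 2050, "1.1.1.10", 21)    # 5-tuple session keys
HTTP = ("tcp", "192.168.1.20", 2080, "1.1.1.20", 80)   # taken from the page

def permit_all(flow):
    return True                                   # stand-in security policy

class Firewall:
    def __init__(self, name, policy):
        self.name, self.policy = name, policy
        self.sessions = set()      # session table keyed by 5-tuple
        self.peer = None           # hot standby peer, None when standalone
        self.failed = False

    def handle(self, flow, first_packet):
        """Return 'forward' or 'drop' for one packet of `flow`."""
        if self.failed:
            return "drop"
        if flow in self.sessions:                   # matches a session
            return "forward"
        if not first_packet or not self.policy(flow):
            return "drop"                           # mid-flow or denied
        self.sessions.add(flow)                     # first packet: new session
        if self.peer is not None and not self.peer.failed:
            self.peer.sessions.add(flow)            # backup over heartbeat link
        return "forward"

def active_standby(hot_standby):
    """FW1 carries FTP then fails; returns (first, mid-flow verdict, FW2 sessions)."""
    fw1, fw2 = Firewall("FW1", permit_all), Firewall("FW2", permit_all)
    if hot_standby:
        fw1.peer, fw2.peer = fw2, fw1
    before = fw1.handle(FTP, first_packet=True)
    fw1.failed = True                  # upstream/downstream routing now picks FW2
    after = fw2.handle(FTP, first_packet=False)
    return before, after, len(fw2.sessions)

def load_sharing():
    """Both primary (FTP via FW1, HTTP via FW2), mutual backup; then FW1 fails."""
    fw1, fw2 = Firewall("FW1", permit_all), Firewall("FW2", permit_all)
    fw1.peer, fw2.peer = fw2, fw1
    fw1.handle(FTP, first_packet=True)
    fw2.handle(HTTP, first_packet=True)
    fw1.failed = True
    return fw2.handle(FTP, False), fw2.handle(HTTP, False), len(fw2.sessions)
```

Without hot standby, `active_standby(False)` drops the mid-flow FTP packet on FW2 (Figure 1-4); with the peer configured, the same packet matches the backed-up session and is forwarded (Figure 1-5), and in `load_sharing()` FW2 carries both flows after FW1 fails (Figure 1-6).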

5 Summary

To improve network reliability and avoid single points of failure, we need to deploy two network devices at key network nodes. If these devices are routers or switches, we can simply configure routing failover. If these devices are firewalls, we also need to provide failover for stateful information (such as the session table) between the firewalls.

The firewall hot standby function provides a dedicated failover channel used to negotiate active/standby states between two firewalls and to back up state information such as sessions. Hot standby covers active/standby failover and load sharing scenarios. In active/standby failover only the primary device handles traffic while the backup device stays idle; when a failure occurs on the primary device's interface(s), link or the entire device, the backup device becomes the primary device and takes over its services. Load sharing can also be called "complementary active/standby", because both devices handle services simultaneously. When one device fails, the other device immediately takes over its services, guaranteeing that the services originally forwarded through the failed device are not interrupted.

 

 


user_2790689
Created Jan 4, 2016 09:07:30

Thank you for sharing.