[Dr.WoW] [No.50] The Story of VRRP and VGMP-part 3

Latest reply: Jan 12, 2016 00:54:13

7 The Process of State Formation for Active/Standby Failover Hot Standby

The active/standby failover method of hot standby is in widespread use at present. Its configuration and principles are relatively simple, and therefore we'll start with an explanation of the processes through which states are formed in active/standby failover hot standby.

To allow everyone to truly experience how VRRP and VGMP function on firewalls, below we'll first detail the configuration of hot standby through active/standby failover, and then describe the process of hot standby state formation.

NOTE

The hot standby configuration described in this section is based on the Eudemon200E-N/1000E-N firewall series.

As shown in Figure 1-1, to implement the active/standby failover method of hot standby, we need to enable the active VGMP group on FW1 and add all of FW1's VRRP groups to the active VGMP group so that it monitors them. We also enable the standby VGMP group on FW2 and add all of FW2's VRRP groups to the standby VGMP group so that it monitors them.

Figure 1-1 Network diagram of active/standby failover hot standby


The command to achieve this operation is vrrp vrid virtual-router-id virtual-ip virtual-address [ ip-mask | ip-mask-length ] { active | standby }. This command is simple but very useful and can accomplish the following two tasks:

- Add an interface to the VRRP group, and assign a virtual IP address and mask. When the interface's IP address and the VRRP group's virtual IP address are not on the same subnet, a virtual IP address subnet mask must be specified.

- Use the "active | standby" parameter to add the VRRP group to the active or standby VGMP group.

Configuration of active/standby failover hot standby on two firewalls is shown in Table 1-1.

Table 1-1 Configuration of active/standby failover hot standby

Item: Configure VRRP group 1.
  Configuration on FW1:
    interface GigabitEthernet 1/0/1
     ip address 10.1.1.2 255.255.255.0
     vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 active
  Configuration on FW2:
    interface GigabitEthernet 1/0/1
     ip address 10.1.1.3 255.255.255.0
     vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 standby

Item: Configure VRRP group 2.
  Configuration on FW1:
    interface GigabitEthernet 1/0/3
     ip address 1.1.1.2 255.255.255.0
     vrrp vrid 2 virtual-ip 1.1.1.1 255.255.255.0 active
  Configuration on FW2:
    interface GigabitEthernet 1/0/3
     ip address 1.1.1.3 255.255.255.0
     vrrp vrid 2 virtual-ip 1.1.1.1 255.255.255.0 standby

Item: Configure the heartbeat interface.
  Configuration on FW1:
    hrp interface GigabitEthernet 1/0/2
  Configuration on FW2:
    hrp interface GigabitEthernet 1/0/2

Item: Enable hot standby.
  Configuration on FW1:
    hrp enable
  Configuration on FW2:
    hrp enable

The various VGMP packets and the HRP packets are all sent through the heartbeat interface, which can be understood as hot standby's "lifeblood", so several key points here deserve your attention:

- The two devices' heartbeat interfaces must be added to the same security zone.

- The two devices' heartbeat interfaces must have the same interface type and number. For example, if the primary device's heartbeat interface is GigabitEthernet 1/0/2, then the backup device's heartbeat interface must also be GigabitEthernet 1/0/2.

- The suitable heartbeat interface connection method depends on the deployment, as follows.

  - When the two hot standby firewalls are relatively close together, the heartbeat interfaces can be directly connected, or connected via a Layer 2 switch. To configure this, do not add the remote parameter when configuring the heartbeat interfaces. The packets sent by the heartbeat interfaces are then encapsulated into multicast VRRP packets. Multicast packets cannot be transmitted across subnets, and are not controlled by security policies. This is the preferred method.

  - When the distance between the two hot standby firewalls is relatively large and cross-subnet transmission is necessary, the heartbeat interfaces need to be connected through routers. To configure this, add the remote parameter when configuring the heartbeat interfaces, designating the other heartbeat interface's address (for example hrp interface GigabitEthernet 1/0/2 remote 10.1.1.2). After the remote parameter is added, the various packets sent from a heartbeat interface are encapsulated into UDP packets. UDP packets are unicast packets and can be transmitted across subnets as long as a route is available, but they are subject to security policy control. To configure the security policy, permit packets with a destination port of 18514 or 18515 to pass in both directions between the Local zone and the security zone the heartbeat interface is located in.

  - When no dedicated heartbeat interface is available, service interfaces can also be used as the heartbeat interfaces. To configure this, add the remote parameter when configuring the heartbeat interface, designating the other heartbeat interface's (one of the service interfaces) address. To configure the security policy, permit packets with destination ports 18514 and 18515 to pass in both directions between the Local zone and the security zone the heartbeat interface is located in.

By now, I believe everyone should understand how VGMP and HRP packet encapsulation is controlled.
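A check for the heartbeat security-policy requirement described above, as an added Python example that is not part of the Dr.WoW post or of the firewall's own policy engine; the rule and packet field names, the zone name dmz and the default-deny behaviour for unmatched packets are assumptions.

```python
# Constructed model of the two heartbeat encapsulations and the policy check for the UDP case.
# Field names, the "dmz" zone and default-deny are assumptions, not Huawei's policy semantics.
HRP_PORTS = {18514, 18515}   # destination ports the post says must be permitted both ways


def heartbeat_encapsulation(remote_address):
    """No `remote` parameter: multicast VRRP, not subject to security policy.
    With `remote`: unicast UDP that is routed across subnets and IS policy-controlled."""
    return "multicast-vrrp" if remote_address is None else "udp-unicast"


def policy_permits(rules, pkt):
    """First matching rule wins; an unmatched packet is dropped (assumed default-deny)."""
    for r in rules:
        if (r["src_zone"] == pkt["src_zone"] and r["dst_zone"] == pkt["dst_zone"]
                and pkt["proto"] == "udp" and pkt["dst_port"] in r["dst_ports"]):
            return r["action"] == "permit"
    return False


def heartbeat_policy_gaps(rules, hb_zone):
    """List every (src_zone, dst_zone, port) a UDP heartbeat needs that the policy still blocks.
    The post requires both directions between the Local zone and the heartbeat zone."""
    gaps = []
    for src, dst in ((hb_zone, "local"), ("local", hb_zone)):
        for port in sorted(HRP_PORTS):
            pkt = {"src_zone": src, "dst_zone": dst, "proto": "udp", "dst_port": port}
            if not policy_permits(rules, pkt):
                gaps.append((src, dst, port))
    return gaps


# Constructed sample: only the Local -> dmz direction was permitted, so the check reports
# the dmz -> Local direction as still blocked for both HRP ports.
SAMPLE_RULES = [{"src_zone": "local", "dst_zone": "dmz", "dst_ports": HRP_PORTS, "action": "permit"}]
```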

After completing configuration, we run the command display hrp state on FW1, which allows us to see that VRRP groups 1 and 2 have joined the active VGMP group and are in the active state.

HRP_A<FW1> display hrp state

The firewall's config state is: ACTIVE

 

 Current state of virtual routers configured as active:

                    GigabitEthernet1/0/3    vrid   2 : active

                    GigabitEthernet1/0/1    vrid   1 : active

Running the command display hrp state on FW2 shows that VRRP groups 1 and 2 have joined the standby VGMP group, and are in the standby state.

HRP_S<FW2> display hrp state

The firewall's config state is: STANDBY

 

 Current state of virtual routers configured as standby:

                    GigabitEthernet1/0/3    vrid   2 : standby

                    GigabitEthernet1/0/1    vrid   1 : standby

Running the command display hrp group on FW1 shows that the active group's state is active, its priority is 65001, and that the standby group hasn't been enabled.

HRP_A<FW1> display hrp group

 

Active group status:

   Group enabled:         yes

   State:                 active

   Priority running:      65001

   Total VRRP members:    1

   Hello interval(ms):    1000

   Preempt enabled:       yes

   Preempt delay(s):      30

   Peer group available:  1

   Peer's member same:    yes

 Standby group status:

   Group enabled:         no

   State:                 initialize

   Priority running:      65000

   Total VRRP members:    0

   Hello interval(ms):    1000

   Preempt enabled:       yes

   Preempt delay(s):      0

   Peer group available:  0

   Peer's member same:    yes

Running the command display hrp group on FW2 shows that the standby group's state is standby, its priority is 65000, and that the active group hasn't been enabled.

HRP_S<FW2> display hrp group

 

Active group status:

   Group enabled:         no

   State:                 initialize

   Priority running:      65001

   Total VRRP members:    0

   Hello interval(ms):    1000

   Preempt enabled:       yes

   Preempt delay(s):      30

   Peer group available:  1

   Peer's member same:    yes

 Standby group status:

   Group enabled:         yes

   State:                  standby

   Priority running:      65000

   Total VRRP members:    2

   Hello interval(ms):    1000

   Preempt enabled:       yes

   Preempt delay(s):      0

   Peer group available:  1

   Peer's member same:    yes

NOTE

After completing configuration and state switching for the various hot standby networks that we'll discuss below, we can run the above two commands to check VGMP group information and verify whether or not our configuration is correct and whether state switching has occurred.

As shown in Figure 1-2, after configuration, the process of state formation for the active/standby failover method of hot standby is as follows (the numbers in Figure 1-2 correspond to the numbered steps below).

1. After hot standby is enabled, the state of the active VGMP group on FW1 switches from initialize to active, and the state of the standby VGMP group on FW2 switches from initialize to standby.

2. As FW1's VRRP groups have all joined the active VGMP group, and as the active VGMP group's state is active, FW1's VRRP group 1 and VRRP group 2 are both in the active state. Similarly, FW2's VRRP group 1 and VRRP group 2 are both in the standby state.

3. At this time, FW1's VRRP groups 1 and 2 will each send gratuitous ARP packets to the upstream and downstream switches to notify them of their VRRP group virtual MAC address. 00-00-5E-00-01-01 is VRRP group 1's virtual MAC address, and 00-00-5E-00-01-02 is VRRP group 2's virtual MAC address.

4. The upstream and downstream switches' MAC tables will each record an entry mapping the virtual MAC address to port Eth0/0/1. In this way, after upstream and downstream service packets arrive at the switches, the switches will forward the packets to FW1. Therefore, FW1 becomes the primary device, and FW2 becomes the backup device.

5. At the same time, FW1's active VGMP group will also send HRP heartbeat packets to FW2's standby VGMP group at fixed intervals through the heartbeat cable.

Figure 1-2 Process of state formation in active/standby failover hot standby


8 State Switching Process Following a Primary Device Interface Failure

Once two firewalls are in their active/standby failover states, if the primary device's interface fails, the two firewalls will change their active/standby state as follows:

1. As shown in Figure 1-3, after the primary device's interface GE1/0/1 fails, FW1's VRRP group 1's state changes to initialize.

2. FW1's active group will perceive this change, lower its own priority by 2 (if one interface fails, the priority is lowered by two), and switch its own state to 'active to standby' (abbreviated in the figure as A To S). Active to standby is a temporary, intermediate state, invisible to the user.

3. FW1's active VGMP group will send a VGMP request packet to its peer group, requesting that its state be changed to standby. VGMP request packets are a kind of VGMP packet, and this packet carries the sending VGMP group's adjusted priority of 64999.

Figure 1-3 Primary device link or interface failure and request for state switching


4. As shown in Figure 1-4, after FW2's standby VGMP group receives the VGMP request from the active VGMP group on FW1, it will compare its VGMP priority with that of its peer VGMP group (FW1's active VGMP group). After comparison, it discovers that its own priority of 65000 is higher than its peer's 64999, and therefore FW2's standby group will switch its state to active.

5. FW2's standby VGMP group will return a VGMP reply packet to its peer group (FW1's active VGMP group), permitting this peer to switch states.

6. Simultaneously, FW2's standby VGMP group will mandate that its VRRP groups 1 and 2 switch their states to active.

7. FW2's VRRP groups 1 and 2 will send gratuitous ARP packets to the downstream and upstream switches respectively to update their MAC address tables.

Figure 1-4 Backup device state switching


8. As shown in Figure 1-5, after FW1's active VGMP group receives its peer group's VGMP acknowledgement packet, it switches its own state to standby.

9. FW1's active VGMP group will mandate that its VRRP groups switch their states to standby. Due to the interface failure within VRRP group 1, VRRP group 1 remains in the initialize state, and only VRRP group 2's state will switch to standby.

10. At the same time, after the upstream and downstream switches receive FW2's gratuitous ARP packets, they will update their MAC table entries, recording the mapping between the virtual MAC address and port Eth0/0/2. Therefore, after upstream and downstream service traffic reaches these switches, the switches will forward traffic to FW2. At this point the two firewalls' active/standby state switching is complete; FW2 has become the new primary device, and FW1 has become the new backup device.

11. After the completion of active/standby state switching, FW2 (the new primary device) will send heartbeat packets to FW1 (the new backup device) at fixed intervals.

Figure 1-5 Completion of active/standby state switching


9 State Switching Process After a Failure of the Entire Primary Device

If there is a total failure of the primary device, the primary device's VGMP group will no longer send HRP heartbeat packets. At such a time, if the backup device's VGMP group has not received an HRP heartbeat packet from the primary device for three consecutive intervals, it will deem this to mean there has been a failure in the other VGMP group, and will switch its own state to the active state.

10 Process of State Switching After a Failure on the Original Primary Device is Fixed (Preemption)

After a failure on the original primary device is fixed, one of two things happens. If the preemption function has not been configured, the original primary device remains in the backup state; if the preemption function has been configured, the original primary device will initiate a 'coup' to again become the primary device, as follows:

1. In Figure 1-6, after interface GE1/0/1 of the original primary device recovers from failure, the state of VRRP group 1 switches from initialize to standby.

2. After FW1's active VGMP group perceives this change, it raises its own priority by 2 (if a failure on one interface is fixed, priority increases by 2) to 65001. FW1's active VGMP group will compare its VGMP priority with that of its peer group, obtained from an HRP heartbeat packet sent by the peer. The comparison finds that FW1's active VGMP group's priority of 65001 is higher than the peer group's 65000. At this point, if the preemption function has been configured, the preemption hold-down timer will be started. After the timer expires, FW1's active VGMP group will switch its state from standby to 'standby to active' (abbreviated in the figure as S to A), which is a temporary intermediate state that is invisible to the user.

3. FW1's active VGMP group will send a VGMP request to its peer group, requesting that its state be switched to active. The VGMP request is a kind of VGMP packet that carries this VGMP group's (FW1's active group) adjusted priority of 65001.

Figure 1-6 Request for state switching once the original primary device recovers from failure


4. As shown in Figure 1-7, after FW2's standby group receives FW1's active group's VGMP request packet, it will compare its VGMP priority with that of this peer group. Through this comparison it will discover that its priority of 65000 is lower than its peer's 65001, and therefore FW2's standby group will switch its own state from active to standby.

5. FW2's standby group will return a VGMP response packet to its peer group, permitting this peer group to switch its state to active.

6. At the same time, FW2's standby group will mandate that its VRRP groups 1 and 2 switch their states to standby.

Figure 1-7 State switching of current primary device


7. As shown in Figure 1-8, after FW1's active VGMP group receives the peer group's VGMP acknowledgement packet, it will switch its own state to active.

8. FW1's active VGMP group will mandate that its VRRP groups 1 and 2 also switch their states to active.

9. FW1's VRRP groups 1 and 2 will send gratuitous ARP packets to the downstream and upstream switches respectively to update their MAC address tables, recording the mapping between the virtual MAC address and port Eth0/0/1. In this way, after upstream and downstream service packets arrive at the switches, the switches will forward the packets to FW1. At this point, active/standby state switching for the two firewalls is complete. FW1 has again snatched the position of primary device through preemption, while FW2 has again become the backup device.

10. After the completion of active/standby state switching, the primary device (FW1) will send heartbeat packets to the backup device (FW2) at fixed intervals.
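The priority arithmetic, VGMP request/reply comparison, preemption hold-down and heartbeat timeout of sections 8 to 10, as an added Python model that is not part of the Dr.WoW post or of any Huawei code; the class and function names, the strict greater-than comparison, and the choice that equal priorities grant no switch (a case the post does not describe) are assumptions.

```python
from dataclasses import dataclass, field

BASE_ACTIVE, BASE_STANDBY = 65001, 65000  # running priorities shown by "display hrp group"
IFACE_PENALTY = 2             # one failed monitored interface lowers VGMP priority by 2
HEARTBEAT_MISS_LIMIT = 3      # missed HRP heartbeats before the peer is deemed failed

@dataclass
class VgmpGroup:                              # hypothetical model class, not a Huawei API
    priority: int
    vrrp: dict                                # vrid -> VRRP group state
    state: str = "initialize"                 # initialize | active | standby
    failed: set = field(default_factory=set)  # vrids whose monitored interface is down
    missed: int = 0                           # consecutive missed HRP heartbeats

    def set_state(self, state):
        self.state = state
        for vrid in self.vrrp:                # a VRRP group with a failed interface stays initialize
            self.vrrp[vrid] = "initialize" if vrid in self.failed else state

    def interface_event(self, vrid, up):      # sections 8 and 10, steps 1-2
        (self.failed.discard if up else self.failed.add)(vrid)
        self.vrrp[vrid] = "standby" if up else "initialize"
        self.priority += IFACE_PENALTY if up else -IFACE_PENALTY

def vgmp_request(requester, peer, wanted):
    """VGMP request/reply: the group that ends up active must hold the strictly higher priority."""
    to_active, to_standby = (requester, peer) if wanted == "active" else (peer, requester)
    if to_active.priority <= to_standby.priority:
        return False                          # assumption: the peer does not grant the switch
    to_active.set_state("active")
    to_standby.set_state("standby")
    return True

def preempt(requester, peer, preempt_enabled, timer_expired):
    """Section 10: a higher-priority group preempts only once the hold-down timer has expired."""
    if not preempt_enabled or requester.priority <= peer.priority or not timer_expired:
        return False
    return vgmp_request(requester, peer, "active")

def heartbeat_missed(group):   # section 9: after HEARTBEAT_MISS_LIMIT misses the backup takes over
    group.missed += 1
    if group.missed >= HEARTBEAT_MISS_LIMIT:
        group.set_state("active")
    return group.state

def run_scenario():  # sections 7, 8 and 10 in order: formation, GE1/0/1 failure, recovery, preemption
    fw1 = VgmpGroup(BASE_ACTIVE, {1: "initialize", 2: "initialize"})
    fw2 = VgmpGroup(BASE_STANDBY, {1: "initialize", 2: "initialize"})
    fw1.set_state("active"); fw2.set_state("standby")          # section 7: hrp enable
    fw1.interface_event(1, up=False)                            # section 8: GE1/0/1 fails
    failover = (vgmp_request(fw1, fw2, "standby"), fw1.priority, dict(fw1.vrrp), fw2.state)
    fw1.interface_event(1, up=True)                             # section 10: GE1/0/1 recovers
    final = (preempt(fw1, fw2, preempt_enabled=True, timer_expired=True), fw1.state, fw2.state)
    return {"failover": failover, "final": final}
```

The failover tuple reproduces step 9 of section 8: FW1 drops to 64999 and its VRRP group 1 stays in initialize while group 2 goes to standby.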

Figure 1-8 The original primary device preempting to become primary again


user_2790689
Created Jan 12, 2016 00:54:13

Thank you.