[Dr.WoW] [No.51] The Story of VRRP and VGMP-part 4

Latest reply: Jan 13, 2016 09:38:55

11 Process of State Formation in Load Sharing Hot Standby

Above, we described state formation and the switching process for the active/standby failover method of hot standby. Below we'll take a look at how states are formed in the load sharing method.

As shown in Figure 1-1, to achieve the load sharing method of hot standby we enable both an active VGMP group and a standby VGMP group on each of FW1 and FW2. FW1's active VGMP group negotiates with FW2's standby VGMP group to form one "active/standby" pair, and FW2's active VGMP group negotiates with FW1's standby VGMP group to form another. In this way the two firewalls are in complementary active/standby states, which is what a load sharing state actually is.

Figure 1-1 Load sharing hot standby network diagram


Configuration of the load sharing method of hot standby is shown in Table 1-1.

Table 1-1 Configuration of load sharing hot standby

Item: Configure two VRRP groups on interface GE1/0/1, and add one to the active VGMP group and the other to the standby VGMP group.

Configuration on FW1:

interface GigabitEthernet 1/0/1
 ip address 10.1.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 active
 vrrp vrid 2 virtual-ip 10.1.1.2 255.255.255.0 standby

Configuration on FW2:

interface GigabitEthernet 1/0/1
 ip address 10.1.1.4 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 standby
 vrrp vrid 2 virtual-ip 10.1.1.2 255.255.255.0 active

Item: Configure two VRRP groups on interface GE1/0/3, and add one to the active VGMP group and the other to the standby VGMP group.

Configuration on FW1:

interface GigabitEthernet 1/0/3
 ip address 1.1.1.3 255.255.255.0
 vrrp vrid 3 virtual-ip 1.1.1.1 255.255.255.0 active
 vrrp vrid 4 virtual-ip 1.1.1.2 255.255.255.0 standby

Configuration on FW2:

interface GigabitEthernet 1/0/3
 ip address 1.1.1.4 255.255.255.0
 vrrp vrid 3 virtual-ip 1.1.1.1 255.255.255.0 standby
 vrrp vrid 4 virtual-ip 1.1.1.2 255.255.255.0 active

Item: Configure the heartbeat interface.

Configuration on FW1:

hrp interface GigabitEthernet 1/0/2

Configuration on FW2:

hrp interface GigabitEthernet 1/0/2

Item: Enable hot standby.

Configuration on FW1:

hrp enable

Configuration on FW2:

hrp enable

From Table 1-1 above we can see that:

1.         In load sharing scenarios, each service interface needs to be added into two VRRP groups, and one of these two VRRP groups needs to be added to the active VGMP group and the other needs to be added to the standby VGMP group. For example, the GE1/0/1 interface is added to groups 1 and 2, and groups 1 and 2 are added to the active VGMP group and the standby VGMP group respectively.

2.         For every pair of the two firewalls' identically numbered VRRP groups, one group must be added to the active VGMP group and the other to the standby VGMP group. For example, FW1's VRRP group 1 is added to the active VGMP group, and FW2's VRRP group 1 is added to the standby VGMP group.
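As an added example that is not part of the original post, the following Python script parses the two interface configurations from Table 1-1 and checks the two rules just stated: every service interface must carry exactly one active and one standby VRRP group, and each VRID must be active on one firewall and standby on the other with the same virtual IP. The configuration text is embedded as constructed sample input in the exact form shown in the table; the line format accepted by the regular expression is an assumption taken from that table, not a general parser for USG configuration files.

```python
import re
from collections import defaultdict

# Constructed sample input: the FW1 and FW2 configuration lines from Table 1-1.
FW1_CONFIG = """\
interface GigabitEthernet 1/0/1
 ip address 10.1.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 active
 vrrp vrid 2 virtual-ip 10.1.1.2 255.255.255.0 standby
interface GigabitEthernet 1/0/3
 ip address 1.1.1.3 255.255.255.0
 vrrp vrid 3 virtual-ip 1.1.1.1 255.255.255.0 active
 vrrp vrid 4 virtual-ip 1.1.1.2 255.255.255.0 standby
hrp interface GigabitEthernet 1/0/2
hrp enable
"""

FW2_CONFIG = """\
interface GigabitEthernet 1/0/1
 ip address 10.1.1.4 255.255.255.0
 vrrp vrid 1 virtual-ip 10.1.1.1 255.255.255.0 standby
 vrrp vrid 2 virtual-ip 10.1.1.2 255.255.255.0 active
interface GigabitEthernet 1/0/3
 ip address 1.1.1.4 255.255.255.0
 vrrp vrid 3 virtual-ip 1.1.1.1 255.255.255.0 standby
 vrrp vrid 4 virtual-ip 1.1.1.2 255.255.255.0 active
hrp interface GigabitEthernet 1/0/2
hrp enable
"""

# Assumed line shape, taken from Table 1-1: "vrrp vrid <n> virtual-ip <ip> <mask> active|standby".
VRRP_RE = re.compile(r"^\s*vrrp vrid (\d+) virtual-ip (\S+) (\S+) (active|standby)\s*$")


def parse_vrrp(config: str) -> dict:
    """Return {vrid: (interface, virtual_ip, role)} for every VRRP group in a config block."""
    groups, iface = {}, None
    for line in config.splitlines():
        if line.startswith("interface "):
            iface = line.split(None, 1)[1]        # remember which interface view we are in
        m = VRRP_RE.match(line)
        if m and iface:
            vrid, vip, _mask, role = m.groups()
            groups[int(vrid)] = (iface, vip, role)
    return groups


def check_load_sharing(cfg_a: str, cfg_b: str) -> list:
    """Return a list of rule violations; an empty list means the pair is a valid load sharing setup."""
    a, b = parse_vrrp(cfg_a), parse_vrrp(cfg_b)
    problems = []
    # Rule 1: each service interface carries exactly one active and one standby VRRP group.
    for name, groups in (("FW1", a), ("FW2", b)):
        per_iface = defaultdict(list)
        for _vrid, (iface, _vip, role) in groups.items():
            per_iface[iface].append(role)
        for iface, roles in per_iface.items():
            if sorted(roles) != ["active", "standby"]:
                problems.append(f"{name} {iface}: roles {roles}, expected one active and one standby")
    # Rule 2: the same VRID is active on one firewall and standby on the other, with one virtual IP.
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            problems.append(f"vrid {vrid}: configured on only one firewall")
            continue
        (_ia, vip_a, role_a), (_ib, vip_b, role_b) = a[vrid], b[vrid]
        if vip_a != vip_b:
            problems.append(f"vrid {vrid}: virtual IP differs ({vip_a} vs {vip_b})")
        if {role_a, role_b} != {"active", "standby"}:
            problems.append(f"vrid {vrid}: roles {role_a}/{role_b}, expected active on one side and standby on the other")
    return problems


if __name__ == "__main__":
    print("Table 1-1 pair:", check_load_sharing(FW1_CONFIG, FW2_CONFIG) or "OK")
    broken = FW1_CONFIG.replace("10.1.1.2 255.255.255.0 standby", "10.1.1.2 255.255.255.0 active")
    for problem in check_load_sharing(broken, FW2_CONFIG):
        print("violation:", problem)
```

Running the script with the table's configuration reports no violations; flipping VRRP group 2 on FW1 to active reports both a rule 1 violation on GE1/0/1 (two active groups on one interface) and a rule 2 violation for VRID 2 (active on both firewalls), which is exactly the misconfiguration that leaves both firewalls claiming the same virtual MAC.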

As shown in Figure 1-2, after the configuration is complete, the state formation process for the load sharing method of hot standby is as follows:

1.         FW1's and FW2's active VGMP groups switch from the initialize state to active, and their standby VGMP groups switch from initialize to standby.

2.         As FW1's VRRP groups 1 and 3 have joined the active VGMP group, whose state is active, FW1's VRRP groups 1 and 3 are both active; as FW1's VRRP groups 2 and 4 have joined the standby VGMP group, whose state is standby, they are both standby. Likewise, FW2's VRRP groups 1 and 3 are both standby, and its VRRP groups 2 and 4 are both active.

3.         At this point FW1's VRRP groups 1 and 3 send gratuitous ARP packets to the downstream and upstream switches respectively, announcing the virtual MAC addresses of VRRP groups 1 and 3; FW2's VRRP groups 2 and 4 do the same for their own virtual MAC addresses.

4.         The downstream switch records in its MAC address table that VRRP group 1's virtual MAC address (00-00-5E-00-01-01) is reachable through port Eth0/0/1 (the port connected to FW1) and that VRRP group 2's virtual MAC address (00-00-5E-00-01-02) is reachable through port Eth0/0/2 (the port connected to FW2). When service packets arrive, the switch forwards them to FW1 or FW2 according to their destination MAC address: a downstream host whose default gateway is VRRP group 1's virtual address (10.1.1.1) has its packets forwarded to FW1, and one whose default gateway is VRRP group 2's virtual address (10.1.1.2) has its packets forwarded to FW2. The upstream switch and its neighbours work the same way with VRRP groups 3 and 4.

Therefore FW1 and FW2 both forward service packets, both are primary devices, and the load sharing state has been achieved. Note that the split of traffic between them depends entirely on which virtual address the downstream and upstream devices use as their gateway; the firewalls do not balance it themselves.

5.         After the load sharing state is reached, FW1's active VGMP group sends HRP heartbeat packets to FW2's standby VGMP group at fixed intervals, and FW2's active VGMP group does the same toward FW1's standby VGMP group.

Figure 1-2 State formation process in load sharing hot standby


12 State Switching Process in Load Sharing Hot Standby

After two firewalls implement hot standby using the load sharing method, if one of the firewall's interfaces malfunctions, the firewalls will switch into an active/standby failover state, the process of which is described below.

1.         As shown in Figure 1-3, when FW1's GE1/0/1 interface fails, the states of FW1's VRRP groups 1 and 2 will each change to initialize.

2.         The priorities of FW1's active and standby VGMP groups are each lowered by 2, since each has lost one member VRRP group. FW1's active VGMP group's priority therefore becomes 64999, lower than FW2's standby VGMP group's priority of 65000, and FW1's standby VGMP group's priority becomes 64998, still lower than FW2's active VGMP group's priority of 65001. Following state negotiation between the VGMP groups, FW1's active VGMP group switches to standby and FW2's standby VGMP group switches to active; the other pair (FW2's active group and FW1's standby group) is unchanged.

3.         FW1's active VGMP group and FW2's standby VGMP group mandate that the VRRP groups within them switch state as well: FW1's VRRP group 3 switches to standby (group 1 is already in initialize because its interface is down), and FW2's VRRP groups 1 and 3 switch to active.

4.         FW2's VRRP groups 1 and 3 will send gratuitous ARP packets to the downstream and upstream switches respectively to update their MAC address tables.

5.         After the downstream switch receives the gratuitous ARP packet, it will update its own MAC address table, and link VRRP group 1's virtual MAC address (00-00-5E-00-01-01) with Eth0/0/2. Likewise, the upstream switch will link VRRP group 3's virtual MAC address (00-00-5E-00-01-03) with Eth0/0/2. Therefore, when upstream and downstream service packets reach these switches, the switches will forward the packets onto FW2. At this point, hot standby state switching is complete. FW1 has become the backup device and FW2 the primary device, meaning that the load sharing state has changed into an active/standby failover state.

6.         After load sharing has switched to active/standby failover, the primary device (FW2) will send heartbeat packets to the backup device (FW1) at fixed intervals.

Figure 1-3 State switching process in load sharing hot standby
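To make the priority arithmetic and the traffic-direction effect concrete, here is an added Python model (not Huawei code and not from the original post) that walks through both the formation process of section 11 and the switching process above. It assumes the default priorities of 65001 for an active VGMP group and 65000 for a standby VGMP group, a drop of 2 per VRRP group whose interface is down (the values used in the text), the virtual MAC 00-00-5E-00-01-<VRID>, and the switch port assignments from the figures (FW1 on Eth0/0/1 and FW2 on Eth0/0/2 of both switches). The tie-breaking rule (a group that is already active keeps its state when priorities are equal) is an assumption; the page does not cover ties.

```python
from dataclasses import dataclass, field

ACTIVE_PRIO = 65001    # assumed default priority of an active VGMP group
STANDBY_PRIO = 65000   # assumed default priority of a standby VGMP group
PENALTY = 2            # priority drop per VRRP group whose interface is down (as in the text)

# Which interface each VRRP group sits on and which switch that interface faces (Figure 1-1).
VRID_IFACE = {1: "GE1/0/1", 2: "GE1/0/1", 3: "GE1/0/3", 4: "GE1/0/3"}
VRID_SIDE = {1: "downstream", 2: "downstream", 3: "upstream", 4: "upstream"}


def virtual_mac(vrid: int) -> str:
    """VRRP virtual MAC 00-00-5E-00-01-<VRID>, the addresses quoted in the text."""
    return f"00-00-5E-00-01-{vrid:02X}"


@dataclass
class VgmpGroup:
    base_prio: int
    vrids: tuple                 # VRRP groups that joined this VGMP group
    state: str = "initialize"


@dataclass
class Firewall:
    name: str
    port: str                                    # switch port the firewall hangs off (assumed same on both switches)
    groups: dict = field(default_factory=dict)   # "active" / "standby" -> VgmpGroup
    failed: set = field(default_factory=set)     # interfaces currently down

    def priority(self, role: str) -> int:
        """Current VGMP priority: base minus PENALTY for each member VRRP group whose interface is down."""
        g = self.groups[role]
        down = sum(1 for v in g.vrids if VRID_IFACE[v] in self.failed)
        return g.base_prio - PENALTY * down

    def vrrp_state(self, vrid: int) -> str:
        """A VRRP group follows its VGMP group's state unless its own interface is down."""
        if VRID_IFACE[vrid] in self.failed:
            return "initialize"
        role = next(r for r, g in self.groups.items() if vrid in g.vrids)
        return self.groups[role].state


def build_pair():
    """Table 1-1: FW1 puts VRIDs 1,3 in its active group and 2,4 in its standby group; FW2 mirrors it."""
    fw1 = Firewall("FW1", "Eth0/0/1")
    fw2 = Firewall("FW2", "Eth0/0/2")
    fw1.groups = {"active": VgmpGroup(ACTIVE_PRIO, (1, 3)), "standby": VgmpGroup(STANDBY_PRIO, (2, 4))}
    fw2.groups = {"active": VgmpGroup(ACTIVE_PRIO, (2, 4)), "standby": VgmpGroup(STANDBY_PRIO, (1, 3))}
    return fw1, fw2


def negotiate(fw1: Firewall, fw2: Firewall) -> dict:
    """Settle both VGMP pairs (FW1 active vs FW2 standby, FW2 active vs FW1 standby): the higher
    priority becomes active.  Assumption: on equal priority the side already active keeps it."""
    for a, b in ((fw1, fw2), (fw2, fw1)):
        ga, gb = a.groups["active"], b.groups["standby"]
        pa, pb = a.priority("active"), b.priority("standby")
        if pa > pb or (pa == pb and ga.state == "active"):
            ga.state, gb.state = "active", "standby"
        else:
            ga.state, gb.state = "standby", "active"
    return {fw.name: {v: fw.vrrp_state(v) for v in VRID_IFACE} for fw in (fw1, fw2)}


def learn_mac_tables(fw1: Firewall, fw2: Firewall, tables=None) -> dict:
    """Every VRRP group in the active state sends a gratuitous ARP on its side; the switch there
    (re)binds the group's virtual MAC to the port its firewall is on.  Pass the previous tables
    back in to see which entries a switchover overwrites."""
    tables = tables if tables is not None else {"downstream": {}, "upstream": {}}
    for fw in (fw1, fw2):
        for v in VRID_IFACE:
            if fw.vrrp_state(v) == "active":
                tables[VRID_SIDE[v]][virtual_mac(v)] = fw.port
    return tables


if __name__ == "__main__":
    fw1, fw2 = build_pair()
    print("formation:", negotiate(fw1, fw2))
    tables = learn_mac_tables(fw1, fw2)
    print("MAC tables:", tables)
    fw1.failed.add("GE1/0/1")                                # section 12, step 1
    print("FW1 priorities:", fw1.priority("active"), fw1.priority("standby"))
    print("after failure:", negotiate(fw1, fw2))
    print("MAC tables:", learn_mac_tables(fw1, fw2, tables))
```

After the failure the model shows FW1's priorities at 64999 and 64998, every VRRP group on FW2 active, and both switches' entries for 00-00-5E-00-01-01 and 00-00-5E-00-01-03 moved to Eth0/0/2, which is the active/standby failover state described in step 5. Note that FW1's VRRP group 4 stays standby even though its interface GE1/0/3 is healthy: the switch is decided per VGMP group, not per interface.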

13 Summary

The above content should have provided a satisfactory answer to the question: "How are two firewalls' VGMP groups' packet exchange and state negotiation and state switching processes accomplished?" Therefore, we now know that in hot standby, VGMP's three main functions are:

1.         Fault monitoring: VGMP groups are able to monitor changes in VRRP groups' states, and thereby perceive both interface failures within VRRP groups as well as when such failures are fixed. Here, I've thought of a new question: can VGMP groups directly monitor interface failures, and do they have to conduct their interface monitoring through VRRP groups?

2.         State switching: the VGMP group state switching process is actually also the device active/standby state switching process. After a VGMP group perceives VRRP state changes, it will adjust its own priority, and will renegotiate active/standby states with its peer device's VGMP group. This point should already be fairly clear, as this section has delved deeply into how state switching and negotiation are accomplished.

3.         Traffic direction: after two VGMP groups' active/standby states are established or switched, the VGMP groups mandate that their VRRP groups switch state in unison. Following this, each active VRRP group sends a gratuitous ARP packet to direct traffic to it (the primary device). Here, a new question has popped to mind: "If VGMP groups were able to directly monitor interfaces, how would traffic direction be accomplished?"

Actually, VGMP's functionality is extremely strong, and effecting firewall fault monitoring and traffic direction by monitoring VRRP group states is only one of VGMP's techniques. This technique can only be used when the firewall's upstream or downstream devices are switches, as VRRP itself was created especially for this kind of scenario. Is VGMP useless when a firewall's upstream or downstream device is a router? Of course not! In the next section I'll introduce more of VGMP's features to allow everyone to gain a thorough understanding of the hot standby function, and be completely prepared for all contingencies!

14 Addendum: VGMP State Machine

Above, we've learned about the processes for VGMP groups' various state changes. Below, I'll use an explanation of a VGMP state machine (a visual representation is shown in Figure 1-4) to help deepen everyone's understanding of VGMP group state switching.

NOTE

The VGMP state machine discussed in this section is currently applicable to the USG2000/5000/6000 firewall series and the USG9500 firewall series' V100R003 version.

Figure 1-4 VGMP state machine

[Dr.WoW] [No.51] The Story of VRRP and VGMP-part 4-1040905-4 

0.         After the hot standby function is enabled, each VGMP group enters the initialize state.

1.         After the active VGMP group is enabled, the active group's state switches from initialize to active.

2.         After the standby VGMP group is enabled, the standby group's state switches from initialize to standby.

3.         When one of the interfaces monitored by this device's VGMP group fails, its state switches from 'active' to 'active to standby', and it sends a VGMP request packet to its peer device's VGMP group.

4.         When this VGMP group receives the peer's VGMP request packet, it discovers that its priority is higher than its peer's, switches from the standby state to the active state, and sends a VGMP acknowledgement packet to the peer device's VGMP group.

5.         This device's VGMP group receives its peer's VGMP acknowledgement packet, and confirms that it (this device) needs to conduct state switching, so this device's VGMP group's state is switched from 'active to standby' to 'standby'.

6.         The peer device's VGMP group determines that this device's VGMP group does not need to undergo state switching or the peer doesn't answer this device's VGMP request packets for three intervals, and so this device's VGMP group's state switches from the 'active to standby' state to the 'active' state.

7.         After the failure with the interface monitored by this device's VGMP group is fixed, if this device's VGMP group's priority is higher than the peer device's, and if the preemption function has been configured, then this device's VGMP group's state will switch from 'standby' to 'standby to active', and it will send a VGMP request packet to its peer.

8.         This device's VGMP group receives the peer device's VGMP request packet and discovers that the peer device's priority is higher, and it therefore switches from the active state to the standby state and sends a VGMP acknowledgement packet to the peer device's VGMP group.

9.         This device's VGMP group receives the peer device's VGMP acknowledgement packet, and confirms that it (this device) needs to undergo state switching. This device's VGMP group therefore switches from the 'standby to active' state to the 'active' state, completing the preemption process.

10.      The peer device's VGMP group determines that this device's VGMP group doesn't need to undergo state switching, or the peer hasn't answered this device's VGMP request packets for three consecutive intervals, and therefore this device's VGMP group switches from the 'standby to active' state back to the 'standby' state.

 

 

user_2790689
Created Jan 13, 2016 09:38:55

Thank you for sharing.