[Dr.WoW] [No.52] Explanation of VGMP Techniques-part 1

Latest reply: May 29, 2019 06:14:20

The marriage of VGMP and VRRP is only applicable to networking using firewalls connected to Layer 2 devices. Therefore, if a firewall connects to a router, or a firewall transparently accesses a network (service interfaces are working in Layer 2), what technique does a VGMP group use in response? In this section, I will reveal the remaining VGMP group techniques for everyone.

1 VGMP Technique For Firewall-Router Connections

In Figure 1-1, the two firewalls' upstream and downstream service interfaces are working in Layer 3 and are connected to routers. The firewalls and the routers run OSPF between them. As the upstream and downstream devices are not Layer 2 switches, the VGMP groups cannot use VRRP groups. The technique the VGMP groups use to monitor failures is therefore direct interface state monitoring, which is accomplished by adding the interfaces directly to the VGMP groups. When one of a VGMP group's interfaces fails, the VGMP group directly perceives the interface's change in state and lowers its own priority.

Figure 1-1 Networking with firewalls connected to upstream and downstream routers


The steps for configuring direct interface monitoring using VGMP groups are shown in Table 1-1 (using the active/standby failover method of hot standby).

Table 1-1 Configuration of direct interface monitoring using VGMP groups

Item: Configure the VGMP group to directly monitor interface GE1/0/1.
  Configuration on FW1:
    interface GigabitEthernet 1/0/1
     ip address 10.1.1.2 255.255.255.0
     hrp track active
  Configuration on FW2:
    interface GigabitEthernet 1/0/1
     ip address 10.1.2.2 255.255.255.0
     hrp track standby

Item: Configure the VGMP group to directly monitor interface GE1/0/3.
  Configuration on FW1:
    interface GigabitEthernet 1/0/3
     ip address 10.2.1.2 255.255.255.0
     hrp track active
  Configuration on FW2:
    interface GigabitEthernet 1/0/3
     ip address 10.2.2.2 255.255.255.0
     hrp track standby

Item: Configure the automatic cost adjustment function.
  Configuration on FW1:
    hrp ospf-cost adjust-enable
  Configuration on FW2:
    hrp ospf-cost adjust-enable

Item: Configure the heartbeat interface.
  Configuration on FW1:
    hrp interface GigabitEthernet 1/0/2
  Configuration on FW2:
    hrp interface GigabitEthernet 1/0/2

Item: Enable the hot standby function.
  Configuration on FW1:
    hrp enable
  Configuration on FW2:
    hrp enable

NOTE

If the load sharing method of hot standby is used, then we only need to execute the hrp track active and hrp track standby commands on each service interface, and add the service interfaces to both the active and standby VGMP groups.

[Question from Dr. Wow] Here, curious readers may ask: aren't we adding interfaces to VGMP groups so that the VGMP groups can monitor interface states? Why, then, is the command hrp track and not vgmp track? This is because of what we discussed in the section above: VGMP and HRP packets are both encapsulated with a VRRP header and a VGMP header (the only difference between them being that HRP packets are further encapsulated with an HRP header). Therefore, when developers designed this command, they used the hrp parameter, and this practice has continued until today.

After configuration is complete, we can run the command display hrp state on FW1 and see that interfaces GE1/0/1 and GE1/0/3 have both been added to the active group and are being monitored by it.

HRP_A<FW1> display hrp state
The firewall's config state is: ACTIVE

Current state of interfaces tracked by active:
             GigabitEthernet0/0/1 : up
             GigabitEthernet0/0/3 : up

Running the command display hrp state on FW2 shows that interfaces GE1/0/1 and GE1/0/3 have both been added to the standby VGMP group, and are being monitored by the group.

HRP_S<FW2> display hrp state
The firewall's config state is: Standby

Current state of interfaces tracked by standby:
             GigabitEthernet0/0/1 : up
             GigabitEthernet0/0/3 : up

Running the command display hrp group on FW1 shows that the active VGMP group's state is active, its priority is 65001, and that the standby VGMP group hasn't been enabled.

HRP_A<FW1> display hrp group

Active group status:
   Group enabled:         yes
   State:                 active
   Priority running:      65001
   Total VRRP members:    0
   Hello interval(ms):    1000
   Preempt enabled:       yes
   Preempt delay(s):      30
   Peer group available:  1
   Peer's member same:    yes
 Standby group status:
   Group enabled:         no
   State:                 initialize
   Priority running:      65000
   Total VRRP members:    0
   Hello interval(ms):    1000
   Preempt enabled:       yes
   Preempt delay(s):      0
   Peer group available:  0
   Peer's member same:    yes

Running the command display hrp group on FW2 shows that the standby VGMP group's state is standby, its priority is 65000, and that the active VGMP group hasn't been enabled.

HRP_S<FW2> display hrp group

Active group status:
   Group enabled:         no
   State:                 initialize
   Priority running:      65001
   Total VRRP members:    0
   Hello interval(ms):    1000
   Preempt enabled:       yes
   Preempt delay(s):      30
   Peer group available:  1
   Peer's member same:    yes
 Standby group status:
   Group enabled:         yes
   State:                 standby
   Priority running:      65000
   Total VRRP members:    2
   Hello interval(ms):    1000
   Preempt enabled:       yes
   Preempt delay(s):      0
   Peer group available:  1

We can therefore conclude that after the completion of configuration, FW1's VGMP group is in the active state, and FW1 has become the primary device. FW2's VGMP group's state is in the standby state, and FW2 has become the backup device.

In Hot Standby Overview, I mentioned that if we want PC1's traffic to PC2 to be forwarded by FW1, we need to manually increase the OSPF cost of FW2's link (R1>FW2>R2). But what if it is inconvenient or impossible to configure the upstream and downstream routers R1 and R2? In this situation we use the firewall's VGMP group's traffic direction function to steer traffic onto the primary device automatically: the firewall adjusts its OSPF costs according to the VGMP group's state (the command is hrp ospf-cost adjust-enable). Once this function is enabled, a firewall with an active VGMP group advertises routes with normal costs, while a firewall whose VGMP group is in the standby state increases the cost by 65500 (the default value, which can be adjusted) when advertising routes.

NOTE

If this is a load sharing network, as there are active VGMP groups on both firewalls, each firewall will advertise routes with normal costs.

On the left of Figure 1-1, the primary firewall FW1 (its VGMP group's state is active) is advertising routes normally, and the backup device FW2 (its VGMP group is in the standby state) will therefore increase costs by 65500 when advertising routes to the upstream and downstream devices. Therefore, from the perspective of R1, the OSPF cost of using FW1 to access PC2 is 1+1+1=3, while the OSPF cost of using FW2 to access PC2 is 65501+1+1=65503. As the router will choose the path with the lower cost when forwarding traffic (R1>FW1>R2), traffic from the intranet's PC1 to the external network's PC2 will be forwarded through the primary device FW1.

We can see from R1's routing table that the next hop for packets going to network 1.1.1.0 is the address of FW1's GE1/0/1, 10.1.1.2.

[R1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

1.1.1.0/24     OSPF    10   3            D   10.1.1.2        GigabitEthernet0/0/1

After one of FW1's service interfaces fails, the two firewalls' VGMP groups undergo state switching. After the switch, FW2's VGMP group is active and FW2 becomes the primary device; FW1's VGMP group is standby and FW1 becomes the backup device. FW2 now advertises routes normally (it does not increase the cost value), while the route cost advertised by FW1 increases by 65500. From R1's point of view, the path to PC2 through FW1 is blocked (because FW1's upstream interface has failed), while the route to PC2 through FW2 is reachable with a cost of 3, so traffic from intranet PC1 to PC2 on the external network is forwarded through the new primary device FW2.

From R1's routing table we can also see that the next hop of packets travelling to destination network segment 1.1.1.0 has changed to FW2's GE1/0/1's address 10.1.2.2.

[R1] display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 11       Routes : 11

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

1.1.1.0/24     OSPF    10   3            D   10.1.2.2        GigabitEthernet0/0/2
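To make the chain "tracked interface fails -> VGMP priority drops -> group state switches -> advertised OSPF cost changes -> R1 picks the other next hop" concrete, here is a small Python model. It is an added illustration for this post, not code from the post or from Huawei, and it does not talk to any device. The values are the article's (every hop costs 1, the standby firewall adds 65500 to advertised routes, group priorities 65001 and 65000, next hops 10.1.1.2 and 10.1.2.2); the amount a group's priority drops per failed tracked interface (2) is an assumption made for the model, since the article does not state it. Beyond the upstream-interface failure described above, the model also runs the case where only FW1's downstream interface GE1/0/3 fails: R1 still has a working link to FW1, so it is the 65500 cost increase alone that moves traffic to FW2.

```python
"""Model of VGMP direct interface monitoring plus OSPF cost steering (Figure 1-1).

Added illustration for this post; it is not Huawei firewall code and does not
talk to a device.  Values from the article: every hop costs 1, a firewall whose
VGMP group is standby adds 65500 to advertised routes, and the active/standby
groups start at priority 65001/65000.  The priority drop per failed tracked
interface (2) is an assumption made here, not something the article states.
"""
from dataclasses import dataclass

LINK_COST = 1                   # OSPF cost of each hop in Figure 1-1
STANDBY_COST_INCREMENT = 65500  # default added by hrp ospf-cost adjust-enable
PRIORITY_DROP_PER_FAILURE = 2   # assumed value, not stated in the article


@dataclass
class Firewall:
    name: str
    r1_next_hop: str      # address of GE1/0/1 as seen from R1 (Table 1-1)
    base_priority: int    # 65001 for the active group, 65000 for the standby group
    tracked_up: dict      # tracked interface name -> True while it is up

    def vgmp_priority(self) -> int:
        """Each failed tracked interface lowers the running priority."""
        failed = sum(1 for up in self.tracked_up.values() if not up)
        return self.base_priority - PRIORITY_DROP_PER_FAILURE * failed


def elect_active(fw1: Firewall, fw2: Firewall) -> str:
    """The group with the higher running priority is active; ties keep FW1
    (a simplification of VGMP preemption)."""
    return fw1.name if fw1.vgmp_priority() >= fw2.vgmp_priority() else fw2.name


def advertised_cost(fw: Firewall, active: str) -> int:
    """Cost a firewall advertises to R1 for PC2's network 1.1.1.0/24:
    FW->R2 plus R2->PC2, with 65500 added while the firewall is standby."""
    cost = 2 * LINK_COST
    if fw.name != active:
        cost += STANDBY_COST_INCREMENT
    return cost


def r1_route_to_pc2(fw1: Firewall, fw2: Firewall):
    """(next_hop, cost) that R1 installs for 1.1.1.0/24.  A firewall whose
    R1-facing interface GE1/0/1 is down has no OSPF adjacency with R1, so R1
    learns no route through it at all."""
    active = elect_active(fw1, fw2)
    candidates = []
    for fw in (fw1, fw2):
        if not fw.tracked_up["GE1/0/1"]:
            continue
        candidates.append((LINK_COST + advertised_cost(fw, active), fw.r1_next_hop))
    cost, next_hop = min(candidates)
    return next_hop, cost


def build_pair():
    """FW1/FW2 as configured in Table 1-1, all tracked interfaces up."""
    fw1 = Firewall("FW1", "10.1.1.2", 65001, {"GE1/0/1": True, "GE1/0/3": True})
    fw2 = Firewall("FW2", "10.1.2.2", 65000, {"GE1/0/1": True, "GE1/0/3": True})
    return fw1, fw2


def scenario(failed_fw1_interface=None):
    """Return (active firewall, (R1 next hop, cost)) with one FW1 interface down."""
    fw1, fw2 = build_pair()
    if failed_fw1_interface is not None:
        fw1.tracked_up[failed_fw1_interface] = False
    return elect_active(fw1, fw2), r1_route_to_pc2(fw1, fw2)


if __name__ == "__main__":
    for failed in (None, "GE1/0/1", "GE1/0/3"):
        active, (next_hop, cost) = scenario(failed)
        print(f"FW1 failure: {str(failed):8} active: {active}  "
              f"R1 next hop: {next_hop}  cost: {cost}")
```

With no failure R1 installs 10.1.1.2 at cost 3 (FW2's path would cost 65503); with GE1/0/1 down R1 loses the FW1 route entirely and installs 10.1.2.2 at cost 3; with only GE1/0/3 down both routes still exist, and R1 installs 10.1.2.2 purely because FW1, now standby, advertises 65503.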

2 VGMP Technique When Firewalls Transparently Access and Connect to Switches

In Figure 1-2, the two firewalls' upstream and downstream service interfaces are both working in Layer 2 and are connected to switches. As the firewalls' service interfaces work in Layer 2, they have no IP addresses, so the VGMP groups can neither use VRRP groups nor directly monitor interface states. The fault monitoring technique the VGMP groups use is therefore to monitor interface states through a VLAN. This is accomplished by adding the Layer 2 service interfaces to a VLAN and having the VGMP group monitor that VLAN. When an interface in the VLAN fails, the VGMP group perceives the change in state of one of its interfaces through the VLAN and lowers its own priority.

Figure 1-2 Networking with a firewall transparently accessing and connecting to switches


Table 1-2 shows the configuration steps used to allow a VGMP group to use a VLAN to monitor interface states (active/standby failover).

Table 1-2 Configuration of VGMP groups' use of a VLAN to monitor interfaces (active/standby failover)

Item: Add the Layer 2 service interfaces to the same VLAN, and configure the VGMP group to monitor the VLAN.
  Configuration on FW1:
    vlan 2
     port GigabitEthernet 1/0/1
     port GigabitEthernet 1/0/3
     hrp track active
  Configuration on FW2:
    vlan 2
     port GigabitEthernet 1/0/1
     port GigabitEthernet 1/0/3
     hrp track standby

Item: Configure the heartbeat interface.
  Configuration on FW1:
    hrp interface GigabitEthernet 1/0/2
  Configuration on FW2:
    hrp interface GigabitEthernet 1/0/2

Item: Enable the hot standby function.
  Configuration on FW1:
    hrp enable
  Configuration on FW2:
    hrp enable

NOTE

When firewalls' service interfaces work in Layer 2 and are connected to switches, the load sharing method of hot standby is not supported. This is because if working in the load sharing method, the VLANs would be enabled on both devices, and each device would be able to forward traffic, so that the entire network would form a loop.

After completing configuration, FW1's VGMP group's state is active and FW1 becomes the primary device; FW2's VGMP group's state is standby and FW2 becomes the backup device. As the firewalls' service interfaces work in Layer 2, the firewalls themselves cannot run OSPF, so the VGMP groups cannot direct upstream and downstream traffic using OSPF costs. However, the VGMP groups can control whether or not their VLAN forwards traffic, which ensures that traffic is directed onto the primary device. When a VGMP group's state is active, the group's VLAN is able to forward traffic; when a VGMP group's state is standby, the group's VLAN is disabled and cannot forward traffic. A VGMP group's control over whether its VLAN forwards traffic does not need to be configured separately; adding the VLAN to the VGMP group is all that is required.

As shown in Figure 1-2, under normal circumstances, the primary device's (FW1; its VGMP group's state is active) VLAN is enabled, and it can forward traffic. The backup device's (FW2; its VGMP group is in the standby state) VLAN is disabled, and it cannot forward traffic. Therefore, the traffic from PC1 to PC2 will all be forwarded by primary device FW1.

After a service interface failure on FW1, the two firewalls' VGMP groups will undergo state switching. When FW1's VGMP group's state switches from active to standby, the state of the normal interface(s) in the group's VLAN will go down and then up. This causes the upstream and downstream switches to update their own MAC address tables to map the destination MAC address to port Eth0/0/2, thereby directing traffic onto FW2.
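The Layer 2 failover above relies on two things: the VLAN on each firewall forwarding only while its VGMP group is active, and the down/up flap of the old primary's VLAN interfaces making the switches drop what they learned on that port. The following Python model, added here as an illustration (it is not code from the post or from Huawei), walks through both steps on a minimal learning switch. The upstream switch port names Eth0/0/1 (toward FW1) and Eth0/0/2 (toward FW2) and the MAC address are assumed or constructed; the article only names Eth0/0/2. The model also runs the failover without the interface flap to show what the flap buys: without it, the switch keeps a stale entry pointing at FW1, whose VLAN no longer forwards.

```python
"""Model of the Layer 2 failover in Figure 1-2.

Added illustration for this post, not Huawei code.  The VLAN on a firewall
forwards only while the VGMP group tracking it is active; when the old
primary's VLAN interfaces go down and come back up, the switch flushes what it
learned on that port and relearns the MAC address on the port toward FW2.
Assumed/constructed: upstream switch port Eth0/0/1 faces FW1 and Eth0/0/2
faces FW2 (the article names only Eth0/0/2), and the MAC address below.
"""

PC2_MAC = "00:00:5e:00:53:22"  # constructed sample address on the PC2 side


class Switch:
    """Minimal learning switch: MAC address -> port."""

    def __init__(self, name):
        self.name = name
        self.mac_table = {}

    def learn(self, src_mac, in_port):
        self.mac_table[src_mac] = in_port

    def lookup(self, dst_mac):
        """Port a frame to dst_mac is sent out of; unknown MACs are flooded."""
        return self.mac_table.get(dst_mac, "flood")

    def port_down(self, port):
        """Link-down on a port removes every entry learned on it."""
        self.mac_table = {m: p for m, p in self.mac_table.items() if p != port}


class TransparentFirewall:
    """Firewall whose GE1/0/1 and GE1/0/3 sit in VLAN 2 (Table 1-2)."""

    def __init__(self, name, upstream_port):
        self.name = name
        self.upstream_port = upstream_port  # upstream switch port facing this FW
        self.vgmp_active = False

    def vlan_forwards(self):
        # Controlled by the VGMP state alone; no separate configuration needed.
        return self.vgmp_active


def frame_from_pc2(upstream, firewalls):
    """A frame from PC2 crosses whichever firewall's VLAN is forwarding, and
    the upstream switch learns PC2's MAC on the matching port."""
    for fw in firewalls:
        if fw.vlan_forwards():
            upstream.learn(PC2_MAC, fw.upstream_port)
            return fw.upstream_port
    return None


def vgmp_failover(upstream, old_primary, new_primary, flap=True):
    """State switch: the new primary's VLAN starts forwarding, the old
    primary's stops, and (normally) its VLAN interfaces go down then up."""
    old_primary.vgmp_active = False
    new_primary.vgmp_active = True
    if flap:
        upstream.port_down(old_primary.upstream_port)


def run(flap=True):
    """Return the upstream switch's entry for PC2 before the failover,
    right after it, and after the next frame from PC2 arrives."""
    upstream = Switch("upstream switch")
    fw1 = TransparentFirewall("FW1", "Eth0/0/1")
    fw2 = TransparentFirewall("FW2", "Eth0/0/2")
    fw1.vgmp_active = True
    frame_from_pc2(upstream, [fw1, fw2])
    before = upstream.lookup(PC2_MAC)
    vgmp_failover(upstream, fw1, fw2, flap=flap)
    right_after = upstream.lookup(PC2_MAC)
    frame_from_pc2(upstream, [fw1, fw2])
    relearned = upstream.lookup(PC2_MAC)
    return before, right_after, relearned


if __name__ == "__main__":
    print("with interface flap:   ", run(flap=True))
    print("without interface flap:", run(flap=False))
```

With the flap, the entry for PC2 goes from Eth0/0/1 to "flood" and is then relearned on Eth0/0/2 as soon as a frame arrives through FW2. Without the flap, the middle value stays Eth0/0/1: frames toward PC2 would be sent to FW1, whose VLAN is now disabled, until the entry ages out or a return frame relearns it.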

user_2790689
Created Jan 15, 2016 03:43:04

Good!

Swidan
Admin, created May 29, 2019 06:14:20

Thanks for sharing