[Dr.WoW] [No.52] Explanation of VGMP Techniques-part 2

Latest reply: Oct 29, 2017 12:27:21 3103 2 0 0

3 VGMP Technique When Firewalls Transparently Access and Connect to Routers

In Figure 1-3, the upstream and downstream service interfaces of both firewalls work in Layer 2 and are connected to routers; OSPF runs across the two firewalls between the upstream and downstream routers. In this sort of networking, the fault monitoring and traffic direction methods adopted by the firewalls' VGMP groups are essentially the same as in section 2, "VGMP Technique When Firewalls Transparently Access and Connect to Switches": a VLAN is used to monitor interface faults and to control the traffic direction.

The difference is that the networking described in this section only supports the load sharing method of hot standby, not active/standby failover. If the active/standby failover method were used, the backup device's VLAN would be disabled, so its upstream and downstream routers would be unable to communicate with each other or establish OSPF routes through it. When an active/standby switchover occurred, the VLAN of the new primary device (the original backup device) would be enabled, and only then would its upstream and downstream routers begin to build new OSPF routes. Building new OSPF routes takes a certain amount of time, so this would result in a temporary service interruption.

Figure 1-3 Networking with firewall transparently accessing and connecting to routers


The steps for configuring a VGMP group to monitor interface states through a VLAN (load sharing) are shown in Table 1-3.

Table 1-3 Configuration of VGMP group to monitor interfaces using a VLAN (load sharing)

Item: Add the Layer 2 service interfaces to the same VLAN and configure the active and standby VGMP groups to monitor the VLAN.
  Configuration on FW1:
    vlan 2
     port GigabitEthernet 1/0/1
     port GigabitEthernet 1/0/3
     hrp track active
     hrp track standby
  Configuration on FW2:
    vlan 2
     port GigabitEthernet 1/0/1
     port GigabitEthernet 1/0/3
     hrp track active
     hrp track standby

Item: Configure the heartbeat interface.
  Configuration on FW1:
    hrp interface GigabitEthernet 1/0/2
  Configuration on FW2:
    hrp interface GigabitEthernet 1/0/2

Item: Enable the hot standby function.
  Configuration on FW1:
    hrp enable
  Configuration on FW2:
    hrp enable

NOTE

When the firewalls' service interfaces work in Layer 2 and are connected to routers, do not use the active/standby failover method of hot standby. This is because the backup device's VLAN is disabled, and its upstream and downstream routers can't communicate, and thus can't establish routes. Therefore, during active/standby switching, the backup device is unable to immediately replace the primary device, resulting in a service interruption.

After configuration, as there are active VGMP groups on both FW1 and FW2, both FW1 and FW2 are primary devices, and VLAN 2 on each of them forwards traffic. At this time, R1's routing table shows that traffic going to PC2 can be forwarded through either FW1 or FW2.

<R1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 14       Routes : 15

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

1.1.1.0/24          OSPF    10   2           D   10.1.1.2        GigabitEthernet0/0/1
                    OSPF    10   2           D   10.1.2.2        GigabitEthernet0/0/2

After one of FW1's service interfaces fails, the two firewalls' VGMP groups conduct state switching, and the hot standby state changes from load sharing to active/standby failover. When FW1's VGMP group switches from active to standby, all of the interfaces in the group's VLAN go down and then come up again. This causes the upstream and downstream routers' routes to change and reconverge, so all traffic is directed onto FW2.

At this time, R1's routing table (below) also shows that the next hop of packets going to network 1.1.1.0 has changed to R2's GE0/0/2's address 10.1.2.2.

<R1> display ip routing-table
Route Flags: R - relay, D - download to fib
------------------------------------------------------------------------------
Routing Tables: Public
         Destinations : 10       Routes : 11

Destination/Mask    Proto   Pre  Cost      Flags NextHop         Interface

1.1.1.0/24          OSPF    10   2           D   10.1.2.2        GigabitEthernet0/0/2
10.1.2.0/24         Direct  0    0           D   10.1.2.1        GigabitEthernet0/0/2

4 VGMP Groups' Remote Interface Monitoring Techniques

The techniques used by VGMP groups in the various hot standby networks were described above; in all of them the VGMP groups monitored the firewall's own interfaces. Below we'll look at two techniques for a VGMP group to monitor remote interfaces. "Remote interfaces" are the interfaces of other devices on a link. When a remote interface monitored by a VGMP group fails, the VGMP group's priority is lowered by 2, just as we've seen previously. The techniques by which VGMP monitors the firewall's own interfaces can be used together with those for monitoring remote interfaces.

It is important to note that the two kinds of techniques for VGMP to monitor remote interfaces can only be used on networks in which firewalls' service interfaces are working in Layer 3, because only Layer 3 interfaces have IP addresses and can send IP-Link and BFD detection packets to the remote device(s).

•   Monitoring the state of remote interfaces using IP-link

The method is to establish an IP-link to probe the remote interface, and then have the VGMP group monitor the IP-link's state. When an interface being probed through an IP-link fails, the IP-link state will change to Down, and the VGMP group will perceive the IP-link's state change and therefore lower its own priority.

As shown in Figure 1-4, we need to use IP-Link 1 on FW1 (FW2) to inspect R1's (R2's) GE1/0/1 interface (an indirectly connected remote interface), and then add IP-Link 1 to the active (standby) VGMP group to monitor IP-Link 1's state.

Figure 1-4 VGMP monitoring of remote interfaces using IP-link


Configuration details are shown in Table 1-4 (the hot standby function must be configured before the configuration below).

Table 1-4 Configuration of VGMP monitoring of remote interfaces using IP-link

Item: Enable IP-link.
  Configuration on FW1:
    ip-link check enable
  Configuration on FW2:
    ip-link check enable

Item: Configure IP-link to monitor the remote address.
  Configuration on FW1:
    ip-link 1 destination 1.1.1.1 interface GigabitEthernet1/0/3 mode icmp
  Configuration on FW2:
    ip-link 1 destination 2.2.2.1 interface GigabitEthernet1/0/3 mode icmp

Item: Configure VGMP to monitor the IP-link.
  Configuration on FW1:
    hrp track ip-link 1 active
  Configuration on FW2:
    hrp track ip-link 1 standby

•   Monitoring remote interface status using BFD

This method entails using BFD to probe remote interfaces, with a VGMP group monitoring the BFD state. When there is a failure of the remote interface being inspected by BFD, BFD's state will change to Down, and the VGMP group will perceive the BFD state change and therefore lower its own priority.

As shown in Figure 1-5, we need to use BFD session 1 (local discriminator 10) on FW1 (FW2) to probe R1's (R2's) GE1/0/1 interface (an indirectly connected remote interface), and then add that BFD session to the active (standby) VGMP group so that it monitors the session's state.

Figure 1-5 VGMP monitoring of remote interfaces using BFD


Configuration details are shown in Table 1-5 (the hot standby function must be configured before the configuration below).

Table 1-5 Configuring VGMP monitoring of remote interfaces using BFD

Item: Configure BFD to monitor the remote address, and specify the local and peer discriminators.
  Configuration on FW1:
    bfd 1 bind peer-ip 1.1.1.1
     discriminator local 10
     discriminator remote 20
  Configuration on FW2:
    bfd 1 bind peer-ip 2.2.2.1
     discriminator local 10
     discriminator remote 20

Item: Configure the VGMP group to monitor BFD.
  Configuration on FW1:
    hrp track bfd-session 10 active
  Configuration on FW2:
    hrp track bfd-session 10 standby

5 Summary

In summary, although there are many different VGMP group monitoring and traffic direction techniques, they all abide by the following two principles:

•   Whenever a failure occurs on an interface that is being monitored by a VGMP group, regardless of whether it is monitored directly or indirectly, and regardless of whether it is the firewall's own interface or a remote interface, the VGMP group's priority is lowered by 2.

•   Only primary devices (VGMP group in the active state) direct traffic onto themselves, while backup devices (VGMP group in the standby state) take steps to prevent traffic from being directed onto them.
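The two principles above can be written down as a small simulation. The following Python model is an added example, not Huawei's implementation and not code from the post: it treats every tracked object (a local interface or VLAN, an IP-link, a BFD session) the same way, subtracting 2 from the group's priority per failed object, and lets the higher priority win the active state. It replays both the load-sharing VLAN failure from section 3 and the IP-link remote-interface failure from section 4. The starting priorities 65001/65000 and the tie-break rule (the current holder keeps the active state when priorities are equal) are assumptions of this model, not values stated in the post.

```python
"""Toy model of VGMP priority and state election (added example).

Constructed example, not Huawei's implementation and not code from the post.
Each failed monitored object lowers the group priority by 2 (from the post);
the group with the higher priority in a pair is active and attracts traffic.
Starting priorities and the tie-break rule are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set

PRIORITY_PENALTY = 2                        # from the post: each failed object costs 2
ACTIVE_BASE, STANDBY_BASE = 65001, 65000    # assumed starting priorities (illustrative)


@dataclass
class VgmpGroup:
    """One VGMP group on one firewall plus the objects it tracks."""
    name: str                                   # "<firewall>/<role>"
    base_priority: int
    tracked: Dict[str, bool] = field(default_factory=dict)  # object -> currently up?

    @property
    def firewall(self) -> str:
        return self.name.split("/")[0]

    def track(self, *objects: str) -> None:
        for obj in objects:
            self.tracked.setdefault(obj, True)

    def set_object(self, obj: str, up: bool) -> None:
        if obj not in self.tracked:
            raise KeyError(f"{self.name} does not track {obj}")
        self.tracked[obj] = up

    @property
    def priority(self) -> int:
        failed = sum(1 for up in self.tracked.values() if not up)
        return self.base_priority - PRIORITY_PENALTY * failed


@dataclass
class VgmpPair:
    """A group and its peer group on the other firewall; exactly one is active."""
    a: VgmpGroup
    b: VgmpGroup
    active: VgmpGroup

    def resolve(self) -> VgmpGroup:
        """Higher priority wins; on a tie the current holder keeps the state (assumption)."""
        if self.a.priority > self.b.priority:
            self.active = self.a
        elif self.b.priority > self.a.priority:
            self.active = self.b
        return self.active


def carriers(pairs: List[VgmpPair]) -> Set[str]:
    """Firewalls that attract traffic: those holding at least one active group."""
    return {pair.resolve().firewall for pair in pairs}


def load_sharing_vlan_failure() -> Dict[str, object]:
    """Table 1-3 topology: each firewall has an active and a standby group tracking VLAN 2."""
    fw1_a, fw1_s = VgmpGroup("FW1/active", ACTIVE_BASE), VgmpGroup("FW1/standby", STANDBY_BASE)
    fw2_a, fw2_s = VgmpGroup("FW2/active", ACTIVE_BASE), VgmpGroup("FW2/standby", STANDBY_BASE)
    for group in (fw1_a, fw1_s):
        group.track("FW1:vlan2")
    for group in (fw2_a, fw2_s):
        group.track("FW2:vlan2")
    # FW1's active group is peered with FW2's standby group and vice versa.
    pairs = [VgmpPair(fw1_a, fw2_s, fw1_a), VgmpPair(fw2_a, fw1_s, fw2_a)]
    before = carriers(pairs)
    # A service interface in FW1's VLAN 2 fails: both of FW1's groups see the VLAN down.
    for group in (fw1_a, fw1_s):
        group.set_object("FW1:vlan2", False)
    after = carriers(pairs)
    return {"before": before, "after": after, "fw1_active_priority": fw1_a.priority}


def remote_link_failure() -> Dict[str, object]:
    """Table 1-4 topology: active/standby pair that also tracks an IP-link probe to the router."""
    fw1 = VgmpGroup("FW1/active", ACTIVE_BASE)
    fw2 = VgmpGroup("FW2/standby", STANDBY_BASE)
    for group in (fw1, fw2):
        group.track("GE1/0/1", "GE1/0/3", "ip-link 1")  # local interfaces plus the remote probe
    pairs = [VgmpPair(fw1, fw2, fw1)]
    before = carriers(pairs)
    fw1.set_object("ip-link 1", False)  # R1's probed interface fails: FW1's IP-link goes Down
    after = carriers(pairs)
    return {"before": before, "after": after,
            "fw1_priority": fw1.priority, "fw2_priority": fw2.priority}


if __name__ == "__main__":
    print("VLAN failure  :", load_sharing_vlan_failure())
    print("remote failure:", remote_link_failure())
```

In the load-sharing replay both firewalls carry traffic until FW1's VLAN fails, after which only FW2 holds an active group, matching the routing-table change shown in section 3; in the remote-link replay a single lost probe is enough to hand the active state to FW2, which is why the post pairs IP-link or BFD monitoring with Layer 3 service interfaces only.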

Finally, I'll summarize the relationships between the various typical hot standby networks and the VGMP fault monitoring and traffic direction techniques in Table 1-6.

Table 1-6 Summary of various hot standby networks' VGMP techniques

Hot Standby Network: Firewall service interfaces are working in Layer 3, and are connected to Layer 2 switches.
  Supported Scenarios: Active/standby failover and load sharing
  Fault Monitoring Technique:
    •  Interface monitoring using VRRP groups
    •  Interface monitoring using IP-links (optional)
    •  Interface monitoring using BFD (optional)
  Traffic Direction Technique: The primary device sends gratuitous ARP packets to the connected switches, updating the switches' MAC address tables.

Hot Standby Network: Firewall service interfaces are working in Layer 3, and are connected to routers.
  Supported Scenarios: Active/standby failover and load sharing
  Fault Monitoring Technique:
    •  Direct interface monitoring
    •  Interface monitoring using IP-links (optional)
    •  Interface monitoring using BFD (optional)
  Traffic Direction Technique: The primary device advertises routes with normal costs, while the cost of routes advertised by the backup device is increased by 65500.

Hot Standby Network: Firewall service interfaces are working in Layer 2 (transparent mode) and are connected to Layer 2 switches.
  Supported Scenarios: Only supports active/standby failover
  Fault Monitoring Technique: Interface monitoring using VLANs
  Traffic Direction Technique: The primary device's VLAN forwards traffic, while the backup device's VLAN is disabled. When the primary device becomes the backup device, the interfaces in its VLAN go down and then come up, triggering the upstream and downstream Layer 2 devices to update their MAC address tables.

Hot Standby Network: Firewall service interfaces are working in Layer 2 (transparent mode), and are connected to routers.
  Supported Scenarios: Only supports load sharing
  Fault Monitoring Technique: Interface monitoring using VLANs
  Traffic Direction Technique: The primary device's VLAN forwards traffic, while the backup device's VLAN is disabled. When the primary device becomes the backup device, the interfaces in its VLAN go down and then come up once, triggering route convergence on the upstream and downstream Layer 3 devices.

user_2790689
Created Jan 15, 2016 03:43:32

Thank you.
user_2897649
Created Oct 29, 2017 12:27:21

:(