[Dr.WoW] [No.54] Hot Standby Configuration Guide

Latest reply: Jan 20, 2016 08:26:22

Prior to deploying hot standby, first select a suitable hot standby networking approach, which can be one of the following:

- Firewall service interfaces work in Layer 3 and are connected to switches.
- Firewall service interfaces work in Layer 3 and are connected to routers.
- Firewall service interfaces work in Layer 2 and are connected to switches.
- Firewall service interfaces work in Layer 2 and are connected to routers.

Of these, when firewall service interfaces work in Layer 3, the networking often involves different upstream and downstream devices, for example switches upstream and routers downstream. There is nothing particularly noteworthy about this.

After determining the hot standby networking approach, we also need to decide between the active/standby failover method and the load sharing method, based on the following principles:

- If both the active/standby failover and load sharing methods are feasible, the active/standby failover method is recommended.
- If load sharing is deployed on other parts of the customer's network (for example the egress gateway, core switches, etc.), the customer will generally request that load sharing be deployed on the firewalls, too.
- When one firewall forwards all service traffic, if one or more of its three key parameters (session table, throughput, and CPU usage) has exceeded 80% of the maximum capacity for a long time, the load sharing method must be used.
- Performance will degrade after security features such as IPS and antivirus are enabled on a firewall. If a firewall's forwarding performance drops below the existing network's total capacity, the load sharing method must be used.

The support for active/standby failover and load sharing depends on the hot standby networking approach, as shown in Table 1-1.

Table 1-1 Support for the active/standby failover and load sharing methods

| Networking Approach | Active/Standby Failover | Load Sharing |
| --- | --- | --- |
| Firewall service interfaces work in Layer 3, and connect to switches. | Supported | Supported |
| Firewall service interfaces work in Layer 3, and connect to routers. | Supported | Supported |
| Firewall service interfaces work in Layer 2, and connect to switches. | Supported | Not supported |
| Firewall service interfaces work in Layer 2, and connect to routers. | Not supported | Supported |

Before deploying hot standby, we still need to check the two firewalls' hardware and software to ensure that:

- The two firewalls' product model and hardware configurations are identical, including the locations, types and numbers of interface boards/cards, service boards, and main processing units (MPUs).
- The two firewalls' software versions and BootROM versions are identical.
- (Recommended) The firewalls' configuration files are the initial configuration files.

1 Configuration Process

The hot standby configuration process is shown in Figure 1-1. Understanding the configuration process helps in understanding the relationships between the hot standby protocols discussed earlier and in remembering the logic behind hot standby configuration.

Figure 1-1 Hot standby configuration flowchart


The configuration steps in the flowchart are explained as follows:

1. Complete basic network configuration.

   - Interfaces: if the firewall's service interfaces work in Layer 3, an IP address must be configured on every service interface. Service interfaces' IP addresses must be fixed, so hot standby cannot work with features that acquire IP addresses automatically, such as PPPoE dialing and DHCP client.

     If a firewall's service interfaces work in Layer 2, they must be added to the same VLAN.

     In addition, the primary and backup devices must use identical service and heartbeat interfaces. For example, if the primary device uses GigabitEthernet1/0/1 as the service interface and GigabitEthernet1/0/7 as the heartbeat interface, the backup device must make the same selections.

   - Security zone: all interfaces must be added to a security zone, regardless of whether they are Layer 2 or Layer 3 interfaces and regardless of whether they are service interfaces or heartbeat interfaces. The primary and backup devices' corresponding interfaces must be added to the same security zone: if the primary device's GigabitEthernet1/0/1 is added to the Trust zone, the backup device's GigabitEthernet1/0/1 must also be added to the Trust zone.

   - Routing: if a firewall's service interfaces work in Layer 3 and are connected to switches, configure static routing on the firewall; if they work in Layer 3 and are connected to routers, configure OSPF on the firewall; if they work in Layer 2, no routing needs to be configured on the firewall.

   - Security policies: the main types of packet exchange between the firewalls and other devices in a hot standby deployment are as follows:
     - VGMP and HRP packets are exchanged between the two firewalls through their heartbeat interfaces.
     - VRRP packets are exchanged between the two firewalls through their service interfaces.
     - When a firewall's service interfaces work in Layer 3 and are connected to switches, the firewall sends gratuitous ARP packets to the switches.
     - When a firewall's service interfaces work in Layer 3 and are connected to routers, the firewall exchanges OSPF packets with the routers.
     - When a firewall's service interfaces work in Layer 2, OSPF packets sent between the upstream and downstream devices must pass through the firewall.

   To ensure that the hot standby state is established normally, we need to configure security policies that permit the packets above, as shown in Table 1-2.

Table 1-2 The security policies needed to establish hot standby

| Packets | Security Policies |
| --- | --- |
| VGMP and HRP packets | On USG9500 series firewalls, VGMP and HRP packets are not controlled by security policies. On USG2000/5000/6000 series firewalls, if the remote parameter is not specified when configuring the heartbeat interface, VGMP and HRP packets are multicast packets and are not controlled by security policies; if the remote parameter is specified, VGMP and HRP packets are encapsulated into unicast UDP packets, and a security policy must be configured between the heartbeat interface's security zone and the Local zone to permit packets destined for port 18514 on USG2000/5000 (18514 or 18515 on USG6000) in both directions. |
| VRRP packets | VRRP packets are multicast packets and are not controlled by security policies. |
| Gratuitous ARP packets | Gratuitous ARP packets are broadcast packets and are not controlled by security policies. |
| OSPF packets destined for the firewall | A security policy permitting OSPF packets must be configured between the security zones in which the upstream/downstream service interfaces are located and the Local zone. |
| OSPF packets passing through the firewall | A security policy permitting OSPF packets must be configured between the upstream service interface's zone and the downstream service interface's zone. |

NOTE

After hot standby is successfully established, security policy configurations can be backed up between the devices. However, the security policies listed above are the foundation for establishing hot standby, and must therefore be configured separately on the two firewalls before hot standby is configured.

When configuring security policies, we generally first set the default security policy action to 'permit', and then restore the default action to 'deny' after the specific security policies have been configured.

2. Configure VGMP interface monitoring.

   - When the firewalls' service interfaces work in Layer 3 and are connected to switches, VRRP groups must be configured on the interfaces.
     - In active/standby failover, configure a VRRP group on the primary device's service interface and add it to the active VGMP group; configure the same VRRP group on the backup device's service interface and add it to the standby VGMP group.
     - In load sharing, configure two VRRP groups on every service interface of each device, and add them to the active VGMP group and the standby VGMP group respectively. The same VRRP group must be added to different VGMP groups on the two devices: the active VGMP group on one device and the standby VGMP group on the other.

   - When a firewall's service interfaces work in Layer 3 and are connected to routers, VGMP direct interface monitoring must be configured on the interfaces.
     - In active/standby failover, all of the primary device's service interfaces must be added to the active VGMP group, and all of the backup device's service interfaces to the standby VGMP group. Automatic OSPF cost adjustment based on the VGMP state (hrp ospf-cost adjust-enable) must also be configured.
     - In load sharing, each device's service interfaces must be added to both the active and the standby VGMP groups.

   - When a firewall's service interfaces work in Layer 2, VGMP monitoring must be configured on the VLAN.
     - In active/standby failover, all of the primary device's service interfaces are added to the same VLAN, and that VLAN is added to the active group; all of the backup device's service interfaces are added to another VLAN, and that VLAN is added to the standby group.
     - In load sharing, all service interfaces of each device are added to the same VLAN, and that VLAN is added to both the active group and the standby group.

   - When the firewall needs to monitor remote interfaces, configure VGMP to monitor them.

     VGMP can monitor remote interfaces through IP-link or BFD. Under normal circumstances, either method can be selected.

3. Configure the heartbeat interface.

   Directly connect the two firewalls' heartbeat interfaces if possible. In this case, the remote parameter does not need to be specified in the command (for example: hrp track interface GigabitEthernet1/0/7).

   If the two firewalls' heartbeat interfaces are connected through Layer 3 devices, or if service interfaces are used as heartbeat interfaces, the remote parameter must be used to specify the peer's interface address (for example: hrp track interface GigabitEthernet1/0/7 remote 10.1.1.2). Once the remote parameter is specified, the packets are encapsulated into unicast UDP packets and are controlled by security policies.

4. Enable hot standby.

   After completing the configuration, execute the hrp enable command to enable the hot standby feature. If the configuration above is correct, the hot standby state is established successfully, and the command prompt HRP_A appears on one device and HRP_S on the other.

5. Configure a backup method.

   - The automatic backup function (hrp auto-sync [ config | connection-status ]) is enabled by default, and I suggest that you do not disable it.
   - If the configuration is not synchronized between the primary and backup devices, execute the manual batch backup command (hrp sync [ config | connection-status ]).
   - In a load sharing network, the fast session backup function (hrp mirror session enable) usually needs to be enabled.

6. Configure security services.

   After hot standby has been set up successfully, security service configurations are typically backed up from the primary (master configuration) device to the backup (backup configuration) device. Therefore, security services only need to be configured on the primary device, not on the backup device. Common security services include security policies, NAT, attack defense, bandwidth management, and VPN policies.
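As an added worked example (not part of the original post), the following puts steps 1 to 5 together for the most common case in Table 1-1: active/standby failover with Layer 3 service interfaces connected to switches. The topology, device names, addresses and zone assignments are constructed, and the command syntax assumes a USG6000-style CLI (vrrp vrid ... virtual-ip ... active|standby, hrp interface, firewall zone); verify it against the command reference of the actual version. Lines beginning with # are annotations, not commands.

```text
# FW_A (primary). Constructed topology: GE1/0/1 upstream to a switch (untrust),
# GE1/0/3 downstream to a switch (trust), GE1/0/7 direct heartbeat link (dmz).
system-view
 sysname FW_A
 interface GigabitEthernet1/0/1
  ip address 10.2.0.2 255.255.255.0
  # VRRP group 1 with the shared virtual IP; "active" puts it in the active VGMP group
  vrrp vrid 1 virtual-ip 10.2.0.1 active
  quit
 interface GigabitEthernet1/0/3
  ip address 10.3.0.2 255.255.255.0
  vrrp vrid 2 virtual-ip 10.3.0.1 active
  quit
 interface GigabitEthernet1/0/7
  ip address 10.10.0.1 255.255.255.0
  quit
 # Every interface, heartbeat included, needs a zone, and the same zone on both devices
 firewall zone untrust
  add interface GigabitEthernet1/0/1
  quit
 firewall zone trust
  add interface GigabitEthernet1/0/3
  quit
 firewall zone dmz
  add interface GigabitEthernet1/0/7
  quit
 # Switch-connected Layer 3: static routes here; neighbours route to 10.2.0.1 / 10.3.0.1
 ip route-static 0.0.0.0 0.0.0.0 10.2.0.254
 ip route-static 192.168.0.0 255.255.0.0 10.3.0.254
 # Direct heartbeat: no "remote", so VGMP/HRP stay multicast and need no dmz-Local policy
 hrp interface GigabitEthernet1/0/7
 hrp enable
# FW_B (backup): same interfaces, zones, VRRP group IDs and virtual IPs; only the real
# addresses and the VRRP role ("standby", i.e. the standby VGMP group) differ.
system-view
 sysname FW_B
 interface GigabitEthernet1/0/1
  ip address 10.2.0.3 255.255.255.0
  vrrp vrid 1 virtual-ip 10.2.0.1 standby
  quit
 interface GigabitEthernet1/0/3
  ip address 10.3.0.3 255.255.255.0
  vrrp vrid 2 virtual-ip 10.3.0.1 standby
  quit
 interface GigabitEthernet1/0/7
  ip address 10.10.0.2 255.255.255.0
  quit
 firewall zone untrust
  add interface GigabitEthernet1/0/1
  quit
 firewall zone trust
  add interface GigabitEthernet1/0/3
  quit
 firewall zone dmz
  add interface GigabitEthernet1/0/7
  quit
 ip route-static 0.0.0.0 0.0.0.0 10.2.0.254
 ip route-static 192.168.0.0 255.255.0.0 10.3.0.254
 hrp interface GigabitEthernet1/0/7
 hrp enable
```

After negotiation the prompts become HRP_A[FW_A] and HRP_S[FW_B]; the step 6 service configuration (security policies, NAT, etc.) is then entered on FW_A only and reaches FW_B through the default hrp auto-sync.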

2 Configuration Check and Result Verification

After completing our hot standby configuration, we need to check the configuration and verify the results as follows:

Step 1: View the command line prompt.

After hot standby has been set up successfully, a command line prompt beginning with HRP_A means that the firewall has become the primary device after negotiation with the other firewall; a prompt beginning with HRP_S means that the firewall has become the backup device after negotiation with the other firewall.

Step 2: Check whether the key hot standby configurations are correct according to Table 1-3.

Table 1-3 Hot standby configuration checklist

| No. | Mandatory? | Item Checked | Command/Method |
| --- | --- | --- | --- |
| 1 | Mandatory | The two firewalls' product models and software versions are identical. | display version |
| 2 | Mandatory | The two firewalls' interface card types and installation positions are identical. | display device |
| 3 | Mandatory | The two firewalls use the same service interfaces. | display hrp state |
| 4 | Mandatory | The two firewalls use the same heartbeat interfaces. | display hrp interface |
| 5 | Optional | If an Eth-Trunk interface is used as the failover channel, the two firewalls' Eth-Trunk interfaces have identical member interfaces. | display eth-trunk trunk-id |
| 6 | Optional | If a service channel is used as the failover channel, both the heartbeat interface and the IP address of the peer's heartbeat interface are specified. | display current-configuration \| include hrp interface |
| 7 | Mandatory | The two firewalls' interfaces are added to the same security zone. | display zone |
| 8 | Mandatory | The two firewalls' configurations are consistent (this includes hot standby, audit, authentication, security, NAT, and bandwidth policies). | display hrp configuration check all |
| Service interfaces are working in Layer 3 | | | |
| 8 | Mandatory | IP addresses have been configured for the two firewalls' interfaces. | display ip interface brief |
| 9 | Mandatory | If the firewalls are connected to switches, the two firewalls' service interfaces are added to the same VRRP groups and share a virtual IP address. | display vrrp interface interface-type interface-number |
| 10 | Mandatory | If the firewalls are connected to switches, the next hop of the firewalls' upstream and downstream devices has been set to the VRRP groups' virtual IP addresses. | Check the static routing configuration of the firewalls' upstream and downstream devices. |
| 11 | Mandatory | If the firewalls are connected to routers, the two firewalls' service interfaces are added to the correct VGMP group. In active/standby failover, the primary device's service interfaces are added to the active VGMP group, and the backup device's service interfaces to the standby VGMP group. In load sharing, the two devices' service interfaces are added to both the active and standby VGMP groups. | display hrp state |
| 12 | Mandatory | If the firewalls are connected to routers, the firewalls are running OSPF correctly, and the OSPF area does not include the heartbeat interfaces. | display ospf [ process-id ] brief |
| 13 | Mandatory | If the firewalls are connected to routers, automatic OSPF cost adjustment based on the active/standby state is configured. | display current-configuration \| include hrp ospf-cost |
| Service interfaces are working in Layer 2 | | | |
| 14 | Mandatory | A firewall's upstream and downstream service interfaces are added to the same VLAN. | display port vlan [ interface-type interface-number ] |
| 15 | Mandatory | The firewalls' VLANs are added to the correct VGMP groups. In active/standby failover, the primary device's VLAN is added to the active VGMP group, and the backup device's VLAN to the standby VGMP group. In load sharing, the two devices' VLANs are each added to both the active and standby VGMP groups. | display hrp state |
| 16 | Mandatory | If the firewalls are connected to switches, the active/standby failover method is used. | display hrp group |
| 17 | Mandatory | If the firewalls are connected to routers, the load sharing method is used. | display hrp group |
| Checks for load sharing alone | | | |
| 18 | Mandatory | The fast session backup function is enabled. | display current-configuration \| include hrp mirror |
| 19 | Optional | The port range of the NAT address pool is correctly specified. | display current-configuration \| include hrp nat |

NOTE

Before a firewall officially goes online, complete the verification in steps 3 and 4.

Step 3: In the primary device's interface view, execute the shutdown command to verify whether the primary and backup devices fail over.

After the shutdown command is executed on one of the primary device's service interfaces, that interface's state changes to down while its other interfaces keep working normally. The backup device's command line prompt changes from HRP_S to HRP_A, and the primary device's command line prompt changes from HRP_A to HRP_S. Traffic is forwarded normally, indicating that active/standby failover has succeeded.

After the undo shutdown command is executed on the same interface of the primary device, the interface's state changes back to up. Once the preemption hold-down time expires, the primary device's command prompt changes from HRP_S back to HRP_A, and the backup device's command prompt changes from HRP_A back to HRP_S. Traffic is forwarded normally, demonstrating that preemption has succeeded.

Step 4: In the primary device's user view, execute the reboot command to reboot the device and verify whether the primary and backup devices fail over.

If the backup device's command prompt changes from HRP_S to HRP_A and traffic is forwarded normally after the reboot command is executed on the primary device, the failover has succeeded.

After the primary device has completed its reboot and the preemption hold-down time expires, the primary device's command prompt changes from HRP_S back to HRP_A, the backup device's command prompt changes from HRP_A back to HRP_S, and traffic is forwarded normally, demonstrating that preemption has succeeded.


user_2790689 (Jan 20, 2016 08:26:22):

Thank you for sharing.