Hot Standby Protocol System Highlighted

Latest reply: Mar 13, 2020 20:51:25

Good morning, dear all.


I am sharing the following post in the hope that it will be very useful to all of you; I look forward to your comments and/or feedback.


Hot Standby Protocol System.




VRRP is a fault tolerance protocol that enables a standby router to automatically replace the faulty active router to forward packets, ensuring service continuity and availability.

 

VGMP is used to manage multiple VRRP groups in a centralized manner to ensure that the status of these VRRP groups is consistent.

 

HRP is used to back up dynamic status data and key configuration commands between active/standby firewalls.

 

Overview of the Hot Standby Protocol System.





Principles of the VRRP protocol:


  • Virtual IP address

  • Multiple routers in a VRRP group provide a virtual IP address as the Gateway for intranet users.

  • The virtual IP address takes effect only on the active router. If the active router fails, the standby routers elect a new active router, and the virtual IP address is automatically migrated to the new active router.

  • In the service gateway configuration, a VRRP virtual IP address is used in place of the actual IP address of an interface. In this way, an automatic and smooth switchover can be achieved if a fault occurs.

 

  • Hello packet and fault detection.

  • The active router periodically sends hello packets to the standby routers through multicast. The standby routers intercept the hello packets.

  • If a fault occurs on the link of the active router, hello packets cannot be sent to the standby routers. As a result, if the standby routers receive no hello packet within three packet intervals, they re-negotiate a new active router. This new router automatically enables the virtual IP address of the VRRP group and sends gratuitous ARP packets containing this IP address to notify the upstream and downstream devices to refresh their ARP entries. In addition, the new active router switches service traffic to its service interface and forwards packets with the virtual IP address as the next hop.

  • Because VRRP hello packets are multicast packets, all routers in a VRRP group must be interconnected through a Layer 2 device (a Layer 2 switch or a router with a Layer 2 board). That is, after VRRP is enabled, the upstream and downstream devices must support the Layer 2 switching function, ensuring that the standby routers can receive hello packets from the active router. If this networking condition is not met, VRRP cannot be used.

 

Principles of the VGMP protocol:

 

  • VGMP status (active/standby).

  • If the status of the VGMP group on a firewall is Active, all VRRP groups in this VGMP group are in the Active state. In this case, all packets pass through this firewall and it becomes the active device. The status of the VGMP group on the other firewall is Standby, and that firewall becomes the standby device.

  • The priority of the VGMP group is dynamically adjusted based on the status of its member VRRP groups, which triggers an active/standby switchover of the two firewalls.

 

  • VGMP hello packet.

  • The active VGMP group regularly sends hello packets to the standby VGMP group to inform the latter of its own running status, including the priority and the status of VRRP members. The implementation is similar to that of VRRP.

  • The two firewalls use hello packets to exchange their status information.

  • The default interval for sending VGMP hello packets is 1s. If the standby firewall does not receive any hello packet from the active firewall within three hello packet intervals, the standby firewall considers the active firewall to have failed and switches to the Active state.
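The hello and dead-timer mechanism from the VRRP and VGMP sections above, as an added simulation that is not part of the original post and not Huawei code: the standby takes over after three missed hello intervals, and the VGMP priority drops as member VRRP groups fail. The post gives only the 1 s interval and the three-interval timeout; BASE_PRIORITY, the per-member penalty and the preemption rule are assumptions made for the illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field
HELLO_INTERVAL = 1.0          # default VGMP hello interval given in the post (1 s)
DEAD_INTERVALS = 3            # peer is declared failed after three missed intervals
BASE_PRIORITY = 45000         # assumed starting priority; the post gives no value
PENALTY_PER_FAILED_VRRP = 2   # assumed decrement per failed member VRRP group

@dataclass
class VgmpGroup:
    """One firewall's VGMP group, which aggregates its member VRRP groups into one state."""
    name: str
    state: str = "standby"                               # "active" or "standby"
    vrrp_members: dict = field(default_factory=dict)     # vrid -> True if healthy
    last_hello_at: float | None = None
    def priority(self) -> int:
        # Priority falls as member VRRP groups fail; that is what drives a switchover.
        failed = sum(1 for ok in self.vrrp_members.values() if not ok)
        return BASE_PRIORITY - PENALTY_PER_FAILED_VRRP * failed

    def hello(self, now: float) -> dict:
        # The active side advertises its priority and member status every interval.
        return {"from": self.name, "prio": self.priority(), "members": dict(self.vrrp_members)}

    def receive_hello(self, pkt: dict, now: float) -> None:
        self.last_hello_at = now
        # Assumed preemption rule: a standby with a higher priority takes over.
        if self.state == "standby" and self.priority() > pkt["prio"]:
            self.state = "active"

    def check_dead_timer(self, now: float) -> bool:
        """True if this standby has just declared the active peer failed and taken over."""
        if self.state != "standby" or self.last_hello_at is None:
            return False
        if now - self.last_hello_at >= DEAD_INTERVALS * HELLO_INTERVAL:
            self.state = "active"
            return True
        return False

def simulate_link_loss(loss_at: float, end: float) -> tuple[float | None, str]:
    """FW_A stops sending hellos at loss_at; report when (if) FW_B takes over."""
    fw_a = VgmpGroup("FW_A", state="active", vrrp_members={1: True, 2: True})
    fw_b = VgmpGroup("FW_B", vrrp_members={1: True, 2: True})
    takeover_at, t = None, 0.0
    while t <= end:
        if t < loss_at:
            fw_b.receive_hello(fw_a.hello(t), t)   # heartbeat link still up
        elif fw_b.check_dead_timer(t):
            takeover_at = t
            break
        t += HELLO_INTERVAL
    return takeover_at, fw_b.state
```

With the last hello arriving at t = 4 s, the standby switches to Active at t = 7 s, i.e. exactly three missed 1 s intervals later.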


Principles of the HRP protocol:

  • If the active firewall fails, all service traffic switches to the standby firewall. However, the Unified Security Gateway (USG) is a stateful firewall. That is, if the standby firewall does not have the connection status data of the old active firewall, most of the traffic switched to the standby firewall cannot pass. As a result, existing connections are interrupted and users have to establish them again.

  • HRP provides the basic data backup mechanism and transmission function. Application modules collect the data that needs to be backed up and submit it to the HRP module. The HRP module then sends the data to the corresponding module on the peer firewall. The application modules of the peer firewall parse the data delivered by the HRP module and add it to the dynamic running data pool of that firewall.


Backup content.

  • Connection status data, including session tables.

  • Server map table.

  • Blacklist.

  • Whitelist.

  • PAT-based port mapping table.

  • NO-PAT-based address mapping table.


  • If the standby firewall does not have this data, the traffic switched to the standby firewall may be blocked, leading to connection interruption.
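Why session backup matters, as an added simulation that is not the post's or Huawei's code: a stateful firewall drops mid-connection packets for which it holds no session entry, so a standby that never received the active firewall's sessions over HRP interrupts every existing connection on failover, while quick session backup (or a manual batch backup via hrp_backup) lets the same packets pass. The StatefulFirewall class, the sample flows and the assumed permit-all policy are constructed for the illustration.

```python
from dataclasses import dataclass, field

# A flow is its 5-tuple; the sample flows below are constructed, not captured traffic.
Flow = tuple[str, int, str, int, str]   # (src_ip, src_port, dst_ip, dst_port, proto)

@dataclass
class StatefulFirewall:
    """Minimal stateful firewall: only a new SYN or a flow with a session entry passes."""
    name: str
    sessions: set = field(default_factory=set)
    hrp_peer: "StatefulFirewall | None" = None   # peer reached over the heartbeat link
    quick_session_backup: bool = False           # real-time session backup, as in the post

    def process(self, flow: Flow, syn: bool) -> str:
        if syn:  # new connection; assume the security policy permits it
            self.sessions.add(flow)
            if self.quick_session_backup:
                self.hrp_backup([flow])           # back up this session immediately
            return "pass"
        # Mid-connection packet: with no session entry a stateful firewall drops it.
        return "pass" if flow in self.sessions else "drop"

    def hrp_backup(self, flows=None) -> int:
        """HRP transfer: hand session entries to the peer's dynamic running data pool."""
        if self.hrp_peer is None:
            return 0
        batch = list(self.sessions) if flows is None else list(flows)   # None = batch backup
        self.hrp_peer.sessions.update(batch)
        return len(batch)

def failover_result(with_hrp: bool) -> dict:
    """Three established flows; FW_A fails; count what FW_B does with their next packets."""
    active, standby = StatefulFirewall("FW_A"), StatefulFirewall("FW_B")
    active.hrp_peer = standby if with_hrp else None
    active.quick_session_backup = with_hrp
    flows = [("10.1.1.10", 40000 + i, "203.0.113.5", 443, "tcp") for i in range(3)]
    for f in flows:
        assert active.process(f, syn=True) == "pass"
    # FW_A fails; the same flows now hit FW_B mid-connection, with no SYN.
    verdicts = [standby.process(f, syn=False) for f in flows]
    return {"passed": verdicts.count("pass"), "dropped": verdicts.count("drop")}
```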

 

  • Backup direction.

  • On an active/standby network, the active firewall backs up configuration commands and status information to the standby firewall.

  • On a load balancing network, both firewalls are active devices. If the two active devices were allowed to back up commands to each other, the commands on the two devices might overwrite or conflict with each other. Therefore, the master and slave device configuration is introduced to facilitate administrators' centralized management of the two firewalls and to prevent errors.

  • On a load balancing network, the firewall sending backup configuration commands is called the master device, and the firewall receiving these commands is called the slave device. The prefixes HRP_M and HRP_S appear at the beginning of the command prompt on the master and slave firewalls respectively.

  • On a load balancing network, only the active device can back up configuration commands to the slave device. However, both devices can back up status.

 

  • Backup mode.

  • Automatic backup.

  • By default, the automatic backup function is enabled. Firewalls automatically back up configuration commands in real time and periodically back up status information. This function is applicable to all types of hot standby networks.

  • Manual batch backup.

  • Administrators need to trigger this function manually. When they run the manual batch backup command, the active firewall immediately synchronizes configuration commands and status information to the standby firewall.

  • Quick session backup.

  • After this function is enabled, the active firewall backs up all sessions that can be backed up to the standby firewall in real time.

 

  • Automatic synchronization of configurations on the active and standby firewalls after a restart.

  • On a hot standby network, if a firewall is restarted, the other firewall processes all services during the restart. In this period, the firewall processing services may have configurations added, deleted, or modified. To ensure that the active and standby firewalls have the same configurations, after a firewall is restarted it automatically synchronizes configurations from the firewall that is processing services.


  • Backup channel.

  • Generally, the channel between directly connected interfaces on the two devices is the backup channel, also called the "heartbeat link" (VGMP uses this channel for communication).

  • The supported heartbeat interface types include Layer 3 Ethernet interfaces and their subinterfaces, Layer 3 Eth-Trunk interfaces and their subinterfaces, POS interfaces, IP-Trunk interfaces, and VLAN interfaces.

  • You can run the hrp interface interface-name command to configure a backup channel.


Regards!


Popeye_Wang
Admin Created Jan 6, 2020 08:35:28 Helpful(0)

Thank you for sharing!

JorgeMX
JorgeMX Created Jan 6, 2020 14:48:51
@Popeye_Wang Thank you for your comment, hoping this information will be useful  
juan_manosalva
Created Mar 13, 2020 15:37:11 Helpful(1)

Great, very good too!

JorgeMX
JorgeMX Created Mar 13, 2020 15:56:05
@juan_manosalva Thank you for stopping by this post and leaving me your comments. Regards!
tesfama
MVE Created Mar 13, 2020 20:51:25 Helpful(0)

Thanks for the tips

JorgeMX
JorgeMX Created Mar 14, 2020 16:14:03
@tesfama Thank you for your comment, hoping this information will be useful  
