Network equipment hard core technology insider firewall and security gateway (V) security double repair method

Last time when it comes to , Linghuchong was Lauderdale Kissing Interrogate , Disheartened, I returned to the laboratory and continued to study the firewall .

Linghuchong thought , Switches can be stacked , Firewall can also ——

original , When multiple switches are stacked , Without cross device traffic , Stacked channels actually transmit only three types of information ：

One 、 Management plane . There is one in each stack group “ Crutch ”(master),“ Crutch ” Managed horse (slave) Need from “ Crutch ” Synchronous configuration , This information is synchronized through the stack interface ;

Two 、 signaling plane . The horses in the stack group need to “ Crutch ” Report regularly whether you are alive , This is called heartbeat signaling ;

3、 ... and 、 Forwarding plane . Any member of the stack group learns MAC,ARP and FIB Table item , All need to be synchronized within the stack group ;

that , For firewalls , In addition to synchronizing these three types of information , And the most important information —— Forwarding table entry .

The ancient Babylonian philosopher krubakunin pointed out ： Forwarding table entries are the soul of network devices , The session table is the soul of the firewall , Leave the soul , The body is a decayed body ……

therefore , When the firewall is a dual machine or multi machine cluster , The most important thing is the synchronization of session entries .

Because the establishment of firewall session is based on TCP Three handshake bags ,UDP The mechanism of two round-trip learning , It is a process of dynamic creation and deletion (TCP Wave four times to remove the session ,UDP Timeout dismantling session ), Establishment and removal of session table entries , You also need to synchronize within the cluster .

in other words , In the process of establishing and removing a session in the firewall , One more step is needed —— Synchronize the session information to other members of the cluster .

besides , If a member restarts , that , It should get all the session information from the master member —— The master member needs to package and pass all session information to it .

Soon , Linghuchong modified the firewall code , Start testing .

First , Put the firewall A And the firewall B Connect directly through Ethernet interface , At the firewall A Establish a session on ：

http://100.1.1.100:41316 -> 200.1.1.100:443 @tcp

A firewall A Synchronize the session to the firewall B.

here , Put the firewall A close ：

Due to the firewall B There is also a conversation on

http://100.1.1.100:41316 -> 200.1.1.100:443 @tcp

host 100.1.1.100:41316 To 200.1.1.100:443 The data transmission of can proceed as usual , Of course, it is inevitable VRRP Switch or cross device LCAP A small amount of packet loss during switching .

Linghuchong is very happy , Then conduct the pressure test of the new connection performance of the firewall , The networking is shown in the figure below ：

however , Linghuchong found , The new connection rate is much lower than that of the single machine test .

Why is that ？

Please look at the next breakdown .