
#yyds Dry Goods Inventory# HCIE-Security Day 11: A first look at firewall dual-machine hot standby and the VGMP concept

2022-07-06 03:57:00 Xiao Liang L




Basic concepts

High reliability of a firewall can be achieved with dual-machine hot standby. Compared with routers and switches there are some differences; the main points are:

The VGMP protocol and the HRP protocol together implement active/standby switchover between the two firewalls and the synchronization of session entries and configuration commands.

The VGMP protocol supplements the VRRP protocol and adapts it to the deployment characteristics of a firewall: it makes the uplink and downlink interfaces of the active and standby firewalls switch state together.

The HRP protocol backs up dynamic state data and key configuration commands between the two firewalls.

Why it exists

The traditional backup scheme deploys multiple routers at the access point as an active/standby pair and switches links with VRRP or dynamic routing. If a stateful inspection firewall is deployed at the access point, things are different: it works on connection state, maintains a session table, and forwards non-first packets efficiently. With VRRP alone, traffic can be switched between active and standby, but the session table entries on the new master have to be rebuilt, the original connections are broken, and the service is interrupted.

A stateful inspection firewall works on connection state: it fully inspects the first packet of a flow, establishes a session that records the packet's state information (source and destination address, source and destination ports, and protocol number), and subsequent packets of that flow are forwarded through the firewall only if they match the session; otherwise they are discarded.

For this reason the firewall dual-machine hot standby function was developed. Its main feature is a dedicated heartbeat line between the active and standby firewalls, used to synchronize the firewalls' active/standby state, session table entries and configuration information, so that traffic switches over seamlessly.


Working modes

Active/standby backup

Under normal circumstances the two firewalls form an active/standby pair according to the configuration. The master handles traffic, and important information on it, such as the session table, the server-map table and the configuration, is synchronized to the backup in real time over the heartbeat line. The backup does not handle traffic; it only receives the table entries and configuration commands passed from the master.

After the master fails, the backup is promoted to master and handles traffic. The routing on the upstream and downstream devices directs traffic to the new master, and because the new master already has the session entries and configuration synchronized, the switchover is not noticeable to the service.

Load sharing

If you don't want the backup to sit idle, or the traffic is heavy and the master is under pressure, load-sharing mode can be considered. In this mode both firewalls are master: both establish sessions and both handle service traffic, and at the same time each acts as the other's backup device and accepts the backup sessions and configuration information sent by the other side.

Under normal circumstances the two firewalls forward different types of traffic; when one firewall fails, all traffic is switched to the other.

Compared with active/standby backup mode, the networking scheme and configuration are more complex, and there are more things to pay attention to, such as the allocation of NAT address pools, asymmetric forward and return paths, and peak traffic. In short, it's a headache; we'll go through it later in experiments.

Things to note

Currently it is only supported between two identical firewalls. "Identical" looks simple, but in practice it is not easy to satisfy. Hardware consistency means the models must be the same, and the type, number and slot position of the installed boards must be the same. On later firewall versions, such as the USG6680E, the BomID versions of the two devices must also match, which can be checked with display version. The hard disk is the exception.

Software consistency includes the system software version, system patch version, dynamically loaded component packages, feature library versions, the HASH CPU selection mode and the HASH factors, etc. In practice, though, the two firewalls can temporarily run different system software versions.

VGMP group

VGMP, the VRRP Group Management Protocol, is a Huawei proprietary protocol.

The firewall's dual-machine hot standby function is built on VRRP. VRRP was studied systematically last time; in short, it ensures that when a host's default gateway fails, the backup router automatically takes over the forwarding task of the failed router, maintaining the continuity and reliability of network communication.

VRRP's active and standby refer to the active and standby as the host's default gateway; what it solves is gateway reliability. For a firewall, both the uplink and the downlink interfaces need to be active and standby.

Therefore VRRP also needs to be configured on the uplink interface. The downlink interfaces of the two firewalls join VRRP backup group 1 and the uplink interfaces join VRRP backup group 2. Under normal circumstances the upstream and downstream interfaces of one firewall are either all active or all standby. For example, fw1 is the master of VRRP backup group 1 and also the master of VRRP backup group 2, so service packets between the internal and external networks are forwarded through fw1.

If the downlink interface of fw1 fails, an active/standby switchover occurs in VRRP backup group 1: fw2 becomes the master of backup group 1 and sends gratuitous ARP to draw upstream traffic to itself. However, the uplink interface of fw1 is still working and fw1 remains master of VRRP backup group 2, so return traffic still flows to fw1 and tries to be forwarded through fw1. But fw1's downlink interface is faulty, so it cannot complete this task and has no choice but to drop all of that traffic. At this point the service flow is interrupted.

This is not what we want, so we'd like VRRP to be smarter: multiple VRRP backup groups should act in step instead of each going its own way, so that a firewall does not end up master on one side and standby on the other, misrepresenting its real state to both sides.

To stop the VRRP groups fighting each other and fix the inconsistency between multiple VRRP backup groups, Huawei firewalls introduce VGMP (VRRP Group Management Protocol), which manages VRRP backup groups centrally and guarantees that the states of multiple VRRP backup groups stay consistent. All VRRP backup groups on the firewall are added to the same VGMP group, and the VGMP group monitors and manages the state of all of them. If the VGMP group detects that the state of one of its VRRP backup groups has changed, it makes all of its VRRP backup groups switch state together, keeping every backup group's state consistent.

The priority of a VGMP group determines its state: the higher priority is active, the lower is standby.

The state of the VGMP group determines the state of the VRRP backup groups in it, and also the active/standby state of the firewall.

The initial priority of a VGMP group is generated automatically from the number of CPUs and is adjusted as VRRP state changes: when a VRRP backup group changes to the init state, the VGMP group's priority is lowered by 2.


With VGMP, on fw1 VRRP backup groups 1 and 2 are both placed in a VGMP group in the active state, and on fw2 backup groups 1 and 2 are both placed in a VGMP group in the standby state. Because the VGMP group's state determines the state of the VRRP groups in it and the firewall's active/standby role, fw1 is the active device and fw2 the standby: both interfaces of fw1 are master and both interfaces of fw2 are backup. Now if fw1's downlink interface fails, the priority of fw1's VGMP group drops and it becomes standby, while the VGMP group on fw2 becomes active, i.e. fw1 is now the standby device and fw2 the active one. The VRRP backup groups inside the VGMP groups are adjusted accordingly: fw1's uplink interface becomes backup and fw2's uplink interface becomes master. Upstream traffic is now forwarded through fw2 and downstream traffic is also forwarded through fw2, so no traffic is lost.

The VGMP groups of the two firewalls exchange VGMP messages to pass state and priority information.
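The two failure scenarios described above, as an added example that is not code from the original post or from Huawei: it models two firewalls with a downlink VRRP group 1 and an uplink VRRP group 2, and compares plain VRRP election with a VGMP group that moves both groups together. The starting priority of 45000 and the tie-break in favour of fw1 are assumptions for illustration.

```python
from dataclasses import dataclass, field

# Added example (not from the original post): a model of how a VGMP group keeps a
# firewall's VRRP backup groups in step, contrasted with plain VRRP. Group 1 is
# the downlink, group 2 the uplink. The arithmetic follows the post (minus 2 per
# VRRP group in the init state, higher priority is active); the starting value
# of 45000 and the tie-break in favour of fw1 are assumptions for illustration.
INIT_PRIORITY = 45000  # assumed; the real value is derived from the CPU count

@dataclass
class Firewall:
    name: str
    # VRRP backup group id -> is the interface in that group up?
    groups: dict = field(default_factory=lambda: {1: True, 2: True})
    vgmp_priority: int = INIT_PRIORITY

    def recompute_priority(self) -> int:
        """VGMP priority drops by 2 for every VRRP group that has gone to init."""
        down = sum(1 for up in self.groups.values() if not up)
        self.vgmp_priority = INIT_PRIORITY - 2 * down
        return self.vgmp_priority

def vrrp_only_masters(fw1: Firewall, fw2: Firewall) -> dict:
    """Plain VRRP: each backup group elects on its own, so a group's master is
    whichever firewall still has that interface up (fw1 on ties)."""
    return {gid: fw1.name if fw1.groups[gid] else fw2.name for gid in fw1.groups}

def vgmp_masters(fw1: Firewall, fw2: Firewall) -> dict:
    """VGMP: compare the two group priorities once; the active VGMP group then
    makes every VRRP group it manages master on that firewall."""
    p1, p2 = fw1.recompute_priority(), fw2.recompute_priority()
    active = fw1.name if p1 >= p2 else fw2.name
    return {gid: active for gid in fw1.groups}

def path_consistent(masters: dict) -> bool:
    """True when upstream and downstream traffic use the same firewall, i.e. no
    firewall is master on one side and backup on the other."""
    return len(set(masters.values())) == 1

def scenario_downlink_failure() -> tuple:
    """fw1's downlink interface (VRRP group 1) fails; return both outcomes."""
    fw1, fw2 = Firewall("fw1"), Firewall("fw2")
    fw1.groups[1] = False
    return vrrp_only_masters(fw1, fw2), vgmp_masters(fw1, fw2)

if __name__ == "__main__":
    for label, masters in zip(("VRRP only", "With VGMP"), scenario_downlink_failure()):
        print(label, masters, "consistent" if path_consistent(masters) else "split path")
```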

VGMP message structure

A VGMP message is encapsulated in a transformed VRRP header.

Standard VRRP header, fields in wire order:

version | type | virtual rtr id | priority | count ip addrs | auth type | adver int | checksum | ip address1 ... ip addressn | auth data1 | auth data2


Version: 2

Type: 1, meaning advertisement

Vrid: virtual router ID, from 1 to 255

Priority: default 100, higher is better; 0 means the router stops participating in the backup group and gives up master status voluntarily without waiting for the timer to expire; 255 is reserved for the IP address owner

Count ip addrs: number of virtual IPv4 addresses in the backup group

Auth type: 0 no authentication, 1 plaintext authentication, 2 MD5 authentication

Adver int: advertisement interval, default 1 s

Checksum: 16-bit checksum, verifying VRRP message integrity

Ipaddr1: the first virtual IPv4 address in the VRRP backup group

Ipaddrn: the n-th virtual IPv4 address in the VRRP backup group

Auth data: used by plaintext and MD5 authentication
 


The VGMP message is then carried behind the transformed VRRP header. Transformed VRRP header, fields in wire order:

version | type | virtual rtr id | type2 | count ip addrs | auth type | adver int | checksum | auth data1 | auth data2

VGMP header that follows, fields in wire order:

version | vtype | mode | vgmpid | vpriority | checkcode | datalen | data

Comparison

Field | Standard VRRP header | Transformed VRRP header

type | Always 1, a VRRP advertisement | 1 means a standard VRRP advertisement; 2 means a transformed VRRP advertisement

virtual rtr id | VRRP backup group ID | Always 0

priority / type2 | priority: the priority | type2: 1 carries a heartbeat link detection message; 5 carries a consistency check message; 2 carries a VGMP message

ip address | virtual IPv4 addresses in the VRRP backup group | removed

vtype | (not present) | VGMP hello message, HRP hello message, or HRP data message

mode | (not present) | request message / reply message

vgmpid | (not present) | whether the VGMP group is the active group or the standby group

vpriority | (not present) | VGMP group priority

data | (not present) | contains the VGMP group's state information

VGMP message types

Heartbeat link detection message

Checks whether the heartbeat interface of the peer device can normally receive messages from the local device, to determine whether a usable heartbeat interface exists.

Consistency check message

Checks whether the hot standby and policy configuration of the two firewalls in the hot standby state are consistent, such as security policy, NAT, etc.

VGMP hello message

The VGMP groups of the two firewalls negotiate active and standby.

HRP hello message

Detects whether the peer VGMP group is working. A VGMP group in the active state sends an HRP heartbeat message to the peer VGMP group at regular intervals (default 1 s) to announce the local VGMP group's state and priority. If a VGMP group in the standby state does not receive an HRP heartbeat message from the peer within three cycles, it considers the peer VGMP group failed and switches its own state to active.

HRP data message

Adding an HRP header after the VGMP header gives an HRP data message. HRP data messages are used for data backup between the active and standby devices, including backup of command-line configuration and various state information.

Special note: none of the above messages is subject to the firewall's security policy, so there is no need to configure security policies for them.
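A small decoder for the two header forms compared above and the type2 values listed with the message types, added here as an example (not code from the post or from Huawei). The standard VRRPv2 field widths follow RFC 3768; the post gives only the order of the VGMP header fields, so the byte widths used for them, the zero checksums and the sample packets are constructed assumptions.

```python
import struct

# Added example (not from the original post): classify a VRRP-looking packet as a
# standard VRRPv2 advertisement or as Huawei's transformed header carrying VGMP,
# using the field differences from the comparison above (type, vrid, type2).
# Widths of the standard VRRP fields are from RFC 3768. The post only gives the
# field order of the VGMP header, so the one-byte version/vtype/mode/vgmpid and
# two-byte vpriority/checkcode/datalen used here are assumptions, not a spec.
TYPE2_MEANING = {1: "heartbeat link detection", 5: "consistency check", 2: "vgmp"}

def parse_vrrp_like(pkt: bytes) -> dict:
    """Parse the 8-byte VRRPv2 header common to both formats, then branch."""
    if len(pkt) < 16:
        raise ValueError("truncated: need 8-byte header plus 8 bytes auth data")
    ver_type, vrid, prio_or_type2, count, auth, adver, csum = struct.unpack("!BBBBBBH", pkt[:8])
    hdr = {"version": ver_type >> 4, "type": ver_type & 0x0F, "vrid": vrid,
           "count_ip": count, "auth_type": auth, "adver_int": adver, "checksum": csum}
    if hdr["type"] == 1:  # standard advertisement: priority, then the virtual IPs
        hdr["kind"] = "standard vrrp"
        hdr["priority"] = prio_or_type2
        hdr["ip_addrs"] = [".".join(str(b) for b in pkt[8 + 4*i:12 + 4*i]) for i in range(count)]
        return hdr
    if hdr["type"] == 2 and vrid == 0:  # transformed: no virtual IPs, type2 replaces priority
        hdr["kind"] = "transformed vrrp"
        hdr["type2"] = TYPE2_MEANING.get(prio_or_type2, f"unknown({prio_or_type2})")
        body = pkt[16:]  # VGMP header follows the 8 bytes of auth data
        if prio_or_type2 == 2 and len(body) >= 10:
            fields = struct.unpack("!BBBBHHH", body[:10])  # assumed widths
            keys = ("version", "vtype", "mode", "vgmpid", "vpriority", "checkcode", "datalen")
            hdr["vgmp"] = dict(zip(keys, fields))
            hdr["vgmp"]["data"] = body[10:10 + hdr["vgmp"]["datalen"]]
        return hdr
    raise ValueError(f"unexpected header: type={hdr['type']} vrid={vrid}")

# Constructed sample packets (checksums left as zero; all values are made up).
SAMPLE_STANDARD = bytes.fromhex("21 01 64 01 00 01 0000 c0000201" + "00" * 8)
SAMPLE_VGMP = bytes.fromhex("22 00 02 00 00 01 0000" + "00" * 8 + "01010101afc8000000020102")
```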

VGMP message exchange channel

In a dual-machine hot standby network, the heartbeat line is the channel through which the two firewalls exchange messages to learn the peer's state and back up configuration commands and the various table entries. The interfaces at the two ends of the heartbeat line are called heartbeat interfaces. VGMP messages are exchanged over the heartbeat line.

It is best to use the firewall's HA interface as the heartbeat interface; without an HA interface, several Ethernet interfaces can be bundled into an Eth-Trunk interface.

The heartbeat interfaces are usually connected directly with fibre or network cable, but can also be connected through a switch or router.

The heartbeat interfaces must be added to the same security zone.

The MTU of the heartbeat interface must not be less than 1500.

Do not run service data over the heartbeat line.

There is no experiment today; the experiment will be posted tomorrow :)


Original site

Copyright notice
This article was written by [Xiao Liang L]; when reposting, please include the link to the original. Thanks.
https://yzsam.com/2022/02/202202132253167288.html