
Huawei firewall hot standby (dual-device) technology: HRP, VGMP, VRRP

2022-06-24 15:22:00 Network technology alliance station

The main purpose of firewall hot standby is redundant backup: a network failure must not interrupt service. Firewall hot-standby networking is divided, according to the firewall's working mode, into hot standby in routing mode and hot standby in transparent mode. The following describes the firewall hot-standby command lines for the networking used under these different firewall modes.

Hot-standby configuration on the firewall mainly involves HRP, VGMP and VRRP configuration. The hot-standby networking configuration has to be adjusted to the services of the live network and the user's requirements; the command lines involved in firewall hot-standby configuration are explained below.

1 HRP Command line configuration description

HRP is Huawei's redundant backup protocol. Eudemon firewalls use it in backup networking to achieve link-state backup, so that service continues normally when a device fails.

HRP is a protocol developed by Huawei itself and is built on top of VGMP. VGMP is also a Huawei private protocol; it is mainly used to manage VRRP and is itself built on VRRP. Both VGMP messages and HRP messages are carried as VRRP messages: only when the firewall parses these packets can it judge, from the fields Huawei defined, whether a packet is a VGMP message, an HRP message, or an ordinary VRRP message.

On Eudemon firewalls, the main functions of HRP are to back up the firewall session table, the server-map table, the blacklist, the firewall configuration, and the public/private address mapping table and upper-layer session table of the ASPF module.

After two firewalls are correctly configured with VRRP, VGMP and HRP, an active/standby relationship forms. The firewall command line then automatically shows whether the firewall is active or standby: the HRP_M prefix means this firewall became the master after negotiating with the other firewall, and the HRP_S prefix means it became the standby. The active/standby status is negotiated only between the two firewalls; once negotiation stabilises, one firewall must be master and the other standby. It is impossible for both to be master or both to be standby.

After the HRP active/standby system has formed, the HRP status is called HRP master or HRP standby. In the HRP active/standby state, configuration is by default entered on the master firewall and then synchronised automatically to the standby; such commands cannot be executed on the standby firewall's command line. They include ACLs, adding interfaces to zones, and so on. Some command lines, however, are not backed up from the master to the standby.

The functions and usage of the HRP configuration commands are described as follows:

  • hrp enable : enables HRP. After HRP is enabled the firewall enters the active/standby state.
  • hrp configuration check acl : checks whether the ACL configurations at both ends of the active/standby pair are consistent. After this command is executed the active and standby firewalls exchange information; you can then use display hrp configuration check acl to see whether the configurations on both sides are consistent.
  • hrp configuration check hrp : checks whether the HRP configurations at both ends of the active/standby pair are consistent. After this command is executed the active and standby firewalls exchange information; you can then use display hrp configuration check hrp to see whether the configurations on both sides are consistent.
  • hrp interface Ethernet/GigabitEthernet : configures the firewall session backup channel. This is normally the firewall heartbeat interface, and it is used to back up firewall sessions.
  • hrp interface Ethernet 1/0/0 high-availability : configures the high-availability interface of the firewall, mainly to implement fast session backup. If high-availability is not configured, the session fast backup command cannot be enabled; once it is configured, this interface is preferred as the session backup channel. After hrp interface is configured, the backup channel is selected as follows: first the interface configured with high-availability; if several interfaces carry high-availability, the one with the smaller slot and port number; then, among the interfaces without high-availability, the one with the smaller slot and port number. When an interface failure puts its VRRP into the initialize state, or VGMP is not enabled for the VRRP on that interface, the firewall reselects the backup channel.
  • hrp mirror session enable : enables session fast backup. With this command, sessions newly created or refreshed on the firewall are immediately backed up to the peer firewall. It can only be configured after high-availability has been configured.
  • hrp mirror packet enable : enables packet relocation. When it is enabled, if an ICMP reply or a TCP ACK packet finds no matching session on one firewall, the packet is relocated to the other firewall; if a session is found there, the packet is forwarded according to that session, otherwise it is dropped. The feature is retained but essentially no longer used, because a session is backed up to the peer immediately after it is created or refreshed, and packet relocation consumes a lot of bandwidth. This command is therefore not recommended.
  • hrp ospf-cost adjust-enable : used when the firewall is networked with routers. After this command is configured, the firewall judges when advertising OSPF routes whether it is the master or the backup: the master advertises the learned routes directly, while the backup adds a COST value (default 65535, adjustable as needed) to the learned routes before advertising them. The routers connected to the firewalls therefore compute all routes toward the master firewall and forward packets to it. When OSPF is used between the firewalls and routers, keep the OSPF area as small as possible so that, after an active/standby switchover, OSPF converges as quickly as possible and service recovers soon.
  • hrp auto-sync connection-status : enables connection-status backup. Session backup does not depend on whether the firewall is master or backup: once this is enabled, a firewall backs up the sessions it establishes or refreshes to the peer firewall. It is enabled by default after hrp enable is executed.
  • hrp auto-sync config : enables configuration backup. Once it is enabled, command lines configured on the master firewall, such as ACLs and zones, are automatically backed up to the standby, keeping the configuration synchronised in real time. It is enabled by default after hrp enable, and the standby firewall then cannot be configured with ACLs and the like by default. If separate configuration is needed, executing undo hrp auto-sync config on the standby allows command lines to be configured there, and ACL configuration executed on the master is then not executed when it is sent to the standby; if this undo command is executed on the master, the master no longer sends its configuration to the standby for execution.
  • hrp auto-sync config batch-backup : enables batch configuration backup. When it is enabled, after an active/standby switchover the new master firewall automatically backs up its configuration to the new standby. It is disabled by default and not recommended, because batch backup consumes a lot of CPU resources and may affect some services while it runs.
  • hrp sync config : batch configuration backup command. After it is executed, the master firewall sends its configuration to the standby for execution. It is used in the user view and only after HRP is enabled. It is not used by default and is not recommended, because batch backup consumes a lot of CPU resources and may affect some services while it runs.
  • hrp sync connection-status : manually synchronises connection-status information, backing up the session table, blacklist, address translation table, ARP table and so on. On the Eudemon 1000 it also refreshes the backup channel.
  • display hrp : shows the current HRP status, mainly the HRP backup channel, the HRP state, whether fast backup is enabled, and the VGMP information in MASTER state.
  • display hrp verbose : shows the current HRP status in detail.
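The backup-channel selection order described for hrp interface above, written out as an added example (this is illustration code, not Huawei's implementation). It assumes interface names of the form EthernetS/C/P or GigabitEthernetS/C/P, orders on slot, card and port (the card number is an assumption; the text mentions only slot and port), and skips interfaces whose VRRP is in initialize state or whose VGMP is not enabled, which is when the text says the channel is reselected.

```python
"""Backup-channel selection as described for `hrp interface ... high-availability`.

Added illustration, not Huawei code. Selection rule from the text:
  1. interfaces flagged high-availability, smallest slot/port first;
  2. otherwise the remaining hrp interfaces, smallest slot/port first;
  3. an interface whose VRRP is in initialize state, or whose VGMP is not
     enabled, is not usable and the channel is reselected without it.
"""
import re
from dataclasses import dataclass

# Assumed naming convention: <type><slot>/<card>/<port>
_IFACE_RE = re.compile(r"^(?:Ethernet|GigabitEthernet)(\d+)/(\d+)/(\d+)$")


@dataclass
class HrpInterface:
    name: str
    high_availability: bool = False   # configured with the high-availability keyword
    vrrp_state: str = "Master"        # constructed: "Master", "Backup" or "Initialize"
    vgmp_enabled: bool = True         # VGMP enabled for the VRRP on this interface


def slot_port(name):
    """Numeric (slot, card, port) tuple used as the ordering key."""
    m = _IFACE_RE.match(name)
    if not m:
        raise ValueError(f"unrecognised interface name: {name}")
    return tuple(int(x) for x in m.groups())


def usable(iface):
    """Interfaces the text says are skipped on reselection are not usable."""
    return iface.vrrp_state != "Initialize" and iface.vgmp_enabled


def select_backup_channel(interfaces):
    """Return the name of the interface chosen as session backup channel, or None."""
    candidates = [i for i in interfaces if usable(i)]
    if not candidates:
        return None
    # high-availability interfaces sort first (not True == False), then by slot/card/port
    candidates.sort(key=lambda i: (not i.high_availability, slot_port(i.name)))
    return candidates[0].name


if __name__ == "__main__":
    demo = [HrpInterface("Ethernet1/0/3"),
            HrpInterface("Ethernet2/0/0", high_availability=True),
            HrpInterface("Ethernet1/0/0", high_availability=True)]
    print(select_backup_channel(demo))
    demo[2].vrrp_state = "Initialize"   # heartbeat interface fails: channel is reselected
    print(select_backup_channel(demo))
```

The usable check models the two reselection triggers from the text; the one thing to take from the example is that a lower-numbered non-high-availability interface never wins over a healthy high-availability one.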

2 VGMP Configuration instructions

VGMP (VRRP Group Management Protocol) is a Huawei private protocol that manages VRRP groups. VGMP adds VRRP instances to a group and manages them as a whole: it negotiates with the peer through VGMP messages, identifies the VGMP state of itself and the peer, and, according to the active/standby VGMP state, changes the state of every VRRP under the group to match the VGMP state. VGMP status is likewise divided into Master and Slave. VGMP messages are based on VRRP packets; VGMP uses VRRP messages to inform the peer of its own status and to negotiate with it.

The firewall VGMP feature currently supports VGMP negotiation between two firewalls. Through negotiation the two firewalls form one active and one standby. When the master firewall fails, or its VGMP priority drops for other reasons, the standby firewall's VGMP preempts the master role, the original master's VGMP becomes standby, and the VRRP instances in the VGMP group follow the VGMP state change. By managing VRRP through VGMP, the master firewall advertises the virtual addresses of all VRRP under the VGMP group, while the standby firewall does not advertise the VRRP virtual addresses, which forms VRRP redundant backup.

The functions and usage of the VGMP configuration commands are described as follows:

  • vrrp group <1-16> : creates a VGMP management group. After this command line is executed, the VGMP management group is created and the management group view is entered; all VGMP configuration is done in the VGMP view.
  • add interface Ethernet 1/0/7 vrrp vrid 1 : adds VRRP 1 configured under interface Ethernet1/0/7 to this management group.
  • add interface Ethernet 1/0/7 vrrp vrid 1 data : adds VRRP 1 configured under interface Ethernet1/0/7 to this management group and uses Ethernet1/0/7 as the channel for sending VGMP data messages. VGMP can only be enabled after a VGMP data channel has been configured. Firewall configuration synchronisation is transmitted over the VGMP data channel.
  • add interface Ethernet 1/0/7 vrrp vrid 1 data transfer-only : adds VRRP 1 configured under interface Ethernet1/0/7 to this management group and uses Ethernet1/0/7 as the channel for sending VGMP data messages, but a priority change of the VRRP under this interface does not take part in the VGMP priority calculation. This is typically used when the firewall's upstream and downstream devices are switches; the heartbeat-interface VRRP can be added to the VGMP group in this way.
  • add interface Ethernet1/0/7 vrrp vrid 1 data ip-link 1 : adds VRRP 1 configured under interface Ethernet1/0/7 to this management group, uses Ethernet1/0/7 as the channel for sending VGMP data messages, and binds the ip-link function to VGMP. For the use of ip-link, refer to other documents.
  • vrrp-group enable : enables the VGMP group. This command can be executed after the VGMP data channel has been configured; the firewall then sends VGMP messages from the data channel to the peer firewall and determines the VGMP active/standby status.
  • vrrp-group preempt : configures the preemption mode of the VGMP group. The local VGMP negotiates with the peer VGMP and preempts: the higher priority preempts as master, the lower priority is preempted into standby. After this command is configured the default preemption delay is 0, that is, immediate preemption.
  • vrrp-group preempt delay <0-1800000> : configures the VGMP group preemption delay in milliseconds (ms). If the local VGMP group priority is higher than the peer's, the VGMP preempts as Master only after the configured delay has elapsed. For firewall networking, the recommended scheme is a preemption delay of 0 on the standby firewall and a delay of 20000 ms, or no preemption at all, on the master firewall. The specific networking configuration describes in detail how to configure the firewall preemption mode.
  • vrrp-group priority <1-254> : configures the VGMP group priority. After it is configured, the local VGMP negotiates with the peer firewall's VGMP to determine the VGMP active/standby status. This is the default way of deciding the VGMP group priority, and the default priority is 100. The VGMP group priority adjustment algorithm is: current priority - (current priority / 16). If one VRRP under the VGMP group changes to the initialize state, the group priority is adjusted once; likewise, if a configured ip-link detects that its remote IP is unreachable, the group priority is adjusted once, using the above algorithm each time. In this mode it is recommended to configure the master firewall with 105 and to keep the standby firewall at the default 100.
  • vrrp-group priority using-vrrppriority : uses the VRRP priority as the VGMP group priority. After it is configured, the local VGMP negotiates with the peer firewall's VGMP to determine the VGMP active/standby status. When the group priority is decided in this way, the priorities of all VRRP under the VGMP group are first added up and divided by the number of VRRP under the group. If an ip-link is also configured under VGMP and it detects that the remote IP address is unreachable, the ip-link priority adjustment is calculated as the priority of the VRRP bound to that ip-link divided by 16, and this adjustment is subtracted from the priority calculated from all VRRP under the group to give the final VGMP group priority. In this mode it is recommended to configure the VRRP priority of the master firewall as 105 and that of the standby firewall as the default 100.
  • vrrp-group priority plus <0-254> : also adjusts the VGMP priority, but it is no longer used and configuring it is not recommended.
  • vrrp-group manual-preempt : manual preemption for the VGMP group. When a preemption delay is configured and has not yet expired, the local VGMP does not preempt even if its group priority is higher than the peer's; when non-preemption is configured under the VGMP group, it does not preempt even if its priority is higher. With vrrp-group manual-preempt you can preempt manually: if the local VGMP group priority is higher but the configured delay has not expired or non-preemption is configured, this command makes the local VGMP immediately preempt as Master.
  • vrrp-group timer hello <200-60000> : interval at which the VGMP group sends VGMP hello messages, in milliseconds (ms); the default is 1000 ms. A shorter hello interval lets the VGMP groups preempt and switch over faster. The default is recommended: if the value is too small the firewall sends and receives a large number of VGMP messages and consumes more CPU resources, and a hello interval of 1 s already meets the fault response time required by live networks.
  • vrrp-group group-send : sends VGMP messages on all data channels under the VGMP group. After it is configured, VGMP sends its data and hello messages once on every data channel that has joined the group. It is not enabled by default; by default VGMP automatically selects one data channel for sending VGMP messages and reselects when a data channel failure is detected.

3 VRRP Configuration instructions

The firewall's VRRP is the same as the standard VRRP protocol. Here we only discuss VRRP configuration; for more information, see the relevant RFC. On the firewall, once a VRRP is added to VGMP its status is decided by VGMP and it no longer negotiates on its own.

The functions and usage of the VRRP configuration commands are described as follows:

  • vrrp vrid 1 virtual-ip 1.1.1.100 : configures VRRP in the interface view, setting the VRRP ID and the VRRP virtual address on the interface.
  • vrrp vrid 1 track Ethernet1/0/6 : configures the port monitored by VRRP. When the protocol status of the monitored port goes down, the VRRP priority is adjusted automatically, by 10 by default; you can append to this command how much the priority should drop.
  • vrrp vrid 1 priority <1-254> : configures the VRRP priority. The default is 100; the recommended configuration is 105 on the master firewall and the default 100 on the standby firewall.
  • vrrp vrid 1 timer advertise <1-255> : interval at which VRRP hello (advertisement) messages are sent. The default VRRP advertisement interval is 1 s, and the default is recommended.
  • vrrp vrid 1 preempt-mode : VRRP preemption parameter. If the VRRP joins a VGMP group, its preemption parameter no longer takes effect.

The firewall ip-link function checks whether a layer-3 link is reachable. Its basic principle is that after ip-link is enabled and an ip-link destination address is configured on the firewall, the firewall sends ICMP packets to the destination address to determine whether it is reachable, that is, whether the layer-3 link from the firewall to the destination is up. In hot-standby networking, VGMP adjusts the VGMP priority according to the ip-link detection result, so that the firewalls can perform an active/standby switchover when a failure occurs between a firewall and a router.

When enabling ip-link, you must make sure that the device at the ip-link destination address can exchange ICMP normally with the firewall, so that the firewall detects the destination correctly and, when that device fails, correctly drives the active and standby firewalls to switch over. The prerequisite for using ip-link is therefore that the device at the configured destination address can exchange ICMP normally with the firewall.

A common hot-standby networking in which the firewall ip-link function is used is shown in the following figure:

As shown in the figure above, if ip-link is not enabled on the firewall, packets are normally forwarded through firewall A, which requires that both the uplink and downlink devices of firewall A work normally. But once port 0/1 of router A, which connects to firewall A, fails, packets can no longer be forwarded out of that port; VRRP on firewall A cannot detect that port 0/1 of router A has failed, so packets continue to be forwarded from firewall A to router A and service is interrupted. If ip-link is enabled on firewall A with its destination address set to port 0/1 of router A, then when that port fails firewall A detects that the IP address of router A's port 0/1 is unreachable, concludes that the link out of its own port 0/0 is broken, and automatically adjusts its priority, so that firewalls A and B perform an active/standby switchover and all services on firewall A move to firewall B, keeping forwarding normal.

Before configuring ip-link on the firewall, first confirm that the device at the configured ip-link destination address can exchange ICMP normally with the firewall. The related configuration is described as follows:
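The VGMP priority arithmetic from the vrrp-group priority and vrrp-group priority using-vrrppriority descriptions, together with the ip-link failover just described, as one added example. This is illustration code, not Huawei's implementation; it assumes integer division for "current priority / 16" (the text gives the formula without stating rounding), treats a VRRP in initialize state and an unreachable ip-link destination as the two events that trigger an adjustment, and models preemption, preemption delay and manual preemption as the text describes them.

```python
"""VGMP group priority and active/standby decision (added illustration, not Huawei code).

Two priority modes from the text:
  * vrrp-group priority <n>: each failure event (a member VRRP entering initialize
    state, or a bound ip-link destination becoming unreachable) applies
    priority = priority - priority // 16 once.
  * vrrp-group priority using-vrrppriority: the group priority is the average of
    the member VRRP priorities; an unreachable ip-link subtracts (bound VRRP priority // 16).
Integer division is an assumption; the text does not state rounding.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Vrrp:
    vrid: int
    priority: int = 100                 # vrrp vrid N priority
    state: str = "Master"               # "Master", "Backup" or "Initialize"
    ip_link_up: Optional[bool] = None   # None: no ip-link bound to this VRRP


@dataclass
class VgmpGroup:
    name: str
    vrrps: List[Vrrp]
    configured_priority: int = 100      # vrrp-group priority <1-254>
    use_vrrp_priority: bool = False     # vrrp-group priority using-vrrppriority
    preempt: bool = True                # vrrp-group preempt
    preempt_delay_ms: int = 0           # vrrp-group preempt delay


def adjust_once(priority):
    """One application of the formula from the text: p - (p / 16), integer division assumed."""
    return priority - priority // 16


def group_priority(g):
    """VGMP group priority with the failure events currently in effect applied."""
    if not g.use_vrrp_priority:
        p = g.configured_priority
        for v in g.vrrps:
            if v.state == "Initialize":     # member VRRP went to initialize state
                p = adjust_once(p)
            if v.ip_link_up is False:       # bound ip-link destination unreachable
                p = adjust_once(p)
        return p
    if not g.vrrps:
        raise ValueError("using-vrrppriority needs at least one VRRP in the group")
    base = sum(v.priority for v in g.vrrps) // len(g.vrrps)
    penalty = sum(v.priority // 16 for v in g.vrrps if v.ip_link_up is False)
    return base - penalty


def elect_master(current_master, a, b, elapsed_ms=0, manual_preempt=False):
    """Name of the group holding Master once priorities are compared.

    The standby takes over only if its priority is strictly higher and it may
    preempt (or manual preemption is issued); a configured delay postpones the
    takeover until elapsed_ms reaches it. Equal priorities keep the current
    master, so the pair does not flap."""
    groups = {a.name: a, b.name: b}
    standby_name = next(n for n in groups if n != current_master)
    standby, master = groups[standby_name], groups[current_master]
    if group_priority(standby) <= group_priority(master):
        return current_master
    if manual_preempt:
        return standby_name
    if not standby.preempt or elapsed_ms < standby.preempt_delay_ms:
        return current_master
    return standby_name


def demo():
    """Scenario from the text: the ip-link on firewall A fails, firewall B takes over."""
    fw_a = VgmpGroup("A", [Vrrp(1, ip_link_up=True), Vrrp(2)],
                     configured_priority=105, preempt_delay_ms=20000)
    fw_b = VgmpGroup("B", [Vrrp(1), Vrrp(2)], configured_priority=100)
    before = elect_master("A", fw_a, fw_b)
    fw_a.vrrps[0].ip_link_up = False    # router A port 0/1 becomes unreachable
    after = elect_master("A", fw_a, fw_b)
    return before, group_priority(fw_a), after


if __name__ == "__main__":
    print(demo())
```

With the recommended values the single ip-link failure takes the master from 105 to 99, just below the standby's 100, which is why 105/100 is enough for one failure to trigger the switchover; once the link is repaired, the 20000 ms delay on the original master keeps it from flapping back immediately.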

Execute the command ip-link check enable in the system view, for example:

[Eudemon]ip-link check enable
ip-link INTEGER<1-32> [ vpn-instance vpn-name] destination X.X.X.X [ interface | timer ]

For the meanings of the above command parameters, refer to the help information shown on the command line.

Enter the VGMP view:

vrrp group 1

Configure ip-link:

[E1000_A-vrrpgroup-1]add int Ethernet 4/0/0 vrrp vrid 1 ip-link 1

After ip-link is enabled on the firewall, the firewall sends ICMP packets to the device at the ip-link destination address to detect whether that device is working normally. By viewing the status of the vrrp group we can see that ip-link has begun to affect the vrrp group priority; the amount by which an ip-link check adjusts the priority is the same as the adjustment made when an interface added to the vrrp management group goes down.

HRP_M[E1000_A]dis v v
Vrrp Group 16
state : Master
Priority : 98 <---- the priority here is adjusted according to the ip-link check result
Preempt : YES Delay Time : 0
Timer : 1000
Group-Send : YES
Peer Status : OnLine
Vrrp number : 3
: Same
interface : Ethernet4/0/7, vrrp id : 254 Up
interface : Ethernet4/0/0, vrrp id : 2 Up
interface : Ethernet4/0/1, vrrp id : 1 Down, ip-link: 32 Down
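A parser and health check for the display vrrp group verbose output shown above, as an added example (illustration code, not a Huawei tool). The sample text is the article's own output with the arrow annotation removed; the line whose field name was lost in the article (": Same") is tolerated and ignored. The health check flags the conditions an operator monitoring a hot-standby pair would want surfaced from this output: a member VRRP that is Down, an ip-link that is Down, and a peer that is not online.

```python
"""Parse `display vrrp group verbose` output and report unhealthy members.

Added illustration, not Huawei code. SAMPLE_OUTPUT is the output printed in the
article with the inline annotation removed.
"""
import re

SAMPLE_OUTPUT = """\
Vrrp Group 16
state : Master
Priority : 98
Preempt : YES Delay Time : 0
Timer : 1000
Group-Send : YES
Peer Status : OnLine
Vrrp number : 3
 : Same
interface : Ethernet4/0/7, vrrp id : 254 Up
interface : Ethernet4/0/0, vrrp id : 2 Up
interface : Ethernet4/0/1, vrrp id : 1 Down, ip-link: 32 Down
"""

# One member VRRP line, with an optional bound ip-link and its state.
_MEMBER_RE = re.compile(
    r"interface\s*:\s*(?P<iface>[^,\s]+),\s*vrrp id\s*:\s*(?P<vrid>\d+)\s+(?P<state>Up|Down)"
    r"(?:,\s*ip-link:\s*(?P<iplink>\d+)\s+(?P<iplink_state>Up|Down))?"
)
# Generic "Key : Value" pairs; a line may carry several ("Preempt : YES Delay Time : 0").
_PAIR_RE = re.compile(r"([A-Za-z][A-Za-z -]*?)\s*:\s*(\S+)")


def _norm_key(key):
    return key.strip().lower().replace(" ", "_").replace("-", "_")


def _value(raw):
    return int(raw) if raw.isdigit() else raw


def parse_vrrp_group(text):
    """Return the group's scalar fields plus a 'members' list of VRRP entries."""
    info = {"members": []}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = _MEMBER_RE.match(line)
        if m:
            member = {"interface": m.group("iface"),
                      "vrid": int(m.group("vrid")),
                      "state": m.group("state")}
            if m.group("iplink") is not None:
                member["ip_link"] = int(m.group("iplink"))
                member["ip_link_state"] = m.group("iplink_state")
            info["members"].append(member)
            continue
        if line.startswith("Vrrp Group"):
            info["group"] = int(line.split()[-1])
            continue
        for key, raw in _PAIR_RE.findall(line):   # lines with no "Key :" (": Same") yield nothing
            info[_norm_key(key)] = _value(raw)
    return info


def health_report(info):
    """Conditions worth alerting on, in the order they appear in the output."""
    problems = []
    if info.get("peer_status") != "OnLine":
        problems.append("peer firewall not online")
    for m in info["members"]:
        if m["state"] == "Down":
            problems.append(f"VRRP {m['vrid']} on {m['interface']} is Down")
        if m.get("ip_link_state") == "Down":
            problems.append(f"ip-link {m['ip_link']} bound to VRRP {m['vrid']} is Down")
    return problems


if __name__ == "__main__":
    parsed = parse_vrrp_group(SAMPLE_OUTPUT)
    print(parsed["state"], parsed["priority"])
    for problem in health_report(parsed):
        print("WARN:", problem)
```

Fed the article's output, the report lists the Down VRRP on Ethernet4/0/1 and its Down ip-link 32, which is exactly the state that produced the lowered priority of 98 in the display; polling this command on both firewalls and comparing the two parsed priorities is a simple way to confirm that a switchover happened for the reason you expected.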

Copyright notice: this article was written by Network technology alliance station; when reposting, please include the original link: https://yzsam.com/2021/05/20210512184141125a.html