
CLI: Example for Configuring IPv6 Hot Standby in Active/Standby Mode on Firewalls That Connect Switches in Upstream and Downstream Directions

This section describes how to configure VRRPv6 groups with their own virtual IPv6 addresses using the CLI to implement IPv6 hot standby in active/standby mode on an IPv6 network where the service interfaces work at Layer 3 and connect to switches in the upstream and downstream directions.

Networking Requirements

On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3 and are directly connected to switches.

The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.

Figure 1 Networking diagram for configuring active/standby when service interfaces work at Layer 3 and connect to switches

Procedure

  1. Complete basic network configurations.

    # Enable the IPv6 packet forwarding function on FWs.

    <FW_A> system-view
    [FW_A] ipv6
    <FW_B> system-view
    [FW_B] ipv6

    # Set IP addresses for the interfaces on FWs.

    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] ipv6 enable
    [FW_A-GigabitEthernet0/0/1] ipv6 address 2001:db8:6::1 64
    [FW_A-GigabitEthernet0/0/1] quit 
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] ipv6 enable
    [FW_A-GigabitEthernet0/0/3] ipv6 address 2001:db8:5::1 64
    [FW_A-GigabitEthernet0/0/3] quit 
    [FW_A] interface GigabitEthernet 0/0/7
    [FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet0/0/7] quit 
    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] ipv6 enable
    [FW_B-GigabitEthernet0/0/1] ipv6 address 2001:db8:6::2 64
    [FW_B-GigabitEthernet0/0/1] quit 
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] ipv6 enable
    [FW_B-GigabitEthernet0/0/3] ipv6 address 2001:db8:5::2 64
    [FW_B-GigabitEthernet0/0/3] quit 
    [FW_B] interface GigabitEthernet 0/0/7
    [FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
    [FW_B-GigabitEthernet0/0/7] quit 

    # Assign the interfaces to security zones on FWs.

    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW_A-zone-untrust] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_A-zone-trust] quit 
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_A-zone-dmz] quit 
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
    [FW_B-zone-untrust] quit
    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet 0/0/3
    [FW_B-zone-trust] quit 
    [FW_B] firewall zone dmz
    [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_B-zone-dmz] quit 

    # Create a default route with next hop 2001:db8:6::4 on both FWs so that traffic from intranet users is forwarded to the router.

    [FW_A] ipv6 route-static :: 0 2001:db8:6::4
    [FW_B] ipv6 route-static :: 0 2001:db8:6::4

  2. Configure VRRPv6 groups.

    # Configure VRRPv6 group 1 on the upstream service interface GE0/0/1 of both FWs: set its status to active on FW_A and to standby on FW_B.

    [FW_A] interface GigabitEthernet 0/0/1
    [FW_A-GigabitEthernet0/0/1] vrrp6 vrid 1 virtual-ip FE80::1 link-local active
    [FW_A-GigabitEthernet0/0/1] vrrp6 vrid 1 virtual-ip 2001:db8:6::3
    [FW_A-GigabitEthernet0/0/1] quit
    [FW_B] interface GigabitEthernet 0/0/1
    [FW_B-GigabitEthernet0/0/1] vrrp6 vrid 1 virtual-ip FE80::1 link-local standby
    [FW_B-GigabitEthernet0/0/1] vrrp6 vrid 1 virtual-ip 2001:db8:6::3
    [FW_B-GigabitEthernet0/0/1] quit

    # Configure VRRPv6 group 2 on the downstream service interface GE0/0/3 of both FWs: set its status to active on FW_A and to standby on FW_B.

    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] vrrp6 vrid 2 virtual-ip FE80::2 link-local active
    [FW_A-GigabitEthernet0/0/3] vrrp6 vrid 2 virtual-ip 2001:db8:5::3
    [FW_A-GigabitEthernet0/0/3] quit 
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] vrrp6 vrid 2 virtual-ip FE80::2 link-local standby
    [FW_B-GigabitEthernet0/0/3] vrrp6 vrid 2 virtual-ip 2001:db8:5::3
    [FW_B-GigabitEthernet0/0/3] quit 

  3. Specify the heartbeat interface and enable hot standby.

    [FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2 
    [FW_A] hrp enable 
    [FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1 
    [FW_B] hrp enable 

  4. Configure a security policy to allow intranet users to access the Internet.

    # Create a security policy on FW_A. After the hot standby relationship is established, the security policy on FW_A is automatically backed up to FW_B.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name trust_to_untrust  
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 2001:db8:5:: 64
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
    HRP_M[FW_A-policy-security] quit

  5. Configure the switches and PCs.
    1. On each switch, add its three interfaces to the same VLAN. For the configuration commands, see the documentation of the switches.
    2. On the intranet PCs, set the virtual IPv6 address of VRRPv6 group 2 (2001:db8:5::3) as the default gateway address. Details are omitted.
  6. Configure the router.

    On the router, configure equal-cost routes to the FWs with the next hop set to the virtual IPv6 address of VRRPv6 group 1 (2001:db8:6::3).

Verification

  1. Run the display vrrp6 command on FW_A and FW_B to check the status of the interfaces in the VRRPv6 groups. If the following information is displayed, the VRRPv6 groups have been created successfully.

    HRP_M<FW_A> display vrrp6
       GigabitEthernet0/0/1 | Virtual Router 1
         State : Master
         Virtual IP : FE80::1
                      2001:DB8:6::3
         Master IP : FE80::8269:33FF:FE8C:5C7D
         PriorityRun : 100
         PriorityConfig : 100
         MasterPriority : 0
         Preempt : YES   Delay Time : 0 s
         TimerRun : 4000 cs
         TimerConfig : 4000 cs
         Virtual MAC : 0000-5e00-0201
         Check hop limit : YES
         Config type : vgmp-vrrp
         Backup-forward : disabled
         Create time : 2019-04-13 14:54:28 UTC+08:00
         Last change time : 2019-04-13 14:56:53 UTC+08:00
    
       GigabitEthernet0/0/3 | Virtual Router 2  
         State : Master
         Virtual IP : FE80::2
                      2001:DB8:5::3
         Master IP : FE80::8269:33FF:FE8C:5C6B
         PriorityRun : 100
         PriorityConfig : 100
         MasterPriority : 100
         Preempt : YES   Delay Time : 0 s
         TimerRun : 4000 cs
         TimerConfig : 4000 cs
         Virtual MAC : 0000-5e00-0202
         Check hop limit : YES
         Config type : vgmp-vrrp
         Backup-forward : disabled
         Create time : 2019-04-13 14:11:51 UTC+08:00
         Last change time : 2019-04-13 14:54:42 UTC+08:00
    HRP_S<FW_B> display vrrp6
       GigabitEthernet0/0/1 | Virtual Router 1
         State : Backup
         Virtual IP : FE80::1
                      2001:DB8:6::3
         Master IP : FE80::4AF8:DBFF:FE50:82DB
         PriorityRun : 100
         PriorityConfig : 100
         MasterPriority : 0
         Preempt : YES   Delay Time : 0 s
         TimerRun : 4000 cs
         TimerConfig : 4000 cs
         Virtual MAC : 0000-5e00-0201
         Check hop limit : YES
         Config type : vgmp-vrrp
         Backup-forward : disabled
         Create time : 2019-04-13 14:28:28 UTC+08:00
         Last change time : 2019-04-13 15:08:53 UTC+08:00
    
       GigabitEthernet0/0/3 | Virtual Router 2  
         State : Backup
         Virtual IP : FE80::2
                      2001:DB8:5::3
         Master IP : FE80::4AF8:DBFF:FE50:826B
         PriorityRun : 100
         PriorityConfig : 100
         MasterPriority : 100
         Preempt : YES   Delay Time : 0 s
         TimerRun : 4000 cs
         TimerConfig : 4000 cs
         Virtual MAC : 0000-5e00-0202
         Check hop limit : YES
         Config type : vgmp-vrrp
         Backup-forward : disabled
         Create time : 2019-04-13 14:30:51 UTC+08:00
         Last change time : 2019-04-13 15:10:42 UTC+08:00
  2. Run the display hrp state verbose command on FW_A and FW_B to check the VGMP group status. If the following information is displayed, the hot standby relationship has been established successfully.

    HRP_M<FW_A> display hrp state verbose
      Role: active, peer: standby
      Running priority: 45000, peer: 45000
      Backup channel usage: 0.00%
      Stable time: 0 days, 0 hours, 0 minutes
      Last state change information: 2019-04-13 15:01:44 HRP core state changed,
      old_state = initial, new_state = normal(active), local_priority = 45000, 
      peer_priority = 45000.
     
      Configuration:
      hello interval:              1000ms
      preempt:                     60s
      mirror configuration:        off
      mirror session:              off
      track trunk member:          on
      auto-sync configuration:     on
      auto-sync connection-status: on
      adjust ospf-cost:            on
      adjust ospfv3-cost:          on
      adjust bgp-cost:             on
      nat resource:                off
     
      Detail information:
               GigabitEthernet0/0/1 vrrp6 vrid 1: active
               GigabitEthernet0/0/3 vrrp6 vrid 2: active
    HRP_S<FW_B> display hrp state verbose
      Role: standby, peer: active
      Running priority: 45000, peer: 45000
      Backup channel usage: 0.00% 
      Stable time: 0 days, 0 hours, 0 minutes 
      Last state change information: 2019-04-13 15:01:44 HRP core state changed,
      old_state = initial, new_state = normal(standby), local_priority = 45000,
      peer_priority = 45000. 
    
      Configuration:  
      hello interval:              1000ms
      preempt:                     60s   
      mirror configuration:        off   
      mirror session:              off   
      track trunk member:          on    
      auto-sync configuration:     on    
      auto-sync connection-status: on    
      adjust ospf-cost:            on    
      adjust ospfv3-cost:          on    
      adjust bgp-cost:             on    
      nat resource:                off   
                                        
      Detail information:                
               GigabitEthernet0/0/1 vrrp6 vrid 1: standby
               GigabitEthernet0/0/3 vrrp6 vrid 2: standby
  3. Run the ping 2001:db8:6::4 command on a PC in the trust zone to ping the router in the untrust zone. The ping succeeds. Then run the display firewall ipv6 session table command on FW_A and FW_B: the session is created on FW_A and backed up to FW_B.

    HRP_M<FW_A> display firewall ipv6 session table
     Current Total Sessions : 1
      icmpv6  VPN: public --> public 2001:DB8:5::4.0 --> 2001:DB8:6::4.2048
    HRP_S<FW_B> display firewall ipv6 session table
     Current Total Sessions : 1
      icmpv6  VPN: public --> public Remote 2001:DB8:5::4.0 --> 2001:DB8:6::4.2048

    The preceding command output shows that the session on FW_B carries the Remote tag, which indicates that sessions are backed up successfully once hot standby is configured.

  4. Run the ping 2001:db8:6::4 -t command on the PC, pull the cable out of GE0/0/1 on FW_A, and check whether an active/standby switchover occurs and whether any ping packets are lost. Reinsert the cable into GE0/0/1 on FW_A and check again whether a switchover occurs and whether any ping packets are lost. Throughout the process, the ping is not interrupted.
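The verification steps above compare the display vrrp6 outputs of the two FWs by eye. The following Python script is an added example and is not part of this page or of the firewall product: it parses display vrrp6 text captured from both FWs (how the text is captured, for example over SSH, is assumed and left out) and reports the failure modes the verification is meant to catch: a virtual router that is Master on both peers (split brain), no Master at all, swapped roles, mismatched virtual IPs, and a virtual MAC that does not follow the 00-00-5e-00-02-VRID form that VRRPv6 uses. The sample outputs embedded in the script are constructed, abbreviated copies of the outputs shown above; the function names are my own.

```python
"""Added example (not from the Huawei page): parse `display vrrp6` output
from both firewalls and verify that the VRRPv6 pair is in the intended state.
Sample outputs are constructed, abbreviated copies of the page's output."""
import re

# Constructed sample: FW_A is expected to be Master for both virtual routers.
FW_A_OUTPUT = """\
   GigabitEthernet0/0/1 | Virtual Router 1
     State : Master
     Virtual IP : FE80::1
                  2001:DB8:6::3
     Preempt : YES   Delay Time : 0 s
     Virtual MAC : 0000-5e00-0201

   GigabitEthernet0/0/3 | Virtual Router 2
     State : Master
     Virtual IP : FE80::2
                  2001:DB8:5::3
     Virtual MAC : 0000-5e00-0202
"""

# Constructed sample: FW_B is expected to be Backup for both virtual routers.
FW_B_OUTPUT = FW_A_OUTPUT.replace("State : Master", "State : Backup")

HEADER = re.compile(r"^\s*(\S+) \| Virtual Router (\d+)\s*$")
FIELD = re.compile(r"^\s*([A-Za-z ]+?)\s*:\s*(.*)$")
CONTINUATION = re.compile(r"^\s+(\S+)\s*$")  # second virtual IP on its own line


def parse_vrrp6(text):
    """Return {vrid: {"interface", "state", "vips", "vmac"}} from display vrrp6 text."""
    groups, current, last_key = {}, None, None
    for line in text.splitlines():
        m = HEADER.match(line)
        if m:
            current = {"interface": m.group(1), "state": None, "vips": [], "vmac": None}
            groups[int(m.group(2))] = current
            last_key = None
            continue
        if current is None or not line.strip():
            continue
        m = FIELD.match(line)
        if m:
            last_key, value = m.group(1).strip(), m.group(2).strip()
            if last_key == "State":
                current["state"] = value
            elif last_key == "Virtual IP":
                current["vips"].append(value.upper())
            elif last_key == "Virtual MAC":
                current["vmac"] = value.lower()
            continue
        m = CONTINUATION.match(line)
        if m and last_key == "Virtual IP":
            current["vips"].append(m.group(1).upper())
    return groups


def expected_vmac(vrid):
    """VRRPv6 virtual MAC 00-00-5e-00-02-<VRID> (RFC 5798) in the device's notation."""
    return "0000-5e00-02%02x" % vrid


def check_pair(active_text, standby_text):
    """Return findings for the FW_A/FW_B pair; an empty list means the state is as intended."""
    a, b = parse_vrrp6(active_text), parse_vrrp6(standby_text)
    findings = []
    for vrid in sorted(set(a) | set(b)):
        if vrid not in a or vrid not in b:
            findings.append(f"vrid {vrid}: configured on only one firewall")
            continue
        states = (a[vrid]["state"], b[vrid]["state"])
        if states == ("Master", "Master"):
            findings.append(f"vrid {vrid}: split brain, both peers are Master")
        elif "Master" not in states:
            findings.append(f"vrid {vrid}: no Master, virtual gateway is down")
        elif states != ("Master", "Backup"):
            findings.append(f"vrid {vrid}: roles {states} are not the intended active/standby")
        if a[vrid]["vips"] != b[vrid]["vips"]:
            findings.append(f"vrid {vrid}: virtual IP mismatch {a[vrid]['vips']} vs {b[vrid]['vips']}")
        for name, group in (("FW_A", a[vrid]), ("FW_B", b[vrid])):
            if group["vmac"] != expected_vmac(vrid):
                findings.append(f"vrid {vrid}: {name} virtual MAC {group['vmac']} != {expected_vmac(vrid)}")
    return findings


if __name__ == "__main__":
    for finding in check_pair(FW_A_OUTPUT, FW_B_OUTPUT) or ["VRRPv6 pair state OK"]:
        print(finding)
```

Feeding the script the same output for both peers is a quick way to see the split-brain finding; in practice the two captures would be taken at the same moment, since a transient Master/Master reading during a switchover is expected and only a persistent one indicates that the heartbeat or VRRPv6 path between the FWs is broken.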

Configuration Scripts

FW_A

#
 ipv6
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
interface GigabitEthernet 0/0/1
 ipv6 enable
 ipv6 address 2001:DB8:6::1/64
 vrrp6 vrid 1 virtual-ip FE80::1 link-local active
 vrrp6 vrid 1 virtual-ip 2001:DB8:6::3
#
interface GigabitEthernet 0/0/3
 ipv6 enable
 ipv6 address 2001:DB8:5::1/64
 vrrp6 vrid 2 virtual-ip FE80::2 link-local active
 vrrp6 vrid 2 virtual-ip 2001:DB8:5::3
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
 ipv6 route-static :: 0 2001:db8:6::4
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 2001:db8:5:: 64
  action permit

FW_B

#
 ipv6
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
interface GigabitEthernet 0/0/1
 ipv6 enable
 ipv6 address 2001:DB8:6::2/64
 vrrp6 vrid 1 virtual-ip FE80::1 link-local standby
 vrrp6 vrid 1 virtual-ip 2001:DB8:6::3
#
interface GigabitEthernet 0/0/3
 ipv6 enable
 ipv6 address 2001:DB8:5::2/64
 vrrp6 vrid 2 virtual-ip FE80::2 link-local standby
 vrrp6 vrid 2 virtual-ip 2001:DB8:5::3
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
 ipv6 route-static :: 0 2001:db8:6::4
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 2001:db8:5:: 64
  action permit
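The two configuration scripts above are meant to be mirror images: only the interface addresses, the hrp remote address and the active/standby keyword of the vrrp6 commands differ, while everything else, the security policy included, is backed up from FW_A to FW_B automatically. The Python script below is an added example, not from this page or from Huawei: it masks those peer-specific fields and then diffs the two scripts, so that any remaining difference (a security-policy rule edited on one device only, a zone with a different interface) is reported as drift, and it also checks that FW_A carries the active keyword and FW_B the standby keyword on every VRRPv6 group. The embedded scripts are constructed, abbreviated copies of the configuration scripts above; the mask-then-diff approach and the helper names are my own.

```python
"""Added example (not from the Huawei page): compare the saved configuration
scripts of FW_A and FW_B after masking the fields that legitimately differ
between the peers, so that any remaining difference stands out as drift."""
import difflib
import re

# Constructed, abbreviated copy of FW_A's configuration script from the page.
FW_A_CONFIG = """\
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
interface GigabitEthernet 0/0/1
 ipv6 enable
 ipv6 address 2001:DB8:6::1/64
 vrrp6 vrid 1 virtual-ip FE80::1 link-local active
 vrrp6 vrid 1 virtual-ip 2001:DB8:6::3
#
interface GigabitEthernet 0/0/3
 ipv6 enable
 ipv6 address 2001:DB8:5::1/64
 vrrp6 vrid 2 virtual-ip FE80::2 link-local active
 vrrp6 vrid 2 virtual-ip 2001:DB8:5::3
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 2001:db8:5:: 64
  action permit
"""

# FW_B's script, constructed by applying the peer-specific changes the page
# shows: its own addresses, the heartbeat peer address and the standby role.
FW_B_CONFIG = (
    FW_A_CONFIG.replace("remote 10.10.0.2", "remote 10.10.0.1")
    .replace("ip address 10.10.0.1", "ip address 10.10.0.2")
    .replace("2001:DB8:6::1/64", "2001:DB8:6::2/64")
    .replace("2001:DB8:5::1/64", "2001:DB8:5::2/64")
    .replace("link-local active", "link-local standby")
)

# Fields that are expected to differ between the peers are masked before diffing.
PEER_SPECIFIC = [
    (re.compile(r"(hrp interface \S+ \S+ remote )\S+"), r"\1<PEER>"),
    (re.compile(r"(ipv6 address )\S+"), r"\1<OWN>"),
    (re.compile(r"(ip address )\S+ \S+"), r"\1<OWN>"),
    (re.compile(r"(link-local )(active|standby)"), r"\1<ROLE>"),
]


def normalize(config):
    """Canonical form of one script: no separators or trailing blanks,
    one spelling of interface names, peer-specific fields masked."""
    lines = []
    for line in config.splitlines():
        line = line.rstrip()
        if line in ("", "#"):
            continue
        line = re.sub(r"GigabitEthernet\s*(\d)", r"GigabitEthernet \1", line)
        for pattern, repl in PEER_SPECIFIC:
            line = pattern.sub(repl, line)
        lines.append(line)
    return lines


def role_keywords(config):
    """Set of link-local role keywords used on the vrrp6 lines of a script."""
    return set(re.findall(r"link-local (active|standby)", config))


def check_pair(config_a, config_b):
    """Return findings for the pair; an empty list means correct roles and no drift."""
    findings = []
    if role_keywords(config_a) != {"active"}:
        findings.append("FW_A: not every VRRPv6 group is configured active")
    if role_keywords(config_b) != {"standby"}:
        findings.append("FW_B: not every VRRPv6 group is configured standby")
    diff = difflib.unified_diff(normalize(config_a), normalize(config_b),
                                fromfile="FW_A", tofile="FW_B", n=0, lineterm="")
    for line in diff:
        if line.startswith(("+", "-")) and not line.startswith(("+++", "---")):
            findings.append("drift: " + line)
    return findings


if __name__ == "__main__":
    for finding in check_pair(FW_A_CONFIG, FW_B_CONFIG) or ["configuration pair consistent"]:
        print(finding)
```

Running the check against a copy of FW_B's script with the source-address line of the security-policy rule removed yields a single drift finding for that line, which is exactly the kind of one-sided edit that would widen the permitted traffic on the standby after a switchover without anyone changing FW_A.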
Copyright © Huawei Technologies Co., Ltd.