CLI: Example for Configuring IPv6 Hot Standby in Active/Standby Mode on Firewalls That Connect Routers in Upstream and Downstream Directions
This section describes how to configure IPv6 hot standby in active/standby mode using the CLI on an IPv6 network where the service interfaces work at Layer 3 and connect to routers in the upstream and downstream directions.
Networking Requirements
As shown in Figure 1, the service interfaces of the FWs work at Layer 3 and are directly connected to routers. OSPFv3 runs between the FWs and upstream and downstream routers. The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
Procedure
- Complete basic network configurations.
FW_A
FW_B
# Enable the IPv6 packet forwarding function on FWs.
<FW_A> system-view [FW_A] ipv6
<FW_B> system-view [FW_B] ipv6
# Set IP addresses for the interfaces on FWs.
[FW_A] interface GigabitEthernet 0/0/1 [FW_A-GigabitEthernet0/0/1] ipv6 enable [FW_A-GigabitEthernet0/0/1] ipv6 address 2001:db8:6::1 64 [FW_A-GigabitEthernet0/0/1] quit [FW_A] interface GigabitEthernet 0/0/3 [FW_A-GigabitEthernet0/0/3] ipv6 enable [FW_A-GigabitEthernet0/0/3] ipv6 address 2001:db8:5::1 64 [FW_A-GigabitEthernet0/0/3] quit [FW_A] interface GigabitEthernet 0/0/7 [FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24 [FW_A-GigabitEthernet0/0/7] quit
[FW_B] interface GigabitEthernet 0/0/1 [FW_B-GigabitEthernet0/0/1] ipv6 enable [FW_B-GigabitEthernet0/0/1] ipv6 address 2001:db8:6::2 64 [FW_B-GigabitEthernet0/0/1] quit [FW_B] interface GigabitEthernet 0/0/3 [FW_B-GigabitEthernet0/0/3] ipv6 enable [FW_B-GigabitEthernet0/0/3] ipv6 address 2001:db8:5::2 64 [FW_B-GigabitEthernet0/0/3] quit [FW_B] interface GigabitEthernet 0/0/7 [FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24 [FW_B-GigabitEthernet0/0/7] quit
# Assign the interfaces to security zones on FWs.
[FW_A] firewall zone trust [FW_A-zone-trust] add interface GigabitEthernet 0/0/3 [FW_A-zone-trust] quit [FW_A] firewall zone dmz [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7 [FW_A-zone-dmz] quit [FW_A] firewall zone untrust [FW_A-zone-untrust] add interface GigabitEthernet 0/0/1 [FW_A-zone-untrust] quit
[FW_B] firewall zone trust [FW_B-zone-trust] add interface GigabitEthernet 0/0/3 [FW_B-zone-trust] quit [FW_B] firewall zone dmz [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7 [FW_B-zone-dmz] quit [FW_B] firewall zone untrust [FW_B-zone-untrust] add interface GigabitEthernet 0/0/1 [FW_B-zone-untrust] quit
# Configure OSPFv3 to ensure IP connectivity on FWs.
[FW_A] ospfv3 100 [FW_A-ospfv3-100] router-id 1.1.1.1 [FW_A-ospfv3-100] quit [FW_A] interface GigabitEthernet 0/0/1 [FW_A-GigabitEthernet0/0/1] ospfv3 100 area 0.0.0.0 [FW_A-GigabitEthernet0/0/1] quit [FW_A] ospfv3 200 [FW_A-ospfv3-200] router-id 10.1.1.1 [FW_A-ospfv3-200] quit [FW_A] interface GigabitEthernet 0/0/3 [FW_A-GigabitEthernet0/0/3] ospfv3 200 area 0.0.0.0 [FW_A-GigabitEthernet0/0/3] quit
[FW_B] ospfv3 100 [FW_B-ospfv3-100] router-id 1.1.1.2 [FW_B-ospfv3-100] quit [FW_B] interface GigabitEthernet 0/0/1 [FW_B-GigabitEthernet0/0/1] ospfv3 100 area 0.0.0.0 [FW_B-GigabitEthernet0/0/1] quit [FW_B] ospfv3 200 [FW_B-ospfv3-200] router-id 10.1.1.2 [FW_B-ospfv3-200] quit [FW_B] interface GigabitEthernet 0/0/3 [FW_B-GigabitEthernet0/0/3] ospfv3 200 area 0.0.0.0 [FW_B-GigabitEthernet0/0/3] quit
- Configure hot standby.
FW_A
FW_B
# Configure VGMP groups to monitor upstream and downstream service interfaces on FWs.
[FW_A] hrp track interface GigabitEthernet 0/0/1 [FW_A] hrp track interface GigabitEthernet 0/0/3
[FW_B] hrp track interface GigabitEthernet 0/0/1 [FW_B] hrp track interface GigabitEthernet 0/0/3
# Configure the function of adjusting the OSPFv3 cost based on VGMP status on FWs. After you enable this function, FW determines whether it is the active or standby FW when advertising OSPFv3 routes. If FW is the active device, it directly advertises the routes that it has learned. If it is the standby device, it advertises the routes after increasing the cost values. In this way, when upstream and downstream routers calculate routes, the next hop is pointed to the active device, and packets are forwarded to the active device.
[FW_A] hrp adjust ospfv3-cost enable[FW_B] hrp adjust ospfv3-cost enable# Specify the heartbeat interface and enable hot standby on FWs.
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2 [FW_A] hrp enable
[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1 [FW_B] hrp standby-device [FW_B] hrp enable
- Create a security policy on FW_A. After hot standby relationship is established, the security policy on FW_A will be automatically backed up to FW_B.
# Configure security policies to allow FWs and the upstream/downstream routers to exchange OSPFv3 packets.
Controlling function of security policies for OSPFv3 packets are configured by the firewall packet-filter basic-protocol enable command. By default, the function of the firewall packet-filter basic-protocol enable command is enabled. That is, OSPFv3 packets are controlled by security policies. In this case, a security policy must be configured between the security zones where the upstream/downstream service interfaces reside and the local zone to allow OSPFv3 packets to pass. In this example, enabling the firewall packet-filter basic-protocol enable command is used as an example.
HRP_M[FW_A] security-policy HRP_M[FW_A-policy-security] rule name policy_ospfv3_1 HRP_M[FW_A-policy-security-rule-policy_ospfv3_1] source-zone local HRP_M[FW_A-policy-security-rule-policy_ospfv3_1] destination-zone trust untrust HRP_M[FW_A-policy-security-rule-policy_ospfv3_1] service ospf HRP_M[FW_A-policy-security-rule-policy_ospfv3_1] action permit HRP_M[FW_A-policy-security-rule-policy_ospfv3_1] quit HRP_M[FW_A-policy-security] rule name policy_ospfv3_2 HRP_M[FW_A-policy-security-rule-policy_ospfv3_2] source-zone trust untrust HRP_M[FW_A-policy-security-rule-policy_ospfv3_2] destination-zone local HRP_M[FW_A-policy-security-rule-policy_ospfv3_2] service ospf HRP_M[FW_A-policy-security-rule-policy_ospfv3_2] action permit HRP_M[FW_A-policy-security-rule-policy_ospfv3_2] quit
# Configure a security policy to allow intranet users to access the Internet.
HRP_M[FW_A-policy-security] rule name policy_sec HRP_M[FW_A-policy-security-rule-policy_sec] source-zone trust HRP_M[FW_A-policy-security-rule-policy_sec] destination-zone untrust HRP_M[FW_A-policy-security-rule-policy_sec] source-address 2001:db8:3:: 64 HRP_M[FW_A-policy-security-rule-policy_sec] source-address 2001:db8:4:: 64 HRP_M[FW_A-policy-security-rule-policy_sec] action permit
- Configure the routers.
Configure OSPFv3 on the routers to advertise routes. For configuration commands, refer to the related documents of the routers.
Verification
Run the display hrp state verbose command on FW_A and FW_B to check the VGMP group status. If the following information is displayed, hot standby relationship is successfully established.
FW_A
FW_B
HRP_M<FW_A> display hrp state verbose Role: active, peer: standby Running priority: 45000, peer: 45000 Backup channel usage: 30% Stable time: 1 days, 13 hours, 35 minutes Last state change information: 2018-03-22 16:01:56 HRP link changes to up. Configuration: hello interval: 1000ms preempt: 60s mirror configuration: off mirror session: off track trunk member: on auto-sync configuration: on auto-sync connection-status: on adjust ospf-cost: on adjust ospfv3-cost: on adjust bgp-cost: on nat resource: off Detail information: GigabitEthernet0/0/1: up GigabitEthernet0/0/3: up ospfv3-cost: +0
HRP_S<FW_B> display hrp state verbose Role: standby, peer: active Running priority: 45000, peer: 45000 Backup channel usage: 30% Stable time: 1 days, 13 hours, 35 minutes Last state change information: 2018-03-22 16:01:56 HRP link changes to up. Configuration: hello interval: 1000ms preempt: 60s mirror configuration: off mirror session: off track trunk member: on auto-sync configuration: on auto-sync connection-status: on adjust ospf-cost: on adjust ospfv3-cost: on adjust bgp-cost: on nat resource: off Detail information: GigabitEthernet0/0/1: up GigabitEthernet0/0/3: up ospfv3-cost: +65500
Run the ping 2001:db8:6::4 command on the PC in the trust zone to ping the router in the untrust zone. The ping operation is successful. Run the display firewall ipv6 session table command on FW_A and FW_B. Sessions between the two FWs are successfully created and backed up.
FW_A
FW_B
HRP_M<FW_A> display firewall ipv6 session table Current Total Sessions : 2 icmpv6 VPN: public --> public 2001:DB8:3::4.0 --> 2001:DB8:6::4.2048 icmpv6 VPN: public --> public 2001:DB8:4::4.0 --> 2001:DB8:6::4.2048HRP_S<FW_B> display firewall ipv6 session table Current Total Sessions : 2 icmpv6 VPN: public --> public Remote 2001:DB8:3::4.0 --> 2001:DB8:6::4.2048 icmpv6 VPN: public --> public Remote 2001:DB8:4::4.0 --> 2001:DB8:6::4.2048The preceding command output shows that sessions with the Remote tag are created on FW_B. This indicates that the sessions are successfully backed up after the hot standby function is configured.
Run the ping 2001:db8:6::4 -t command on the PC, pull out the cable from GE0/0/1 on FW_A, and then check whether active/standby switchover is performed and whether ping packets are discarded. Insert the cable back to GE0/0/1 on FW_A and check again whether active/standby switchover is performed and whether ping packets are discarded. During the entire process, the ping operation is not interrupted.
Configuration Scripts
FW_A |
FW_B |
|---|---|
# ipv6 # hrp enable hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2 hrp track interface GigabitEthernet 0/0/1 hrp track interface GigabitEthernet 0/0/3 # interface GigabitEthernet 0/0/1 ipv6 enable ipv6 address 2001:DB8:6::1/64 ospfv3 100 area 0.0.0.0 # interface GigabitEthernet 0/0/3 ipv6 enable ipv6 address 2001:DB8:5::1/64 ospfv3 200 area 0.0.0.0 # interface GigabitEthernet 0/0/7 ip address 10.10.0.1 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/1 # firewall zone dmz set priority 50 add interface GigabitEthernet 0/0/7 # ospfv3 100 router-id 1.1.1.1 ospfv3 200 router-id 10.1.1.1 # security-policy rule name policy_ospfv3_1 source-zone local destination-zone trust destination-zone untrust service ospf action permit rule name policy_ospfv3_2 source-zone trust source-zone untrust destination-zone local service ospf action permit rule name policy_sec source-zone trust destination-zone untrust source-address 2001:db8:3:: 64 source-address 2001:db8:4:: 64 action permit |
# ipv6 # hrp enable hrp standby-device hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1 hrp track interface GigabitEthernet 0/0/1 hrp track interface GigabitEthernet 0/0/3 # interface GigabitEthernet 0/0/1 ipv6 enable ipv6 address 2001:DB8:6::2/64 ospfv3 100 area 0.0.0.0 # interface GigabitEthernet 0/0/3 ipv6 enable ipv6 address 2001:DB8:5::2/64 ospfv3 200 area 0.0.0.0 # interface GigabitEthernet 0/0/7 ip address 10.10.0.2 255.255.255.0 # firewall zone trust set priority 85 add interface GigabitEthernet0/0/3 # firewall zone untrust set priority 5 add interface GigabitEthernet 0/0/1 # firewall zone dmz set priority 50 add interface GigabitEthernet 0/0/7 # ospfv3 100 router-id 1.1.1.2 ospfv3 200 router-id 10.1.1.2 # security-policy rule name policy_ospfv3_1 source-zone local destination-zone trust destination-zone untrust service ospf action permit rule name policy_ospfv3_2 source-zone trust source-zone untrust destination-zone local service ospf action permit rule name policy_sec source-zone trust destination-zone untrust source-address 2001:db8:3:: 64 source-address 2001:db8:4:: 64 action permit |