This section provides a CLI example of configuring hot standby in active/standby mode in which the service interfaces of the firewalls work at Layer 3 and connect to switches in upstream and downstream directions.
On the network shown in Figure 1, the service interfaces of two FWs work at Layer 3 and are directly connected to switches. The upstream switch is connected to the carrier network, and the public IP address the carrier assigns to the enterprise is 1.1.1.1. The FWs are expected to work in active/standby mode. Normally, traffic is forwarded by FW_A. If FW_A is faulty, FW_B takes over to ensure service continuity.
# Set IP addresses for the interfaces on FWs.

FW_A:

```
<FW_A> system-view
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 10.2.0.1 24
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
[FW_A-GigabitEthernet0/0/3] quit
[FW_A] interface GigabitEthernet 0/0/7
[FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet0/0/7] quit
```

FW_B:

```
<FW_B> system-view
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 10.2.0.2 24
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] ip address 10.3.0.2 24
[FW_B-GigabitEthernet0/0/3] quit
[FW_B] interface GigabitEthernet 0/0/7
[FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet0/0/7] quit
```

# Assign the interfaces to security zones on FWs.

FW_A:

```
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit
```

FW_B:

```
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_B-zone-dmz] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit
```

# Create a default route with next hop 1.1.1.10 on FWs.

FW_A:

```
[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
```

FW_B:

```
[FW_B] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
```
# Configure VRRP group 1 on upstream service interface GE0/0/1 of FW_A and set the VRRP group status to Active. Configure VRRP group 1 on upstream service interface GE0/0/1 of FW_B and set the VRRP group status to Standby. Note that if the interface IP address resides on a different subnet from the address of the VRRP group, you need to specify a subnet mask when setting the address of the VRRP group. That is the case here: GE0/0/1 is on 10.2.0.0/24 while the virtual IP address 1.1.1.1 is on 1.1.1.0/24, so the mask 24 is given in the command.

FW_A:

```
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 active
[FW_A-GigabitEthernet0/0/1] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] vrrp vrid 1 virtual-ip 1.1.1.1 24 standby
[FW_B-GigabitEthernet0/0/1] quit
```

# Configure VRRP group 2 on downstream service interface GE0/0/3 of FW_A and set the VRRP group status to Active. Configure VRRP group 2 on downstream service interface GE0/0/3 of FW_B and set the VRRP group status to Standby. The virtual IP address 10.3.0.3 is on the same subnet as the interface addresses, so no mask is needed.

FW_A:

```
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 active
[FW_A-GigabitEthernet0/0/3] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.3.0.3 standby
[FW_B-GigabitEthernet0/0/3] quit
```
# Specify GE0/0/7 as the heartbeat interface, with the peer's heartbeat address as the remote address, and enable hot standby on FWs.

FW_A:

```
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
[FW_A] hrp enable
```

FW_B:

```
[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
[FW_B] hrp enable
```
After hot standby is enabled, the prompt of the active FW changes to HRP_M and that of the standby FW to HRP_S. The security policy and NAT policy below are configured on FW_A only; with configuration auto-sync on (see the display hrp state verbose output later in this section), they are synchronized to FW_B automatically.

# Configure a security policy to allow intranet users to access the Internet.

```
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name trust_to_untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
HRP_M[FW_A-policy-security] quit
```

# Configure a NAT policy to translate source addresses on subnet 10.3.0.0/16 to an IP address in the NAT address pool (1.1.1.2 to 1.1.1.5) when intranet users access the Internet.

```
HRP_M[FW_A] nat address-group group1
HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
HRP_M[FW_A-address-group-group1] route enable
HRP_M[FW_A-address-group-group1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat1
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 16
HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1
```
Configure equal-cost routes to the FWs, with the next hop being the virtual IP address of VRRP group 1 (1.1.1.1).
Run the display vrrp command on FW_A and FW_B to check the status information about the interfaces in the VRRP group. If the following information is displayed, the VRRP group is successfully created.
FW_A:

```
HRP_M<FW_A> display vrrp
  GigabitEthernet0/0/1 | Virtual Router 1
    State : Master
    Virtual IP : 1.1.1.1
    Master IP : 10.2.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:35:54 UTC+08:00
    Last change time : 2018-03-22 16:01:56 UTC+08:00

  GigabitEthernet0/0/3 | Virtual Router 2
    State : Master
    Virtual IP : 10.3.0.3
    Master IP : 10.3.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:35:54 UTC+08:01
    Last change time : 2018-03-22 16:01:56 UTC+08:01
```

FW_B:

```
HRP_S<FW_B> display vrrp
  GigabitEthernet0/0/1 | Virtual Router 1
    State : Backup
    Virtual IP : 1.1.1.1
    Master IP : 10.2.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0101
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:37:54 UTC+08:00
    Last change time : 2018-03-22 16:03:56 UTC+08:00

  GigabitEthernet0/0/3 | Virtual Router 2
    State : Backup
    Virtual IP : 10.3.0.3
    Master IP : 10.3.0.1
    PriorityRun : 120
    PriorityConfig : 100
    MasterPriority : 120
    Preempt : YES
    Delay Time : 0 s
    TimerRun : 60 s
    TimerConfig : 60 s
    Auth type : NONE
    Virtual MAC : 0000-5e00-0102
    Check TTL : YES
    Config type : vgmp-vrrp
    Backup-forward : disabled
    Create time : 2018-03-17 17:37:54 UTC+08:01
    Last change time : 2018-03-22 16:03:56 UTC+08:01
```
Run the display hrp state verbose command on FW_A and FW_B to check the VGMP group status. If the following information is displayed, hot standby relationship is successfully established.
FW_A:

```
HRP_M<FW_A> display hrp state verbose
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = normal(standby), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

 Configuration:
   hello interval: 1000ms
   preempt: 60s
   mirror configuration: off
   mirror session: off
   track trunk member: on
   auto-sync configuration: on
   auto-sync connection-status: on
   adjust ospf-cost: on
   adjust ospfv3-cost: on
   adjust bgp-cost: on
   nat resource: off

 Detail information:
   GigabitEthernet0/0/1 vrrp vrid 1: active
   GigabitEthernet0/0/3 vrrp vrid 2: active
```

FW_B:

```
HRP_S<FW_B> display hrp state verbose
 Role: standby, peer: active
 Running priority: 45000, peer: 45000
 Backup channel usage: 30%
 Stable time: 1 days, 13 hours, 35 minutes
 Last state change information: 2018-03-22 16:03:56 HRP core state changed, old_state = normal(standby), new_state = normal(standby), local_priority = 45000, peer_priority = 45000.

 Configuration:
   hello interval: 1000ms
   preempt: 60s
   mirror configuration: off
   mirror session: off
   track trunk member: on
   auto-sync configuration: on
   auto-sync connection-status: on
   adjust ospf-cost: on
   adjust ospfv3-cost: on
   adjust bgp-cost: on
   nat resource: off

 Detail information:
   GigabitEthernet0/0/1 vrrp vrid 1: standby
   GigabitEthernet0/0/3 vrrp vrid 2: standby
```
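Checking the two outputs above by eye works for one pair, but the same check is worth automating when it is repeated after every change or switchover test. The following Python script is an added example and not part of this configuration guide: it parses captured `display vrrp` and `display hrp state verbose` text from both firewalls and reports anything inconsistent with a healthy active/standby pair: HRP roles that are not one active plus one standby, a peer view that disagrees with the peer's own role, a virtual router without exactly one Master, virtual IP/MAC or interface differences between the peers, a VRRP Master that is not on the HRP active device, and a mismatch between the VRRP state and the HRP detail view. The sample outputs are constructed from the field layout shown above and trimmed to the fields the check reads; the split-brain case (both firewalls claiming active, as after loss of the GE0/0/7 heartbeat) is constructed too. Field names and the `FW_A`/`FW_B` labels are the ones on this page; everything else is this example's own.

```python
import re

# Constructed sample output in the layout of `display vrrp`, trimmed to the
# fields the check uses. FW_B prints the same groups with State : Backup.
FW_A_VRRP = """\
GigabitEthernet0/0/1 | Virtual Router 1
  State : Master
  Virtual IP : 1.1.1.1
  Master IP : 10.2.0.1
  Virtual MAC : 0000-5e00-0101
GigabitEthernet0/0/3 | Virtual Router 2
  State : Master
  Virtual IP : 10.3.0.3
  Master IP : 10.3.0.1
  Virtual MAC : 0000-5e00-0102
"""
FW_B_VRRP = FW_A_VRRP.replace("State : Master", "State : Backup")

# Constructed sample output in the layout of `display hrp state verbose`.
FW_A_HRP = """\
Role: active, peer: standby
Running priority: 45000, peer: 45000
Detail information:
  GigabitEthernet0/0/1 vrrp vrid 1: active
  GigabitEthernet0/0/3 vrrp vrid 2: active
"""
FW_B_HRP = """\
Role: standby, peer: active
Running priority: 45000, peer: 45000
Detail information:
  GigabitEthernet0/0/1 vrrp vrid 1: standby
  GigabitEthernet0/0/3 vrrp vrid 2: standby
"""

HEADER_RE = re.compile(r"^(\S+)\s*\|\s*Virtual Router\s+(\d+)\s*$")   # "GE... | Virtual Router N"
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z ]*?)\s*:\s*(.*?)\s*$")   # "Name : value"
ROLE_RE = re.compile(r"Role:\s*(\w+),\s*peer:\s*(\w+)")
DETAIL_RE = re.compile(r"(\S+)\s+vrrp vrid\s+(\d+):\s*(\w+)")


def parse_vrrp(text):
    """Return {vrid: {"interface": ..., "State": ..., "Virtual IP": ..., ...}}."""
    groups, current = {}, None
    for line in text.splitlines():
        header = HEADER_RE.match(line.strip())
        if header:
            current = {"interface": header.group(1)}
            groups[int(header.group(2))] = current
            continue
        field = FIELD_RE.match(line)
        if field and current is not None:
            current[field.group(1)] = field.group(2)
    return groups


def parse_hrp(text):
    """Return the local role, the role the device believes its peer has, and the per-VRRP detail view."""
    role = ROLE_RE.search(text)
    if role is None:
        raise ValueError("no 'Role:' line in hrp output")
    detail = {(iface, int(vrid)): state for iface, vrid, state in DETAIL_RE.findall(text)}
    return {"role": role.group(1), "peer": role.group(2), "detail": detail}


def check_pair(vrrp_a, hrp_a, vrrp_b, hrp_b):
    """Return a list of findings; an empty list means the pair looks like a healthy active/standby."""
    findings = []
    if {hrp_a["role"], hrp_b["role"]} != {"active", "standby"}:
        findings.append(f"HRP roles are not one active + one standby: FW_A={hrp_a['role']}, FW_B={hrp_b['role']}")
    if hrp_a["peer"] != hrp_b["role"] or hrp_b["peer"] != hrp_a["role"]:
        findings.append("each firewall's view of its peer disagrees with the peer's own role")
    active_side = "A" if hrp_a["role"] == "active" else "B"
    for vrid in sorted(set(vrrp_a) | set(vrrp_b)):
        ga, gb = vrrp_a.get(vrid), vrrp_b.get(vrid)
        if ga is None or gb is None:
            findings.append(f"vrid {vrid} exists on only one firewall")
            continue
        for field in ("interface", "Virtual IP", "Virtual MAC", "Master IP"):
            if ga.get(field) != gb.get(field):
                findings.append(f"vrid {vrid}: {field} differs ({ga.get(field)} vs {gb.get(field)})")
        states = [ga.get("State", "?"), gb.get("State", "?")]
        if sorted(states) != ["Backup", "Master"]:
            findings.append(f"vrid {vrid}: states {states}, expected exactly one Master")
        elif ("A" if states[0] == "Master" else "B") != active_side:
            findings.append(f"vrid {vrid}: VRRP Master is not on the HRP active firewall")
        for side, hrp, g in (("A", hrp_a, ga), ("B", hrp_b, gb)):
            expected = "active" if g.get("State") == "Master" else "standby"
            got = hrp["detail"].get((g["interface"], vrid))
            if got != expected:
                findings.append(f"FW_{side} vrid {vrid}: hrp detail says {got}, vrrp says {g.get('State')}")
    return findings


def healthy_findings():
    return check_pair(parse_vrrp(FW_A_VRRP), parse_hrp(FW_A_HRP), parse_vrrp(FW_B_VRRP), parse_hrp(FW_B_HRP))


def split_brain_findings():
    # Constructed failure: FW_B has also promoted itself, so it prints exactly what FW_A prints.
    b_vrrp = FW_B_VRRP.replace("State : Backup", "State : Master")
    return check_pair(parse_vrrp(FW_A_VRRP), parse_hrp(FW_A_HRP), parse_vrrp(b_vrrp), parse_hrp(FW_A_HRP))


if __name__ == "__main__":
    for name, findings in (("healthy", healthy_findings()), ("split-brain", split_brain_findings())):
        print(f"{name}: {'OK' if not findings else ''}")
        for f in findings:
            print("  -", f)
```

In practice the four text constants are replaced by the output captured from each firewall over your management session; the check itself is unchanged. The split-brain constructed case produces four findings: both roles active, disagreeing peer views, and two Masters for each of the two virtual routers.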
Ping the Router in the Untrust zone from the PC in the Trust zone, and display session information on FW_A and FW_B.
FW_A:

```
HRP_M<FW_A> display firewall session table
 Current Total Sessions : 1
  icmp VPN: public --> public 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
```

FW_B:

```
HRP_S<FW_B> display firewall session table
 Current Total Sessions : 1
  icmp VPN: public --> public Remote 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
```
The command output shows that sessions tagged with Remote are created on FW_B, indicating that sessions are successfully backed up after you configure hot standby.
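The session backup check above is the one that decides whether a switchover is transparent to users: a session that exists on FW_A but has no Remote copy on FW_B is dropped when FW_B takes over. As an added example, not part of this guide, the following Python script compares captured `display firewall session table` output from the two firewalls and reports sessions that are not backed up, backed-up sessions whose NAT mapping differs between the peers, sessions present on the standby without the Remote tag (the standby created them itself, so it is receiving traffic that should go to the active FW), and sessions present only on the standby. The sample tables are constructed in the layout shown above; the tcp and udp entries, the extra addresses and the missing udp backup are this example's own.

```python
import re

# Constructed sample output in the layout of `display firewall session table`.
# FW_A is the HRP active device, FW_B the standby. The udp session is
# deliberately present only on FW_A to show what a missing backup looks like.
FW_A_SESSIONS = """\
HRP_M<FW_A> display firewall session table
 Current Total Sessions : 3
  icmp VPN: public --> public 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
  tcp VPN: public --> public 10.3.0.11:51234[1.1.1.3:20001] --> 1.1.1.10:443
  udp VPN: public --> public 10.3.0.12:40000[1.1.1.4:30001] --> 1.1.1.10:53
"""
FW_B_SESSIONS = """\
HRP_S<FW_B> display firewall session table
 Current Total Sessions : 2
  icmp VPN: public --> public Remote 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
  tcp VPN: public --> public Remote 10.3.0.11:51234[1.1.1.3:20001] --> 1.1.1.10:443
"""

# One session line; the [translated-ip:port] part is absent for sessions that are not NATed.
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:\s*(?P<src_vpn>\S+)\s*-->\s*(?P<dst_vpn>\S+)"
    r"\s+(?P<remote>Remote\s+)?"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"\s*-->\s*(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)


def parse_sessions(text):
    """Return {(proto, src, sport, dst, dport): {"remote": bool, "nat": (ip, port) or None}}."""
    sessions = {}
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if not m:
            continue  # prompt and "Current Total Sessions" lines
        key = (m["proto"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]))
        nat = (m["nat_ip"], int(m["nat_port"])) if m["nat_ip"] else None
        sessions[key] = {"remote": m["remote"] is not None, "nat": nat}
    return sessions


def compare_session_tables(active_text, standby_text):
    """Compare the active firewall's table against the standby's and classify the differences."""
    active = parse_sessions(active_text)
    standby = parse_sessions(standby_text)
    report = {"not_backed_up": [], "nat_mismatch": [], "local_on_standby": [], "stale_on_standby": []}
    for key, a in active.items():
        b = standby.get(key)
        if b is None:
            report["not_backed_up"].append(key)          # would be lost at switchover
        elif a["nat"] != b["nat"]:
            report["nat_mismatch"].append(key)           # backed up, but the translation differs
    for key, b in standby.items():
        if key not in active:
            report["stale_on_standby"].append(key)       # no longer exists on the active device
        elif not b["remote"]:
            report["local_on_standby"].append(key)       # standby built it itself: traffic reached the standby
    return report


if __name__ == "__main__":
    for category, keys in compare_session_tables(FW_A_SESSIONS, FW_B_SESSIONS).items():
        print(f"{category}: {len(keys)}")
        for key in keys:
            print("  ", key)
```

A non-empty `not_backed_up` list right after the pair is set up usually means the session was created before hot standby was enabled or before the heartbeat channel came up; re-running the ping test after both firewalls report a stable HRP state should clear it. A recurring `local_on_standby` entry is the one to investigate, because it means the downstream switch or upstream device is still forwarding some traffic to the standby.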
Run the ping 1.1.1.10 -t command on the PC, pull out the cable from GE0/0/1 on FW_A, and then check whether an active/standby switchover is performed and whether any ping packets are discarded. Insert the cable back into GE0/0/1 on FW_A and check again whether an active/standby switchover is performed and whether any ping packets are discarded.
FW_A:

```
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#
nat address-group group1
 route enable
 section 0 1.1.1.2 1.1.1.5
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 16
  action source-nat address-group group1
```

FW_B:

```
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
interface GigabitEthernet 0/0/1
 ip address 10.2.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.0.3 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#
nat address-group group1
 route enable
 section 0 1.1.1.2 1.1.1.5
#
security-policy
 rule name trust_to_untrust
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit
#
nat-policy
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 16
  action source-nat address-group group1
```