
CLI: Example for Configuring Hot Standby in Active/Standby Mode Where Firewalls Connect to Switches in Out-of-path Mode and Static Routes Are Configured on the Switches to Divert Traffic to the Firewalls

This section provides an example of how to connect two FWs to the core switches of a data center in out-of-path mode and configure static routes on the switches to divert traffic to the FWs. The FWs work in active/standby mode.

Networking Requirements

As shown in Figure 1, two FWs are connected to the core switches of the data center in out-of-path mode to secure the data center network. All traffic on the core switches is diverted to the FWs by static routes for security checks. The FWs are expected to work in active/standby mode: normally, traffic is forwarded by FW_A, and if FW_A fails, FW_B takes over to ensure service continuity.

Figure 1 Networking diagram for configuring hot standby when the FWs are deployed in off-line mode (using static routing for traffic diversion)

Configuration Roadmap

  1. As shown in Figure 2, if the core switches are to use static routes to divert traffic to the FWs, you need to configure static routes on them with the next hops set to the IP addresses of the FW interfaces. However, the core switches run OSPF with both the upstream routers and the downstream aggregation switches, so they already learn routes to both sides over OSPF. Traffic reaching the core switches would therefore be forwarded directly to the upstream or downstream devices instead of being diverted to the FWs.

    Therefore, you must configure the virtual routing and forwarding (VRF) function on the core switches to split each core switch into a public switch (Public), which connects to the upstream devices, and a virtual switch (VRF), which connects to the downstream switches. The routing tables of the two virtualized switches are isolated from each other, so traffic between them has to pass through the FWs, which is how the traffic is diverted.

    Figure 2 Configuring VRF on the switches
  2. Figure 2 can be abstracted as Figure 3. The FWs exchange traffic with the upstream and downstream switches (Public and VRF) over static routes, and a static route needs a next hop that stays reachable after an active/standby switchover. Therefore, you need to configure VRRP groups on the FWs and switches so that they communicate using the virtual IP addresses of the VRRP groups rather than the interface addresses of individual devices.

    As shown in Figure 3, configure static routes on the FWs and set the next hops to the IP addresses of VRRP groups 3 and 4. Configure a static route on the Public switch and set the next hop to the IP address of VRRP group 2. Configure a static route on the VRF switch and set the next hop to the IP address of VRRP group 1.

    Figure 3 Configuring VRRP on the FWs and switches

    The core switches run static routes with the FWs and OSPF with other devices. Figure 3 lists only the core switch interfaces related to the FWs.

  3. Specify GE0/0/7 on the FW as the heartbeat interface and enable hot standby.

  4. Configure security functions, such as security policies, IPS, and attack defense, on FW_A. FW_A will automatically synchronize its configurations to FW_B. This section describes only security policy configurations as an example.

Procedure

  1. Set interface IP addresses and assign the interfaces to security zones.

    # Set IP addresses for the interfaces on FWs.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] ip address 10.0.0.1 24
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] ip address 10.1.0.1 24
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_A] interface GigabitEthernet 0/0/7
    [FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet0/0/7] quit
    <FW_B> system-view
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GigabitEthernet0/0/2] ip address 10.0.0.2 24
    [FW_B-GigabitEthernet0/0/2] quit
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] ip address 10.1.0.2 24
    [FW_B-GigabitEthernet0/0/3] quit
    [FW_B] interface GigabitEthernet 0/0/7
    [FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
    [FW_B-GigabitEthernet0/0/7] quit

    # Assign the interfaces to security zones on FWs.

    [FW_A] firewall zone untrust
    [FW_A-zone-untrust] add interface GigabitEthernet 0/0/3
    [FW_A-zone-untrust] quit
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_A-zone-dmz] quit
    [FW_A] firewall zone trust
    [FW_A-zone-trust] add interface GigabitEthernet 0/0/2
    [FW_A-zone-trust] quit
    [FW_B] firewall zone untrust
    [FW_B-zone-untrust] add interface GigabitEthernet 0/0/3
    [FW_B-zone-untrust] quit
    [FW_B] firewall zone dmz
    [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_B-zone-dmz] quit
    [FW_B] firewall zone trust
    [FW_B-zone-trust] add interface GigabitEthernet 0/0/2
    [FW_B-zone-trust] quit

  2. Create static routes.

    # Configure a static route (default route) for the upstream direction and set the next hop to the IP address of VRRP group 4.

    [FW_A] ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
    [FW_B] ip route-static 0.0.0.0 0.0.0.0 10.1.0.6

    # Configure a static route for the downstream direction and set the destination address to an address in the server area and the next hop to the IP address of VRRP group 3.

    [FW_A] ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
    [FW_B] ip route-static 192.168.0.0 255.255.0.0 10.0.0.6

  3. Configure hot standby.

    # Configure VRRP groups on FWs.

    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.0.0.3 active
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] interface GigabitEthernet 0/0/3
    [FW_A-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.1.0.3 active
    [FW_A-GigabitEthernet0/0/3] quit
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.0.0.3 standby
    [FW_B-GigabitEthernet0/0/2] quit
    [FW_B] interface GigabitEthernet 0/0/3
    [FW_B-GigabitEthernet0/0/3] vrrp vrid 2 virtual-ip 10.1.0.3 standby
    [FW_B-GigabitEthernet0/0/3] quit

    # Specify the heartbeat interface and enable hot standby on FWs.

    [FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
    [FW_A] hrp enable
    [FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
    [FW_B] hrp enable

  4. Configure a security policy.

    Configure a security policy on FW_A to allow Internet users to access the server area (subnet: 192.168.0.0/16, port: 80) in the data center. Security policies configured on FW_A will be automatically backed up to FW_B.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name policy_sec1 
    HRP_M[FW_A-policy-security-rule-policy_sec1] source-zone untrust
    HRP_M[FW_A-policy-security-rule-policy_sec1] destination-zone trust
    HRP_M[FW_A-policy-security-rule-policy_sec1] destination-address 192.168.0.0 16
    HRP_M[FW_A-policy-security-rule-policy_sec1] service http
    HRP_M[FW_A-policy-security-rule-policy_sec1] action permit 

  5. Configure the core switches.

    This example describes only the switch configurations related to firewall connection.

    # Configure Switch1.

    [Switch1] ip vpn-instance VRF     //Create VRF.
    [Switch1-vpn-instance-VRF] ipv4-family
    [Switch1-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
    [Switch1-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
    [Switch1-vpn-instance-VRF-af-ipv4] quit
    [Switch1-vpn-instance-VRF] quit
    [Switch1] vlan 2
    [Switch1-vlan2] port gigabitethernet 1/0/3 to 1/0/4     //Add the interfaces to VLAN2.
    [Switch1-vlan2] quit
    [Switch1] interface Vlanif 2
    [Switch1-Vlanif2] ip binding vpn-instance VRF     //Bind VLANIF2 to VRF.
    [Switch1-Vlanif2] ip address 10.0.0.4 24
    [Switch1-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6     //Create VRRP group 3.
    [Switch1-Vlanif2] vrrp vrid 3 priority 120     //Set the priority to 120. The device with the higher priority becomes the master of the VRRP group.
    [Switch1-Vlanif2] quit
    [Switch1] vlan 3
    [Switch1-vlan3] port gigabitethernet 1/0/1 to 1/0/2     //Add the interfaces to VLAN3.
    [Switch1-vlan3] quit
    [Switch1] interface Vlanif 3
    [Switch1-Vlanif3] ip address 10.1.0.4 24
    [Switch1-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6     //Create VRRP group 4.
    [Switch1-Vlanif3] vrrp vrid 4 priority 120     //Set the priority to 120. The device with the higher priority becomes the master of the VRRP group.
    [Switch1-Vlanif3] quit
    [Switch1] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3    //Configure a default route on the VRF and set the next hop to the virtual IP address of VRRP group 1. 
    [Switch1] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3    //Configure a static route on the Public switch and set the next hop to the virtual IP address of VRRP group 2. 

    # Configure Switch2.

    [Switch2] ip vpn-instance VRF     //Create VRF.
    [Switch2-vpn-instance-VRF] ipv4-family
    [Switch2-vpn-instance-VRF-af-ipv4] route-distinguisher 100:1
    [Switch2-vpn-instance-VRF-af-ipv4] vpn-target 111:1 both
    [Switch2-vpn-instance-VRF-af-ipv4] quit
    [Switch2-vpn-instance-VRF] quit
    [Switch2] vlan 2
    [Switch2-vlan2] port gigabitethernet 1/0/3 to 1/0/4     //Add the interfaces to VLAN2.
    [Switch2-vlan2] quit
    [Switch2] interface Vlanif 2
    [Switch2-Vlanif2] ip binding vpn-instance VRF     //Bind VLANIF2 to VRF.
    [Switch2-Vlanif2] ip address 10.0.0.5 24
    [Switch2-Vlanif2] vrrp vrid 3 virtual-ip 10.0.0.6     //Create VRRP group 3.
    [Switch2-Vlanif2] vrrp vrid 3 priority 100     //Set the priority to 100. The device with the lower priority becomes the backup of the VRRP group.
    [Switch2-Vlanif2] quit
    [Switch2] vlan 3
    [Switch2-vlan3] port gigabitethernet 1/0/1 to 1/0/2     //Add the interfaces to VLAN3.
    [Switch2-vlan3] quit
    [Switch2] interface Vlanif 3
    [Switch2-Vlanif3] ip address 10.1.0.5 24
    [Switch2-Vlanif3] vrrp vrid 4 virtual-ip 10.1.0.6     //Create VRRP group 4.
    [Switch2-Vlanif3] vrrp vrid 4 priority 100     //Set the priority to 100. The device with the lower priority becomes the backup of the VRRP group.
    [Switch2-Vlanif3] quit
    [Switch2] ip route-static vpn-instance VRF 0.0.0.0 0.0.0.0 10.0.0.3    //Configure a default route on the VRF and set the next hop to the virtual IP address of VRRP group 1. 
    [Switch2] ip route-static 192.168.0.0 255.255.0.0 10.1.0.3    //Configure a static route on the Public switch and set the next hop to the virtual IP address of VRRP group 2. 
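    The following Python model is an added illustration and is not part of the original page or of Huawei's own tooling. It transcribes the static routes and VRRP groups configured above, traces the hops a packet takes between the Public side, the FWs and the VRF side, shows the path moving to FW_B when FW_A fails, and flags any static route whose next hop is a physical address instead of a VRRP virtual IP. The "OSPF:*" next hops and the set of failed devices are constructed assumptions standing in for routes the page does not list.

```python
import ipaddress
# VRRP groups from the page: virtual IP -> owners, active/master device first.
VRRP = {
    "10.0.0.3": ("FW_A", "FW_B"),                      # group 1, FW GE0/0/2
    "10.1.0.3": ("FW_A", "FW_B"),                      # group 2, FW GE0/0/3
    "10.0.0.6": ("Switch1-VRF", "Switch2-VRF"),        # group 3, VLANIF2 (VRF)
    "10.1.0.6": ("Switch1-Public", "Switch2-Public"),  # group 4, VLANIF3 (Public)
}
# Static routes from the page; "OSPF:*" are constructed placeholders for the
# OSPF-learned routes toward the upstream routers and aggregation switches.
TABLES = {
    "FW":     {"0.0.0.0/0": "10.1.0.6", "192.168.0.0/16": "10.0.0.6"},
    "Public": {"0.0.0.0/0": "OSPF:upstream-router", "192.168.0.0/16": "10.1.0.3"},
    "VRF":    {"0.0.0.0/0": "10.0.0.3", "192.168.0.0/16": "OSPF:aggregation-switch"},
}

def table_of(node):
    """Map a device name to the routing table it forwards with."""
    return "FW" if node.startswith("FW_") else ("Public" if node.endswith("Public") else "VRF")

def lookup(table, dst):
    """Longest-prefix match of dst against one routing table; returns the next hop."""
    addr = ipaddress.ip_address(dst)
    best = max((n for n in table if addr in ipaddress.ip_network(n)),
               key=lambda n: ipaddress.ip_network(n).prefixlen)
    return table[best]

def vip_owner(vip, failed):
    """Highest-priority live device currently holding a VRRP virtual IP."""
    for owner in VRRP[vip]:
        if owner not in failed:
            return owner
    raise RuntimeError(f"no live owner for {vip}")

def trace(start, dst, failed=()):
    """Hops from `start` toward `dst`, ending with the OSPF domain that takes the packet."""
    path, node = [start], start
    for _ in range(8):  # guard against routing loops
        nh = lookup(TABLES[table_of(node)], dst)
        if nh.startswith("OSPF:"):
            return path + [nh]
        node = vip_owner(nh, failed)  # VIP next hop resolves to whoever is master now
        path.append(node)
    raise RuntimeError("routing loop")

def non_vip_next_hops():
    """Static routes whose next hop is not a VRRP VIP; they would keep pointing at a failed box."""
    return [(t, p, nh) for t, tbl in TABLES.items() for p, nh in tbl.items()
            if not nh.startswith("OSPF:") and nh not in VRRP]
```

Every traced path should contain exactly one FW hop, and non_vip_next_hops() should return an empty list for the configuration on this page.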

Verification

  1. Run the display hrp state verbose command on FW_A and FW_B to view hot standby status.

    HRP_M<FW_A> display hrp state verbose
     Role: active, peer: standby           
     Running priority: 45000, peer: 45000
     Backup channel usage: 30%              
     Stable time: 1 days, 13 hours, 35 minutes
     Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_
    state = normal(standby), new_state = normal(active), local_priority = 45000,
     peer_priority = 45000.       
    
     Configuration:                        
     hello interval:              1000ms   
     preempt:                     60s      
     mirror configuration:        off      
     mirror session:              off      
     track trunk member:          on       
     auto-sync configuration:     on       
     auto-sync connection-status: on       
     adjust ospf-cost:            on       
     adjust ospfv3-cost:          on       
     adjust bgp-cost:             on       
     nat resource:                off      
                                           
     Detail information:                   
               GigabitEthernet0/0/2 vrrp vrid 1: active
               GigabitEthernet0/0/3 vrrp vrid 2: active
    HRP_S<FW_B> display hrp state verbose
     Role: standby, peer: active           
     Running priority: 45000, peer: 45000
     Backup channel usage: 30%              
     Stable time: 1 days, 13 hours, 35 minutes
     Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_
    state = initial, new_state = normal(standby), local_priority = 45000,
     peer_priority = 45000.       
                                
     Configuration:                        
     hello interval:              1000ms   
     preempt:                     60s      
     mirror configuration:        off      
     mirror session:              off      
     track trunk member:          on       
     auto-sync configuration:     on       
     auto-sync connection-status: on       
     adjust ospf-cost:            on       
     adjust ospfv3-cost:          on       
     adjust bgp-cost:             on       
     nat resource:                off      
                                           
     Detail information:                   
               GigabitEthernet0/0/2 vrrp vrid 1: standby
               GigabitEthernet0/0/3 vrrp vrid 2: standby
  2. Run the display firewall session table command on FW_A and FW_B. The output shows that FW_A has session entries, which indicates that traffic on the core switches is being diverted to the FW and that hot standby in active/standby mode is working as configured.

Configuration Scripts

FW_A

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
#
interface GigabitEthernet 0/0/2
 ip address 10.0.0.1 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.3 active
#
interface GigabitEthernet 0/0/3
 ip address 10.1.0.1 255.255.255.0     
 vrrp vrid 2 virtual-ip 10.1.0.3 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#  
firewall zone trust        
 set priority 85           
 add interface GigabitEthernet 0/0/2
#  
firewall zone dmz          
 set priority 50           
 add interface GigabitEthernet0/0/7
#  
firewall zone untrust        
 set priority 5           
 add interface GigabitEthernet 0/0/3
#
 ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
#    
security-policy
 rule name policy_sec1
  source-zone untrust
  destination-zone trust
  destination-address 192.168.0.0 16 
  service http
  action permit

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
#
interface GigabitEthernet 0/0/2
 ip address 10.0.0.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.0.0.3 standby
#
interface GigabitEthernet 0/0/3
 ip address 10.1.0.2 255.255.255.0     
 vrrp vrid 2 virtual-ip 10.1.0.3 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#  
firewall zone trust        
 set priority 85           
 add interface GigabitEthernet 0/0/2
#  
firewall zone dmz          
 set priority 50           
 add interface GigabitEthernet0/0/7
#  
firewall zone untrust        
 set priority 5           
 add interface GigabitEthernet 0/0/3
#          
 ip route-static 0.0.0.0 0.0.0.0 10.1.0.6
 ip route-static 192.168.0.0 255.255.0.0 10.0.0.6
#    
security-policy
 rule name policy_sec1
  source-zone untrust
  destination-zone trust
  destination-address 192.168.0.0 16 
  service http
  action permit
Copyright © Huawei Technologies Co., Ltd.