This section provides a CLI example of how to configure hot standby in load balancing mode in which the service interfaces of the firewalls work at Layer 2 and connect to routers in upstream and downstream directions.
As shown in Figure 1, the service interfaces of the FWs work at Layer 2 and are directly connected to routers. The upstream and downstream service interfaces on the FWs are added to VLAN2. OSPF runs between the upstream and downstream routers. The FWs work as Layer-2 devices and transparently forward OSPF packets. The FWs are expected to work in load balancing mode. Normally, both FW_A and FW_B forward traffic. If either FW fails, the other FW forwards all traffic to ensure service continuity.
# On FWs, use the upstream and downstream service interfaces as Layer-2 interfaces and add them to the same VLAN.

FW_A:

```
[FW_A] vlan batch 2
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] portswitch
[FW_A-GigabitEthernet0/0/1] port link-type access
[FW_A-GigabitEthernet0/0/1] port default vlan 2
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] portswitch
[FW_A-GigabitEthernet0/0/3] port link-type access
[FW_A-GigabitEthernet0/0/3] port default vlan 2
[FW_A-GigabitEthernet0/0/3] quit
```

FW_B:

```
[FW_B] vlan batch 2
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] portswitch
[FW_B-GigabitEthernet0/0/1] port link-type access
[FW_B-GigabitEthernet0/0/1] port default vlan 2
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] portswitch
[FW_B-GigabitEthernet0/0/3] port link-type access
[FW_B-GigabitEthernet0/0/3] port default vlan 2
[FW_B-GigabitEthernet0/0/3] quit
```

# Set an IP address for the heartbeat interface on FWs.

FW_A:

```
[FW_A] interface GigabitEthernet 0/0/7
[FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet0/0/7] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/7
[FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet0/0/7] quit
```

# Assign the interfaces to security zones on FWs.

FW_A:

```
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/3
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_A-zone-dmz] quit
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit
```

FW_B:

```
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/3
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_B-zone-dmz] quit
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit
```
# Configure a VGMP group to monitor VLAN 2 on both FWs.

FW_A:

```
[FW_A] hrp track vlan 2
```

FW_B:

```
[FW_B] hrp track vlan 2
```

# Configure quick session backup on both FWs in case of inconsistent forward and return packet paths.

FW_A:

```
[FW_A] hrp mirror session enable
```

FW_B:

```
[FW_B] hrp mirror session enable
```

# Specify the heartbeat interface and enable hot standby on FWs.

FW_A:

```
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
[FW_A] hrp enable
```

FW_B:

```
[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
[FW_B] hrp enable
```
# Configure a security policy that allows the OSPF packets exchanged between the upstream and downstream routers and the packets exchanged between the intranet and the Internet.

When the service interfaces of the FWs work at Layer 2, OSPF packets between the upstream and downstream devices must pass through the FWs. Whether OSPF packets are subject to security policies is controlled by the firewall packet-filter basic-protocol enable command, which is enabled by default; that is, OSPF packets are filtered by security policies by default. In this case, a security policy that permits OSPF must be configured between the security zone of the upstream service interface and the security zone of the downstream service interface. This example assumes that firewall packet-filter basic-protocol enable is in effect. Because automatic configuration synchronization is on (see the display hrp state verbose output below), the policy is configured on FW_A only and is synchronized to FW_B.

```
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_ospf_1
HRP_M[FW_A-policy-security-rule-policy_ospf_1] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_ospf_1] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy_ospf_1] source-address 10.3.0.1 32
HRP_M[FW_A-policy-security-rule-policy_ospf_1] source-address 10.3.1.1 32
HRP_M[FW_A-policy-security-rule-policy_ospf_1] destination-address 10.3.0.2 32
HRP_M[FW_A-policy-security-rule-policy_ospf_1] destination-address 10.3.1.2 32
HRP_M[FW_A-policy-security-rule-policy_ospf_1] service ospf
HRP_M[FW_A-policy-security-rule-policy_ospf_1] action permit
HRP_M[FW_A-policy-security-rule-policy_ospf_1] quit
HRP_M[FW_A-policy-security] rule name policy_ospf_2
HRP_M[FW_A-policy-security-rule-policy_ospf_2] source-zone untrust
HRP_M[FW_A-policy-security-rule-policy_ospf_2] destination-zone trust
HRP_M[FW_A-policy-security-rule-policy_ospf_2] source-address 10.3.0.2 32
HRP_M[FW_A-policy-security-rule-policy_ospf_2] source-address 10.3.1.2 32
HRP_M[FW_A-policy-security-rule-policy_ospf_2] destination-address 10.3.0.1 32
HRP_M[FW_A-policy-security-rule-policy_ospf_2] destination-address 10.3.1.1 32
HRP_M[FW_A-policy-security-rule-policy_ospf_2] service ospf
HRP_M[FW_A-policy-security-rule-policy_ospf_2] action permit
HRP_M[FW_A-policy-security-rule-policy_ospf_2] quit
HRP_M[FW_A-policy-security] rule name policy_sec
HRP_M[FW_A-policy-security-rule-policy_sec] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec] source-address 10.3.2.0 24
HRP_M[FW_A-policy-security-rule-policy_sec] source-address 10.3.3.0 24
HRP_M[FW_A-policy-security-rule-policy_sec] action permit
HRP_M[FW_A-policy-security-rule-policy_sec] quit
HRP_M[FW_A-policy-security] quit
```
Configure OSPF on the routers to advertise routes. For configuration commands, refer to the related documents of the routers.
# Run the display hrp state verbose command on FW_A and FW_B to check the VGMP group status. If the following information is displayed, the hot standby relationship has been established successfully.

FW_A:

```
HRP_M<FW_A> display hrp state verbose
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_
state = normal(active), new_state = normal(active), local_priority = 45000,
peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
vlan 2: enabled
```

FW_B:

```
HRP_S<FW_B> display hrp state verbose
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_
state = normal(active), new_state = normal(active), local_priority = 45000,
peer_priority = 45000.
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: off
Detail information:
vlan 2: enabled
```
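As an added example (not part of the original Huawei documentation), the following Python parses the display hrp state verbose output shown above and flags any setting that would break load balancing or session backup; the sample text is an abridged copy of FW_A's output from this page, and the function names are our own.

```python
import re

# Constructed sample: abridged copy of the FW_A `display hrp state verbose` output on this page.
SAMPLE_HRP_STATE = """\
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 30%
Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
nat resource: off
Detail information:
vlan 2: enabled
"""

def parse_hrp_state(output):
    """Parse `display hrp state verbose` output into a flat dict of settings."""
    state = {}
    m = re.search(r"Role: (\w+), peer: (\w+)", output)
    state["role"], state["peer_role"] = m.group(1), m.group(2)
    m = re.search(r"Running priority: (\d+), peer: (\d+)", output)
    state["priority"], state["peer_priority"] = int(m.group(1)), int(m.group(2))
    state["backup_channel_usage"] = int(re.search(r"Backup channel usage: (\d+)%", output).group(1))
    # on/off and enabled/disabled lines under "Configuration:" and "Detail information:"
    for key, val in re.findall(r"^([a-z][\w -]*?): (on|off|enabled|disabled)$", output, re.M):
        state[key] = val in ("on", "enabled")
    return state

def check_load_balancing(output, tracked_vlan=2):
    """Return findings; an empty list means the pair is healthy in load balancing mode."""
    s = parse_hrp_state(output)
    findings = []
    if (s["role"], s["peer_role"]) != ("active", "active"):
        findings.append(f"expected active/active roles, got {s['role']}/{s['peer_role']}")
    if s["priority"] != s["peer_priority"]:
        findings.append("VGMP priorities differ: a tracked object has probably failed on one FW")
    if not s.get("mirror session"):
        findings.append("quick session backup (hrp mirror session enable) is off")
    if not s.get(f"vlan {tracked_vlan}"):
        findings.append(f"vlan {tracked_vlan} is not tracked by the VGMP group")
    if not s.get("auto-sync configuration"):
        findings.append("auto-sync configuration is off: the security policy will not replicate")
    return findings
```

Run check_load_balancing on the output collected from each FW; any non-empty result means the pair no longer matches the load-balancing configuration this section describes.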
FW_A:

```
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
hrp mirror session enable
hrp track vlan 2
#
vlan batch 2
#
interface GigabitEthernet 0/0/3
 portswitch
 port link-type access
 port default vlan 2
#
interface GigabitEthernet 0/0/1
 portswitch
 port link-type access
 port default vlan 2
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
security-policy
 rule name policy_ospf_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 32
  source-address 10.3.1.1 32
  destination-address 10.3.0.2 32
  destination-address 10.3.1.2 32
  service ospf
  action permit
 rule name policy_ospf_2
  source-zone untrust
  destination-zone trust
  source-address 10.3.0.2 32
  source-address 10.3.1.2 32
  destination-address 10.3.0.1 32
  destination-address 10.3.1.1 32
  service ospf
  action permit
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  source-address 10.3.3.0 24
  action permit
```

FW_B:

```
#
hrp enable
hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
hrp mirror session enable
hrp track vlan 2
#
vlan batch 2
#
interface GigabitEthernet 0/0/3
 portswitch
 port link-type access
 port default vlan 2
#
interface GigabitEthernet 0/0/1
 portswitch
 port link-type access
 port default vlan 2
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
security-policy
 rule name policy_ospf_1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.1 32
  source-address 10.3.1.1 32
  destination-address 10.3.0.2 32
  destination-address 10.3.1.2 32
  service ospf
  action permit
 rule name policy_ospf_2
  source-zone untrust
  destination-zone trust
  source-address 10.3.0.2 32
  source-address 10.3.1.2 32
  destination-address 10.3.0.1 32
  destination-address 10.3.1.1 32
  service ospf
  action permit
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  source-address 10.3.3.0 24
  action permit
```