
CLI: Example for Configuring Hot Standby in Mirroring Mode (Routing Mode)

This section describes how to configure hot standby when service interfaces on two firewalls work at Layer 3 in mirroring mode.

Networking Requirements

On the network shown in Figure 1, the service interfaces of the two FWs work at Layer 3 and are directly connected to switches in both the upstream and downstream directions. Each FW is connected to its own log host. The upstream switch is connected to the carrier network, and the IP addresses that the carrier assigns to the enterprise are 1.1.1.1 to 1.1.1.5. The two FWs are required to form hot standby networking in mirroring mode, and intranet users must be able to access the Internet. In mirroring mode, the two FWs share the same service interface addresses and route configuration, so they can be regarded as a single device.

Figure 1 Hot standby networking in mirroring mode

Configuration Roadmap

Before configuring the mirroring mode, complete the network connections and the basic hot standby configuration, but not the service interface or route configurations, which are performed later on only one FW. The configuration roadmap is as follows:

  1. Complete the basic hot standby configuration on the two FWs, including configuring VGMP groups to monitor the service interfaces (hrp track interface), configuring the heartbeat interfaces, and enabling hot standby.
  2. Enable the mirroring mode on the FWs and complete manual batch backup.
  3. Complete network configurations on one of the FWs to ensure that intranet users can access the Internet.

    After the mirroring mode is formed, all configurations (including interface and route configurations) need to be performed on only one FW. These configurations will be automatically backed up to the other FW.

Procedure

  1. Configure heartbeat interfaces and hot standby management interfaces on FWs.

    Only heartbeat interfaces and hot standby management interfaces need to be configured, and service interfaces do not need to be configured. This is because the service interface configurations will be automatically backed up after the mirroring mode is enabled.

    Hot standby management interfaces are used to connect to log hosts and NMS devices.

    # Configure addresses for the heartbeat interface and hot standby management interface on FWs and assign these interfaces to security zones.

    <FW_A> system-view
    [FW_A] interface GigabitEthernet 0/0/7
    [FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
    [FW_A-GigabitEthernet0/0/7] quit
    [FW_A] interface GigabitEthernet 0/0/2
    [FW_A-GigabitEthernet0/0/2] ip address 172.16.1.1 24
    [FW_A-GigabitEthernet0/0/2] quit
    [FW_A] firewall zone dmz
    [FW_A-zone-dmz] add interface GigabitEthernet 0/0/2
    [FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_A-zone-dmz] quit
    <FW_B> system-view
    [FW_B] interface GigabitEthernet 0/0/7
    [FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
    [FW_B-GigabitEthernet0/0/7] quit
    [FW_B] interface GigabitEthernet 0/0/2
    [FW_B-GigabitEthernet0/0/2] ip address 172.16.1.2 24
    [FW_B-GigabitEthernet0/0/2] quit
    [FW_B] firewall zone dmz
    [FW_B-zone-dmz] add interface GigabitEthernet 0/0/2
    [FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
    [FW_B-zone-dmz] quit

    # On the FWs, configure a security policy with the action permit between the local zone and the security zone (dmz) to which the hot standby management interface is assigned.

    [FW_A] security-policy
    [FW_A-policy-security] rule name ha_local_to_dmz
    [FW_A-policy-security-rule-ha_local_to_dmz] source-zone local dmz
    [FW_A-policy-security-rule-ha_local_to_dmz] destination-zone local dmz
    [FW_A-policy-security-rule-ha_local_to_dmz] action permit
    [FW_A-policy-security-rule-ha_local_to_dmz] quit
    [FW_A-policy-security] quit
    [FW_B] security-policy
    [FW_B-policy-security] rule name ha_local_to_dmz
    [FW_B-policy-security-rule-ha_local_to_dmz] source-zone local dmz
    [FW_B-policy-security-rule-ha_local_to_dmz] destination-zone local dmz
    [FW_B-policy-security-rule-ha_local_to_dmz] action permit
    [FW_B-policy-security-rule-ha_local_to_dmz] quit
    [FW_B-policy-security] quit

  2. Configure hot standby on FWs.

    # Configure a VGMP group to monitor the upstream and downstream service interfaces, and configure FW_B as the standby FW.

    [FW_A] hrp track interface GigabitEthernet 0/0/1
    [FW_A] hrp track interface GigabitEthernet 0/0/3
    [FW_B] hrp track interface GigabitEthernet 0/0/1
    [FW_B] hrp track interface GigabitEthernet 0/0/3
    [FW_B] hrp standby-device

    # Specify the heartbeat interface and enable hot standby.

    [FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2 
    [FW_A] hrp enable 
    [FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1 
    [FW_B] hrp enable 

  3. On FW_A, configure the mirroring mode and hot standby management interface. These configurations will be automatically backed up to FW_B.

    HRP_M[FW_A] hrp mirror config enable
    HRP_M[FW_A] hrp mgt-interface GigabitEthernet 0/0/2
    HRP_M[FW_A] quit

  4. Complete manual batch backup to synchronize the configurations on FW_A to FW_B.

    Mirroring mode requires the configurations of the two FWs to be identical, but they may differ at the moment mirroring is enabled. In that case, run the hrp sync config command to synchronize the configurations of the two FWs.

    HRP_M<FW_A> hrp sync config

  5. Complete network configurations on FW_A to ensure that intranet users can access the Internet. The network configurations will be automatically backed up to FW_B.

    After the mirroring mode is configured, the configuration on one device will be automatically backed up to the other device. Compared with the traditional hot standby, hot standby in mirroring mode can implement interface and route configuration backup.

    # Assign IP addresses to interfaces.

    HRP_M<FW_A> system-view
    HRP_M[FW_A] interface GigabitEthernet 0/0/1
    HRP_M[FW_A-GigabitEthernet0/0/1] ip address 1.1.1.1 24
    HRP_M[FW_A-GigabitEthernet0/0/1] quit 
    HRP_M[FW_A] interface GigabitEthernet 0/0/3
    HRP_M[FW_A-GigabitEthernet0/0/3] ip address 10.3.0.1 24
    HRP_M[FW_A-GigabitEthernet0/0/3] quit

    # Assign the interfaces to security zones.

    HRP_M[FW_A] firewall zone trust
    HRP_M[FW_A-zone-trust] add interface GigabitEthernet 0/0/3
    HRP_M[FW_A-zone-trust] quit 
    HRP_M[FW_A] firewall zone untrust
    HRP_M[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
    HRP_M[FW_A-zone-untrust] quit

    # Create a default route with next-hop address 1.1.1.10.

    HRP_M[FW_A] ip route-static 0.0.0.0 0.0.0.0 1.1.1.10

    # Configure a security policy to allow intranet users to access the Internet.

    HRP_M[FW_A] security-policy
    HRP_M[FW_A-policy-security] rule name trust_to_untrust
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-zone trust
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] destination-zone untrust
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] source-address 10.3.0.0 24
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] action permit
    HRP_M[FW_A-policy-security-rule-trust_to_untrust] quit
    HRP_M[FW_A-policy-security] quit  

    # Configure a NAT policy to translate source addresses on network segment 10.3.0.0/24 to IP addresses in the NAT address pool (1.1.1.2 to 1.1.1.5) when intranet users access the Internet.

    HRP_M[FW_A] nat address-group group1
    HRP_M[FW_A-address-group-group1] section 0 1.1.1.2 1.1.1.5
    HRP_M[FW_A-address-group-group1] route enable
    HRP_M[FW_A-address-group-group1] quit
    HRP_M[FW_A] nat-policy
    HRP_M[FW_A-policy-nat] rule name policy_nat1  
    HRP_M[FW_A-policy-nat-rule-policy_nat1] source-zone trust
    HRP_M[FW_A-policy-nat-rule-policy_nat1] destination-zone untrust
    HRP_M[FW_A-policy-nat-rule-policy_nat1] source-address 10.3.0.0 24 
    HRP_M[FW_A-policy-nat-rule-policy_nat1] action source-nat address-group group1
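Mirroring mode relies on the two FWs carrying the same configuration (step 4), and the only lines that should differ between them are the ones that identify a peer: the heartbeat peer address in hrp interface ... remote, hrp standby-device, and the addresses of the heartbeat and hot standby management interfaces. The following Python script is an added example, not Huawei code or output from the FWs. It takes the two configuration scripts as text (here abbreviated copies of this page's FW_A and FW_B scripts, embedded as constructed samples), drops those peer-specific lines, and reports any remaining difference, which is exactly the drift that hrp sync config is meant to remove.

```python
import re

# Constructed samples: abbreviated versions of the FW_A and FW_B configuration
# scripts from this page (not pulled from a live device).
FW_A_CONFIG = """\
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp mirror config enable
 hrp mgt-interface GigabitEthernet 0/0/2
 hrp track interface GigabitEthernet 0/0/1
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone dmz
 add interface GigabitEthernet 0/0/2
 add interface GigabitEthernet 0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
"""

FW_B_CONFIG = """\
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp mirror config enable
 hrp mgt-interface GigabitEthernet 0/0/2
 hrp track interface GigabitEthernet 0/0/1
 hrp standby-device
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone dmz
 add interface GigabitEthernet 0/0/2
 add interface GigabitEthernet0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
"""

# Lines that legitimately differ between the two peers in mirroring mode.
PEER_SPECIFIC = re.compile(r"^hrp (interface \S+ remote \S+|standby-device)$")
# Interfaces whose own address sections are per-device (heartbeat and management).
LOCAL_INTF = re.compile(r"^hrp (?:interface|mgt-interface) (\S+)")

def normalize(line):
    """Collapse whitespace and drop the space in interface names, so that
    "GigabitEthernet 0/0/7" and "GigabitEthernet0/0/7" compare equal."""
    return re.sub(r"(GigabitEthernet)\s+(\d)", r"\1\2", " ".join(line.split()))

def parse_sections(config):
    """Split a '#'-delimited configuration script into lists of normalized lines."""
    sections, current = [], []
    for raw in config.splitlines():
        line = raw.strip()
        if line == "#":
            if current:
                sections.append(current)
            current = []
        elif line:
            current.append(normalize(line))
    if current:
        sections.append(current)
    return sections

def mirrored_lines(config):
    """Return the (section header, line) pairs that mirroring mode must keep
    identical on both FWs, after dropping the peer-specific lines and the
    address sections of the heartbeat and management interfaces."""
    sections = parse_sections(config)
    local_intfs = set()
    for sec in sections:
        for line in sec:
            m = LOCAL_INTF.match(line)
            if m:
                local_intfs.add(m.group(1))
    keep = set()
    for sec in sections:
        header = sec[0]
        if header.startswith("interface ") and header.split()[1] in local_intfs:
            continue
        for line in sec:
            if not PEER_SPECIFIC.match(line):
                keep.add((header, line))
    return keep

def mirror_diff(config_a, config_b):
    """Lines only on A and lines only on B; both empty means the pair is in sync."""
    a, b = mirrored_lines(config_a), mirrored_lines(config_b)
    return sorted(a - b), sorted(b - a)
```

Differences are returned together with their section header, so a line such as add interface GigabitEthernet 0/0/2 is compared within its zone rather than globally, and interface names are normalized because saved scripts write GigabitEthernet 0/0/7 and GigabitEthernet0/0/7 interchangeably. Running mirror_diff on the two saved scripts after hrp sync config, and again before any service change, is a cheap way to confirm that the standby would actually behave like the active after a switchover.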

Verification

  1. Run the display hrp state verbose command on FW_A and FW_B to check the VGMP group status. If the following information is displayed, the hot standby relationship has been established.

    HRP_M<FW_A> display hrp state verbose
     Role: active, peer: standby 
     Running priority: 45000, peer: 45000 
     Backup channel usage: 30%           
     Stable time: 1 days, 13 hours, 35 minutes  
     Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_
    state = normal(standby), new_state = normal(active), local_priority = 45000,
     peer_priority = 45000.       
                                    
     Configuration:                     
     hello interval:              1000ms
     preempt:                     60s   
     mirror configuration:        on   
     mirror session:              off   
     track trunk member:          on    
     auto-sync configuration:     on    
     auto-sync connection-status: on    
     adjust ospf-cost:            on    
     adjust ospfv3-cost:          on    
     adjust bgp-cost:             on    
     nat resource:                off   
                                        
     Detail information:                
                           GigabitEthernet0/0/1: up
                           GigabitEthernet0/0/3: up

    HRP_S<FW_B> display hrp state verbose
     Role: standby, peer: active 
     Running priority: 45000, peer: 45000   
     Backup channel usage: 30%           
     Stable time: 1 days, 13 hours, 35 minutes 
     Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_
    state = normal(standby), new_state = normal(standby), local_priority = 45000,
     peer_priority = 45000.       
         
     Configuration:                     
     hello interval:              1000ms
     preempt:                     60s   
     mirror configuration:        on   
     mirror session:              off   
     track trunk member:          on    
     auto-sync configuration:     on    
     auto-sync connection-status: on    
     adjust ospf-cost:            on    
     adjust ospfv3-cost:          on    
     adjust bgp-cost:             on    
     nat resource:                off   
                                        
     Detail information:                
                           GigabitEthernet0/0/1: up
                           GigabitEthernet0/0/3: up

  2. Ping the router in the untrust zone from the PC in the trust zone, and display the session information on FW_A and FW_B.

    HRP_M<FW_A> display firewall session table
    
     Current Total Sessions : 1
      icmp  VPN: public --> public 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048  

    HRP_S<FW_B> display firewall session table
    
     Current Total Sessions : 1
      icmp  VPN:public --> public  Remote 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048

    The command output shows that the session on FW_B is tagged with Remote, indicating that sessions are backed up successfully once hot standby is configured.

  3. Run the ping 1.1.1.10 -t command on the PC, run shutdown on GE0/0/1 of FW_A, and check whether an active/standby switchover occurs and whether ping packets are dropped. Then run undo shutdown on GE0/0/1 of FW_A and check again whether an active/standby switchover occurs and whether ping packets are dropped.
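The three verification steps each read a command output by eye. The following Python script is an added example, not Huawei code, that performs the same reading programmatically from saved command output: it parses display hrp state verbose into the role, priorities, configuration switches and tracked-interface states that step 1 checks, flags the deviations a mirroring-mode pair should not show, and parses display firewall session table to detect the Remote tag from step 2. The sample outputs are constructed from the outputs shown on this page; the failover sample models what FW_A would report after GE0/0/1 is shut down in step 3. Fetching the output from the FWs (for example over SSH) is outside the script.

```python
import re

# Constructed sample: the FW_A output of "display hrp state verbose" from
# verification step 1 on this page, trimmed to the lines the checks read.
HRP_STATE_FW_A = """\
HRP_M<FW_A> display hrp state verbose
 Role: active, peer: standby
 Running priority: 45000, peer: 45000
 Configuration:
 hello interval:              1000ms
 preempt:                     60s
 mirror configuration:        on
 mirror session:              off
 auto-sync configuration:     on
 auto-sync connection-status: on
 Detail information:
                       GigabitEthernet0/0/1: up
                       GigabitEthernet0/0/3: up
"""

# Constructed sample of what FW_A would report after GE0/0/1 is shut down in
# verification step 3: the tracked interface is down and the roles have switched.
HRP_STATE_FW_A_FAILOVER = (
    HRP_STATE_FW_A.replace("Role: active, peer: standby", "Role: standby, peer: active")
    .replace("GigabitEthernet0/0/1: up", "GigabitEthernet0/0/1: down")
)

# Constructed sample: the FW_B session table from verification step 2.
SESSION_TABLE_FW_B = """\
HRP_S<FW_B> display firewall session table
 Current Total Sessions : 1
  icmp  VPN:public --> public  Remote 10.3.0.10:0[1.1.1.2:10298] --> 1.1.1.10:2048
"""

ROLE_RE = re.compile(r"\s*Role: (\w+), peer: (\w+)")
PRIO_RE = re.compile(r"\s*Running priority: (\d+), peer: (\d+)")
INTF_RE = re.compile(r"\s*(GigabitEthernet\S+): (up|down)")
SETTING_RE = re.compile(r"\s*([a-z][a-z0-9 -]*):\s+(\S+)\s*$")  # e.g. "mirror configuration: on"
SESSION_RE = re.compile(
    r"^\s*(?P<proto>\w+)\s+VPN:\s*(?P<src_vpn>\S+) --> (?P<dst_vpn>\S+)\s+(?P<remote>Remote\s+)?"
    r"(?P<src>\S+?):(?P<sport>\d+)\[(?P<nat_src>\S+?):(?P<nat_sport>\d+)\]"
    r" --> (?P<dst>\S+?):(?P<dport>\d+)\s*$"
)

def parse_hrp_state(text):
    """Extract role, priorities, configuration switches and tracked-interface
    status from the output of display hrp state verbose."""
    state = {"interfaces": {}}
    for line in text.splitlines():
        if m := INTF_RE.match(line):
            state["interfaces"][m.group(1)] = m.group(2)
        elif m := ROLE_RE.match(line):
            state["role"], state["peer"] = m.groups()
        elif m := PRIO_RE.match(line):
            state["priority"], state["peer_priority"] = map(int, m.groups())
        elif m := SETTING_RE.match(line):
            state[m.group(1)] = m.group(2)
    return state

def hrp_problems(state, expected_role):
    """Return the deviations from a healthy mirroring-mode pair: the expected
    local role, one active and one standby peer, mirror configuration and
    auto-sync configuration on, and every tracked interface up."""
    problems = []
    role, peer = state.get("role"), state.get("peer")
    if role != expected_role:
        problems.append(f"role is {role}, expected {expected_role}")
    if {role, peer} != {"active", "standby"}:
        problems.append(f"roles are not one active and one standby (local={role}, peer={peer})")
    for key in ("mirror configuration", "auto-sync configuration"):
        if state.get(key) != "on":
            problems.append(f"{key} is {state.get(key)}")
    if not state["interfaces"]:
        problems.append("no tracked interfaces reported")
    for intf, status in state["interfaces"].items():
        if status != "up":
            problems.append(f"tracked interface {intf} is {status}")
    return problems

def parse_sessions(text):
    """Parse display firewall session table entries; 'remote' is True for a
    session that was backed up from the peer rather than created locally."""
    sessions = []
    for line in text.splitlines():
        if m := SESSION_RE.match(line):
            entry = m.groupdict()
            entry["remote"] = entry["remote"] is not None
            sessions.append(entry)
    return sessions
```

Call hrp_problems(parse_hrp_state(output), "active") for FW_A and with "standby" for FW_B. During step 3 the switchover itself is the expected result, so check the role against the role you expect at that moment; the interface-down finding is what tells you why the VGMP group moved.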

Configuration Scripts

FW_A

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp mirror config enable
 hrp mgt-interface GigabitEthernet 0/0/2
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 172.16.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/2
 add interface GigabitEthernet 0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#    
 nat address-group group1 
  route enable
  section 0 1.1.1.2 1.1.1.5
#    
security-policy  
 rule name ha_local_to_dmz
  source-zone local dmz
  destination-zone local dmz
  action permit
 rule name trust_to_untrust
  source-zone trust  
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit    
#    
nat-policy  
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24 
  action source-nat address-group group1

FW_B

#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp mirror config enable
 hrp mgt-interface GigabitEthernet 0/0/2
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
 hrp standby-device
#
interface GigabitEthernet 0/0/1
 ip address 1.1.1.1 255.255.255.0
#
interface GigabitEthernet 0/0/2
 ip address 172.16.1.2 255.255.255.0
#
interface GigabitEthernet 0/0/3
 ip address 10.3.0.1 255.255.255.0
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#    
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/3
#    
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#    
firewall zone dmz    
 set priority 50     
 add interface GigabitEthernet 0/0/2
 add interface GigabitEthernet 0/0/7
#
 ip route-static 0.0.0.0 0.0.0.0 1.1.1.10
#    
 nat address-group group1 
  route enable
  section 0 1.1.1.2 1.1.1.5
#    
security-policy  
 rule name ha_local_to_dmz
  source-zone local dmz
  destination-zone local dmz
  action permit
 rule name trust_to_untrust
  source-zone trust  
  destination-zone untrust
  source-address 10.3.0.0 24
  action permit    
#    
nat-policy  
 rule name policy_nat1
  source-zone trust
  destination-zone untrust
  source-address 10.3.0.0 24 
  action source-nat address-group group1
Copyright © Huawei Technologies Co., Ltd.