This section provides an example of configuring hot standby in load balancing mode after virtual systems have been configured on the FWs. The service interfaces of each FW work at Layer 3 and connect to the upstream routers and the downstream switch respectively.
As shown in Figure 1, two network segments on the enterprise network need to be separated. Switches use VLANs to separate the two network segments, and the FWs use virtual systems to separate them. The FWs connect to upstream routers, and OSPF runs between the FWs and upstream routers. The two FWs work in load balancing mode. In normal situations, FW_A forwards traffic from LAN1, and FW_B forwards traffic from LAN2. If one FW fails, traffic from both LAN1 and LAN2 is forwarded by the other FW. This ensures that the services are not interrupted.

Data planning for FW_A:

| Item | Data | Description |
|---|---|---|
| Interfaces | Interface number: GigabitEthernet 0/0/1; IP address: 192.168.0.2/30; Security zone: untrust | Public interface of the public system |
| | Interface number: GigabitEthernet 0/0/2; IP address: 10.3.1.2/24; Security zone: trust | Private interface of the public system |
| | Interface number: GigabitEthernet 0/0/3; IP address: 192.168.1.2/30; Security zone: untrust | Public interface of virtual system vsysa |
| | Interface number: GigabitEthernet 0/0/4; IP address: 10.3.2.2/24; Security zone: trust | Private interface of virtual system vsysa |
| | Interface number: GigabitEthernet 0/0/7; IP address: 10.10.0.1/24; Security zone: DMZ | Heartbeat interface |
| VRRP groups | VRRP group 1: 10.3.1.1/24, active | - |
| | VRRP group 2: 10.3.2.1/24, standby | - |
| Routes | Blackhole route; Destination IP address: 1.1.1.1/32 | Blackhole route configured for the NAT address pool of the public system to prevent route loops |
| | Blackhole route; Destination IP address: 1.1.1.2/32 | Blackhole route configured for the NAT address pool of vsysa to prevent route loops |
| | OSPF 100; Advertised network segment: 192.168.0.0/30; Static routes are imported. | OSPF configuration of the public system |
| | OSPF 200; Bound VPN instance: vsysa; Advertised network segment: 192.168.1.0/30; Static routes are imported. | OSPF configuration of vsysa |
Data planning for FW_B:

| Item | Data | Description |
|---|---|---|
| Interfaces | Interface number: GigabitEthernet 0/0/1; IP address: 192.168.0.10/30; Security zone: untrust | Public interface of the public system |
| | Interface number: GigabitEthernet 0/0/2; IP address: 10.3.1.3/24; Security zone: trust | Private interface of the public system |
| | Interface number: GigabitEthernet 0/0/3; IP address: 192.168.1.10/30; Security zone: untrust | Public interface of virtual system vsysa |
| | Interface number: GigabitEthernet 0/0/4; IP address: 10.3.2.3/24; Security zone: trust | Private interface of virtual system vsysa |
| | Interface number: GigabitEthernet 0/0/7; IP address: 10.10.0.2/24; Security zone: DMZ | Heartbeat interface |
| VRRP groups | VRRP group 1: 10.3.1.1/24, standby | - |
| | VRRP group 2: 10.3.2.1/24, active | - |
| Routes | Blackhole route; Destination IP address: 1.1.1.1/32 | Blackhole route configured for the NAT address pool of the public system to prevent route loops |
| | Blackhole route; Destination IP address: 1.1.1.2/32 | Blackhole route configured for the NAT address pool of vsysa to prevent route loops |
| | OSPF 100; Advertised network segment: 192.168.0.8/30; Static routes are imported. | OSPF configuration of the public system |
| | OSPF 200; Bound VPN instance: vsysa; Advertised network segment: 192.168.1.8/30; Static routes are imported. | OSPF configuration of vsysa |
VLAN planning on the switch:

| VLAN | Member Interface 1 | Member Interface 2 | Member Interface 3 |
|---|---|---|---|
| 10 (public) | GE0/0/15 | GE0/0/16 | GE0/0/17 |
| 30 (vsysa) | GE0/0/18 | GE0/0/19 | GE0/0/20 |
Data planning for Router1:

| Item | Data | Description |
|---|---|---|
| Interfaces | Interface number: GigabitEthernet 0/0/1; IP address: 192.168.0.1/30 | Connecting to the public system on the FW |
| | Interface number: GigabitEthernet 0/0/2; IP address: 192.168.0.5/30 | Connecting to Router2 |
| | Interface number: GigabitEthernet 0/0/3; IP address: 192.168.1.1/30 | Connecting to vsysa on the FW |
| | Interface number: GigabitEthernet 0/0/4; IP address: 192.168.1.5/30 | Connecting to Router2 |
| OSPF | OSPF 100; Advertised network segments: 192.168.0.0/30 and 192.168.0.4/30; Default routes are imported. | - |
| | OSPF 200; Advertised network segments: 192.168.1.0/30 and 192.168.1.4/30; Default routes are imported. | - |
Data planning for Router2:

| Item | Data | Description |
|---|---|---|
| Interfaces | Interface number: GigabitEthernet 0/0/1; IP address: 192.168.0.9/30 | Connecting to the public system on the FW |
| | Interface number: GigabitEthernet 0/0/2; IP address: 192.168.0.6/30 | Connecting to Router1 |
| | Interface number: GigabitEthernet 0/0/3; IP address: 192.168.1.9/30 | Connecting to vsysa on the FW |
| | Interface number: GigabitEthernet 0/0/4; IP address: 192.168.1.6/30 | Connecting to Router1 |
| OSPF | OSPF 100; Advertised network segments: 192.168.0.8/30 and 192.168.0.4/30; Default routes are imported. | - |
| | OSPF 200; Advertised network segments: 192.168.1.8/30 and 192.168.1.4/30; Default routes are imported. | - |
The virtual system names and IDs on FW_A and FW_B must be the same. You can run the display vsys command on both FWs to compare the configurations after virtual systems are created.
# Enable the virtual system function on FWs.

FW_A:

```
<FW_A> system-view
[FW_A] vsys enable
```

FW_B:

```
<FW_B> system-view
[FW_B] vsys enable
```

# Create a virtual system on FWs and assign interfaces to it.

FW_A:

```
[FW_A] vsys name vsysa
[FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/3
[FW_A-vsys-vsysa] assign interface GigabitEthernet 0/0/4
[FW_A-vsys-vsysa] quit
```

FW_B:

```
[FW_B] vsys name vsysa
[FW_B-vsys-vsysa] assign interface GigabitEthernet 0/0/3
[FW_B-vsys-vsysa] assign interface GigabitEthernet 0/0/4
[FW_B-vsys-vsysa] quit
```
# Configure IP addresses and VRRP groups for public system interfaces on FWs.

FW_A:

```
[FW_A] interface GigabitEthernet 0/0/1
[FW_A-GigabitEthernet0/0/1] ip address 192.168.0.2 30
[FW_A-GigabitEthernet0/0/1] quit
[FW_A] interface GigabitEthernet 0/0/2
[FW_A-GigabitEthernet0/0/2] ip address 10.3.1.2 24
[FW_A-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.3.1.1 24 active
[FW_A-GigabitEthernet0/0/2] quit
[FW_A] interface GigabitEthernet 0/0/7
[FW_A-GigabitEthernet0/0/7] ip address 10.10.0.1 24
[FW_A-GigabitEthernet0/0/7] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/1
[FW_B-GigabitEthernet0/0/1] ip address 192.168.0.10 30
[FW_B-GigabitEthernet0/0/1] quit
[FW_B] interface GigabitEthernet 0/0/2
[FW_B-GigabitEthernet0/0/2] ip address 10.3.1.3 24
[FW_B-GigabitEthernet0/0/2] vrrp vrid 1 virtual-ip 10.3.1.1 24 standby
[FW_B-GigabitEthernet0/0/2] quit
[FW_B] interface GigabitEthernet 0/0/7
[FW_B-GigabitEthernet0/0/7] ip address 10.10.0.2 24
[FW_B-GigabitEthernet0/0/7] quit
```

# Assign public system interfaces to security zones on FWs.

FW_A:

```
[FW_A] firewall zone untrust
[FW_A-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_A-zone-untrust] quit
[FW_A] firewall zone trust
[FW_A-zone-trust] add interface GigabitEthernet 0/0/2
[FW_A-zone-trust] quit
[FW_A] firewall zone dmz
[FW_A-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_A-zone-dmz] quit
```

FW_B:

```
[FW_B] firewall zone untrust
[FW_B-zone-untrust] add interface GigabitEthernet 0/0/1
[FW_B-zone-untrust] quit
[FW_B] firewall zone trust
[FW_B-zone-trust] add interface GigabitEthernet 0/0/2
[FW_B-zone-trust] quit
[FW_B] firewall zone dmz
[FW_B-zone-dmz] add interface GigabitEthernet 0/0/7
[FW_B-zone-dmz] quit
```

# Configure IP addresses and VRRP groups for virtual system interfaces on FWs.

FW_A:

```
[FW_A] interface GigabitEthernet 0/0/3
[FW_A-GigabitEthernet0/0/3] ip address 192.168.1.2 30
[FW_A-GigabitEthernet0/0/3] quit
[FW_A] interface GigabitEthernet 0/0/4
[FW_A-GigabitEthernet0/0/4] ip address 10.3.2.2 24
[FW_A-GigabitEthernet0/0/4] vrrp vrid 2 virtual-ip 10.3.2.1 24 standby
[FW_A-GigabitEthernet0/0/4] quit
```

FW_B:

```
[FW_B] interface GigabitEthernet 0/0/3
[FW_B-GigabitEthernet0/0/3] ip address 192.168.1.10 30
[FW_B-GigabitEthernet0/0/3] quit
[FW_B] interface GigabitEthernet 0/0/4
[FW_B-GigabitEthernet0/0/4] ip address 10.3.2.3 24
[FW_B-GigabitEthernet0/0/4] vrrp vrid 2 virtual-ip 10.3.2.1 24 active
[FW_B-GigabitEthernet0/0/4] quit
```

# Assign virtual system interfaces to security zones on FWs.

FW_A:

```
[FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] firewall zone untrust
[FW_A-vsysa-zone-untrust] add interface GigabitEthernet 0/0/3
[FW_A-vsysa-zone-untrust] quit
[FW_A-vsysa] firewall zone trust
[FW_A-vsysa-zone-trust] add interface GigabitEthernet 0/0/4
[FW_A-vsysa-zone-trust] quit
[FW_A-vsysa] quit
```

FW_B:

```
[FW_B] switch vsys vsysa
<FW_B-vsysa> system-view
[FW_B-vsysa] firewall zone untrust
[FW_B-vsysa-zone-untrust] add interface GigabitEthernet 0/0/3
[FW_B-vsysa-zone-untrust] quit
[FW_B-vsysa] firewall zone trust
[FW_B-vsysa-zone-trust] add interface GigabitEthernet 0/0/4
[FW_B-vsysa-zone-trust] quit
[FW_B-vsysa] quit
```
# Configure a blackhole route pointing to the addresses in the NAT address pool of the public system on FWs.

FW_A:

```
[FW_A] ip route-static 1.1.1.1 32 null 0
```

FW_B:

```
[FW_B] ip route-static 1.1.1.1 32 null 0
```

# Configure a blackhole route pointing to the addresses in the NAT address pool of the virtual system on FWs.

FW_A:

```
[FW_A] switch vsys vsysa
<FW_A-vsysa> system-view
[FW_A-vsysa] ip route-static 1.1.1.2 32 null 0
[FW_A-vsysa] quit
```

FW_B:

```
[FW_B] switch vsys vsysa
<FW_B-vsysa> system-view
[FW_B-vsysa] ip route-static 1.1.1.2 32 null 0
[FW_B-vsysa] quit
```
# Configure OSPF for the public system and for vsysa on FWs.

FW_A:

```
[FW_A] ospf 100
[FW_A-ospf-100] import-route static
[FW_A-ospf-100] area 0
[FW_A-ospf-100-area-0.0.0.0] network 192.168.0.0 0.0.0.3
[FW_A-ospf-100-area-0.0.0.0] quit
[FW_A-ospf-100] quit
[FW_A] ospf 200 vpn-instance vsysa
[FW_A-ospf-200] import-route static
[FW_A-ospf-200] area 0
[FW_A-ospf-200-area-0.0.0.0] network 192.168.1.0 0.0.0.3
[FW_A-ospf-200-area-0.0.0.0] quit
[FW_A-ospf-200] quit
```

FW_B:

```
[FW_B] ospf 100
[FW_B-ospf-100] import-route static
[FW_B-ospf-100] area 0
[FW_B-ospf-100-area-0.0.0.0] network 192.168.0.8 0.0.0.3
[FW_B-ospf-100-area-0.0.0.0] quit
[FW_B-ospf-100] quit
[FW_B] ospf 200 vpn-instance vsysa
[FW_B-ospf-200] import-route static
[FW_B-ospf-200] area 0
[FW_B-ospf-200-area-0.0.0.0] network 192.168.1.8 0.0.0.3
[FW_B-ospf-200-area-0.0.0.0] quit
[FW_B-ospf-200] quit
```
# Configure VGMP groups to monitor upstream and downstream service interfaces on FWs.

FW_A:

```
[FW_A] hrp track interface GigabitEthernet 0/0/1
[FW_A] hrp track interface GigabitEthernet 0/0/3
```

FW_B:

```
[FW_B] hrp track interface GigabitEthernet 0/0/1
[FW_B] hrp track interface GigabitEthernet 0/0/3
```

# Configure quick session backup on both FWs in case of inconsistent forward and return packet paths.

FW_A:

```
[FW_A] hrp mirror session enable
```

FW_B:

```
[FW_B] hrp mirror session enable
```

# Specify the heartbeat interface and enable hot standby on FWs.

FW_A:

```
[FW_A] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
[FW_A] hrp enable
```

FW_B:

```
[FW_B] hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
[FW_B] hrp enable
```

# To prevent port conflicts in address translation on the FWs in load balancing mode, configure available port ranges on FW_A and FW_B.

NOTE: In the hot standby load balancing scenario, if NAPT is configured, the FWs may have conflicting public ports. To prevent such conflicts, configure respective NAT resources (including public IP addresses and ports) for the FWs. You can run the hrp nat resource primary-group command on the active FW; the standby FW then automatically generates the hrp nat resource secondary-group command (if you run the hrp nat resource secondary-group command on the active FW, the standby FW automatically generates the hrp nat resource primary-group command).

FW_A:

```
HRP_M[FW_A] hrp nat resource primary-group
```

FW_B:

```
HRP_S[FW_B] hrp nat resource secondary-group
```
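Why the note above insists on separate NAT resources: with both FWs active and both translating to the same public address, each FW allocates source ports on its own, so two different private flows can end up behind the same public (address, port, destination) tuple, and the reply to that tuple cannot be attributed to one flow. The following added Python model (not part of the Huawei documentation) lets two simulated FWs allocate NAPT ports from one shared pool and then from disjoint ranges and counts the ambiguous tuples. The port ranges, the allocator and the hosts are constructed for illustration and are not the ranges that hrp nat resource primary-group/secondary-group actually assigns.

```python
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PUBLIC_IP = "1.1.1.1"  # NAT address pool of the public system in this example
PublicTuple = Tuple[str, int, str, int]  # (public ip, public port, dst ip, dst port)

# Constructed port ranges for illustration only; they are not the ranges that
# "hrp nat resource primary-group/secondary-group" assigns on a real FW.
SHARED_RANGE = range(1024, 65536)
PRIMARY_RANGE = range(1024, 33280)
SECONDARY_RANGE = range(33280, 65536)


@dataclass
class NaptDevice:
    """One FW's NAPT allocator (constructed model): lowest free port first, one public address."""
    name: str
    ports: range
    next_index: int = 0
    table: Dict[PublicTuple, Tuple[str, int]] = field(default_factory=dict)

    def translate(self, src_ip: str, src_port: int, dst_ip: str, dst_port: int) -> PublicTuple:
        if self.next_index >= len(self.ports):
            raise RuntimeError(f"{self.name}: NAPT port range exhausted")
        public = (PUBLIC_IP, self.ports[self.next_index], dst_ip, dst_port)
        self.next_index += 1
        self.table[public] = (src_ip, src_port)
        return public


def ambiguous_return_tuples(*devices: NaptDevice) -> Set[PublicTuple]:
    """Public tuples that more than one FW has mapped to a private flow.

    A reply to such a tuple may reach either FW, and whichever receives it
    translates it to its own private host, so one of the two sessions breaks.
    """
    owners: Dict[PublicTuple, Set[Tuple[str, Tuple[str, int]]]] = {}
    for dev in devices:
        for public, private in dev.table.items():
            owners.setdefault(public, set()).add((dev.name, private))
    return {public for public, own in owners.items() if len(own) > 1}


def simulate(range_a: range, range_b: range, flows_per_fw: int) -> int:
    """Both FWs translate flows toward the same server; return the number of ambiguous tuples."""
    fw_a = NaptDevice("FW_A", range_a)
    fw_b = NaptDevice("FW_B", range_b)
    for i in range(flows_per_fw):
        # Constructed hosts: .10-.109 happen to be forwarded by FW_A and
        # .110-.209 by FW_B (which FW forwards a flow depends on routing).
        fw_a.translate(f"10.3.1.{10 + i % 100}", 50000 + i, "3.3.3.3", 80)
        fw_b.translate(f"10.3.1.{110 + i % 100}", 50000 + i, "3.3.3.3", 80)
    return len(ambiguous_return_tuples(fw_a, fw_b))


if __name__ == "__main__":
    print("shared pool, no split  :", simulate(SHARED_RANGE, SHARED_RANGE, 100), "ambiguous tuples")
    print("primary/secondary split:", simulate(PRIMARY_RANGE, SECONDARY_RANGE, 100), "ambiguous tuples")
```

With a shared pool every flow collides in this model because both allocators start at the same port; with disjoint primary and secondary ranges no public tuple is shared, which is the property the hrp nat resource split provides on the real devices.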
After the hot standby relationship is established, the security policy configured on FW_A is automatically backed up to FW_B.

# Configure a security policy for the public system to allow intranet users to access the Internet.

```
HRP_M[FW_A] security-policy
HRP_M[FW_A-policy-security] rule name policy_sec
HRP_M[FW_A-policy-security-rule-policy_sec] source-zone trust
HRP_M[FW_A-policy-security-rule-policy_sec] destination-zone untrust
HRP_M[FW_A-policy-security-rule-policy_sec] source-address 10.3.1.0 24
HRP_M[FW_A-policy-security-rule-policy_sec] action permit
HRP_M[FW_A-policy-security-rule-policy_sec] quit
HRP_M[FW_A-policy-security] quit
```

# Configure a security policy for the virtual system to allow intranet users to access the Internet.

```
HRP_M[FW_A] switch vsys vsysa
HRP_M<FW_A-vsysa> system-view
HRP_M[FW_A-vsysa] security-policy
HRP_M[FW_A-vsysa-policy-security] rule name policy_sec
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-zone trust
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] destination-zone untrust
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] source-address 10.3.2.0 24
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] action permit
HRP_M[FW_A-vsysa-policy-security-rule-policy_sec] quit
HRP_M[FW_A-vsysa-policy-security] quit
HRP_M[FW_A-vsysa] quit
```

After the hot standby relationship is established, the NAT policy configured on FW_A is automatically backed up to FW_B.

# Configure a NAT policy for the public system to allow intranet users to access the Internet.

```
HRP_M[FW_A] nat address-group addressgroup1
HRP_M[FW_A-address-group-addressgroup1] section 0 1.1.1.1 1.1.1.1
HRP_M[FW_A-address-group-addressgroup1] quit
HRP_M[FW_A] nat-policy
HRP_M[FW_A-policy-nat] rule name policy_nat
HRP_M[FW_A-policy-nat-rule-policy_nat] source-zone trust
HRP_M[FW_A-policy-nat-rule-policy_nat] destination-zone untrust
HRP_M[FW_A-policy-nat-rule-policy_nat] source-address 10.3.1.0 24
HRP_M[FW_A-policy-nat-rule-policy_nat] action source-nat address-group addressgroup1
HRP_M[FW_A-policy-nat-rule-policy_nat] quit
HRP_M[FW_A-policy-nat] quit
```

# Configure a NAT policy for the virtual system to allow intranet users to access the Internet.

```
HRP_M[FW_A] switch vsys vsysa
HRP_M<FW_A-vsysa> system-view
HRP_M[FW_A-vsysa] nat address-group addressgroup1
HRP_M[FW_A-vsysa-address-group-addressgroup1] section 0 1.1.1.2 1.1.1.2
HRP_M[FW_A-vsysa-address-group-addressgroup1] quit
HRP_M[FW_A-vsysa] nat-policy
HRP_M[FW_A-vsysa-policy-nat] rule name policy_nat
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] source-zone trust
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] destination-zone untrust
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] source-address 10.3.2.0 24
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] action source-nat address-group addressgroup1
HRP_M[FW_A-vsysa-policy-nat-rule-policy_nat] quit
HRP_M[FW_A-vsysa-policy-nat] quit
HRP_M[FW_A-vsysa] quit
```
The following part uses a Huawei switch to illustrate the configuration.

# Configure the switch.

```
[Switch] vlan batch 10 30
[Switch] interface GigabitEthernet 0/0/15
[Switch-GigabitEthernet0/0/15] port link-type access
[Switch-GigabitEthernet0/0/15] port default vlan 10
[Switch-GigabitEthernet0/0/15] quit
[Switch] interface GigabitEthernet 0/0/16
[Switch-GigabitEthernet0/0/16] port link-type access
[Switch-GigabitEthernet0/0/16] port default vlan 10
[Switch-GigabitEthernet0/0/16] quit
[Switch] interface GigabitEthernet 0/0/17
[Switch-GigabitEthernet0/0/17] port link-type access
[Switch-GigabitEthernet0/0/17] port default vlan 10
[Switch-GigabitEthernet0/0/17] quit
[Switch] interface GigabitEthernet 0/0/18
[Switch-GigabitEthernet0/0/18] port link-type access
[Switch-GigabitEthernet0/0/18] port default vlan 30
[Switch-GigabitEthernet0/0/18] quit
[Switch] interface GigabitEthernet 0/0/19
[Switch-GigabitEthernet0/0/19] port link-type access
[Switch-GigabitEthernet0/0/19] port default vlan 30
[Switch-GigabitEthernet0/0/19] quit
[Switch] interface GigabitEthernet 0/0/20
[Switch-GigabitEthernet0/0/20] port link-type access
[Switch-GigabitEthernet0/0/20] port default vlan 30
[Switch-GigabitEthernet0/0/20] quit
```
The following part uses Huawei routers to illustrate the configuration.

Router1:

```
[Router1] interface GigabitEthernet 0/0/1
[Router1-GigabitEthernet0/0/1] ip address 192.168.0.1 30
[Router1-GigabitEthernet0/0/1] quit
[Router1] interface GigabitEthernet 0/0/2
[Router1-GigabitEthernet0/0/2] ip address 192.168.0.5 30
[Router1-GigabitEthernet0/0/2] quit
[Router1] interface GigabitEthernet 0/0/3
[Router1-GigabitEthernet0/0/3] ip address 192.168.1.1 30
[Router1-GigabitEthernet0/0/3] quit
[Router1] interface GigabitEthernet 0/0/4
[Router1-GigabitEthernet0/0/4] ip address 192.168.1.5 30
[Router1-GigabitEthernet0/0/4] quit
[Router1] ospf 100
[Router1-ospf-100] default-route-advertise
[Router1-ospf-100] area 0
[Router1-ospf-100-area-0.0.0.0] network 192.168.0.0 0.0.0.3
[Router1-ospf-100-area-0.0.0.0] network 192.168.0.4 0.0.0.3
[Router1-ospf-100-area-0.0.0.0] quit
[Router1-ospf-100] quit
[Router1] ospf 200
[Router1-ospf-200] default-route-advertise
[Router1-ospf-200] area 0
[Router1-ospf-200-area-0.0.0.0] network 192.168.1.0 0.0.0.3
[Router1-ospf-200-area-0.0.0.0] network 192.168.1.4 0.0.0.3
[Router1-ospf-200-area-0.0.0.0] quit
[Router1-ospf-200] quit
```

Router2:

```
[Router2] interface GigabitEthernet 0/0/1
[Router2-GigabitEthernet0/0/1] ip address 192.168.0.9 30
[Router2-GigabitEthernet0/0/1] quit
[Router2] interface GigabitEthernet 0/0/2
[Router2-GigabitEthernet0/0/2] ip address 192.168.0.6 30
[Router2-GigabitEthernet0/0/2] quit
[Router2] interface GigabitEthernet 0/0/3
[Router2-GigabitEthernet0/0/3] ip address 192.168.1.9 30
[Router2-GigabitEthernet0/0/3] quit
[Router2] interface GigabitEthernet 0/0/4
[Router2-GigabitEthernet0/0/4] ip address 192.168.1.6 30
[Router2-GigabitEthernet0/0/4] quit
[Router2] ospf 100
[Router2-ospf-100] default-route-advertise
[Router2-ospf-100] area 0
[Router2-ospf-100-area-0.0.0.0] network 192.168.0.8 0.0.0.3
[Router2-ospf-100-area-0.0.0.0] network 192.168.0.4 0.0.0.3
[Router2-ospf-100-area-0.0.0.0] quit
[Router2-ospf-100] quit
[Router2] ospf 200
[Router2-ospf-200] default-route-advertise
[Router2-ospf-200] area 0
[Router2-ospf-200-area-0.0.0.0] network 192.168.1.8 0.0.0.3
[Router2-ospf-200-area-0.0.0.0] network 192.168.1.4 0.0.0.3
[Router2-ospf-200-area-0.0.0.0] quit
[Router2-ospf-200] quit
```
Run the display hrp state verbose command on FW_A and FW_B to check the HRP status. If the following information is displayed, HRP is successfully configured.

FW_A:

```
HRP_M[FW_A] display hrp state verbose
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = Abnormal(standby), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: primary

Detail information:
GigabitEthernet0/0/2 vrid 1: active
GigabitEthernet0/0/4 vrid 2: standby
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up
ospf-cost: +0
```

FW_B:

```
HRP_S[FW_B] display hrp state verbose
Role: active, peer: active
Running priority: 45000, peer: 45000
Backup channel usage: 30%
Stable time: 1 days, 13 hours, 35 minutes
Last state change information: 2018-03-22 16:01:56 HRP core state changed, old_state = Abnormal(standby), new_state = normal(active), local_priority = 45000, peer_priority = 45000.

Configuration:
hello interval: 1000ms
preempt: 60s
mirror configuration: off
mirror session: on
track trunk member: on
auto-sync configuration: on
auto-sync connection-status: on
adjust ospf-cost: on
adjust ospfv3-cost: on
adjust bgp-cost: on
nat resource: secondary

Detail information:
GigabitEthernet0/0/2 vrid 1: standby
GigabitEthernet0/0/4 vrid 2: active
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up
ospf-cost: +0
```
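The verification above is done by eye; an operator who monitors many pairs wants the same check as code. The following added Python example (not from the Huawei documentation) parses the display hrp state verbose output of both FWs and reports every deviation from the expected load balancing state: both roles active, each FW's view of its peer consistent, NAT resources split into primary and secondary, every VRRP group active on exactly one FW, and every tracked interface up. The two good samples are the lines of the outputs shown above that the checker reads; the two degraded samples are constructed for illustration and are not real device output.

```python
import re
from typing import Dict, List

# Lines of the "display hrp state verbose" outputs shown above that the checker reads.
FW_A_HRP = """\
Role: active, peer: active
Running priority: 45000, peer: 45000
nat resource: primary
Detail information:
GigabitEthernet0/0/2 vrid 1: active
GigabitEthernet0/0/4 vrid 2: standby
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up
"""
FW_B_HRP = """\
Role: active, peer: active
Running priority: 45000, peer: 45000
nat resource: secondary
Detail information:
GigabitEthernet0/0/2 vrid 1: standby
GigabitEthernet0/0/4 vrid 2: active
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up
"""
# Constructed samples (not device output): FW_A has lost its upstream link and
# handed both VRRP groups to FW_B.
DEGRADED_A_HRP = """\
Role: standby, peer: active
nat resource: primary
Detail information:
GigabitEthernet0/0/2 vrid 1: standby
GigabitEthernet0/0/4 vrid 2: standby
GigabitEthernet0/0/1: down
GigabitEthernet0/0/3: up
"""
DEGRADED_B_HRP = """\
Role: active, peer: standby
nat resource: secondary
Detail information:
GigabitEthernet0/0/2 vrid 1: active
GigabitEthernet0/0/4 vrid 2: active
GigabitEthernet0/0/1: up
GigabitEthernet0/0/3: up
"""

ROLE_RE = re.compile(r"^Role:\s*(\w+),\s*peer:\s*(\w+)")
NAT_RE = re.compile(r"^nat resource:\s*(\w+)")
VRID_RE = re.compile(r"^(\S+)\s+vrid\s+(\d+):\s*(\w+)")
LINK_RE = re.compile(r"^(GigabitEthernet\S+):\s*(up|down)")


def parse_hrp_state(text: str) -> Dict:
    """Pull role, peer role, NAT resource group, VRRP states and link states out of the output."""
    state: Dict = {"role": None, "peer": None, "nat_resource": None, "vrrp": {}, "links": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := ROLE_RE.match(line):
            state["role"], state["peer"] = m.group(1), m.group(2)
        elif m := NAT_RE.match(line):
            state["nat_resource"] = m.group(1)
        elif m := VRID_RE.match(line):
            state["vrrp"][int(m.group(2))] = m.group(3)
        elif m := LINK_RE.match(line):
            state["links"][m.group(1)] = m.group(2)
    return state


def check_load_balancing(a: Dict, b: Dict) -> List[str]:
    """Return the deviations from the expected load balancing state (empty list = healthy)."""
    problems: List[str] = []
    if not (a["role"] == "active" and b["role"] == "active"):
        problems.append(f"both FWs should be active in load balancing mode (FW_A={a['role']}, FW_B={b['role']})")
    if a["peer"] != b["role"] or b["peer"] != a["role"]:
        problems.append("each FW's view of its peer does not match the peer's own role")
    if {a["nat_resource"], b["nat_resource"]} != {"primary", "secondary"}:
        problems.append(f"NAT resource must be primary on one FW and secondary on the other "
                        f"(got {a['nat_resource']}, {b['nat_resource']})")
    for vrid in sorted(set(a["vrrp"]) | set(b["vrrp"])):
        sa, sb = a["vrrp"].get(vrid), b["vrrp"].get(vrid)
        if {sa, sb} != {"active", "standby"}:
            problems.append(f"VRRP group {vrid} is {sa} on FW_A and {sb} on FW_B; expected one active and one standby")
    for name, dev in (("FW_A", a), ("FW_B", b)):
        for iface, link in dev["links"].items():
            if link != "up":
                problems.append(f"tracked interface {iface} is {link} on {name}")
    return problems


if __name__ == "__main__":
    print("healthy :", check_load_balancing(parse_hrp_state(FW_A_HRP), parse_hrp_state(FW_B_HRP)))
    print("degraded:", check_load_balancing(parse_hrp_state(DEGRADED_A_HRP), parse_hrp_state(DEGRADED_B_HRP)))
```

In the degraded case the VRRP groups still pass (each group is active on exactly one FW, which is the intended failover result), and the checker reports only the two facts an operator needs: the pair is no longer load balancing, and which tracked interface is down.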
Access the Internet from the enterprise network. The access succeeds. Check session information on FW_A and FW_B.

FW_A:

```
HRP_M[FW_A] display firewall session table
Current Total Sessions : 2
icmp VPN:vsysa --> vsysa Remote 10.3.2.10:2057[1.1.1.2:2048]-->3.3.3.3:2048
icmp VPN:public -> public 10.3.1.10:2057[1.1.1.1:2048]-->3.3.3.3:2048
```

FW_B:

```
HRP_S[FW_B] display firewall session table
Current Total Sessions : 2
icmp VPN:vsysa --> vsysa 10.3.2.10:2057[1.1.1.2:2048]-->3.3.3.3:2048
icmp VPN:public -> public Remote 10.3.1.10:2057[1.1.1.1:2048]-->3.3.3.3:2048
```

As shown in the previous information, a session tagged with Remote is created on FW_A and FW_B, indicating that the session is successfully synchronized after hot standby is configured.
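The same check can be automated: every session should appear on both FWs, tagged Remote on exactly one of them (the FW holding the backup copy). The following added Python example (not from the Huawei documentation) parses the two session tables shown above, pairs the entries by protocol, virtual system and addresses, and reports sessions that are missing on one FW or tagged inconsistently. The session lines are those shown above; the line format the regex expects is taken from them, and the third sample, with one session missing, is constructed.

```python
import re
from typing import Dict, List, Tuple

# Session tables exactly as shown above for FW_A and FW_B.
FW_A_SESSIONS = """\
HRP_M[FW_A] display firewall session table
Current Total Sessions : 2
icmp VPN:vsysa --> vsysa Remote 10.3.2.10:2057[1.1.1.2:2048]-->3.3.3.3:2048
icmp VPN:public -> public 10.3.1.10:2057[1.1.1.1:2048]-->3.3.3.3:2048
"""
FW_B_SESSIONS = """\
HRP_S[FW_B] display firewall session table
Current Total Sessions : 2
icmp VPN:vsysa --> vsysa 10.3.2.10:2057[1.1.1.2:2048]-->3.3.3.3:2048
icmp VPN:public -> public Remote 10.3.1.10:2057[1.1.1.1:2048]-->3.3.3.3:2048
"""
# Constructed sample: FW_B has not received the backup of the vsysa session.
FW_B_SESSIONS_MISSING = """\
HRP_S[FW_B] display firewall session table
Current Total Sessions : 1
icmp VPN:public -> public Remote 10.3.1.10:2057[1.1.1.1:2048]-->3.3.3.3:2048
"""

SESSION_RE = re.compile(
    r"^(?P<proto>\S+)\s+VPN:\s*(?P<src_vpn>\S+)\s+-+>\s+(?P<dst_vpn>\S+)\s+"
    r"(?P<remote>Remote\s+)?"
    r"(?P<src>[\d.]+):(?P<sport>\d+)"
    r"(?:\[(?P<nat_ip>[\d.]+):(?P<nat_port>\d+)\])?"
    r"-+>(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

SessionKey = Tuple[str, str, str, str, str, str]


def parse_session_table(text: str) -> List[Dict]:
    """Return one dict per session line; the prompt and the counter line are skipped."""
    sessions = []
    for raw in text.splitlines():
        if m := SESSION_RE.match(raw.strip()):
            entry = m.groupdict()
            entry["remote"] = entry["remote"] is not None  # True = backup copy of a peer session
            sessions.append(entry)
    return sessions


def session_key(s: Dict) -> SessionKey:
    return (s["proto"], s["src_vpn"], s["src"], s["sport"], s["dst"], s["dport"])


def check_session_sync(text_a: str, text_b: str) -> Dict[str, object]:
    """Pair FW_A's and FW_B's sessions and classify each one."""
    a = {session_key(s): s["remote"] for s in parse_session_table(text_a)}
    b = {session_key(s): s["remote"] for s in parse_session_table(text_b)}
    report: Dict[str, object] = {"synchronized": [], "owner": {}, "missing_on_a": [],
                                 "missing_on_b": [], "inconsistent": []}
    for key in sorted(set(a) | set(b)):
        if key not in a:
            report["missing_on_a"].append(key)
        elif key not in b:
            report["missing_on_b"].append(key)
        elif a[key] == b[key]:
            # Both copies local or both Remote: the backup relationship is unclear.
            report["inconsistent"].append(key)
        else:
            report["synchronized"].append(key)
            report["owner"][key] = "FW_B" if a[key] else "FW_A"
    return report


if __name__ == "__main__":
    for name, text_b in (("as shown", FW_B_SESSIONS), ("vsysa session missing", FW_B_SESSIONS_MISSING)):
        r = check_session_sync(FW_A_SESSIONS, text_b)
        print(name, "-> synchronized:", len(r["synchronized"]), "missing on FW_B:", r["missing_on_b"])
```

The owner map is the useful side product: it shows that the public system session was created on FW_A and backed up to FW_B, while the vsysa session was created on FW_B, which matches the VRRP roles of groups 1 and 2 in this example.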
Ping an IP address on the Internet from an intranet PC, remove the network cable from GigabitEthernet 0/0/1 on FW_A, and check FW status switchover and ping packet discard statistics. Then insert the network cable back to GigabitEthernet 0/0/1 on FW_A and check FW status switchover and ping packet discard statistics again.
Configuration script of the public system:

FW_A:

```
#
 vsys enable
#
vsys name vsysa 1
 assign interface GigabitEthernet 0/0/3
 assign interface GigabitEthernet 0/0/4
 assign global-ip 2.2.2.2 2.2.2.2 exclusive
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
 hrp mirror session enable
 hrp nat resource primary-group
#
interface GigabitEthernet 0/0/1
 ip address 192.168.0.2 255.255.255.252
#
interface GigabitEthernet 0/0/2
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface GigabitEthernet 0/0/3
 ip address 192.168.1.2 255.255.255.252
#
interface GigabitEthernet 0/0/4
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
ip route-static 1.1.1.1 255.255.255.255 null 0
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.0 0.0.0.3
#
ospf 200 vpn-instance vsysa
 import-route static
 area 0.0.0.0
  network 192.168.1.0 0.0.0.3
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.1 1.1.1.1
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action source-nat address-group addressgroup1
```

FW_B:

```
#
 vsys enable
#
vsys name vsysa 1
 assign interface GigabitEthernet 0/0/3
 assign interface GigabitEthernet 0/0/4
 assign global-ip 2.2.2.2 2.2.2.2 exclusive
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
 hrp mirror session enable
 hrp nat resource secondary-group
#
interface GigabitEthernet 0/0/1
 ip address 192.168.0.10 255.255.255.252
#
interface GigabitEthernet 0/0/2
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface GigabitEthernet 0/0/3
 ip address 192.168.1.10 255.255.255.252
#
interface GigabitEthernet 0/0/4
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/2
#
firewall zone dmz
 set priority 50
 add interface GigabitEthernet 0/0/7
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/1
#
ip route-static 1.1.1.1 255.255.255.255 null 0
#
ospf 100
 import-route static
 area 0.0.0.0
  network 192.168.0.8 0.0.0.3
#
ospf 200 vpn-instance vsysa
 import-route static
 area 0.0.0.0
  network 192.168.1.8 0.0.0.3
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.1 1.1.1.1
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.1.0 24
  action source-nat address-group addressgroup1
```

Configuration script of vsysa:

FW_A:

```
#
 switch vsys vsysa
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/3
#
ip route-static 1.1.1.2 255.255.255.255 null 0
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.2 1.1.1.2
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action source-nat address-group addressgroup1
```

FW_B:

```
#
 switch vsys vsysa
#
firewall zone trust
 set priority 85
 add interface GigabitEthernet 0/0/4
#
firewall zone untrust
 set priority 5
 add interface GigabitEthernet 0/0/3
#
ip route-static 1.1.1.2 255.255.255.255 null 0
#
security-policy
 rule name policy_sec
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action permit
#
nat address-group addressgroup1
 section 0 1.1.1.2 1.1.1.2
#
nat-policy
 rule name policy_nat
  source-zone trust
  destination-zone untrust
  source-address 10.3.2.0 24
  action source-nat address-group addressgroup1
```
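The requirement stated earlier that the virtual system names and IDs on FW_A and FW_B must be identical is one of several pairing constraints visible in these two scripts: the tracked interfaces must match, each heartbeat remote address must be the peer's heartbeat interface address, the NAT resources must be primary-group on one FW and secondary-group on the other, and every VRRP group must carry the same virtual IP with one active and one standby member. The following added Python example (not from the Huawei documentation) reads both configuration scripts and reports any of these constraints that does not hold. The embedded scripts are excerpts of the FW_A and FW_B public system scripts above, limited to the blocks the checker reads; the regexes assume the indentation-free command forms shown in those scripts.

```python
import re
from typing import Dict, List, Set, Tuple

# Excerpts of the FW_A and FW_B configuration scripts shown above (zones, OSPF
# and policy blocks, which the checker does not read, are left out).
FW_A_SCRIPT = """\
vsys name vsysa 1
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.2
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
 hrp nat resource primary-group
#
interface GigabitEthernet 0/0/2
 ip address 10.3.1.2 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 active
#
interface GigabitEthernet 0/0/4
 ip address 10.3.2.2 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 standby
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.1 255.255.255.0
"""
FW_B_SCRIPT = """\
vsys name vsysa 1
#
 hrp enable
 hrp interface GigabitEthernet 0/0/7 remote 10.10.0.1
 hrp track interface GigabitEthernet 0/0/1
 hrp track interface GigabitEthernet 0/0/3
 hrp nat resource secondary-group
#
interface GigabitEthernet 0/0/2
 ip address 10.3.1.3 255.255.255.0
 vrrp vrid 1 virtual-ip 10.3.1.1 standby
#
interface GigabitEthernet 0/0/4
 ip address 10.3.2.3 255.255.255.0
 vrrp vrid 2 virtual-ip 10.3.2.1 active
#
interface GigabitEthernet 0/0/7
 ip address 10.10.0.2 255.255.255.0
"""


class FwConfig:
    """The hot standby related settings pulled out of one FW's configuration script."""

    def __init__(self, text: str) -> None:
        self.vsys: Dict[str, int] = {}
        self.track: Set[str] = set()
        self.hb_iface = self.hb_remote = self.nat_resource = None
        self.ip: Dict[str, str] = {}                 # interface -> address
        self.vrrp: Dict[int, Tuple[str, str]] = {}   # vrid -> (virtual ip, role)
        iface = None
        for raw in text.splitlines():
            line = raw.strip()
            if m := re.match(r"vsys name (\S+) (\d+)$", line):
                self.vsys[m[1]] = int(m[2])
            elif m := re.match(r"hrp interface (\S+ \S+) remote (\S+)$", line):
                self.hb_iface, self.hb_remote = m[1], m[2]
            elif m := re.match(r"hrp track interface (\S+ \S+)$", line):
                self.track.add(m[1])
            elif m := re.match(r"hrp nat resource (\S+)$", line):
                self.nat_resource = m[1]
            elif m := re.match(r"interface (\S+ \S+)$", line):
                iface = m[1]
            elif m := re.match(r"ip address (\S+) \S+$", line):
                self.ip[iface] = m[1]
            elif m := re.match(r"vrrp vrid (\d+) virtual-ip (\S+) (active|standby)$", line):
                self.vrrp[int(m[1])] = (m[2], m[3])


def check_pair(a: FwConfig, b: FwConfig) -> List[str]:
    """Return the pairing constraints that FW_A and FW_B violate (empty list = consistent)."""
    problems: List[str] = []
    if a.vsys != b.vsys:
        problems.append(f"virtual system names/IDs differ: {a.vsys} vs {b.vsys}")
    if a.track != b.track:
        problems.append("the two FWs track different interfaces")
    if a.hb_remote != b.ip.get(b.hb_iface) or b.hb_remote != a.ip.get(a.hb_iface):
        problems.append("heartbeat remote address does not match the peer's heartbeat interface address")
    if {a.nat_resource, b.nat_resource} != {"primary-group", "secondary-group"}:
        problems.append("NAT resources must be primary-group on one FW and secondary-group on the other")
    for vrid in sorted(set(a.vrrp) | set(b.vrrp)):
        vip_a, role_a = a.vrrp.get(vrid, (None, None))
        vip_b, role_b = b.vrrp.get(vrid, (None, None))
        if vip_a != vip_b or {role_a, role_b} != {"active", "standby"}:
            problems.append(f"VRRP group {vrid}: expected the same virtual IP with one active and one standby member")
    if dup := set(a.ip.values()) & set(b.ip.values()):
        problems.append(f"interface addresses configured on both FWs: {sorted(dup)}")
    return problems


if __name__ == "__main__":
    print(check_pair(FwConfig(FW_A_SCRIPT), FwConfig(FW_B_SCRIPT)) or "FW_A and FW_B are consistent")
```

Running it over the scripts as shown reports no problems; changing the vsys ID on one side, or setting VRRP group 1 to active on both FWs, is reported with the affected item named, which is the same comparison the text asks you to make with display vsys, extended to the other settings that must agree.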