Stateful Failover Technology White Paper

Transcription

1 Stateful Failover Technology White Paper Keywords: Stateful failover, master/backup mode, load balancing mode, data synchronization, link switching Abstract: A firewall device is usually the access point of a network. Once the firewall fails, a single point of failure occurs and all the traffic will be interrupted. To avoid this, you can use the stateful failover feature to ensure continuous data transmission. This document describes the concepts, working mode, implementation and application scenarios of stateful failover. Acronyms: Acronym Full spelling ALG ASPF NAT VRRP OSPF Application Level Gateway Application Specific Packet Filter Network Address Translator Virtual Router Redundancy Protocol Open Shortest Path First Hangzhou H3C Technologies Co., Ltd. 1/15

2 Table of Contents 1 Overview Background Benefits Operating Modes of Stateful Failover Active/Standby Mode Load Balancing Mode Stateful Failover Implementation Data Synchronization Link Switchover Link Switchover Through VRRP Link Switchover Through Dynamic Routing Limitations Stateful Failover Technology Characteristics of H3C Application Scenarios Stateful Failover Configuration Example (Routing Mode + Active/Standby Mode) Stateful Failover Configuration Example (Routing Mode + Load Balancing Mode) Stateful Failover Configuration Example (Transparent Mode + Load Balancing Mode) References Hangzhou H3C Technologies Co., Ltd. 2/15

3 1 Overview 1.1 Background Continuous data transmission at key service entries and access points (such as the Internet access point of an enterprise or a database server of a bank) must be ensured. In Figure 1, only one firewall is deployed at the access point. If it fails, services between the internal and external networks will be interrupted. Figure 1 Network diagram for a single point failure To avoid such single point of failures, the traditional backup network solution deploys multiple devices (routers or forwarding devices only) at the access point for service backup and link switchover. Once the active device fails, traffic will switch to a standby device through VRRP or a dynamic routing protocol. In such a network, packets are forwarded based on the forwarding table; however, if stateful firewalls are deployed at the access point, packets need to match session entries before they can pass. Typically, the active firewall checks the first packet of a session, and then creates a session entry (including the source IP address/port number and destination IP address/port number of the packet) if it permits the packet to pass. Subsequent Hangzhou H3C Technologies Co., Ltd. 3/15

4 packets matching the session entry can pass through the firewall. After link switchover, the packets may not find the session entry on the standby device and thus cannot pass through the firewall. The stateful failover solution can solve the problem. In a stateful failover network, the firewall devices synchronize session information before link switchover. If the active device fails, service traffic is switched to the standby device to ensure session continuity. In Figure 2, two firewalls are deployed at the access point. If Firewall 1 fails, the service traffic is switched to Firewall 2. Because Firewall 2 has performed data synchronization with Firewall 1, the current service is not interrupted, and the network stability and reliability are improved. Internet Firewall 1 Firewall 2 Private network Subnet 1: /24 Subnet 2: /24 Figure 2 Network diagram for stateful failover Stateful failover can be regarded as a solution to solve single point failure by data synchronization and link switchover; it can also be regarded as a funtional module (because it only implements data synchronization) that can be configured through the web interface. This manual describes stateful failover from the first perspective. Hangzhou H3C Technologies Co., Ltd. 4/15

5 1.2 Benefits Compared with the traditional backup network solution, the stateful failover solution: Avoids service interruption upon a single point failure. Supports two operating modes (active/standby mode and load balancing mode) and two firewall working modes (routing mode and transparent mode), making the solution applicable to complicated network requirements. The routing mode indicates the firwall works as a Layer 3 device, and the transparent mode indicates the firwall works as a Layer 2 device on the network. 2 Operating Modes of Stateful Failover The stateful failover solution supports two operating modes, namely active/standby and load balancing. In the two modes, a device that forwards traffic is the active device, and a device that does not forward traffic is a standby device. 2.1 Active/Standby Mode If two firewalls are in the active/standby mode, one firewall acts as the active device, and the other firewall acts as the standby device. The active device processes all services and synchronizes session information to the standby device. The standby firewall serves as the backup and does not process services. In Figure 3, Firewall 1 processes all services and Firewall 2 is used for backup. When Firewall 1 fails, Firewall 2 takes over the services, as shown in Figure 4, thus ensuring the establishment of new sessions and the continuity of the current sessions. Hangzhou H3C Technologies Co., Ltd. 5/15

6 Trust zone Firewall 1 Session entries Firewall 2 Session entries Untrust zone Actual link DMZ zone Packet path Figure 3 Network diagram for sessions before Firewall 1 fails (in active/standby mode) Trust zone Firewall 1 Untrust zone Firewall 2 Session entries Actual link DMZ zone Packet path Figure 4 Network diagram for sessions after Firewall 1 fails (in active/standby mode) 2.2 Load Balancing Mode If two firewalls are in the load balancing mode, both devices are active to forward traffic and back up the session information of each other. In Figure 5, both Firewall 1 and Firewall 2 process traffic and serve as the backup of each other. When Firewall 1 Hangzhou H3C Technologies Co., Ltd. 6/15

7 fails, Firewall 2 takes over all services, as shown in Figure 4, thus ensuring the establishment of new sessions and the continuity of the current sessions. Trust zone Firewall 1 Session entries Untrust zone Firewall 2 Session entries Actual link DMZ zone Packet path Figure 5 Network diagram for sessions before Firewall 1 fails (in load balancing mode) 3 Stateful Failover Implementation 3.1 Data Synchronization A firewall maintains the information of each session. After the standby device takes over the services of the active device, it must have correct session information to process session packets; otherwise, session packets are discarded and sessions are terminated. Therefore, upon the establishment of new session entries or session entry changes, the active device needs to synchronize the information to the standby device for session information consistency. The information that a firewall can synchronize includes: session, NAT, ALG, ASPF, black list, H.323, SIP, ILS, RTSP, NBT, and SQLNET. The data synchronization method can be either of the following: Batch backup. After a firewall works for a period of time, a large number of session entries are generated. Then you can deploy another firewall and enable stateful failover on both firewalls. The session entries will be synchronized to Hangzhou H3C Technologies Co., Ltd. 7/15

8 the newly added device at one time. This process is called batch backup. Real-time backup. Upon the establishment of new session entries or session entry changes, the active firewall synchronizes session information to the standby device in real time for session information consistency. This process is called real-time backup. 3.2 Link Switchover The stateful failover solution uses VRRP or a dynamic routing protocol to implement link switchover Link Switchover Through VRRP You can configure a group of devices in a LAN as a VRRP group, which functions as a virtual device. Hosts in the LAN can communicate with other networks through the virtual device. In the VRRP group, only one device is active to forward packets, which is called the master; other devices are in standby state, which are called backups and are ready to take over services based on the device priorities. When the master fails, the device with the highest priority is elected as the new master and takes over services. Thus, a link switchover is completed and is totally transparent to users. Through network and VRRP configurations, you can implement the active/standby or load balancing mode of stateful failover. In the active/standby mode, only one VRRP group is required. The firewalls in the VRRP group have different priorities and the one with the highest priority is the master. As shown in Figure 6, create VRRP group 1 on Firewall 1 and Firewall 2, and configure a higher priority for Firewall 1. Configure the default gateway of Host A and Host B as the virtual IP address /24 of VRRP group 1. If Firewall 1 works normally, it forwards packets of Host A and Host B and Firewall 2 serves as backup in monitoring state; if Firewall 1 fails, Firewall 2 becomes the master and forwards packets of Host A and Host B. Hangzhou H3C Technologies Co., Ltd. 8/15

9 Public network Firewall 1 Firewall 2 Stateful failover link GE0/1 GE0/1 Master VRRP group 1 Virtual IP address: //24 Backup Private network Host A IP: /24 Gateway: Host B IP: /24 Gateway: Figure 6 Link switchover through VRRP (in active/standby mode) In the load balancing mode, two VRRP groups are required. One firewall serves as the master in VRRP group 1 and the other firewall serves as the master in VRRP group 2. As shown in Figure 7, create VRRP group 1 and VRRP group 2 on Firewall 1 and Firewall 2 respectively, and configure a higher priority for Firewall 1 in VRRP group 1 and a higher priority for Firewall 2 in VRRP group 2. Configure the default gateway of Host A as the virtual IP address /24 of VRRP group 1, and that of Host B as the virtual IP address /24 of VRRP group 2. If Firewall 1 works normally, it forwards packets of Host A and Firewall 2 forwards packets of Host B to implement load balancing. They serve as backups and monitor the state of each other. If Firewall 1 fails, Firewall 2 becomes the master in VRRP group 1 and forwards packets of Host A and Host B. Hangzhou H3C Technologies Co., Ltd. 9/15

10 Figure 7 Link switchover through VRRP (in load balancing mode) Link Switchover Through Dynamic Routing If devices A and B located on separate networks are reachable through multiple paths, the dynamic routing protocol selects an optimal path by route calculation. If the path fails, the routing protocol selects an optimal path from the rest of the paths, and the failed route is used after recovery. Thus, the connectivity between A and B is ensured. Through network and dynamic routing configurations, you can implement the active/standby or load balancing mode of stateful failover. (The following network diagram takes OSPF as example.) In the active/standby mode, one firewall is active and the other firewall is in the backup state. As shown in Figure 8, enable OSPF on Router A, Router B, Firewall 1 and Firewall 2, configure them to be in the same OSPF domain, and configure the cost value of Ethernet 1/1 to be greater than that of Ethernet 1/2 on both Router A and Router B. Then, the path Router A< >Firewall 1< >Router B has a higher priority than the path Router A< >Firewall 2< Hangzhou H3C Technologies Co., Ltd. 10/15

11 >Router B. If Firewall 1 works normally, packets from the private network are forwarded by Firewall 1 to the Internet; if Firewall 1 fails, packets from the private network are forwarded by Firewall 2 to the Internet. In the active/standby mode, both firewalls are active and serve as the backup of each other. As shown in Figure 8, enable OSPF on Router A, Router B, Firewall 1 and Firewall 2, configure them to be in the same OSPF domain, and configure Router A and Router B to support at least two equal-cost routes. Because the path Router A< >Firewall 1< >Router B has the same priority as the path Router A< >Firewall 2< >Router B, packets from the private network are forwarded by both Firewall 1 and Firewall 2 to the Internet; if Firewall 1 fails, packets from the private network are forwarded by Firewall 2 to the Internet. Internet OSPF Eth1/1 Router A Eth1/2 Firewall 1 Firewall 2 Eth1/1 Eth1/2 Router B Private network Figure 8 Link switchover through OSPF 3.3 Limitations Stateful failover supports only two devices. The hardware configuration and software version must be consistent on the two devices, and the interface cards on the corresponding slot must be consistent; otherwise, the device may fail to recognize or fail to find related physical resources of the information backed up from the other device, resulting in Hangzhou H3C Technologies Co., Ltd. 11/15

12 packet forwarding error or failure after link switchover. Stateful failover supports data synchronization only and does not support configuration synchronization. Therefore, if you make some configurations (such as interface type, VLAN that permitted to pass the interface) on one device, you need to make the same configurations on the other device. 4 Stateful Failover Technology Characteristics of H3C Stateful failover backs up only session information to ensure session continuity after link switchover. Link switchover is implemented by using traditional backup technologies (such as VRRP and dynamic routing protocols), which are flexible in application and adaptable to various network environments. Stateful failover backs up session information through dedicated interfaces that are not used for forwarding, thus featuring high reliability and performance. 5 Application Scenarios 5.1 Stateful Failover Configuration Example (Routing Mode + Active/Standby Mode) As shown in Figure 9, Firewall and Firewall 2 are deployed at the access point between the private network and public network, and are working in routing mode. It is required that: If Firewall 1 works normally, Host A and Host B access Server 1 through Firewall 1; if Firewall 1 fails, Host A and Host B access Server 1 through Firewall 2 and the ongoing sessions between Host A and Server 1, Host B and Server 1 are not interrupted. To meet the requirement, you can configure VRRP group 1 for monitoring the down links and VRRP group 2 for monitoring the uplinks on Firewall 1 and Firewall 2, and enable data synchronization between the two firewalls. Hangzhou H3C Technologies Co., Ltd. 12/15

13 Server 1 IP: /24 Gateway: /24 L2 switch A / /24 Firewall 1 Stateful failover link Firewall 2 GE0/1 GE0/1 GE1/ /24 Master Master VRRP group 2 Virtual IP address: //24 VRRP group 1 Virtual IP address: //24 Backup GE1/ /24 Backup L2 switch B L2 switch C Host A IP: /24 Gateway: Host B IP: /24 Gateway: Figure 9 Network diagram for stateful failover (implementing link switchover through VRRP) 5.2 Stateful Failover Configuration Example (Routing Mode + Load Balancing Mode) As shown in Figure 10, Firewall 1 and Firewall 2 are deployed at the access point between the private network and public network, and are working in routing mode. It is required that: If Firewall 1 works normally, Host A accesses Server 1 through Firewall 1 and Host B accesses Server 1 through Firewall 2 for load balancing; if Firewall 1 fails, Host A and Host B access Server 1 through Firewall 2 and the ongoing sessions between Host A and Server 1, Host B and Server 1 are not interrupted. To meet the requirement, you can configure OSPF on Router A, Router B, Router C, Router D, Firewall 1 and Firewall 2, and enable data synchronization between the two firewalls. Hangzhou H3C Technologies Co., Ltd. 13/15

14 Server / /24 OSPF Router C /24 GE1/ /16 GE1/ /24 GE1/ / /24 Router D GE1/ /16 GE1/1 GE1/ / /16 Firewall 1 Stateful failover link Firewall / / /24 Router A GE1/ / /24 Router B GE1/ / / /24 Host A Host B Figure 10 Network diagram for stateful failover (routing mode + load balancing mode) 5.3 Stateful Failover Configuration Example (Transparent Mode + Load Balancing Mode) As shown in Figure 11, Firewall and Firewall 2 are deployed at the access point between the private network and public network, and are working in transparent mode (Layer 2 mode). It is required that: If Firewall 1 works normally, Host A accesses Server 1 through Firewall 1 and Host B accesses Server 1 through Firewall 2 for load balancing; if Firewall 1 fails, Host A and Host B access Server 1 through Firewall 2 and the ongoing sessions between Host A and Server 1, Host B and Sever 1 are not interrupted. To meet the requirement, you can configure VRRP group 1 and VRRP group 2 (both for load balancing and monitoring the down link) on Router A and Router B, and Hangzhou H3C Technologies Co., Ltd. 14/15

15 enable data synchronization between Firewall 1 and Firewall 2. Server 1 IP: /24 L2 switch C Route A Route B Backup VRRP group 2 Virtual IP address: //24 Master Master VRRP group 1 Virtual IP address: //24 Backup Firewall 1 Firewall 2 GE0/1 Stateful failover link GE0/1 L2 switch A L2 switch B Host A IP: /24 Gateway: Host B IP: /24 Gateway: Figure 11 Network diagram for stateful failover (transparent mode + load balancing mode) 6 References Stateful Failover Configuration Examples Copyright 2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. Hangzhou H3C Technologies Co., Ltd. 15/15