SecBlade Firewall Cards Stateful Failover Configuration Examples

Transcription

1 SecBlade Firewall Cards Stateful Failover Configuration Examples Keywords: Stateful failover, active/standby mode, active/active mode, data synchronization, traffic switchover Abstract: A network that has only one firewall has a single point of failure. The stateful failover technology can solve this problem. It ensures continuous traffic forwarding upon the failure of a firewall. This document presents stateful failover configuration examples for the H3C SecBlade firewall cards. Acronyms: ACL Acronym Access control list Full spelling NAT VRRP HA Network Address Translator Virtual Router Redundancy Protocol High availability Hangzhou H3C Technologies Co., Ltd. 1/18

2 Table of Contents Feature Overview 3 Application Scenarios 5 Configuration Guidelines 5 Stateful Failover Configuration Examples 6 Network Requirements 6 Network Diagrams 7 Active/Standby Mode 7 Active/Active Mode 8 Asymmetric Path 9 Software Version Used 9 Configuration Procedure 9 Preconfiguration 9 Configuration Examples 10 Active/Standby Mode Configuration Example 10 Active/Active Mode Configuration Example 13 Asymmetric Path Configuration Example 15 References 18 Hangzhou H3C Technologies Co., Ltd. 2/18

3 Feature Overview 1) Data synchronization Firewalls work based on session information. To ensure that traffic can switch to the standby SecBlade firewall card when the active card fails, the session entries on the active and standby cards must be synchronized. 2) Working modes: active/standby and active/active In active/standby mode, the active SecBlade firewall card processes all services, while the standby card serves only as the backup. Figure 1 Active/Standby mode In active/active mode, both SecBlade firewall cards are active and serve as the backup for each other. Internal users can choose either card through routing or some other method. If one SecBlade firewall card fails, the other takes over all services. Hangzhou H3C Technologies Co., Ltd. 3/18

4 Figure 2 Active/Active mode 3) Symmetric/Asymmetric path Symmetric path: Sessions enter and leave the internal network through one SecBlade firewall card. Asymmetric path: Sessions enter and leave the internal network through different SecBlade firewall cards to achieve load sharing. Hangzhou H3C Technologies Co., Ltd. 4/18

5 Figure 3 Asymmetric path Application Scenarios Some customers require the key service points of their networks to be highly reliable to ensure continuous data transmission. Deploying only one device (even with high reliability) in such a network risks a single point of failure and therefore cannot meet the requirement. Stateful failover ensures continuous traffic forwarding upon the failure of a device. Configuration Guidelines Make sure that configuration and software version on the two SecBlade firewall cards are consistent. Save your configuration in time. Hangzhou H3C Technologies Co., Ltd. 5/18

6 Stateful Failover Configuration Examples Network Requirements Figure 4 Connect the H3C SecBlade firewall cards HA XGE0/0.230 Vlan230 Vlan230 XGE0/0.230 GE0/4 XGE0/0 trunk XGE2/0/1 trunk XGE7/0/1 XGE0/0 GE0/4 XGE0/0.240 Vlan240 Vlan240 XGE0/0.240 GE4/0/23 GE4/0/21 Host A Host B GE4/0/24 Host C Table 1 Software and hardware required Item Description Quantity H3C SecBlade firewall card 2 PC Serves as a client or sever 3 S7500E switch 1 Hangzhou H3C Technologies Co., Ltd. 6/18

7 Network Diagrams Active/Standby Mode Figure 5 Network diagram for active/standby mode Host C IP: /16 Gateway: Internet Master VRRP group 1 Virtual IP address /16 Backup Failover link Firewall 1 Firewall 2 Master VRRP group 1 Virtual IP address /16 Backup Private network Host A IP: /16 Gateway: Host B IP: /16 Gateway: Hangzhou H3C Technologies Co., Ltd. 7/18

8 Active/Active Mode Figure 6 Network diagram for active/active mode Host C IP: /16 Gateway: Internet Backup VRRP group 2 Virtual IP address /16 Master Master VRRP group 1 Virtual IP address /16 Backup Failover link Firewall 1 Firewall 2 Master VRRP group 1 Virtual IP address /16 Backup Backup VRRP group 2 Virtual IP address /16 Master Private network Host A IP: /16 Gateway: Host B IP: /16 Gateway: Hangzhou H3C Technologies Co., Ltd. 8/18

9 Asymmetric Path Figure 7 Network diagram for asymmetric path Host C IP: /16 Gateway: Internet Master VRRP group 1 Virtual IP address /16 Backup Failover link Firewall 1 Firewall 2 Master VRRP group 2 Virtual IP address /16 Backup Private network Host A IP: /16 Gateway: Host B IP: /16 Gateway: Software Version Used Any of the SecBlade R3166 and F3166 series versions Configuration Procedure Preconfiguration Configuration on the switch # Add GigabitEthernet 4/0/21 to VLAN 230. interface GigabitEthernet4/0/21 port access vlan 230 # Add GigabitEthernet 4/0/23 to VLAN 230. interface GigabitEthernet4/0/23 port access vlan 230 # Add GigabitEthernet 4/0/24 to VLAN 240. interface GigabitEthernet4/0/24 port access vlan 240 # Configure the 10-GE interface that connects to SecBlade firewall card 1 (FW1). Hangzhou H3C Technologies Co., Ltd. 9/18

10 interface Ten-GigabitEthernet2/0/1 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan # Configure the 10-GE interface that connects to SecBlade firewall card 2 (FW2). interface Ten-GigabitEthernet7/0/1 port link-type trunk undo port trunk permit vlan 1 port trunk permit vlan Add each firewall card s subinterface XGE0/0.230 connected to the internal network to the Trust zone and subinterface XGE0/0.240 connected to the external network to the Untrust zone, and configure an inter-zone policy to enable intercommunication between the Untrust and Trust zones. Configuration Examples Active/Standby Mode Configuration Example Configuration procedure Configure FW2 1) Configure NAT address pool 1, containing addresses to nat address-group ) Create advanced IPv4 ACL 3000 and enter its view. Configure rule 5 that permits traffic sourced from network /16 to pass. acl number 3000 rule 5 permit ip source ) Configure subinterface Ten-GigabitEthernet 0/ # Configure Ten-GigabitEthernet 0/0.230 to terminate Dot1q packets with VLAN ID 230. interface Ten-GigabitEthernet0/0.230 vlan-type dot1q vid 230 # Configure the IP address of Ten-GigabitEthernet 0/ ip address # Create VRRP group 1 and configure its virtual IP address as vrrp vrid 1 virtual-ip # Set the priority of FW2 in VRRP group 1 to 105. vrrp vrid 1 priority 105 # Monitor Ten-GigabitEthernet 0/0.240 through track, and decrease the priority of VRRP group 1 where FW2 is located by 10 when Ten-GigabitEthernet 0/0.240 is down. vrrp vrid 1 track interface Ten-GigabitEthernet0/ ) Configure subinterface Ten-GigabitEthernet 0/ # Configure Ten-GigabitEthernet 0/0.240 to terminate Dot1q packets with VLAN ID 240. interface Ten-GigabitEthernet0/0.240 vlan-type dot1q vid 240 Hangzhou H3C Technologies Co., Ltd. 10/18

11 # Configure IP addresses matching ACL 3000 to be translated to addresses in address pool 1, and associate ACL 3000 with VRRP group 2. nat outbound 3000 address-group 1 track vrrp 2 # Configure the IP address of Ten-GigabitEthernet 0/ ip address # Create VRRP group 2 and configure its virtual IP address as vrrp vrid 2 virtual-ip # Set the priority of FW2 in VRRP group 2 to 105. vrrp vrid 2 priority 105 # Monitor Ten-GigabitEthernet 0/0.230 through track, and decrease the priority of VRRP group 2 where FW2 is located by 10 when Ten-GigabitEthernet 0/0.230 is down. vrrp vrid 2 track interface Ten-GigabitEthernet0/ ) Enable stateful failover. # Log in to the Web interface, select High Reliability > Stateful Failover from the navigation tree, and perform the following settings on the page. Configure FW1 1) Configure NAT address pool 1, containing addresses to nat address-group ) Create an advanced IPv4 ACL 3001 and enter its view. Configure rule 0 that permits traffic sourced from network /16 to pass. acl number 3001 rule 0 permit ip source ) Configure subinterface Ten-GigabitEthernet 0/ # Configure Ten-GigabitEthernet 0/0.230 to terminate Dot1q packets with VLAN ID 230. interface Ten-GigabitEthernet0/0.230 vlan-type dot1q vid 230 # Configure the IP address of Ten-GigabitEthernet 0/ ip address # Create VRRP group 1 and configure its virtual IP address as vrrp vrid 1 virtual-ip Hangzhou H3C Technologies Co., Ltd. 11/18

12 4) Configure subinterface Ten-GigabitEthernet 0/ # Configure Ten-GigabitEthernet 0/0.240 to terminate Dot1q packets with VLAN ID 240. interface Ten-GigabitEthernet0/0.240 vlan-type dot1q vid 240 # Configure IP addresses matching ACL 3000 to be translated to addresses in address pool 1, and associate ACL 3000 with VRRP group 2. nat outbound 3000 address-group 1 track vrrp 2 # Configure the IP address of Ten-GigabitEthernet 0/ ip address # Create VRRP group 2 and configure its virtual IP address as vrrp vrid 2 virtual-ip ) # Enable stateful failover. # Log in to the Web interface, select High Reliability > Stateful Failover from the navigation tree, and perform the following settings on the page. Tests Display the VRRP group state on FW2 by using the display vrrp command. Result 1 is expected. Ping Host C on Host A. If FW1 changes from active to standby, result 2 is expected. Ping Host C on Host A. If FW1 changes from standby to active, result 2 is expected. When the traffic volume is small, telnet to Host C from Host A. When stateful failover occurs, result 3 is expected. Results Result 1 [FW-2]display vrrp IPv4 Standby Information: Run Mode : Standard Run Method : Virtual MAC Total number of virtual routers : 2 Interface VRID State Run Adver Auth Virtual Pri Timer Type IP XGE0/ Master None Hangzhou H3C Technologies Co., Ltd. 12/18

13 XGE0/ Master None SecBlade Firewall Cards Stateful Failover Configuration Examples [FW-1]display vrrp IPv4 Standby Information: Run Mode : Standard Run Method : Virtual MAC Total number of virtual routers : 2 Interface VRID State Run Adver Auth Virtual Pri Timer Type IP XGE0/ Backup None XGE0/ Backup None Result 2: No packet loss, or packet loss seldom occurs. Result 3: Communication is not interrupted. Active/Active Mode Configuration Example Configuration procedure Configure FW1 1) Configure NAT address pools 1 and 2. nat address-group nat address-group ) Create an advanced IPv4 ACL 3000 and enter its view. Configure rule 5 that permits traffic sourced from to pass. acl number 3000 rule 5 permit ip source ) Create an advanced IPv4 ACL 3001 and enter its view. Configure rule 1 that permits traffic sourced from to pass. acl number 3001 rule 1 permit ip source ) Configure XGE0/0.230 to terminate Dot1q packets with VLAN ID 230, and configure VRRP groups 1 and 3. interface Ten-GigabitEthernet0/0.230 vlan-type dot1q vid 230 ip address vrrp vrid 1 virtual-ip vrrp vrid 3 virtual-ip vrrp vrid 3 priority 105 vrrp vrid 3 track interface Ten-GigabitEthernet0/ ) Configure XGE0/0.240 to terminate Dot1q packets with VLAN ID 240, and configure VRRP groups 2 and 4. interface Ten-GigabitEthernet0/0.240 vlan-type dot1q vid 240 nat outbound 3001 address-group 2 track vrrp 4 nat outbound 3000 address-group 1 track vrrp 2 ip address vrrp vrid 2 virtual-ip Hangzhou H3C Technologies Co., Ltd. 13/18

14 vrrp vrid 4 virtual-ip vrrp vrid 4 priority 105 vrrp vrid 4 track interface Ten-GigabitEthernet0/ ) Enable stateful failover. # Log in to the Web interface, select High Reliability > Stateful Failover from the navigation tree, and perform the following settings on the page. Configure FW2 1) Configure NAT address pools 1 and 2. nat address-group nat address-group ) Create an advanced IPv4 ACL 3000 and enter its view. Configure rule 5 that permits traffic sourced from to pass. acl number 3000 rule 5 permit ip source ) Create an advanced IPv4 ACL 3001 and enter its view. Configure rule 1 that permits traffic sourced from to pass. acl number 3001 rule 1 permit ip source ) Configure XGE0/0.230 to terminate Dot1q packets with VLAN ID 240, and configure VRRP groups 1 and 3. interface Ten-GigabitEthernet0/0.230 vlan-type dot1q vid 230 ip address vrrp vrid 1 virtual-ip vrrp vrid 1 priority 105 vrrp vrid 1 track interface Ten-GigabitEthernet0/0.240 vrrp vrid 3 virtual-ip ) Configure XGE0/0.240 to terminate Dot1q packets with VLAN ID 240, and configure VRRP groups 2 and 4. interface Ten-GigabitEthernet0/0.240 vlan-type dot1q vid 240 nat outbound 3001 address-group 2 track vrrp 4 nat outbound 3000 address-group 1 track vrrp 2 ip address vrrp vrid 2 virtual-ip vrrp vrid 2 priority 105 Hangzhou H3C Technologies Co., Ltd. 14/18

15 vrrp vrid 2 track interface Ten-GigabitEthernet0/0.230 vrrp vrid 4 virtual-ip ) Enable stateful failover. # Log in to the Web interface, select High Reliability > Stateful Failover from the navigation tree, and perform the following settings on the page. Tests Display the VRRP group state on FW2 by using the display vrrp command. Result 1 is expected. Ping Host C on Host A. If FW1 is experiencing an active/standby failover, result 2 is expected. Ping Host C on Host B through FW2. If FW2 is experiencing an active/standby failover, result 2 is expected. Ping Host C on Host A. If FW1 changes from standby to active, result 2 is expected. When the traffic volume is small, telnet to Host C from Host A. When stateful failover occurs, result 3 is expected. Results Result 1 [FW-2]dis vrrp IPv4 Standby Information: Run Mode : Standard Run Method : Virtual MAC Total number of virtual routers : 4 Interface VRID State Run Adver Auth Virtual Pri Timer Type IP XGE0/ Master None XGE0/ Backup None XGE0/ Master None XGE0/ Backup None Result 2: No packet loss, or packet loss seldom occurs. Result 3: Traffic processing is not interrupted. Asymmetric Path Configuration Example Configuration procedure Configure FW2 Hangzhou H3C Technologies Co., Ltd. 15/18

16 1) Configure NAT address pool 1. nat address-group ) Create an advanced IPv4 ACL 3000 and enter its view. Configure rule 5 that permits traffic sourced from network /16 to pass. acl number 3000 rule 5 permit ip source ) Configure subinterface XGE0/0.230, and configure VRRP group 1. interface Ten-GigabitEthernet0/0.230 vlan-type dot1q vid 230 ip address vrrp vrid 1 virtual-ip vrrp vrid 1 track interface Ten-GigabitEthernet0/ ) Configure subinterface XGE0/0.240, and configure VRRP group 2. interface Ten-GigabitEthernet0/0.240 vlan-type dot1q vid 240 nat outbound 3000 address-group 1 track vrrp 2 ip address vrrp vrid 2 virtual-ip vrrp vrid 2 priority 105 vrrp vrid 2 track interface Ten-GigabitEthernet0/ ) Enable stateful failover. # Log in to the Web interface, select High Reliability > Stateful Failover from the navigation tree, and perform the following settings on the page. Configure FW1 1) Configure NAT address pool 1. nat address-group ) Create an advanced IPv4 ACL 3001 and enter its view. Configure rule 0 that permits traffic sourced from network /16 to pass. acl number 3001 rule 0 permit ip source ) Configure subinterface Ten-GigabitEthernet 0/0.230, and configure VRRP group 1. interface Ten-GigabitEthernet0/0.230 vlan-type dot1q vid 230 ip address vrrp vrid 1 virtual-ip vrrp vrid 1 priority 105 Hangzhou H3C Technologies Co., Ltd. 16/18

17 4) Configure subinterface Ten-GigabitEthernet 0/0.240, and configure VRRP group 2. interface Ten-GigabitEthernet0/0.240 vlan-type dot1q vid 240 nat outbound 3000 address-group 1 track vrrp 2 ip address vrrp vrid 2 virtual-ip ) Enable stateful failover. # Log in to the Web interface, select High Reliability > Stateful Failover from the navigation tree, and perform the following settings on the page. Tests Display the VRRP group state on FW2 by using the display vrrp command. Result 1 is expected. Ping Host C on Host A. If FW1 is experiencing an active/standby failover, result 2 is expected. Ping Host C on Host B through FW2. If FW2 is experiencing an active/standby failover, result 2 is expected. Ping Host C on Host A. If FW1 changes from standby to active, result 2 is expected. When the traffic volume is small, telnet to Host C from Host A. When stateful failover occurs, result 3 is expected. Results Result 1 [FW-2]dis vrrp IPv4 Standby Information: Run Mode : Standard Run Method : Virtual MAC Total number of virtual routers : 2 Interface VRID State Run Adver Auth Virtual Pri Timer Type IP XGE0/ Backup None XGE0/ Master None [FW-1]dis vrrp IPv4 Standby Information: Run Mode : Standard Run Method : Virtual MAC Hangzhou H3C Technologies Co., Ltd. 17/18

18 Total number of virtual routers : 2 Interface VRID State Run Adver Auth Virtual Pri Timer Type IP XGE0/ Master None XGE0/ Backup None Result 2: No packet loss, or packet loss seldom occurs. Result 3: Traffic processing is not interrupted. References Stateful Failover Configuration in the Web configuration documentation set Copyright 2010 Hangzhou H3C Technologies Co., Ltd. All rights reserved. No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou H3C Technologies Co., Ltd. The information in this document is subject to change without notice. Hangzhou H3C Technologies Co., Ltd. 18/18