05 High Availability

The document discusses high availability (HA) features including working modes, HA terms, implementation, session backup, state transition diagrams, and synchronization. HA provides failover to ensure smooth communication and improve network reliability when communication lines or devices fail.

Chapter 5 High Availability

Reshape.Security
Embrace Cyber Resilience

© 2022 Hillstone Networks | All rights reserved.


Agenda

1 High Availability
2 Working Mode
3 HA Terms
4 HA Implementation (A/P)

2 | See. Understand. Act. © 2022 Hillstone Networks | All rights reserved.


1 High Availability



Single Point of Failure

Figure: single-path chain NGFW -> Core switch -> Server, with no redundant device or link.


Redundancy Technology

• Reliable System: AA/AP redundant deployment
• Reliable Board: Hardware bypass board card
• Reliable Hardware: System power redundancy; system fan redundancy
• Reliable Module: N+M control board redundancy; service card redundancy; switch board redundancy
• Reliable Software: In-Service Software Upgrade; dynamic resource allocation

Carrier-grade 99.999% high reliability
High Availability

• High Availability (HA) provides a fail-over solution for communication line or device failures, keeping communication uninterrupted and effectively improving the reliability of the network.

• To implement the HA function, you need to configure the two devices as an HA cluster with identical settings for the following: hardware platform, firmware version, licenses, VRouter, and the same set of functions enabled.



2 Working Mode



HA Working Mode



SCM HA (Redundancy in DCFW)

• Master
  - Handles ARP requests, SSH, Telnet, etc.

• Slave
  - Backup

• Master/Slave is determined by hardware HA election

Figure: DCFW chassis with two SCMs (Master and Slave), SSMs and IOMs.



Device HA A/P

Figure: two NGFWs (Master, labelled 192.168.10.254, and Backup) joined by an HA link serve the LAN 192.168.10.0/24 (gw 192.168.10.1) towards the Internet. Arrows: Access, Returned data, Downtime (traffic moves to the Backup when the Master is down).



State Transition Diagram



Session Backup

Figure: FW1 synchronizes its sessions to FW2. FW2 processes each received session as follows:

1. Local interface / zone lookup
2. Route lookup for the session
3. Policy rematch for the session
4. Install the session (tagged as peer session)
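The four backup-side steps above, as an added Python model written for this page (not Hillstone code): the backup does not blindly copy the master's session but re-derives ingress interface/zone and egress route from its own tables and rematches its own policy before installing the entry tagged as a peer session. The interface, route and policy tables and the client flow are constructed samples; the three backups show a matching configuration, a drifted policy and a missing default route, which is why the slides insist on identical configuration on both devices.

```python
"""Added model of how a backup firewall processes a session it receives from
the master: local interface/zone lookup, route lookup, policy rematch, then
installation tagged as a peer session. Illustration written for this page,
not Hillstone code; all tables below are constructed samples."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Session:
    src: str
    dst: str
    dport: int
    proto: str


@dataclass
class BackupFirewall:
    interfaces: Dict[str, str]                  # interface -> zone (constructed)
    routes: List[Tuple[str, str]]               # (destination network, egress interface)
    policies: List[Tuple[str, str, str, str]]   # (from zone, to zone, service, action), top-down
    table: Dict[Session, dict] = field(default_factory=dict)

    def lookup_route(self, addr: str) -> Optional[str]:
        """Step 2 (also used for the reverse lookup in step 1): longest-prefix match."""
        ip = ip_address(addr)
        best = None
        for net, iface in self.routes:
            n = ip_network(net)
            if ip in n and (best is None or n.prefixlen > best[0].prefixlen):
                best = (n, iface)
        return best[1] if best else None

    def ingress(self, s: Session) -> Optional[Tuple[str, str]]:
        """Step 1: the local interface (and its zone) the source is reached through."""
        iface = self.lookup_route(s.src)
        return (iface, self.interfaces[iface]) if iface else None

    def rematch_policy(self, from_zone: str, to_zone: str, s: Session) -> str:
        """Step 3: re-evaluate the backup's own policy set; first match wins,
        implicit deny otherwise. "any" is a wildcard."""
        service = f"{s.proto}/{s.dport}"
        for fz, tz, svc, action in self.policies:
            if fz in ("any", from_zone) and tz in ("any", to_zone) \
                    and svc in ("any", service):
                return action
        return "deny"

    def install_peer_session(self, s: Session) -> str:
        """Step 4: install the synced session tagged as a peer session, or
        report why it could not be installed on this device."""
        ingress = self.ingress(s)
        if ingress is None:
            return "no-ingress"
        in_if, from_zone = ingress
        out_if = self.lookup_route(s.dst)
        if out_if is None:
            return "no-route"
        to_zone = self.interfaces[out_if]
        if self.rematch_policy(from_zone, to_zone, s) != "permit":
            return "policy-denied"
        self.table[s] = {"in": in_if, "out": out_if, "tag": "peer"}
        return "installed"


def demo() -> Dict[str, str]:
    """Three constructed backups receiving the same synced session: one whose
    configuration matches the master, one whose policy drifted, one that lost
    its default route."""
    ifaces = {"ethernet0/1": "trust", "ethernet0/4": "untrust"}
    routes = [("192.168.10.0/24", "ethernet0/1"), ("200.0.0.0/24", "ethernet0/4"),
              ("0.0.0.0/0", "ethernet0/4")]
    s = Session("192.168.10.50", "203.0.113.7", 443, "tcp")   # constructed client flow
    synced = BackupFirewall(ifaces, routes, [("any", "any", "any", "permit")])
    drifted = BackupFirewall(ifaces, routes, [("trust", "untrust", "tcp/22", "permit")])
    no_default = BackupFirewall(ifaces, routes[:2], [("any", "any", "any", "permit")])
    return {"synced": synced.install_peer_session(s),
            "drifted": drifted.install_peer_session(s),
            "no_default_route": no_default.install_peer_session(s)}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Only the first backup installs the session; the other two silently lose it at rematch, so after a switchover those flows would have to be re-established by the clients. Checking that both devices carry the same policy and route set (and watching `show ha sync state all`, as the task slide suggests) is the operational counterpart of this check.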



Difference between Master and Backup Firewalls

Master                                                | Backup
------------------------------------------------------|------------------------------------------
Configures and manages the HA cluster                 | Local configuration only
Interfaces send and receive packets normally          | Can send and receive mgmt. packets only
ARP reply                                             | Can send and receive mgmt. packets only
Processes service traffic                             | Does not process service traffic
Service interfaces use the virtual MAC for communication | All interfaces use real MAC addresses



3 HA Terms



HA Terms
• HA Cluster
  - To external network devices, an HA cluster appears as a single device which handles network traffic and provides security services. The HA cluster is identified by its cluster ID. After an HA cluster ID is specified for the device, the device enters the HA state and implements the HA function.

• HA Group
  - The system selects the primary and backup device among the devices with the same HA group ID in an HA cluster according to the HCMP protocol and the HA configuration. The primary device is in the active state and processes network traffic. When the primary device fails, the backup device takes over its work.
  - When a cluster ID is assigned to the device, the HA group with ID 0 is created automatically. In Active-Passive (A/P) mode, the device only has HA group 0. In Active-Active (A/A) mode, the latest Hillstone version supports two HA groups, i.e., Group 0 and Group 1.

• HA Link Interface
  - Used for HA negotiation, configuration synchronization, status and failure notification, etc.



HA Terms

• Virtual MAC (VMAC)
  In the HA environment, each HA group has an interface to forward traffic, known as the Virtual Forward Interface. The primary device of each HA group manages a virtual MAC (VMAC) address that corresponds to its interface, and traffic is forwarded on that interface. Different HA groups in an HA cluster cannot forward data among each other. The VMAC address is derived from the HA base MAC, the HA cluster ID, the HA group ID and the physical interface index; its prefix is 001c.54ff.xxxx.

  Note: For CloudEdge, all interfaces use real MAC addresses, not VMACs.



HA Terms

• ID – Uniquely identifies the group.

• Priority – Specifies the priority of the HA device. The device with the higher priority (smaller number) is selected as the primary device.

• Hello interval – Specifies the interval between Hello messages.

• Hello threshold – Specifies the threshold value for Hello messages.

• Monitor track – Specifies the track object used to monitor the working status of the device.

• Preempt – Configures the preempt mode. When preempt mode is enabled, once the backup device finds that its own priority is higher than the primary device's, it upgrades itself to become the primary device and the original primary device becomes the backup device.



HA State Diagram

• Init
• Hello
• Backup
• Master
• Failed
• Standalone (non HA)

Figure: state transition diagram connecting Init, Hello, Backup, Master and Failed.



HA Synchronization
• To ensure the backup device can take over the work of the master device when it fails, the master device synchronizes its information to the backup device. There are 3 types of information that can be synchronized: configuration information, files and RDO (Runtime Dynamic Object).

• RDO includes:
  • Session information
  • PKI information
  • IPSec VPN information
  • SCVPN information
  • DHCP information
  • DNS cache mappings
  • MAC table
  • ARP table
  • WebAuth information



HA Switchover

• The situations that cause a switchover include:
  - Preempt
  - Track failed
  - Master device reboot
  - High-end device SSM/IOM plug-out or reboot

• The HA failure switchover mechanism assures network availability and avoids network interruption caused by a single point of failure.
  - The original master device brings its physical interfaces down and up, which forces the peripheral switches to clear their MAC forwarding tables;
  - The new master device sends gratuitous ARP (GARP) to refresh the MAC tables of the peripheral switches and steer traffic to itself.



Device HA A/P Switchover

Use track to monitor HA

Figure: client 192.168.1.10 - sw1 - fw1 / fw2 - sw2 - server 200.1.1.10. On both firewalls e0/1 carries 192.168.1.100 with VMAC 001c:54ff:0001 and e0/3 carries 200.1.1.100 with VMAC 001c:54ff:0003; the HA link is e0/2 (fw1 10.1.1.1, fw2 10.1.1.2). Labels: M = master, B = backup, F = failed, GARP arrows from the new master.

1. E0/1 down, track failed
2. FW1 changes state to Failed
3. FW1 brings e0/1 and e0/3 down and up
4. FW2 changes state to Master
5. VMAC and VIP switch to FW2
6. FW2 sends GARP from e0/1 and e0/3
7. Traffic is forwarded by FW2
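The seven steps above, together with the HA group parameters (priority, monitor track, preempt) and the state diagram from the earlier slides, as an added Python model written for this page (not Hillstone's HCMP implementation): two firewalls with a shared track object, election by lowest priority number, a Failed state driven by the track, the interface flap of the failed master, and VMAC/VIP movement plus GARP from the new master. The track threshold of 255 is an assumption; the names, priorities and weights come from the slides or are constructed. The second run shows why the configuration slide warns against preempt: with it enabled the recovered device takes the role back, causing a second switchover.

```python
"""Added two-node A/P HA model that reproduces the switchover sequence on the
slide: interface down -> track failed -> Failed state -> interface flap ->
peer elected Master -> VMAC/VIP move -> GARP -> traffic on the new master.
Illustration written for this page, not Hillstone's HCMP; the track threshold
is an assumption and names, priorities and weights are the slide's or
constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

TRACK_THRESHOLD = 255   # assumption: track fails once failed-member weight reaches this


@dataclass
class Track:
    name: str
    members: Dict[str, int]          # monitored interface -> weight

    def failed(self, links: Dict[str, bool]) -> bool:
        down = sum(w for i, w in self.members.items() if not links.get(i, True))
        return down >= TRACK_THRESHOLD


@dataclass
class Firewall:
    name: str
    priority: int                    # smaller number wins the election
    track: Track
    service_ifs: List[str]           # interfaces carrying the VIP/VMAC
    preempt: bool = False
    state: str = "Init"
    links: Dict[str, bool] = field(default_factory=dict)   # interface -> up?


@dataclass
class HaGroup:
    fw1: Firewall
    fw2: Firewall
    master: Optional[Firewall] = None
    events: List[str] = field(default_factory=list)

    def elect(self) -> None:
        """Hello exchange: the lowest priority number among non-Failed members
        becomes Master. A better-priority device only displaces a healthy
        Master when its preempt mode is enabled."""
        candidates = [f for f in (self.fw1, self.fw2) if f.state != "Failed"]
        if not candidates:
            self.master = None
            return
        winner = min(candidates, key=lambda f: f.priority)
        if self.master in candidates and winner is not self.master and not winner.preempt:
            winner = self.master
        for f in candidates:
            f.state = "Master" if f is winner else "Backup"
        if winner is not self.master:
            self.events.append(f"{winner.name} state Master")
            self.events.append(f"VMAC/VIP move to {winner.name}")
            self.events.append(f"{winner.name} GARP from {', '.join(winner.service_ifs)}")
        self.master = winner

    def link_event(self, fw: Firewall, iface: str, up: bool) -> None:
        """Apply a link change and let the track object drive the state machine."""
        fw.links[iface] = up
        self.events.append(f"{fw.name} {iface} {'up' if up else 'down'}")
        track_failed = fw.track.failed(fw.links)
        if track_failed and fw.state != "Failed":
            self.events.append(f"{fw.name} track {fw.track.name} failed")
            fw.state = "Failed"
            # the failed master flaps its service interfaces so the adjacent
            # switches drop the VMAC entries that still point at it
            for i in fw.service_ifs:
                self.events.append(f"{fw.name} {i} down/up (switch MAC table flush)")
            self.elect()
        elif not track_failed and fw.state == "Failed":
            self.events.append(f"{fw.name} track {fw.track.name} recovered")
            fw.state = "Hello"
            self.elect()

    def forwarder(self) -> Optional[str]:
        """The device that currently owns the VMAC/VIP and forwards service traffic."""
        return self.master.name if self.master else None


def run(fw1_preempt: bool = False) -> Tuple[List[str], Tuple[str, str, str]]:
    """Constructed scenario from the slide: fw1 (priority 50) is Master, its e0/1
    fails, fw2 (priority 100) takes over, then e0/1 recovers. Whether fw1 takes
    the role back depends on its preempt setting."""
    trk = Track("trackobj1", {"e0/1": 255})
    fw1 = Firewall("fw1", 50, trk, ["e0/1", "e0/3"], preempt=fw1_preempt)
    fw2 = Firewall("fw2", 100, trk, ["e0/1", "e0/3"])
    grp = HaGroup(fw1, fw2)
    grp.elect()
    before = grp.forwarder()
    grp.link_event(fw1, "e0/1", up=False)
    during = grp.forwarder()
    grp.link_event(fw1, "e0/1", up=True)
    after = grp.forwarder()
    return grp.events, (before, during, after)


if __name__ == "__main__":
    events, owners = run()
    print("\n".join(events))
    print("forwarder before/during/after:", owners)
```

Without preempt the forwarder sequence is fw1, fw2, fw2: the recovered fw1 rejoins as Backup and there is a single switchover. With `run(fw1_preempt=True)` it is fw1, fw2, fw1, i.e. two MAC-table flushes and two GARP bursts for one link flap, which is the "switching back and forth" the configuration slide advises against.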



4 HA Implementation(A/P)



Implementation Topology (A/P)

Figure: Master and Backup firewalls. On each device e0/1 (192.168.10.1) faces the LAN 192.168.10.0/24 (gw 192.168.10.1) and e0/4 (200.0.0.10) faces the Internet through GW 200.0.0.254; e0/2 and e0/3 on both devices form the HA Link. Arrows: Access, Return data, Downtime.



Configuration Steps

• To configure HA in A/P mode, follow the steps below:

  1. Configure the FW basic functions
  2. Configure the HA track object
  3. Configure the HA group
     ‒ Specify the device priority (for selection)
     ‒ Specify the HA packet-related parameters
  4. Configure the HA link
     ‒ Specify the HA link interface first, and then specify the IP address of the interface. The HA link interface is used for device synchronization and HA packet transmission.
  5. Configure an HA cluster
     ‒ Specify the ID of the HA cluster
     ‒ Enable the device HA function
Configuration example (Master)

# Basic function configuration
interface ethernet0/4
  zone untrust
  ip address 200.0.0.10/24
exit
interface ethernet0/1
  zone trust
  ip address 192.168.10.1/24
exit
policy-global
  rule from any to any service any permit
exit
ip vrouter trust-vr
  ip route 0.0.0.0/0 200.0.0.254
  snatrule from any to any service any eif e0/4 trans-to eif-ip mode dynamicport
exit

# track configuration
track trackobj1
  interface ethernet0/1 weight 255
  interface ethernet0/2 weight 255
exit

# HA configuration
# HA group
ha group 0
  priority 50              # The default priority is 100
  preempt                  # Try not to use preemption in the actual environment,
                           # to avoid switching back and forth
  monitor track trackobj1
exit

# HA link
ha link interface ethernet0/2
ha link interface ethernet0/3
ha link ip 1.1.1.1/30

# HA cluster
ha cluster 1 node 0

# Management IP configuration
interface ethernet0/1
  manage ip 192.168.10.251
  manage https
  manage ping
exit


Configuration example (Backup)

# Management IP configuration
interface ethernet0/1
  manage ip 192.168.10.252
  manage https
  manage ping
exit

# HA configuration
# HA group
ha group 0
  priority 100
  monitor track trackobj1
exit

# HA link
ha link interface ethernet0/2
ha link interface ethernet0/3
ha link ip 1.1.1.2/30

# HA cluster
ha cluster 1 node 1


Task 8: HA Internet

Figure (labels recovered from the diagram):
- Internet01 on the 2xx.0.0.0/24 segment, addresses .1 and .10, connected via E0/4
- Core_Firewall01 and Core_Firewall02, HA link E0/6 <-> E0/6 on 1.1.1.0/30 (.1 and .2)
- E0/1 (.1) towards the Office network 192.168.40.0/24
- PC1 192.168.40.10
Requirements:
• Two firewalls, Core_Firewall01 and Core_Firewall02, are set up in HA Active-Passive (AP) mode in the core area of the enterprise network. After the configuration is completed, Core_Firewall01 is elected as the master device, while Core_Firewall02 serves as the backup device. The master device Core_Firewall01 handles traffic forwarding and synchronizes configuration information and status data to the backup device Core_Firewall02. If the master device Core_Firewall01 fails such that it cannot forward traffic properly, the backup device seamlessly switches to the master role without affecting user communication and continues forwarding the traffic.
  - During the practical implementation of this task, it is essential to keep the model, version, and licenses of the two core area firewall devices consistent. Monitor the firewall state switchover, session synchronization information, and MAC address changes after successful HA negotiation.
  - To check the current HA status, use the following command:
    - show ha group 0
  - To view the HA link status, use the following command:
    - show ha link status
  - To check the HA configuration synchronization status, use the following command:
    - show ha sync state all



+1 408 508 6750
[email protected]
5201 Great America Pkwy, #420
Santa Clara, CA 95054
www.hillstonenet.com
