
Internal

ODF010002 Eudemon Basic Principle
ISSUE 1.0

HUAWEI TECHNOLOGIES CO., LTD.

www.huawei.com

All rights reserved

These slides give an in-depth knowledge of the Eudemon series firewall products, covering the different types of network attacks, ACL, ASPF, blacklist, MAC and IP binding, port mapping, NAT, NAPT, ALG principles, IDS, HWTACACS, HRP etc.

HUAWEI TECHNOLOGIES CO., LTD.

All rights reserved

Page 2

References
Eudemon Series Firewall Operation Manual
Eudemon Series Firewall Command Manual


Upon completion of this course, you will be able to:
be familiar with the specifics of Eudemon series equipment
grasp the simple configuration rules of Eudemon firewalls
know the typical network applications of Eudemon


Chapter 1 Product Introduction


Chapter 2 Network Attacks
Chapter 3 Security Policy
Chapter 4 HWTACACS and HRP


Eudemon Series Equipment

Eudemon 1000

Eudemon 500
Eudemon 200
Eudemon 100

Performance
Model: Throughput / Number of concurrent connections / Number of new connections per second / Interface
Eudemon 100: 100Mbps / 200,000 / 5,000 per second / 2 fixed FE, 4 extension slots, maximum 4 FE
Eudemon 200: 400Mbps / 500,000 / 20,000 per second / 2 fixed FE, 4 extension slots (1FE/2FE/1GE/2GE/IPSEC)
Eudemon 500: 2Gbps / 500,000 / 100,000 per second / 2 fixed FE, 2 extension slots (1GE/2GE/8FE/4FE/2FE/IPSEC)
Eudemon 1000: 3Gbps / 800,000 / 100,000 per second / 2 fixed FE, 2 extension slots (1GE/2GE/8FE/4FE/2FE/IPSEC)


Eudemon 200 interface modules
Interface module name / Full name / Remarks
Ethernet interface modules:
1FE: 1-port 10Base-TX/100Base-TX low-speed Ethernet electrical interface (FIC); also available on Eudemon 100
2FE: 2-port 10Base-TX/100Base-TX low-speed Ethernet electrical interface (FIC); also available on Eudemon 100
1GE: 1-port low-speed Gigabit Ethernet interface module; not recommended for use on Eudemon 500/1000
2GE: 2-port low-speed Gigabit Ethernet interface module; not recommended for use on Eudemon 500/1000
Multifunctional interface modules:
IPSEC: IP security encryption processing module

Eudemon 500/1000 interface modules
Interface module name / Full name / Remark
Ethernet interface modules:
2/4/8FE: 2/4/8-port 10Base-T/100Base-TX high-speed Ethernet electrical interface module (HIC); only available on high-speed slot
2/4/8FE: 2/4/8-port 100M Ethernet optical interface module (HIC); only available on high-speed slot
1GE: 1-port high-speed GB Ethernet interface module; only available on high-speed slot, to be configured with one more SFP module
2GE: 2-port high-speed GB Ethernet interface module; only available on high-speed slot, to be configured with two more SFP modules
Multifunctional interface modules:
IPSEC: IP security encryption processing module; only available on low-speed slot

Eudemon 200: dual PCI design
[Diagram: the CPU drives two PCI buses (PCI-0 and PCI-1), each with its own transmit/receive path to a SIC slot (SIC1, SIC2) through the HS int Switch; the dual PCI design reduces PCI conflicts.]
This design guarantees high packet-forwarding performance even with 64-byte packets, and the ACL acceleration technology keeps the same efficiency regardless of the number of ACL rules.

Eudemon 500/1000: NP inside
Eudemon 500/1000 is built on the 5th generation router technology platform.
[Diagram: CPU and logic; the NP performs high-speed switching and forwarding; intelligent interfaces and high-speed interfaces attach over a 2G PCI shared data bus and a 2G D_bus switch bus.]
All modules are designed around the NP, with carrier-class reliability.
The first packet of a TCP or UDP flow is processed by the NP, which guarantees more than 100,000 new connections per second and more security. NP forwarding lets Eudemon 500 and Eudemon 1000 process 64-byte packets at 1G and 2G respectively.

Chapter 1 Product Introduction


Chapter 2 Network Attacks
Chapter 3 Security Policy
Chapter 4 HWTACACS and HRP


Types of Attack
Single-packet attack

Fraggle
Ip spoof
Land
Smurf
Tcp flag
Winnuke
ip-fragment


Types of Attack
Fragment packet attack

Tear Drop
Ping of death
DoS attack

SYN Flood
UDP Flood & ICMP Flood
Scan attack

IP sweep
Port scan


Principle of and defense against single-packet attacks
Fraggle
Feature: UDP packet, destination port 7 (echo) or 19 (Character Generator).
Purpose: the echo service sends back the packets it receives on that port, and the Character Generator service replies with an invalid character string. The attacker, spoofing the victim's address, sends requests to the above ports with a broadcast destination address, so that the victim is flooded by the widespread response packets. If both the source and destination addresses are broadcast addresses, the network bandwidth will be fully seized.
Configuration: firewall defend fraggle enable
Prevention: filter UDP packets whose destination port number is 7 or 19.


Principle of and defense against single-packet attacks (cont.)
IP Spoof
Feature: address spoofing.
Purpose: spoof an IP address to transmit packets.
Configuration: firewall defend ip-spoofing enable
Prevention: look up the source address in the routing table and discard the packet if its ingress interface is not the egress interface for that address.


Principle of and defense against single-packet attacks (cont.)
Land
Feature: both the source and destination addresses are the IP address of the victim, or the source address is in the 127 network segment.
Purpose: make the attacked equipment send response packets to itself. This is also used in the SYN flood attack.
Configuration: firewall defend land enable
Prevention: discard the packets with the above feature.


Principle of and defense against single-packet attacks (cont.)
Smurf
Feature: spoof the victim's IP address to send ping echo requests to a broadcast address.
Purpose: cause the victim to be flooded by responses from hosts on the network.
Configuration: firewall defend smurf enable
Prevention: discard the packets whose destination address is a broadcast address.


Principle of and defense against single-packet attacks (cont.)
TCP flag
Feature: the settable flags of the packet are set in a conflicting way, for example SYN, FIN and RST set at the same time.
Purpose: cause the attacked host to stop responding because of a processing error.
Configuration: firewall defend tcp-flag enable
Prevention: discard the packets with the above feature.


Principle of and defense against single-packet attacks (cont.)
Winnuke
Feature: IGMP packets are marked as fragmented, or packets to port 139 are marked with URG.
Purpose: cause the attacked equipment to stop responding because of improper processing.
Configuration: firewall defend winnuke enable
Prevention: discard the packets with the above feature.


Principle of and defense against single-packet attacks (cont.)
Ip-fragment
Feature: the DF and MF flags are set at the same time, or the sum of the offset value plus the packet length exceeds 65535.
Purpose: cause the attacked equipment to stop responding because of improper processing.
Configuration: firewall defend ip-fragment enable
Prevention: discard the packets with the above feature.
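The six single-packet signatures above (Fraggle, Land, Smurf, TCP flag, Winnuke, ip-fragment) written as one classifier over a constructed packet model, so each slide's "feature" becomes a concrete header test. This is an added example, not Eudemon code; the packet fields, the simplified broadcast test and the reading of "conflicting" TCP flags as SYN combined with FIN or RST are assumptions.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

# Constructed packet model (an assumption, not the Eudemon data structure):
# only the header fields the single-packet signatures on these slides look at.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                               # "tcp", "udp", "icmp" or "igmp"
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()  # e.g. {"SYN", "FIN", "RST", "URG"}
    icmp_type: Optional[int] = None          # 8 = echo request (ping)
    df: bool = False                         # Don't Fragment flag
    mf: bool = False                         # More Fragments flag
    frag_offset: int = 0                     # fragment offset in bytes
    length: int = 0                          # total length of this IP packet

def is_broadcast(addr: str) -> bool:
    # Simplified assumption: limited broadcast or a /24 directed broadcast.
    return addr == "255.255.255.255" or addr.endswith(".255")

def fraggle(p: Packet) -> bool:
    # UDP to echo (7) or chargen (19); the slide's prevention filters on port alone.
    return p.proto == "udp" and p.dport in (7, 19)

def land(p: Packet) -> bool:
    # Source equals destination, or source lies in the 127 network segment.
    return p.src == p.dst or p.src.startswith("127.")

def smurf(p: Packet) -> bool:
    # ICMP echo request aimed at a broadcast address.
    return p.proto == "icmp" and p.icmp_type == 8 and is_broadcast(p.dst)

def tcp_flag(p: Packet) -> bool:
    # Conflicting flag combinations; the slide's example is SYN+FIN+RST at once.
    # Assumption: SYN together with FIN or RST is treated as conflicting.
    f = p.tcp_flags
    return p.proto == "tcp" and "SYN" in f and ("FIN" in f or "RST" in f)

def winnuke(p: Packet) -> bool:
    fragmented = p.mf or p.frag_offset > 0
    igmp_frag = p.proto == "igmp" and fragmented
    urg_139 = p.proto == "tcp" and p.dport == 139 and "URG" in p.tcp_flags
    return igmp_frag or urg_139

def ip_fragment(p: Packet) -> bool:
    # DF and MF set together, or offset plus length running past 65535.
    return (p.df and p.mf) or (p.frag_offset + p.length > 65535)

CHECKS = [("fraggle", fraggle), ("land", land), ("smurf", smurf),
          ("tcp-flag", tcp_flag), ("winnuke", winnuke), ("ip-fragment", ip_fragment)]

def classify(p: Packet) -> List[str]:
    """Names of the 'firewall defend ... enable' checks the packet trips; [] = pass."""
    return [name for name, check in CHECKS if check(p)]

# Constructed sample packets: one per signature plus a normal SYN.
SAMPLES = {
    "normal":      Packet("10.1.1.5", "10.2.2.8", "tcp", 80, frozenset({"SYN"})),
    "fraggle":     Packet("10.1.1.5", "10.2.2.255", "udp", 7),
    "land":        Packet("10.2.2.8", "10.2.2.8", "tcp", 80, frozenset({"SYN"})),
    "smurf":       Packet("10.2.2.8", "10.2.2.255", "icmp", icmp_type=8),
    "tcp-flag":    Packet("10.1.1.5", "10.2.2.8", "tcp", 80, frozenset({"SYN", "FIN", "RST"})),
    "winnuke":     Packet("10.1.1.5", "10.2.2.8", "tcp", 139, frozenset({"ACK", "URG"})),
    "ip-fragment": Packet("10.1.1.5", "10.2.2.8", "udp", 53, df=True, mf=True, length=1500),
}

if __name__ == "__main__":
    for label, pkt in SAMPLES.items():
        print(f"{label:12s} -> {classify(pkt) or 'pass'}")
```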


Principle of and defense against fragmented-packet attacks
Tear drop
Feature: overlapping fragment packets.
Purpose: cause the attacked equipment to stop responding because of improper processing, or let the packet get around the firewall, through reassembly, to access an internal port.
Configuration: firewall defend teardrop enable
Prevention: the firewall establishes a data structure for fragment packets and records the offset values of the fragments that pass the firewall, so that a packet is discarded upon overlapping.
[Diagram: teardrop versus normal fragmentation of a ping. Teardrop: fragment 1 = IP header 20 + PING header 8 + DATA 1472, flag MF, offset 0; fragment 2 = IP header 20 + remainder, flag Last Fragment, offset 500 (overlapping fragment 1). Normal: fragment 1 as above; fragment 2 = IP header 20 + remainder, flag Last Fragment, offset 1480.]


Principle of and defense against fragmented-packet attacks (cont.)
Ping of death
Feature: the entire ping packet is longer than 65535 bytes.
Purpose: cause the attacked equipment to stop responding because of improper processing.
Configuration: firewall defend ping-of-death enable
Prevention: check the packet length. If the sum of the offset value of the last fragment plus its length exceeds 65535, the fragment is discarded.
[Diagram: fragment sequence of an oversized ping: IP 20 + PING 8 + DATA 1472, flag MF, offset 0; IP 20 + DATA 1480, MF, offset 1480; IP 20 + DATA 1480, MF, offset 2960; IP 20 + DATA 1480, MF, offset 4440; ... IP 20 + DATA 1480, MF, offset 65120; IP 20 + DATA 568, flag Last Fragment, offset 66600.]
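The two fragment checks described on the teardrop and ping-of-death slides, as an added example (not Eudemon code): a per-datagram record of accepted byte ranges that drops an overlapping fragment, plus the offset-plus-length test against 65535, which is applied to every fragment rather than only the last one, so the oversized fragment is caught as soon as it arrives. The fragment model and the sample sequences built from the slide diagrams are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

MAX_DATAGRAM = 65535  # largest IP datagram; the slides' check compares against it

# Constructed fragment model (an assumption, not the Eudemon data structure).
@dataclass(frozen=True)
class Fragment:
    ident: int      # IP identification shared by all fragments of one datagram
    offset: int     # fragment offset in bytes, as quoted on the slides
    length: int     # payload length of this fragment (IP header excluded)
    mf: bool        # More Fragments flag; False marks the last fragment

class FragmentGuard:
    """Records the byte ranges of fragments already passed, per datagram id."""

    def __init__(self) -> None:
        self.ranges: Dict[int, List[Tuple[int, int]]] = {}

    def check(self, frag: Fragment) -> str:
        # Ping of death: offset plus length would run past 65535.
        if frag.offset + frag.length > MAX_DATAGRAM:
            return "drop:ping-of-death"
        start, end = frag.offset, frag.offset + frag.length
        seen = self.ranges.setdefault(frag.ident, [])
        # Teardrop: the new fragment overlaps a range already recorded.
        for s, e in seen:
            if start < e and s < end:
                return "drop:teardrop"
        seen.append((start, end))
        # Entries are kept until reassembly completes or a timer expires;
        # both are omitted from this example.
        return "pass"

def run(frags: List[Fragment]) -> List[str]:
    """Verdict per fragment, in arrival order, for one constructed sequence."""
    guard = FragmentGuard()
    return [guard.check(f) for f in frags]

# Constructed from the slide diagrams: 20-byte IP header, 8-byte ICMP header
# and 1472 bytes of data in the first fragment, 1480-byte payloads afterwards.
NORMAL = [Fragment(1, 0, 1480, True), Fragment(1, 1480, 1480, False)]
TEARDROP = [Fragment(2, 0, 1480, True), Fragment(2, 500, 1480, False)]
PING_OF_DEATH = (
    [Fragment(3, off, 1480, True) for off in (0, 1480, 2960, 4440)]
    + [Fragment(3, 65120, 1480, True), Fragment(3, 66600, 568, False)]
)

if __name__ == "__main__":
    for name, frags in (("normal", NORMAL), ("teardrop", TEARDROP),
                        ("ping-of-death", PING_OF_DEATH)):
        print(name, run(frags))
```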


Principle of and defense against DoS attacks
SYN Flood
Feature: send abundant TCP connection requests to the victim host.
Purpose: use up all processing capability of the attacked equipment so that it cannot respond normally to the requests of legitimate users.
Configuration:
statistic enable ip inzone
firewall defend syn-flood [ ip X.X.X.X | zone zonename] [max-number num] [maxrate num] [ tcp-proxy auto|on|off]
firewall defend syn-flood enable
Prevention: based on destination-address statistics, the firewall acts as an agent (TCP proxy) for the protected host and replies to the connection requests received for each IP address. Upon receipt of the ACK packet from the request sender, the firewall deems the connection valid; otherwise, it deletes the session.


Principle of and defense against DoS attacks (cont.)
UDP/ICMP Flood
Feature: abundant UDP/ICMP packets are sent to the victim host.
Purpose: use up all processing capability of the attacked equipment.
Configuration:
statistic enable ip inzone
firewall defend udp/icmp-flood [ ip X.X.X.X | zone zonename] [maxrate num]
firewall defend udp/icmp-flood enable
Prevention: the firewall measures, by destination address, the rate of packets sent to each IP address, and performs CAR (committed access rate) if the rate exceeds the preset upper threshold.
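A per-destination model of the two DoS defenses above, covering both the SYN flood and the UDP/ICMP flood slides: half-open accounting with a max-number cap and a max-rate cap, and a per-second packet cap standing in for CAR. This is an added example, not Eudemon code; the one-second window, the SYN timeout and the plain drop verdicts are assumptions (the device may hand excess SYNs to the TCP proxy instead of dropping them).

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

class SynFloodGuard:
    """Per-destination half-open accounting, the counters the slides attach to
    'statistic enable ip inzone' and 'firewall defend syn-flood'."""

    def __init__(self, max_number: int, max_rate: int, syn_timeout: float = 3.0):
        self.max_number = max_number    # cap on concurrent half-open connections
        self.max_rate = max_rate        # cap on new half-open connections per second
        self.syn_timeout = syn_timeout  # assumption: how long an unanswered SYN counts
        self.half_open: Dict[str, Dict[Tuple[str, int], float]] = defaultdict(dict)
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)

    def _expire(self, dst: str, now: float) -> None:
        table = self.half_open[dst]
        for key in [k for k, t in table.items() if now - t > self.syn_timeout]:
            del table[key]
        q = self.recent[dst]
        while q and now - q[0] >= 1.0:
            q.popleft()

    def on_syn(self, src: str, sport: int, dst: str, now: float) -> str:
        self._expire(dst, now)
        if len(self.half_open[dst]) >= self.max_number:
            return "drop:max-number"
        if len(self.recent[dst]) >= self.max_rate:
            return "drop:max-rate"
        self.recent[dst].append(now)
        self.half_open[dst][(src, sport)] = now
        return "pass"

    def on_ack(self, src: str, sport: int, dst: str) -> None:
        # Third handshake packet: the connection is no longer half-open.
        self.half_open[dst].pop((src, sport), None)

class FloodRateGuard:
    """Per-destination rate limit for UDP/ICMP floods: packets above max-rate
    per second are dropped (a simple stand-in for the slide's CAR)."""

    def __init__(self, max_rate: int):
        self.max_rate = max_rate
        self.recent: Dict[str, Deque[float]] = defaultdict(deque)

    def on_packet(self, dst: str, now: float) -> str:
        q = self.recent[dst]
        while q and now - q[0] >= 1.0:
            q.popleft()
        if len(q) >= self.max_rate:
            return "drop:car"
        q.append(now)
        return "pass"

def syn_flood_demo() -> List[str]:
    # Constructed: spoofed sources never finish the handshake, then one does,
    # which frees a slot for a later client.
    g = SynFloodGuard(max_number=3, max_rate=10)
    out = [g.on_syn(f"10.9.9.{i}", 4000 + i, "10.2.2.8", 0.1 * i) for i in range(4)]
    g.on_ack("10.9.9.0", 4000, "10.2.2.8")
    out.append(g.on_syn("10.1.1.5", 5000, "10.2.2.8", 0.5))
    return out

def flood_rate_demo() -> List[str]:
    # Constructed: seven UDP packets to one host inside 70 ms with max-rate 5.
    g = FloodRateGuard(max_rate=5)
    return [g.on_packet("10.2.2.8", 0.01 * i) for i in range(7)]

if __name__ == "__main__":
    print(syn_flood_demo(), flood_rate_demo())
```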


Principle of and defense against scan attacks
IP sweep
Feature: address scanning; packets from one fixed source address are sent to destination addresses that change frequently within a segment.
Purpose: find out whether there are active hosts and what type they are, in preparation for a subsequent attack.
Configuration:
statistic enable ip outzone
firewall defend ip-sweep [ max-rate num ] [blacklist-timeout num]
Prevention: the firewall keeps statistics based on the source addresses of packets. If the external connection rate of an IP address exceeds the preset upper threshold, the firewall adds the IP address to the blacklist for isolation.
Note: to enable the blacklist isolation function, enable the blacklist first.

Principle of and defense against scan attacks (cont.)
Port scan
Feature: connection requests are sent to different ports of the same IP address.
Purpose: determine the open services of the scanned host in preparation for a subsequent attack.
Configuration:
statistic enable ip outzone
firewall defend port-scan [max-rate num] [blacklist-timeout num]
Prevention: the firewall keeps statistics based on the source addresses of packets. If an IP address sends connection requests to another IP address at a rate higher than the preset upper threshold, it is added to the blacklist for isolation.
Note: to enable the blacklist isolation function, enable the blacklist first.
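Source-based detection for both scan slides above (IP sweep and port scan) with the blacklist isolation they depend on, as an added example that is not Eudemon code. It assumes the rate is measured as distinct targets per one-second window (distinct destination addresses for ip-sweep, distinct address/port pairs for port-scan) and that a blacklisted source is dropped until blacklist-timeout elapses; the sample traffic is constructed.

```python
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple

class ScanGuard:
    """Source-based scan statistics ('statistic enable ip outzone') with the
    blacklist isolation the ip-sweep and port-scan defenses rely on."""

    def __init__(self, max_rate: int, blacklist_timeout: float, window: float = 1.0):
        self.max_rate = max_rate                 # distinct targets allowed per window
        self.blacklist_timeout = blacklist_timeout
        self.window = window
        # src -> recent (time, destination address) pairs, for ip-sweep
        self.hosts: Dict[str, Deque[Tuple[float, str]]] = defaultdict(deque)
        # src -> recent (time, (destination address, port)) pairs, for port-scan
        self.ports: Dict[str, Deque[Tuple[float, Tuple[str, int]]]] = defaultdict(deque)
        self.blacklist: Dict[str, float] = {}    # src -> time the entry expires

    def _trim(self, q: Deque, now: float) -> None:
        while q and now - q[0][0] > self.window:
            q.popleft()

    def on_connection(self, src: str, dst: str, dport: int, now: float) -> str:
        expiry = self.blacklist.get(src)
        if expiry is not None:
            if now < expiry:
                return "drop:blacklisted"
            del self.blacklist[src]              # blacklist-timeout has elapsed
        for table, key, name in ((self.hosts, dst, "ip-sweep"),
                                 (self.ports, (dst, dport), "port-scan")):
            q = table[src]
            self._trim(q, now)
            q.append((now, key))
            # Assumption: the rate is counted as distinct targets per window.
            if len({k for _, k in q}) > self.max_rate:
                self.blacklist[src] = now + self.blacklist_timeout
                q.clear()
                return f"blacklist:{name}"
        return "pass"

def sweep_demo() -> List[str]:
    # Constructed: one source probes port 80 on successive hosts in 10.2.2.0/24,
    # then tries again after the blacklist timeout has passed.
    g = ScanGuard(max_rate=3, blacklist_timeout=30.0)
    out = [g.on_connection("10.9.9.9", f"10.2.2.{i}", 80, 0.1 * i) for i in range(1, 6)]
    out.append(g.on_connection("10.9.9.9", "10.2.2.1", 80, 31.0))
    return out

def port_scan_demo() -> List[str]:
    # Constructed: one source walks ports on a single host.
    g = ScanGuard(max_rate=3, blacklist_timeout=30.0)
    return [g.on_connection("10.9.9.9", "10.2.2.8", p, 0.1 * p) for p in (21, 22, 23, 25, 80)]

if __name__ == "__main__":
    print(sweep_demo(), port_scan_demo())
```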

Chapter 1 Product Introduction


Chapter 2 Network Attacks
Chapter 3 Security Policy
Chapter 4 HWTACACS and HRP


ACL
A firewall must be able to control the network data stream in order to enforce network security, QoS requirements and various policies. An Access Control List (ACL) is one of the methods used to control the data stream.
An ACL is an ordered series of rules composed of permit or deny statements, each described by information such as source address, destination address, port number and upper-layer protocol.
ACL number ranges:
2000-2999: Basic ACL
3000-3999: Advanced ACL
4000-4099: MAC address-based ACL (for Eudemon 100/200)
5000-5499: firewall ACL (for Eudemon 500/1000)


ASPF
Application Specific Packet Filter (ASPF) is a packet filter for the application layer, that is, a status-based (stateful) packet filter, which cooperates with the common static firewall to implement the security policy of the internal network. ASPF can inspect application-layer protocol sessions to prevent unmatched data packets from passing the firewall.
At present, for Eudemon 100/200, ASPF supports packet inspection for the following protocols: FTP, H.323, HTTP, HWCC, ILS, MSN, QQ, RTSP, SIP, SMTP and user-defined.
For Eudemon 500/1000, ASPF supports packet inspection for the following protocols: FTP, H.323, HTTP, HWCC, MSN, NetBIOS, P2P, QQ, RTSP and user-defined.


Blacklist
[Diagram: PC Z in the trust zone (10.100.10.0/24) connects to the Eudemon via Ethernet 0/0/0 (10.100.10.1/24); PC X in the untrust zone is reached via interface 1/0/0 (202.38.10.1/24).]
PC Z can be put into the blacklist manually; it is also put into the blacklist immediately if it matches port-scan detection against PC X or fails to telnet to the firewall three times.


MAC and IP address binding
[Diagram: same topology as the blacklist slide: PC Z in the trust zone (10.100.10.0/24) behind Ethernet 0/0/0 (10.100.10.1/24); PC X in the untrust zone behind interface 1/0/0 (202.38.10.1/24). MAC and IP binding is enabled for PC Z.]
Only a PC Z whose MAC and IP addresses match the binding configured on the firewall can reach PC X.


Port Mapping
Application-layer protocols usually communicate on well-known port numbers. Port identification (port mapping) allows a client to define a group of new port numbers, besides the system-defined port number, for various applications, and also provides mechanisms to maintain and use the user-defined port configuration information.
[Diagram: enterprise internal network behind the Eudemon (129.38.1.5), with an FTP server at 129.38.1.1 and a WWW server at 129.38.1.3; on the WAN side, network segments 210.78.245.0 and 220.78.30.0 and hosts 202.38.160.1 and 202.39.2.3.]
Packets to 129.38.1.1 carrying port number 80 are treated as FTP packets; packets to 129.38.1.3 carrying port number 5678 are treated as HTTP packets.

NAT
[Diagram: PC 192.168.1.3 and server 192.168.1.2 in the trust zone behind Eudemon interface e0/0/0 (192.168.1.1); the untrust side s0/0/0 (202.169.10.1) connects to the Internet, where server 202.120.10.2 and PC 202.130.10.3 reside.]
Data packet 1 (outbound): source 192.168.1.3, destination 202.120.10.2 is translated to source 202.169.10.1, destination 202.120.10.2.
Data packet 2 (return): source 202.120.10.2, destination 202.169.10.1 is translated back to source 202.120.10.2, destination 192.168.1.3.

NAT on Eudemon
Zone is a concept introduced in firewall equipment and is the main feature differentiating a firewall from a router. A zone is a combination of one or more interfaces with a security level.
When a connection request is initiated from a trust zone to an untrust zone or DMZ zone on a firewall device, the NAT server checks the data packet to determine whether to perform address translation, which is implemented at the egress of the IP layer. At the ingress, NAT restores the destination address from the public address to the private address.


NAPT
[Diagram: same topology as the NAT slide: PC 192.168.1.3 and server 192.168.1.2 in the trust zone behind e0/0/0 (192.168.1.1); untrust side s0/0/0 (202.169.10.1) toward the Internet, server 202.120.10.2 and PC 202.130.10.3.]
Data packet 1: source 192.168.1.3, source port 1357 is translated to source 202.169.10.1, source port 1357.
Data packet 2: source 192.168.1.3, source port 2468 is translated to source 202.169.10.1, source port 2468.
Data packet 3: source 192.168.1.1, source port 11111 is translated to source 202.169.10.1, source port 11111.
Data packet 4: source 192.168.1.2, source port 11111 is translated to source 202.169.10.1, source port 22222.
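The NAPT table behind the four packets above, as an added example (not Eudemon code): private (address, port) pairs share one public address and are told apart by the public source port; a free public port is preserved, and a clash like packet 4 receives a fresh one, with the reverse mapping used to restore the private destination on return traffic. The allocation order and the public-port range are assumptions; 22222 on the slide is simply the device's own pick.

```python
from typing import Dict, Optional, Tuple

class Napt:
    """Port-level NAT: private (ip, port) pairs share one public address and
    are distinguished by the public source port. Assumption: the private
    source port is kept when free, otherwise the lowest free port is used."""

    def __init__(self, public_ip: str, port_range: Tuple[int, int] = (1024, 65535)):
        self.public_ip = public_ip
        self.lo, self.hi = port_range
        self.outbound: Dict[Tuple[str, int], int] = {}   # (priv ip, priv port) -> pub port
        self.inbound: Dict[int, Tuple[str, int]] = {}    # pub port -> (priv ip, priv port)

    def _free_port(self) -> int:
        for port in range(self.lo, self.hi + 1):
            if port not in self.inbound:
                return port
        raise RuntimeError("NAPT port range exhausted")

    def translate_out(self, src_ip: str, src_port: int) -> Tuple[str, int]:
        """Trust -> Untrust: rewrite the source, reusing an existing mapping."""
        key = (src_ip, src_port)
        if key not in self.outbound:
            usable = self.lo <= src_port <= self.hi and src_port not in self.inbound
            pub_port = src_port if usable else self._free_port()
            self.outbound[key] = pub_port
            self.inbound[pub_port] = key
        return self.public_ip, self.outbound[key]

    def translate_in(self, dst_port: int) -> Optional[Tuple[str, int]]:
        """Untrust -> Trust: restore the private destination, or None when no
        outbound session created the mapping (the firewall then drops it)."""
        return self.inbound.get(dst_port)

def napt_demo() -> Dict[str, object]:
    # Constructed from the slide: public address 202.169.10.1 on the untrust side.
    nat = Napt("202.169.10.1")
    result: Dict[str, object] = {
        "packet1": nat.translate_out("192.168.1.3", 1357),
        "packet2": nat.translate_out("192.168.1.3", 2468),
        "packet3": nat.translate_out("192.168.1.1", 11111),
        "packet4": nat.translate_out("192.168.1.2", 11111),  # port clash: new public port
    }
    # Reply to packet 4 arrives at the public port chosen above and is mapped back.
    result["reply_to_packet4"] = nat.translate_in(nat.translate_out("192.168.1.2", 11111)[1])
    return result

if __name__ == "__main__":
    for name, value in napt_demo().items():
        print(name, value)
```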

ALG
Application Level Gateway (ALG) is the translation proxy for some application protocols. It interacts with NAT to modify the application-specific data encapsulated in the IP packet based on the NAT state information, and through other necessary processing lets the application protocols work across address ranges.
The Eudemon firewall provides a complete address translation ALG mechanism with good scalability, which can support various special application protocols with no need to modify the NAT platform. So far, the ALG function can be used for protocols such as DNS, HWCC, ICMP, FTP, H.323, ILS, Media Gateway Control Protocol (MGCP), MSN, NetBIOS, PPTP, QQ, RAS, SIP and SNP.


IDS Cooperation
[Diagram: PCs on the internal LAN (trust zone) and an administration server sit behind the Eudemon; an IDS detector and an IDS server are attached; a router connects to the external network (Internet), the untrust zone.]

IDS Cooperation (cont.)
By default:
No address is configured for the external IDS server.
The Eudemon firewall communicates with the external IDS server through port 40000.
No authentication is configured between the firewall and the external IDS server, that is, the firewall does not perform packet authentication with the third-party IDS server.


Chapter 1 Product Introduction


Chapter 2 Network Attacks
Chapter 3 Security Policy
Chapter 4 HWTACACS and HRP


HWTACACS
HWTACACS is an enhancement of TACACS (RFC 1492, an access control protocol, sometimes called TACACS). Similar to RADIUS, it implements the various AAA functions in server/client mode, and is suitable for users accessing over PPP or VPDN as well as for performing authentication, authorization and accounting on login users.
Compared with RADIUS, HWTACACS is more reliable in transmission and encryption and is more suitable for security control. Differences between HWTACACS and RADIUS are shown in the following table.


HWTACACS and RADIUS
HWTACACS: uses TCP, more reliable in network transmission | RADIUS: uses UDP
HWTACACS: encrypts the main body of packets except the standard HWTACACS header | RADIUS: only encrypts the password field in authentication packets
HWTACACS: separates authentication from authorization | RADIUS: performs authentication together with authorization
HWTACACS: suitable for security control | RADIUS: suitable for accounting
HWTACACS: responsible for router configuration authorization | RADIUS: none


VRRP
[Diagram: internal network 10.100.10.0/24 with a PC and a server; a VRRP backup group with virtual IP address 10.100.10.1 made up of RouterA 10.100.10.2 (master), RouterB 10.100.10.3 (backup) and RouterC 10.100.10.4 (backup), connecting to the Internet.]

Disadvantages of Traditional VRRP
[Diagram: EudemonA (master) and EudemonB (backup) with three independent VRRP backup groups: backup group 1 with virtual IP address 10.100.10.1 on the trust zone (10.100.10.0/24), backup group 2 with virtual IP address 10.100.20.1 on the DMZ zone (10.100.20.0/24), backup group 3 with virtual IP address 202.38.10.1 on the untrust zone.]

Disadvantages of Traditional VRRP (cont.)
[Diagram: packet flow numbered (1) to (9) between a PC in the trust zone and a PC in the untrust zone. EudemonA (master) holds the session entry; EudemonB (backup) sits in the DMZ zone. Legend: actual connection / packet traffic.]

VGMP
A VRRP management group is a logical collection of several backup groups that meet some backup requirement; it performs centralized management on each backup group in it so that the VRRP backup groups can communicate with each other.
VRRP backup groups exchange information with each other via VGMP packets, while VRRP backup groups interact with interfaces via traditional VRRP packets.
[Diagram: VRRP management group <- VGMP packet -> VRRP backup group <- traditional VRRP packet -> interface.]


Function of VGMP

State consistency management

Preemption management

Channel management


State consistency management
State consistency management thoroughly overcomes the relatively state-independent situation in traditional VRRP. The VRRP management group determines whether to switch the master/backup state of each device in it, so that the states of all VRRP backup groups are kept consistent.


Preemption management
The Eudemon firewall performs preemption based on the determination of the VRRP management group, regardless of whether the backup group priority is higher or lower than that of the current master firewall.


Channel management
[Diagram: EudemonA (master) with interfaces A1, A2, A3 and EudemonB (backup) with interfaces B1, B2, B3 attach to the trust, DMZ and untrust zones through LAN switches (S); a direct link A4-B4 joins the two firewalls. Legend: actual connection / packet traffic.]
A1, A2, A3 are interfaces of EudemonA; B1, B2, B3 are interfaces of EudemonB; S represents a LAN switch.

Relationship between VGMP, Backup Group and Interface
[Diagram: management group 1 on EudemonA (master) and management group 2 on EudemonB (backup). Backup group 1, backup group 2 and backup group 3 each pair an EudemonA interface with the corresponding EudemonB interface (A1/B1, A2/B2, A3/B3) in the trust, untrust and DMZ zones. Legend: actual connection / traffic.]
A1, A2, A3 are interfaces of EudemonA; B1, B2, B3 are interfaces of EudemonB.

Backup Mode

Master/Backup Mode
Load Sharing Mode


Master/Backup Mode
[Diagram: management group 1 spans EudemonA (master, interfaces A1, A2, A3) and EudemonB (backup, interfaces B1, B2, B3) across backup groups 1, 2 and 3 in the trust, untrust and DMZ zones. Legend: actual connection / traffic.]
Management group 1:
Firewall / Component / Priority / State / Session volume
EudemonA / Backup groups 1, 2 and 3 / Level 1 / Master / Whole
EudemonB / Backup groups 1, 2 and 3 / Level 2 / Backup / -

Configuration priority on Master/Backup Mode
vrrp vrid link properties
data: specifies a link that is associated with the interface to transfer state information.
data transfer-only: indicates that the state change of the interface does not affect the state of the associated VRRP management group.
dummy-up: indicates not to trigger a state update of the VRRP management group after the state is Up.
vrrp group priority = priority set - (priority data/16) - (priority dummy-up/16)
Interface default priority is 100.
The zone of an interface with a data link must be opened bidirectionally to local, because VGMP packets are exchanged through it.


Load Sharing Mode (simple)
[Diagram: EudemonA (master for management group 1, backup for management group 2) and EudemonB (backup for management group 1, master for management group 2); backup groups 1, 2, 3 and 4, 5, 6 run on interfaces A1, A2, A3 / B1, B2, B3 in the trust, untrust and DMZ zones. Legend: actual connection / traffic.]
A1, A2, A3 are interfaces of EudemonA; B1, B2, B3 are interfaces of EudemonB.
Firewall / Management group 1 (Component, Priority, State, Transferred sessions) / Management group 2 (Component, Priority, State, Transferred sessions)
EudemonA / Backup groups 1, 2 and 3, Level 1, Master, part / Backup groups 4, 5 and 6, Level 2, Backup, -
EudemonB / Backup groups 1, 2 and 3, Level 3, Backup, - / Backup groups 4, 5 and 6, Level 4, Master, part

Load Sharing Mode (complex)


HRP Application
[Diagram: a session from a PC in the trust zone to a server in the untrust zone, steps (1) to (8), is handled by Eudemon A (master); its session entries are shown alongside Eudemon B (backup) in the DMZ zone, with a PC attached. Legend: actual connection / traffic.]

HRP, VGMP, VRRP
[Diagram: layered relationship: HRP module (HRP packet) above the VRRP management group (VGMP packet) above the VRRP backup group.]

Thank You
www.huawei.com
