Keywords: Stateful failover, master/backup mode, load balancing mode, data synchronization,
link switching
Abstract: A firewall device is usually the access point of a network. Once the firewall fails, a single
point of failure occurs and all the traffic will be interrupted. To avoid this, you can use the
stateful failover feature to ensure continuous data transmission. This document describes
the concepts, working mode, implementation and application scenarios of stateful failover.
Acronyms:
Table of Contents
1 Overview
1.1 Background
1.2 Benefits
6 References
1 Overview
1.1 Background
Continuous data transmission at key service entries and access points (such as the
Internet access point of an enterprise or a database server of a bank) must be
ensured. In Figure 1, only one firewall is deployed at the access point. If it fails,
services between the internal and external networks will be interrupted.
To avoid such single points of failure, the traditional backup network solution deploys
multiple devices (routers or forwarding devices only) at the access point for service
backup and link switchover. Once the active device fails, traffic will switch to a
standby device through VRRP or a dynamic routing protocol. In such a network,
packets are forwarded based on the forwarding table; however, if stateful firewalls are
deployed at the access point, packets need to match session entries before they can
pass. Typically, the active firewall checks the first packet of a session, and then
creates a session entry (including the source IP address/port number and destination
IP address/port number of the packet) if it permits the packet to pass. Subsequent
packets matching the session entry can pass through the firewall. After link
switchover, the packets may not find the session entry on the standby device and
thus cannot pass through the firewall.
The stateful failover solution can solve the problem. In a stateful failover network, the
firewall devices synchronize session information before link switchover. If the active
device fails, service traffic is switched to the standby device to ensure session
continuity. In Figure 2, two firewalls are deployed at the access point. If Firewall 1 fails,
the service traffic is switched to Firewall 2. Because Firewall 2 has performed data
synchronization with Firewall 1, the current service is not interrupted, and the network
stability and reliability are improved.
[Figure 2: Firewall 1 and Firewall 2 deployed between the Internet and the private network]
Stateful failover can be regarded as a solution that eliminates a single point of
failure through data synchronization and link switchover; it can also be regarded as
a functional module (because it only implements data synchronization) that can be
configured through the web interface. This manual describes stateful failover from
the first perspective.
1.2 Benefits
Compared with the traditional backup network solution, the stateful failover solution:
The routing mode indicates that the firewall works as a Layer 3 device, and the
transparent mode indicates that the firewall works as a Layer 2 device on the network.
If two firewalls are in the active/standby mode, one firewall acts as the active device,
and the other firewall acts as the standby device. The active device processes all
services and synchronizes session information to the standby device. The standby
firewall serves as the backup and does not process services. In Figure 3, Firewall 1
processes all services and Firewall 2 is used for backup. When Firewall 1 fails,
Firewall 2 takes over the services, as shown in Figure 4, thus ensuring the
establishment of new sessions and the continuity of the current sessions.
Figure 3 Network diagram for sessions before Firewall 1 fails (in active/standby mode)
Figure 4 Network diagram for sessions after Firewall 1 fails (in active/standby mode)
If two firewalls are in the load balancing mode, both devices are active to forward
traffic and back up the session information of each other. In Figure 5, both Firewall 1
and Firewall 2 process traffic and serve as the backup of each other. When Firewall 1
fails, Firewall 2 takes over all services, as shown in Figure 4, thus ensuring the
establishment of new sessions and the continuity of the current sessions.
Figure 5 Network diagram for sessions before Firewall 1 fails (in load balancing mode)
A firewall maintains the information of each session. After the standby device takes
over the services of the active device, it must have correct session information to
process session packets; otherwise, session packets are discarded and sessions are
terminated. Therefore, upon the establishment of new session entries or session
entry changes, the active device needs to synchronize the information to the standby
device for session information consistency. The information that a firewall can
synchronize includes: session, NAT, ALG, ASPF, black list, H.323, SIP, ILS, RTSP,
NBT, and SQLNET.
• Batch backup. After a firewall works for a period of time, a large number of
session entries are generated. Then you can deploy another firewall and enable
stateful failover on both firewalls. The session entries will be synchronized to
the newly added device at one time. This process is called batch backup.
• Real-time backup. Upon the establishment of new session entries or session
entry changes, the active firewall synchronizes session information to the
standby device in real time for session information consistency. This process is
called real-time backup.
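The session-matching problem from the Background section and the two backup types above can be seen in a small model. This is an added example, not H3C code: the Firewall class, the permit rule, and the two flows are constructed for illustration, and the session key is the source/destination address and port tuple the text describes.

```python
# Added example: toy model of two stateful firewalls (not vendor code).
from dataclasses import dataclass, field

@dataclass
class Firewall:
    name: str
    sessions: set = field(default_factory=set)   # session table of 4-tuples
    peer: "Firewall | None" = None                # stateful failover peer
    realtime_backup: bool = False

    def process(self, src, sport, dst, dport, first_packet=False):
        """Return True if the packet passes, False if it is discarded."""
        key = (src, sport, dst, dport)
        if key in self.sessions:
            return True                      # matches an existing session entry
        if first_packet and self.policy_permits(key):
            self.sessions.add(key)           # first packet creates the entry
            if self.realtime_backup and self.peer is not None:
                self.peer.sessions.add(key)  # real-time backup to the standby
            return True
        return False                         # mid-session packet with no entry

    @staticmethod
    def policy_permits(key):
        # Assumption: the policy permits hosts in 172.17.1.0/24.
        return key[0].startswith("172.17.1.")

    def batch_backup(self):
        """Copy every existing entry to a newly added peer at one time."""
        self.peer.sessions |= self.sessions

def failover_demo(sync: bool):
    fw1, fw2 = Firewall("Firewall 1"), Firewall("Firewall 2")
    flow_a = ("172.17.1.10", 40000, "100.0.0.100", 443)   # constructed flow
    flow_b = ("172.17.1.129", 40001, "100.0.0.100", 443)  # constructed flow
    fw1.process(*flow_a, first_packet=True)   # session exists before pairing
    if sync:
        fw1.peer, fw1.realtime_backup = fw2, True
        fw1.batch_backup()                    # flow_a reaches Firewall 2
    fw1.process(*flow_b, first_packet=True)   # flow_b is synced in real time
    # Firewall 1 fails: subsequent (non-first) packets arrive at Firewall 2.
    return fw2.process(*flow_a), fw2.process(*flow_b)

if __name__ == "__main__":
    print("without sync:", failover_demo(False))
    print("with sync:   ", failover_demo(True))
```

Without synchronization the standby discards both established flows after switchover; with batch plus real-time backup both continue.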
The stateful failover solution uses VRRP or a dynamic routing protocol to implement
link switchover.
You can configure a group of devices in a LAN as a VRRP group, which functions as
a virtual device. Hosts in the LAN can communicate with other networks through the
virtual device. In the VRRP group, only one device is active to forward packets, which
is called the master; other devices are in standby state, which are called backups and
are ready to take over services based on the device priorities. When the master fails,
the device with the highest priority is elected as the new master and takes over
services. Thus, a link switchover is completed and is totally transparent to users.
Through network and VRRP configurations, you can implement the active/standby or
load balancing mode of stateful failover.
• In the active/standby mode, only one VRRP group is required. The firewalls in
the VRRP group have different priorities and the one with the highest priority is
the master. As shown in Figure 6, create VRRP group 1 on Firewall 1 and
Firewall 2, and configure a higher priority for Firewall 1. Configure the default
gateway of Host A and Host B as the virtual IP address 172.17.1.200/24 of
VRRP group 1. If Firewall 1 works normally, it forwards packets of Host A and
Host B and Firewall 2 serves as backup in monitoring state; if Firewall 1 fails,
Firewall 2 becomes the master and forwards packets of Host A and Host B.
[Figure 6: VRRP group 1 (virtual IP address 172.17.1.200/24) with a master and a backup firewall between the public network and the private network. Host A: IP 172.17.1.10/24, gateway 172.17.1.200. Host B: IP 172.17.1.129/24, gateway 172.17.1.200.]
• In the load balancing mode, two VRRP groups are required. One firewall serves
as the master in VRRP group 1 and the other firewall serves as the master in
VRRP group 2. As shown in Figure 7, create VRRP group 1 and VRRP group 2
on Firewall 1 and Firewall 2 respectively, and configure a higher priority for
Firewall 1 in VRRP group 1 and a higher priority for Firewall 2 in VRRP group 2.
Configure the default gateway of Host A as the virtual IP address
172.17.1.200/24 of VRRP group 1, and that of Host B as the virtual IP address
172.17.1.201/24 of VRRP group 2. If Firewall 1 works normally, it forwards
packets of Host A and Firewall 2 forwards packets of Host B to implement load
balancing. They serve as backups and monitor the state of each other. If
Firewall 1 fails, Firewall 2 becomes the master in VRRP group 1 and forwards
packets of Host A and Host B.
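The two VRRP layouts above reduce to a per-group election followed by a lookup of each host's gateway. The sketch below is an added example, not H3C code: the priority values 110 and 100 are assumptions (the text only says "higher priority"), and the election is simplified to "highest priority among devices that are up".

```python
# Added example: simplified VRRP master election per group (not vendor code).
# Priorities 110/100 are assumed values chosen for illustration.
GROUPS = {
    1: {"vip": "172.17.1.200", "prio": {"Firewall 1": 110, "Firewall 2": 100}},
    2: {"vip": "172.17.1.201", "prio": {"Firewall 1": 100, "Firewall 2": 110}},
}
# Load balancing mode: each host uses a different virtual IP as gateway.
HOST_GATEWAY = {"Host A": "172.17.1.200", "Host B": "172.17.1.201"}

def elect_master(prio, alive):
    """Return the highest-priority device that is still up, or None."""
    candidates = {dev: p for dev, p in prio.items() if dev in alive}
    if not candidates:
        return None
    return max(candidates, key=candidates.get)

def forwarders(groups, host_gateway, alive):
    """Map each host to the firewall that currently owns its gateway VIP."""
    vip_owner = {g["vip"]: elect_master(g["prio"], alive)
                 for g in groups.values()}
    return {host: vip_owner.get(gw) for host, gw in host_gateway.items()}

def active_standby(groups, hosts):
    """Active/standby mode: only group 1 exists and every host uses its VIP."""
    return {1: groups[1]}, {h: groups[1]["vip"] for h in hosts}

if __name__ == "__main__":
    both = {"Firewall 1", "Firewall 2"}
    after_failure = {"Firewall 2"}
    print(forwarders(GROUPS, HOST_GATEWAY, both))
    print(forwarders(GROUPS, HOST_GATEWAY, after_failure))
    g, gw = active_standby(GROUPS, HOST_GATEWAY)
    print(forwarders(g, gw, both), forwarders(g, gw, after_failure))
```

In both modes every host ends up behind Firewall 2 once Firewall 1 is down, which is why Firewall 2 must already hold the synchronized session entries.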
If devices A and B located on separate networks are reachable through multiple paths,
the dynamic routing protocol selects an optimal path by route calculation. If the path
fails, the routing protocol selects an optimal path from the rest of the paths, and the
failed route is used after recovery. Thus, the connectivity between A and B is ensured.
Through network and dynamic routing configurations, you can implement the
active/standby or load balancing mode of stateful failover. (The following network
diagram takes OSPF as example.)
• In the active/standby mode, one firewall is active and the other firewall is in the
backup state. As shown in Figure 8, enable OSPF on Router A, Router B,
Firewall 1 and Firewall 2, configure them to be in the same OSPF domain, and
configure the cost value of Ethernet 1/1 to be greater than that of Ethernet 1/2
on both Router A and Router B. Then, the path Router A <-> Firewall 1 <-> Router B
has a higher priority than the path Router A <-> Firewall 2 <-> Router B. If
Firewall 1 works normally, packets from the private network are
forwarded by Firewall 1 to the Internet; if Firewall 1 fails, packets from the
private network are forwarded by Firewall 2 to the Internet.
• In the load balancing mode, both firewalls are active and serve as the backup of
each other. As shown in Figure 8, enable OSPF on Router A, Router B, Firewall
1 and Firewall 2, configure them to be in the same OSPF domain, and configure
Router A and Router B to support at least two equal-cost routes. Because the
path Router A <-> Firewall 1 <-> Router B has the same priority as the path
Router A <-> Firewall 2 <-> Router B, packets from the private network are
forwarded by both Firewall 1 and Firewall 2 to the Internet; if Firewall 1 fails,
packets from the private network are forwarded by Firewall 2 to the Internet.
[Figure 8: Router A (Eth1/1, Eth1/2) on the Internet side and Router B (Eth1/1, Eth1/2) on the private network side, connected through Firewall 1 and Firewall 2 in one OSPF domain]
3.3 Limitations
• Stateful failover supports only two devices.
• The hardware configuration and software version must be consistent on the two
devices, and the interface cards on the corresponding slot must be consistent;
otherwise, the device may fail to recognize or fail to find related physical
resources of the information backed up from the other device, resulting in
5 Application Scenarios
+ Active/Standby Mode)
As shown in Figure 9, Firewall 1 and Firewall 2 are deployed at the access point
between the private network and public network, and are working in routing mode. It
is required that: If Firewall 1 works normally, Host A and Host B access Server 1
through Firewall 1; if Firewall 1 fails, Host A and Host B access Server 1 through
Firewall 2 and the ongoing sessions between Host A and Server 1, Host B and
Server 1 are not interrupted.
To meet the requirement, you can configure VRRP group 1 for monitoring the down
links and VRRP group 2 for monitoring the uplinks on Firewall 1 and Firewall 2, and
enable data synchronization between the two firewalls.
[Diagram labels: Server 1 (IP 100.0.0.100/24, gateway 100.0.0.200/24); L2 switch A, L2 switch B, L2 switch C; Host A (IP 172.17.1.10/24, gateway 172.17.1.200); Host B (IP 172.17.1.129/24, gateway 172.17.1.200)]
Figure 9 Network diagram for stateful failover (implementing link switchover through VRRP)
As shown in Figure 10, Firewall 1 and Firewall 2 are deployed at the access point
between the private network and public network, and are working in routing mode. It is
required that: If Firewall 1 works normally, Host A accesses Server 1 through Firewall 1
and Host B accesses Server 1 through Firewall 2 for load balancing; if Firewall 1 fails,
Host A and Host B access Server 1 through Firewall 2 and the ongoing sessions between
Host A and Server 1, Host B and Server 1 are not interrupted.
To meet the requirement, you can configure OSPF on Router A, Router B, Router C,
Router D, Firewall 1 and Firewall 2, and enable data synchronization between the two
firewalls.
[Diagram labels: Server 1; Firewall 1 and Firewall 2 joined by the stateful failover link; Router A and Router B; Host A and Host B]
Figure 10 Network diagram for stateful failover (routing mode + load balancing mode)
As shown in Figure 11, Firewall 1 and Firewall 2 are deployed at the access point
between the private network and public network, and are working in transparent
mode (Layer 2 mode). It is required that: If Firewall 1 works normally, Host A
accesses Server 1 through Firewall 1 and Host B accesses Server 1 through Firewall
2 for load balancing; if Firewall 1 fails, Host A and Host B access Server 1 through
Firewall 2 and the ongoing sessions between Host A and Server 1, Host B and Server
1 are not interrupted.
To meet the requirement, you can configure VRRP group 1 and VRRP group 2 (both
for load balancing and monitoring the down link) on Router A and Router B, and
[Diagram labels: Server 1 (IP 100.0.0.1/24); L2 switch C; Router A and Router B; VRRP group 2 (virtual IP address 172.17.1.201/24) and VRRP group 1 (virtual IP address 172.17.1.200/24); Firewall 1 and Firewall 2 joined on GE0/1 by the stateful failover link; L2 switch A and L2 switch B; Host A (IP 172.17.1.10/24, gateway 172.17.1.200); Host B (IP 172.17.1.129/24, gateway 172.17.1.201)]
Figure 11 Network diagram for stateful failover (transparent mode + load balancing mode)
6 References
Stateful Failover Configuration Examples
Copyright ©2008 Hangzhou H3C Technologies Co., Ltd. All rights reserved.
No part of this manual may be reproduced or transmitted in any form or by any means without prior written consent of Hangzhou