
Dual-System Hot Standby

Foreword

• With the rapid development of services such as mobile office, online shopping, instant messaging, Internet finance, and Internet education, networks carry more and more services and are therefore becoming more important. Ensuring uninterrupted network transmission is an issue that needs to be solved urgently during network development.
• Dual-system hot standby improves reliability. Two firewalls can be deployed at the egress of a network to ensure communication between the intranet and the Internet.

3 Huawei Confidential
Objectives

On completion of this course, you will be able to:

• Master the technical principles of dual-system hot standby.
• Master the basic configuration of dual-system hot standby.

Contents

1. Technical Principles of Dual-System Hot Standby
2. Basic Networking and Configuration of Dual-System Hot Standby

Why Dual-System Hot Standby?
• The following figure shows a traditional networking mode: packets exchanged between intranet and Internet users are transmitted through Firewall A. If Firewall A is faulty, intranet hosts that use Firewall A as the default gateway cannot communicate with the Internet, affecting communication reliability.
[Figure: a PC and a server on the intranet (10.100.10.0/24) connected through Firewall A; label: PC 10.100.10.1/24]

Redundancy Deployment Solution for Routers
• In router networking, Virtual Router Redundancy Protocol (VRRP) is used for router redundancy.
[Figure: a PC and a server on the intranet (10.100.10.0/24) behind a VRRP group of Router A (Master, 10.100.10.2), Router B (Backup, 10.100.10.3) and Router C (Backup, 10.100.10.4); virtual IP address 10.100.10.1]

Application of VRRP in Multi-zone Firewall Networking
• To provide dual-system hot standby for multiple zones on firewalls, you must configure multiple VRRP groups.
[Figure: USG A (Master) and USG B (Backup) connecting the Trust, DMZ and Untrust zones; subnets 10.100.10.0/24 and 10.100.20.0/24; VRRP group 1 virtual IP address 10.100.10.1, VRRP group 2 virtual IP address 10.100.20.1, VRRP group 3 virtual IP address 202.38.10.1]

Defect of VRRP in Firewall Applications
• In traditional VRRP mode, the status of the master firewall cannot be consistent with that of the backup firewall.
[Figure: packet path, steps (1) to (9), between PC1, PC2 and the server across the Trust, Untrust and DMZ zones through USG A (Master) and USG B (Backup); labels: session entries, actual cable connection, packet path]

Use of VRRP for Firewall Multi-zone Backup
• To ensure the switchover consistency of all VRRP groups, the VRRP Group Management Protocol (VGMP) was developed based on VRRP.
[Figure: VGMP groups on USG A and USG B managing VRRP groups 1, 2 and 3 for the Trust, DMZ and Untrust zones (subnets 10.100.10.0/24 and 10.100.20.0/24); Hello and ACK messages between the two firewalls]

Basic Principles of VGMP
• If the VGMP group on a firewall is in the active state, all VRRP groups in the VGMP group are in the active state. The same applies to the standby state.
• The firewall in the VGMP Active state regularly checks the peer's running status, including the priority and VRRP member status, by sending Hello packets.
[Figure: USG A in the VGMP Active state and USG B in the VGMP Standby state, with VRRP groups 1, 2 and 3 for the Trust, DMZ and Untrust zones (subnets 10.100.10.0/24 and 10.100.20.0/24); Hello and ACK messages between the two firewalls]

Management of a VGMP Group
• Status consistency management
  - The VGMP group controls the switchover of all VRRP groups.
• Preemption management
  - If the faulty active device recovers, its priority is restored as well. The device can then become active again through preemption.
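
The difference between per-group VRRP switchover and VGMP-controlled switchover, as an added toy model that is not part of the original course material. The class and function names, the priorities 120 and 100, and the VGMP ranking rule (most healthy links first, then priority) are constructed for illustration, and sessions are not synchronized between the two firewalls in this model.

```python
"""Added example: per-group VRRP failover vs. VGMP-managed failover (toy model)."""
from dataclasses import dataclass, field

ZONES = ("trust", "dmz", "untrust")    # one VRRP group per zone, as on the slides

@dataclass
class Firewall:
    name: str
    priority: int                       # constructed value; higher wins an election
    link_up: dict = field(default_factory=lambda: {z: True for z in ZONES})
    sessions: set = field(default_factory=set)

def elect_per_group(a, b):
    """Plain VRRP: each group picks its master from that group's link state only."""
    masters = {}
    for zone in ZONES:
        alive = [fw for fw in (a, b) if fw.link_up[zone]]
        masters[zone] = max(alive, key=lambda fw: fw.priority).name if alive else None
    return masters

def elect_vgmp(a, b):
    """VGMP: one active firewall; every VRRP group follows that single decision.
    Assumed ranking: most healthy monitored links first, then priority."""
    active = max((a, b), key=lambda fw: (sum(fw.link_up.values()), fw.priority))
    return {zone: active.name for zone in ZONES}

def round_trip(masters, fws, src_zone, dst_zone, flow):
    """Request enters at the src-zone master and creates a session there; the reply
    enters at the dst-zone master, which drops it if it holds no matching session."""
    if masters[src_zone] is None or masters[dst_zone] is None:
        return "no gateway"
    fws[masters[src_zone]].sessions.add(flow)
    reply_fw = fws[masters[dst_zone]]
    return "forwarded" if flow in reply_fw.sessions else f"dropped by {reply_fw.name}"

def scenario(elect):
    """USG_A loses its Trust-side link, then PC1 (Trust) opens a flow to PC2 (Untrust)."""
    a, b = Firewall("USG_A", 120), Firewall("USG_B", 100)
    a.link_up["trust"] = False
    masters = elect(a, b)
    return masters, round_trip(masters, {a.name: a, b.name: b},
                               "trust", "untrust", ("PC1", "PC2"))

if __name__ == "__main__":
    for elect in (elect_per_group, elect_vgmp):
        print(elect.__name__, *scenario(elect))
```

With per-group election the Trust group moves to USG_B while the Untrust group stays on USG_A, so the reply reaches a firewall that never saw the request; with the VGMP-style decision all three groups move together.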

Basic Concepts of HRP
• The Huawei Redundancy Protocol (HRP) backs up dynamic status data and key configuration commands between firewalls.
[Figure: FWA and FWB with VRRP groups 1, 2 and 3 across the Trust, DMZ and Untrust zones; label: ① Session table]

HRP Heartbeat Interfaces
• The two firewalls exchange backup data through the heartbeat interfaces over the heartbeat link.
• A heartbeat interface must be an independent interface with an IP address. It can be a physical interface (such as a GE interface) or a logical Eth-Trunk interface.
[Figure: two cases between FW1 (1.1.1.1) and FW2 (1.1.1.2), both ends in the running state: a physical interface (GE1/0/1) as the heartbeat interface, and Eth-Trunk1 (GE1/0/1, GE1/0/2, GE1/0/3) as the heartbeat interface; legend: heartbeat interface, HRP data packet]

Status of Heartbeat Interfaces
• HRP heartbeat interfaces have five states:
  - Invalid
  - Down
  - Peerdown
  - Ready
  - Running
[Figure: heartbeat links between FW_A and FW_B with the state shown at each end: GE1/0/1 invalid / peerdown (address shown: 1.1.1.2), GE1/0/2 peerdown / down (address shown: 2.2.2.1), GE1/0/3 running / running (3.3.3.1, 3.3.3.2), GE1/0/4 ready / ready (4.4.4.1, 4.4.4.2); legend: interface, heartbeat link, HRP heartbeat link detection packets, HRP data packets]

Backup Modes of Hot Standby

• Automatic backup
• Manual batch backup
• Quick session backup
• Automatic sync of FW configurations after restart

Basic Networking of Dual-System Hot Standby
• When upstream and downstream service interfaces on firewalls work at Layer 3 and connect to Layer 2 devices, configure VRRP groups on the service interfaces, so that the VGMP group can monitor the Layer 3 service interfaces through the VRRP groups.
[Figure: USG_A (Master) and USG_B (Backup) between the Trust zone (PC1: 1.1.1.10/24) and the Untrust zone (PC2: 10.3.0.10/24).
 USG_A: G1/0/1 10.2.0.1/24, G1/0/3 10.3.0.1/24, G1/0/6 10.10.0.1/24.
 USG_B: G1/0/1 10.2.0.2/24, G1/0/3 10.3.0.2/24, G1/0/6 10.10.0.2/24.
 VRRP group 1 virtual IP address 1.1.1.1/24; VRRP group 2 virtual IP address 10.3.0.3/24.]

Configuring a VRRP Group on the CLI
• Configure VRRP in the interface view:
vrrp vrid virtual-router-ID virtual-ip virtual-address [ ip-mask | ip-mask-length ] { active | standby }
• After the active or standby parameter is specified, the VRRP group is added to the active or standby VGMP group.
• Up to 255 VRRP groups can be configured on each common physical interface (GigabitEthernet interface).

Configuring HRP on the CLI
• Specify a heartbeat interface.
hrp interface interface-type interface-number [ remote { ip-address | ipv6-address } ]
• Enable HRP.
hrp enable
• Enable the function of configuring the standby device.
hrp standby config enable
• Enable the function of automatically backing up commands and status information.
hrp auto-sync [ config | connection-status ]
• Enable quick session backup.
hrp mirror session enable

VRRP Configuration Example on the CLI
• Configuration of VRRP group 1 on USG_A:
[USG_A]interface GigabitEthernet 1/0/1
[USG_A-GigabitEthernet1/0/1]ip address 10.2.0.1 24
[USG_A-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 active
• Configuration of VRRP group 1 on USG_B:
[USG_B]interface GigabitEthernet 1/0/1
[USG_B-GigabitEthernet1/0/1]ip address 10.2.0.2 24
[USG_B-GigabitEthernet1/0/1]vrrp vrid 1 virtual-ip 1.1.1.1 255.255.255.0 standby

HRP Configuration Example on the CLI
• HRP configuration on USG_A:
[USG_A]hrp enable
[USG_A]hrp mirror session enable
[USG_A]hrp interface GigabitEthernet 1/0/6

Viewing the VRRP Status on the CLI
• View the status of an interface in a VRRP group:
HRP_A<USG_A>display vrrp interface G1/0/3
GigabitEthernet1/0/3 | Virtual Router 2
VRRP Group : Active
state : Active
Virtual IP : 10.3.0.3
Virtual MAC : 0000-5e00-0102
Primary IP : 10.3.0.1
PriorityRun : 120
PriorityConfig:100
MasterPriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES

Viewing the HRP Status on the CLI
• View the status of the active firewall:
HRP_A<USG_A>dis hrp state
The firewall's config state is: ACTIVE

Current state of virtual routers configured as active:


GigabitEthernet1/0/1 vrid 1 : active
GigabitEthernet1/0/3 vrid 2 : active
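
A check over the two status outputs shown above, as an added example that is not part of the original course material: it parses the output and reports any VRRP group whose state differs from the firewall's own state, which the VGMP rule says should not occur. The function names are illustrative; reading the `VRRP Group` field as the VGMP group the VRRP group belongs to is an assumption, and the `Auth Type` finding is a hardening check added here.

```python
import re

# Output as shown on the page's "display vrrp interface" and "dis hrp state" slides.
VRRP_OUT = """GigabitEthernet1/0/3 | Virtual Router 2
VRRP Group : Active
state : Active
Virtual IP : 10.3.0.3
Virtual MAC : 0000-5e00-0102
Primary IP : 10.3.0.1
PriorityRun : 120
PriorityConfig:100
MasterPriority : 120
Preempt : YES Delay Time : 0
Advertisement Timer : 1
Auth Type : NONE
Check TTL : YES"""
HRP_OUT = """The firewall's config state is: ACTIVE
Current state of virtual routers configured as active:
GigabitEthernet1/0/1 vrid 1 : active
GigabitEthernet1/0/3 vrid 2 : active"""

def parse_vrrp(text):
    """Return {field: value}; copes with 'Key:Val' and two pairs on one line."""
    fields = {}
    for line in text.splitlines():
        for key, val in re.findall(r"([A-Za-z][A-Za-z ]*?)\s*:\s*(\S+)", line):
            fields[key] = val
    return fields

def parse_hrp(text):
    """Return (config state, {(interface, vrid): state}), all lower-cased."""
    m = re.search(r"config state is:\s*(\w+)", text)
    role = m.group(1).lower() if m else "unknown"
    rows = re.findall(r"^(\S+) vrid (\d+)\s*:\s*(\w+)", text, re.M)
    return role, {(ifc, int(vrid)): st.lower() for ifc, vrid, st in rows}

def audit(vrrp_text, hrp_text):
    """Findings: VRRP groups out of step with the firewall's state, then VRRP hygiene."""
    vrrp, (role, groups) = parse_vrrp(vrrp_text), parse_hrp(hrp_text)
    findings = [f"{ifc} vrid {vrid} is {st} but the firewall is {role}"
                for (ifc, vrid), st in sorted(groups.items()) if st != role]
    if vrrp.get("state", "").lower() != vrrp.get("VRRP Group", "").lower():
        findings.append("VRRP state differs from the VRRP Group field")
    if vrrp.get("Auth Type", "").upper() == "NONE":
        findings.append("Auth Type is NONE: VRRP advertisements are not authenticated")
    return findings
```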

Configuring Dual-System Hot Standby on the Web UI
• Choose System > High Availability > Dual-System Hot Standby and click Edit to configure dual-system hot standby.

Configuring the Active Firewall
• On the Dual-System Hot Standby page, click Edit to configure the active firewall USG_A. In the Configure Virtual IP Address area, click Add to create a VRRP group.

Configuring the Standby Firewall
• On the Dual-System Hot Standby page, click Edit to configure the standby firewall USG_B. In the Configure Virtual IP Address area, click Add to create a VRRP group.

Viewing Historical Switchover
• On the Dual-System Hot Standby page, click Details to view active/standby switchover information about dual-system hot standby.

Viewing Hot Standby Status Information
• On the Dual-System Hot Standby page, view the running mode, role, and VRRP group status.

Quiz
1. HRP enables the active firewall to synchronize all configurations and information to the standby firewall. Therefore,
the configurations and information are still available after a firewall restart. As a result, no information needs to be
configured on the standby firewall.
A. True

B. False

2. Which of the following protocols is used to control the switchover of all VRRP groups in the firewall dual-system
hot standby networking?
A. VGMP

B. VRRP

C. HRP

D. OSPF

Summary

• Technical Principles of Dual-System Hot Standby
• Basic Networking and Configuration of Dual-System Hot Standby

Thank you.

Bring digital to every person, home, and organization for a fully connected, intelligent world.

Copyright©2021 Huawei Technologies Co., Ltd. All Rights Reserved.

The information in this document may contain predictive statements including, without limitation, statements regarding the future financial and operating results, future product portfolio, new technology, etc. There are a number of factors that could cause actual results and developments to differ materially from those expressed or implied in the predictive statements. Therefore, such information is provided for reference purpose only and constitutes neither an offer nor an acceptance. Huawei may change the information at any time without notice.
