Design and Implementation of Firewall High Availability Based on VRRP
Abstract
The security and reliability of network services are becoming increasingly important; if a critical component of the network, the firewall, fails, the network can no longer provide normal service. This thesis uses a clustering technique, the Virtual Router Redundancy Protocol (VRRP), to implement firewall high availability, so that when one firewall goes down a backup firewall promptly takes over forwarding, placing no burden on the hosts and improving the quality of network service.
     The thesis first introduces the basic techniques of high availability and then analyzes and compares the common firewall high-availability schemes. It explains in detail how the VRRP protocol works, including the definition of the concepts used in the protocol, the determination of the parameters the protocol needs in order to run, the internal mechanism of protocol operation, and the election strategy and election procedure for the master firewall.
     The thesis focuses on the synchronization process of VRRP instances. After an in-depth study of the problems that can arise during synchronization, it proposes a feasible improvement and uses test cases to verify and analyze the firewall high availability implemented with that improvement.
     Firewall high availability is implemented on top of the modified VRRP protocol, mainly covering the partitioning of the VRRP functional modules, the implementation of those modules, and the implementation of the configuration synchronization module. Testing of the firewall high-availability function shows that it has been implemented well. Finally, the thesis summarizes the work and outlines the next steps.
Nowadays the security and availability of networked services are becoming more and more important for many businesses, and it is extremely important that the failure of one network component (such as a firewall) does not prevent the normal use of all other services. The Virtual Router Redundancy Protocol (VRRP), a clustering technique, is used in this paper; it can be used to deploy router redundancy. When one firewall is down, the other can take over its work without bringing the user any burden, and so improves the quality of the network.
    First I introduce some basic knowledge of high availability, then analyze the common deployment approaches to firewall high availability and the VRRP protocol. The analysis of VRRP covers many sub-aspects, such as concept definitions, parameter choice, the protocol mechanism, the master router's election policies, and so on.
    VRRP instance synchronization is the main focus. I point out possible errors and give a feasible solution. With a testing program, I validate the high availability of the firewall based on the modified VRRP and obtain the expected result.
    The implementation of the high-availability firewall based on the modified VRRP includes module partitioning, module realization, and the realization of configuration synchronization. Finally, the test results indicate that the VRRP functions were realized well. Conclusions and suggestions are also given at the end.