Discussion and Implementation for the High Availability of Firewall Virtualized Network Function on Openstack

• Main Authors: Yang, Ta-Wei, 楊大煒
• Other Authors: Chao, Hsi-Lu
• Format: Others
• Language: zh-TW
• Published: 2015
• Online Access: http://ndltd.ncl.edu.tw/handle/74628194728497968523

碩士 === 國立交通大學 === 資訊科學與工程研究所 === 103 === We know that virtual network function (VNF) can turn the traditional network functions into software, so the network function doesn’t need any special hardware to support. This feature makes the hardware requirement for the data center become easier than before. It means that you don’t have to change the hardware when updating the network functions or setting the new network functions. Likewise, for the purpose of making cloud service more convenient, Openstack is going to support or offer more and more VNF these years. The numbers of the VNF on the cloud platform will rise up. The VNF service structure, which is ether put form user or offered from cloud platform, will become more and more complicated. Therefore, once there is an error occurred at some point, it might cause a single point of failure. To prevent that kind of thing form happening, we must apply high availability (HA) to our service, which makes our service system keep working after the error occurred. We will focus on the high availability of VNF on Openstack in our paper. We present a NFV system structure which is based on virtual machine (VM) and is using HA related open software with shell scripts. This kind of VNF structure may be used on most kind of VNF. But there are too many kinds of VNF, we choose firewall, the most completed one to achieve HA, as discussion VNF in this paper. Both “Active Passive” mode firewall and “Active Active” mode firewall are being discussed. To achieve the HA of firewall, we must at least doing three things. First, forwarding the packets to the firewall which is in the right state while the original firewall is error. Second, the firewall rule setting on the original firewall must be synchronized to other backup firewalls. The last thing is the session of connection must also be maintained while switching the packet flow from the error firewall to backup firewall.