Juniper SSG/NetScreen series High Availability (NSRP) CLI configuration, final version

Source: Internet
Author: User

First, some background: you need to understand what HA is here and how NSRP compares with other high-availability schemes. There is not much to say; read on.


Juniper NetScreen OS (ScreenOS) NSRP high availability configuration

    • HA

NSRP (NetScreen Redundancy Protocol) is Juniper's own protocol, developed by NetScreen on the basis of the VRRP specification. A firewall is a key device in the core network and must protect every flow entering and leaving it; to meet the customer's need for uninterrupted business access, the firewall must be highly reliable and able to fail over seamlessly when the device itself, a link, or an adjacent device fails.


    • NSRP functions, cluster operating modes and advantages

NSRP functions:

1. Synchronizes configuration between the members of the HA cluster.

2. Synchronizes run-time objects (the session table and related state, "RTO") so that established connections survive a failover.

3. Uses an efficient failover algorithm; a switchover completes within a few seconds.


NSRP cluster operating modes:

1. Active/Passive mode

Two security devices are cabled and configured as a redundant cluster: one is the master, the other the backup. The master handles all traffic while the backup stays online in standby. The master propagates its network and configuration commands and its current session table to the backup, which keeps its configuration and session state in sync with the master and tracks the master's health. When the master fails, the backup is promoted within a very short time and takes over traffic processing. (This is the most widely deployed mode and is very stable.)

2. Active/Active mode

Two Virtual Security Device (VSD) groups are created in NSRP, each with its own Virtual Security Interfaces (VSIs) through which it communicates with the network. Device A is master of VSD group 1 and backup of VSD group 2; device B is master of VSD group 2 and backup of VSD group 1. Both firewalls forward traffic at the same time and back each other up, so there is no single point of failure in active/active mode.


The advantages of NSRP clustering are mainly:

1. It removes the single point of failure at the firewall and the devices in front of and behind it, giving high network reliability; even if both kinds of core device on the backbone fail, business keeps running securely and reliably.

2. It offers flexible, diverse redundant topologies to match the customer's network and reliability requirements: ① active/passive mode with Layer 2/3 multiple virtual routers in straight-through or cross-connected cabling; ② active/active mode with Layer 2/3 multiple virtual routers and multiple virtual systems in LIP/full-mesh cross-connected cabling. The user can choose the topology that fits.

3. The dual-device structure simplifies maintenance: traffic can be moved between the two units, so firewall software upgrades, changes to the surrounding network and troubleshooting proceed without interrupting service.

4. Combined with NetScreen virtual systems and virtual routers, one NSRP firewall pair can provide flexible, reliable protection for many enterprise applications, reducing the number of firewalls to deploy and maintain.



OK, on to the configuration. Have a console cable and a network cable ready. Where possible, connect the network cable directly to the device's eth0/0 (the default management port); that makes troubleshooting and verification easier.

No more preamble; we go straight to the configuration. One combo and it's done!

NetScreen HA active/passive configuration (CLI). Active/active configuration is not covered here; most real-world projects do not use it.

Preparation:

Clear the firewall configuration first (unset all, then reset) so that leftover settings do not cause problems later.

Interface plan (using a Juniper SSG140 as the example):

eth0/8 HA interface (heartbeat and synchronization link)

eth0/0 Untrust

eth0/1 Trust

(Term definitions are collected at the end of the article.)


Step 1: Define the HA zone/interface and the cluster (configure the primary device first)

51idc-ssg140(M)-> set interface ethernet0/8 zone ha    Bind eth0/8 to the HA zone

51idc-ssg140(M)-> set nsrp cluster id 1    Set the cluster ID (must be identical on both members)

51idc-ssg140(M)-> set nsrp vsd-group id 0

Creates the VSD group. This command can be omitted: the default VSD group on a NetScreen firewall is 0.

51idc-ssg140(M)-> set nsrp vsd-group id 0 priority 50

Set the device's priority in the VSD group: the lower the value, the higher the precedence. The default is 100, so give the intended master a lower value (50 is used here as an example) and leave the backup at 100. Note that with preempt disabled (the default) the priority only decides the election; a recovered master does not take the role back from the unit that is currently master.

51idc-ssg140(M)-> set nsrp rto-mirror sync    Synchronize run-time objects (the session table) to the peer automatically

51idc-ssg140(M)-> set nsrp vsd-group id 0 monitor interface ethernet0/0

(Recommendation: postpone this command until both firewalls are cabled into production and then add it on the master. If a monitored interface has no link, the device sees its own link as down, the alarm LED turns red and the device withdraws from the VSD group, which looks like a shutdown. Monitor the same interfaces on both members; since the standby step below also monitors ethernet0/1, add it here too once ethernet0/1 carries traffic.)

51idc-ssg140(M)-> get nsrp    View the redundancy status

51idc-ssg140(M)-> set nsrp vsd-group hb-interval 200

Heartbeat interval in milliseconds: a heartbeat is sent every 200 ms (the default is 1000 ms; 200 ms is the minimum).

51idc-ssg140(M)-> set nsrp vsd-group hb-threshold 3

Number of consecutive heartbeats that may be lost before the peer is declared down (default 3). With the values above a dead master is detected after about 3 × 200 ms = 600 ms; lower values mean faster failover but more risk of a false failover on a congested HA link.

51idc-ssg140(M)-> save

The master device configuration is complete.


Step 2: Define the HA zone/interface and the cluster (standby device)

51idc-ssg140-> set interface ethernet0/8 zone ha    Bind eth0/8 to the HA zone

51idc-ssg140-> set nsrp cluster id 1    Same cluster ID as the master

51idc-ssg140-> set nsrp vsd-group id 0

Creates the VSD group; can be omitted because the default VSD group is 0. Leave the priority at the default 100 so that the master (priority 50) wins the election.

51idc-ssg140-> set nsrp rto-mirror sync    Synchronize run-time objects automatically

51idc-ssg140-> set nsrp vsd-group id 0 monitor interface ethernet0/0

51idc-ssg140-> set nsrp vsd-group id 0 monitor interface ethernet0/1

(Same recommendation as on the master: postpone interface monitoring until the device is cabled in. An unconnected monitored interface is detected as a link failure, the alarm LED turns red and the device withdraws from the VSD group. Monitor the same set of interfaces on both members.)

51idc-ssg140-> set nsrp vsd-group hb-interval 200

Heartbeat interval in milliseconds; must match the master.

51idc-ssg140-> set nsrp vsd-group hb-threshold 3

Lost-heartbeat threshold; must match the master.

51idc-ssg140-> save

51idc-ssg140-> exec nsrp sync global-config check-sum    Compare the local configuration checksum with the master's over the heartbeat link

(Connect the heartbeat cable between the two firewalls before running this; the checksum comparison and the synchronization both go over that link.)

51idc-ssg140-> exec nsrp sync global-config save    Pull the master's global configuration and save it

(You will be prompted to restart the device to complete the synchronization; run reset.)

After the restart the prompt shows (B): the device has automatically taken the backup role.

51idc-ssg140(B)-> get nsrp    Shows the cluster view: check that one unit is master, the other backup, and that RTO synchronization is enabled. The configuration ends here; log in to each device and verify the master/backup status.
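The two steps above, pulled into one place as an added example (not code from the original post or from Juniper): a small Python script that renders the master and backup CLI sequences from one plan and checks the things that most often go wrong on site, i.e. master and backup priorities not ordered, heartbeat values out of range, the HA link accidentally in the monitored list, and NSRP authentication/encryption left off. Hostnames, the placeholder passwords and the hb-interval range constants are assumptions; the `set nsrp auth password` and `set nsrp encrypt password` lines are not on the original page, so confirm their syntax on your ScreenOS release.

```python
"""Render and sanity-check an NSRP active/passive pair for ScreenOS.

Added example for this article, not code from the original post or from
Juniper.  Hostnames, interface names and the placeholder passwords are
assumptions; the checks encode the rules the article states (lower
priority value wins, heartbeat interval in milliseconds, identical
monitoring on both members).
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

HB_INTERVAL_MIN_MS = 200     # assumed ScreenOS range; check "set nsrp vsd-group hb-interval ?"
HB_INTERVAL_MAX_MS = 10000
DEFAULT_PRIORITY = 100       # ScreenOS default (see the defaults appendix)


@dataclass(frozen=True)
class Member:
    hostname: str
    priority: int = DEFAULT_PRIORITY


@dataclass(frozen=True)
class ClusterPlan:
    cluster_id: int
    ha_interface: str
    master: Member
    backup: Member
    monitored: Tuple[str, ...]            # interfaces whose link loss triggers failover
    vsd_group: int = 0
    hb_interval_ms: int = 1000
    hb_threshold: int = 3
    rto_sync: bool = True
    auth_password: Optional[str] = None     # set nsrp auth password ...
    encrypt_password: Optional[str] = None  # set nsrp encrypt password ...


def validate(plan: ClusterPlan) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    if not HB_INTERVAL_MIN_MS <= plan.hb_interval_ms <= HB_INTERVAL_MAX_MS:
        problems.append(f"hb-interval {plan.hb_interval_ms} ms outside "
                        f"{HB_INTERVAL_MIN_MS}-{HB_INTERVAL_MAX_MS}")
    if plan.hb_threshold < 1:
        problems.append("hb-threshold must be at least 1")
    # Lower number wins: the intended master needs a strictly lower priority,
    # otherwise whichever unit boots first becomes master and stays there.
    if plan.master.priority >= plan.backup.priority:
        problems.append(f"master priority {plan.master.priority} is not lower "
                        f"than backup priority {plan.backup.priority}")
    if plan.ha_interface in plan.monitored:
        problems.append(f"HA link {plan.ha_interface} must not be in the monitored list")
    if not plan.monitored:
        problems.append("no monitored interfaces: a dead data link will not cause failover")
    if not plan.auth_password or not plan.encrypt_password:
        problems.append("NSRP authentication/encryption off: config and session "
                        "state cross the HA link in cleartext")
    return problems


def failover_detection_ms(plan: ClusterPlan) -> int:
    """Time until the backup declares the master dead after the last heartbeat."""
    return plan.hb_interval_ms * plan.hb_threshold


def render(plan: ClusterPlan, role: str) -> List[str]:
    """CLI lines for one member; role is 'master' or 'backup'."""
    member = plan.master if role == "master" else plan.backup
    g = plan.vsd_group
    lines = [f"set interface {plan.ha_interface} zone ha",
             f"set nsrp cluster id {plan.cluster_id}"]
    if g != 0:                               # group 0 exists by default
        lines.append(f"set nsrp vsd-group id {g}")
    lines.append(f"set nsrp vsd-group id {g} priority {member.priority}")
    if plan.rto_sync:
        lines.append("set nsrp rto-mirror sync")
    lines += [f"set nsrp vsd-group id {g} monitor interface {ifc}" for ifc in plan.monitored]
    lines += [f"set nsrp vsd-group hb-interval {plan.hb_interval_ms}",
              f"set nsrp vsd-group hb-threshold {plan.hb_threshold}"]
    if plan.auth_password:
        lines.append(f"set nsrp auth password {plan.auth_password}")
    if plan.encrypt_password:
        lines.append(f"set nsrp encrypt password {plan.encrypt_password}")
    lines.append("save")
    if role == "backup":
        # Pull the master's global config over the HA link, then reboot to apply it.
        lines += ["exec nsrp sync global-config check-sum",
                  "exec nsrp sync global-config save",
                  "reset"]
    return lines


def manual_failover_command(vsd_group: int, preempt_enabled: bool) -> str:
    """Run on the current master to hand over; 'backup' only sticks while preempt is off."""
    mode = "ineligible" if preempt_enabled else "backup"
    return f"exec nsrp vsd-group {vsd_group} mode {mode}"


# Plan matching the article's SSG140 layout (eth0/8 HA, eth0/0 untrust, eth0/1 trust).
PLAN = ClusterPlan(
    cluster_id=1, ha_interface="ethernet0/8",
    master=Member("51idc-ssg140-a", priority=50),
    backup=Member("51idc-ssg140-b", priority=100),
    monitored=("ethernet0/0", "ethernet0/1"),
    hb_interval_ms=200, hb_threshold=3,
    auth_password="ChangeMe1", encrypt_password="ChangeMe2",   # placeholders
)

if __name__ == "__main__":
    for role in ("master", "backup"):
        print(f"--- {getattr(PLAN, role).hostname} ({role}) ---")
        print("\n".join(render(PLAN, role)))
    print("failover detection:", failover_detection_ms(PLAN), "ms")
    print("problems:", validate(PLAN) or "none")
```

Paste the rendered lines into each console session in order; the backup's sequence ends with the checksum comparison, the pull of the master's configuration and the reset, exactly as in step 2. Run validate() before touching the consoles: the most common field mistake, both units left at priority 100, shows up as a problem line rather than as a surprise when the "wrong" unit becomes master.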


Appendix 1: NSRP common maintenance commands

1. get license-key

Shows the features the firewall is licensed for. An NSRP active/active license also covers active/passive; an active/passive license does not support active/active. NSRP Lite is a reduced version that supports device and link failover but not configuration or session synchronization.

2. exec nsrp sync global-config check-sum

Checks whether the configurations of the two devices are in sync.

3. exec nsrp sync global-config save

If the configuration is not synchronized automatically, run this to synchronize it manually; the system must be restarted afterwards.

4. get nsrp

Shows device status, the master/backup relationship, session synchronization and failover parameters for the NSRP cluster.

5. exec nsrp sync rto all from peer

Synchronizes run-time objects manually so that the session tables on both devices match.

6. exec nsrp vsd-group 0 mode backup

Manual failover: run on the current master when preempt mode is disabled on it.

7. exec nsrp vsd-group 0 mode ineligible

Manual failover: run on the current master when preempt mode is enabled on it (with preempt on, "mode backup" would be undone at once because the higher-priority unit reclaims the master role).

8. get alarm event

Shows the device alarm log, which includes NSRP state-change events.

Appendix 2: NSRP default values

VSD group information

    • VSD group ID: 0

    • Device priority in the VSD group: 100

    • Preempt option: disabled

    • Preempt hold-down time: 0 seconds

    • Initial state hold-down time: 5 seconds

    • Heartbeat interval: 1000 milliseconds

    • Lost heartbeat threshold: 3

    • Master always exists: no

RTO mirror information

    • RTO synchronization: disabled

    • Heartbeat interval: 4 seconds

    • Lost heartbeat threshold: 16

NSRP link information

    • Number of gratuitous ARPs: 4

    • NSRP encryption: disabled

    • NSRP authentication: disabled

    • Track IP: none

    • Interfaces monitored: none

    • Secondary path: none

    • HA link probe: none

    • Interval: 15

    • Threshold: 5

Note the last block: NSRP encryption and authentication are both off by default, so configuration and session state cross the HA link in cleartext, and nothing stops another device on that segment with the same cluster ID from joining. Use a dedicated, directly cabled HA link, and when the link cannot be point-to-point enable both (set nsrp auth password and set nsrp encrypt password, with the same passwords on both members, before synchronizing).




This article is from the "From Zero to One" blog; contact the author before reproducing it.