1. Experiment topology:
2. IP planning:
eth1: 192.168.101.68/24
eth3: 192.168.100.10/24
3. Device description:
The switch in the trust zone is a Digital China DCS-3950S.
The switch in the untrust zone is an H3C Quidway S3526E.
Firewall: Juniper NetScreen-25 (two units, ns-a and ns-B)
4. Device configuration
4.1 Configure the first firewall as ns-a
login: netscreen
password:
ns-a(M)-> get system
Product Name: NetScreen-25
Serial Number: 0096052007001238, Control Number: 00000000
Hardware Version: 4010(0)-(00), FPGA checksum: 00000000, VLAN1 IP (0.0.0.0)
Software Version: 5.3.0r6.0, Type: Firewall+VPN
Compiled by build_master at: Tue Nov 28 15:14:46 PST 2006
Base Mac: 0019.e240.67d0
File Name: ns50ns25.5.3.0r6.0, Checksum: 966acd5c
Date 11/15/2012 19:45:39, Daylight Saving Time enabled
The Network Time Protocol is Disabled
Up 0 hours 51 minutes 30 seconds Since 15Nov2012:18:54:09
Total Device Resets: 48, Last Device Reset at: 11/15/2012 15:21:15
System in NAT/route mode.
ns-a(M)-> exit
Log in with the serial number as both user name and password to perform the lost-password reset (this erases the whole configuration):
login: 0096052007001238
password:
!!! Lost Password Reset !!! You have initiated a command to reset the device to factory defaults, clearing all current configuration and settings. Would you like to continue? y/[n] y
!! Reconfirm Lost Password Reset !! If you continue, the entire configuration of the device will be erased. In addition, a permanent counter will be incremented to signify that this device has been reset. This is your last chance to cancel this command. If you proceed, the device will return to factory default configuration, which is: System IP: 192.168.1.1; username: netscreen, password: netscreen. Would you like to continue? y/[n] y
In reset...
Start deactivate session...
0 sessions deactivated
NetScreen NS-25/50 Boot Loader Version 3.0.0 (Checksum: D1C6421F)
Copyright (c) 1997-2003 NetScreen Technologies, Inc.
Total physical memory: 128 MB
Test-Pass
Initialization-Done
ns25-> set hostname ns-a
ns-a-> set interface eth1 ip 192.168.101.68 255.255.255.0
ns-a-> set int eth3 ip 192.168.100.10 255.255.255.0
ns-a-> set int eth4 zone ?
Null          Null zone
Trust         Trust zone
Untrust       Untrust zone
Self          Self zone
Global        Global zone
HA            HA zone
MGT           MGT zone
Untrust-Tun   Untrust-Tun zone
V1-Null       V1-Null zone
V1-Trust      V1-Trust zone
V1-Untrust    V1-Untrust zone
DMZ           DMZ zone
V1-DMZ        V1-DMZ zone
VLAN          VLAN zone
ns-a-> set int eth4 zone HA        (eth4 carries the HA heartbeat)
ns-a-> set nsrp cl?
cluster       config cluster id/name
ns-a-> set nsrp cluster id ?
<number>      nsrp cluster id (range: 1-7)
ns-a-> set nsrp cluster id 1
ns-a(B)-> Unit becomes master of NSRP vsd-group 0
ns-a(M)-> set nsrp vsd-group id 0
ns-a(M)-> set nsrp vsd-group id ?
<number>      VSD group id (range: 0-7; at most 8 VSD groups)
ns-a(M)-> set nsrp vsd-group id 0 pr?
preempt       allow to preempt a lower priority master
priority      priority for this vsd group
<return>
ns-a(M)-> set nsrp vsd-group id 0 priority 50
ns-a(M)-> set nsrp vsd-group id 0 preempt
ns-a(M)-> set nsrp vsd-group id 0 monitor inter?
interface     interface to be monitored
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth1
ns-a(M)-> set nsrp vsd-group id 0 monitor interface eth3
View the configuration (NSRP-related lines):
ns-a(M)-> get config
set nsrp cluster id 1
set nsrp vsd-group id 0 priority 50
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1
set nsrp vsd-group id 0 monitor interface ethernet3
ns-a(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, ctrl mac: 0019e24067d7
index: 1, unit id: 4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB   other members
    0       50     yes        3     no   myself none 4220080(inoperable)
ns-a(M)-> save
Save System Configuration...
Done
4.2 Configure the second firewall (ns-B)
First clear its configuration with the serial-number login (lost-password reset), as in 4.1.
login: netscreen
password:
ns25-> set hostname ns-B
ns-B-> set int eth1 ip 192.168.101.68 255.255.255.0
ns-B-> set int eth3 ip 192.168.100.10 255.255.255.0
(The same interface addresses are configured on both units: within a VSD group they are shared virtual addresses, owned by whichever unit is currently master.)
ns-B-> set int eth4 zone HA
ns-B-> set nsrp cluster id 1
ns-B(B)-> set nsrp vsd-group id 0
ns-B(B)-> set nsrp vsd-group id 0 priority 100
ns-B(B)-> set nsrp vsd-group id 0 monitor int eth1
ns-B(B)-> set nsrp vsd-group id 0 monitor int eth3
ns-B(I)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id: 4220080, ctrl mac: 0019e24064b7
index: 1, unit id: 4220880, ctrl mac: 0019e24067d7, data mac: ffffffffffff
total number of units: 2
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB   other members
    0      100      no        3     no   4220880 none myself(inoperable)
ns-B(I)-> save
Save System Configuration...
Done
4.3 Configure the Digital China switch (trust zone) as follows:
sw14#show version
DCS-3950S Device, Aug 27 2004 11:14:24
HardWare version is 2.10, SoftWare version is DCNOS-4.1.5, BootRom version is 1.2.1
Copyright (C) 2001-2004 by Digital China Networks Limited.
All rights reserved.
sw14>enable
sw14#config
sw14(Config)#exit
sw14#show running-config
Current configuration:
!
hostname sw14
sw14#config
sw14(Config)#int vlan 1
sw14(Config-If-Vlan1)#ip add 192.168.101.20 255.255.255.0
sw14#ping 192.168.101.68
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#show ip route
Codes: C - connected, S - static, R - RIP derived, O - OSPF derived
       A - OSPF ASE, B - BGP derived, D - DVMRP derived
Destination     Mask            Nexthop   Interface  Preference
C 192.168.101.0 255.255.255.0   0.0.0.0   Vlan1      0
4.4 Web access policy configuration
After creating the policy in the web interface, view the resulting command on ns-a:
ns-a(M)-> get config
set policy id 1 from "Trust" to "Untrust" "Any" "Any" permit
Check whether it has been synchronized to ns-B:
ns-B(B)-> get config
set policy id 1 from "Trust" to "Untrust" "Any" "Any" permit
Check whether the configuration is in sync:
ns-B(B)-> exec nsrp sync global-config check-sum
configuration in sync
Test from sw14:
sw14#ping 192.168.101.68
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.101.68, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
.....
Success rate is 0 percent (0/5), round-trip min/avg/max = 0/0/0 ms
sw14#ping 192.168.100.20
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.20, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
The ping to 192.168.100.10 fails because ping management is not enabled on eth3; the ping to 192.168.100.20 beyond eth3 succeeds, so the policy itself works.
View the interface and enable ping:
ns-a(M)-> get interface eth3
Interface ethernet3(VSI):
  description ethernet3
  number 6, if_info 1248, if_index 0, mode route
  link up, phy-link up/full-duplex
  vsys Root, zone Untrust, vr trust-vr, vsd 0
  dhcp client disabled
  PPPoE disabled
  admin mtu 0, operating mtu 1500, default mtu 1500
  *ip 192.168.100.10/24   mac 0010.dbff.2060
  *manage ip 192.168.100.10, mac 0019.e240.67d6
  route-deny disable
  pmtu-v4 disabled
  ping disabled, telnet disabled, SSH disabled, SNMP disabled
  web disabled, ident-reset disabled, SSL disabled
  DNS Proxy disabled, webauth disabled, webauth-ip 0.0.0.0
  OSPF disabled  BGP disabled  RIP disabled  RIPng disabled  mtrace disabled
  PIM: not configured  IGMP not configured
  bandwidth: physical 100000kbps, configured egress [gbw 0kbps mbw 0kbps]
             configured ingress mbw 0kbps, current bw 0kbps
             total allocated gbw 0kbps
  DHCP-Relay disabled
  DHCP-server disabled
  Number of SW session: 32063, hw sess err cnt 0
ns-a(M)-> set interface eth3 manage ping
4.5 Test
sw14#ping 192.168.100.10
Type ^c to abort.
Sending 5 56-byte ICMP Echos to 192.168.100.10, timeout is 2 seconds.
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
High availability test:
Unplug eth1 and check the VSD group state on both units.
Unplug the eth1 interface of ns-a:
ns-a(M)-> ethernet1 interface change state to Down
Start deactivate session...
2 sessions deactivated
ns-a(I)-> get nsrp
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB   other members
    0       50     yes        3     no   4220080 none myself(inoperable)
login: netscreen
password:
ns-B(M)-> get nsrp
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB   other members
    0      100      no        3     no   myself none 4220880(inoperable)
When the eth1 link is restored, ns-a takes the master role back, because it has the better priority (50; a lower number is a higher priority) and preempt is enabled:
ns-B(B)-> get nsrp
nsrp version: 2.0
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB     other members
    0      100      no        3     no   4220880 myself
ns-a(M)-> get nsrp
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB      other members
    0       50     yes        3     no   myself 4220080
No packet loss during the failover!
Unplugging eth3 instead produces the same behaviour, since eth3 is also a monitored interface.
If the backup firewall's eth1, eth3 and the heartbeat link eth4 are all disconnected:
ns-a(M)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, total number of units: 1
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB   other members
    0       50     yes        3     no   myself none
total number of vsd groups: 1
Total iteration=6917, time=97434286, max=75534, min=5702, average=14086
ns-B(I)-> get nsrp
nsrp version: 2.0
cluster info:
cluster id: 1, no name
local unit id: 4220080
active units discovered:
index: 0, unit id: 4220080, total number of units: 1
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master  PB   other members
    0      100      no        3     no   none   myself(inoperable)
Each unit now discovers only itself (total number of units: 1). ns-B stays inoperable because its monitored interfaces eth1 and eth3 are down, which is what keeps the two units from both acting as master for VSD group 0.
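As an added example (not part of the original lab notes), the following Python checker parses `get nsrp` output in the format shown above and flags the conditions seen in this section: a missing peer, an inoperable member, or a master with no primary backup. The two sample outputs are constructed from the transcript's format; `expected_units` is an assumed parameter for the cluster size.

```python
import re

# Constructed samples of `get nsrp` output (format as in the transcript): peer visible, peer lost.
SAMPLE_HEALTHY = """\
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, ctrl mac: 0019e24067d7, data mac: ffffffffffff
index: 1, unit id: 4220080, ctrl mac: 0019e24064b7, data mac: ffffffffffff
total number of units: 2
VSD group info:
group priority preempt holddown inelig master PB other members
    0       50     yes        3     no   myself 4220080
"""
SAMPLE_ISOLATED = """\
local unit id: 4220880
active units discovered:
index: 0, unit id: 4220880, total number of units: 1
VSD group info:
group priority preempt holddown inelig master PB other members
    0       50     yes        3     no   myself  none
"""

def parse_nsrp(text):
    """Return (units_discovered, rows); each row is one VSD group table line."""
    m = re.search(r"total number of units:\s*(\d+)", text)
    units = int(m.group(1)) if m else 0
    lines = text.splitlines()
    hdr = next((i for i, l in enumerate(lines) if l.startswith("group priority")), None)
    rows = []
    for row in lines[hdr + 1:] if hdr is not None else []:
        parts = row.split()
        if not parts or not parts[0].isdigit():   # table ends at first non-row line
            break
        rows.append({"group": int(parts[0]), "priority": int(parts[1]),
                     "preempt": parts[2] == "yes", "master": parts[5],
                     "pb": parts[6], "others": parts[7:]})
    return units, rows

def assess(text, expected_units=2):
    """Return the conditions a monitor should alert on, from this unit's view."""
    units, rows = parse_nsrp(text)
    findings = []
    if units < expected_units:
        findings.append(f"only {units} of {expected_units} units discovered")
    for r in rows:
        if any("inoperable" in m for m in r["others"]):
            findings.append(f"vsd-group {r['group']}: a member is inoperable")
        if r["master"] == "myself" and r["pb"] == "none":
            findings.append(f"vsd-group {r['group']}: master has no primary backup")
    return findings
```

Run `assess()` over the output collected from each unit; a finding on either side (especially "only 1 of 2 units discovered" on both) means the cluster is degraded even though one unit is still forwarding traffic.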
4.6 Configure the layer-3 switch in the untrust zone:
int vlan 1
ip add 192.168.100.20 255.255.255.0
Note: during testing, the switch in the trust zone must be given a default gateway (toward the firewall)!