Juniper firewall transparent mode HA

Source: Internet
Author: User

 

Network Topology: 

[Figure: network topology diagram]

Requirements:

Software: The software versions of the two devices used for HA must be the same.

Platform          Active/Passive         Active/Active
ISG Series        5.0.0 or above         5.0.0 or above
NS5000 Series     5.0.0 or above         5.0.0 or above
SSG550/550M       5.1.0 or above         5.1.0 or above
SSG520/520M       5.1.0 or above         6.0.0 or above
SSG300 Series     5.4.0 or above         5.4.0 or above
SSG 140           5.4.0 or above         6.0.0 or above
SSG5 & SSG20      5.4.0 or above *       6.0.0 or above *
NS500             5.1.0 or above         5.1.0 or above
NS200 Series      5.1.0 or above         5.1.0 or above
NS50              5.1.0 or above         Not Supported
NS25              5.1.0 or above **      Not Supported
NS5GT             5.1.0 or above ***     Not Supported

Note: * Extended license required.
** Supports only NSRP Lite.
*** Supports only NSRP Lite, and an extended license is required.

In addition, if the firewalls are to run HA in transparent mode, Active/Active mode is not supported in ScreenOS 6.1.0 or above; the platforms concerned are the SSG-500 series, NS-ISG-1000, NS-ISG-2000, and all NS-5000 platforms.

License: The two firewalls must have software licenses for the same functions.

Hardware: The two firewalls must have the same hardware and modules.

Network details: The configuration example here uses ISG1000 devices. Two of them are used for HA in A/S (Active/Passive) mode. ethernet1/1 is the trusted port, ethernet1/2 is the untrusted port, and ethernet1/4 is the HA interface.

Detailed Configuration:

1. Configure the master device

set interface "ethernet1/1" zone "V1-Trust"
set interface "ethernet1/2" zone "V1-Untrust"
set interface "ethernet1/4" zone "HA"
set interface vlan1 ip 10.0.0.1/24
set interface vlan1 manage-ip 10.0.0.2
set interface vlan1 ip manageable
set zone V1-Untrust manage ping
set zone V1-Untrust manage web
set policy id 2 from "V1-Trust" to "V1-Untrust" "Any" "Any" "ANY" permit
set route 0.0.0.0/0 interface vlan1 gateway 10.0.0.254
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 10
set nsrp vsd-group id 0 preempt
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2

2. Configure the standby device

set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2

nsisg1000-> exec nsrp sync global-config save
Save global configuration successfully.
Continue to save local events... Save local configuration successfully.

nsisg1000-> reset
Configuration modified. Save? [Y] y/n
System reset? Are you sure? y/n y

After the restart, check whether the configuration has been synchronized with exec nsrp sync global-config check-sum. If yes, set the management address:

set interface vlan1 manage-ip 10.0.0.3

3. Supplement

A. After implementing HA in transparent mode, if the device cannot be managed by default, you can use the following command to solve the problem:

set interface vlan1 nsrp manage zone V1-Untrust

This command must be applied on both devices.

B. There are some precautions for tracking IP addresses. This is the correct configuration method in transparent mode:

set nsrp monitor track-ip ip 10.0.0.5 interface vlan1

If the IP address to be tracked is the VLAN interface of the directly connected switch, it must be the IP address of the native VLAN. The following command does not take effect for HA in transparent mode, because there is no address on V1-Trust and V1-Untrust:

set nsrp monitor track-ip 10.0.0.5 zone V1-Trust

I will not write about troubleshooting here; there are too many methods, and you can summarize them in your own projects. The above is a configuration document I previously created for a customer. There are basically no documents about transparent mode HA on the Internet, so I am sharing it with you here. It is not intended to teach you how to configure HA; in fact, the configuration is very simple. The complexity is that many problems arise from one function's configuration. Here I have written only a part; there is also, for example, how to troubleshoot, what data is transmitted over the heartbeat lines, how MAC addresses are generated, and so on. There are also a lot of other commands that seem useless. What are they used for? I hope you will develop a good habit: be good at summing up, and turn your project experience into documents. Remember, it depends on the comprehensiveness. A good engineer is embodied in the fact that no one else will, but you will.
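As an added example (not part of the original article and not Juniper tooling), this Python check compares the saved `set` listings of the two firewalls for the NSRP settings this article says must line up: the same cluster id, different vsd-group priorities, a unique manage-ip per device, the same monitored interfaces, and the vlan1 manage-zone command on both. The sample configurations are constructed and the function names are hypothetical.

```python
import re

# Constructed sample configs; STANDBY deliberately omits two lines the article requires.
MASTER = """\
set interface vlan1 manage-ip 10.0.0.2
set interface vlan1 nsrp manage zone V1-Untrust
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 10
set nsrp vsd-group id 0 monitor interface ethernet1/1
set nsrp vsd-group id 0 monitor interface ethernet1/2
"""
STANDBY = """\
set interface vlan1 manage-ip 10.0.0.3
set nsrp cluster id 1
set nsrp rto-mirror sync
set nsrp vsd-group id 0 priority 100
set nsrp vsd-group id 0 monitor interface ethernet1/1
"""

def parse(cfg):  # extract the HA-relevant settings from a ScreenOS 'set' listing
    def one(pat):
        m = re.search(pat, cfg, re.M)
        return m.group(1) if m else None
    return {
        "cluster": one(r"^set nsrp cluster id (\d+)"),
        "priority": one(r"^set nsrp vsd-group id 0 priority (\d+)"),
        "manage_ip": one(r"^set interface vlan1 manage-ip (\S+)"),
        "rto_sync": one(r"^set nsrp (rto-mirror sync)") is not None,
        "mgmt_zone": one(r"^set interface vlan1 nsrp manage zone (\S+)"),
        "monitors": set(re.findall(r"^set nsrp vsd-group id 0 monitor interface (\S+)", cfg, re.M)),
    }

def audit(cfg_a, cfg_b):  # return HA consistency findings for two peer configs
    a, b = parse(cfg_a), parse(cfg_b)
    out = []
    if a["cluster"] is None or a["cluster"] != b["cluster"]:
        out.append("cluster id missing or different")
    if a["priority"] == b["priority"]:
        out.append("vsd-group priorities equal: no intended master")
    if None in (a["manage_ip"], b["manage_ip"]) or a["manage_ip"] == b["manage_ip"]:
        out.append("manage-ip must be set and unique per device")
    if not (a["rto_sync"] and b["rto_sync"]):
        out.append("rto-mirror sync not enabled on both devices")
    if a["monitors"] != b["monitors"]:
        out.append("monitor mismatch: " + ",".join(sorted(a["monitors"] ^ b["monitors"])))
    if a["mgmt_zone"] != b["mgmt_zone"]:
        out.append("vlan1 nsrp manage zone differs between devices")
    return out
```

Calling `audit(MASTER, STANDBY)` on the constructed samples reports the missing ethernet1/2 monitor and the missing manage-zone command on the standby.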

 

 

Continuous

QQ: 76900998

MAIL: jane.h@genisystem.com

This article is from the genisystem blog, please be sure to keep this source http://genisystem.blog.51cto.com/39344/429813
