Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

Register Log in
  • Congratulations SkipVought on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Help with Netscreen Redundancy 1

Status
Not open for further replies.
salmonsteak

salmonsteak

Technical User
Apr 15, 2002
47
0
0
CA
I currently have a Netscreen 208 configed on my network and am looking to provide redundancy through the presence of another 208. My question is this... Is there an easy way to transfer all of the config info (Policies etc.) on the existing 208 so that the new 208 is a mirror image of the existing one? I'm wondering if redundancy can be achieved with out configuring the new box from scratch. Any suggestions would be greatly appreciated.
 
Sort by date Sort by votes
Hello,
Yes, you can your 208 to use NSRP (Netscreen Redundancy Protocol). First, you will need to decide on your design (Active/Passive or Active/Active).

In Active/Passive, one NS is actively fundtioning, while the other is in backup mode. If a port configured for Redundancy Fails, the backup NS takes over.

In Active/Active, both NS pass traffic. If fail-over should occur, all trafic is handled by a single NS. Advantage: better throughput, but one NS needs to be able to handle load.

NSRP Terminology:
HA (High Availability) link, port, zone
NSRP Cluster
VSD = Virtual Security Device
VSI = Virtual Security Interface
RTOs = Real Time Objects

NSRP Clusters are two NS's enforcing the same overall security Policy and share the same configuration (this is what you want? no?).

VSD Group = two (2) NS's sharing the same config
Note: Only one physical device acts as the "master" of the VSD group

Basic Configuration:
On BOTH Devices:
1. Assign interface to HA zone (if not using dedicated HA ports)
2. Configure Cluster settings
3. COnfigure interfaces to me monitored
4. Adjust VSD settings (if desired)
On One Device:
5. Change interfaces, policies, etc. as desired
Note: Changes will automatically be copied via HA link

FYI, I'm no pro and only did this in class. We are running NS-25's without NSRP-Lite. The info below was taken from my NMTP 5.0 Courseware. Currently studying for the exam.

Anyway, I hope this helps get you started. If I can help with anything else, let me know. I would also check the Netscreen/Juniper site for a walk through.

Rgds,

John
 
Upvote 0 Downvote
Status
Not open for further replies.

Similar threads

Sameer258
  • Locked
  • Question
Need Help to Find ip and mac address with email who one open my email
Replies
0
Views
140
Sameer258
Sameer258
intel233
  • Locked
  • Question
Cisco ASA 5510 -Static NAT Help
Replies
8
Views
156
intel233
intel233
tklamb
  • Locked
  • Question
ACL help
Replies
0
Views
45
tklamb
tklamb
PauS0n
  • Locked
  • Question
Need Help On Cisco ASA 5512 Running Version 9
Replies
0
Views
55
PauS0n
PauS0n
TheFireman2
  • Locked
  • Question
Help with Watchguard Firebox M200 setup as a TMG 2010 replacement with ASA 5515 as main firewall
Replies
1
Views
70
hairlessupportmonkey
hairlessupportmonkey

Part and Inventory Search

Sponsor

Back
Top