Knowledge Center Search


 

[ScreenOS] Is Virtual Router Redundancy Protocol (VRRP) supported on Juniper firewalls?

  [KB10892] Show KB Properties

  [KB10892] Hide KB Properties

Categories:
Knowledge Base ID: KB10892
Last Updated: 20 Nov 2013
Version: 9.0

Summary:

Virtual Router Redundancy Protocol (VRRP) is supported on specific Juniper firewall devices. The following sections provide design notes and limitations, the minimum configuration required for VRRP, and the commands for verifying the VRRP configuration.

Problem or Goal:

I am trying to configure VRRP on SSG/ISG series firewalls:


  • What are the limitations of configuring VRRP?

  • What is the minimum required configuration for VRRP?

  • How can I verify the configuration?

Cause:

Solution:

To use VRRP on an SSG series device, you must be running ScreenOS 6.1 or later. ISG devices do not support VRRP.


Design Notes and Limitations:

  • VRRP is supported only on SSG series devices that are running ScreenOS 6.1 or later.

  • Only Ethernet and Gigabit interfaces support VRRP. WAN and Serial interfaces do not support VRRP.

  • VRRP is not supported if enabled on a bridge group interface.

  • One interface can support up to two VRRP groups.

    • VRRP does not support two interfaces within the same VRRP group on the same device. Only one group can be enabled on one interface.

    • One VRRP group can support only one VRRP virtual IP, except owner IP.

  • When a device supports VRRP, it cannot support NSRP and vice-versa; VRRP and NSRP are mutually exclusive on the same device.

  • Authentication is not supported (the latest VRRP RFC obsoletes it). The authentication message will be accepted, but the authentication field is ignored.

  • VRRP failover is based on the IP address or interface. The VRRP interface becomes logically down, either due to physical link failures or interface monitoring.

  • VRRP does not support synchronization sessions.

  • ScreenOS will directly use:

    • VRRP group ID as the NSRP VSD group ID.

    • VRRP group ID ranges from 1 to 7.

    • VSI use the VRRP virtual IP as the IP address.

    • The owner IP as the manage-IP.

  • MIB/SNMP for VRRP may be supported later upon marketing request.

 Configuration example:

set interface ethernet0/1 protocol vrrp
set interface ethernet0/1:6 ip 192.168.1.100/24       --- Configure a virtual IP for the VRRP interface, group 6
set interface ethernet0/1:6 protocol vrrp preempt     --- Define pre-empt feature on the interface
set interface ethernet0/1:6 protocol vrrp priority 50 --- Define the priority of the VRRP Group
set interface ethernet0/1 protocol vrrp enable        --- Enable VRRP on interface

To verify the configuration:
get vrrp interface            --- Show VRRP information of all interfaces
get int e0/1 protocol vrrp     --- Show VRRP information of specific interfaces
Note: For more information on configuring VRRP, refer to the 'VRRP Support' section in the Concept & Examples ScreenOS Reference Guide: Vol 11, High Availability for ScreenOS Version 6.3.

Purpose:
Specifications

Related Links:

 

 

ASK THE KB

Question or KB ID:


 


 

 
Copyright© 1999-2012 Juniper Networks, Inc. All rights reserved.