Virtual Router Redundancy Protocol (VRRP) is supported on specific Juniper firewall devices. The following sections provide design notes and limitations, the minimum configuration required for VRRP, and the commands for verifying the VRRP configuration.
Problem or Goal:
I am trying to configure VRRP on SSG/ISG series firewalls:
What are the limitations of configuring VRRP?
What is the minimum required configuration for VRRP?
How can I verify the configuration?
To use VRRP on an SSG series device, you must be running ScreenOS 6.1 or later. ISG devices do not support VRRP.
Design Notes and Limitations:
VRRP is supported only on SSG series devices that are running ScreenOS 6.1 or later.
Only Ethernet and Gigabit interfaces support VRRP. WAN and Serial interfaces do not support VRRP.
VRRP is not supported if enabled on a bridge group interface.
One interface can support up to two VRRP groups.
VRRP does not support two interfaces within the same VRRP group on the same device. Only one group can be enabled on one interface.
One VRRP group can support only one VRRP virtual IP, except owner IP.
When a device supports VRRP, it cannot support NSRP and vice-versa; VRRP and NSRP are mutually exclusive on the same device.
Authentication is not supported (the latest VRRP RFC obsoletes it). The authentication message will be accepted, but the authentication field is ignored.
VRRP failover is based on the IP address or interface. The VRRP interface becomes logically down, either due to physical link failures or interface monitoring.
VRRP does not support synchronization sessions.
ScreenOS will directly use:
VRRP group ID as the NSRP VSD group ID.
VRRP group ID ranges from 1 to 7.
VSI use the VRRP virtual IP as the IP address.
The owner IP as the manage-IP.
MIB/SNMP for VRRP may be supported later upon marketing request.
set interface ethernet0/1 protocol vrrp set interface ethernet0/1:6 ip 192.168.1.100/24 --- Configure a virtual IP for the VRRP interface, group 6 set interface ethernet0/1:6 protocol vrrp preempt --- Define pre-empt feature on the interface set interface ethernet0/1:6 protocol vrrp priority 50 --- Define the priority of the VRRP Group set interface ethernet0/1 protocol vrrp enable --- Enable VRRP on interface
To verify the configuration:
get vrrp interface --- Show VRRP information of all interfaces get int e0/1 protocol vrrp --- Show VRRP information of specific interfaces