[ScreenOS] How to configure the Active/Active NSRP in the transparent mode

Article ID: KB25567 KB Last Updated: 14 Dec 2017 Version: 2.0
Summary:
This article provides information on how to configure the Active/Active NSRP cluster in the transparent mode.
Symptoms:
How to configure the Active/Active NSRP cluster in the transparent mode.
Solution:
The following image illustrates the setup:




In this example, Active/Active NSRP is configured on two security devices, Device A and Device B, in transparent mode. Two VSD groups, VSD 5 and VSD 7, are created. Verify that Device A is the master and Device B the backup in VSD 5, and that Device B is the master and Device A the backup in VSD 7.

Verify that both devices are members of the NSRP cluster and that the VSI Media Access Control (MAC) address of the NSRP devices is correct. The configuration can be synchronized to the NSRP peer, and traffic that belongs to different VLANs can be passed from each VSD.

First, configure Active/Active NSRP on Device A and Device B. Second, configure transparent mode on both devices. You can use the WebUI or the CLI to configure Active/Active NSRP.

To configure the cluster via the CLI, perform the following procedure:
  1. Cluster and VSD groups for Device A:
    set interface ethernet2/7 zone ha
    set interface ethernet2/8 zone ha
    set nsrp cluster id 7
    unset nsrp vsd id 0
    set nsrp vsd id 5 priority 50
    set nsrp vsd id 5 preempt
    set nsrp vsd id 7 priority 100
    set nsrp vsd id 7 preempt
    set nsrp rto-mirror sync
    
  2. Cluster and VSD groups for Device B:
    set interface ethernet2/7 zone ha
    set interface ethernet2/8 zone ha
    set nsrp cluster id 7
    unset nsrp vsd id 0
    set nsrp vsd id 5 priority 100
    set nsrp vsd id 5 preempt
    set nsrp vsd id 7 priority 50
    set nsrp vsd id 7 preempt
    set nsrp rto-mirror sync
    
  3. Create the v100 VLAN group and assign it to VSD 5:
    set vlan group name v100
    set vlan group v100 100
    set vlan group v100 vsd id 5
    
  4. Create the v200 VLAN group and assign it to VSD 7:
    set vlan group name v200
    set vlan group v200 200
    set vlan group v200 vsd id 7
    
  5. Create the L2 zone and assign the VLAN group to different zones:
    set zone name l2-aa-trust l2
    set zone name l2-aa-untrust l2
    set vlan port ethernet2/1 group v100 zone L2-aa-trust
    set vlan port ethernet2/2 group v100 zone L2-aa-untrust
    set vlan port ethernet2/1 group v200 zone L2-aa-trust
    set vlan port ethernet2/2 group v200 zone L2-aa-untrust
    
  6. Create a policy in both directions:
    set policy from l2-aa-untrust to l2-aa-trust any any any permit
    set policy from l2-aa-trust to l2-aa-untrust any any any permit
    save
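
An added example, not part of the Juniper article: a Python check that reads both devices' CLI lines and confirms the Active/Active invariants the steps above rely on (same cluster ID, HA interfaces, VSD 0 removed, RTO mirroring, each VLAN group bound to a defined VSD, mastership split across the devices). It assumes, as the article's priorities imply, that the lower priority number wins; the `parse` and `audit` names are hypothetical helpers.

```python
import re

# Subset of the commands from steps 1-4; only the VSD priorities differ per device.
COMMON = """set interface ethernet2/7 zone ha
set interface ethernet2/8 zone ha
set nsrp cluster id 7
unset nsrp vsd id 0
set nsrp rto-mirror sync
set vlan group v100 vsd id 5
set vlan group v200 vsd id 7
"""
DEVICE_A = COMMON + "set nsrp vsd id 5 priority 50\nset nsrp vsd id 7 priority 100\n"
DEVICE_B = COMMON + "set nsrp vsd id 5 priority 100\nset nsrp vsd id 7 priority 50\n"

def parse(cfg):
    """Pull the NSRP-related facts out of ScreenOS set/unset lines."""
    lines = [l.strip() for l in cfg.splitlines() if l.strip()]
    grab = lambda p: [m.groups() for l in lines if (m := re.fullmatch(p, l))]
    return {
        "ha": [g[0] for g in grab(r"set interface (\S+) zone ha")],
        "cluster": [g[0] for g in grab(r"set nsrp cluster id (\d+)")],
        "prio": {int(v): int(p) for v, p in grab(r"set nsrp vsd id (\d+) priority (\d+)")},
        "bound": {g: int(v) for g, v in grab(r"set vlan group (\S+) vsd id (\d+)")},
        "vsd0_unset": "unset nsrp vsd id 0" in lines,
        "rto": "set nsrp rto-mirror sync" in lines,
    }

def audit(cfg_a, cfg_b):
    """Return ({vsd: master device}, [problems]) for a two-node cluster."""
    a, b = parse(cfg_a), parse(cfg_b)
    problems, masters = [], {}
    if not a["cluster"] or a["cluster"] != b["cluster"]:
        problems.append("cluster id missing or not identical")
    for name, d in (("A", a), ("B", b)):
        for ok, msg in ((d["ha"], "no interface in zone ha"),
                        (d["vsd0_unset"], "VSD 0 still present"),
                        (d["rto"], "rto-mirror sync missing")):
            if not ok:
                problems.append(f"Device {name}: {msg}")
        problems += [f"Device {name}: {g} bound to undefined VSD {v}"
                     for g, v in d["bound"].items() if v not in d["prio"]]
    for vsd in sorted(set(a["prio"]) | set(b["prio"])):
        pa, pb = a["prio"].get(vsd), b["prio"].get(vsd)
        if pa is None or pb is None or pa == pb:
            problems.append(f"VSD {vsd}: priority missing or tied")
        else:  # assumption: lower number wins (A's 50 beats B's 100 in VSD 5)
            masters[vsd] = "A" if pa < pb else "B"
    if len(set(masters.values())) < 2:
        problems.append("one device masters every VSD: not Active/Active")
    return masters, problems
```

Calling `audit(DEVICE_A, DEVICE_B)` on the article's values returns the mastership map with an empty problem list; pasting the same priorities on both devices is reported as a tie.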
    
Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.