Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[Archive] NSRP overview

0

0

Article ID: KB4263 KB Last Updated: 11 Mar 2020Version: 7.0
Summary:

This article provides an overview of NSRP.

Symptoms:
An overview of NSRP.
Solution:
Note: This article is applicable to all ScreenOS devices.

To function properly as a network firewall, a ScreenOS device must be placed at the single point, through which all of the inter-zone traffic must pass.

Image of example

As the ScreenOS device is the single point through which all inter-zone traffic must pass, it is vital that the traffic flow remains uninterrupted; even in the event of a device or network failure.

High availability (HA) provides a way to minimize the potential for device failure within a network. As all of the network traffic passes through a Juniper Networks security device, you need to remove as many points of failure as possible from the network by ensuring that the device has a backup.

You can configure the same on ScreenOS devices by using the NetScreen Redundancy Protocol (NSRP). High Availability can be achieved by using Active/Passive, Active/Active, VSD-less, Mixed-mode, and NSRP Lite Implementations. For more information, refer to the Concepts & Examples ScreenOS Reference Guide High Availability Release 6.3.0, Rev. 02.

We will discuss more on Active/Passive and Active/Active Implementation for a ScreenOS device running in Layer3 (Nat/Route) or Layer2(Transparent) mode.

 

Active/Passive Failover:

To assure a continuous traffic flow in the network, you can cable and configure two ScreenOS devices in a redundant cluster, with one device acting as a master and the other as its backup. The master propagates all its network and configuration settings and the current session information to the backup. Should the master fail, the backup is promoted to master and takes over the traffic processing.

Image of example

In this case, the two devices are in an active/passive configuration. The master is active and handles all firewall and VPN activities. The backup is passive and is waiting to take over, when the master steps down.

An NSRP cluster consists of a group of security devices that enforce the same overall security policy and share the same configuration settings. When you assign a device to an NSRP cluster, any changes made to the configuration on one member of the cluster propagate to the others

With the ScreenOS device in Route or NAT mode, you can also configure both devices in a redundant cluster to be active, sharing the traffic distributed between them by routers with load-balancing capabilities running a protocol such as the Virtual Router Redundancy Protocol (VRRP). This is accomplished using the NetScreen Redundancy Protocol (NSRP) to create two virtual security device (VSD) groups, each with its own virtual security interfaces (VSIs). Device A acts as the master of VSD group 1 and as the backup of VSD group 2. Device B acts as the master of VSD group 2 and as the backup of VSD group 1. This configuration is known as active/active. Because of device redundancy, there is no single point of failure.

Image of example

Active/Active Failover:

Devices A and B each receive 50% of the network and VPN traffic. Should Device A fail, Device B becomes the master of VSD group 1, as well as continuing to be the master of VSD group 2, and handles 100% of the traffic. Traffic redirection resulting from a failover in an active/active configuration is shown in the next illustration.

Image of example

Although the total number of sessions divided between the two devices in an active/active configuration cannot exceed the capacity of a single device (in the case of a failover, the excess sessions might be lost), the addition of a second device doubles the available bandwidth potential for the cluster, (not the individual device). A second active device also guarantees that both devices have functioning network connections.

In addition to NSRP clusters, which are primarily responsible for propagating configurations among group members and advertising each member's current VSD group states, you can configure devices A and B as members in a run-time object (RTO) mirror group. They are responsible for maintaining the synchronicity of the RTOs between a pair of devices. When the master steps down, the backup can immediately assume mastership with minimal service downtime by maintaining all current sessions. Because of the sensitive nature of NSRP communications, you can secure all NSRP traffic through encryption and authentication. For encryption and authentication, NSRP supports the DES and MD5 algorithms respectively.

Note: If the high-availability (HA) cables run directly from one NetScreen device to another and not through a switch that forwards other types of network traffic; it is unnecessary to use encryption and authentication.

For more information, refer to KB22090 - Resolution Guides and Articles - NS/ISG/SSG - NSRP (High Availability).

Modification History:
2020-03-11: minor non-technical edits.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search