
High-Availability Designs for Juniper NetScreen Firewalls
Dan Backman
Senior Systems Engineer
dbackman@juniper.net

Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1


Routing and Firewall Functions Merging
ƒ New JUNOS Routing platforms (J / M) and AS PIC
• Stateful firewall, IPsec and NAT services in JUNOS
ƒ Expanded Routing functionality in NetScreen platforms
ƒ New solutions possible:
• Stateful Firewall, NAT, IPsec VPN termination and Dynamic Routing




Routing and Firewall Functions Merging
ƒ Traditional uses of dynamic routing in firewalls:
• Dynamically advertise reachability of connected services
• Statically routed VPNs advertised into IGP/iBGP
• Dynamic path calculation
• Firewalls participate in routing (usually RIP)
• Limited control plane impacts
• Relatively few prefixes
• Limited policy/redistribution
ƒ Today:
• Deployments require:
• Interchangeable routing / firewall features
• Juniper delivering integrated feature sets
• AS PIC / J Series SFW/IPsec
• Increasing routing functionality in ScreenOS



JUNOS / ScreenOS Routing Strengths
ƒ Virtualization
• Native support for multiple routing tables
• Multiple VRF and Logical routers in JUNOS
• At least two Virtual Routers in all ScreenOS platforms
– Allows simple split tunneling at edge
• Hundreds of VRs in NetScreen Systems
• Multiple instances of routing protocols in JUNOS and ScreenOS
ƒ Scalable, standards-based routing protocols (OSPF/BGP/RIPv2)
ƒ PIM-SM and IGMP Proxy for dynamic multicast forwarding
ƒ Dynamic route-based VPNs
• Support for policy and route-based VPNs in ScreenOS and JUNOS



ScreenOS Dynamic Routing
ƒ ScreenOS is designed for integrated Firewall / Routing
• Security platform from the ground-up
• Integrated static and dynamic routing support
• Multiple virtual IPv4 routing tables / Multiple routing instances
ƒ Security Features
• Screen function
• DoS, IP spoofing, L3/L4 protocol anomaly detection
• Flexible security zone model for all policy
• Network interfaces bound to security zones
• Sessions / flows bound to zones, not interfaces
• Allows real-time next-hop changes to existing flows
• Critical to support dynamic routing in a firewall



High Availability Scenarios
ƒ Firewalls integral part of routing topology – need redundancy solutions
• Border protection (Screen/Policy)
• Inline to forwarding path at network border
• Logical progression for integrated IDP
– Add IDP into forwarding path with fewer headaches
ƒ VPN Routing Edge
• Redundant VPN termination at site
• Stateful failover without dynamic routing impact



Stateful Failover
ƒ True security boundaries require stateful inspection
• Firewalls track individual network flows
• Provide stateful enforcement of policies and DoS protection
ƒ Redundancy requires stateful awareness
• Firewall Cluster must support state synchronization
ƒ Failover without state sync:
• Results in loss of existing TCP/UDP sessions
• Users must restart existing protocol connections
ƒ Traditional firewall state sync does not account for dynamic routing



Classic Firewall HA Scenario
ƒ “Ten-Pack” of routers, switches, firewalls, switches and routers
• HSRP/VRRP/NSRP virtual addresses for next-hop
• Static routing
ƒ Pros:
• Simple. No dynamic routing
• No asymmetric state
• Supports all firewall features/functions
ƒ Cons:
• May require redundant interfaces
• No dynamic routing through firewalls
• Requires additional devices (L2 switches)
[Figure: UNTRUST and TRUST router/switch pairs around a Master / Backup NetScreen-5200 pair joined by an HA Link]



Dynamic Routing / Firewall HA Scenario



Firewalls in a Dynamic Routing Topology: Why?
ƒ Customer desire to integrate firewalls into existing network topology
• Must support dynamic failover based on OSPF
• Contiguous OSPF area
• Full Link State in network edge
• Advertise prefixes between internal network and external routers
• Must support PIM-SM for multicast routing (ScreenOS 5.1)
ƒ Interop eNet Design
• NSRP VSD-less clusters originally designed for this topology 2 years ago



NetScreen Redundancy Protocol
ƒ Originally designed to support stateful failover
• Never intended to support asymmetric state
ƒ VSD – Virtual Security Device
• Logical failover domain within firewall
• Master / Backup state machine per VSD
ƒ VSI – Virtual Security Interface
• Shared interface (Virtual IP/MAC pair)
• Maps traffic into VSD
ƒ RTO Mirror – Real Time Object Mirroring
• State sync in NSRP cluster



NSRP: Traditional (L3) Design
ƒ Virtual addressing
• NSRP VSI and VRRP or HSRP on routers
• All virtual MAC addresses as next-hop between routers and firewall cluster
• Static routes throughout topology
ƒ Single VSD for all traffic
ƒ All firewall interfaces are virtual interfaces (VIP/MAC)
• Easy to add additional zones/interfaces (DMZ)
• No asymmetric state
[Figure: UNTRUST VRRP Master / VRRP Backup routers above an NSRP Master / Backup NetScreen-5200 pair joined by an HA Link, TRUST VRRP Master / VRRP Backup routers below; each tier is reached through a virtual address, with static routes and default routes between routers and firewall cluster]



NSRP: Traditional (L2) Design
ƒ Firewall operates as logical L2 learning bridge
• Backup is in L2 blocking state
• Must permit IGP adjacencies through firewall
• No asymmetric state
ƒ Topologies
• Support for proprietary IGPs
• “drop-in” / transparent firewalls
[Figure: NetScreen-5200 pair deployed as a transparent-mode NSRP cluster]



Transparent Mode NSRP (L2) Operation
ƒ Operate as logical L2 bridge
• MAC learning and forwarding
• Policy engine and forwarding still based on 5-tuple
ƒ Must carefully engineer DMZ topology
• ICMP redirect cannot force traffic across
zone boundary
ƒ Limited support for VLANs
• VLAN tags preserved, but single inspection domain
• No current support for VLAN tag rewrite
• Enhancement coming in next major ScreenOS release



NSRP Real-Time Object Sync
ƒ What is synchronized?
• Sessions / IPsec SA / Crypto and VSD Configs
• Master → Backup replication in VSD
• Bi-Directional replication in VSD-less cluster
ƒ What is not synchronized?
• Screens (pre-flow processing counters)
• Application Level Gateways
• TCP Setup / Inspection
[Figure: NSRP Master and Backup NetScreen-5200 between UNTRUST and TRUST, joined by HA Link(s); RTO Mirror runs Master → Backup; legend distinguishes Normal Traffic from Traffic on Failover]



NSRP Operation
ƒ Master/Backup state machine run per VSD
• Priority and tracking (weight-based) determines
master eligibility
• Tracking: interface / IP reachability (ping) / Zone
ƒ Master assumes virtual IP/MAC addresses for VSI
• Physical interfaces in VSD 0
• Additional VSI (eg: eth2/1:1)
ƒ Master synchronizes state to Backup device
ƒ Backup blocks ports in L2/Transparent mode



NSRP State Control: Tracking
ƒ NSRP can track various factors to determine master eligibility
• Applies per VSD
• Administrative weight per tracked object
• Failover threshold per VSD
ƒ Track:
• Multiple IP addresses
• Weight per address
• Interfaces
• Zones
• Behaves like VLAN on L3 switch
• any one interface with link == zone up



OSPF and NSRP (The Wrong Way)
ƒ VERY slow failover (40-60 sec) when using OSPF and NSRP
ƒ Does support NSRP RTO mirror for session sync
• NSRP backup has “down” interfaces in VSD id 0
• OSPF adjacency is “down” when in backup state
• On failover:
1. Interface up
2. Reestablish OSPF adj. (must wait OSPF Dead Interval)
3. Database exchange
4. SPF calc
5. Populate routes
• THEN, can begin forwarding traffic
[Figure: NSRP Master / Backup NetScreen-5200 pair]



Dynamic Routing Clusters (1): Justification
ƒ Desire to integrate firewall into IGP
• Multiple egress paths, integrate into IGP routing
• Control advertisement of default or external routes into IGP based on exterior connectivity
• Continuity of IGP routing across firewalls
• OSPF-based dynamic route selection
• Simplified topology (no L2 switching required)
ƒ ScreenOS modified (early 5.0x) to abstract sessions from interface to zone.
• Allows route update to new next-hop without invalidating existing sessions
ƒ New NSRP mode needed to keep routing adjacencies up



Dynamic Routing Clusters (2): Operation
ƒ Dual Masters in VSD id 0
ƒ Bi-directional RTO mirroring between cluster members
• All physical interfaces remain active and can support active routing protocol adjacencies
• All devices in cluster can actively forward traffic
ƒ Same as running OSPF on non-clustered devices, but adds session sync
ƒ Config:
• Must manually “unset vsd id 0”
• “set nsrp rto-mirror session non-vsi”



Dynamic Routing Clusters (3): Caveats
ƒ Primary limitations:
• VERY susceptible to asymmetric state issues
• Require more complex config (mixed mode) for NAT support
• Policy-based VPNs also require
• In both cases, traffic must return to a single address which may be resident on both devices
ƒ Cannot use Data-Path Forwarding as a band-aid
• Both nodes are Master: only backup node can perform data-path forwarding
ƒ Must use “Mixed-mode” NSRP to address these issues
• Unset VSD id 0
• Virtual interfaces in VSD id 1 (loopback for VPN, NAT Pool)



HA Considerations: Stateful forwarding
ƒ Real Stateful Inspection requires bidirectional forwarding
• Traditional routing protocols do not guarantee symmetric bidirectional traffic flows
• ECMP nearly guarantees asymmetric state
• True stateful load balancing requires reverse hash for returning microflows
• NetScreen firewalls use session/flow state for all forwarding paths
• Required for stateful policy inspection
• J/M/T/E series use stateless forwarding
• LPM / J-Tree lookup per-packet on forwarding and firewall filters



ScreenOS – Session State
ƒ All forwarded traffic must have a session
• Contains bidirectional flow information
• Route lookup determines egress zone
• Policy lookup from ingress to egress zone
• NetScreen Systems forward traffic like L3/L4 switches
5200-17(M)-> get session
slot 1: sw alloc 3/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
slot 2: hw0 alloc 1/max 1048576
slot 2: hw1 alloc 1/max 1048576
id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
Total 3 sessions shown
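The listing above as read by an added Python helper (example code, not a ScreenOS tool): it splits each session into its forward (->) and reverse (<-) wings and checks that the two wings describe the same 5-tuple inside the same VSD, which is exactly the bidirectional record RTO mirroring has to carry to the backup. The field after the next-hop MAC is parsed but its meaning is not given on the slide, so it is kept as an opaque token; the sample text is the slide's own output.

```python
import re

# Session header: id <id>/<state>,vsys N,flag a/b/c,policy P,time T, dip D
SESSION_RE = re.compile(
    r"^id (\d+)/([^,]+),vsys (\d+),flag ([^,]+),policy (\d+),time (\d+), dip (\d+)")
# Wing: <in-if>(<flags>):<src>/<sport><dir><dst>/<dport>,<proto>,<mac>,<token>,
#       vlan N,tun N,vsd N,route N      (<token> meaning is not given on the slide)
WING_RE = re.compile(
    r"^(\d+)\(([0-9a-f]+)\):(\d+\.\d+\.\d+\.\d+)/(\d+)(->|<-)(\d+\.\d+\.\d+\.\d+)/(\d+),"
    r"(\d+),([0-9a-f]{12}),(\d+),vlan (\d+),tun (\d+),vsd (\d+),route (\d+)$")

def parse_get_session(text):
    """Turn 'get session' output into a list of session dicts with their wings."""
    sessions = []
    for line in text.splitlines():
        m = SESSION_RE.match(line)
        if m:
            sessions.append({"id": int(m[1]), "state": m[2], "vsys": int(m[3]),
                             "policy": int(m[5]), "timeout": int(m[6]), "wings": []})
            continue
        m = WING_RE.match(line)
        if m and sessions:                      # wing lines follow their header
            sessions[-1]["wings"].append({
                "in_if": int(m[1]), "flags": m[2], "src": m[3], "sport": int(m[4]),
                "reverse": m[5] == "<-", "dst": m[6], "dport": int(m[7]),
                "proto": int(m[8]), "nexthop_mac": m[9], "token": int(m[10]),
                "vlan": int(m[11]), "tun": int(m[12]), "vsd": int(m[13]),
                "route": int(m[14])})
    return sessions

def key(w):
    return (w["src"], w["sport"], w["dst"], w["dport"], w["proto"], w["vsd"])

def bidirectional(session):
    """True when the session holds exactly one forward and one reverse wing and
    both describe the same 5-tuple in the same VSD."""
    fwd = [w for w in session["wings"] if not w["reverse"]]
    rev = [w for w in session["wings"] if w["reverse"]]
    return len(fwd) == 1 and len(rev) == 1 and key(fwd[0]) == key(rev[0])

def routing_protocol_sessions(sessions):
    """Ids of sessions that carry OSPF (protocol 89) to AllSPFRouters: even the
    firewall's own adjacencies need a session before anything is forwarded."""
    return [s["id"] for s in sessions
            if any(w["proto"] == 89 and w["dst"] == "224.0.0.5" for w in s["wings"])]

# Sample input: the 'get session' listing shown on this slide.
SAMPLE = """\
id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
Total 3 sessions shown
"""
```

Note that the telnet session's two wings carry different route ids (74 and 44): each direction did its own route lookup, which is what lets a zone-bound session survive a next-hop change.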



Asymmetric State: Symptoms
ƒ “Split-state” environment may appear to work in the lab
• BUT: TCP handshake never completed through same device
• Half-open sessions: User sees TCP sessions establish but freeze (short-lived TCP sessions)
• Can “disable syn checking” but lose effective TCP inspection and protection
• ALG cannot fully inspect control channels
• Deep Inspection will fail
• Integrated IDP will fail
• “pinholes” may not open correctly
• Some screening functions may depend on bidirectional traffic
[Figure: two NetScreen-5200 devices, each seeing only one direction of the flow]



IGP Costing Exercise (1)
ƒ Predictable forwarding path
• Ensure bidirectional path through firewalls
• Must not allow transit through multiple firewalls
• If ABRs directly connected to firewalls, make sure there is a valid Intra-Area route between ABRs in firewall area
ƒ IGP costing is unidirectional
• Must be careful to set IGP costing bidirectionally (must configure both sides of a link to the same cost)
• Do NOT rely on automatic costing (varies between vendors and equipment types)
[Figure: NetScreen-5200 pair inside the OSPF topology]



IGP Costing Exercise (2)
ƒ Predictable failover
• Control traffic paths in the event of a link-down event
• This design preserves state through a firewall in a single link-break
ƒ Fast IGP failover:
• No split link
• Can use aggregated interfaces between devices
• Use /30 p2p links to skip dead timer / DR election on link-up
[Figure: NetScreen-5200 pair with the single-link-break failover topology]



IGP Costing Exercise (3)
ƒ IGP Costing Dangers:
• Routed DMZ Network
• Do not allow transit between firewalls
• Carefully control costs within the OSPF area
• Watch out for asymmetric costs
• Use separate VR for DMZ network if necessary
• Carefully test all iterations in a failover topology
[Figure: External Router-A and Router-B above two NetScreen-5200 firewalls, a DMZ Router attached to both firewalls, Internal Router-A and Router-B below]
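The costing rules from exercises (1) and (3) checked mechanically: an added Python model (not from the deck) that runs an SPF-style shortest-path search over a constructed seven-node topology with per-direction link costs, lists links whose two sides disagree, and reports whether a flow's forward and return paths cross the same single firewall. Node names and costs are constructed for the example.

```python
import heapq

FIREWALLS = {"fw1", "fw2"}

def build(links):
    """links: (a, b, cost_a_to_b, cost_b_to_a). Costs are kept per direction
    because IGP costing is unidirectional: each side of a link is set separately."""
    g = {}
    for a, b, cab, cba in links:
        g.setdefault(a, {})[b] = cab
        g.setdefault(b, {})[a] = cba
    return g

def shortest_path(g, src, dst):
    """Dijkstra (what SPF does inside an area); returns the node list or None."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        if u == dst:
            break
        if d > dist[u]:
            continue
        for v, c in g[u].items():
            if d + c < dist.get(v, float("inf")):
                dist[v], prev[v] = d + c, u
                heapq.heappush(heap, (d + c, v))
    if dst not in dist:
        return None
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return path[::-1]

def asymmetric_links(g):
    """Links whose two directions carry different costs (a half-configured link)."""
    return sorted((a, b) for a in g for b in g[a] if a < b and g[a][b] != g[b][a])

def audit_flow(g, src, dst):
    """Forward and return paths plus two verdicts: does state stay on one firewall
    (same single firewall both ways), and does either path transit two firewalls?"""
    fwd, rev = shortest_path(g, src, dst), shortest_path(g, dst, src)
    fw_fwd = [n for n in (fwd or []) if n in FIREWALLS]
    fw_rev = [n for n in (rev or []) if n in FIREWALLS]
    return {"forward": fwd, "reverse": rev,
            "stateful_ok": len(fw_fwd) == 1 and fw_fwd == fw_rev,
            "transits_two_firewalls": len(set(fw_fwd)) > 1 or len(set(fw_rev)) > 1}

# Constructed topology after the slide: external router pair, two firewalls, a
# routed DMZ hanging off both firewalls, internal router pair. fw1 is preferred.
BASE = [
    ("extA", "extB", 5, 5), ("extA", "fw1", 10, 10), ("extB", "fw2", 20, 20),
    ("fw1", "intA", 10, 10), ("fw2", "intB", 10, 10), ("intA", "intB", 5, 5),
    ("fw1", "dmz", 100, 100), ("fw2", "dmz", 100, 100),  # high cost: no transit via DMZ
]
# Same design, but only the extB side of the extB-fw2 link was lowered to 2.
ONE_SIDED = [("extB", "fw2", 2, 20) if l[:2] == ("extB", "fw2") else l for l in BASE]
# Same design with the extA-fw1 link down.
LINK_DOWN = [l for l in BASE if set(l[:2]) != {"extA", "fw1"}]
```

With symmetric costs the extA to intB flow uses fw1 in both directions and, with the extA-fw1 link down, moves to fw2 in both directions; the half-configured link sends the forward path through fw2 while the return path still prefers fw1, which is the split-state condition the earlier slides describe. Equal-cost ties (ECMP) are not detected by this toy, which just picks one path.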



NSRP: Data-Path Forwarding
ƒ NSRP can correct asymmetric state in some situations
• 2) BACKUP device receives packet that matches session from master
• 3) packet is exception-forwarded (CPU forwarded) to master over HA link
• 4) MASTER forwards packet to end node
ƒ Do not rely on this behavior
• Serious performance impact for large amounts of forwarded traffic
[Figure: NetScreen-5200 Master / Backup pair; the backup relays the packet to the master over the HA link]



Mixed-Mode NSRP (Simple)
ƒ Medium-sized enterprise
• Upstream OSPF to routers
• Downstream (Trust)
• Firewall cluster is first-hop router for internal network
• Virtual IP/MAC in Trust VSI
• VSI exported to OSPF (VSD-less)
ƒ Pro:
• Simple integration of OSPF and Firewalls
• No Asymmetric State
ƒ Cons:
• Requires both VSD-less (untrust) and VSD/VSI (trust)
[Figure: UNTRUST OSPF Area X above a NetScreen-5200 pair joined by an HA Link; TRUST (L2) below, reached through the VSI shared address]



Mixed-Mode NSRP (VSD-less + DMZ)
ƒ Add DMZ network to existing VSD-less NSRP cluster
ƒ Pros:
• Allows for DMZ network connected to OSPF meshed network
ƒ Cons:
• Must control asymmetric state with OSPF costing
• Requires both VSD-less and VSD/VSI support
[Figure: UNTRUST OSPF Area X above a NetScreen-5200 pair joined by an HA Link; DMZ VSI (OSPF Passive) off the cluster; TRUST OSPF Area X below]



Mixed-mode NSRP Complications
ƒ Must link NSRP and OSPF failover in mixed mode
• OSPF makes path calculations based on link state information from routers
• NSRP elects master based on tracking information and priority
• Unidirectional feedback
• Add VSI as OSPF passive interface
• Recommend adding NSRP zone tracking or IP ping tracking to control NSRP failover
[Figure: UNTRUST OSPF Area X; VSD 1 Master and VSD 1 Backup NetScreen-5200 (each with lo0) joined by an HA Link; NAT from loopback1:1; OSPF Untrust-DMZ transit path; DMZ VSI (OSPF Passive) marked X; TRUST OSPF Area X; OSPF Trust-Untrust transit path]



ƒ Questions?



Thank You

