
NetScreen Redundancy Protocol

Objectives

• Discuss NSRP concepts
• Define NSRP-related terms and concepts
• Configure NSRP Active/Passive setup
• Verify NSRP operations
• Identify factors that affect failover time
• Tune NSRP failover behavior

2
NetScreen Redundancy Protocol

• Provides redundancy/fail-over for NetScreen Firewall/VPN products
• Proprietary protocol
• Dedicated link copies critical session-related information to backup system
– No interruption to user session

3
NSRP Active/Passive

[Figure: Active/Passive topology. Labels: Protected Network, HA Link, X]

4
NSRP Active/Active

[Figure: Active/Active topology. Labels: Protected Network, HA Link, X]

5
NSRP Terminology

• HA link, port, zone
• NSRP cluster
• Virtual Security Device (VSD)
• Virtual Security Interface (VSI)
• Run Time Objects (RTOs)

6
HA Link/Port/Zone

• HA1 – Primary path
• HA2 – Secondary
[Figure: HA link between the two devices; the HA ports sit in the HA Zone]

7
NSRP Cluster

• Group of 2 NetScreens providing redundancy
• Identical configurations
– Changes to one propagated via HA link to the other
– Exceptions:
• Hostname – use cluster name to identify “device” for PKI, SNMP, authentication, etc.
• Some VSD settings
• Local interface settings
• Console settings
• Track IP configuration
[Figure: two NetScreens forming a Cluster]

8
VSD/VSI/VSD Group

• Virtual Security Device
– Logical representation of a NetScreen
– VSD0 by default
• Virtual Security Interface
– Logical representation of interfaces
• VSD Group
– 2 NetScreens sharing VSD configuration
[Figure: two NetScreens, each with VSD 0 and VSIs E1 and E2, forming one VSD Group]

9
VSD States and Failover

• Master
– Determined by priority
– Preempt
• Backup
• Initial
• Ineligible
• Inoperable
• Failover
– Gratuitous ARPs
[Figure: before failover, the left device is Master and the right device is Backup, each with VSD 0 and VSIs E1 and E2; after failover, the left device is Inoperable (marked X) and the right device is Master]
10
NSRP VSD Group - Active/Passive

• NetScreen-1 is the Master for VSD Group 0
– The VSIs for VSD group 5 on NetScreen-1 forward data
• NetScreen-2 is the Primary Backup for VSD Group 0
– The VSIs for VSD group 5 on NetScreen-2 are in backup and do not forward data
[Figure: both devices in VSD Group id 0 with VSIs E1 and E2; NetScreen-1 has VSD 0 at Priority 50 (Active), NetScreen-2 has VSD 0 at Priority 100 (Backup)]

11
NSRP VSD Group - Active/Active

[Figure: Active/Active VSD groups. Left device: VSD 10 Priority 50 Active, VSD 11 Priority 100 Backup. Right device: VSD 11 Priority 50 Active, VSD 10 Priority 100 Backup. Each device carries VSIs E1:10, E1:11, E2:10 and E2:11]

12
Run Time Objects (RTO)

• Objects created dynamically in memory
– Session table entries
– ARP cache entries
– DHCP leases
– IPSec security associations

13
Syncing Sessions

[Sequence diagram: Master and Backup connected by the HA Link]
– Session established
– Add session – timeout 8x default
– ...
– Session timeout = 0: sync timeout
– If session timeout = protocol max, send 8x default
– If session timeout > 10, send sync
– If session timeout < 10, mark session

14
NSRP Configuration – Active/Passive

[Figure: Active/Passive lab topology. Labels: E5 - HA, E1, E8, Zone 1, Internet]

15
NSRP Configuration Steps – Active/Passive

On both devices
1. Assign interface to HA zone (if not using dedicated
HA ports)
2. Configure cluster settings
3. Configure interfaces to be monitored
4. Adjust VSD settings (if desired)

On one device
5. Change interfaces, policies, etc. as desired
• Changes will automatically be copied via HA link

16
1: Assign Interface to HA Zone

Network>Interfaces (Edit)

17
2: Configure Cluster Settings

Network>NSRP>Cluster

set nsrp cluster id <1-7>
set nsrp cluster name <name>
set nsrp arp <number>
set nsrp auth password <password>
set nsrp encrypt password <password>

18
3: Set Interfaces for Monitoring

Network>NSRP>Monitor>TrackIP>Edit

Network>NSRP>Monitor>Interface>Edit

set nsrp monitor interface <name> weight <1-255>
set nsrp monitor threshold <1-255>

19
4: Adjust VSD settings

Network>NSRP>VSD Group>Configuration

set nsrp vsd id <number> priority <1-254>
set nsrp vsd id <number> preempt
set nsrp vsd id <number> preempt hold-down <sec>

20
Verifying NSRP Configuration

Network>NSRP>VSD Group

Network>NSRP>Monitor>Interface

21
Verifying NSRP Configuration

left(M)-> get nsrp cluster
cluster id: 1, no name
local unit id: 1907680
active units discovered:
index: 0, unit id: 1907680, ctrl mac: 0010db1d1be8,
index: 1, unit id: 1680608, ctrl mac: 0010db19a4e8, data mac: 0010db19a4eb
total number of units: 2

left(M)-> get nsrp vsd id 0
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group priority preempt holddown inelig master PB other members
0 50 yes 5 no myself 1680608

vsd group id: 0, member count: 2, master: 1907680
member information:
---------------------------------------------------------------------
group unit_id state prio flag rto_peer hb miss holddown
---------------------------------------------------------------------
0 1680608 primary backup 100 0 0 0 0 0
0 1907680 master 50 2 0 0 0 5
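As an added example (not code from the slides or from ScreenOS), a small Python check that parses the `get nsrp vsd id 0` member table shown above and flags what an operator verifies by hand: one and only one master, the master holding the lowest priority value, and no member past the heartbeat-lost threshold. The sample text is constructed from the output on this slide; the state column can contain a space ("primary backup"), which the parser handles.

```python
import re

# Constructed sample: the `get nsrp vsd id 0` output from the slide above,
# trimmed to the header line and the member table.
SAMPLE = """\
vsd group id: 0, member count: 2, master: 1907680
member information:
---------------------------------------------------------------------
group unit_id state prio flag rto_peer hb miss holddown
---------------------------------------------------------------------
0 1680608 primary backup 100 0 0 0 0 0
0 1907680 master 50 2 0 0 0 5
"""
TAIL = ("prio", "flag", "rto_peer", "hb", "miss", "holddown")  # numeric columns


def parse_vsd_members(text):
    """Parse member rows. The state column can contain a space ("primary backup"),
    so take two leading ints and six trailing ints; whatever is between is the state."""
    members = []
    for line in text.splitlines():
        toks = line.split()
        if len(toks) < len(TAIL) + 3 or not (toks[0].isdigit() and toks[1].isdigit()):
            continue
        if not all(t.isdigit() for t in toks[-len(TAIL):]):
            continue
        row = {"group": int(toks[0]), "unit_id": int(toks[1]),
               "state": " ".join(toks[2:-len(TAIL)])}
        row.update(zip(TAIL, (int(t) for t in toks[-len(TAIL):])))
        members.append(row)
    return members


def check_vsd_group(text, hb_lost_threshold=3):
    """Return findings a monitoring check would raise; an empty list means healthy."""
    members = parse_vsd_members(text)
    findings = []
    hdr = re.search(r"member count: (\d+), master: (\d+)", text)
    if hdr and int(hdr.group(1)) != len(members):
        findings.append("member count %s but %d rows parsed" % (hdr.group(1), len(members)))
    masters = [m for m in members if m["state"] == "master"]
    if len(masters) != 1:  # zero masters means an outage, two means split brain
        findings.append("expected exactly one master, found %d" % len(masters))
    # A lower prio value wins the election; with preempt on, the master should hold it.
    if len(masters) == 1 and min(m["prio"] for m in members) < masters[0]["prio"]:
        findings.append("master does not hold the lowest priority value")
    for m in members:
        if m["miss"] >= hb_lost_threshold:  # "heartbeat lost threshold: 3" on the slide
            findings.append("unit %d missed %d heartbeats" % (m["unit_id"], m["miss"]))
    return findings
```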
22
NSRP Configuration Synchronization

left(B)-> exec nsrp sync global-config check-sum
left(B)-> Warning: configuration out of sync

left(B)-> exec nsrp sync global save
left(B)-> load peer system config to save
Save global configuration successfully.
Save local configuration successfully.
done.
Please reset your box to let cluster configuration take effect!

System change state to Active(1)
configuration in sync (local checksum 1213013518 == remote checksum 1213013518)
Received all run-time-object from peer.

23
Factors that Affect Failover Time

• Heartbeat Messages
set nsrp vsd-group hb-threshold <number>
set nsrp vsd-group hb-interval <milliseconds>

• Switching technologies
– Spanning Tree Protocol
– Channeling, Bonding, PAgP
– Trunking protocols

24
Points to Consider

• NSRP is only one part of overall redundancy solution
– NetScreens are redundant… but what about switches? Routers?
[Figure: two Protected Network topologies, labelled "Good" and "Better!"]

25
What if HA Link Fails?

• If using dual links, remaining link assumes control
– Data channel dropped on everything but NS-5000 series
• If using single link, NSRP stops working
– Use in-line interface as secondary path to prevent this
• Probe option actively monitors HA link status

Network > NSRP > Link

set nsrp secondary <int_name>
set nsrp ha probe interval <sec>
set nsrp ha probe threshold <num>

26
NSRP-Lite

• Available for NS-50, NS-25, and NS5-GT devices
• Uses in-band interface for HA communication
• No VSIs
– Interfaces are configured independently
– Can be identical or not
[Figure: two NSRP-Lite devices with Untrust interfaces 1.1.1.1/24 and 2.2.2.2/24; Trust side 10.1.1.1/24]

27
Tuning Failover Behavior

• Monitored objects
– Interface
– Zone
– Target host
• Failover calculation
If FailedObjectWeight ≥ FailoverThreshold, fail over

FailedObjectWeight = sum(IntWt) + sum(ZoneWt) + IPTrackWt

• Defaults
– Failover threshold: 255
– Individual object weights: 255
– Therefore, by default, one failure will cause failover
28
Setting Device Failover Threshold

• Command not available from WebUI

set nsrp monitor threshold <1-255>

29
Adjusting Interface Weight

• Configured on per-VSD basis

Network > NSRP > Monitor > Interface > Edit

set nsrp monitor vsd id <group_num> monitor int <name> weight <1-255>

30
Adjusting Zone Weight

• Configured on per-VSD basis


• All interfaces in zone must fail for zone to fail

Network > NSRP > Monitor > Zone > Edit

set nsrp monitor vsd id <group_num> monitor zone <name> weight <1-255>

31
IP Tracking

• Tracks reachability to mission-critical hosts
• Failure of IP Tracking is a sum operation
– IP track weight then added to overall fail-over calculation

If sum(FailedAddress) ≥ IPTrackThreshold, IP Track fails – send IPTrackWt to device failover calculation

• Defaults
– IP Track Threshold: 255
– IP Track Weight: 255
– IP Address Weight: 1
• Reachability tested by ping (for remote hosts) or ARP (for directly-connected hosts)
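Added example, not ScreenOS code: the device failover arithmetic from the Tuning Failover Behavior slide combined with the IP tracking rule above and the rule that a zone fails only when all of its interfaces fail. The configuration (interface and zone weights, track-ip threshold and weight, per-address weights, interface and address names) is constructed to show which failures push a VSD group past the threshold.

```python
# Constructed configuration for one VSD group. Weights mirror the
# `set nsrp monitor ... weight` and `set nsrp track-ip ...` commands on the slides.
CONFIG = {
    "threshold": 255,   # set nsrp monitor threshold <1-255>
    # set nsrp monitor vsd id 0 monitor int <name> weight <1-255>
    # Two interfaces at 128 each: one down stays under 255, both down fails over.
    "interfaces": {"ethernet1": 128, "ethernet2": 128},
    # set nsrp monitor vsd id 0 monitor zone <name> weight <1-255>
    "zones": {"Untrust": {"weight": 255, "members": ["ethernet3", "ethernet4"]}},
    # set nsrp track-ip threshold / weight, plus per-address weights (default 1)
    "track_ip": {"threshold": 2, "weight": 255,
                 "addresses": {"1.1.1.254": 1, "2.2.2.254": 1}},
}


def ip_track_weight(track_cfg, unreachable):
    """IPTrackWt if sum(FailedAddress) >= IPTrackThreshold, else 0."""
    failed = sum(w for ip, w in track_cfg["addresses"].items() if ip in unreachable)
    return track_cfg["weight"] if failed >= track_cfg["threshold"] else 0


def failed_object_weight(cfg, down_ifaces, unreachable):
    """FailedObjectWeight = sum(IntWt) + sum(ZoneWt) + IPTrackWt."""
    total = sum(w for name, w in cfg["interfaces"].items() if name in down_ifaces)
    for zone in cfg["zones"].values():
        # A zone counts only when every interface in the zone has failed.
        if zone["members"] and all(m in down_ifaces for m in zone["members"]):
            total += zone["weight"]
    total += ip_track_weight(cfg["track_ip"], unreachable)
    return total


def should_fail_over(cfg, down_ifaces, unreachable):
    """Return (FailedObjectWeight, fail over?) for one VSD group."""
    weight = failed_object_weight(cfg, set(down_ifaces), set(unreachable))
    return weight, weight >= cfg["threshold"]


if __name__ == "__main__":
    for down, lost in [(set(), set()), ({"ethernet1"}, set()),
                       ({"ethernet1", "ethernet2"}, set()),
                       ({"ethernet3"}, set()), ({"ethernet3", "ethernet4"}, set()),
                       (set(), {"1.1.1.254"}), (set(), {"1.1.1.254", "2.2.2.254"})]:
        print(sorted(down), sorted(lost), should_fail_over(CONFIG, down, lost))
```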

32
Configuring IP Tracking

1. Enable IP Tracking
– Set failure threshold for tracking
– Set weight for tracking
2. Configure tracked addresses
– Set tracking method and parameters
– Set weight per address

33
1: Enable IP Tracking

• Cannot set weight from WebUI

Network > NSRP > Monitor > TrackIP > Edit

set nsrp track-ip
set nsrp track-ip threshold <1-255>
set nsrp track-ip weight <1-255>

34
2: Configure Tracked Addresses – WebUI

• Configured on real interface, not VSI

Network > Interfaces > Edit > TrackIP


35
2: Configure Tracked Addresses – CLI

• Tracking method can only be configured from CLI

set nsrp track-ip ip <address>
set nsrp track-ip ip <address> interface <name>
set nsrp track-ip ip <address> method [arp | ping]
set nsrp track-ip ip <address> interval <sec>
set nsrp track-ip ip <address> threshold <1-200>
set nsrp track-ip ip <address> weight <1-255>

36
Summary

• In this module we
– Discussed NSRP-related terms and concepts
– Configured NSRP Active/Passive setup
– Verified NSRP operations
– Identified factors that affect failover time
– Configured NSRP Active/Active Setup
– Configured interface redundancy
– Tuned NSRP failover behavior

37
Review Questions

1. Which products support NSRP?
2. Which products have designated HA ports?
3. Why would you configure a cluster name?
4. What determines who is master for a VSD?
5. How many devices can be active for a VSD group?
6. What is the purpose of the secondary link?

38
NSRP Active/Passive Demo

[Figure: Active/Passive demo topology. Labels: E5 - HA; interfaces E1, E2, E3, E4, E7, E8 on each device; VLAN1, VLAN2, VLAN3, VLAN4, VLAN7, VLAN8; Group1, Group2, Group3, Group4, Instructor, Internet]

39
