NetScreen Redundancy Protocol (NSRP)

To function properly as a network firewall, a security device must be placed at the single point through which all interzone traffic must pass. When a single device is responsible for handling all interzone traffic, it becomes vital that the traffic flow remain uninterrupted, even in the event of a device or network failure.

To ensure a continuous traffic flow, you can cable and configure two security devices in a redundant cluster, where one device acts as the primary and the other as its backup. The primary device propagates all its network and configuration settings, along with the current session information, to the backup. If the primary device fails, the backup becomes the primary and begins processing traffic.

You can configure a redundant cluster in one of three ways:

Configuring an NSRP Cluster

Before two security devices can provide redundant network connectivity, you must group them in the same NSRP cluster.

To Configure your Security Device in a Redundant Cluster

  1. Enter the necessary information:

Cluster ID: Enter a cluster ID between 1 and 63. After the security devices are members of the same cluster, you can configure them as members of the same VSD group within that cluster.

Note: You must set the number of NSRP clusters and VSD groups using the set envar nsrp-max-cluster and set envar nsrp-max-vsd CLI commands. Setting a cluster ID range of 1–63 limits the number of allowed VSD groups to 8. For more information about NSRP clusters, refer to the ScreenOS Reference Guide, available on the Juniper Networks ScreenOS documentation site.

Not in Cluster: Select this option if you want to remove the device from an NSRP cluster.

Local Unit: (Read-only) Indicates the ID number of the local device.

Active Units Discovered: (Read-only) Indicates the ID number of each active unit in the same NSRP cluster.

Number of Gratuitous ARPs to Resend: Enter the number of Address Resolution Protocol (ARP) broadcasts for notifying surrounding network devices of the MAC address of a new master following a failover. The default is 4.

NSRP Authentication Password: Enter a password for creating an authentication key to secure NSRP communications.

NSRP Encryption Password: Enter a password for creating an encryption key to secure NSRP communications.

Note: If the security devices in an NSRP cluster are cabled directly to each other and do not pass through a switch to which other network devices also connect, it is not necessary to authenticate and encrypt the NSRP communications passed between the devices.

  2. Click Apply to save your configuration.
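
An added example (not from the Juniper documentation): a Python check that audits the saved configurations of two intended cluster peers against the fields above, including the direct-cabling exception for the authentication and encryption passwords. It assumes the CLI forms `set nsrp cluster id`, `set nsrp arp`, `set nsrp auth password` and `set nsrp encrypt password`; the configuration excerpts and function names are constructed for illustration.

```python
import re

# Constructed saved-configuration excerpts (not from real devices).
CONFIG_A = """\
set hostname fw-a
set nsrp cluster id 7
set nsrp arp 4
set nsrp auth password EXAMPLE-AUTH
set nsrp encrypt password EXAMPLE-ENC
"""
CONFIG_B = """\
set hostname fw-b
set nsrp cluster id 8
set nsrp auth password EXAMPLE-AUTH
"""

# Assumed CLI forms of the WebUI fields: cluster ID, ARP count, passwords.
NSRP_LINE = re.compile(
    r"^set nsrp (cluster id|arp|auth password|encrypt password) (.+)$")

def parse_nsrp(config_text):
    """Return {setting: value} for the NSRP lines in a saved configuration."""
    found = {}
    for line in config_text.splitlines():
        m = NSRP_LINE.match(line.strip())
        if m:
            found[m.group(1)] = m.group(2)
    return found

def audit_device(config_text, direct_cabled=False):
    """Findings for one device; direct_cabled applies the page's exception."""
    s = parse_nsrp(config_text)
    if "cluster id" not in s:
        return ["not in an NSRP cluster"]
    findings = []
    if not (s["cluster id"].isdigit() and 1 <= int(s["cluster id"]) <= 63):
        findings.append("cluster ID outside 1-63")
    if not direct_cabled:  # HA traffic crosses a shared switch
        for key in ("auth password", "encrypt password"):
            if key not in s:
                findings.append("missing NSRP " + key)
    return findings

def audit_pair(cfg_a, cfg_b, direct_cabled=False):
    """Findings for two intended cluster peers, including an ID mismatch."""
    findings = [("A", f) for f in audit_device(cfg_a, direct_cabled)]
    findings += [("B", f) for f in audit_device(cfg_b, direct_cabled)]
    if parse_nsrp(cfg_a).get("cluster id") != parse_nsrp(cfg_b).get("cluster id"):
        findings.append(("pair", "cluster IDs differ"))
    return findings
```

With the constructed excerpts, `audit_pair(CONFIG_A, CONFIG_B)` reports that device B has no encryption password and that the two devices are not in the same cluster.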