Weitere ähnliche Inhalte
Ähnlich wie Highavailability designs-for-juniper-netscreen-firewalls3740
Ähnlich wie Highavailability designs-for-juniper-netscreen-firewalls3740 (20)
Kürzlich hochgeladen (20)
Highavailability designs-for-juniper-netscreen-firewalls3740
- 1. Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net 1
High-Availability Designs
for Juniper NetScreen
Firewalls
Dan Backman
Senior Systems Engineer
dbackman@juniper.net
- 2. 2Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Routing and Firewall Functions Merging
New JUNOS Routing platforms (J / M) and AS PIC
• Stateful firewall, IPsec and NAT services in JUNOS
Expanded Routing functionality in NetScreen platforms
New solutions possible:
• Stateful Firewall, NAT, IPsec VPN termination and
Dynamic Routing
+ !+ =
- 3. 3Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Routing and Firewall Functions Merging
Traditional uses of dynamic routing in firewalls:
• Dynamically advertise reachability of connected services
• Statically routed VPNs advertised into IGP/iBGP
• Dynamic path calculation
• Firewalls participate in routing (usually RIP)
• Limited control plane impacts
• Relatively few prefixes
• Limited policy/redistribution
Today:
• Deployments require:
• Interchangable routing / firewall features
• Juniper delivering integrated feature sets
• AS PIC / J Series SFW/IPsec
• Increasing routing functionality in ScreenOS
- 4. 4Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
JUNOS / ScreenOS Routing Strengths
Virtualization
• Native support for multiple routing tables
• Multiple VRF and Logical routers in JUNOS
• At least two Virtual Routerss in all ScreenOS platforms
– Allows simple split tunneling at edge
• Hundreds of VRs in NetScreen Systems
• Multiple instances of routing protocols in JUNOS and ScreenOS
Scalable, standards-based routing protocols (OSPF/BGP/RIPv2)
PIM-SM and IGMP Proxy for dynamic
multicast forwarding
Dynamic route-based VPNs
• Support for policy and route-based VPNs in ScreenOS and JUNOS
- 5. 5Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
ScreenOS Dynamic Routing
ScreenOS is designed for integrated Firewall / Routing
• Security platform from the ground-up
• Integrated static and dynamic routing support
• Multiple virtual IPv4 routing tables / Multiple routing instances
Security Features
• Screen function
• DoS, IP spoofing, L3/L4 protocol anomaly detection
• Flexible security zone model for all policy
• Network interfaces bound to security zones
• Sessions / flows bound to zones ,not interfaces
• Allows real-time next-hop changes to existing flows
• Critical to support dynamic routing in a firewall
- 6. 6Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
High Availability Scenarios
Firewalls integral part of routing topology –
need redundancy solutions
• Border protection (Screen/Policy)
• Inline to forwarding path at network border
• Logical progression for integrated IDP
– Add IDP into forwarding path with fewer
headaches
VPN Routing Edge
• Redundant VPN termination at site
• Stateful failover without dynamic
routing impact
- 7. 7Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Stateful Failover
True security boundaries require
stateful inspection
• Firewalls track individual network flows
• Provide stateful enforcement of policies and DoS protection
Redundancy requires stateful awareness
• Firewall Cluster must support state synchronization
Failover without state sync:
• Results in loss of existing TCP/UDP sessions
• Users must restart existing protocol connections
Traditional firewall state sync does not account
for dynamic routing
- 8. 8Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Classic Firewall HA Scenario
“Ten-Pack” of routers, switches,
firewalls, switches and routers
• HSRP/VRRP/NSRP virtual addresses for
next-hop
• Static routing
Pros:
• Simple. No dynamic routing
• No asymmetric state
• Supports all firewall features/functions
Cons:
• May require redundant interfaces
• No dynamic routing through firewalls
• Requires additional devices (L2 switches)
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
HA Link
UNTRUST
TRUST
Master
Backup
- 9. 9Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Dynamic Routing / Firewall HA Scenario
- 10. 10Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Firewalls in a Dynamic Routing
Topology: Why?
Customer desire to integrate firewalls into
existing network topology
• Must support dynamic failover
based on OSPF
• Contiguous OSPF area
• Full Link State in network edge
• Advertise prefixes between
internal network and
external routers
• Must support PIM-SM for multicast
routing (ScreenOS 5.1)
Interop eNet Design
• NSRP VSD-less clusters originally designed
for this topology 2 years ago
- 11. 11Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
NetScreen Redundancy Protocol
Originally designed to support stateful failover
• Never intended to support asymmetric state
VSD – Virtual Security Device
• Logical failover domain within firewall
• Master / Backup state machine per VSD
VSI – Virtual Security Interface
• Shared interface (Virtual IP/MAC pair)
• Maps traffic into VSD
RTO Mirror – Real Time Object Mirroring
• State sync in NSRP cluster
- 12. 12Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
NSRP: Traditional (L3) Design
Virtual addressing
• NSRP VSI and VRRP or HSRP on
routers
• All virtual MAC addresses as
next-hop between routers and
firewall cluster
• Static routes throughout
topology
Single VSD for all traffic
All firewall interfaces are
virtual interfaces (VIP/MAC)
• Easy to add additional
zones/interfaces (DMZ)
• No asymmetric state
S T A T U S
P O W E R
5 20 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 20 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
HA Link
UNTRUST
TRUST
NSRP
Backup
NSRP Master
VRRP
Backup
VRRP Master
VRRP
Backup
VRRP Master
Virtual Address
Static Routes
Virtual Address
Default Route
Virtual Address
Static Routes
Virtual Address
Default Route
- 13. 13Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
NSRP: Traditional (L2) Design
Firewall operates as logical L2
learning bridge
• Backup is in L2 blocking state
• Must permit IGP adjacencies
through firewall
• No asymmetric state
Topologies
• Support for proprietary IGPs
• “drop-in” / transparent firewalls
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
- 14. 14Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Transparent Mode NSRP (L2) Operation
Operate as logical L2 bridge
• MAC learning and forwarding
• Policy engine and forwarding still based on 5-tuple
Must carefully engineer DMZ topology
• ICMP redirect cannot force traffic across
zone boundary
Limited support for VLANs
• VLAN tags preserved, but single inspection domain
• No current support for VLAN tag rewrite
• Enhancement coming in next major ScreenOS release
- 15. 15Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
NSRP Real-Time Object Sync
What is synchronized?
• Sessions / IPsec SA /
Crypto and VSD Configs
• Master Backup replication
in VSD
• Bi-Directional replication in
VSD-less cluster
What is not
synchronized?
• Screens (pre-flow
processing counters)
• Application Level Gateways
• TCP Setup / Inspection
S T A T U S
P O W E R
52 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
52 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
HA Link(s)
UNTRUST
TRUST
NSRP
Backup
NSRP Master
RTO Mirror
Master Backup
Normal Traffic Traffic on Failover
- 16. 16Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
NSRP Operation
Master/Backup state machine run per VSD
• Priority and tracking (weight-based) determines
master eligibility
• Tracking: interface / IP reachability (ping) / Zone
Master assumes virtual IP/MAC addresses
for VSI
• Physical interfaces in VSD 0
• Additional VSI (eg: eth2/1:1)
Master synchronizes state to Backup device
Backup blocks ports in L2/Transparent mode
- 17. 17Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
NSRP State Control: Tracking
NSRP can track various factors to determine
master eligibility
• Applies per VSD
• Administrative weight per tracked object
• Failover threshold per VSD
Track:
• Multiple IP addresses
• Weight per address
• Interfaces
• Zones
• Behaves like VLAN on L3 switch
• any one interface with link == zone up
- 18. 18Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
OSPF and NSRP (The Wrong Way)
VERY slow failover (40-60 sec) when
using OSPF and NSRP
Does support NSRP RTO mirror for
session sync
• NSRP backup has “down” interfaces in
VSD id 0
• OSPF adjacency is “down” when in
backup state
• On failover:
1. Interface up
2. Reestablish OSPF adj. (must wait OSPF
Dead Interval)
3. Database exchange
4. SPF calc
5. Populate routes
• THEN, can begin forwarding traffic
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
- 19. 19Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Dynamic Routing Clusters
(1): Justification
Desire to integrate firewall into IGP
• Multiple egress paths, integrate into IGP routing
• Control advertisement of default or external routes into IGP
based on exterior connectivity
• Continuity of IGP routing across firewalls
• OSPF-based dynamic route selection
• Simplified topology (no L2 switching required)
ScreenOS modified (early 5.0x) to abstract sessions
from interface to zone.
• Allows route update to new next-hop without invalidating
existing sessions
New NSRP mode needed to keep routing adjacencies up
- 20. 20Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Dynamic Routing Clusters (2): Operation
Dual Masters in VSD id 0
Bi-directional RTO mirroring between cluster
members
• All physical interfaces remain active and can support
active routing protocol adjacencies
• All devices in cluster can actively forward traffic
Same as running OSPF on non-clustered devices,
but adds session sync
Config:
• Must manually “unset vsd id 0”
• “set nsrp rto-mirror session non-vsi”
- 21. 21Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Primary limitations:
• VERY susceptible to asymmetric state issues
• Require more complex config (mixed mode) for NAT support
• Policy-based VPNs also require
• In both cases, traffic must return to a single address which may
be resident on both devices
Cannot use Data-Path Forwarding as a band-aid
• Both nodes are Master: only backup node can perform
data-path forwarding
Must use “Mixed-mode” NSRP to address these issues
• Unset VSD id 0
• Virtual interfaces in VSD id 1 (loopback for VPN, NAT Pool)
Dynamic Routing Clusters (3): Caveats
- 22. 22Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
HA Considerations: Stateful forwarding
Real Stateful Inspection requires
bidirectional forwarding
• Traditional routing protocols do not guarantee
symmetric bidirectional traffic flows
• ECMP nearly guarantees asymmetric state
• True stateful load balancing requires reverse
hash for returning microflows
• NetScreen firewalls use session/flow state for all
forwarding paths
• Required for stateful policy inspection
• J/M/T/E series use stateless forwarding
• LPM / J-Tree lookup per-packet on forwarding
and firewall filters
- 23. 23Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
ScreenOS – Session State
All forwarded traffic must have a session
• Contains bidirectional flow information
• Route lookup determines egress zone
• Policy lookup from ingress to egress zone
• NetScreen Systems forward traffic like L3/L4 switches
5200-17(M)-> get session
slot 1: sw alloc 3/max 1000064, alloc failed 0, mcast alloc 0, di alloc failed 0
slot 2: hw0 alloc 1/max 1048576
slot 2: hw1 alloc 1/max 1048576
id 7267/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
11(0601):10.2.4.2/1->224.0.0.5/1,89,000000000000,15,vlan 0,tun 0,vsd 0,route 0
3(0010):10.2.4.2/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7268/s**,vsys 0,flag 00000040/0080/23,policy 320002,time 6, dip 0
7(0601):10.1.4.1/1->224.0.0.5/1,89,000000000000,14,vlan 0,tun 0,vsd 0,route 0
3(0010):10.1.4.1/1<-224.0.0.5/1,89,000000000000,4,vlan 0,tun 0,vsd 0,route 0
id 7269/s01,vsys 0,flag 10200440/0000/03,policy 1,time 1440, dip 0
11(0801):10.2.2.2/11033->10.1.255.1/23,6,00a0c96cce14,15,vlan 0,tun 0,vsd 0,route 74
7(4800):10.2.2.2/11033<-10.1.255.1/23,6,00a0c92490e4,14,vlan 0,tun 0,vsd 0,route 44
Total 3 sessions shown
- 24. 24Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Asymmetric State: Symptoms
“Split-state” environment may appear
to work in the lab
• BUT: TCP handshake never completed
through same device
• Half-open sessions: User sees TCP
sessions establish but freeze
(short-lived TCP sessions)
• Can “disable syn checking” but lose
effective TCP inspection and protection
• ALG cannot fully inspect control channels
• Deep Inspection will fail
• Integrated IDP will fail
• “pinholes” may not open correctly
• Some screening functions may depend on
bidirectional traffic
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
- 25. 25Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
IGP Costing Exercise (1)
Predictable forwarding path
• Ensure bidirectional path through firewalls
• Must not allow transit through
multiple firewalls
• If ABRs directly connected to firewalls,
make sure there is a valid Intra-Area
route between ABRs in firewall area
IGP costing is unidirectional
• Must be careful to set IGP costing
bidirectionally (must configure both sides
of a link to the same cost)
• Do NOT rely on automatic costing (varies
between vendors and equipment types)
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
- 26. 26Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
IGP Costing Exercise (2)
Predictable failover
• Control traffic paths in the
event of a link-down event
• This design preseves state
through a firewall in a single
link-break
Fast IGP failover:
• No split link
• Can use aggregated
interfaces between devices
• Use /30 p2p links to skip
dead timer / DR election
on link-up
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
- 27. 27Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
IGP Costing Exercise (3)
IGP Costing Dangers:
• Routed DMZ Network
• Do not allow transit
between firewalls
• Carefully control costs within
the OSPF area
• Watch out for asymmetric costs
• Use separate VR for DMZ
network if necessary
• Carefully test all iterations in a
failover topology
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
External
Router-A
External
Router-B
Internal
Router-A
Internal
Router-B
DMZ Router
- 28. 28Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
NSRP: Data-Path Forwarding
NSRP can correct asymmetric
state in some situations
• 2) BACKUP device receives
packet that matches session
from master
• 3) packet is exception-
forwarded (CPU forwarded)
to master over HA link
• 4) MASTER forwards packet
to end node
Do not rely on this behavior
• Serious performance impact
for large amounts of
forwarded traffic
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
- 29. 29Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Mixed-Mode NSRP (Simple)
Medium-sized enterprise
• Upstream OSPF to routers
• Downstream (Trust)
• Firewall cluster is first-hop router
for internal network
• Virtual IP/MAC in Trust VSI
• VSI exported to OSPF
Pro:
• Simple integration of OSPF and
Firewalls
• No Asymmetric State
Cons:
• Requires both VSD-less (untrust)
and VSD/VSI (trust)
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH A S E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
HA Link
VSI: Shared Address
OSPF
(VSD-less)
UNTRUST
OSPF Area X
TRUST
(L2)
- 30. 30Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Mixed-Mode NSRP (VSD-less + DMZ)
Add DMZ network to existing
VSD-less NSRP cluster
Pros:
• Allows for DMZ network
connected to OSPF
meshed network
Cons:
• Must control asymmetric state
with OSPF costing
• Requires both VSD-less and
VSD/VSI support
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H
1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
HA Link
UNTRUST
OSPF Area X
TRUST
OSPF Area X
DMZ
VSI
OSPF Passive
- 31. 31Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Mixed-mode NSRP Complications
Must link NSRP and OSPF
failover in mixed mode
• OSPF makes path calculations
based on link state information
from routers
• NSRP elects master based on
tracking information and priority
• Unidirectional feedback
• Add VSI as OSPF
passive interface
• Recommend adding NSRP zone
tracking or IP ping tracking to
control NSRP failover
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
S T A T U S
P O W E R
5 2 0 0
C O M P A C T F L A S H 1T X / R XL I N K
1 0 / 1 0 0
A L A R MS T A T U SH AS E S S I O NF L A S H
C O N S O L EM O D E M
5 0 0 0 - M G T
5 0 0 0 - 8 G
1
2
HA Link
UNTRUST
OSPF Area X
TRUST
OSPF Area X
DMZ
VSI
OSPF Passive
OSPF Trust-Untrust
Transit Path
VSD 1 Backup
lo0
VSD 1 Master
lo0
X
OSPF Untrust-DMZ
Transit Path
NAT from
loopback1:1
- 32. 32Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Questions?
- 33. 33Copyright © 2005 Juniper Networks, Inc. Proprietary and Confidential www.juniper.net
Thank You