juniper NSRP

Post on 28-Mar-2015


NetScreen Redundancy Protocol

2

Objectives

• Discuss NSRP concepts

• Define NSRP-related terms and concepts

• Configure NSRP Active/Passive setup

• Verify NSRP operations

• Identify factors that affect failover time

• Tune NSRP failover behavior

3

NetScreen Redundancy Protocol

• Provides redundancy/fail-over for NetScreen Firewall/VPN products

• Proprietary protocol

• Dedicated link copies critical session-related information to backup system
  – No interruption to user session

4

NSRP Active/Passive

[Diagram: Active/Passive pair joined by an HA link, in front of the protected network]

5

NSRP Active/Active

[Diagram: Active/Active pair joined by an HA link, in front of the protected network]

6

NSRP Terminology

• HA link, port, zone

• NSRP cluster

• Virtual Security Device (VSD)

• Virtual Security Interface (VSI)

• Run Time Objects (RTOs)

7

HA Link/Port/Zone

• HA1 – Primary path

• HA2 – Secondary path

[Diagram: HA ports on each device, joined by HA links, together forming the HA zone]

8

NSRP Cluster

• Group of 2 NetScreens providing redundancy

• Identical configurations
  – Changes to one propagated via HA link to the other
  – Exceptions:
    • Hostname – use cluster name to identify “device” for PKI, SNMP, authentication, etc.
    • Some VSD settings
    • Local interface settings
    • Console settings
    • Track IP configuration

[Diagram: two NetScreens forming a cluster]

9

VSD/VSI/VSD Group

• Virtual Security Device
  – Logical representation of a NetScreen
  – VSD0 by default

• Virtual Security Interface
  – Logical representation of interfaces

• VSD Group
  – 2 NetScreens sharing VSD configuration

[Diagram: VSD Group – each of the two NetScreens hosts VSD 0 with VSIs E1 and E2]

10

[Diagram: each unit hosts VSD 0 with VSIs E1 and E2; the failed unit is labelled Inoperable Master]

VSD States and Failover

• Master
  – Determined by priority
  – Preempt

• Backup

• Initial

• Ineligible

• Inoperable

• Failover
  – Gratuitous ARPs

[Diagram: Master and Backup units, each with VSD 0 and VSIs E1/E2; the X marks the failed unit]

11

NSRP VSD Group – Active/Passive

• NetScreen-1 is the Master for VSD Group 0
  – The VSIs for VSD group 5 on NetScreen-1 forward data

• NetScreen-2 is the Primary Backup for VSD Group 0
  – The VSIs for VSD group 5 on NetScreen-2 are in backup and do not forward data

[Diagram: both units host VSD 0 with VSIs E1 and E2; one unit has VSD group id 0, priority 50, Active; the other has VSD group id 0, priority 100, Backup]

12


NSRP VSD Group – Active/Active

[Diagram: both units host VSD 10 (VSIs E1:10, E2:10) and VSD 11 (VSIs E1:11, E2:11); for each VSD one unit is Active with priority 50 and the other is Backup with priority 100, so each unit is active for one VSD and backup for the other]

13

Run Time Objects (RTO)

• Objects created dynamically in memory
  – Session table entries
  – ARP cache entries
  – DHCP leases
  – IPSec security associations

14

Syncing Sessions

[Sequence diagram: Master → Backup over the HA link]

Session established
Add session – timeout 8x default
...
Session timeout = 0: sync timeout
If session timeout = protocol max, send 8x default
If session timeout > 10, send sync
If session timeout < 10, mark session

15

NSRP Configuration – Active/Passive

[Diagram: two NetScreens joined on E5 (HA); on each unit E1 connects to Zone 1 and E8 to the Internet]

16

NSRP Configuration Steps – Active/Passive

On both devices

1. Assign interface to HA zone (if not using dedicated HA ports)

2. Configure cluster settings

3. Configure interfaces to be monitored

4. Adjust VSD settings (if desired)

On one device

5. Change interfaces, policies, etc. as desired
   • Changes will automatically be copied via HA link

17

1: Assign Interface to HA Zone

Network>Interfaces (Edit)

18

2: Configure Cluster Settings

Network>NSRP>Cluster

set nsrp cluster id <1-7>
set nsrp cluster name <name>
set nsrp arp <number>
set nsrp auth password <password>
set nsrp encrypt password <password>

3: Set Interfaces for Monitoring

19

Network>NSRP>Monitor>TrackIP>Edit

Network>NSRP>Monitor>Interface>Edit

set nsrp monitor interface <name> weight <1-255>
set nsrp monitor threshold <1-255>

20

4: Adjust VSD Settings

Network>NSRP>VSD Group>Configuration

set nsrp vsd id <number> priority <1-254>
set nsrp vsd id <number> preempt
set nsrp vsd id <number> preempt hold-down <sec>

21

Verifying NSRP Configuration

Network>NSRP>VSD Group

Network>NSRP>Monitor>Interface

22

Verifying NSRP Configuration

left(M)-> get nsrp cluster
cluster id: 1, no name
local unit id: 1907680
active units discovered:
index: 0, unit id: 1907680, ctrl mac: 0010db1d1be8,
index: 1, unit id: 1680608, ctrl mac: 0010db19a4e8, data mac: 0010db19a4eb
total number of units: 2

left(M)-> get nsrp vsd id 0
VSD group info:
init hold time: 5
heartbeat lost threshold: 3
heartbeat interval: 1000(ms)
master always exist: disabled
group  priority  preempt  holddown  inelig  master  PB       other members
    0        50      yes         5      no  myself  1680608

vsd group id: 0, member count: 2, master: 1907680
member information:
---------------------------------------------------------------------
group  unit_id  state           prio  flag  rto_peer  hb  miss  holddown
---------------------------------------------------------------------
    0  1680608  primary backup   100     0         0   0     0         0
    0  1907680  master            50     2         0   0     0         5

23

NSRP Configuration Synchronization

left(B)-> exec nsrp sync global-config check-sum

left(B)-> Warning: configuration out of sync

left(B)-> exec nsrp sync global save

left(B)-> load peer system config to save

Save global configuration successfully.

Save local configuration successfully.

done.

Please reset your box to let cluster configuration take effect!

System change state to Active(1)

configuration in sync (local checksum 1213013518 == remote checksum 1213013518)

Received all run-time-object from peer.
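The two verification slides above show NSRP state as a human would read it off the console. As an added example (not part of the deck, and not ScreenOS code), the following Python parses the member table of `get nsrp vsd id` and the check-sum line of `exec nsrp sync global-config check-sum` so that the same checks can run from a monitoring script: exactly one master, a primary backup present, no unit stuck in init/ineligible/inoperable, the master still being the unit you expect (a changed master means a failover happened), and configuration checksums matching. The sample output is constructed from the values on the slides; the regular expressions and the health rules are this example's own assumptions about the output format.

```python
import re

# Constructed sample, modelled on the "get nsrp vsd id 0" member table shown on
# the slide (unit ids, states and priorities copied from there).
SAMPLE_VSD_OUTPUT = """\
vsd group id: 0, member count: 2, master: 1907680
member information:
---------------------------------------------------------------------
group  unit_id  state           prio  flag  rto_peer  hb  miss  holddown
---------------------------------------------------------------------
    0  1680608  primary backup   100     0         0   0     0         0
    0  1907680  master            50     2         0   0     0         5
"""

# Constructed sample lines, modelled on the sync-check output on the slide.
SAMPLE_SYNC_OK = ("configuration in sync "
                  "(local checksum 1213013518 == remote checksum 1213013518)")
SAMPLE_SYNC_BAD = "Warning: configuration out of sync"

# One member row: group, unit_id, a state that may contain a space
# ("primary backup"), then six numeric columns.
MEMBER_RE = re.compile(
    r"^\s*(\d+)\s+(\d+)\s+([a-z][a-z ]*?)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s+(\d+)\s*$"
)
HEADER_RE = re.compile(r"vsd group id: (\d+), member count: (\d+), master: (\d+)")
# VSD states from the deck in which a unit cannot take over traffic.
NOT_READY = {"init", "initial", "ineligible", "inoperable"}


def parse_vsd_members(text):
    """Return one dict per member row found in get-nsrp-vsd output."""
    members = []
    for line in text.splitlines():
        m = MEMBER_RE.match(line)
        if not m:
            continue
        members.append({
            "group": int(m.group(1)),
            "unit_id": m.group(2),
            "state": m.group(3).strip(),
            "prio": int(m.group(4)),
            "flag": int(m.group(5)),
            "rto_peer": int(m.group(6)),
            "hb": int(m.group(7)),
            "miss": int(m.group(8)),
            "holddown": int(m.group(9)),
        })
    return members


def check_vsd_health(text, expected_master=None):
    """Return a list of findings; an empty list means the VSD group looks healthy.

    expected_master is the unit id that should be forwarding; a different master
    means the role moved (failover or preempt) since the last check.
    """
    header = HEADER_RE.search(text)
    if header is None:
        return ["could not find the 'vsd group id' header line"]
    findings = []
    members = parse_vsd_members(text)
    if len(members) != int(header.group(2)):
        findings.append(f"member count {header.group(2)} but {len(members)} rows parsed")
    masters = [m for m in members if m["state"] == "master"]
    if len(masters) != 1:
        findings.append(f"expected exactly one master, found {len(masters)}")
    elif masters[0]["unit_id"] != header.group(3):
        findings.append("member table master disagrees with header master")
    if not any(m["state"] == "primary backup" for m in members):
        findings.append("no primary backup: a master failure would have nowhere to go")
    if expected_master and masters and masters[0]["unit_id"] != expected_master:
        findings.append(f"master is {masters[0]['unit_id']}, expected {expected_master}: "
                        "failover occurred")
    for m in members:
        if m["state"] in NOT_READY:
            findings.append(f"unit {m['unit_id']} is {m['state']} and cannot take over")
    return findings


def config_in_sync(line):
    """True only when the sync check reports equal local and remote checksums."""
    m = re.search(r"local checksum (\d+) == remote checksum (\d+)", line)
    return bool(m) and m.group(1) == m.group(2)


if __name__ == "__main__":
    print("vsd findings:", check_vsd_health(SAMPLE_VSD_OUTPUT, expected_master="1907680"))
    print("config in sync:", config_in_sync(SAMPLE_SYNC_OK), config_in_sync(SAMPLE_SYNC_BAD))
```

In practice the two strings would come from the device console or a management connection; feeding them to these functions on a schedule turns an unexpected master change or an out-of-sync configuration into an alert rather than something noticed after the next outage.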

24

Factors that Affect Failover Time

• Heartbeat Messages

• Switching technologies
  – Spanning Tree Protocol
  – Channeling, Bonding, PAgP
  – Trunking protocols

set nsrp vsd-group hb-threshold <number>
set nsrp vsd-group hb-interval <milliseconds>

25

Points to Consider

• NSRP is only one part of overall redundancy solution
  – NetScreens are redundant… but what about switches? Routers?

[Diagram: two protected-network topologies, labelled "Good" and "Better!"]

26

What if HA Link Fails?

• If using dual links, remaining link assumes control
  – Data channel dropped on everything but NS-5000 series

• If using single link, NSRP stops working
  – Use in-line interface as secondary path to prevent this

• Probe option actively monitors HA link status

Network > NSRP > Link

set nsrp secondary <int_name>

set nsrp ha probe interval <sec>
set nsrp ha probe threshold <num>

27

NSRP-Lite

• Available for NS-50, NS-25, and NS5-GT devices

• Uses in-band interface for HA communication

• No VSIs
  – Interfaces are configured independently
  – Can be identical or not

[Diagram: two NSRP-Lite units; Trust side 10.1.1.1/24; Untrust interfaces addressed independently as 1.1.1.1/24 and 2.2.2.2/24]

28

Tuning Failover Behavior

• Monitored objects
  – Interface
  – Zone
  – Target host

• Failover calculation

• Defaults
  – Failover threshold: 255
  – Individual object weights: 255
  – Therefore, by default, one failure will cause failover

If FailedObjectWeight ≥ FailoverThreshold, fail over

FailedObjectWeight = sum(IntWt) + sum(ZoneWt) + IPTrackWt

29

Setting Device Failover Threshold

• Command not available from WebUI

set nsrp monitor threshold <1-255>

30

Adjusting Interface Weight

• Configured on per-VSD basis

Network > NSRP > Monitor > Interface > Edit

set nsrp monitor vsd id <group_num> monitor int <name> weight <1-255>

31

Adjusting Zone Weight

• Configured on per-VSD basis

• All interfaces in zone must fail for zone to fail

Network > NSRP > Monitor > Zone > Edit

set nsrp monitor vsd id <group_num> monitor zone <name> weight <1-255>

32

IP Tracking

• Tracks reachability to mission-critical hosts

• Failure of IP Tracking is a sum operation
  – IP track weight then added to overall fail-over calculation

• Defaults
  – IP Track Threshold: 255
  – IP Track Weight: 255
  – IP Address Weight: 1

• Reachability tested by ping (for remote hosts) or ARP (for directly-connected hosts)

If sum(FailedAddress) ≥ IPTrackThreshold, IP Track fails – send IPTrackWt to device failover calculation
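The two formulas on the Tuning Failover Behavior and IP Tracking slides are easy to misjudge when weights are changed from their defaults. As an added example (not part of the deck, and not how ScreenOS implements it internally), the following Python carries both calculations through on worked cases: the deck defaults, where a single interface loss already reaches the threshold; interfaces tuned to weight 128 so that one loss is tolerated; a zone that fails only when all of its interfaces are down; and IP tracking, where the deck's default address weight of 1 against a track threshold of 255 means a single unreachable host changes nothing until the thresholds are tuned. The interface names (ethernet1 and so on), the tracked addresses and the MonitorConfig structure are this example's own constructed assumptions; the constants and formulas are the deck's.

```python
from dataclasses import dataclass, field

# Defaults as stated in the deck: any single monitored object failing
# (weight 255 against threshold 255) is enough to trigger failover.
DEFAULT_FAILOVER_THRESHOLD = 255
DEFAULT_OBJECT_WEIGHT = 255
DEFAULT_IP_TRACK_THRESHOLD = 255
DEFAULT_IP_TRACK_WEIGHT = 255
DEFAULT_IP_ADDRESS_WEIGHT = 1


@dataclass
class MonitorConfig:
    """Monitoring settings for one VSD group (the structure is this example's own)."""
    failover_threshold: int = DEFAULT_FAILOVER_THRESHOLD
    interfaces: dict = field(default_factory=dict)   # interface name -> weight
    zones: dict = field(default_factory=dict)        # zone name -> (weight, [interface names])
    tracked_ips: dict = field(default_factory=dict)  # address -> weight
    ip_track_threshold: int = DEFAULT_IP_TRACK_THRESHOLD
    ip_track_weight: int = DEFAULT_IP_TRACK_WEIGHT


def zone_failed(member_interfaces, interface_up):
    """A zone counts as failed only when every interface in it is down."""
    return all(not interface_up[name] for name in member_interfaces)


def ip_track_failed(cfg, reachable):
    """IP tracking fails when the weights of the unreachable addresses sum to the track threshold."""
    failed_sum = sum(w for addr, w in cfg.tracked_ips.items() if not reachable[addr])
    return failed_sum >= cfg.ip_track_threshold


def failed_object_weight(cfg, interface_up, reachable):
    """FailedObjectWeight = sum(IntWt) + sum(ZoneWt) + IPTrackWt, as on the slide."""
    int_wt = sum(w for name, w in cfg.interfaces.items() if not interface_up[name])
    zone_wt = sum(w for w, members in cfg.zones.values() if zone_failed(members, interface_up))
    ip_wt = cfg.ip_track_weight if ip_track_failed(cfg, reachable) else 0
    return int_wt + zone_wt + ip_wt


def should_fail_over(cfg, interface_up, reachable):
    """Fail over when FailedObjectWeight reaches the device failover threshold."""
    return failed_object_weight(cfg, interface_up, reachable) >= cfg.failover_threshold


def scenarios():
    """Worked cases; returns {name: fails_over} so the outcomes can be checked."""
    results = {}

    # 1. Deck defaults: two monitored interfaces at weight 255, threshold 255.
    #    One interface down already reaches the threshold.
    default_cfg = MonitorConfig(interfaces={"ethernet1": 255, "ethernet8": 255})
    results["default_one_interface_down"] = should_fail_over(
        default_cfg, {"ethernet1": False, "ethernet8": True}, {})

    # 2. Tuned: each interface weighs 128, so a single loss stays below 255.
    tuned_cfg = MonitorConfig(interfaces={"ethernet1": 128, "ethernet8": 128})
    results["tuned_one_interface_down"] = should_fail_over(
        tuned_cfg, {"ethernet1": False, "ethernet8": True}, {})
    results["tuned_both_interfaces_down"] = should_fail_over(
        tuned_cfg, {"ethernet1": False, "ethernet8": False}, {})

    # 3. Zone monitoring: the zone fails only if every interface in it is down.
    zone_cfg = MonitorConfig(zones={"Untrust": (255, ["ethernet7", "ethernet8"])})
    results["zone_one_member_down"] = should_fail_over(
        zone_cfg, {"ethernet7": True, "ethernet8": False}, {})
    results["zone_all_members_down"] = should_fail_over(
        zone_cfg, {"ethernet7": False, "ethernet8": False}, {})

    # 4. IP tracking at deck defaults: the address weighs 1 against a track
    #    threshold of 255, so one unreachable host never fails IP tracking.
    up = {"ethernet1": True}
    default_track = MonitorConfig(tracked_ips={"10.1.1.254": DEFAULT_IP_ADDRESS_WEIGHT})
    results["default_tracked_host_unreachable"] = should_fail_over(
        default_track, up, {"10.1.1.254": False})

    # 5. IP tracking tuned: three hosts at weight 85; all three must be unreachable
    #    (sum 255) before IP tracking fails and adds IPTrackWt (255) to the device total.
    tuned_track = MonitorConfig(
        tracked_ips={"10.1.1.254": 85, "10.1.1.253": 85, "10.1.1.252": 85})
    results["tuned_two_hosts_unreachable"] = should_fail_over(
        tuned_track, up, {"10.1.1.254": False, "10.1.1.253": False, "10.1.1.252": True})
    results["tuned_three_hosts_unreachable"] = should_fail_over(
        tuned_track, up, {"10.1.1.254": False, "10.1.1.253": False, "10.1.1.252": False})
    return results


if __name__ == "__main__":
    for name, fails_over in scenarios().items():
        print(f"{name:35s} -> {'FAIL OVER' if fails_over else 'stay master'}")
```

The design point the cases make is that the three contributions are summed, not compared individually: lowering one object's weight below the threshold only prevents failover if no other failed object fills the gap, and IP tracking contributes nothing at all until the unreachable-address weights reach their own threshold.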

33

Configuring IP Tracking

1. Enable IP Tracking
   – Set failure threshold for tracking
   – Set weight for tracking

2. Configure tracked addresses
   – Set tracking method and parameters
   – Set weight per address

34

1: Enable IP Tracking

• Cannot set weight from WebUI

Network > NSRP > Monitor > TrackIP > Edit

set nsrp track-ip
set nsrp track-ip threshold <1-255>
set nsrp track-ip weight <1-255>

35

2: Configure Tracked Addresses – WebUI

• Configured on real interface, not VSI

Network > Interfaces > Edit > TrackIP

36

2: Configure Tracked Addresses – CLI

• Tracking method can only be configured from CLI

set nsrp track-ip ip <address>
set nsrp track-ip ip <address> interface <name>
set nsrp track-ip ip <address> method [arp | ping]
set nsrp track-ip ip <address> interval <sec>
set nsrp track-ip ip <address> threshold <1-200>
set nsrp track-ip ip <address> weight <1-255>

37

Summary

• In this module we
  – Discussed NSRP-related terms and concepts
  – Configured NSRP Active/Passive setup
  – Verified NSRP operations
  – Identified factors that affect failover time
  – Configured NSRP Active/Active setup
  – Configured interface redundancy
  – Tuned NSRP failover behavior

38

Review Questions

1. Which products support NSRP?

2. Which products have designated HA ports?

3. Why would you configure a cluster name?

4. What determines who is master for a VSD?

5. How many devices can be active for a VSD group?

6. What is the purpose of the secondary link?

39

NSRP Active/Passive Demo

[Diagram: lab topology – E5 is the HA link between the two units; VLAN1–VLAN4 carry Group1–Group4, VLAN7 the Instructor, VLAN8 the Internet; interfaces E1, E2, E3, E4, E7 and E8 are present on each unit]