Simple NSRP configuration
A quick NSRP configuration for reference purposes;
VSD: Virtual Security Device, it is a container for VSIs.
VSI: Virtual Security Interface.
NSRP is slightly different from VRRP when it comes to IP floating. In VRRP, nodes have their own IPs and acquire the master IP during failover. In NSRP, however, there is only one interface IP, which floats between the nodes.
manage-ip: It is node-specific and doesn’t float like the VSI address.
HA-links: Only a single link is needed, but there are advantages to having dual HA links.
Active/Passive NSRP Configuration
First of all connect both firewalls via their eth0/8-eth0/8 and eth0/9-eth0/9 interfaces.
1) Configure HA zones on both firewalls;
FW1-> set interface eth0/8 zone ha
FW1-> set interface eth0/9 zone ha
FW2-> set interface eth0/8 zone ha
FW2-> set interface eth0/9 zone ha
2) Activate NSRP, assign a name to cluster and set a VSD (Virtual Security Device) group
FW1-> set nsrp cluster id 1
FW1(M)-> set nsrp cluster name cluster-prague
cluster-prague:FW1(M)-> set nsrp vsd-group id 0 priority 5
FW2-> set nsrp cluster id 1
FW2(B)-> set nsrp cluster name cluster-prague
cluster-prague:FW2(B)-> save
cluster-prague:FW2(B)-> exec nsrp sync global-config save
Save global configuration successfully.
Continue to save local configurations ... Save local configuration successfully.
done.
Please reset your box to let cluster configuration take effect!
cluster-prague:FW2(B)-> reset
As advised by the output, we reset FW2.
3) Now it is time to configure the NSRP parameters;
cluster-prague:FW1(M)-> set nsrp rto-mirror sync
cluster-prague:FW1(M)-> set nsrp rto-mirror route
cluster-prague:FW1(M)-> set nsrp monitor interface eth0/0
cluster-prague:FW1(M)-> set nsrp monitor interface eth0/1
cluster-prague:FW2(B)-> set nsrp monitor interface eth0/0
cluster-prague:FW2(B)-> set nsrp monitor interface eth0/1
4) If both devices are synced, enable config synchronization
->set nsrp config sync
5) Monitored Interface Config
FW1
set interface ethernet0/0 ip 172.30.72.104/23
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.1.1.1/24
set interface ethernet0/1 nat
set interface ethernet0/1 manage-ip 10.1.1.2
set interface ethernet0/0 ip manageable
FW2
set interface ethernet0/0 ip 172.30.72.104/23
set interface ethernet0/0 route
set interface ethernet0/1 ip 10.1.1.1/24
set interface ethernet0/1 nat
set interface ethernet0/1 manage-ip 10.1.1.3
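An offline consistency check for the two node configurations built in steps 1 to 5, as an added example (not part of the original post and not Juniper tooling): it parses the `set` lines of both nodes and reports where they disagree on cluster id, HA zone interfaces, monitored interfaces or the floating interface IP, or where the manage-ip is not node-specific. The function names and sample configs are constructed for illustration, and the check that a manage-ip is a separate host in the interface subnet is an assumption about ScreenOS behaviour.

```python
import ipaddress
import re

# Constructed sample: FW1's NSRP-relevant lines, taken from the steps above.
FW1 = """\
set interface eth0/8 zone ha
set interface eth0/9 zone ha
set nsrp cluster id 1
set nsrp monitor interface eth0/0
set nsrp monitor interface eth0/1
set interface ethernet0/0 ip 172.30.72.104/23
set interface ethernet0/1 ip 10.1.1.1/24
set interface ethernet0/1 manage-ip 10.1.1.2
"""
FW2 = FW1.replace("manage-ip 10.1.1.2", "manage-ip 10.1.1.3")

def parse(cfg):
    """Collect the NSRP-relevant settings from ScreenOS 'set ...' lines."""
    out = {"cluster": None, "ha": set(), "monitor": set(), "ip": {}, "manage": {}}
    for line in cfg.splitlines():
        line = re.sub(r"\beth(?=\d)", "ethernet", line.strip())  # eth0/8 -> ethernet0/8
        if m := re.fullmatch(r"set nsrp cluster id (\d+)", line):
            out["cluster"] = m[1]
        elif m := re.fullmatch(r"set interface (\S+) zone ha", line):
            out["ha"].add(m[1])
        elif m := re.fullmatch(r"set nsrp monitor interface (\S+)", line):
            out["monitor"].add(m[1])
        elif m := re.fullmatch(r"set interface (\S+) ip (\d\S*/\d+)", line):
            out["ip"][m[1]] = ipaddress.ip_interface(m[2])
        elif m := re.fullmatch(r"set interface (\S+) manage-ip (\S+)", line):
            out["manage"][m[1]] = ipaddress.ip_address(m[2])
    return out

def audit(cfg_a, cfg_b):
    """Return findings for a node pair; an empty list means consistent."""
    a, b = parse(cfg_a), parse(cfg_b)
    findings = []
    for key, what in (("cluster", "cluster id"), ("ha", "HA zone interfaces"),
                      ("monitor", "monitored interfaces"), ("ip", "interface IPs")):
        if not a[key] or a[key] != b[key]:
            findings.append(f"{what} missing or different between nodes")
    for ifc in sorted(a["manage"].keys() | b["manage"].keys()):
        mips = [node["manage"].get(ifc) for node in (a, b)]
        if None in mips or mips[0] == mips[1]:
            findings.append(f"{ifc}: manage-ip missing on one node or identical on both")
        elif ifc not in a["ip"] or any(
                m not in a["ip"][ifc].network or m == a["ip"][ifc].ip for m in mips):
            findings.append(f"{ifc}: manage-ip must be a separate host in the subnet")
    return findings
```

Feed it the saved `get config` text of each node; `audit(FW1, FW2)` on the sample pair returns an empty list.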
Some Useful commands;
Check config synchronization
>exec nsrp sync global-config check-sum
Forcing Config Synchronization
>exec nsrp sync global-config save
Show Info about cluster
>get nsrp
Show config differences
>exec nsrp sync global diff
Thanks, it really worked for me, very clear and simplest steps.