Example: Configuring a Redundant Interface (NSM Procedure)

A redundant interface combines two physical interfaces to create one redundant interface, which you can then bind to a security zone. One of the two physical interfaces acts as the primary interface and handles all the traffic directed to the redundant interface; the other physical interface is the secondary interface and stands by. If the primary interface fails, traffic to the redundant interface fails over to the secondary interface, which becomes the new primary interface.

Because redundant interfaces fail over at the interface level, a link failure is handled before it escalates to a device failover. For this reason they are often used when deploying two security devices in a high availability (HA) configuration. You can use the dedicated physical redundant HA interfaces or bind two generic interfaces to the HA zone (you can also create redundant interfaces in security zones). Then, if the link from the primary interface to the switch is disconnected, traffic fails over to the secondary interface, and no device failover from the VSD primary to the backup is needed.

Note: You cannot combine subinterfaces in a redundant interface. However, you can define a VLAN on a redundant interface in the same way that you can define a VLAN on a subinterface.

In this example, devices A and B are members of two VSD groups—VSD group 0 and VSD group 1—in an active/active configuration. Device A is the primary device of VSD group 0 and the backup in VSD group 1. Device B is the primary device of VSD group 1 and the backup in VSD group 0. The devices are linked to two pairs of redundant switches—switches A and B in the Untrust zone, and switches C and D in the Trust zone.

Because devices A and B are members of the same NSRP cluster, device A propagates all interface configurations to device B except the manage IP address, which you enter separately on the redundant2 interface of each device. You put ethernet1/1 and ethernet1/2 in redundant1, and ethernet2/1 and ethernet2/2 in redundant2. On the redundant2 interface, you define a manage IP of 10.1.1.21 for device A and a manage IP of 10.1.1.22 for device B.

The physical interfaces that are bound to the same redundant interface connect to different switches: ethernet1/1 and ethernet1/2 connect to switches A and B in the Untrust zone, and ethernet2/1 and ethernet2/2 connect to switches C and D in the Trust zone.

By putting ethernet1/1 and ethernet2/1 in their respective redundant interfaces first, you designate them as primary interfaces. If the link to a primary interface becomes disconnected, the device reroutes traffic through the secondary interface to the other switch without requiring the VSD primary device to fail over.

The physical interfaces do not have to be in the same security zone as the redundant interface to which you bind them. IP addresses for multiple VSIs can be in the same subnet or in different subnets if the VSIs are on the same redundant interface, physical interface, or subinterface. If the VSIs are on different interfaces, they must be in different subnets. Table 25 lists IP addresses for the VSIs.

Table 25: VSI IP Addresses

VSI           IP Address        VSI             IP Address
redundant1    210.1.1.1/24      redundant1:1    210.1.1.2/24
redundant2    10.1.1.1/24       redundant2:1    10.1.1.2/24

In this example, if the cable from ethernet1/1 on device A is disconnected, redundant1 fails over to ethernet1/2. Consequently, all Untrust-zone traffic to and from devices A and B passes through switch B. Reconnecting the cable from ethernet1/1 on device A to switch A automatically causes that interface to regain its former priority as the primary interface.

To configure a redundant interface:

  1. Add the cluster and member devices:
    • For cluster, specify NetScreen-500 security devices running ScreenOS 5.1.
    • Add member Device A.
    • Add member Device B.
  2. Create a VSD definition for the cluster:
    • Double-click the Office 1 Cluster to open the cluster configuration.
    • In the cluster navigation tree, select Members.
    • In the VSD Definitions area, click the Add icon.
    • Enter 2, and then click OK to save the new VSD definition.
  3. Configure the cluster network module (slot1):
    • In the cluster navigation tree, select Network > Slot.
    • Double-click slot 1 to display the slot configuration dialog box. For Card Type, select 2 Interfaces (10/100).
    • Click OK to save the slot configuration. Repeat process to add a new network module for slot 2.
  4. Configure the redundant1 interface:
    • In the cluster navigation tree, select Network > Interface.
    • Click the Add icon and select Redundant Interface. The General Properties screen appears.
  5. Configure the following options, and then click OK:
    • For Zone, select Untrust.
    • For IP address/netmask, enter 210.1.1.1/24.
    • Ensure that Manageable is enabled.
    • Ensure that the Management IP is 210.1.1.1.
  6. Add ethernet1/1 as a member of the redundant1 interface:
    • In the cluster navigation tree, select Network > Interface. Double-click ethernet1/1. The General Properties screen appears.
    • Configure the Redundant Interface Group as redundant1, and then click OK to save your changes.
  7. Add ethernet1/2 as a member of the redundant1 interface:
    • In the cluster navigation tree, select Network > Interface. Double-click ethernet1/2. The General Properties screen appears.
    • Configure the Redundant Interface Group as redundant1, and then click OK to save your changes.
  8. Configure the redundant2 interface:
    • In the cluster navigation tree, select Network > Interface.
    • Click the Add icon and select Redundant Interface. The General Properties screen appears.
  9. Configure the following options, and then click OK:
    • For Zone, select Trust.
    • For IP address/netmask, enter 10.1.1.1/24.
  10. Add ethernet2/1 as a member of the redundant2 interface:
    • In the cluster navigation tree, select Network > Interface. Double-click ethernet2/1. The General Properties screen appears.
    • For Redundant Interface Group, select redundant2.
    • Click OK to save your changes.
  11. Add ethernet2/2 as a member of the redundant2 interface:
    • In the cluster navigation tree, select Network > Interface. Double-click ethernet2/2. The General Properties screen appears.
    • For Redundant Interface Group, select redundant2.
    • Click OK to save your changes.
  12. Add the VSI interface for redundant1:
    • In the cluster navigation tree, select Network > Interfaces. Click the Add icon and select VSI. The General Properties screen appears.
  13. Configure the following options, and then click OK:
    • For Name, select redundant1, and then select 1 (for VSD Group 1).
    • For IP address/Netmask, enter 210.1.1.2/24.
    • Ensure that Manageable is enabled.
  14. Add the VSI interface for redundant2:
    • In the cluster navigation tree, select Network > Interfaces. Click the Add icon and select VSI. The General Properties screen appears.
  15. Configure the following options, and then click OK:
    • For Name, select redundant2, then select 1 (for VSD Group 1).
    • For IP address/Netmask, enter 10.1.1.2/24.
    • Ensure that Manageable is enabled.
    • Click Apply to apply your changes to the cluster and propagate the settings to each member device.
  16. Configure the Manage IP address for each member device:
    • In the cluster navigation tree, select Members, and then double-click Device A.
    • In the device navigation tree, select Network > Interfaces, and then double-click redundant2. The General Properties screen appears.
    • For Management IP, enter 10.1.1.21, and then click OK to save your changes.
    • In the cluster navigation tree, select Members, and then double-click Device B.
    • In the device navigation tree, select Network > Interfaces, and then double-click redundant2. The General Properties screen appears.
    • For Management IP, enter 10.1.1.22, and then click OK to save your changes.
  17. Click OK to save your changes to the cluster.
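The following Python is an added example, not NSM or ScreenOS code and not part of the original page. It models the two redundant interfaces from Table 25 and the procedure above, checks the design against the rules the text states (exactly two physical members, no subinterfaces, the first member added is the primary, members cabled to different switches, VSIs on different interfaces in different subnets while VSIs on one interface may share a subnet), simulates which member carries traffic when a cable is unplugged and reconnected, and renders the design as `set interface` lines for each cluster member. Two assumptions are made: the rendered CLI strings are this example's assumed ScreenOS equivalents of the NSM steps, and the check that a manage IP lies inside its interface's own subnet is a ScreenOS requirement assumed here rather than stated on this page. The switch letters are those of the example topology, and the bad design is constructed for illustration.

```python
"""Added example: model and rule checker for the redundant-interface design.

Not NSM or ScreenOS code. Assumptions: the rendered 'set interface ...'
strings are assumed ScreenOS CLI equivalents of the NSM steps, and the
manage-IP-inside-interface-subnet rule is assumed ScreenOS behaviour.
"""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Member:
    name: str    # physical interface, e.g. "ethernet1/1"
    switch: str  # switch the port is cabled to, e.g. "A"


@dataclass
class RedundantIf:
    name: str
    zone: str
    ip: str                 # VSI for VSD group 0, e.g. "210.1.1.1/24"
    members: list           # Member objects; the first one added is primary
    vsi: dict = field(default_factory=dict)        # VSD group -> "ip/prefix"
    manage_ip: dict = field(default_factory=dict)  # device -> manage IP


def validate(rifs):
    """Return the list of rule violations; an empty list means the design is OK."""
    errors = []
    subnet_owner = {}  # network -> redundant interface whose VSI uses it
    for r in rifs:
        if len(r.members) != 2:
            errors.append(f"{r.name}: needs exactly two physical members")
        for m in r.members:
            if "." in m.name:  # ethernet2/1.1-style names are subinterfaces
                errors.append(f"{r.name}: {m.name} is a subinterface, not allowed")
        if len({m.switch for m in r.members}) < len(r.members):
            errors.append(f"{r.name}: members share a switch, no switch-level redundancy")
        # VSIs on one redundant interface may share a subnet (redundant1 and
        # redundant1:1 in Table 25); VSIs on different interfaces must not.
        nets = {ipaddress.ip_interface(a).network for a in [r.ip, *r.vsi.values()]}
        for net in nets:
            owner = subnet_owner.setdefault(net, r.name)
            if owner != r.name:
                errors.append(f"{r.name}: subnet {net} already used by {owner}")
        # Assumed ScreenOS rule: the manage IP lies in the interface's subnet.
        ifnet = ipaddress.ip_interface(r.ip).network
        for dev, mip in r.manage_ip.items():
            if ipaddress.ip_address(mip) not in ifnet:
                errors.append(f"{r.name}: manage IP {mip} for device {dev} not in {ifnet}")
    return errors


def active_member(r, down_links):
    """Name of the member carrying traffic, given a set of disconnected ports.
    The first member whose link is up wins, so the primary regains its role
    as soon as its cable is reconnected, as the text describes."""
    for m in r.members:
        if m.name not in down_links:
            return m.name
    return None


def render_cli(rifs, device):
    """Render the design as assumed ScreenOS CLI lines for one cluster member.
    Everything except the manage IP is identical on both devices (NSRP
    propagates it); the manage IP is entered per device."""
    lines = []
    for r in rifs:
        lines.append(f"set interface {r.name} zone {r.zone}")
        lines.append(f"set interface {r.name} ip {r.ip}")
        for m in r.members:  # order matters: the first member becomes primary
            lines.append(f"set interface {m.name} group {r.name}")
        for group, ip in r.vsi.items():
            lines.append(f"set interface {r.name}:{group} ip {ip}")
        if device in r.manage_ip:
            lines.append(f"set interface {r.name} manage-ip {r.manage_ip[device]}")
    return lines


# The design from the page (Table 25 plus the member/switch cabling).
EXAMPLE = [
    RedundantIf("redundant1", "Untrust", "210.1.1.1/24",
                [Member("ethernet1/1", "A"), Member("ethernet1/2", "B")],
                vsi={1: "210.1.1.2/24"}),
    RedundantIf("redundant2", "Trust", "10.1.1.1/24",
                [Member("ethernet2/1", "C"), Member("ethernet2/2", "D")],
                vsi={1: "10.1.1.2/24"},
                manage_ip={"A": "10.1.1.21", "B": "10.1.1.22"}),
]

# Constructed bad design: a subinterface member, both ports on switch C,
# a VSI subnet that collides with redundant1, and an off-subnet manage IP.
BAD = [
    EXAMPLE[0],
    RedundantIf("redundant2", "Trust", "210.1.1.3/24",
                [Member("ethernet2/1", "C"), Member("ethernet2/1.1", "C")],
                vsi={1: "10.1.1.2/24"},
                manage_ip={"A": "10.1.1.21"}),
]

if __name__ == "__main__":
    print("good design errors:", validate(EXAMPLE))
    print("bad design errors:")
    for e in validate(BAD):
        print("  ", e)
    print("after ethernet1/1 unplug:", active_member(EXAMPLE[0], {"ethernet1/1"}))
    for dev in ("A", "B"):
        print(f"--- device {dev} ---")
        print("\n".join(render_cli(EXAMPLE, dev)))
```

Running the script prints an empty error list for the page's design, four violations for the constructed bad design, and the per-device line sets, which differ only in the `manage-ip` line, matching the note above that NSRP propagates every interface setting except the manage IP.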
