NSRP Clusters Overview

An NSRP cluster consists of two security devices that enforce the same security policy and share the same configuration settings. When you assign a security device to an NSRP cluster, any changes you make to the configuration on one member of the cluster propagate to the other. Members of the same NSRP cluster maintain identical settings for policies and policy objects (such as addresses, services, VPNs, users, and schedules) and system parameters (such as settings for authentication servers, DNS, SNMP, syslog, and so on).

Before two security devices can provide redundant network connectivity, you must group them in the same NSRP cluster. In an NSRP cluster, one device acts as a primary and the other as a backup:

Because of the sensitive nature of NSRP communications, you can secure all NSRP traffic through encryption and authentication. For encryption and authentication, NSRP supports the DES and MD5 algorithms respectively. However, if the HA cables run directly from one security device to another (that is, not through a switch forwarding other kinds of network traffic), it is unnecessary to use encryption and authentication.

In addition to NSRP clusters, which propagate configurations among group members and advertise each members’ current VSD group states, you can configure the devices as members in a runtime object (RTO) mirror group, which maintains the synchronicity of RTOs between a pair of devices. When the primary device fails, the backup becomes the primary device with minimal service downtime by maintaining all current sessions.

Note: We recommend that you do not change the settings of VSD group 0 after importing the NSRP to NSM. Doing so will result in a loss of most attributes, especially the interface attributes. If you must change VSD group 0 settings, do not use NSM to delete or add VSD group 0. The safe way is to use the CLI or the Web UI to make the change to the device cluster first, and then reimport the cluster to NSM. On devices running ScreenOS 6.3, NSRP supports IPv6.

For more information about NSRP, see the Concepts & Examples ScreenOS Reference Guide: NSRP for ScreenOS 5.x or the Concepts & Examples ScreenOS Reference Guide: High Availability.

Related Documentation