Active/Active Configurations Overview

On a security device in Route or NAT mode, you can configure both devices in a redundant cluster to be active, sharing the traffic distributed between them by routers with load-balancing capabilities running a protocol such as the Virtual Router Redundancy Protocol (VRRP).

Using NSRP, you create two virtual security device (VSD) groups, each with its own virtual security interfaces (VSIs). For example, Device A acts as the primary of VSD group 1 and as the backup of VSD group 2. Device B acts as the primary of VSD group 2 and as the backup of VSD group 1. Devices A and B each receive 50% of the network and VPN traffic. Should device A fail, device B becomes the primary of VSD group 1, as well as continuing to be the primary of VSD group 2, and handles all of the traffic.

In ScreenOS 6.1 or later, on a security device in Transparent mode, the Active/Active mode provides system monitoring and traffic load-sharing by using VLANs to differentiate traffic to different VSDs. NSM allows the user to assign or unassign a VLAN group to a VSD. The user needs to set the VSD group in cluster mode and the VSD group ID list is available from the cluster member. All VLANs belonging to the group are assigned to the VSD group. The user can assign multiple VLAN groups to a VSD group as well.

Although the total number of sessions divided between the two devices in an active/active configuration cannot exceed the capacity of a single security device (otherwise, in the case of a failover, the excess sessions might be lost), the addition of a second device doubles the available bandwidth potential. A second active device also guarantees that both devices have functioning network connections.

Related Documentation