Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 

Example: Configuring Active/Passive Cluster (NSM Procedure)

 

In this example, you configure two NetScreen-208 security devices, Corporate A and Corporate B, in an NSRP cluster. Both devices are running ScreenOS 5.x. Using a cable, connect the ethernet7 interfaces of both devices, and then use another cable to connect the ethernet8 interfaces. Next, add the cluster and cluster member to NSM. When the devices become members of the NSRP cluster, the IP addresses of their physical interfaces automatically become the IP addresses of the virtual security interfaces (VSIs) for VSD group ID 0. Each VSD member has a default priority of 100. The device with the higher unit ID becomes the VSD group primary. See Figure 1.

Finally, configure the cluster:

  • Bind ethernet7 and ethernet8 to the HA zone. By default, ethernet8 is bound to the HA zone, so you only need to bind it to the HA zone if you have previously bound it to a different zone.

  • Set manage IP addresses for the Trust zone interfaces on both devices.

  • Configure monitoring on ethernet1 and ethernet3 so that loss of network connectivity on either of those ports triggers a device failover.

  • Select automatic synchronization of RTOs.

Figure 1: Example of NSRP Active/Passive Configuration
Example of NSRP Active/Passive Configuration

To configure an active/passive cluster:

  1. In the NSM navigation tree, select Device Manager > Devices. Click the Add icon and select Cluster. The Cluster screen is displayed. Configure the following, then click OK:
    • For Cluster Name, enter Corporate.

    • For Color, select cyan.

    • For Physical Choice, select ns208.

    • For OS Version, select 5.0.

    • Ensure that Transparent Mode is not enabled (unchecked).

    • For License Model, select Advanced.

  2. Add the following two cluster members to the cluster: Corporate A, Corporate B. Choose Model when adding each device.
  3. Configure the HA interfaces for the cluster.
  4. In the cluster navigation tree, select Network > Interface. Double-click ethernet7. The General Properties screen appears.
  5. For Zone, select HA, and then click OK to save your changes.
  6. Double-click ethernet8. The General Properties screen appears.
  7. Ensure that the zone name is HA, and then click OK to save your changes.
  8. Configure the Untrust interface for the cluster:
    • In the cluster navigation tree, select Network > Interface. Double-click ethernet1. The General Properties screen appears.

    • For Zone, select Untrust.

    • For IP address and netmask, enter 210.1.1.1/24.

    • Click OK to save your changes.

  9. Configure the Trust interface for the cluster:
    • In the cluster navigation tree, select Network > Interface. Double-click ethernet3. The General Properties screen appears.

    • For Zone, select Trust.

    • For IP address and netmask, enter 10.1.1.1/24.

    • Ensure that the interface mode is NAT, and then click OK to save your changes.

  10. Click Apply to apply all previous changes to the cluster members.
  11. Configure the Manage IP and Monitoring for Corporate A:
    • In the cluster navigation tree, select Members. Double-click Corporate A to open its device configuration.

    • In the device navigation tree, select Network > Interface and double-click ethernet 3. The General Properties screen appears.

    • For Manage IP, enter 10.1.1.20, and then click OK to save your changes.

  12. In the device navigation tree, select Monitoring > Whole Box Monitoring, and then select the Monitor Interface tab.
  13. Click the Add icon to display the new monitor interface dialog box. Select ethernet1, leave the default weight of 255, and click OK to save your changes.
  14. Click the Add icon to display the new monitor interface dialog box. Select ethernet3, leave the default weight of 255, and click OK to save your changes.
  15. Click OK to close the device configuration for Corporate A.
  16. Configure the Manage IP for Corporate B:
    • In the cluster navigation tree, select Members. Double-click Corporate B to open its device configuration.

    • In the device navigation tree, select Network > Interface and double-click ethernet 3. The General Properties screen appears.

    • For Manage IP, enter 10.1.1.21, and `then click OK to save your changes.

    • In the device navigation tree, select Monitoring > Whole Box Monitoring, and then select the Monitor Interface tab.

    • Click the Add icon to display the new monitor interface dialog box. Select ethernet1, leave the default weight of 255, and click OK to save your changes.

    • Click the Add icon to display the new monitor interface dialog box. Select ethernet3, leave the default weight of 255, and click OK to save your changes.

    • Click OK to close the device configuration for Corporate B.

  17. Configure the NSRP settings:
    • In the cluster navigation tree, select NSRP.

    • Select RTO Sync.

  18. Click OK to save your changes to the cluster and cluster members.