Juniper NETWORK AND SECURITY MANAGER 2010.4 - CONFIGURING SCREENOS DEVICES GUIDE REV 01 Manual page 105

Copyright © 2010, Juniper Networks, Inc.
fails, traffic to the redundant interface fails over to the secondary interface, which becomes
the new primary interface.
Because redundant interfaces provide failover at the interface level, before a failure
escalates to a device-level failover, they are often used when deploying two security
devices in a high availability (HA) configuration. You can use the dedicated physical
redundant HA interfaces or bind two generic interfaces to the HA zone (you can also
create redundant security zone interfaces). Then, if the link from the primary interface
to the switch is disconnected, traffic fails over to the secondary interface,
preventing a device failover from the VSD primary to the backup.
NOTE: You cannot combine subinterfaces in a redundant interface. However,
you can define a VLAN on a redundant interface in the same way that you
can define a VLAN on a subinterface.
In this example, devices A and B are members of two VSD groups—VSD group 0 and
VSD group 1—in an active/active configuration. Device A is the primary device of VSD
group 0 and the backup in VSD group 1. Device B is the primary device of VSD group 1 and
the backup in VSD group 0. The devices are linked to two pairs of redundant
switches—switches A and B in the Untrust zone, and switches C and D in the Trust zone.
Because devices A and B are members of the same NSRP cluster, device A propagates
all interface configurations to device B except the manage IP address, which you enter
separately on each device. You put ethernet1/1 and ethernet1/2 in redundant1, and
ethernet2/1 and ethernet2/2 in redundant2. On the redundant2 interface, you define a
manage IP of 10.1.1.21 for device A and a manage IP of 10.1.1.22 for device B.
The physical interfaces that are bound to the same redundant interface connect to
different switches:
Physical interfaces bound to a redundant interface in the Untrust zone: ethernet1/1 to
switch A, ethernet1/2 to switch B.
Physical interfaces bound to a redundant interface in the Trust zone: ethernet2/1 to
switch C, ethernet2/2 to switch D.
By putting ethernet1/1 and ethernet2/1 in their respective redundant interfaces first, you
designate them as primary interfaces. If the link to a primary interface becomes
disconnected, the device reroutes traffic through the secondary interface to the other
switch without requiring the VSD primary device to fail over.
The physical interfaces do not have to be in the same security zone as the redundant
interface to which you bind them. IP addresses for multiple VSIs can be in the same
subnet or in different subnets if the VSIs are on the same redundant interface, physical
interface, or subinterface. If the VSIs are on different interfaces, they must be in different
subnets. Table 25 on page 82 lists IP addresses for the VSIs.
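The layout above can be checked before it is pushed to the cluster: members of one redundant interface must be physical (not subinterfaces) and should cable to different switches, the first member bound becomes the primary, and VSIs on different interfaces must not share a subnet. The following Python script is an added example (not Juniper code and not from NSM); it models the two redundant interfaces and four VSIs described in this section, applies those rules, and emits the per-device configuration. The VSI addresses are constructed for illustration (Table 25 on page 82 has the real ones), and the CLI strings it prints follow the ScreenOS `set interface ... group redundantN` / `redundantN:<group>` syntax as this author recalls it, which is an assumption to verify against your ScreenOS release.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class RedundantInterface:
    name: str           # e.g. "redundant1"
    zone: str           # e.g. "untrust"
    members: list       # physical members in binding order; members[0] is the primary
    switch_of: dict     # member -> switch it is cabled to (for the cross-switch check)

    def primary(self):
        return self.members[0]


@dataclass
class VSI:
    interface: str      # redundant interface the VSI lives on
    vsd_group: int      # VSD group that owns the VSI
    address: str        # "a.b.c.d/prefix"


def validate(redundants, vsis):
    """Return the list of rule violations; an empty list means the layout is acceptable."""
    problems = []
    for r in redundants:
        if len(r.members) < 2:
            problems.append(f"{r.name}: needs a primary and a secondary member")
        for m in r.members:
            # Subinterfaces (ethernetX/Y.N) cannot be members of a redundant interface.
            if "." in m:
                problems.append(f"{r.name}: subinterface {m} cannot be a member")
        # Members of one redundant interface should reach different switches,
        # otherwise a single switch failure takes both links down together.
        switches = [r.switch_of.get(m) for m in r.members]
        if len(set(switches)) < len(switches):
            problems.append(f"{r.name}: members share a switch")
    # VSIs on the same interface may share a subnet; VSIs on different interfaces may not.
    for i, a in enumerate(vsis):
        for b in vsis[i + 1:]:
            if a.interface == b.interface:
                continue
            na = ipaddress.ip_interface(a.address).network
            nb = ipaddress.ip_interface(b.address).network
            if na.overlaps(nb):
                problems.append(f"VSIs on {a.interface} and {b.interface} overlap in {na}")
    return problems


def screenos_commands(redundants, vsis, manage_ip, manage_interface):
    """Emit one device's CLI; only the manage-ip line differs between cluster members."""
    cmds = []
    for r in redundants:
        cmds.append(f"set interface {r.name} zone {r.zone}")
        for m in r.members:                       # binding order designates the primary
            cmds.append(f"set interface {m} group {r.name}")
    for v in vsis:
        # Assumption: VSD group 0's VSI is the redundant interface itself; other
        # groups are addressed through the "redundantN:<group>" VSI name.
        vsi_name = v.interface if v.vsd_group == 0 else f"{v.interface}:{v.vsd_group}"
        cmds.append(f"set interface {vsi_name} ip {v.address}")
    cmds.append(f"set interface {manage_interface} manage-ip {manage_ip}")
    return cmds


# Constructed layout matching this section's example. VSI addresses are made up;
# the manage IPs are the ones the text gives.
REDUNDANTS = [
    RedundantInterface("redundant1", "untrust", ["ethernet1/1", "ethernet1/2"],
                       {"ethernet1/1": "switch A", "ethernet1/2": "switch B"}),
    RedundantInterface("redundant2", "trust", ["ethernet2/1", "ethernet2/2"],
                       {"ethernet2/1": "switch C", "ethernet2/2": "switch D"}),
]
VSIS = [
    VSI("redundant1", 0, "1.1.1.1/24"), VSI("redundant1", 1, "1.1.1.2/24"),
    VSI("redundant2", 0, "10.1.1.1/24"), VSI("redundant2", 1, "10.1.1.2/24"),
]
MANAGE_IPS = {"device A": "10.1.1.21", "device B": "10.1.1.22"}


def build_all():
    """Validate once, then return the command list for each cluster member."""
    problems = validate(REDUNDANTS, VSIS)
    if problems:
        raise ValueError("; ".join(problems))
    return {dev: screenos_commands(REDUNDANTS, VSIS, ip, "redundant2")
            for dev, ip in MANAGE_IPS.items()}


if __name__ == "__main__":
    for dev, cmds in build_all().items():
        print(f"# {dev}")
        print("\n".join(cmds))
```

Run it as-is to see the two command lists; the only difference between them is the manage-ip line on redundant2, which is exactly the one setting NSRP does not propagate. Feeding it a layout with a subinterface member, or a Trust-side VSI in the Untrust subnet, makes `build_all()` raise before anything is emitted.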
Chapter 3: Network Settings
81