Example: Configuring DIP Groups (NSM Procedure) - Juniper Network and Security Manager 2010.4 - Configuring ScreenOS Devices Guide Rev 01

Example: Configuring DIP Groups (NSM Procedure)

including BGP, OSPF, RIP, RIPng, Telnet, SSH, Web, TFTP, SNMP, syslog, and WebTrends. The Web service contains the HTTP and HTTPS services.

DSCP marking for self-initiated traffic is required because, without it, an intermediate device might drop these self-initiated packets as lower-priority traffic.

The DSCP value of BGP and OSPF packets is set to 48; for all other services the default value is 0. The value must be in the range 0 to 63, and a DSCP value of 0 is the lowest priority.

When the administrator sets the DSCP value for a specific service, the DSCP field of every self-initiated packet that belongs to that service is set to the specified value.
Related documentation:

- Example: Configuring DIP Groups (NSM Procedure) on page 100
- DNS Server Configuration Using DNS Settings on page 103
- Example: Configuring DNS Proxy Entries (NSM Procedure) on page 105
Use a DIP group to combine two DIP pools for two security devices that are in an active/active NSRP configuration. When specifying the NAT settings in the rule options for a Security Policy rule, you can select a DIP group instead of a single DIP pool. Selecting a DIP group in the policy enables NAT using the DIP pool that exists on either device in the HA configuration.

Typically, two security devices in an active/active configuration share the same configuration, and both devices process traffic simultaneously. When you define a policy to perform NAT using a DIP pool located on one VSI, that VSI is active only on the device acting as the primary of the VSD group to which the VSI is bound; any traffic sent to the other device—the one acting as the backup of that VSD group—cannot use that DIP pool and is dropped. To solve this problem, you can create two DIP pools—one on the Untrust zone VSI for each VSD group—and combine the two DIP pools into one DIP group, which you reference in the policy. Each VSI uses its own DIP pool (the one on its VSD group) even though the policy specifies the DIP group. If you do not use a DIP group, the security device that acts as the backup of a VSD group cannot use a DIP pool located on the VSI of the primary of that VSD group. For more details about DIP groups on security devices, see the "Fundamentals" volume in the Concepts & Examples ScreenOS Reference Guide.
In this example, you configure a DIP group that includes the DIP pools of two security devices in an active/active NSRP configuration. By combining the DIP pools located on both Untrust zone VSIs (for VSD groups 0 and 1) into one DIP group, Devices A and B can both process traffic matching policy "out-nat," which references not an interface-specific DIP pool but the shared DIP group.
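The ScreenOS CLI equivalent of the setup described above, added here as an example rather than taken from the NSM procedure itself: the NSRP cluster with VSD groups 0 and 1 is assumed to already exist, ethernet3 is assumed to be the Untrust zone interface, and the pool IDs (5, 6), group ID (10) and address ranges are constructed values.

```text
# Constructed example; the "#" lines are annotations, not CLI input.
# Assumed: NSRP cluster already created with VSD group 0 (VSI ethernet3)
# and VSD group 1 (VSI ethernet3:1); both devices share this configuration.

# DIP pool 5 lives on the Untrust zone VSI of VSD group 0
set interface ethernet3 dip 5 1.1.1.20 1.1.1.29

# DIP pool 6 lives on the Untrust zone VSI of VSD group 1
set interface ethernet3:1 dip 6 1.1.1.30 1.1.1.39

# DIP group 10 combines both pools; at run time each VSI still translates
# only with its own member pool, so the backup of a VSD group never needs
# the pool that is active on the other device
set dip group 10 member 5
set dip group 10 member 6

# Policy "out-nat" references the group, not an interface-specific pool,
# so traffic arriving at either device is translated instead of dropped
set policy name out-nat from trust to untrust any any any nat src dip-id 10 permit
save
```

Without the DIP group, a policy that used `nat src dip-id 5` directly would drop traffic on whichever device is the backup for VSD group 0.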
To configure a DIP group:

1. Create the Cluster.
Copyright © 2010, Juniper Networks, Inc.