ScreenOS Firewalls (NOT SRX)
Reply
Visitor
stevehoot
Posts: 4
Registered: ‎06-04-2010
0

NSRP and PPPoE...

Hi Guys,

 

I have a in production SSG 320M SH, everything working fine. I'm planning on turning it into a NSRP Active/Passive cluster with another SSG 320M SH (and same PIMs).

 

However at the same time I want to add in an ADSL connection. I'm thinking a PPPoE ADSL2 modem (e.g. DrayTek 100) would do the trick. (Done it on a couple of SSG-5's a few times and worked fine).

 

The problem is that I'm struggling to work out if a PPPoE connection will work OK in a NSRP cluster...? The PPPoE modem has multiple ethernet interfaces, so I'm thinking of connecting say eth1/5 to the modem on my production firewall. Once done and using the ADSL I was then planning on bringing the new (and will be passive) SSG and connecting everything up. However would ScreenOS be OK with failover when one of the ethernet interfaces is PPPoE?

 

Documentation on this is very weak and after speaking to JTAC the engineer blagged that it wouldn't work but couldn't tell me why. I'm not sure I believe her as on page 263 in volume 2 of the ScreenOS 6.1.0 manual it states

 

"Two security devices that support PPPoE in Active/Active mode can handle failover
of a PPPoE connection. Upon initiation of the connection, the primary device
synchronizes its PPPoE state with the backup device. Because the passive device
uses the same IP address as the primary device, it does not have to make a new
PPPoE connection once it becomes the primary."

 

http://www.juniper.net/techpubs/software/screenos/screenos6.1.0/ce_v2.pdf

 

Think it means Active/Passive in the first line (as it references to a primary and backup device), but it seems to suggest a PPPoE configured interface should work and fallover as part of a NSRP cluster.

 

Anyone have any advice here? I'm sort of at a loss as apart from the above I can't seem to find any information about it! (O'Reilly ScreenOS Cookbook, SSG Config book, ScreenOS Manual, even JTAC!)

 

Cheers,

 

 

Steve

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.