04-06-2011 07:43 AM
Can you run VRRP on a Redundant interface? I need to configure a failover mechanism between 2 WAN segments. 1 of those segments is a Netscreen VPN architecture and the other is MPLS on a Cisco router. The Cisco routers will be the VRRP master. The Cisco router and Juniper SSG-140 will be connecting to the same layer 2 switch stack LAN/Trust side. I want to try and keep routing symmetric, and thought that VRRP along with redundant interfaces would do the trick.
04-06-2011 09:46 AM
If you intended to configure VRRP on an SSG140 firewall there are a few things to know. VRRP was introduced in ScreenOS 6.1 but there is no possibility to configure VRRP from the GUI.
Here are the steps to configure VRRP with CLI:
set interface ethernet0/6 protocol vrrp
set interface ethernet0/6 protocol vrrp enable # activate VRRP for eth0/6
set interface ethernet0/6 ip 192.168.1.253/24 # "real" IP for VRRP group 1
set interface ethernet0/6:1 ip 192.168.1.254/24 # virtual IP for VRRP group 1
set interface ethernet0/6:1 protocol vrrp preempt # preemption (if desired)
set interface ethernet0/6:1 protocol vrrp priority 50 # priority (default is 100)
“get vrrp” command:
SSG-140-> get vrrp ?
interface            vrrp info for all interfaces
statistics           vrrp statistics
virtual-group        vrrp info for all virtual groups
There are also a lot of restrictions:
- It only works for native ethernet interfaces
- You can only have one VRRP group supported per interface
- There is no secondary VRRP ip possible
- Only VRRP or NSRP can be activated for the whole device, not both
- No VRRP authentication is supported
Hope this helps you,
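
Because the answer notes that no VRRP authentication is supported, a monitor on the LAN segment can at least validate each advertisement against the expected group. The following is an added example, not part of the original post or any Juniper code: it assumes VRRPv2 framing per RFC 3768, takes the VRID and addresses from the configuration above, and uses 192.168.1.252 as an assumed real address for the Cisco router.

```python
import ipaddress
import struct

# Expected group, taken from the configuration in the answer above. The second
# speaker (the Cisco router's real address) is an assumed value.
POLICY = {
    "vrid": 1,
    "virtual_ip": "192.168.1.254",
    "speakers": {"192.168.1.253", "192.168.1.252"},
}

# Constructed sample: VRRPv2 advertisement, VRID 1, priority 50, auth type 0,
# interval 1 s, one address (192.168.1.254), 8 bytes of empty auth data.
SAMPLE_ADVERT = bytes.fromhex("210132010001ea55c0a801fe" + "00" * 8)

def inet_checksum(data: bytes) -> int:
    """One's-complement checksum over the VRRP message (RFC 3768)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def check_advert(src_ip, ttl, payload, policy=POLICY):
    """Return findings for one IP-protocol-112 payload; [] means expected."""
    if len(payload) < 8:
        return ["truncated VRRP header"]
    ver_type, vrid, prio, count = struct.unpack("!4B", payload[:4])
    if ver_type != 0x21:  # version 2, type 1 (advertisement)
        return [f"not a VRRPv2 advertisement (0x{ver_type:02x})"]
    if len(payload) < 8 + 4 * count:
        return ["truncated address list"]
    vips = {str(ipaddress.IPv4Address(payload[8 + 4 * i:12 + 4 * i]))
            for i in range(count)}
    findings = []
    if inet_checksum(payload) != 0:  # a valid message sums to zero
        findings.append("bad checksum")
    if ttl != 255:  # RFC 3768: receivers must discard any other TTL
        findings.append(f"IP TTL {ttl}, expected 255")
    if src_ip not in policy["speakers"]:
        findings.append(f"unexpected speaker {src_ip} (priority {prio})")
    if vrid != policy["vrid"] or vips != {policy["virtual_ip"]}:
        findings.append(f"VRID {vrid} with {sorted(vips)} does not match policy")
    return findings
```

Pass `check_advert` the source address, IP TTL and payload (trimmed to the IP total length) of each packet sent to 224.0.0.18, and alert on any non-empty result.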