Screen OS

Can you run VRRP on a Redundant interface?  I need to configure a fail over mechanism between 2 WAN segments.  1 of those segments is a Netscreen VPN architecture and the other is MPLS on a Cisco router.  The Cisco routers will be the VRRP master.  The Cisco router and Juniper SSG-140 will be connecting to the same layer 2 switch stack LAN/Trust side.  I want to try and keep routing symetric, and thought that VRRP along with redundant interfaces would do the trick.

Hi,

If you intended to configure VRRP on an SSG140 firewall there are a few things to know. VRRP was introduced in ScreenOS 6.1 but there is no possibility to configure VRRP from the GUI.

Here are the steps to configure VRRP with CLI:

set interface ethernet0/6 protocol vrrp

set interface ethernet0/6 protocol vrrp enable            # activate VRRP for eth6/0

set interface ethernet0/6 ip 192.168.1.253/24             # "real" IP for VRRP group 1

set interface ethernet0/6:1 ip 192.168.1.254/24           # virtual IP for VRRP group 1

set interface ethernet0/6:1 protocol vrrp preempt         # preemption (if desired)

set interface ethernet0/6:1 protocol vrrp priority 50     # priority (default is 100)

“get vrrp” command:

SSG-140-> get vrrp ?

interface            vrrp info for all interfaces

statistics           vrrp statistics

virtual-group        vrrp info for all virtual groups

SSG-140->

There are also a lot of restrictions:

• It only works for native ethernet interfaces
• You can only have one VRRP group supported per interface
• There is no secondary VRRP ip possible
• Only VRRP or NSRP can be activated for the whole device, not both
• No VRRP authentication is supported

Hope this helps you,

Gavrilo

That sucks, my convoluted overly complex plan won't work!

Thanks for the info...

Sorry to bring bad news but don't shoot the messenger .................please! 

Gavrilo