NSRP/HA with model mismatch


NSRP/HA with model mismatch

by Ramon Fernandez-2

Hello,

I have been looking to get a second firewall for a project I am working on. We currently have a 204 advanced handling the load fine. I am pretty impressed with the 204, but the lack of ports is the only issue I currently have with it. I have been looking at the 208 advanced, and have been thinking about swapping out the 204 for the 208, but setting up the 204 to act as a secondary firewall in an active/passive configuration. Can anybody shed some light on this issue?

From my reading, the only difference between the two models is the number of interfaces, and interface information is not shared between the two devices via NSRP. I am just curious if anybody has been successful with doing this and if they ran into any issues.

Cheers,
Ray

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: NSRP/HA with model mismatch

by Tim E

Interface configuration IS shared between two firewalls in an active/passive situation. I would not recommend this set up/configuration as it's just asking for trouble with a non-redundant state, which completely goes against everything you're trying to accomplish here.

Tim Eberhard


Re: NSRP/HA with model mismatch

by Boni Bruno

I would have to agree with Tim. It is a best practice to keep a redundant pair of NetScreen firewalls the same model. You will run into state sync issues and HA errors in your logs. Use the 204 elsewhere and get two 208s.

Regards,

boni bruno


From: nn-bounces@... on behalf of Tim Eberhard
Sent: Fri 1/11/2008 11:54 AM
To: Ramon Fernandez
Cc: nn@...
Subject: Re: [nn] NSRP/HA with model mismatch

Interface configuration IS shared between two firewalls in an active/passive situation. I would not recommend this set up/configuration as it's just asking for trouble with a non redundant state which completely goes against everything you're trying to accomplish here.

Tim Eberhard

2008/1/11 Ramon Fernandez <hookups007@...>:
Hello,

I have been looking to get a second firewall for a project I am working on. We currently have a 204 advanced handling the load fine. I am pretty impressed with the 204, but the lack of ports is the only issue I currently have with it. I have been looking at the 208 advanced, and have been thinking about swapping out the 204 for the 208, but setting up the 204 to act as a secondary firewall in an active/passive configuration. Can anybody shed some light on this issue?

From my reading, the only difference between the two models is the number of interfaces, and interface information is not shared between the two devices via NSRP. I am just curious is anybody has been successful with doing this and if they ran into any issues.

Cheers,
Ray

_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn




Click here to report this email as spam.


_______________________________________________
nn mailing list
nn@...
http://www.compsoc.com/cgi-bin/mailman/listinfo/nn

Re: NSRP/HA with model mismatch

by Ramon Fernandez-2

Tim,

Thanks for your prompt reply and your advice. I agree with you that my main goal is HA
and fault tolerance and I should not be introducing any possible avenues for faults to
sneak in. I am however confused by your statement compared to what is in the docs
for ScreenOS.

ScreenOS 5.4 (Found it in 6.0 as well) Admin Manual, Volume 11 "High Availability":

---
Members of the same NSRP cluster maintain identical settings for the following:
- Policies and policy objects (such as addresses, services, VPNs, users, and
schedules)
- System parameters (such as settings for authentication servers, DNS, SNMP, syslog,
URL blocking, firewall detection options, and so on)

Members of a cluster do not propagate the following configuration settings, as
shown in Table 1.
Table 1: Non-Propagating Commands
<snip>
Interface
- set/unset interface interface manage-ip ip_addr
- set/unset interface interface phy …
- set/unset interface interface bandwidth number
- set/unset interface redundant number phy primary interface
- All commands pertaining to local interfaces
</snip>
---

Could you shed more light on this? Does this only apply to active/active
configurations? Perhaps it only disregards a subset of the
interface configuration and there are ones which I have overlooked which would
cause two identical devices with a different number of interfaces not to mesh well.

Any further information you can provide or specific examples you can share is
appreciated.

Cheers,
Ray


Re: NSRP/HA with model mismatch

by Tim E

Physical interface settings, management-ip settings and other such configuration items are not shared.

However, interface configuration (i.e. IP addresses, zones, routes) is synced via HA.

Excellent attention to detail Ramon. I apologize for not being completely clear in the original email!

Good luck,
Tim Eberhard

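As an added illustration (not code from the thread or from Juniper), the following Python script applies the Table 1 split quoted above: it classifies ScreenOS interface lines as local (non-propagating) or synced, and flags synced lines that name a port the peer model does not have. The port counts (4 on a 204, 8 on a 208), the ethernetN naming and the sample config are assumptions constructed for the example.

```python
import re

# Non-propagating interface commands, per the Table 1 snippet quoted in the thread.
LOCAL_PATTERNS = [
    re.compile(r"^(un)?set interface \S+ manage-ip\b"),
    re.compile(r"^(un)?set interface \S+ phy\b"),
    re.compile(r"^(un)?set interface \S+ bandwidth\b"),
    re.compile(r"^(un)?set interface redundant\d+ phy primary\b"),
]
# Assumed physical port counts per model (not stated in the thread).
PORTS = {"ns204": 4, "ns208": 8}


def is_local(line):
    """True when the command is one NSRP does not propagate to the peer."""
    return any(p.match(line) for p in LOCAL_PATTERNS)


def interface_of(line):
    """Interface name from a 'set/unset interface <name> ...' command, else None."""
    m = re.match(r"^(?:un)?set interface (\S+)", line)
    return m.group(1) if m else None


def audit(config_lines, peer_model):
    """Split config into (local, synced, orphaned).

    'orphaned' are synced lines that reference an ethernetN port with N
    greater than the peer model's port count: after a sync, the peer would
    carry configuration for a port it does not physically have."""
    local, synced, orphaned = [], [], []
    for line in config_lines:
        line = line.strip()
        if not line.startswith(("set ", "unset ")):
            continue  # skip blanks and non-command text
        if is_local(line):
            local.append(line)
            continue
        synced.append(line)
        m = re.fullmatch(r"ethernet(\d+)", interface_of(line) or "")
        if m and int(m.group(1)) > PORTS[peer_model]:
            orphaned.append(line)
    return local, synced, orphaned


# Constructed sample config from an assumed 8-port primary.
SAMPLE_208_CONFIG = """
set interface ethernet1 zone Trust
set interface ethernet1 ip 10.0.1.1/24
set interface ethernet1 manage-ip 10.0.1.2
set interface ethernet1 phy full 100mb
set interface ethernet7 zone DMZ
set interface ethernet7 ip 10.0.7.1/24
set interface ethernet7 bandwidth 10000
set interface redundant1 phy primary ethernet3
set route 0.0.0.0/0 interface ethernet1 gateway 10.0.1.254
""".splitlines()

if __name__ == "__main__":
    for line in audit(SAMPLE_208_CONFIG, "ns204")[2]:
        print("synced to peer, but peer has no such port:", line)
```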