Networking Blog

A few weeks ago, i was confronted with a Juniper Secure Services Gateway (aka SSG) for the first time. After playing a little bit with the box, i quickly learned to like her.
Okay, it took a time to get used to the CLI with its behaviour and the Virtual-System/-Router stuff, but the WebUI is very intuitive and easy to use for the first steps.
Somewhere along the way, i intended to configure VRRP between two SSG140 firewalls but i couldn’t find it neither in CLI nor in WebUI.

I sift through the endless depth of Juniper website and discovered that VRRP was firstly introduced in ScreenOS 6.1.
My SSG140 sadly was running ScreenOS 6.or2. Thus i downloaded a 6.1 version and installed it.
Anyway there was still no possibility to configure VRRP via WebUI…

But here comes the necessary steps to configure VRRP with CLI:

set interface ethernet0/6 protocol vrrp
set interface ethernet0/6 protocol vrrp enable            # activate VRRP for eth6/0
set interface ethernet0/6 ip 192.168.1.253/24             # "real" IP for VRRP group 1
set interface ethernet0/6:1 ip 192.168.1.254/24           # virtual IP for VRRP group 1
set interface ethernet0/6:1 protocol vrrp preempt         # preemption (if desired)
set interface ethernet0/6:1 protocol vrrp priority 50     # priority (default is 100)

You can obtain inforbations about VRRP with the “get vrrp” command:

SSG-140-> get vrrp ?
interface            vrrp info for all interfaces
statistics           vrrp statistics
virtual-group        vrrp info for all virtual groups
SSG-140->

A lot of restritions:

• works only for native ethernet interfaces, not for bridge-groups
• only use of one VRRP group supported per interface
• no secondary VRRP ip possible
• either VRRP or NSRP can be activated for the whole device, not both
• no VRRP authentication supported

Hope this helps you, if you really need VRRP. But i think NSRP (NetScreen Redundancy Protocol) is the better choice.