topic The answer to the redundancy in Network Security

FS4000 interface bonding

Matthias Jeker — Tue, 12 Mar 2019 12:38:48 GMT

Hi all

I have a FireSIGHT 4000 mgmt appliance. Anyone knows how to configure a bond (ether-channel) to this appliance? Currently there is not much documentation on the cisco site.

Regards

Matthias

Never heard of trying to do

atatistc — Wed, 25 Mar 2015 21:33:38 GMT

Never heard of trying to do an ether-channel to the management interface of a Defense Center (FSMC). It's a 1Gb port and while there are two, the purpose of using the second one is to allow splitting up web UI management and event traffic - not to double the throughput of the management interface. The bottom line is ether-channel is not available on management devices. <-- Correcting myself, you actually can increase the throughput/redundancy of the management connection in v 5.4 by using the second interface. (still don't think ether-channel is supported though)

This is frustrating, isn't it

Matthias Jeker — Wed, 25 Mar 2015 21:33:39 GMT

This is frustrating, isn't it? The customer bought a mgmt appliance for 100k and in case of a link failure he loses the ability to collect data?:/ Maybe there is any buffer or something like that on the modules it self? Couldn't find it in the documentation.

I configured it manually in the underlying Linux. It works without any problems (the FSMC doesn't recognize the bond interface in the GUI but that doesn't matter).

Maybe I will go with the recommended solution and just split the mgmt and even traffic. Or is it possible to enable the mgmt and the event traffic on both interfaces to have some kind of redundancy?

The answer to the redundancy

atatistc — Wed, 25 Mar 2015 22:37:03 GMT

The answer to the redundancy question is to get a second Defense Center and configure a High Availability pair. Generally, protecting against failure in the management network is not a need we see while recovering from failure of the entire device/datacenter is a more common requirement.

Events are queued on the device(s) in case of a failure in the management connection to the Defense Center.

That being said, with version 5.4 there are several options for configuring the eh0 and eth1 management interfaces. You can split up management and event traffic or use both of them to process management and event traffic. This allows for faster event rates as well as redundancy. My advice is to look in the help or the FireSIGHT System User Guide and search for "management interfaces" you will find several pages there with diagrams on how the various traffic channels can be used.

Thanks a lot for your help

Matthias Jeker — Thu, 26 Mar 2015 10:17:10 GMT

Thanks a lot for your help and the clarifications. We currently have two FS4000 appliances for redundancy. I just wanted to have some link redundancy to prevent from a failover in case of a link failure.

I configured it in the following manner:

eth0 -> Events only address x.x.x.x

eth1 -> Mgmt only address y.y.y.y

When i pull off eth0 -> both addresses stops from responding (if I do an "ifup eth0" then the address y.y.y.y starts responding. I have no idea how to configure it for failover, loadsharing. It just doesn't work for me. Please not that this is a fresh box (no changes before I tried this).

When i pull off eth1 -> address x.x.x.x stops from responding, address y.y.y.y is reachable

Thanks again for your helpful answers. I really appreciate that!