
Avoiding connection issues when implementing Network Definitions


Article ID: 243664


Products

SSP-S410 Platform, ISG Content Analysis, ISG Proxy

Issue/Introduction

After the SG and CAS applications were created and management IPs were assigned to them, the applications could not be reached until the customer had disabled and re-enabled the host (appliance) management interface several times.

Environment

Release: 2.3.1.1

Cause

Key prerequisites and conditions for the network definitions were missed, including the order in which the implementation steps must be carried out.

Resolution

Investigation of the reported case indicates that the connectivity problem was caused by an improper implementation of the network definitions for the created applications. It also appears that the network definition was implemented in reserved mode without meeting the key prerequisites and conditions that apply to reserved interfaces. These prerequisites and conditions are explained below.

Network definitions control which interfaces and LAGs are mapped to which applications. You can assign a definition when creating applications or edit the definition after creating the application.

Network definitions contain:

Interfaces - Can be shared or reserved. Shared interfaces can be included in more than one network definition and be used by multiple running applications. Reserved interfaces can only be included in one network definition and only be used by one application at a time.

LAGs - Can only be shared. Any interface that is part of a LAG cannot be used as an individual interface in a network definition. If you want to add an interface that is already part of a custom network definition to a LAG, remove it from every custom network definition first and then add it to the LAG.

Network definitions can be sorted into one of two categories:

auto - The default definition that the appliance automatically creates and dynamically adjusts. If you do not specify a network definition when creating your application, the appliance automatically assigns auto as the definition.

Custom network definition - Network definitions you create and modify that you specify during or after creating applications.

When you create applications, either the appliance assigns the default definition or you specify a custom definition. If you want to change the network definition of an application after creating it, you must first stop the application and then make the change using the applications edit command. To configure network definitions, use the network-definition command. You can assign the same network definition to multiple applications.

If a network definition is not properly configured, an application might not start, such as in the following example.

(config-applications)# start example-sg-1
Error: Can not start application with empty network definition

For information on resolving this type of error, see https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/integrated-secure-gateway/2-4/cli_Command-Line-Overview/Error-Messages.html

Auto Network Definition

By default, the auto network definition exists and you cannot edit or delete it. If you have not defined a custom network definition, the appliance uses the auto definition to manage the network in a way that is backward compatible with earlier versions of ISG.

The auto definition contains all of the physical interfaces in shared mode and automatically updates when you make changes to the interfaces, such as adding interfaces to or removing them from LAGs, or adding them to or removing them from a custom network definition in reserved mode.

The following example shows how the auto network definition updates as a LAG is created with the interface 2:0 and then has the interface removed.

Custom Network Definitions


You can use custom network definitions to assign specific interfaces and LAGs to specific applications. If the interfaces you are adding to or removing from a network definition are in shared mode, you can add and remove them to and from multiple network definitions without impacting the other network definitions. The following example shows the network definition example-net-def-2 being edited to use the shared 2:0 interface that the network definitions auto and example-net-def are already using, and then the interface being removed from example-net-def-2.

If you are using reserved interfaces, note the following limitations:

  • When adding or removing reserved interfaces, you must stop all applications, including applications that are assigned to the auto network definition. The following example shows what happens if you attempt to add a reserved interface to a network definition while applications are running.

(config-network-definition)# view
Network Definition: auto
        Interfaces (shared): 0:0 2:0 2:1 2:2 2:3 3:0 3:1 3:2 3:3
Network Definition: example-net-def
        Interfaces (shared): 2:0
Network Definition: example-net-def-2
(config-network-definition)# exit
(config)# applications
(config-applications)# view
NAME          TYPE  VCPU  MEMORY   DISK SIZE  MODEL      STATUS     LICENSE ID   IMAGE ID             ZTP NETWORK DEFINITION
------------  ----  ----  -------- ---------- ---------- ---------- ------------ -------------------- --- -----------------
example-sg-1  SG    2     12 GB    200 GB     C2S        Running    0025990017   sg-7.3.6.2-268762        example-net-def
example-sg-2  SG    2     12 GB    200 GB     C2S        Created    0025990017   sg-7.3.6.2-268762        example-net-def-2
(config-applications)# exit
(config)# network-definition
(config-network-definition)# edit example-net-def-2 add mode reserved interfaces 2:1
Error: Can not add or remove reserved interfaces to a network definition when applications are Running

  • An interface can only be reserved by one network definition. The following example shows what happens if you attempt to add an interface that is reserved by another network definition to another network definition.

(config-network-definition)# edit example-net-def add mode reserved interfaces 2:1
  ok
(config-network-definition)# edit example-net-def-2 add mode reserved interfaces 2:1
Error: Can not add reserved interfaces since an interface is added to another network definition: example-net-def

  • The interface to be reserved must not have an IP address assigned to it by the ISG; remove any such address before reserving the interface.

If you are adding LAGs to or removing LAGs from your network definition, you can add and remove them to and from multiple network definitions without impacting the other network definitions. The following example shows the network definition example-net-def-2 being edited to use LAG 0, which the network definitions auto and example-net-def are already using.
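The rules above can be checked offline before anything is typed into the appliance. The following Python model is an added example, not Broadcom code and not part of the ISG CLI: it encodes the constraints stated in this section (shared versus reserved interfaces, LAG members not usable individually, no reserved-interface changes while any application is Running, one definition per reserved interface, no host IP on an interface to be reserved, stop an application before changing its definition, and the empty-definition start error) and runs a planned sequence of steps against them, reporting the first step that would fail. The interface list, the host_ips table, the method names, and the definition and application names are constructed assumptions for illustration.

```python
# Added example, not Broadcom/ISG code: an offline model of the network-definition rules
# in this article, used to check a planned sequence of CLI steps before typing it into the
# appliance. Names, the interface list and the host_ips table are constructed assumptions.
from dataclasses import dataclass, field

class PlanError(Exception):
    """A planned step violates one of the documented rules."""

@dataclass
class NetDef:
    shared: set = field(default_factory=set)
    reserved: set = field(default_factory=set)
    lags: set = field(default_factory=set)

    def is_empty(self):
        return not (self.shared or self.reserved or self.lags)

@dataclass
class Appliance:
    physical: set                                 # physical interfaces, e.g. "2:1"
    host_ips: dict = field(default_factory=dict)  # iface -> IP configured on the ISG host
    lags: dict = field(default_factory=dict)      # lag id -> member interfaces
    netdefs: dict = field(default_factory=dict)   # custom definitions; "auto" is derived
    apps: dict = field(default_factory=dict)      # app -> {"netdef": str, "running": bool}

    def auto(self):
        # auto = every physical interface shared, minus LAG members and interfaces
        # reserved by a custom definition, plus every LAG (LAGs are always shared).
        in_lag = {i for m in self.lags.values() for i in m}
        reserved = {i for d in self.netdefs.values() for i in d.reserved}
        return NetDef(shared=self.physical - in_lag - reserved, lags=set(self.lags))

    def netdef(self, name):
        if name != "auto" and name not in self.netdefs:
            raise PlanError(f"unknown network definition {name}")
        return self.auto() if name == "auto" else self.netdefs[name]

    def create_netdef(self, name):
        if name == "auto" or name in self.netdefs:
            raise PlanError(f"network definition {name} already exists")
        self.netdefs[name] = NetDef()

    def add_interface(self, name, iface, mode):
        if name == "auto":
            raise PlanError("the auto definition cannot be edited")
        if any(iface in m for m in self.lags.values()):   # LAG members cannot be used individually
            raise PlanError(f"interface {iface} belongs to a LAG; add the LAG instead")
        d = self.netdef(name)
        if mode == "shared":                              # shared: allowed in many definitions
            d.shared.add(iface)
            return
        # Reserved mode: the three conditions the article lists.
        if any(a["running"] for a in self.apps.values()):
            raise PlanError("Can not add or remove reserved interfaces to a network definition when applications are Running")
        for other, od in self.netdefs.items():
            if other != name and iface in od.reserved:
                raise PlanError(f"Can not add reserved interfaces since an interface is added to another network definition: {other}")
        if iface in self.host_ips:
            raise PlanError(f"interface {iface} still has host IP {self.host_ips[iface]}; remove it before reserving")
        d.reserved.add(iface)

    def create_app(self, name, netdef="auto"):
        self.netdef(netdef)                               # the definition must exist
        self.apps[name] = {"netdef": netdef, "running": False}

    def start_app(self, name):
        if self.netdef(self.apps[name]["netdef"]).is_empty():
            raise PlanError("Can not start application with empty network definition")
        self.apps[name]["running"] = True

    def stop_app(self, name):
        self.apps[name]["running"] = False

    def set_app_netdef(self, name, netdef):               # the application must be stopped first
        if self.apps[name]["running"]:
            raise PlanError(f"stop {name} before changing its network definition")
        self.netdef(netdef)
        self.apps[name]["netdef"] = netdef

def run_plan(appliance, steps):
    # Apply steps in order; return (index, message) of the first failing step, else None.
    for i, (op, *args) in enumerate(steps):
        try:
            getattr(appliance, op)(*args)
        except PlanError as e:
            return i, str(e)
    return None

def new_appliance():  # constructed sample state: five interfaces, a host IP already on 2:1
    return Appliance(physical={"0:0", "2:0", "2:1", "2:2", "2:3"}, host_ips={"2:1": "10.0.0.5"})

# WRONG_ORDER reproduces the failure described above (an application is already Running on
# auto when the reserved interface is added); RIGHT_ORDER builds the definition first.
WRONG_ORDER = [("create_app", "sg-1", "auto"), ("start_app", "sg-1"),
               ("create_netdef", "CustomA"), ("add_interface", "CustomA", "2:2", "reserved")]
RIGHT_ORDER = [("create_netdef", "CustomA"), ("add_interface", "CustomA", "0:0", "shared"),
               ("add_interface", "CustomA", "2:2", "reserved"),
               ("create_app", "sg-1", "CustomA"), ("start_app", "sg-1")]
```

Calling run_plan(new_appliance(), WRONG_ORDER) returns the index of the reserved-interface step together with the same "applications are Running" error the appliance prints, while run_plan(new_appliance(), RIGHT_ORDER) returns None and leaves the derived auto definition without the reserved interface, matching the way the appliance's view output drops reserved interfaces from auto. The practical takeaway is the ordering: build and populate the custom definitions (with every application stopped and no host IP on the interfaces to be reserved), then create and start the applications that use them.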

Network Definition Examples

The following examples show how you can use network definitions in practical situations.

Multiple ProxySG Application with Reservations

In this example, there are two ProxySG instances running on a single SSP-S410 appliance. Each application has a reserved interface for traffic processing, as well as shared use of the management interface. 

Note

Un-mapped interfaces are provided to the applications as down to avoid gaps in the interface numbering within the application. These virtual interfaces are not connected to the physical interfaces and the applications do not configure them.

(config-network-definition)# create CustomA
  ok
(config-network-definition)# create CustomB
  ok
(config-network-definition)# edit CustomA add mode shared interfaces 0:0
  ok
(config-network-definition)# edit CustomB add mode shared interfaces 0:0
  ok
(config-network-definition)# edit CustomA add mode reserved interfaces 2:2
  ok
(config-network-definition)# edit CustomB add mode reserved interfaces 2:3
  ok
(config-network-definition)# view
Network Definition: CustomA
        Interfaces (shared): 0:0
        Interfaces (reserved): 2:2
Network Definition: CustomB
        Interfaces (shared): 0:0
        Interfaces (reserved): 2:3
Network Definition: auto
        Interfaces (shared): 0:0 2:0 2:1
 
(config-applications)# create sg example-sg-1 model C2S license-id 0000990000 image-id sg-7.3.6.2-268762 network-definition CustomA
  ok
(config-applications)# create sg example-sg-2 model C2S license-id 0000990000 image-id sg-7.3.6.2-268762 network-definition CustomB
  ok
(config-applications)# start example-sg-1
  ok
(config-applications)# start example-sg-2
  ok
(config-applications)# view
NAME          TYPE  VCPU  MEMORY   DISK SIZE  MODEL      STATUS     LICENSE ID   IMAGE ID             ZTP NETWORK DEFINITION
------------  ----  ----  -------- ---------- ---------- ---------- ------------ -------------------- --- ------------
example-sg-1  SG    2     12 GB    200 GB     C2S        Running    0000990000   sg-7.3.6.2-268762        CustomA
example-sg-2  SG    2     12 GB    200 GB     C2S        Running    0000990000   sg-7.3.6.2-268762        CustomB

 

ProxySG, Content Analysis, and Malware Analysis Applications - Mimics your deployment

In this example, there is a ProxySG, a Content Analysis, and a Malware Analysis application running on a single SSP-S410 appliance. The ProxySG application is using the auto network definition, which includes a LAG that contains interfaces 2:1 and 2:2. The Content Analysis application is using a custom network definition containing interfaces 0:0 and 2:0. The Malware Analysis application uses a custom network definition that contains interface 0:0 as shared and 2:3 as reserved.

(config-network-definition)# lag
(config-lag)# group id 0 add 2:1
  ok
(config-lag)# group id 0 add 2:2
Warning: interface 2:2 is down.
  ok
 
(config-network-definition)# create CustomA
  ok
(config-network-definition)# edit CustomA add mode shared interfaces 0:0
  ok
(config-network-definition)# edit CustomA add mode shared interfaces 2:0
  ok
(config-network-definition)# create CustomB
  ok
(config-network-definition)# edit CustomB add mode shared interfaces 0:0
  ok
(config-network-definition)# edit CustomB add mode reserved interfaces 2:3
  ok
 
(config-network-definition)# view
Network Definition: CustomA
        Interfaces (shared): 0:0 2:0
Network Definition: CustomB
        Interfaces (shared): 0:0
        Interfaces (reserved): 2:3
Network Definition: auto
        Interfaces (shared): 0:0 2:0 3:0 3:1 3:2 3:3
        LAGs (shared): 0 (2:1, 2:2)
 
(config-applications)# view
NAME           TYPE  VCPU  MEMORY   DISK SIZE  MODEL      STATUS     LICENSE ID   IMAGE ID             ZTP NETWORK DEFINITION
-------------  ----  ----  -------- ---------- ---------- ---------- ------------ -------------------- --- ------------
example-cas-1  CAS   4     8 GB     200 GB     C4S        Running    0000990000   cas-3.1.3.2-268775       CustomA
example-ma-1   MA    12    32 GB    400 GB     C12M       Running    0000990000   cas-3.1.3.2-268775       CustomB
example-sg-1   SG    2     12 GB    200 GB     C2S        Running    0000990000   sg-7.3.6.2-268762        auto