SafeNet Network HSM Appliance Port Bonding

SafeNet Network HSM has two physical interfaces, eth0 and eth1. They can be configured into a single virtual interface, bond0, which provides a round robin load balancing service across the two physical interfaces. The primary purpose of the service is a hot standby mode for network interface failure; no performance or throughput gains are intended.

The following conditions and recommendations apply to the port bonding feature:

Bonded interfaces must both be attached to the same network segment. For example, if a bonded interface of IP 192.168.9.126 is chosen, both interfaces must be connected to devices that can access the 192.168.9.* network.

Use bonding only with static addressing. If you set bonding where dynamically allocated addressing is in use, then any future change in a DHCP lease would break interface bonding.

Avoid executing bonding commands while clients are running applications against the SafeNet Network HSM. Where the bonding interface has the same IP address as eth0, no ill effects have been observed on running clients other than normal fail-over/recover behavior.

Avoid executing bonding commands over SSH, which can result in the closure of the active SSH session.

Note:  Restart the system after the network interface bonding enable command, with sysconf appliance restart, to allow the system to begin using the new configuration.

Once bonding is configured, client connections as well as SSH connections continue uninterrupted if either eth0 or eth1 fails.

Note:  This feature is not currently supported for use with IPv6 networks.

Technical Details

SafeNet Network HSM uses the Linux Ethernet Channel Bonding Driver (v3.4.0-2) configured for link aggregation control protocol (LACP). Specifically:

mode is active-backup

primary is eth0

primary_reselect is failure

updelay is 2000

miimon is 100

Additional details and descriptions of the above parameters can be reviewed in the document "Linux Ethernet Bonding Driver HOWTO" at https://www.kernel.org/doc/Documentation/networking/bonding.txt
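The parameters above are what the Linux bonding driver reports in /proc/net/bonding/bond0 on any host that runs it. The following is an added example, not code from the guide or from the bonding driver project: it parses such a report, compares it with the parameter set documented here (mode active-backup, primary eth0, primary_reselect failure, updelay 2000, miimon 100), and reports deviations as well as the operational state a practitioner looks for after an incident (fail-over to the backup port, a downed link, a non-zero link failure count). The sample report is constructed, with eth0 failed and eth1 carrying traffic; the appliance itself exposes bonding only through LunaSH, so this is for understanding the parameters or for auditing a host running the same driver.

```python
"""Parse and audit a Linux bonding driver report (/proc/net/bonding/<bond>).

Added example; the report below is constructed and the expected parameter set
is the one the guide documents.
"""
import re

# Parameter set documented in the guide's "Technical Details" section.
DOCUMENTED = {
    "mode": "active-backup",
    "primary": "eth0",
    "primary_reselect": "failure",
    "updelay": 2000,
    "miimon": 100,
}

# Constructed sample report: eth0 has failed and eth1 has taken over.
SAMPLE_REPORT = """\
Ethernet Channel Bonding Driver: v3.4.0-2

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: eth0 (primary_reselect failure)
Currently Active Slave: eth1
MII Status: up
MII Polling Interval (ms): 100
Up Delay (ms): 2000
Down Delay (ms): 0

Slave Interface: eth0
MII Status: down
Speed: Unknown
Duplex: Unknown
Link Failure Count: 1
Permanent HW addr: 00:11:22:33:44:55

Slave Interface: eth1
MII Status: up
Speed: 1000 Mbps
Duplex: full
Link Failure Count: 0
Permanent HW addr: 00:11:22:33:44:66
"""


def _parse_block(block):
    """Turn one blank-line-delimited block of 'Key: value' lines into a dict."""
    fields = {}
    for line in block.splitlines():
        if ":" not in line:
            continue
        key, _, value = line.partition(":")  # MAC addresses contain ':' too, so split once
        fields[key.strip()] = value.strip()
    return fields


def parse_bond_report(text):
    """Return (master_fields, [slave_fields, ...]) from a bonding report."""
    blocks = [_parse_block(b) for b in re.split(r"\n\s*\n", text.strip())]
    master = next(b for b in blocks if "Bonding Mode" in b)
    slaves = [b for b in blocks if "Slave Interface" in b]
    return master, slaves


def bond_settings(master):
    """Extract the five documented parameters from the master block."""
    mode = re.search(r"\(([^)]+)\)", master["Bonding Mode"])
    primary = re.match(r"(\S+)(?:\s+\(primary_reselect\s+(\w+)\))?",
                       master.get("Primary Slave", ""))
    return {
        "mode": mode.group(1) if mode else master["Bonding Mode"],
        "primary": primary.group(1) if primary else None,
        "primary_reselect": primary.group(2) if primary else None,
        "updelay": int(master["Up Delay (ms)"]),
        "miimon": int(master["MII Polling Interval (ms)"]),
    }


def audit_bond(text, expected=DOCUMENTED):
    """Compare a report with the expected parameters; return a list of findings."""
    master, slaves = parse_bond_report(text)
    actual = bond_settings(master)
    findings = []
    for key, want in expected.items():
        if actual.get(key) != want:
            findings.append(f"config: {key} is {actual.get(key)!r}, expected {want!r}")
    active = master.get("Currently Active Slave")
    if actual["mode"] == "active-backup" and active != actual["primary"]:
        # With primary_reselect=failure the driver stays on the backup until it fails,
        # so this state persists after eth0 recovers and is worth surfacing.
        findings.append(f"state: fail-over active, traffic on {active} instead of primary {actual['primary']}")
    for slave in slaves:
        name = slave["Slave Interface"]
        if slave.get("MII Status") != "up":
            findings.append(f"state: {name} link is {slave.get('MII Status')}")
        if int(slave.get("Link Failure Count", 0)) > 0:
            findings.append(f"state: {name} has {slave['Link Failure Count']} recorded link failure(s)")
    return findings


if __name__ == "__main__":
    for finding in audit_bond(SAMPLE_REPORT):
        print(finding)
```

On the constructed report the configuration matches the documented set, so the three findings are all state findings: the fail-over to eth1, the downed eth0 link, and eth0's link failure count. Swapping a parameter in the report (for example Up Delay 0) produces a config finding instead.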


Using Port Bonding

Use LunaSH to configure, enable, or disable port bonding, and to display the current port bonding status. See network interface bonding in the LunaSH Command Reference Guide for a list of the port bonding commands.

To bond eth0 and eth1 to the bond0 virtual interface

1. If you have previously configured port bonding, and are reconfiguring to specify a different mode, first disable the current configuration with network interface bonding disable.

2. Use the command network interface bonding config to specify an IP address, subnet mask, and gateway for the bond0 interface.

Note:  To avoid breaking the NTLS connection to the appliance, ensure that the IP address you specify for the bond0 interface is the IP address used for the current NTLS connection (either eth0 or eth1).

Note:  Beginning with SafeNet Network HSM version 6.2.1, all of the standard Linux port bonding modes are supported, and are specified with the -mode option of the command network interface bonding config:
mode=0 (Balance Round Robin)
mode=1 (Active backup)
mode=2 (Balance XOR)
mode=3 (Broadcast)
mode=4 (802.3ad)
mode=5 (Balance TLB)
mode=6 (Balance ALB)

3. Use the command network interface bonding enable to enable the bond0 interface.

4. Use the command sysconf appliance reboot to reboot the appliance.
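Before typing the commands in steps 1 to 4, it helps to check the values against the conditions this guide sets out: the bond0 address must be the address NTLS is currently bound to, the gateway must lie in the bond0 subnet, the mode must be one of the seven Linux modes (0 to 6), addressing must be static rather than DHCP-leased, both ports must sit on the same network, and IPv6 is not supported. The following is an added example that encodes those conditions as a pre-flight check; it is not a LunaSH command and not code from the guide. The Interface record and every address in it are constructed for the example.

```python
"""Pre-flight check for a SafeNet Network HSM port-bonding change.

Added example. check_bond_config() is a hypothetical helper that applies the
guide's conditions to the values you are about to give
'network interface bonding config'; the Interface record and the sample
addresses are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional
import ipaddress

# The seven Linux bonding modes listed in the guide (supported from version 6.2.1).
BONDING_MODES = {
    0: "Balance Round Robin",
    1: "Active backup",
    2: "Balance XOR",
    3: "Broadcast",
    4: "802.3ad",
    5: "Balance TLB",
    6: "Balance ALB",
}


@dataclass
class Interface:
    """Constructed record of one physical port as currently configured."""
    name: str
    address: Optional[str]   # current IP, or None if none was assigned (eth1 in the optional setup)
    dhcp: bool = False       # True if the address comes from a DHCP lease


def check_bond_config(ip, netmask, gateway, mode, ntls_address, interfaces: List[Interface]):
    """Return a list of problems; an empty list means the values satisfy the guide's conditions."""
    problems = []
    try:
        bond_net = ipaddress.ip_interface(f"{ip}/{netmask}").network
        gw = ipaddress.ip_address(gateway)
    except ValueError as exc:
        return [f"invalid address, netmask or gateway: {exc}"]

    # Bonding is not supported on IPv6 networks.
    if bond_net.version != 4:
        problems.append("bonding is not supported for IPv6 networks")
    # -mode must be one of the standard Linux modes 0-6.
    if mode not in BONDING_MODES:
        problems.append(f"mode {mode} is not a valid bonding mode (expected 0-6)")
    # The gateway must be reachable from the bond0 subnet.
    if gw not in bond_net:
        problems.append(f"gateway {gateway} is outside the bond0 network {bond_net}")
    # bond0 must take over the address NTLS is currently using, or the NTLS connection breaks.
    if ip != ntls_address:
        problems.append(f"bond0 address {ip} differs from the NTLS address {ntls_address}; NTLS would break")
    for iface in interfaces:
        # A DHCP lease change would break the bond, so only static addressing is allowed.
        if iface.dhcp:
            problems.append(f"{iface.name} uses DHCP; bond only with static addressing")
        # Both ports must be attached to the same network segment as bond0.
        if iface.address and ipaddress.ip_address(iface.address) not in bond_net:
            problems.append(f"{iface.name} ({iface.address}) is not on the bond0 network {bond_net}")
    return problems


def sample_good():
    """The optional setup from the guide: eth0 carries NTLS, eth1 has no address of its own."""
    return check_bond_config(
        ip="192.168.9.126", netmask="255.255.255.0", gateway="192.168.9.1", mode=1,
        ntls_address="192.168.9.126",
        interfaces=[Interface("eth0", "192.168.9.126"), Interface("eth1", None)],
    )


def sample_bad():
    """Constructed values that violate four of the conditions at once."""
    return check_bond_config(
        ip="192.168.9.126", netmask="255.255.255.0", gateway="10.0.0.1", mode=7,
        ntls_address="192.168.9.10",
        interfaces=[Interface("eth0", "192.168.9.126", dhcp=True), Interface("eth1", None)],
    )


if __name__ == "__main__":
    print("good:", sample_good() or "no problems")
    for problem in sample_bad():
        print("bad:", problem)
```

The check is deliberately conservative: it only accepts a bond0 address equal to the current NTLS address, which is the guide's recommendation for avoiding an NTLS outage, and it treats any DHCP-leased port as a blocker rather than a warning.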

Optional Considerations

You can configure NTLS to "all" if you wish, and that will work fine with port bonding.

Alternatively, if you intend to use port bonding, you can:

physically connect eth0 to a network and set eth0 to an IP address,

configure NTLS for eth0,

physically connect eth1 to another network but don't bother establishing a separate eth1 IP address (because it will disappear with bonding), and then

enable bonding.

This ensures that the bonding address is the address already established for NTLS. This has the desired effect of having NTLS work with either port (due to the bonding), and if you later disable bonding for any reason, you don't have to remember to assign NTLS to eth0. That is, it was already assigned to eth0 from the start, it picks up the dual physical interface redundancy advantages when bonding is established, and it reverts cleanly to eth0-only in the event that bonding is disabled.