Configuring High Availability
=============================

Genians can be set up using two Appliances in an active/standby configuration, one acting as the primary (Master) and the other as the secondary (Slave). The two Appliances communicate with each other to synchronize data and fail over from one to the other in the event of a system failure. Role election uses VRRP: both members of a pair share a Group ID, the member with the highest priority becomes Master, and the Master answers on the shared Virtual IP. For a Policy Server pair the synchronization consists of database replication (``data-server replica``) and log-server clustering (``log-server cluster-peers``); a Network Sensor pair only needs the VRRP settings.

- **Group** – VRRP Group ID. Both members of a pair must use the same ID, and the ID must not be reused by another VRRP group on the same segment.
- **Linkupdelay** – Time to wait after link-up before the interface is activated for HA.
- **No-Virtual-Mac** – Does not convert the MAC Address to a Virtual MAC when switching to Master.
- **Nopreempt** – When enabled, the current Master keeps its role regardless of priority; a higher-priority device that (re)joins the group does not take over until the Master fails.
- **Priority** – Priority value. The highest value becomes Master.
- **Timeout** – How long to wait for missing VRRP packets from the Master before the Slave takes over.
- **Virtual-IP** – Shared IP used by devices and the management UI. Clients should address the Virtual IP rather than the real IP of either server, so that they follow a failover.

.. note::

   | All-in-One (Policy Server + Network Sensor) is not supported: the Policy Server pair and the Network Sensor pair must be separate Appliances.

Serial Connection to Server if SSH is not established
-----------------------------------------------------

If the Appliance cannot be reached over SSH, connect a serial terminal with the following settings:

- Protocol: **Serial**
- Port: **COM1**
- Baud Rate: **115200** (*9600 for Mini-PC*)
- Data Bits: **8**
- Parity: **None**
- Stop Bits: **1**

How to configure Servers for High Availability
----------------------------------------------

#. Connect the prepared equipment to the network.
#. Connect to each Server through the Command Line Interface (SSH, or the serial connection above).
#. Run ``show configuration`` to see the current configuration. (*Record the Master Server's device-id: it must be the same on both Policy Servers.*)
#. Enter Global Config mode: ``configure terminal``
#. On each Server, enter the following configuration.

Master Policy Server
--------------------

.. code:: bash

    1. Interactive Wizard
    2. Manual Configuration
    Select installation type: 2

    Enter administrator username (4-31 characters) [admin]: admin
    # Password must contain at least one alphabet, number and special character
    Enter administrator password (minimum 9 characters): *********
    Re-enter Password:

    Welcome to Genian NAC
    Username: admin
    Password:
    The privileged EXEC mode password is the same as the console login password.
    For security reasons please change your password.
    Type 'enable' to access privileged EXEC mode for password change.

    genian> enable
    Password:
    genian# configure terminal
    genian(config)# hostname PRIMARY
    PRIMARY(config)# interface eth0 address [IP address] [Subnetmask]
    PRIMARY(config)# interface eth0 gateway [Gateway IP]
    PRIMARY(config)# ip default-gateway [Gateway IP]
    PRIMARY(config)# ip name-server [DNS IP]
    PRIMARY(config)# data-server username [username]
    PRIMARY(config)# data-server enable
    PRIMARY(config)# data-server password [password]
    PRIMARY(config)# data-server access-list [Secondary DB IP,Admin IP]
    PRIMARY(config)# data-server replica serverid 1
    PRIMARY(config)# data-server replica enable
    PRIMARY(config)# log-server enable
    PRIMARY(config)# log-server cluster-peers [Primary Policy Server real IP,Secondary Log Server real IP]
    PRIMARY(config)# log-server publish-port eth0
    PRIMARY(config)# interface eth0 management-server enable
    PRIMARY(config)# interface eth0 node-server enable
    PRIMARY(config)# interface eth0 ha priority 200
    PRIMARY(config)# interface eth0 ha group 20
    PRIMARY(config)# interface eth0 ha linkupdelay 30
    PRIMARY(config)# interface eth0 ha nopreempt enable
    PRIMARY(config)# interface eth0 ha timeout 20
    PRIMARY(config)# interface eth0 ha virtual-ip [Virtual IP]
    PRIMARY(config)# show configuration
    cli-pass change interval 0D
    cli-pass history num 0
    cli-pass minimum age 0D
    data-server enable
    data-server access-list [Secondary DB IP,Admin IP]
    data-server password ******
    data-server replica enable
    data-server replica serverid 1
    data-server username root
    device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   (*Use the same device-id for both Policy Servers*)
    hostname PRIMARY
    interface eth0 address [IP address] [Subnetmask]
    interface eth0 gateway [Gateway IP]
    interface eth0 ha group 20
    interface eth0 ha linkupdelay 30
    interface eth0 ha nopreempt enable
    interface eth0 ha priority 200
    interface eth0 ha timeout 20
    interface eth0 ha virtual-ip [Virtual IP]
    interface eth0 management-server enable
    interface eth0 node-server enable
    ip default-gateway [Gateway IP]
    ip name-server [DNS IP]
    log-server enable
    log-server cluster-name GENIAN
    log-server cluster-peers [Primary Policy Server real IP,Secondary Log Server real IP]
    log-server publish-port eth0

The ``data-server access-list`` restricts which hosts may connect to the database. It should contain only the real IP of the peer Policy Server and the administrator hosts, nothing else.

Secondary Policy Server
-----------------------

.. code:: bash

    1. Interactive Wizard
    2. Manual Configuration
    Select installation type: 2

    Enter administrator username (4-31 characters) [admin]: [Admin ID]
    # Password must contain at least one alphabet, number and special character
    Enter administrator password (minimum 9 characters):
    Re-enter Password:

    Welcome to Genian NAC
    Username: [Admin ID]
    Password:
    The privileged EXEC mode password is the same as the console login password.
    For security reasons please change your password.
    Type 'enable' to access privileged EXEC mode for password change.

    genian> en
    Password:
    genian# configure terminal
    genian(config)# hostname SECONDARY
    SECONDARY(config)# device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx   (from the PRIMARY server)
    SECONDARY(config)# interface eth0 address [IP address] [Subnetmask]
    SECONDARY(config)# interface eth0 gateway [Gateway]
    SECONDARY(config)# ip default-gateway [Gateway]
    SECONDARY(config)# ip name-server [DNS]
    SECONDARY(config)# data-server username [username]
    SECONDARY(config)# data-server enable
    SECONDARY(config)# data-server password [password]
    SECONDARY(config)# data-server access-list [Primary DB IP,Admin IP]
    SECONDARY(config)# data-server replica serverid 2
    SECONDARY(config)# data-server replica enable
    SECONDARY(config)# data-server replica masterhost [PRIMARY DB IP]
    SECONDARY(config)# data-server replica username [PRIMARY DB username]
    SECONDARY(config)# data-server replica password [PRIMARY DB password]
    SECONDARY(config)# log-server enable
    SECONDARY(config)# log-server cluster-peers [Secondary Policy Server real IP,Primary Log Server real IP]
    SECONDARY(config)# log-server publish-port eth0
    SECONDARY(config)# interface eth0 management-server enable
    SECONDARY(config)# interface eth0 node-server enable
    SECONDARY(config)# interface eth0 ha priority 100
    SECONDARY(config)# interface eth0 ha group 20
    SECONDARY(config)# interface eth0 ha linkupdelay 30
    SECONDARY(config)# interface eth0 ha nopreempt enable
    SECONDARY(config)# interface eth0 ha timeout 20
    SECONDARY(config)# interface eth0 ha virtual-ip [Virtual IP]
    SECONDARY(config)# show configuration
    cli-pass change interval 0D
    cli-pass history num 0
    cli-pass minimum age 0D
    data-server enable
    data-server access-list [Primary DB IP,Admin IP]
    data-server password ******
    data-server replica enable
    data-server replica masterhost [PRIMARY DB IP]
    data-server replica password ******
    data-server replica serverid 2
    data-server replica username [username]
    data-server username [username]
    device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    hostname SECONDARY
    interface eth0 address [IP address] [Subnetmask]
    interface eth0 gateway [Gateway]
    interface eth0 ha group 20
    interface eth0 ha linkupdelay 30
    interface eth0 ha nopreempt enable
    interface eth0 ha priority 100
    interface eth0 ha timeout 20
    interface eth0 ha virtual-ip [Virtual IP]
    interface eth0 management-server enable
    interface eth0 node-server enable
    ip default-gateway [Gateway]
    log-server enable
    log-server cluster-name [Cluster name]
    log-server cluster-peers [Secondary Policy Server real IP,Primary Log Server real IP]
    log-server publish-port eth0

The ``data-server replica username`` and ``password`` entered on the Secondary are the Primary's database credentials, and the Secondary connects to ``masterhost`` with them. ``show configuration`` masks both database passwords as ``******``, but they are stored in the Appliance configuration, so treat configuration backups as secrets. The ``log-server cluster-name`` should be the same on both Policy Servers (``GENIAN`` in the Primary example), and each server's ``cluster-peers`` lists the real IPs of both servers.

Primary Sensor
--------------

.. code:: bash

    device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    interface eth0 vlan 10,11,12
    interface eth0.10 address [IP address] [Subnetmask]
    interface eth0.10 gateway [Gateway]
    interface eth0.10 ha group 100
    interface eth0.10 ha priority 200
    interface eth0.11 address [IP address] [Subnetmask]
    interface eth0.11 gateway [Gateway]
    interface eth0.12 address [IP address] [Subnetmask]
    interface eth0.12 gateway [Gateway]
    ip default-gateway [Gateway]
    ip name-server [DNS]
    node-server ip [Policy Server IP]

Secondary Sensor
----------------

.. code:: bash

    device-id xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
    interface eth0 vlan 10,11,12
    interface eth0.10 address [IP address] [Subnetmask]
    interface eth0.10 gateway [Gateway]
    interface eth0.10 ha group 100
    interface eth0.10 ha priority 100
    interface eth0.11 address [IP address] [Subnetmask]
    interface eth0.11 gateway [Gateway]
    interface eth0.12 address [IP address] [Subnetmask]
    interface eth0.12 gateway [Gateway]
    ip default-gateway [Gateway IP]
    ip name-server [DNS IP]
    node-server ip [Policy Server IP]

Both sensors define the same VLAN interfaces; in this example HA is enabled on ``eth0.10`` only, with the Primary Sensor at priority 200 and the Secondary at 100, and each VLAN interface keeps its own real address on each sensor. ``node-server ip`` should point at the Policy Server's Virtual IP when the Policy Servers are themselves in HA, so that the sensor keeps reporting after a Policy Server failover.

.. attention::

   | Network Sensor HA is available in a multi-VLAN environment.
   | The failover conditions are:
   | - The Network Sensor is down.
   | - The link or interface between the Network Sensor and the switch is down.
   | - If HA is enabled on all VLAN interfaces, failover proceeds if even one interface is down.

How to test HA
--------------
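Run ``show ha`` on both Policy Servers and ``show dataserver replicastatus`` on each of them; the expected outputs are shown in this section and the next. The following script is an added example, not Genians' own tooling: it parses both kinds of output as captured from the CLI and reports a split brain (two Masters), a mismatched Group or Virtual IP, a priority tie, stopped replication threads, binlog lag and non-zero error counters. The sample outputs embedded in it are constructed to mirror the examples on this page, trimmed to the fields that are checked; the addresses ``10.0.0.10`` (Virtual IP), ``10.0.0.11`` (Primary) and ``10.0.0.12`` (Secondary) are placeholders.

```python
"""Added example (not Genians' own tooling): automates the checks of
`show ha` on both Policy Servers and `show dataserver replicastatus`.
All sample outputs below are constructed; the IPs are placeholders."""
import re
from typing import Dict, List, Tuple

# Constructed `show ha` output from each Policy Server (Virtual IP 10.0.0.10).
PRIMARY_SHOW_HA = """\
Status
Status: MASTER
Priority: 200
Group: 20
LinkupDelay: 30
Timeout: 20
Preempt: 0
VirtualIP: 10.0.0.10
"""
SECONDARY_SHOW_HA = PRIMARY_SHOW_HA.replace("MASTER", "SLAVE").replace("Priority: 200", "Priority: 100")

# Constructed `show dataserver replicastatus` output, trimmed to the checked fields.
REPLICA_STATUS = """\
Replication health is good.
==================== Primary Replication Status ====================
Host : 10.0.0.11
File : mysqld.000009
Position : 123456
==================== Secondary Replication Status ====================
Host : 10.0.0.12
Slave_IO_Running : Yes
Slave_SQL_Running : Yes
Master_Log_File : mysqld.000009
Read_Master_Log_Pos : 123456
Exec_Master_Log_Pos : 123456
Last_Errno : 0
Last_Error :
Last_IO_Errno : 0
Last_IO_Error :
Last_SQL_Errno : 0
Last_SQL_Error :
"""

_KV = re.compile(r"^\s*([A-Za-z_][A-Za-z_ ]*?)\s*:\s*(.*?)\s*$")


def parse_kv(text: str) -> Dict[str, str]:
    """Turn 'Key: value' / 'Key : value' lines into a dict; other lines are ignored."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        m = _KV.match(line)
        if m:
            out[m.group(1).strip()] = m.group(2)
    return out


def check_ha_pair(primary_show_ha: str, secondary_show_ha: str) -> List[str]:
    """Findings for the pair; an empty list means the VRRP roles look right."""
    a, b = parse_kv(primary_show_ha), parse_kv(secondary_show_ha)
    findings: List[str] = []
    roles = sorted([a.get("Status", "?"), b.get("Status", "?")])
    if roles != ["MASTER", "SLAVE"]:
        findings.append(f"roles are {roles}: two MASTERs is a split brain, "
                        "two SLAVEs means nobody holds the Virtual IP")
    for key in ("Group", "VirtualIP", "Timeout", "Preempt"):  # must agree on both members
        if a.get(key) != b.get(key):
            findings.append(f"{key} differs: primary={a.get(key)} secondary={b.get(key)}")
    if a.get("Priority") == b.get("Priority"):
        findings.append("priority tie: give the intended Master the higher priority")
    return findings


def parse_replica_status(text: str) -> Tuple[str, Dict[str, str], Dict[str, str]]:
    """Split the output into (health line, primary fields, secondary fields)."""
    head, _, rest = text.partition("Primary Replication Status")
    primary_txt, _, secondary_txt = rest.partition("Secondary Replication Status")
    health = head.strip().splitlines()[0] if head.strip() else ""
    return health, parse_kv(primary_txt), parse_kv(secondary_txt)


def check_replication(replica_status: str) -> List[str]:
    """Findings for DB replication; an empty list means the secondary is in sync."""
    health, primary, secondary = parse_replica_status(replica_status)
    findings: List[str] = []
    if health != "Replication health is good.":
        findings.append(f"unexpected health line: {health!r}")
    for key in ("Slave_IO_Running", "Slave_SQL_Running"):
        if secondary.get(key) != "Yes":
            findings.append(f"{key} is {secondary.get(key)!r}, expected 'Yes'")
    if secondary.get("Master_Log_File") != primary.get("File"):
        findings.append(f"secondary reads {secondary.get('Master_Log_File')} "
                        f"but primary writes {primary.get('File')}")
    try:  # the positions must advance together; a gap is replication lag
        lag = int(primary.get("Position", "")) - int(secondary.get("Exec_Master_Log_Pos", ""))
    except ValueError:
        findings.append("binlog positions missing or not numeric")
    else:
        if lag != 0:
            findings.append(f"secondary is {lag} bytes behind the primary's binlog position")
    for key in ("Last_Errno", "Last_IO_Errno", "Last_SQL_Errno"):
        if secondary.get(key, "0") != "0":
            msg = secondary.get(key.replace("Errno", "Error"), "")
            findings.append(f"{key}={secondary.get(key)} {msg}".rstrip())
    return findings


if __name__ == "__main__":
    for name, found in (("HA roles", check_ha_pair(PRIMARY_SHOW_HA, SECONDARY_SHOW_HA)),
                        ("DB replication", check_replication(REPLICA_STATUS))):
        print(name, "OK" if not found else "PROBLEMS: " + "; ".join(found))
```

Paste the real outputs into the two constants (or read them from files) and run the script on both servers; a healthy pair prints ``OK`` twice, and a failover test should flip the roles without producing any other finding.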
Run ``show ha`` on both Policy Servers. Exactly one of them must report ``MASTER`` and the other ``SLAVE``; ``Group`` and ``VirtualIP`` must be identical on both, the priorities must match what was configured, and ``Preempt: 0`` reflects ``ha nopreempt enable``. The values below correspond to the configuration entered above.

.. code:: bash

    ——————PRIMARY———————
    PRIMARY# show ha
    Status
    Status: MASTER
    Priority: 200
    Group: 20
    LinkupDelay: 30
    Timeout: 20
    Preempt: 0
    VirtualIP: [Virtual IP]

    ——————SECONDARY———————
    SECONDARY# show ha
    Status
    Status: SLAVE
    Priority: 100
    Group: 20
    LinkupDelay: 30
    Timeout: 20
    Preempt: 0
    VirtualIP: [Virtual IP]

To exercise a failover, take the Master off the network (power it off or unplug ``eth0``) and confirm that the Secondary changes to ``MASTER`` within the configured Timeout and that the Virtual IP and the management UI stay reachable. Because ``nopreempt`` is enabled, the original Master comes back as ``SLAVE``; it only becomes Master again if the current Master fails.

How to test DB replication
--------------------------

.. code:: bash

    ——————PRIMARY—————-
    PRIMARY(config)# show dataserver replicastatus
    Replication health is good.          (Confirm that this message is displayed)
    ==================== Primary Replication Status ====================
    Host : [Master DB IP displayed]
    File : mysqld.000009
    Position : 123456                    (The log position must increase equally on both servers)
    ==================== Secondary Replication Status ====================
    Host : [Slave DB IP displayed]
    Slave_IO_Running : Yes
    Slave_IO_State : Waiting for master to send event
    Slave_SQL_Running : Yes
    Slave_SQL_Running_State : Slave has read all relay log; waiting for the slave I/O thread to update it
    Master_Log_File : mysqld.000009
    Read_Master_Log_Pos : 123456         (The log position must increase equally on both servers)
    Relay_Master_Log_File : mysqld.000009
    Exec_Master_Log_Pos : 123456
    Last_Errno : 0
    Last_Error :
    Last_IO_Errno : 0
    Last_IO_Error :
    Last_SQL_Errno : 0
    Last_SQL_Error :
    Relay_Log_File : mysqld-relay-bin.000026
    Relay_Log_Pos : 123456

    ——————SECONDARY—————–
    SECONDARY# show dataserver replicastatus
    Replication health is good.          (Confirm that this message is displayed)
    ==================== Primary Replication Status ====================
    Host : [Master DB IP displayed]
    File : mysqld.000009                 (Check the Primary replication file)
    Position : 123456                    (Check the Primary replication position)
    ==================== Secondary Replication Status ====================
    Host : [Slave DB IP displayed]
    Slave_IO_Running : Yes               (Must be Yes)
    Slave_IO_State : Waiting for master to send event
    Slave_SQL_Running : Yes              (Must be Yes)
    Slave_SQL_Running_State : Slave has read all relay log; waiting for the slave I/O thread to update it
    Master_Log_File : mysqld.000009      (Must be the same as the Primary replication file)
    Read_Master_Log_Pos : 123456
    Relay_Master_Log_File : mysqld.000009
    Exec_Master_Log_Pos : 123456
    Last_Errno : 0
    Last_Error :
    Last_IO_Errno : 0
    Last_IO_Error :
    Last_SQL_Errno : 0
    Last_SQL_Error :
    Relay_Log_File : mysqld-relay-bin.000026
    Relay_Log_Pos : 123456

.. attention::

   Run the database replication check on the Primary and on the Secondary respectively. Both must print ``Replication health is good.``, ``Slave_IO_Running`` and ``Slave_SQL_Running`` must both be ``Yes``, every ``Last_*_Errno`` must be ``0``, and the Secondary's ``Master_Log_File`` / ``Exec_Master_Log_Pos`` must track the Primary's ``File`` / ``Position``. A position that stops advancing on the Secondary while it keeps growing on the Primary means replication has stalled even when no error is shown.

Bonding Configuration
---------------------

Bonding logically combines multiple physical interfaces into one logical interface. It is used to keep the service available when one physical interface (or its cable or switch port) fails.

Bonding settings
''''''''''''''''

**Policy Server & Network Sensor**
.. code:: bash

    genians(config)# interface bond0 slave eth0,eth1
    genians(config)# interface bond0 address [PolicyServer IP] [Subnetmask]
    genians(config)# interface bond0 gateway [gateway IP]
    genians(config)# bonding parameters mode=1

    # Bonding parameter
    #   mode=0: balance-rr (round-robin)
    #   mode=1: active-backup (recommended)

.. warning::

   - No settings may exist on the member interfaces (``eth0`` and ``eth1`` above) before they are added to the bond.
   - A reboot of the equipment is required to apply the ``bonding parameters`` setting.
   - In some environments (virtual appliances), using bonded interfaces may impair the function of other, non-bonded interfaces.

Checking Bonding Interface Status
'''''''''''''''''''''''''''''''''

A bond runs either Active/Active (``mode=0``, round-robin) or Active/Backup (``mode=1``). The current state is read from ``/proc/net/bonding/bond0``. The example output below was taken from a ``mode=0`` bond with ``eth1`` and ``eth2`` as members, so the ``Bonding Mode`` line reads ``load balancing (round-robin)``; a ``mode=1`` bond reports ``fault-tolerance (active-backup)`` and additionally shows which member is the ``Currently Active Slave``. In either mode, check that every ``Slave Interface`` shows ``MII Status: up`` and that its ``Link Failure Count`` is not climbing.

.. code:: bash

    Genians$ cat /proc/net/bonding/bond0
    Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

    Bonding Mode: load balancing (round-robin)
    MII Status: up
    MII Polling Interval (ms): 100
    Up Delay (ms): 0
    Down Delay (ms): 0

    Slave Interface: eth1
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 00:0c:29:21:be:a9
    Slave queue ID: 0

    Slave Interface: eth2
    MII Status: up
    Speed: 1000 Mbps
    Duplex: full
    Link Failure Count: 0
    Permanent HW addr: 00:0c:29:21:be:b3
    Slave queue ID: 0
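The status file above is meant to be read by eye. As an added example that is not part of the Genians Appliance, the parser below reads the same ``/proc/net/bonding/bond0`` format, extracts the mode, the active member and each member's link state, and flags the conditions that matter here: a bond still in round-robin instead of the recommended ``mode=1``, a member that is down, and a ``Link Failure Count`` that has started climbing. Both embedded samples are constructed (the second shows the ``fault-tolerance (active-backup)`` form with one member down) and are trimmed to the lines the parser uses; the MAC addresses are placeholders.

```python
"""Added example, not part of the Genians Appliance: parses /proc/net/bonding/bondN
output and flags the conditions an operator should look for. Both samples are
constructed and trimmed; the MAC addresses are placeholders."""
import re
from typing import Dict, List

# Constructed: a mode=0 (balance-rr) bond with both members up, like the page's example.
ROUND_ROBIN = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: load balancing (round-robin)
MII Status: up

Slave Interface: eth1
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:21:be:a9

Slave Interface: eth2
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:21:be:b3
"""

# Constructed: a mode=1 (active-backup) bond whose backup member lost link once and is down.
ACTIVE_BACKUP = """\
Ethernet Channel Bonding Driver: v3.7.1 (April 27, 2011)

Bonding Mode: fault-tolerance (active-backup)
Primary Slave: None
Currently Active Slave: eth0
MII Status: up

Slave Interface: eth0
MII Status: up
Link Failure Count: 0
Permanent HW addr: 00:0c:29:21:be:a9

Slave Interface: eth1
MII Status: down
Link Failure Count: 1
Permanent HW addr: 00:0c:29:21:be:b3
"""


def _field(block: str, name: str) -> str:
    """Value of the first 'name: value' line in the block, or '' if absent."""
    m = re.search(rf"^{re.escape(name)}: (.+)$", block, re.M)
    return m.group(1).strip() if m else ""


def parse_bond(text: str) -> Dict:
    """Split the file into the bond-level header and one block per member."""
    head, *member_blocks = text.split("\nSlave Interface: ")
    members = []
    for block in member_blocks:
        name, _, body = block.partition("\n")
        members.append({
            "iface": name.strip(),
            "mii": _field(body, "MII Status"),
            "failures": int(_field(body, "Link Failure Count") or 0),
            "hwaddr": _field(body, "Permanent HW addr"),
        })
    return {
        "mode": _field(head, "Bonding Mode"),
        "mii": _field(head, "MII Status"),          # bond-level status, not a member's
        "active": _field(head, "Currently Active Slave") or None,  # only in active-backup
        "members": members,
    }


def assess_bond(text: str) -> List[str]:
    """Findings about the bond; an empty list means it is healthy and in the recommended mode."""
    bond = parse_bond(text)
    findings: List[str] = []
    if "active-backup" not in bond["mode"]:
        findings.append(f"mode is '{bond['mode']}'; the recommended setting is mode=1 (active-backup)")
    if bond["mii"] != "up":
        findings.append("the bond itself is down: no member has link")
    if len(bond["members"]) < 2:
        findings.append("fewer than two members: a single NIC failure takes the appliance offline")
    for m in bond["members"]:
        if m["mii"] != "up":
            findings.append(f"{m['iface']} is {m['mii']}: the bond has lost its redundancy")
        if m["failures"]:
            findings.append(f"{m['iface']} has lost link {m['failures']} time(s) since boot: "
                            "check cable and switch port")
    return findings


if __name__ == "__main__":
    for label, sample in (("round-robin", ROUND_ROBIN), ("active-backup", ACTIVE_BACKUP)):
        print(label, assess_bond(sample) or "OK")
```

Feed it ``open("/proc/net/bonding/bond0").read()`` on the Appliance to check the live bond; a healthy ``mode=1`` bond with both members up returns no findings.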
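Before running the HA tests above it is worth comparing the ``show configuration`` dumps of the two Policy Servers mechanically, because every mismatch the page warns about (a different ``device-id``, a different ``ha group`` or ``virtual-ip``, a duplicated ``replica serverid``, a ``masterhost`` that is not the Primary, an ``access-list`` that does not admit the peer) only shows up later as a failed failover or broken replication. The script below is an added example, not part of the Genians software. It assumes the dump format shown in the Master and Secondary Policy Server sections; the two embedded dumps are constructed from those templates with placeholder addresses (``10.0.0.11`` Primary, ``10.0.0.12`` Secondary, ``10.0.0.10`` Virtual IP, ``10.0.0.50`` an administrator host) and a placeholder device-id.

```python
"""Added example, not Genians' own software: cross-checks the `show configuration`
dumps of the two Policy Servers for the HA-relevant settings. The two dumps below
are constructed from the page's templates; addresses and device-id are placeholders."""
from typing import List, Optional

PRIMARY_CFG = """\
data-server enable
data-server access-list 10.0.0.12,10.0.0.50
data-server replica enable
data-server replica serverid 1
data-server username root
device-id 3f9c1f2e-0000-4000-8000-000000000001
hostname PRIMARY
interface eth0 address 10.0.0.11 255.255.255.0
interface eth0 ha group 20
interface eth0 ha nopreempt enable
interface eth0 ha priority 200
interface eth0 ha timeout 20
interface eth0 ha virtual-ip 10.0.0.10
log-server cluster-name GENIAN
log-server cluster-peers 10.0.0.11,10.0.0.12
"""

SECONDARY_CFG = """\
data-server enable
data-server access-list 10.0.0.11,10.0.0.50
data-server replica enable
data-server replica masterhost 10.0.0.11
data-server replica serverid 2
data-server username root
device-id 3f9c1f2e-0000-4000-8000-000000000001
hostname SECONDARY
interface eth0 address 10.0.0.12 255.255.255.0
interface eth0 ha group 20
interface eth0 ha nopreempt enable
interface eth0 ha priority 100
interface eth0 ha timeout 20
interface eth0 ha virtual-ip 10.0.0.10
log-server cluster-name GENIAN
log-server cluster-peers 10.0.0.12,10.0.0.11
"""


def get(cfg: str, prefix: str) -> Optional[str]:
    """Value of the first line starting with `prefix`, e.g. 'interface eth0 ha priority' -> '200'."""
    for line in cfg.splitlines():
        line = line.strip()
        if line.startswith(prefix + " "):
            return line[len(prefix) + 1:].strip()
    return None


def csv(value: Optional[str]) -> List[str]:
    """Split a comma-separated CLI value such as an access-list or cluster-peers."""
    return [v.strip() for v in (value or "").split(",") if v.strip()]


def check_pair(primary_cfg: str, secondary_cfg: str, iface: str = "eth0") -> List[str]:
    """Findings about the pair; an empty list means the two dumps are consistent."""
    ha = f"interface {iface} ha "
    findings: List[str] = []
    # Settings that must be present and identical on both servers.
    for key in ("device-id", ha + "group", ha + "virtual-ip", ha + "timeout",
                ha + "nopreempt", "log-server cluster-name"):
        p, s = get(primary_cfg, key), get(secondary_cfg, key)
        if p is None or p != s:
            findings.append(f"'{key}' must be set and identical: primary={p} secondary={s}")
    # Settings that must be present and different.
    for key in ("hostname", f"interface {iface} address", "data-server replica serverid"):
        p, s = get(primary_cfg, key), get(secondary_cfg, key)
        if p is None or s is None or p == s:
            findings.append(f"'{key}' must be set and differ: primary={p} secondary={s}")
    try:
        if int(get(primary_cfg, ha + "priority")) <= int(get(secondary_cfg, ha + "priority")):
            findings.append("the primary's ha priority must be higher than the secondary's")
    except (TypeError, ValueError):
        findings.append("ha priority missing or not numeric on one server")
    p_ip = (get(primary_cfg, f"interface {iface} address") or "").split(" ")[0]
    s_ip = (get(secondary_cfg, f"interface {iface} address") or "").split(" ")[0]
    if get(primary_cfg, ha + "virtual-ip") in (p_ip, s_ip):
        findings.append("the virtual-ip must not be the real address of either server")
    masterhost = get(secondary_cfg, "data-server replica masterhost")
    if masterhost != p_ip:
        findings.append(f"secondary replica masterhost is {masterhost}, expected the primary {p_ip}")
    # Replication and admin access are filtered by access-list: each side must admit the peer.
    if s_ip not in csv(get(primary_cfg, "data-server access-list")):
        findings.append(f"primary's data-server access-list does not admit the secondary {s_ip}")
    if p_ip not in csv(get(secondary_cfg, "data-server access-list")):
        findings.append(f"secondary's data-server access-list does not admit the primary {p_ip}")
    for name, cfg in (("primary", primary_cfg), ("secondary", secondary_cfg)):
        if not {p_ip, s_ip} <= set(csv(get(cfg, "log-server cluster-peers"))):
            findings.append(f"{name}'s log-server cluster-peers must list both real IPs")
    return findings


if __name__ == "__main__":
    problems = check_pair(PRIMARY_CFG, SECONDARY_CFG)
    print("consistent" if not problems else "\n".join(problems))
```

Paste each server's real ``show configuration`` output into the two constants; a consistent pair prints ``consistent``, and any finding names the exact CLI line to correct before the failover test.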