Hi Chris,
On 1/18/12 5:57 PM, Chris Kawchuk wrote:
As it stands right now, IM deals with the interfaces as separate... hence no way to
"pair" them up. Solutions:
1. The Packetshaper box itself would have to identify the interfaces as a single (virtual)
interface. I know some vendors do this with a "redundant ethernet interface" (which
is logical, but represents the status of the 2 links.. as long as 1 is up, the interface is
considered 'up', and hence is tracked in IM as a single port). Don't track the physical, just
track the "rethX" logical. I don't know if the Packetshaper boxes can be set up in HA mode
and thus reflect only a single interface, tho... YMMV.
Packetshapers don't work that way, unfortunately. Their HA
functionality is pretty basic. The firewalls have this, but then I'm
only monitoring the status of the virtual firewall, not the physical
attributes of each firewall. Ideally I want it all...
2. Get the Firewall vendor not to "Drop Link" on passive interfaces.. Instead, keep the
Link up, but block in/out instead. Might be worthwhile to discuss this with your Vendor - i.e.
Explain your situation to your Firewall Vendor, and the havoc it causes on connected equipment when
they "link down" things. I'm sure they have other customers who run into the same problem.
I agree completely, and I mentioned this at installation time. They
said it's already a feature request and added me to the list :)
3. Use a different firewall that doesn't drop link on passive interfaces. (i.e.
Juniper SRX in HA mode... plug..plug.. =)..)
Yeah, I just plug..plugged in these fancy Palo Alto firewalls last year
(and I really like them overall) so I probably won't be migrating any
time soon. I hear Junipers are nice too, I haven't looked at them for a
while.
4. IM Feature request =).. "Hey IM, see this interface on this box? pair it with
this interface on this other box (or same box if it's a virtual-chassis).".. Much
coding required tho.
- Chris.
Yep, which is why I brought up the subject. I'm trying to gauge if
there's enough of a need for this functionality. If I'm the only one
who sees it as a useful feature it might not gain any traction. On the
other hand if a number of customers would find such functionality
helpful, then maybe we can get something in the pipeline.
One solution would be a new acknowledgement type for interfaces, where
we can define an acknowledgement group (underneath None, Indefinite,
Timed). Another solution might be an extra field in the Interfaces
view, where we can define a redundant link group. And then we only get
notified if the number of down interfaces in that group exceeds a threshold.
Any other thoughts?
Thanks,
Matt
On 2012-01-19, at 8:08 AM, Matt Richard wrote:
Hello Intermapper Fans,
Our Internet connection has a partial mesh topology for connecting our core
routers to the Internet. Each firewall + Packetshaper set is configured in an
active/passive mode. (see the image below, if it makes it out to the list)
When a firewall changes state from active to passive, it brings down its inside
and outside interfaces to prevent loops. So even though we're fully connected
to the Internet, the passive side will always have a bunch of links down.
I'd like a way to define a group of interfaces as a redundant group (such as "eth19" on
both routers, or "Outside" on both Packetshapers). As long as at least one of the group
is up, the map is happy and managers don't ask a lot of questions. As it is now, any time we do
maintenance we need to acknowledge the interfaces on the standby side before the managers see the
map.
Is this something we can do today, or does it look like a feature request?
Thanks,
Matt
http://img853.imageshack.us/img853/6757/internetu.jpg
____________________________________________________________________
--
Matt Richard '08
Access and Security Coordinator
Information Technology Services
Franklin & Marshall College
[email protected]