2016-08-22 10:25 AM
I am wondering if it is possible to assign two active IP addresses to SA appliances (SA server and log hybrid in this case). I already have the SA appliances working with 1 IP address. But, there are a few network changes happening in our environment due to which we have to re-IP our SA boxes.
1) Can we keep the existing IP and add another IP, keeping both these active?
Reason being, we want to collect logs on both the old and new IP and once all the syslogs are forwarded to the new IP, we will remove the old ones.
2016-12-27 02:46 PM
****DISCLAIMER**** This is not an RSA Security Supported Process!!!!! ****DISCLAIMER*****
However, this works!!!
example:
Primary Management IP: 192.168.10.15 Gateway: 192.168.10.1
Secondary Management IP: 10.10.35.5 Gateway: 10.10.35.1
# netstat -anr
Kernel IP routing table
Destination Gateway Genmask Flags MSS Window irtt Iface
192.168.10.0 0.0.0.0 255.255.255.0 U 0 0 0 eth1 (Primary)
10.10.35.0 0.0.0.0 255.255.255.0 U 0 0 0 eth0 (Secondary)
0.0.0.0 192.168.10.1 0.0.0.0 UG 0 0 0 eth1
Create a new policy routing table entry in the following file /etc/iproute2/rt_tables.
Name it table #1, named “admin” (for routing administrative traffic onto eth0).
echo "1 admin" >> /etc/iproute2/rt_tables
Next, set a couple of new entries within this “admin” table. Provide information about eth0's local /24 subnet, along with eth0's default gateway.
ip route add 10.10.35.0/24 dev eth0 src 10.10.35.5 table admin
ip route add default via 10.10.35.1 dev eth0 table admin
Now you’ve created a new, isolated routing table named “admin”. You will now need to create a rule referencing how the operating system will use this table.
Type "ip rule show" to see your current policy routing ruleset. Here’s what an empty ruleset looks like:
0: from all lookup local
32766: from all lookup main
32767: from all lookup default
Each rule entry is evaluated in ascending order.
You will create two new rule entries that will be evaluated before the main rule entry.
ip rule add from 10.10.35.5/32 table admin
ip rule add to 10.10.35.5/32 table admin
Now when you type "ip rule show" it shows the following policy routing rulesets including the ones just created:
0: from all lookup local
32764: from all to 10.10.35.5 lookup admin
32765: from 10.10.35.5 lookup admin
32766: from all lookup main
32767: from all lookup default
Rule 32764 specifies that for all traffic going to eth0's IP, use the routing table named “admin” instead of the routing table named “main”. Likewise, rule 32765 indicates that for all traffic originating from eth0's IP, make sure to use the “admin” routing table as well. For all other packets, use the “main” routing table.
Type "ip route flush cache" to flush the cache. You may also need to restart network services or toggle the interface.
Hope this helps!
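The steps in the post above, collected into one script as an added example (not from the thread or from RSA). It wraps the same rt_tables entry, `ip route` and `ip rule` commands, but checks first whether the table and rules already exist, so running it twice does not append a second "1 admin" line or fail on a duplicate route. Interface name, addresses, table name and the `DRY_RUN` switch are assumptions taken from the thread's example values; nothing is changed on the box unless `DRY_RUN=0` is set.

```shell
#!/bin/sh
# Added example, not part of the original thread: idempotent setup of a second
# management IP using a dedicated policy routing table.
# Assumed values (from the thread's example); override via the environment.
SEC_IF="${SEC_IF:-eth0}"
SEC_IP="${SEC_IP:-10.10.35.5}"
SEC_NET="${SEC_NET:-10.10.35.0/24}"
SEC_GW="${SEC_GW:-10.10.35.1}"
TABLE_ID="${TABLE_ID:-1}"
TABLE_NAME="${TABLE_NAME:-admin}"
RT_TABLES="${RT_TABLES:-/etc/iproute2/rt_tables}"
DRY_RUN="${DRY_RUN:-1}"   # 1 = only print the commands; 0 = execute them

# run: echo the command, execute it only when DRY_RUN=0.
run() {
    echo "+ $*"
    if [ "$DRY_RUN" = "0" ]; then "$@"; fi
}

# rt_table_line: the rt_tables entry exactly as it should appear in the file.
rt_table_line() { echo "$TABLE_ID $TABLE_NAME"; }

# rt_table_registered FILE: succeeds if FILE already maps the table id or
# the table name.  Guards the plain `echo "1 admin" >> rt_tables` from the
# thread, which would add a duplicate line every time it is re-run.
rt_table_registered() {
    [ -f "$1" ] || return 1
    grep -Eq "^[[:space:]]*($TABLE_ID[[:space:]]+|[0-9]+[[:space:]]+$TABLE_NAME[[:space:]]*$)" "$1"
}

# admin_rules_present TEXT: succeeds if TEXT (the output of `ip rule show`)
# already contains both the "from" and the "to" rule for the secondary IP.
admin_rules_present() {
    printf '%s\n' "$1" | grep -q "from $SEC_IP lookup $TABLE_NAME" &&
    printf '%s\n' "$1" | grep -q "from all to $SEC_IP lookup $TABLE_NAME"
}

setup_admin_table() {
    if rt_table_registered "$RT_TABLES"; then
        echo "table $TABLE_ID/$TABLE_NAME already in $RT_TABLES, skipping"
    else
        run sh -c "echo '$(rt_table_line)' >> '$RT_TABLES'"
    fi
    # `ip route replace` succeeds on re-run where `ip route add` reports
    # "File exists"; the resulting routes are the same as in the thread.
    run ip route replace "$SEC_NET" dev "$SEC_IF" src "$SEC_IP" table "$TABLE_NAME"
    run ip route replace default via "$SEC_GW" dev "$SEC_IF" table "$TABLE_NAME"
    current="$(ip rule show 2>/dev/null || true)"
    if admin_rules_present "$current"; then
        echo "policy rules for $SEC_IP already present, skipping"
    else
        run ip rule add from "$SEC_IP/32" table "$TABLE_NAME"
        run ip rule add to "$SEC_IP/32" table "$TABLE_NAME"
    fi
    run ip route flush cache
}

# Usage: sh secondary_ip.sh setup            (prints what would be done)
#        DRY_RUN=0 sh secondary_ip.sh setup  (applies it, as root)
case "${1:-}" in
    setup) setup_admin_table ;;
esac
```

Run it once in dry-run mode and compare the printed commands with the routing table from `netstat -anr` before applying; after applying, `ip rule show` should list the two `lookup admin` entries ahead of `main` exactly as shown in the post, and `ip route show table admin` should list the /24 and the default route via the secondary gateway. As the post notes, the iproute2 changes are not persistent across a reboot or a network restart unless they are added to the appliance's network startup configuration.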
2016-08-23 02:48 AM
Commenting because I was also going to ask the exact same question. However, in our case we would like to assign secondary interfaces to all components (SA Server, Concentrator, Log Decoder, Archiver, and Virtual Log Collector). We would like to be able to manage the appliances (SSH, HTTPS) via the secondary interface, and to also listen to Syslog on all active interfaces on the Virtual Log Collectors.
2016-12-28 02:54 PM
There are various options but it depends on the infrastructure. You could use a DNS alias or possibly explore the load balancer approach so you do not lose connectivity. By load balancer, I mean F5 or similar.