7 Replies Latest reply on Jul 31, 2017 7:11 AM by tomu

    SIEM Device NIC Bonding

    sssyyy

      The network team asked me: for NIC bonding/teaming, does the McAfee SIEM device use the LACP and Port Channel method?

       

      I'm not a network engineer, does anyone here know how to best answer this question?

        • 1. Re: SIEM Device NIC Bonding
          schrodinger

          hello,

           

          ESM and ERC support bonding mode 0 only. Mode cannot be changed.

          LACP and Port Channel are not supported.

          • 2. Re: SIEM Device NIC Bonding
            rth67

            This is information I got from Tier3 / Engineering back in 2014:

            802.3ad (LACP) link aggregation is not supported. Bonding NICs in the UI is as simple as setting the two management interfaces to the same IP address. The NIC takes care of the rest on the back end.

             

            Back to the here and now...

            As we recently moved from connections to Catalyst Core switches over to Nexus switches, our LAN/WAN team is seeing the following errors over and over:

            FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac xxxxxx among ports Eth1

            Disabling dynamic learn notifications for 180 seconds

            FWM-2-STM_LEARNING_RE_ENABLE: Re enabling dynamic learning on all interfaces

             

            We are going to test making a port channel with mode "on" as LACP is not supported.  If that does not work to clear the errors or doesn't break the NIC Bonding, they will open up a Cisco TAC case.
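As an added example (not part of the thread and not McAfee or Cisco tooling): a short Python script that reads switch syslog for the STM_LOOP_DETECT message quoted above and separates MACs that flap between one fixed pair of ports, the pattern this thread attributes to bonded MGMT interfaces, from MACs moving among several port pairs. The "PortA and PortB" layout after "among ports", and every hostname, MAC, port and VLAN in the sample, are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed layout: "... for mac <mac> among ports <portA> and <portB> ..."
LOOP_RE = re.compile(
    r"STM_LOOP_DETECT: Loops detected in the network for mac (\S+) "
    r"among ports (\S+) and (\S+)"
)

# Constructed sample lines (documentation-range MACs, made-up ports).
SAMPLE_LOG = """\
Jul 12 09:14:02 sw1 %FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac 0000.5e00.5301 among ports Eth1/7 and Eth1/8 vlan 120
Jul 12 09:17:02 sw1 %FWM-2-STM_LEARNING_RE_ENABLE: Re enabling dynamic learning on all interfaces
Jul 12 09:17:40 sw1 %FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac 0000.5E00.5301 among ports Eth1/8 and Eth1/7 vlan 120
Jul 12 09:21:11 sw1 %FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac 0000.5e00.5301 among ports Eth1/7 and Eth1/8 vlan 120
Jul 12 09:30:05 sw1 %FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac 0000.5e00.5302 among ports Eth1/3 and Eth1/4 vlan 10
Jul 12 09:41:37 sw1 %FWM-2-STM_LOOP_DETECT: Loops detected in the network for mac 0000.5e00.5302 among ports Eth1/3 and Eth2/1 vlan 10
"""

def loop_events(log_text):
    """Count loop-detect events per MAC, keyed by the unordered port pair."""
    events = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LOOP_RE.search(line)
        if m:
            mac, port_a, port_b = m.groups()
            # Sort the pair so "A and B" and "B and A" count as the same flap.
            events[mac.lower()][tuple(sorted((port_a, port_b)))] += 1
    return events

def classify(log_text, min_events=2):
    """Return (bonded, investigate) dicts keyed by MAC address."""
    bonded, investigate = {}, {}
    for mac, pairs in loop_events(log_text).items():
        if len(pairs) == 1 and sum(pairs.values()) >= min_events:
            # Repeated flaps between the same two ports: likely one bonded
            # host whose switch ports are not in a port channel.
            bonded[mac] = next(iter(pairs))
        else:
            # Several port pairs, or a single event: check for a real loop.
            investigate[mac] = sorted(pairs)
    return bonded, investigate

if __name__ == "__main__":
    bonded, investigate = classify(SAMPLE_LOG)
    for mac, ports in bonded.items():
        print(f"{mac}: repeated flap between {ports[0]} and {ports[1]}")
    for mac, pairs in investigate.items():
        print(f"{mac}: inconsistent flapping across {pairs}")
```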

            • 3. Re: SIEM Device NIC Bonding
              sssyyy

              In the case where the devices have already been configured with NIC teaming and shipped to the data centres, without remote physical access, how can I disable NIC bonding?

               

              Can I just connect MGMT1/eth0 to a switch port and leave MGMT2 unplugged? Should I be able to access the CLI and GUI? Once I have access to the GUI, I can disable NIC teaming.

              • 4. Re: SIEM Device NIC Bonding
                rth67

                Yes. When I was first testing NIC Bonding I was given two cables, one of which was bad. I set up the NIC Bonding and the connectivity was bouncing, so I couldn't access it for very long before losing connectivity. We had to go in to the Data Center and pull the cable from the MGMT2 interface, and the system stabilized. Then I went in to the UI and removed the configuration from the MGMT2 interface, and the NIC Bonding was removed.

                 

                My ETM still has it enabled, we will be testing the port channel mode "on" tomorrow.

                • 5. Re: SIEM Device NIC Bonding
                  tomu

                  What are the results of your tests? I'm also planning on connecting an ESM with redundant ethernet links, and am exploring my options.

                  • 6. Re: SIEM Device NIC Bonding
                    rth67

                    Setting up an EtherChannel with the default mode of "on" and not specifying LACP or any other protocols does work, and it eliminates any looping errors you may see on your Cisco switches for a duplicate MAC address.

                     

                    If your MGMT1 and MGMT2 ports are connected to two different switches, the EtherChannel has to be configured the same on both switches, otherwise your connectivity will go up and down.

                     

                    We have successfully done this in our lab on an old Gen3 5750 ESM, as well as in production on 2 ERC-2600s and our X6 ESM.

                    • 7. Re: SIEM Device NIC Bonding
                      tomu

                      Thanks for your response, this helps a lot. I'm still waiting for our new ESM to arrive to test this, but will post my experiences as soon as I'm done.