Advanced Network Configuration

This chapter contains the following sections:

Media Settings on Ethernet Interfaces

Media settings for the ethernet interfaces can be accessed via the use of the etherconfig command. Each ethernet interface is listed with its current setting. By selecting the interface, the possible media settings are displayed. See Example of Editing Media Settings for an example.

Using etherconfig to Edit Media Settings on Ethernet Interfaces

The etherconfig command can be used to set the duplex settings (full/half) as well as the speed (10/100/1000 Mbps) of ethernet interfaces. By default, interfaces automatically select the media settings; however, in some cases you may wish to override this setting.


Note

If you have completed the GUI’s System Setup Wizard (or the Command Line Interface systemsetup command) as described in the “Setup and Installation” chapter and committed the changes, the default ethernet interface settings should already be configured on your email gateway.

Some email gateways contain a fiber optic network interface option. If available, you will see two additional ethernet interfaces (Data 3 and Data 4) in the list of available interfaces on these email gateways. These gigabit fiber optic interfaces can be paired with the copper (Data 1, Data 2, and Management) interfaces in a heterogeneous configuration. See Network Interface Card Pairing/Teaming.

Example of Editing Media Settings 

mail3.example.com> etherconfig

Choose the operation you want to perform:
- MEDIA - View and edit ethernet media settings.
- PAIRING - View and configure NIC Pairing.
- VLAN - View and configure VLANs.
- LOOPBACK - View and configure Loopback.
- MTU - View and configure MTU.
- MULTICAST - Accept or reject ARP replies with a multicast address.

[]> media
Ethernet interfaces:
1. Data 1 (Autoselect: <100baseTX full-duplex>) 00:06:5b:f3:ba:6d
2. Data 2 (Autoselect: <100baseTX full-duplex>) 00:06:5b:f3:ba:6e
3. Management (Autoselect: <100baseTX full-duplex>) 00:02:b3:c7:a2:da

Choose the operation you want to perform:
- EDIT - Edit an ethernet interface.
[]> edit
Enter the name or number of the ethernet interface you wish to edit.
[]> 2
Please choose the Ethernet media options for the Data 2 interface.
1. Autoselect
2. 10baseT/UTP half-duplex
3. 10baseT/UTP full-duplex
4. 100baseTX half-duplex

5. 100baseTX full-duplex


6. 1000baseTX half-duplex
7. 1000baseTX full-duplex
[1]> 5
Ethernet interfaces:
1. Data 1 (Autoselect: <100baseTX full-duplex>) 00:06:5b:f3:ba:6d
2. Data 2 (100baseTX full-duplex: <100baseTX full-duplex>) 00:06:5b:f3:ba:6e
3. Management (Autoselect: <100baseTX full-duplex>) 00:02:b3:c7:a2:da
Choose the operation you want to perform:
- EDIT - Edit an ethernet interface.
[]>
Choose the operation you want to perform:
- MEDIA - View and edit ethernet media settings.
- PAIRING - View and configure NIC Pairing.
- VLAN - View and configure VLANs.
- LOOPBACK - View and configure Loopback.
- MTU - View and configure MTU.
- MULTICAST - Accept or reject ARP replies with a multicast address.
[]>

Network Interface Card Pairing/Teaming

NIC pairing allows you to combine any two physical data ports in order to provide a backup Ethernet interface if the data path from the NIC to the upstream Ethernet port should fail. Basically, pairing configures the Ethernet interfaces so that there is a primary interface and a backup interface. If the primary interface fails (i.e. if the carrier between the NIC and the upstream node is disrupted), the backup interface becomes active and an alert is sent. When the primary interface is up again, this interface will become active automatically. Within the documentation for this product, NIC pairing is synonymous with NIC teaming.


Note

NIC pairing is not available on C170, C190 and C195 email gateways.

You can create more than one NIC pair, providing you have enough data ports. When creating pairs, you can combine any two data ports. For example:

Data 1 and Data 2

Data 3 and Data 4

Data 2 and Data 3

etc.

Some email gateways contain a fiber optic network interface option. If available, you will see two additional ethernet interfaces (Data 3 and Data 4) in the list of available interfaces on these email gateways. These gigabit fiber optic interfaces can be paired with the copper (Data 1, Data 2, and Management) interfaces in a heterogeneous configuration.

NIC Pair Naming

When creating NIC pairs, you must specify a name to use to refer to the pair. NIC pairs created in versions of AsyncOS prior to version 4.5 will automatically receive the default name of ‘Pair 1’ following an upgrade.

Any alerts generated regarding NIC pairing will reference the specific NIC pair by name.

NIC Pairing and Existing Listeners

If you enable NIC pairing on an interface that has listeners assigned to it, you are prompted to either delete, reassign, or disable all listeners assigned to the backup interface.

Enabling NIC Pairing via the etherconfig Command


Note

NIC pairing is not available on C170, C190 and C195 email gateways. 

mail3.example.com> etherconfig


Choose the operation you want to perform:

- MEDIA - View and edit ethernet media settings.

- PAIRING - View and configure NIC Pairing.

- VLAN - View and configure VLANs.

- LOOPBACK - View and configure Loopback.

- MTU - View and configure MTU.

- MULTICAST - Accept or reject ARP replies with a multicast address.

[]> pairing

Paired interfaces:

Choose the operation you want to perform:

- NEW - Create a new pairing.

[]> new

Please enter a name for this pair (Ex: "Pair 1"):

[]> Pair 1

Warning: The backup (Data 2) for the NIC Pair is currently configured with one or more
IP addresses. If you continue, the Data 2 interface will be deleted.

Do you want to continue? [N]> y

The interface you are deleting is currently used by listener "OutgoingMail".

What would you like to do?

1. Delete: Remove the listener and all its settings.

2. Change: Choose a new interface.

3. Ignore: Leave the listener configured for interface "Data 2" (the listener will be
disabled until you add a new interface named "Data 2" or edit the listener's settings).


[1]>

Listener OutgoingMail deleted for mail3.example.com.

Interface Data 2 deleted.

Paired interfaces:

1. Pair 1:


Primary (Data 1) Active, Link is up

Backup (Data 2) Standby, Link is up

Choose the operation you want to perform:

- DELETE - Delete a pairing.

- STATUS - Refresh status.

[]>

Virtual Local Area Networks (VLANs)

You can configure multiple virtual local area networks (VLANs) on any physical network port on the email gateway.

You can use VLANs to:

  • Increase the number of networks the email gateway can connect to beyond the number of physical interfaces on the email gateway.
  • Allow more networks to be defined on separate “ports” on existing listeners.
  • Segment networks for security purposes, to ease administration, or increase bandwidth.

Example use case:

Two mail servers that are unable to communicate directly due to VLAN limitations can send mail through the email gateway. The Data 2 interface on the email gateway is configured with VLAN1 and VLAN2. The blue line shows mail coming from the sales network (VLAN1) to the appliance. The email gateway processes the mail as normal and then, upon delivery, tags the packets with the destination VLAN2 information (red line).

Using VLANs to Facilitate Communication Between Email Gateways

Figure 1. Using VLANs to Facilitate Communication Between Email Gateways

About Configuring VLANs

You can configure multiple VLANs on any physical network port on the email gateway, including “Data” and “Management” ports and the fiber optic data ports available on some email gateway models. AsyncOS supports up to 30 VLANs.

A physical port does not need an IP address configured in order to be in a VLAN. The physical port on which a VLAN is created can have an IP that will receive non-VLAN traffic, so you can have both VLAN and non-VLAN traffic on the same interface.

VLANs can be used with NIC pairing (available on paired NICs) and with Direct Server Return (DSR).

VLANs appear as dynamic “Data Ports” labeled in the format of: “VLAN DDDD” where the “DDDD” is the ID and is an integer up to 4 digits long (VLAN 2, or VLAN 4094 for example). VLAN IDs must be unique on your appli email gatewayance.

Related Topics

FTP, SSH, and SCP Access

Managing VLANs

You can create, edit and delete VLANs via the etherconfig command. Once created, a VLAN can be configured via the Network > Interfaces page or the interfaceconfig command in the CLI. Remember to commit all changes.

Creating a New VLAN via the etherconfig Command

In this example, two VLANs are created (named VLAN 31 and VLAN 34) on the Data 1 port: 

mail3.example.com> etherconfig


Choose the operation you want to perform:

- MEDIA - View and edit ethernet media settings.

- PAIRING - View and configure NIC Pairing.

- VLAN - View and configure VLANs.

- LOOPBACK - View and configure Loopback.

- MTU - View and configure MTU.

- MULTICAST - Accept or reject ARP replies with a multicast address.

[]> vlan

VLAN interfaces:

Choose the operation you want to perform:

- NEW - Create a new VLAN.

[]> new

VLAN ID for the interface (Ex: "34"):

[]> 34

Enter the name or number of the ethernet interface you wish bind to:

1. Data 1

2. Data 2

3. Management

[1]> 1


VLAN interfaces:

1. VLAN 34 (Data 1)

Choose the operation you want to perform:


- NEW - Create a new VLAN.

- EDIT - Edit a VLAN.

- DELETE - Delete a VLAN.

[]> new

VLAN ID for the interface (Ex: "34"):

[]> 31

Enter the name or number of the ethernet interface you wish bind to:

1. Data 1

2. Data 2

3. Management

[1]> 1

VLAN interfaces:

1. VLAN 31 (Data 1)

2. VLAN 34 (Data 1)

Choose the operation you want to perform:

- NEW - Create a new VLAN.

- EDIT - Edit a VLAN.

- DELETE - Delete a VLAN.

[]>

Choose the operation you want to perform:

- MEDIA - View and edit ethernet media settings.

- PAIRING - View and configure NIC Pairing.

- VLAN - View and configure VLANs.

- LOOPBACK - View and configure Loopback.

- MTU - View and configure MTU.

- MULTICAST - Accept or reject ARP replies with a multicast address.

[]>

Creating an IP Interface on a VLAN via the interfaceconfig Command

In this example, a new IP interface is created on the VLAN 31 ethernet interface.

Making changes to an interface may close your connection to the email gateway. 

mail3.example.com> interfaceconfig

Currently configured interfaces:

1. Data 1 (10.10.1.10/24: example.com)

2. Management (10.10.0.10/24: example.com)

Choose the operation you want to perform:

- NEW - Create a new interface.

- EDIT - Modify an interface.

- GROUPS - Define interface groups.

- DELETE - Remove an interface.

[]> new


Please enter a name for this IP interface (Ex: "InternalNet"):


[]> InternalVLAN31

Would you like to configure an IPv4 address for this interface (y/n)? [Y]>

IPv4 Address (Ex: 10.10.10.10):

[]> 10.10.31.10

Netmask (Ex: "255.255.255.0" or "0xffffff00"):

[255.255.255.0]>

Would you like to configure an IPv6 address for this interface (y/n)? [N]>

Ethernet interface:

1. Data 1

2. Data 2

3. Management

4. VLAN 31

5. VLAN 34

[1]> 4

Hostname:

[]> mail31.example.com

Do you want to enable SSH on this interface? [N]>

Do you want to enable FTP on this interface? [N]>

Do you want to enable HTTP on this interface? [N]>

Do you want to enable HTTPS on this interface? [N]>

Currently configured interfaces:

1. Data 1 (10.10.1.10/24: example.com)

2. InternalVLAN31 (10.10.31.10/24: mail31.example.com)

3. Management (10.10.0.10/24: example.com)

Choose the operation you want to perform:

- NEW - Create a new interface.

- EDIT - Modify an interface.

- GROUPS - Define interface groups.

- DELETE - Remove an interface.

[]>

Configuring VLANs Using the Web Interface

After a VLAN is created using the etherconfig command, you can configure it using the Network > Listeners page.

Direct Server Return

Direct Server Return (DSR) is a way of providing support for a light-weight load balancing mechanism to load balance between multiple email gateways sharing the same Virtual IP (VIP).

DSR is implemented via an IP interface created on the “loopback” ethernet interface on the email gateway.


Note

Configuring load balancing for email gateways is beyond the scope of this document

Enabling Direct Server Return

Enable DSR by enabling the “loopback” ethernet interface on each participating email gateway. Next, create an IP interface on the loopback interface with a virtual IP (VIP) via the interfaceconfig command in the CLI or via the Network > Interfaces page in the GUI. Finally, create a listener on the new IP interface via the listenerconfig command in the CLI or via the Network > Listeners page in the GUI. Remember to commit all changes.


Note

Using the loopback interface prevents the email gateway from issuing ARP replies for that specific interface

When enabling DSR, the following rules apply:

All systems use the same Virtual IP (VIP) address

All systems must be on the same switch and subnet as the load balancer
Figure 2. Using DSR to Load Balance Between Multiple Email Gatewayson a Switch

Using DSR to Load Balance Between Multiple Email Gateways on a Switch

Enabling the Loopback Interface via the etherconfig Command

Once enabled, the loopback interface is treated like any other interface (e.g. Data 1): 

mail3.example.com> etherconfig

Choose the operation you want to perform:

- MEDIA - View and edit ethernet media settings.

- PAIRING - View and configure NIC Pairing.

- VLAN - View and configure VLANs.

- LOOPBACK - View and configure Loopback.

- MTU - View and configure MTU.

- MULTICAST - Accept or reject ARP replies with a multicast address.


[]> loopback

Currently configured loopback interface:

Choose the operation you want to perform:


- ENABLE - Enable Loopback Interface.

[]> enable

Currently configured loopback interface:


1. Loopback

Choose the operation you want to perform:

- DISABLE - Disable Loopback Interface.

[]>

Choose the operation you want to perform:

- MEDIA - View and edit ethernet media settings.

- PAIRING - View and configure NIC Pairing.

- VLAN - View and configure VLANs.

- LOOPBACK - View and configure Loopback.

- MTU - View and configure MTU.

- MULTICAST - Accept or reject ARP replies with a multicast address.

[]>

Creating an IP Interface on Loopback via the interfaceconfig Command

Create an IP interface on the loopback interface: 

mail3.example.com> interfaceconfig

Currently configured interfaces:

1. Data 1 (10.10.1.10/24: example.com)

2. InternalV1 (10.10.31.10/24: mail31.example.com)

3. Management (10.10.0.10/24: example.com)

Choose the operation you want to perform:

- NEW - Create a new interface.

- EDIT - Modify an interface.

- GROUPS - Define interface groups.

- DELETE - Remove an interface.

[]> new

Please enter a name for this IP interface (Ex: "InternalNet"):

[]> LoopVIP

Would you like to configure an IPv4 address for this interface (y/n)? [Y]>

IPv4 Address (Ex: 10.10.10.10):

[]> 10.10.1.11

Netmask (Ex: "255.255.255.0" or "0xffffff00"):

[255.255.255.0]> 255.255.255.255

Would you like to configure an IPv6 address for this interface (y/n)? [N]>

Ethernet interface:

1. Data 1

2. Data 2

3. Loopback

4. Management

5. VLAN 31

6. VLAN 34

[1]> 3

Hostname:

[]> example.com

Do you want to enable SSH on this interface? [N]>


Do you want to enable FTP on this interface? [N]>


Do you want to enable HTTP on this interface? [N]>

Do you want to enable HTTPS on this interface? [N]>


Currently configured interfaces:

1. Data 1 (10.10.1.10/24: example.com)

2. InternalV1 (10.10.31.10/24: mail31.example.com)

3. LoopVIP (10.10.1.11/24: example.com)

4. Management (10.10.0.10/24: example.com)

Choose the operation you want to perform:

- NEW - Create a new interface.

- EDIT - Modify an interface.

- GROUPS - Define interface groups.

- DELETE - Remove an interface.

[]>

Creating a Listener on the New IP Interface

Create a listener on the new IP interface via the GUI or the CLI. For example, the following figure shows the newly created IP interface available in the Add Listener page in the GUI.

Figure 3. Creating a Listener on the New Loopback IP Interface


Ethernet Interface’s Maximum Transmission Unit

The maximum transmission unit (MTU) is the largest unit of data that an ethernet interface will accept. You can decrease the MTU for an ethernet interface using the etherconfig command. The default MTU size is 1500 bytes, which is the largest MTU that the ethernet interface can accept.

To edit an interface’s MTU: 

mail3.example.com> etherconfig

Choose the operation you want to perform:

- MEDIA - View and edit ethernet media settings.

- PAIRING - View and configure NIC Pairing.

- VLAN - View and configure VLANs.

- LOOPBACK - View and configure Loopback.

- MTU - View and configure MTU.

- MULTICAST - Accept or reject ARP replies with a multicast address.

[]> mtu

Ethernet interfaces:

1. Data 1 mtu 1400

2. Data 2 default mtu 1500

3. Management default mtu 1500

Choose the operation you want to perform:

- EDIT - Edit an ethernet interface.

[]> edit

Enter the name or number of the ethernet interface you wish to edit.

[]> 2

Please enter a non-default (1500) MTU value for the Data 2 interface.

[]> 1200

Ethernet interfaces:

1. Data 1 mtu 1400

2. Data 2 mtu 1200

3. Management default mtu 1500

Choose the operation you want to perform:

- EDIT - Edit an ethernet interface.

[]>

Accept or Reject ARP Replies with a Multicast Address

You can now specify whether to accept or reject ARP replies with a multicast address. Use the MULTICAST subcommand to configure this functionality.

The following example shows how to configure your email gateway to accept ARP replies with a multicast address: 


mail.example.com> etherconfig
Choose the operation you want to perform:
- MEDIA - View and edit ethernet media settings.
- VLAN - View and configure VLANs.
- LOOPBACK - View and configure Loopback.
- MTU - View and configure MTU.
- MULTICAST - Accept or reject ARP replies with a multicast address.
[]> multicast
ARP replies with a multicast address will be rejected.
Choose the operation you want to perform:
- ACCEPT - Accept ARP replies with a multicast address.
[]> accept
ARP replies with a multicast address will be accepted.