Configure teamed NICs

Installing the Windows and Solaris Agents in a Teamed NICs Environment

"Teamed NICs" describes using multiple Ethernet adapters in parallel to increase data transfer speed or to provide redundancy. The following information provides guidance for configuring teamed NICs installations in Windows and Solaris so that they are compatible with the Deep Security Agent. If you encounter difficulties, please contact your support provider.

Windows

Windows NIC teaming software creates a new virtual master interface which adopts the MAC address of the first slave interface. By default, the Windows Agent will bind to all virtual and physical interfaces during installation. As a result, in a teamed NIC environment the Agent will bind to the physical interfaces as well as the virtual interface created by the teaming software. The Agent cannot function properly with multiple interfaces having the same MAC address. To function properly, the Agent must be bound only to the virtual interface created by the teaming software.

Using the Agent in a teamed NICs environment on Windows 2003 requires SP 2 or later.
Using the Agent in a teamed NICs environment on Windows 2000 is not supported.
The Agent's network driver is bound to the network interfaces only at install or upgrade time. After installation, it is not possible for the bindings to be automatically adjusted when you add or remove network interfaces to or from a Teamed NIC. Doing so can lead to network connectivity problems, or to the host system not being properly protected. After adding or removing a network interface in a teamed environment where the Agent's network driver is installed, you should verify that the driver is only bound to the virtual interface and not bound to any physical adapters.

Solaris

IPMP failover (active-standby) mode in Solaris allows two NICs to have the same hardware (MAC) address. Since the Deep Security Agent identifies adapters by their MAC address, such duplication prevents the Agent from functioning properly.

The solution is to manually assign unique MAC addresses to each adapter.

Sample ifconfig output:

# ifconfig -a
hme0: flags=1000843<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 2
inet 10.20.30.40 netmask 0
ether 8:0:20:f7:c3:f

hme1: flags=1000842<BROADCAST,RUNNING,MULTICAST,IPv4> mtu 1500 index 8
inet 0.0.0.0 netmask 0
ether 8:0:20:f7:c3:f

The "ether" line displays the adapter's MAC address. If any interfaces are showing identical MAC addresses and are connected to the same subnet, new unique MAC addresses must be set manually using the following ifconfig command:

# ifconfig <interface> ether <new MAC address>

Although the chance of a MAC address conflict is extremely small, you should verify that there isn't one by using the snoop command to search for the chosen MAC address. Then use the ping command to test connection to the broadcast address of the subnet.

On Solaris systems with multiple interfaces on the same subnet, the operating system may route packets through any of the interfaces. Because of this, any Firewall Stateful Configuration options or Intrusion Prevention Rules should be applied to all interfaces equally.