| Home Prev |  cOS Stream 4.00.03 Administration Guide
|
Next |
|---|
Any interface, either physical or logical (for example, an IPsec tunnel or VLAN), has the property SecurityEquivalentInterfaces. By default, this has the value <empty> which means that both the incoming data and outgoing traffic for any data flow associated with the interface must be through that same interface, otherwise the traffic will be dropped by cOS Stream.
In some situations, however, it may be desirable that a flow's traffic leaves on one interface and arrives on a different interface. This might happen, for example, when using route failover or OSPF or with traffic to the Clavister NetShield Firewall coming from an external load-balancer. In these cases, the interfaces involved must have their SecurityEquivalentInterfaces property set to the other interfaces in the group which can be involved in a flow. All the interfaces in this group of interfaces are now said to be security/transport equivalent. Such a group must consist of at least 2 interfaces and could consist of several interfaces.
The following should be noted when using this feature:
Setting the SecurityEquivalentInterfaces interface property needs to be done only for a single interface in a group of interfaces since cOS Stream will automatically set the SecurityEquivalentInterfaces property for the other interfaces specified to the correct value.
To remove an interface from a group of security/transport equivalent interfaces, the SecurityEquivalentInterfaces interface property on just that one interface needs to be set to nothing. cOS Stream will then automatically update the other interfaces in the group so their SecurityEquivalentInterfaces property has that interface removed. If there were only two interfaces in the group to start with, both will no longer have their SecurityEquivalentInterfaces property set to a value.
Example 3.5. Setting the Security/Transport Equivalent Interface Property
Assume that the configuration has 3 Ethernet interfaces called if1, if2 and if3. All three are to be part of the same security/transport equivalent group.
Command-Line Interface
System:/> set Interface EthernetInterface if1
SecurityEquivalentInterfaces=if2,if3
Suppose now that the interface if1 is to be removed from this group. This is done by setting the same property to no value (<empty>):
System:/> set Interface EthernetInterface if1
SecurityEquivalentInterfaces=<empty>The interface if2 and if3 will still be part of the same security/transport equivalent group but now with only 2 members.
