6.2.2.16.2. high-availability

6.2.2.16.2.1. Introduction

The high-availability command of the advanced-configuration subgroup configures high availability between two GCaps (function added in version 2.5.3.105).

Operation:

Refer to the paragraph on Operation of high availability.

Type of network configuration:

  • link with 1 interface: mon0 is replaced by ha0
    The available capture interfaces are therefore mon1, mon2, etc.

  • link with 2 interfaces: mon0 and mon1 are replaced by ha0 and ha1.
    The available capture interfaces are therefore mon2, mon3, etc.

A GCap leader becomes a follower under the following conditions:

  • Loss of connection to the GCenter for 1 min

  • Loss of the detection engine for five minutes


6.2.2.16.2.2. Prerequisites

  • User: setup

  • Dependencies: the detection engine must be switched off


6.2.2.16.2.3. Command

set advanced-config high-availability [public-ip IPV6/MASK] [gateway GATEWAY|null] [peer-ip IPV6] [multicast-group IPV6] [shared-secret SECRET] [peer-pubkey KEY] [bonding-enabled|bonding-disabled]

set advanced-config high-availability [enable|disable] [confirm]

Explanation of the parameters:

  • bonding-enabled: enable card aggregation mon0 + mon1.

  • bonding-disabled: disable card aggregation mon0 + mon1.

  • enable: enable high availability.

  • disable: disable high availability.

  • gateway: IPv6 address of the gateway in case the GCaps are not in the same subnet.

  • multicast-group: IPv6 multicast address for communication between GCaps. Range FD00::/8. Ex: FF02::200.

  • peer-ip: IPv6 address of the neighbouring GCap among:

    • Link-local: if the GCaps are in the same subnet. Range FE80::/10. Ex: FE80::100/64.

    • Unique Local Address (ULA): If the GCaps are in different subnets. Range FD00::/7. Ex: FD00::100/64.

    • Global Unicast: If the GCaps need to communicate via the internet. Range 2001::/3. Ex: 2001::1/64.

  • peer-pubkey: Public key of the neighbouring GCap, obtained via the show advanced-configuration high-availability pubkey command.

  • public-ip: IPv6 address of the GCap among:

    • Link-local: if the GCaps are in the same subnet. Range FE80::/10. Ex: FE80::100/64.

    • Unique Local Address (ULA): If the GCaps are in different subnets. Range FD00::/7. Ex: FD00::100/64.

    • Global Unicast: If the GCaps need to communicate via the internet. Range 2001::/3. Ex: 2001::1/64.

  • shared-secret: secret of 16 bytes encoded in base64 that must be identical between the 2 GCaps.


6.2.2.16.2.4. Example of configuring high availability on the first GCap

  • Enter the following command.

    (gcap-cli) set advanced-configuration high-availability peer-ip fe80::XXX public-ip fe80::YYY multicast-group ff02::200 peer-pubkey 2wtmY/oCaoUGreyr2CROnKAIoEgTXkSOedXlXDvUfBU= shared-secret Xxf4fknh4KoOH2zgrI4Wyw==
    
  • Validate.
    The system displays the result.

    Updating HA configuration
    High availability configuration successfully updated
    

6.2.2.16.2.5. Example of configuring high availability on the second GCap

  • Enter the following command.

    (gcap-cli) set advanced-configuration high-availability peer-ip fe80::YYY public-ip fe80::XXX multicast-group ff02::200 peer-pubkey xehXnrigZ0IZZEvWbWri8XegNh0KaAQk8vC6mKj27Ug= shared-secret Xxf4fknh4KoOH2zgrI4Wyw==
    
  • Validate.
    The system displays the result.

    Updating HA configuration
    High availability configuration successfully updated
    

6.2.2.16.2.6. Example of enabling high availability on each GCap

  • Enter the following command.

    (gcap-cli) set advanced-configuration high-availability enable confirm
    
  • Validate.
    The system displays the result.

    Interfaces naming rules updated, reloading configuration
    Operation successful.
    High availability configuration successfully updated
    

6.2.2.16.2.7. Example of generating a shared secret with the following Python script

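import base64
import secrets

# 16 random bytes from the operating system's CSPRNG, base64-encoded for shared-secret
shared_secret = base64.b64encode(secrets.token_bytes(16)).decode("ascii")
print(shared_secret)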
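
The pre-flight check below is an added example, not part of the original documentation or of the GCap software: it verifies, before the two set commands are entered, that each shared-secret decodes to 16 bytes and is not the value printed in the examples above, and that the two parameter sets mirror each other as those examples do. The function names, the dictionary layout and the sample values are assumptions made for illustration; peer-pubkey is not checked.

```python
import base64
import ipaddress

# Secret printed in this page's examples: it is public, so never deploy it.
DOC_EXAMPLE_SECRET = "Xxf4fknh4KoOH2zgrI4Wyw=="
# Constructed sample pair: the addresses and the secret are made up.
SAMPLE_A = {"public-ip": "fe80::1/64", "peer-ip": "fe80::2",
            "multicast-group": "ff02::200", "shared-secret": "AAECAwQFBgcICQoLDA0ODw=="}
SAMPLE_B = {**SAMPLE_A, "public-ip": "fe80::2/64", "peer-ip": "fe80::1"}

def b64_len(value):
    """Decoded length of a strictly valid base64 string, or None if invalid."""
    try:
        return len(base64.b64decode(value, validate=True))
    except ValueError:  # binascii.Error is a subclass of ValueError
        return None

def ip(value):
    """Parse IPV6 or IPV6/MASK and return the bare address."""
    return ipaddress.IPv6Interface(value).ip

def check_side(name, cfg):
    """Check one GCap's parameters; return a list of problem strings."""
    problems = []
    if b64_len(cfg["shared-secret"]) != 16:
        problems.append(f"{name}: shared-secret must decode to 16 bytes")
    if cfg["shared-secret"] == DOC_EXAMPLE_SECRET:
        problems.append(f"{name}: shared-secret is the documentation example")
    try:
        for key in ("public-ip", "peer-ip"):
            ip(cfg[key])
        if not ip(cfg["multicast-group"]).is_multicast:  # assumes standard ff00::/8
            problems.append(f"{name}: multicast-group is not multicast")
    except ValueError as exc:
        problems.append(f"{name}: bad IPv6 value ({exc})")
    return problems

def check_pair(a, b):
    """Check both sides, then that they mirror each other as in the examples."""
    problems = check_side("A", a) + check_side("B", b)
    if problems:
        return problems
    if a["shared-secret"] != b["shared-secret"]:
        problems.append("shared-secret differs between the two GCaps")
    if ip(a["multicast-group"]) != ip(b["multicast-group"]):
        problems.append("multicast-group differs between the two GCaps")
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        if ip(x["peer-ip"]) != ip(y["public-ip"]):
            problems.append(f"{nx} peer-ip is not {ny} public-ip")
    return problems
```

check_pair(SAMPLE_A, SAMPLE_B) returns an empty list when the pair is consistent; each returned string names the parameter to correct before enabling high availability.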