In the latest release of the ISAM appliance (188.8.131.52 - March 2015) we made some fundamental changes to the network management of the appliance to try to improve flexibility, and also to remove some of the common traps that customers have been falling into when configuring their networking.
In the past we have maintained a clear separation between the network interfaces which are used for management of the appliance, and network interfaces which are used by applications (e.g. WebSEAL). The first two interfaces were reserved for management purposes, and the remaining interfaces were reserved for applications. This concept was mostly geared towards physical appliances which reside in the DMZ, where you want to isolate the management of the appliance, ensuring that it is not accessible from the outside world.
This approach has proven to be a little bit inflexible, especially if the appliance is virtual, in a private or public cloud.
In the 184.108.40.206 release we removed some of these restrictions. The appliance can now be configured with one or more interfaces, you can assign one or more addresses per interface, and each address is assigned a role (either management or application). So, we still maintain a separation between management and application functionality, but this separation is now at the address level instead of the interface level.
The following screen shot highlights the new menu items used to manage the networking:
Each menu item corresponds to a separate tab on the 'Network Configuration' panel:
The screen shot shown above indicates that I have a single interface defined in my virtual appliance (I can add further network devices to my virtual machine definition, reboot the appliance, and it will automatically detect the new interfaces). It also shows that I have two addresses defined on this interface, a management and an application address. The bottom part of the screen shows the 'live' address information, useful if you are using DHCP or need to know the MAC address of an interface.
If you are looking to upgrade your firmware from a version prior to 220.127.116.11 the migration of your network configuration is automated, with the following interface mapping:
This new flexibility has given us the opportunity to 'correct' one of the largest traps that customers fall into when configuring their networking. We no longer allow a single subnet to span multiple interfaces. Having a single subnet which spans multiple interfaces is a big no-no in general networking terms, and this is in no way specific to the ISAM appliance. If you google this concept you will see that it is universally discouraged.
Let me try to explain the problem which is introduced by spanning a single subnet over multiple interfaces. At the lowest networking layer each interface is identified by a MAC address. When a machine (for example, a router) wants to send a packet to another machine on the local subnet it must first obtain the MAC address for the destination machine (it uses the Address Resolution Protocol for this purpose). If you have configured a single subnet which spans multiple interfaces you are in the situation where the response to a packet will not necessarily originate from the interface to which the packet was sent. The routing logic within the operating system will not ensure that the request and response are sent over the same interface, but will simply use the routing table to determine which interface will be used when sending the response. If you have a single subnet which spans multiple interfaces the operating system will have multiple routes that can be used to send a packet to that subnet. This means that the originating machine will sometimes receive the response packet from an interface with a different MAC address. Most routers will interpret this as a spoofing attack and will subsequently discard the packet, giving the impression that there is a connectivity problem in the network.
For the same reason, we do allow multiple IP addresses within the same subnet if they all reside on the same interface (i.e. the same interface will always be used for the request/response, which means that the MAC address will also be the same, thus avoiding the problem mentioned above). If you want to continue using multiple IP addresses on the same subnet you can do so, but will simply need to ensure that each of the IP addresses is configured on the same interface.
So, in the latest version of the appliance you will receive an error if you attempt to configure a subnet which spans multiple interfaces. If you are migrating from an earlier version of the appliance we will honor the existing configuration, even if it does break this rule. However, any future changes to the network configuration will adhere to this rule.
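To make the rule and the problem behind it concrete, here is an added example (my own illustration, not code from the appliance) that checks a constructed interface/address configuration for a subnet spanning more than one interface, and shows how a plain routing-table lookup can send the reply out a different interface (and therefore a different MAC address) than the one the request arrived on. Interface names, addresses and the `{interface: [(cidr, role)]}` layout are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample configurations (not from the post): {interface: [(cidr, role), ...]}
GOOD_CONFIG = {
    "eth0": [("192.0.2.10/24", "management"), ("192.0.2.11/24", "application")],
    "eth1": [("198.51.100.10/24", "application")],
}
BAD_CONFIG = {
    "eth0": [("192.0.2.10/24", "management")],
    "eth1": [("192.0.2.11/24", "application")],  # same /24 as eth0: the trap
}

def subnets_spanning_interfaces(config):
    """Map each subnet that appears on more than one interface to those interfaces."""
    seen = defaultdict(set)
    for iface, addrs in config.items():
        for cidr, _role in addrs:
            seen[ipaddress.ip_interface(cidr).network].add(iface)
    return {str(net): sorted(ifs) for net, ifs in seen.items() if len(ifs) > 1}

def validate(config):
    """Apply the appliance's new rule: reject any subnet that spans interfaces.
    Multiple addresses in one subnet on the same interface are still allowed."""
    bad = subnets_spanning_interfaces(config)
    if bad:
        detail = "; ".join(f"{net} on {', '.join(ifs)}" for net, ifs in sorted(bad.items()))
        raise ValueError("subnet spans multiple interfaces: " + detail)
    return True

def reply_interface(config, peer_ip):
    """Pick the egress interface for a reply the way a plain routing table does:
    the first connected route whose subnet contains the peer, regardless of
    which interface the request arrived on (dict order stands in for route order)."""
    peer = ipaddress.ip_address(peer_ip)
    for iface, addrs in config.items():
        for cidr, _role in addrs:
            if peer in ipaddress.ip_interface(cidr).network:
                return iface
    return None

def reply_is_asymmetric(config, arrival_iface, peer_ip):
    """True when the reply leaves a different interface (hence a different MAC)
    than the one the request came in on: what the router sees as spoofing."""
    return reply_interface(config, peer_ip) != arrival_iface
```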