Strict enforcement of valid network configuration
After a firmware upgrade or a change to the network configuration, a network interface is operationally down and nonmanagement network traffic to all interfaces is blocked.
DataPower version 7.0.0 introduces enhanced validation of network configuration. Earlier versions of DataPower logged error messages for incorrect network definitions but did not force immediate correction of the errors. The 7.0.0 behavior is designed to prevent the accumulation of errors that might not cause immediate issues but, when uncorrected, might lead to undesirable behaviors and increased uncertainty during problem determination.
Invalid network configuration produces the following results:
- The incorrectly configured network interface (Ethernet, VLAN or link aggregation) is set operationally down.
- By default, nonmanagement traffic to all network interfaces is blocked. Only management traffic over Telnet, SSH, web management interfaces (WebGUI and Blueprint Console) and the XML management interface is permitted. Production traffic is blocked.
- The following error message is displayed in the WebGUI or CLI:
At least one network interface has an invalid configuration. Until corrected, nonmanagement traffic is blocked.
In the CLI, the error message is displayed when exiting a configuration mode. In the WebGUI, the error message appears in a red warning box on every window. Note, however, that the Blueprint Console does not support display of this error message.
Common examples of invalid network configuration include:
- A default gateway address that is not within the subnet defined for a primary or secondary IP address on the interface.
- An interface that is configured with a default IPv6 gateway but no primary or secondary IPv6 address.
- Definition of a network interface that is not physically present on the appliance. For example, if the default domain from a virtual appliance is imported to a physical appliance, eth0 is created in the configuration. Because eth0 is not defined as a valid interface on the physical appliance, the network configuration is marked invalid.
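The three failure cases above can be checked before a configuration is applied to an appliance. The following is an added example, not IBM's code or DataPower's own validator: it reimplements those checks with Python's ipaddress module against a constructed sample, and the interface names, field names and port list are assumptions rather than the appliance's real export format.

```python
"""Pre-flight check for the network configuration errors listed above.

Added example, not IBM code. An interface that fails any check would be
set operationally down on the appliance and, by default, cause
nonmanagement traffic to be blocked on every interface.
"""
import ipaddress

# Constructed sample; field names are assumptions, not DataPower's format.
SAMPLE_INTERFACES = [
    {"name": "eth10", "ip": ["10.1.2.5/24"], "gateway": "10.1.2.1"},    # valid
    {"name": "eth11", "ip": ["10.1.3.5/24"], "gateway": "10.1.9.1"},    # gateway outside subnet
    {"name": "eth12", "ip": ["10.1.4.5/24"], "gateway6": "fd00::1"},    # IPv6 gateway, no IPv6 address
    {"name": "eth0", "ip": ["192.0.2.10/24"], "gateway": "192.0.2.1"},  # not on this appliance
]
# Ports physically present on the (assumed) appliance.
PHYSICAL_PORTS = {"eth10", "eth11", "eth12", "eth13"}


def validate_interface(iface, physical_ports):
    """Return a list of error strings; an empty list means the interface is valid."""
    name = iface["name"]
    errors = []
    if name not in physical_ports:
        errors.append(f"{name}: interface is not physically present on this appliance")
    nets = [ipaddress.ip_interface(a).network for a in iface.get("ip", [])]
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    gw4 = iface.get("gateway")
    if gw4 and not any(ipaddress.ip_address(gw4) in n for n in v4):
        errors.append(f"{name}: default gateway {gw4} is not within any configured IPv4 subnet")
    gw6 = iface.get("gateway6")
    if gw6:
        if not v6:
            errors.append(f"{name}: default IPv6 gateway set but no primary or secondary IPv6 address")
        elif not any(ipaddress.ip_address(gw6) in n for n in v6):
            errors.append(f"{name}: default IPv6 gateway {gw6} is not within any configured IPv6 subnet")
    return errors


def validate_config(interfaces, physical_ports):
    """Map each interface name to its list of configuration errors."""
    return {i["name"]: validate_interface(i, physical_ports) for i in interfaces}


def nonmanagement_traffic_blocked(interfaces, physical_ports, block_traffic=True):
    """Model the 7.0.0 default: one invalid interface blocks nonmanagement traffic everywhere.

    block_traffic=False models the block-traffic off setting, where traffic is
    permitted on the correctly configured interfaces.
    """
    results = validate_config(interfaces, physical_ports)
    return block_traffic and any(results.values())


if __name__ == "__main__":
    for name, errs in validate_config(SAMPLE_INTERFACES, PHYSICAL_PORTS).items():
        print(name, "OK" if not errs else "; ".join(errs))
```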
Resolving the problem
Network configuration errors might be detected when upgrading firmware from releases earlier than version 7.0.0 or when making network configuration changes. Therefore, perform these changes when you have access to the appliance via the serial console or IPMI LAN channel and when no production traffic is running.
To permit the flow of nonmanagement traffic and to remove the warning message from the WebGUI windows, address the network configuration error. In the WebGUI, use the link from the error message to navigate to the network interface configuration that needs to be corrected. Examine the logs for specific configuration error messages. If errors exist on multiple network interfaces (Ethernet, VLAN or link aggregation interfaces), all errors must be corrected.
Changing the default behavior to not block nonmanagement traffic for invalid network configuration:
By default, nonmanagement traffic is blocked on all interfaces if at least one network interface has invalid configuration. To permit nonmanagement traffic on a best-effort basis despite invalid configuration, change the network settings:
- In the WebGUI, navigate to the Network Settings configuration and set Block nonmanagement traffic for invalid interface configuration to off.
- In the CLI, set the block-traffic attribute on the network object to off. For example:
top; config; network; block-traffic off; exit
Then save the configuration so that the setting persists across reboots.
When this option is turned off, nonmanagement traffic is permitted over network interfaces that are not incorrectly configured. The same error message is displayed in the WebGUI and in the CLI until the network configuration error is corrected.