Appliance interface configuration

CLI Guide | TRITON Appliances | v8.3.x

Use the following command sets to configure the TRITON Appliance interface.

Display appliance interface configurations

Set appliance interface configurations

Interface bonding

Interface assignments

Interface ports

Support for IPv6

About appliance management interface (C)

About the Content Gateway proxy interfaces (P1, P2)

About the Network Agent interface (N)

About TRITON AP-EMAIL interfaces (E1, E2)

Display appliance interface configurations


Action and Syntax	Details
Display the current network interface configuration. show interface info [--module <app\|email\|proxy\|web\|network-agent>]	If the interface has been configured with an IP address, the output will include enabled/disabled status. Module: The appliance module. Example: (config)# show interface info --module email
Display the unused physical interfaces. show interface unused	Example: (view)# show interface unused

Set appliance interface configurations


	Warning If at all possible, do not change the C interface IP address. If you must change it, see the article Changing the C Interface IP Address.


Action and Syntax	Details
Enable or disable the specified interface. set interface status --interface <e2\|p2> <--disabled\|--enabled>	Interface: The interface to enable or disable. Example: (config)# set interface status --interface e2 --enabled
Configure appliance interface in IPv4 settings. set interface ipv4 --interface <c\|n\|p1\|p2\|e1\|e2> --ip <ipv4_address> --mask <ipv4_netmask> [--gateway <ipv4_address>]	Interface: The interface being configured. ip: IP address in IPv4 format. Mask: (required only if the IPv4 has not yet been set) Netmask in IPv4 format. Gateway: (optional) Gateway IPv4 address. Note: This command sets the gateway to the interface. Setting the interface parameter to P1 with an IP address in the gateway parameter will assign the gateway to P1 even if P2 is enabled. Example: (config)# set interface ipv4 --interface p1 --ip 10.206.6.195 --gateway 10.206.7.254
Delete appliance IPv4 settings. delete interface ipv4 --interface <n\|p1\|p2\|e1\|e2>	Interface: The interface being configured. Example: (config)# delete interface ipv4 --interface e1
Configure appliance interface in IPv6 settings. set interface ipv6 --interface <c\|n\|p1\|p2\|e1\|e2> [--status <enabled\|disabled>] [--ip <ipv6_address>] [--prefixlen <integer>] [--gateway <ipv6_address>]	Interface: The interface being configured. Status: Enable or disable IPv6. ip: IP address in IPv6 format. Prefixlen: IPv6 address prefix length. Must be an integer 1-128; typically 64. Gateway: Gateway IPv6 address. Example: (config)# set interface ipv6 --interface p1 --status enabled --ip 1234::4321:0:1234 --prefixlen 64 --gateway 1234::0
Delete appliance IPv6 settings. delete interface ipv6 --interface <n\|p1\|p2\|e1\|e2>	Interface: The interface being configured. Example: (config)# delete interface ipv6 --interface e1
Configure appliance DNS settings. set interface dns --dns1 <ipv4_address> [--dns2 <ipv4_address>] [--dns3 <ipv4_address>] [--module <email\|network-agent\|proxy>]	Module: (optional) The appliance module. If no option is entered, DNS for appliance will be configured. DNS1: The IP address of the primary domain name server. You can optionally also specify a second and third DNS server. Example: (config)# set interface dns --dns1 8.8.8.8 --dns2 8.8.4.4 --dns3 10.51.80.10 --module proxy
Delete appliance DNS settings. delete interface dns [--dns-server <dns2\|dns3>]	Module: The appliance module. dns-server: The server whose DNS settings are being deleted. You can only delete one server at a time. Example: (config)# delete interface dns --module proxy --dns-server dns2
Configure appliance VLAN settings. set interface vlan --interface <c\|p1\|p2> --vid <integer>	(X-Series appliances only) Interface: The interface being configured. vid: The VLAN ID to be set. Must be an integer 2-4094. In order for appliances to receive VLAN traffic, the A1 and A2 switches must be configured for VLAN support. See the Switch Configuration Guide for details. Example: (config)# set interface vlan --interface p1 --vid 260
Delete appliance VLAN settings. delete interface vlan --interface <c\|p1\|p2>	(X-Series appliances only) Interface: The interface being configured. Example: (config)# delete interface vlan --interface p1

Interface bonding

V10000 appliances can bond interfaces for failover or load balancing (sometimes referred to as balance-rr). Interface bonding is not supported on other appliances.


	Important Do not bond interfaces that have different speeds or duplex modes. Doing so can result in performance problems.

V10000 with TRITON AP-WEB

Interfaces E1 and E2 can be cabled to your network and then bonded through software settings to a Content Gateway interface, with E1 optionally bonded to P1, and E2 optionally bonded to P2. No other pairing is possible.

Interface bonding provides these alternatives:

Active/Standby mode: P1 (or P2) is active, and E1 (or E2) is in standby mode. Only if the primary interface fails would its bonded interface (E1 or E2) become active.

Load balancing: If the switch or router that is directly connected to the V10000 supports load balancing (etherchannel, trunk group, or similar), then traffic to and from the primary interface can be balanced between the primary interface and its bonded interface (E1 or E2).

You can choose to bond or not bond each Content Gateway interface independently. You do not have to bond at all.

If you do bond an interface, choose one mode for that bonding (either active/standby or load balancing). You do not have to choose the same bonding mode for both interfaces.

Ensure that all interfaces are cabled properly before bonding.

V10000 with TRITON AP-EMAIL only

Interfaces P1 and P2 can be cabled to your network and then bonded through software settings to a TRITON AP-EMAIL interface, with P1 optionally bonded to E1, and P2 optionally bonded to E2. No other pairing is possible.

Interface bonding provides these alternatives:

Active/Standby mode: E1 (or E2) is active, and P1 (or P2) is in standby mode. Only if the primary interface fails would its bonded interface (P1 or P2) become active.

You can choose to bond or not bond each TRITON AP-EMAIL interface independently. You do not have to bond at all.

If you do bond an interface, choose one mode for that bonding (either active/standby or load balancing). You do not have to choose the same bonding mode for both interfaces.

Ensure that all interfaces are cabled properly before bonding.

Action and Syntax

Details

Display the bonded interfaces.

show interface bond

(V10000 appliances only)

Example:

(view)# show interface bond

Bond the interfaces.

set interface bond
[--mode <active-standby|load-balancing>]

(V10000 appliances only)

V10000 appliances that run only one product can bond interfaces for failover or load balancing.

Note:

For more information about interface bonding, see the TRITON Appliances Getting Started Guide.

Selections are made using a sub-menu in the CLI; if unpopulated, there are no free interfaces.

Mode: (optional) In active-standby mode, interface P1 (or P2) is active, and E1 (or E2) is in stand-by mode. If the primary interface fails, E1 (or E2) becomes active.
In load balancing mode, traffic to and from the primary interface can be balanced between the primary and the bonded interfaces.
Mode defaults to active-standby.

Example:

(config)# set interface bond
--mode load-balancing

Remove interface bonding.

set interface unbond

(V10000 appliances only)

Selections are made using a sub-menu in the CLI.

Example:

(config)# set interface unbond

Interface assignments


Action and Syntax	Details
Display the interfaces assigned to a module. show interface assignment --module <proxy>	Module: The appliance module (proxy only). Example: (config)# show interface assignment --module proxy
Assigns unused interfaces to an application. set interface assignment --module <proxy> --interface <e1\|e2> --virt_interface <virtual interface> --span_output_interface <virtual or physical interface>	(V-Series only) Module: The appliance module (proxy only). Interface: The physical interface to assign. Virt_interface: The virtual interface to attach to the physical interface. Span_output_interface: The interface on which to output span traffic. Example: (config)# set interface assignment --module proxy --interface e1 --virt_interface aux1 --span_output_interface aux1
Delete interface assignments for a module. delete interface assignment --module <proxy> --interface <e1\|e2>	Module: The appliance module (proxy only). Interface: The physical interface to assign. Example: (config)# delete interface assignment --module proxy --interface e1

Interface ports


Action and Syntax	Details
Displays the status of the specified port on a virtual interface. show port --module <proxy\|web\|email\|network-agent>	Example: (config)# show port --module email
Opens or closes the specific port and each interface. set port --status <open\|close> --protocol <tcp\|udp> --port <port_num> --module <proxy\|web\|email\|network-agent>	Status: The status of the port. Protocol: Uses the TCP or UDP protocol to read and write data. Port: The port to open or close. Module: The appliance module. Example: (config)# set port --module email --port 25 --protocol tcp --status open
Displays the status of diagnostic ports for use by Tech Support for remote troubleshooting. show diagnostic_ports	Example: (view)# show diagnostic_ports
Sets the status of diagnostic ports for use by Tech Support for remote troubleshooting. set diagnostic_ports --status <on\|off>	Status: The status of the port. Example: (config)# set diagnostic_ports --status on

Support for IPv6

IPv6 support in TRITON AP-WEB and Web Filter & Security is disabled by default.


	Important After IPv6 support is enable, subsequent disablement requires a full restart of the appliance.

For all web protection solutions, IPv6 support includes:

Dual IP stack configuration for interfaces C and N

IPv6 traffic to the Internet or clients on interfaces C and N, including block pages sent on C or N

IPv6 static routes

SNMP traps and counters for IPv6 data

Network diagnostic tools in the Command Line Utility and Command Line Interface

For TRITON AP-WEB, IPv6 support also includes:

Dual IP stack implementation on interfaces P1 and P2

Traffic to the Internet or clients on interfaces P1 and P2, and their bonded interface (E1/E2), if configured

Limits and restrictions:

IPv6-only internal networks are not supported

IPv4 must be used to communicate among V-Series appliances and with TRITON components

In any field that accepts an IPv6 address, the address can be entered in any format that conforms with the standard. For example:

Leading zeros within a 16-bit value may be omitted.

One group of consecutive zeros may be replaced with a double colon.

About appliance management interface (C)

Communicates with all TRITON management interfaces

Communicates with the TRITON management server and TRITON AP-DATA (if used)

Provides inter-appliance communication

Optionally provides non-HTTP(S) protocol enforcement

Handles Master Database downloads via the Internet (unless you optionally configure P1 for database downloads).


	Important If at all possible, do not change the C interface IP address. If you must change the C interface IP address, see the article Changing the C Interface IP Address.

About the Content Gateway proxy interfaces (P1, P2)

Content Gateway interfaces P1 and P2 handle traffic directed to and from the Content Gateway proxy module.

Both the P1 and P2 can be used to accept users' Internet requests (inbound traffic) and communicate with web servers (outbound traffic). In other words, both interfaces can be configured to handle traffic into and out of the proxy.

Typically, P1 is used for both inbound and outbound traffic; P2 is not used.

Optionally, configure P1 to accept users' Internet requests (inbound only) and P2 to communicate with web servers (outbound).

The gateway is assigned using the command "set interface ipv4". Enabling the P2 interface does not automatically move the gateway to the interface.


	Important If you use the P2 interface, the P1 interface is bound to eth0, and the P2 interface is bound to eth1. Keep this in mind when you configure Content Gateway. For example, suppose you are using a transparent proxy deployment, and the P1 interface is connected to a WCCP router. In this case, you must configure Content Gateway to use eth0 for WCCP communications (in Content Gateway manager, see the General tab of the Configure > Networking > WCCP page).

The P1 and P2 interfaces can be in the same or different subnets.

If they are in the same subnet, P2 is the default gateway (which is bound to eth1). Ensure that outbound packets can reach the Internet.

When P1 and P2 are in different subnets, the gateway must be in the same subnet as the appliance interface used to send traffic to the Internet (typically P2). All traffic communicated between Content Gateway and origin servers should go through that interface (P2).

For traffic communicated between Content Gateway and clients, please note:

If the clients are in the same subnet as P1, then all traffic communicated between Content Gateway and clients should go through P1.

If the clients are not in the same subnet as P1, then client-to-Content Gateway traffic goes through P1, while Content Gateway-to-client traffic goes through P2, regardless of whether an explicit or transparent deployment is used.

Note, however, that you can set up static routes to send client traffic (on subnets not attached to P1) back through P1 (inbound traffic).

About the Network Agent interface (N)

Network Agent can be used to provide security for protocols other than HTTP and HTTPS. It also provides bandwidth optimization data and enhanced logging detail.

Network Agent continually monitors overall network usage, including bytes transferred over the network. The agent sends usage summaries to other TRITON components at predefined intervals.

Network Agent is typically configured to see both inbound and outbound traffic in your network. The agent distinguishes between:

Requests sent from internal machines to internal machines (hits to an intranet server, for example)

Requests sent from internal machines to external machines such as Web servers (user Internet requests, for example)

You choose whether blocking information for non-HTTP protocols is routed through interface C or interface N.

About TRITON AP-EMAIL interfaces (E1, E2)

TRITON AP-EMAIL interfaces handle bidirectional email protection traffic.

Note

The names of the interfaces vary depending on the model of appliance.

With V10000, E1 and E2 are used.

With X10G, V5000, and VMware virtual appliances, P1 and P2 are used.

Both the E1 and E2 interfaces (V10000) or P1 and P2 interfaces (other appliances) can be used to accept inbound traffic and send outbound traffic.

In many deployments, E1 (or P1) is used for both inbound and outbound traffic; E2 (or P2) is not used.

E1 (or P1) can be configured to accept inbound traffic and E2 (or P2) can be configured to send outbound traffic.


	Important On the V10000, if you use the E2 interface, the E1 interface is bound to eth0, and the E2 interface is bound to eth1. On other appliances, if you use the P2 interface, the P1 interface is bound to eth0, and the P2 interface is bound to eth1. Keep this in mind when you configure TRITON AP-EMAIL.

If you use both E1 (or P1) and E2 (or P2), and you locate them in the same subnet, then the default gateway is automatically assigned to E2 (which is bound to eth1). Ensure that outbound packets can reach the Internet.