How To
Summary
A crossover (also known as back to back) is a connection between two QRadar appliances that enhances latency measurements and bandwidth on High Availability (HA) deployments. The main purpose of a crossover is to offload some traffic from the management interface.
Objective
- Single interface crossover.
- Bonded interfaces crossover.
- "Temporary" interface crossover.
Environment
Steps
The administrators are advised to read the QRadar HA documentation to familiarize themselves with these deployments before running the steps in this technote.
Also, the administrators must verify whether a crossover configuration exists on their systems. To do so, the following command can be used:
/opt/qradar/ha/bin/qradar_nettune.pl crossover status
Note: The crossover configuration can be configured on virtual machines and must meet the same requisites as the physical appliances explained in this technote.
Crossover configuration prerequisites
To configure a crossover, the following prerequisites must be met:
- The intended interface must be the same on both HA peers.
- The interface rate must be the same on both HA peers.
- The MTU configured must be the same on both HA peers.
To list the interfaces and the MTU, run the ip link command:
# ip link
-- Output snipped ---
3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP mode DEFAULT group default qlen 1000
link/ether 8c:16:45:b3:ee:ca brd ff:ff:ff:ff:ff:ff
4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc prio state DOWN mode DEFAULT group default qlen 1000
link/ether 8c:16:45:b3:ee:cb brd ff:ff:ff:ff:ff:ff
-- Output snipped ---
6: ens4f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc prio state DOWN mode DEFAULT group default qlen 1000
link/ether f8:f2:1e:12:07:bc brd ff:ff:ff:ff:ff:ff
-- Output snipped ---
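The prerequisite comparison above can be scripted. The following is an added example, not IBM code: it reads `ip link` and `ethtool <interface>` output saved from each HA peer and fails when the interface is missing on a peer or when the MTU or speed differ. The function names, file names, and sample captures are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not IBM code. Sample outputs below are constructed.

# Print the MTU of interface $1, reading `ip link` output on stdin.
link_mtu() {
  awk -v ifc="$1" '$2 == (ifc ":") {
    for (i = 3; i < NF; i++) if ($i == "mtu") { print $(i + 1); exit } }'
}

# Print the negotiated speed, reading `ethtool <iface>` output on stdin.
link_speed() { awk -F': *' '/^[ \t]*Speed:/ { print $2; exit }'; }

# Args: iface, peer A `ip link` file, peer A `ethtool` file, then peer B's two files.
# Returns 0 only if the interface exists on both peers with equal MTU and speed.
check_crossover_prereqs() {
  ifc=$1; rc=0
  a_mtu=$(link_mtu "$ifc" < "$2"); a_spd=$(link_speed < "$3")
  b_mtu=$(link_mtu "$ifc" < "$4"); b_spd=$(link_speed < "$5")
  if [ -z "$a_mtu" ] || [ -z "$b_mtu" ]; then
    echo "FAIL: $ifc not found on both peers"; return 1
  fi
  if [ "$a_mtu" != "$b_mtu" ]; then echo "FAIL: MTU $a_mtu vs $b_mtu"; rc=1; fi
  # Anything other than "<n>Mb/s" means that peer has not negotiated a link.
  if ! echo "$a_spd" | grep -Eq '^[0-9]+Mb/s$' || [ "$a_spd" != "$b_spd" ]; then
    echo "FAIL: speed '$a_spd' vs '$b_spd'"; rc=1
  fi
  if [ "$rc" -eq 0 ]; then echo "OK: $ifc mtu=$a_mtu speed=$a_spd"; fi
  return "$rc"
}

# Constructed captures: peer B was left at MTU 9000, peer C lacks the interface.
tmp=$(mktemp -d)
printf '%s\n' '6: ens4f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP mode DEFAULT group default qlen 1000' \
  '    link/ether 02:00:00:00:00:0a brd ff:ff:ff:ff:ff:ff' > "$tmp/a.link"
sed 's/mtu 1500/mtu 9000/' "$tmp/a.link" > "$tmp/b.link"
sed 's/ens4f0/eno3/' "$tmp/a.link" > "$tmp/c.link"
printf 'Settings for ens4f0:\n\tSpeed: 10000Mb/s\n\tPort: Fiber\n\tLink detected: yes\n' > "$tmp/x.eth"

check_crossover_prereqs ens4f0 "$tmp/a.link" "$tmp/x.eth" "$tmp/a.link" "$tmp/x.eth"
check_crossover_prereqs ens4f0 "$tmp/a.link" "$tmp/x.eth" "$tmp/b.link" "$tmp/x.eth" ||
  echo "resolve the mismatch before enabling crossover"
```

In practice, replace the constructed files with output captured on each peer once the link is up, since the speed is only reported after negotiation.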
Crossover physical connection
Note: The following steps use eno2, eno3 (both 1GigabitEthernet), and ens4f0 (10GigabitEthernet) as examples. The administrator must change the commands according to each environment.
- Connect the cable between both QRadar appliances.
Note: Administrators must check the documentation of the appliance model purchased to identify the slots and the list of compatible SFPs. Third-party hardware (not provided by IBM) must meet the same requisites.
For QRadar M6 Appliances. See QRadar M6 appliance overview.
For QRadar M5 Appliances. See QRadar M5 appliance overview.
For QRadar M4 Appliances. See QRadar M4 appliance overview.
- When using copper interfaces (1 GigabitEthernet), use UTP or STP patch cords (Cat6 or newer).
- When using fiber interfaces:
- Plug the transceiver shipped with the appliances. These SFPs are SR (short range) 10Gbps Ethernet or another pair that is compatible with QRadar appliances.
- Connect a fiber patch cord compatible with both SFPs. For example, when using single-mode, use single-mode fiber and single-mode SFP.
- Verify both interfaces are up on both servers.
- Enable the interfaces on both servers.
ip link set ens4f0 up
- Run the ethtool command:
# ethtool ens4f0 | grep -E 'Settings for|Speed|Port|Link detected:'
Settings for ens4f0:
Speed: 10000Mb/s
Port: Fiber
Link detected: yes
- Optional. When interfaces do not report a link.
- When using copper interfaces, it is likely the cable is not correctly plugged in or has a faulty connector. The administrator must check that a certified Cat 6 or newer is connected to the interface.
- When using fiber interfaces:
- Verify that the SFP module reports values with the ethtool command.
# ethtool -m ens4f0
- Verify that an unsupported SFP transceiver was not plugged in.
# dmesg | grep -iE 'sfp|ixgbe|unsupported|<interface name>'
Example of an unsupported SFP message:
<hostname> kernel: ixgbe 0000:0f:00.0: failed to load because an unsupported SFP+ module type was detected.
Accessing the QRadar HA Wizard
- On the navigation menu, click Admin.
- Click System and License Management.
- Select the host for which you want to configure HA.
- When adding HA for the first time: From the Actions menu, select Add HA Host and click OK.
- When enabling crossover on an existing HA Cluster: From the High Availability menu, select Edit HA Host and click OK.
- Read the introductory text.
- Click Next.
Configuring bonded interface crossover
Note: For a faster Disk Synchronization Rate, a single 10GE interface is preferred over a single 1GE interface or two bonded 1GE interfaces.
- Select the Configure Crossover Cable check box.
- Select the interface to be used. In this example, ens4f0 (10GE).
- Optional. When a different subnet for the crossover or MTU value is wanted by the administrator.
- Optional. Increase the Disk Synchronization Rate. The administrators can use the following values as reference:
- For 1GE interfaces, use 100 MB/s.
- For 10GE interfaces, use 300 – 500 MB/s.
- Click Next, then Finish.
Result
The crossover configuration is enabled and the synchronization for Distributed Replication Block Device and heartbeat between the peers occurs over the crossover interface. The administrators can verify the connection with the command:
# /opt/qradar/ha/bin/qradar_nettune.pl crossover status
Crossover status: configured/running
Role: primary
Admin status: enabled
Operative status: running
Interface: ens4f0
Interface status: UP
Interface MTU: 1500
Firewall status: enabled
Routing status: enabled
Configuring "temporary" interface crossover for data transfer
This implementation can be used for a hardware refresh or a data migration between two QRadar appliances. This configuration is temporary and does not persist across reboots.
See QRadar SIEM Hardware Migration Scenarios.
- Configure a private IP that is not configured on either of the appliances.
Note: The following IP addresses are only meant to illustrate the example scenarios. All of them are considered "Private IP addresses" by RFC 1918.
- Run on the "old" appliance:
# ip addr add 10.11.12.1/24 dev ens4f0
- Run on the "new" appliance:
# ip addr add 10.11.12.2/24 dev ens4f0
- Verify that a connection can be established from the "old" to the "new" appliance by using the previous IP addresses.
- Run on the "old" appliance:
# ssh 10.11.12.2
- Use the syncAriel.sh script to transfer the data between both appliances. For more on the syncAriel.sh script, see: QRadar: Replacing a Console appliance in a deployment using a new IP address or hostname
Result
The crossover configuration is enabled and the data transfer can happen over an exclusive interface.
Related Information
Document Location
Worldwide
Document Information
Modified date:
22 September 2021
UID
ibm16486759