IBM Support

QRadar: How to configure a crossover interface

How To


Summary

A crossover (also known as a back-to-back connection) is a direct connection between two QRadar appliances that improves latency and bandwidth on High Availability (HA) deployments. The main purpose of a crossover is to offload some traffic from the management interface.

Objective

Configure a crossover with different implementations and understand their pros and cons:
  1. Single interface crossover.
  2. Bonded interfaces crossover.
  3. "Temporary" interface crossover.

Environment

QRadar deployments with HA or migration scenarios.

Steps

The administrators are advised to read the QRadar HA documentation to familiarize themselves with these deployments before running the steps in this technote.

  1. HA Overview. 
  2. QRadar High Availability Guide.

Also, the administrators must verify whether a crossover configuration exists on their systems. To do so, the following command can be used:

/opt/qradar/ha/bin/qradar_nettune.pl crossover status

Note: The crossover configuration can be configured on virtual machines and must meet the same requisites as the physical appliances explained in this technote.

Crossover configuration prerequisites

To configure a crossover, the following prerequisites must be met:

  1. The intended interface must be the same on both HA peers.
  2. The interface rate must be the same on both HA peers.
  3. The MTU configured must be the same on both HA peers.

To list the interfaces and their MTU, run the ip link command:

# ip link

-- Output snipped ---

3: eno2: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP mode DEFAULT group default qlen 1000
    link/ether 8c:16:45:b3:ee:ca brd ff:ff:ff:ff:ff:ff

4: eno3: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc prio state DOWN mode DEFAULT group default qlen 1000
    link/ether 8c:16:45:b3:ee:cb brd ff:ff:ff:ff:ff:ff

-- Output snipped ---

6: ens4f0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc prio state DOWN mode DEFAULT group default qlen 1000
    link/ether f8:f2:1e:12:07:bc brd ff:ff:ff:ff:ff:ff

-- Output snipped ---
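The three prerequisites can be checked by comparing the `ip link` and `ethtool` output captured on each peer. The following script is an added example, not part of the original technote or IBM tooling; the function names and the sample captures (including the MAC addresses and the MTU of 9000 on the secondary) are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample captures (not from a real deployment): `ip link` and
# `ethtool <if>` output as saved on each HA peer.
PRIMARY_LINK='6: ens4f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc prio state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff'
SECONDARY_LINK='6: ens4f0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9000 qdisc prio state UP mode DEFAULT group default qlen 1000
    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff'
PRIMARY_ETH='Settings for ens4f0:
        Speed: 10000Mb/s
        Port: Fiber
        Link detected: yes'
SECONDARY_ETH=$PRIMARY_ETH

# link_field TEXT IFACE KEY: value following KEY ("mtu", "state") on IFACE's line.
link_field() {
    printf '%s\n' "$1" | awk -v ifc="$2:" -v key="$3" \
        '$2 == ifc { for (i = 3; i < NF; i++) if ($i == key) { print $(i + 1); exit } }'
}

# eth_field TEXT LABEL: value after "LABEL:" in ethtool output.
eth_field() {
    printf '%s\n' "$1" | awk -F': *' -v label="$2" \
        '{ sub(/^[ \t]+/, "", $1) } $1 == label { print $2; exit }'
}

# compare_peers IFACE P_LINK P_ETH S_LINK S_ETH
# Prints one line per unmet prerequisite; returns 0 only when all are met.
compare_peers() {
    rc=0
    p_mtu=$(link_field "$2" "$1" mtu); s_mtu=$(link_field "$4" "$1" mtu)
    if [ -z "$p_mtu" ] || [ -z "$s_mtu" ]; then
        echo "INTERFACE: $1 not present on both peers"; return 1
    fi
    [ "$p_mtu" = "$s_mtu" ] || { echo "MTU: primary=$p_mtu secondary=$s_mtu"; rc=1; }
    p_spd=$(eth_field "$3" Speed); s_spd=$(eth_field "$5" Speed)
    [ "$p_spd" = "$s_spd" ] || { echo "SPEED: primary=$p_spd secondary=$s_spd"; rc=1; }
    [ "$(eth_field "$3" "Link detected")" = yes ] || { echo "LINK: no link on primary"; rc=1; }
    [ "$(eth_field "$5" "Link detected")" = yes ] || { echo "LINK: no link on secondary"; rc=1; }
    return $rc
}

# Demo on the constructed captures: reports the MTU mismatch.
compare_peers ens4f0 "$PRIMARY_LINK" "$PRIMARY_ETH" "$SECONDARY_LINK" "$SECONDARY_ETH" ||
    echo "prerequisites not met"
```

On real appliances, replace the sample variables with the output of `ip link` and `ethtool ens4f0` collected from each peer. The link check only passes after the cable is connected as described in the next section.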


 

Crossover physical connection

Note: The following steps use eno2, eno3 (both 1GigabitEthernet), and ens4f0 (10GigabitEthernet) as examples. The administrator must change the commands according to each environment.

  1. Connect the cable between both QRadar appliances.
    Note: Administrators must check the documentation of the appliance model purchased to identify the slots and the list of compatible SFPs. Third-party hardware (not provided by IBM) must meet the same requisites.
     
    For QRadar M6 appliances, see QRadar M6 appliance overview.
    For QRadar M5 appliances, see QRadar M5 appliance overview.
    For QRadar M4 appliances, see QRadar M4 appliance overview.

    1. When using copper interfaces (1 GigabitEthernet), use UTP or STP patch cords (Cat6 or newer).
    2. When using fiber interfaces:
      1. Plug the transceiver shipped with the appliances. These SFPs are SR (short range) 10Gbps Ethernet or another pair that is compatible with QRadar appliances.
      2. Connect a fiber patch cord compatible with both SFPs. For example, when using single-mode, use single-mode fiber and single-mode SFP.
  2. Verify both interfaces are up on both servers.
    1. Enable the interfaces on both servers.
      ip link set ens4f0 up
    2. Run the ethtool command:
      # ethtool ens4f0 | grep -E 'Settings for|Speed|Port|Link detected:'
      
      Settings for ens4f0:
              Speed: 10000Mb/s
              Port: Fiber
              Link detected: yes
      
  3. Optional. When interfaces do not report a link.
    1. When using copper interfaces, it is likely the cable is not correctly plugged in or has a faulty connector. The administrator must check that a certified Cat 6 or newer is connected to the interface.
    2. When using fiber interfaces:
      1. Verify that the SFP module reports values with the ethtool command.
        # ethtool -m ens4f0
        
      2. Verify that an unsupported SFP transceiver was not plugged in.
        # dmesg | grep -iE 'sfp|ixgbe|unsupported|<interface name>'
        

        Example of an unsupported SFP message:
        <hostname> kernel: ixgbe 0000:0f:00.0: failed to load because an unsupported SFP+ module type was detected.
        

Accessing the QRadar HA Wizard

The crossover interface is configured through the QRadar HA Wizard. To access this menu, the administrators must follow these steps:
 
  1. On the navigation menu, click Admin.
  2. Click System and License Management.
  3. Select the host for which you want to configure HA.
    1. When adding HA for the first time: From the Actions menu, select Add HA Host and click OK.
    2. When enabling crossover on an existing HA Cluster: From the High Availability menu, select Edit HA Host and click OK.
  4. Read the introductory text.
  5. Click Next.

Configuring bonded interface crossover

Note: For a faster Disk Synchronization Rate, a single 10GE interface is preferred over a single 1GE interface or two bonded 1GE interfaces.

  1. Select the Configure Crossover Cable check box.
  2. Select the interface to be used. In this example, ens4f0 (10GE).
  3. Optional. When a different subnet for the crossover or MTU value is wanted by the administrator.
  4. Optional. Increase the Disk Synchronization Rate. The administrators can use the following values as reference:
    1. For 1GE interfaces, use 100 MB/s.
    2. For 10GE interfaces, use 300 – 500 MB/s.
  5. Click Next, then Finish.
    Figure1

Result

The crossover configuration is enabled, and the synchronization for Distributed Replicated Block Device (DRBD) and the heartbeat between the peers occur over the crossover interface. The administrators can verify the connection with the command:

# /opt/qradar/ha/bin/qradar_nettune.pl crossover status

Crossover status: configured/running
        Role: primary
        Admin status: enabled
        Operative status: running
        Interface: ens4f0
        Interface status: UP
        Interface MTU: 1500
        Firewall status: enabled
        Routing status: enabled
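For monitoring, the status output can be turned into a pass/fail check. The following script is an added example, not part of the original technote or IBM tooling: the function name is hypothetical, the healthy values are taken from the sample output above, and the degraded sample (Interface status: DOWN) is constructed.

```shell
#!/bin/sh
# Constructed sample: status output in the format shown in the technote, with
# the interface reported DOWN (an assumed value, used only to show a failure).
STATUS_DEGRADED='Crossover status: configured/running
        Role: primary
        Admin status: enabled
        Operative status: running
        Interface: ens4f0
        Interface status: DOWN
        Interface MTU: 1500
        Firewall status: enabled
        Routing status: enabled'

# check_crossover TEXT IFACE MTU
# Compares each field with the healthy values from the technote's sample output.
# Prints one line per deviation; the return code is the number of deviations.
# A missing field (for example, empty output) counts as a deviation.
check_crossover() {
    printf '%s\n' "$1" | awk -F': *' -v ifc="$2" -v mtu="$3" '
        BEGIN {
            want["Crossover status"] = "configured/running"
            want["Admin status"] = "enabled"; want["Operative status"] = "running"
            want["Interface"] = ifc; want["Interface status"] = "UP"
            want["Interface MTU"] = mtu
            want["Firewall status"] = "enabled"; want["Routing status"] = "enabled"
        }
        { sub(/^[ \t]+/, "", $1); seen[$1] = $2 }
        END {
            for (k in want) if (seen[k] != want[k]) {
                printf "%s: got \"%s\", want \"%s\"\n", k, seen[k], want[k]; bad++
            }
            exit bad + 0
        }'
}

# Demo on the constructed sample: reports the interface as down.
check_crossover "$STATUS_DEGRADED" ens4f0 1500 || echo "crossover needs attention"
```

On an appliance, pass the live output instead of the sample: `check_crossover "$(/opt/qradar/ha/bin/qradar_nettune.pl crossover status)" ens4f0 1500`.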

Configuring "temporary" interface crossover for data transfer

This implementation can be used when a hardware refresh must be done or simply a data migration between two QRadar appliances. This configuration is temporary and does not persist across reboots.

See QRadar SIEM Hardware Migration Scenarios.

  1. Configure a private IP that is not configured on either of the appliances.
    Note: The following IP addresses are only meant to illustrate the example scenarios. All of them are considered "Private IP addresses" by RFC 1918.
    1. Run on the "old" appliance:
      # ip addr add 10.11.12.1/24 dev ens4f0
    2. Run on the "new" appliance:
      # ip addr add 10.11.12.2/24 dev ens4f0
  2. Verify that a connection by using the previous IP addresses can be established from the "old" to the "new" appliance.
    1. Run on the "old" appliance:
      # ssh 10.11.12.2
  3. Use the syncAriel.sh script to transfer the data between both appliances. For more on the syncAriel.sh script, see: QRadar: Replacing a Console appliance in a deployment using a new IP address or hostname.


Result

The crossover configuration is enabled and the data transfer can happen over an exclusive interface.

Document Location

Worldwide


Document Information

Modified date:
22 September 2021

UID

ibm16486759