How to change the Server ID / MAC address persistently on an RSA Security Analytics server appliance
Issue
On a physical appliance the virtual bridge eth9 should be mapped to the em3 interface by default. In some cases this bridge is left unmapped after a reimage or a NIC replacement, or we need to avoid duplicate license ID conflicts; in those cases we must force the mapping manually and persistently.
Tasks
SSH to the SA server and issue the command below:
brctl show
Observe your output and compare it with the ones below:
bridge name bridge id STP enabled interfaces
eth9 8000.c81f66dc55a4 no em3
eth9 8000.c81f66dc55a4 no
In the first case eth9 is using em3 as a slave interface for the bridge; in the second, eth9 is completely unmapped.
Run the following command to investigate the NICs configured on the system, and compare the result with the output below:
ip addr
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
link/ether c8:1f:66:xx:xx:a1 brd ff:ff:ff:ff:ff:ff
inet 10.xx.xx.xx/xx brd 10.xx.xx.xx scope global em1
inet6 fe80::xxxx:66ff:xxxx:55a1/64 scope link
valid_lft forever preferred_lft forever
3: em2: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether c8:1f:66:xx:xx:a2 brd ff:ff:ff:ff:ff:ff
4: em3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
link/ether c8:1f:66:xx:xx:a3 brd ff:ff:ff:ff:ff:ff
5: em4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
link/ether c8:1f:66:xx:xx:a4 brd ff:ff:ff:ff:ff:ff
6: eth9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether c8:1f:66:xx:xx:a3 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ca1f:66ff:xxxx:xxa3/64 scope link
valid_lft forever preferred_lft forever
In this configuration em3 is mapped to eth9, and both interfaces show the same MAC address, ending in :a3.
We can confirm by running brctl show:
#brctl show
bridge name bridge id STP enabled interfaces
eth9 8000.c81f66dc55a4 no em3
Notice also that em1 is configured with an IP address; in fact, it is the management interface we are using to connect to the appliance over SSH!
Make sure not to map eth9 to any em* interface configured for management, otherwise you will lose connectivity!
Resolution
In order to map a different interface to eth9 (in our case we will use em4), we need to remove the previous interface (em3) from the bridge and then add the new one:
brctl delif eth9 em3
brctl addif eth9 em4
If we run brctl show and ip addr, we can confirm that the configuration has been applied successfully:
brctl show
bridge name bridge id STP enabled interfaces
eth9 8000.c81f66dc55a4 no em4
#ip addr
5: em4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
link/ether c8:1f:66:xx:xx:a4 brd ff:ff:ff:ff:ff:ff
6: eth9: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UNKNOWN
link/ether c8:1f:66:xx:xx:a4 brd ff:ff:ff:ff:ff:ff
inet6 fe80::ca1f:66ff:xxxx:xxa3/64 scope link
valid_lft forever preferred_lft forever
Now if we browse to Administration --> System --> Info in the SA UI, we should see that the Server ID has changed to a new one ending in :a4.
In order to apply this configuration persistently at every boot we need to modify the fneserver init script.
We can achieve this by running the sed command:
sed -i 's/em3/em4/g' /etc/init.d/fneserver
If we reboot the machine, we can confirm that the Server ID and the MAC address both stay on the same value ending in :a4.
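The checks this procedure depends on, written as an added example (not part of the original article or of RSA's tooling): find the current eth9 member, refuse a candidate interface that carries an IP address (the management NIC), and preview what the global sed substitution would rewrite before it is applied. The function names and the sample data are assumptions made for the example.

```bash
#!/bin/sh
# Added example: pre-flight checks before remapping eth9. Sample data is constructed.

# Constructed `brctl show` output (bridge id as shown in the article).
SAMPLE_BRCTL='bridge name bridge id STP enabled interfaces
eth9 8000.c81f66dc55a4 no em3'

# Constructed `ip addr` output; the MACs and 10.0.0.5/24 are placeholders.
SAMPLE_IPADDR='2: em1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
    link/ether c8:1f:66:00:00:a1 brd ff:ff:ff:ff:ff:ff
    inet 10.0.0.5/24 brd 10.0.0.255 scope global em1
4: em3: <BROADCAST,MULTICAST> mtu 1500 qdisc noop state DOWN qlen 1000
    link/ether c8:1f:66:00:00:a3 brd ff:ff:ff:ff:ff:ff
5: em4: <BROADCAST,MULTICAST,UP> mtu 1500 qdisc mq state UNKNOWN qlen 1000
    link/ether c8:1f:66:00:00:a4 brd ff:ff:ff:ff:ff:ff'

# Print the first interface enslaved to bridge $1 (empty if the bridge is unmapped).
bridge_member() {  # usage: brctl show | bridge_member eth9
  awk -v br="$1" '$1 == br { print (NF >= 4 ? $4 : "") }'
}

# Exit 0 if interface $1 carries an IPv4 address in the `ip addr` output on stdin.
iface_has_ipv4() {  # usage: ip addr | iface_has_ipv4 em1
  awk -v ifc="$1" '
    /^[0-9]+: / { cur = $2; sub(/:$/, "", cur) }   # new interface stanza
    cur == ifc && $1 == "inet" { found = 1 }
    END { exit !found }'
}

# Refuse a candidate with an IPv4 address: per the article, that is the management NIC.
safe_to_remap() {  # usage: ip addr | safe_to_remap em4
  if iface_has_ipv4 "$1"; then
    echo "refuse: $1 has an IP address (management interface?)" >&2
    return 1
  fi
}

# Show what `sed -i "s/OLD/NEW/g" FILE` would change, without editing FILE.
preview_remap() {  # usage: preview_remap em3 em4 /etc/init.d/fneserver
  sed "s/$1/$2/g" "$3" | diff "$3" - || true
}

# Demo on the constructed samples.
current=$(printf '%s\n' "$SAMPLE_BRCTL" | bridge_member eth9)
echo "eth9 currently mapped to: ${current:-<none>}"
for cand in em1 em4; do
  if printf '%s\n' "$SAMPLE_IPADDR" | safe_to_remap "$cand" 2>/dev/null; then
    echo "$cand: ok to map"; else echo "$cand: refused"; fi
done
```

Because the substitution is global, every occurrence of em3 in the init script is rewritten, so the preview is worth reading in full; GNU sed's `-i.bak` form keeps a copy of the original file alongside the edited one.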
Notes
Please note that bond interfaces are supported only if at least one em* interface is left available for the eth9 mapping, which is needed for licensing.
Product Details
RSA Product Set: Security Analytics
RSA Product/Service Type: Security Analytics Server / Head Unit
RSA Version/Condition: 10.x
Summary
In order to configure a fixed Server ID on the SA server appliance sometimes it is required to change the MAC address persistently. Reasons may be to avoid duplicate conflicts or after performing a re-image or a NIC replacement.