Note: Throughout this document, the terms NIC, network interface, and network adapter are used interchangeably.
The Umbrella VA supports a dual-NIC configuration. This dual-NIC configuration is intended to enable DMZ deployment of a VA for traffic segregation with one network interface being used for outbound communication and the other network interface used for internal communication.
Dual-NIC support has only been qualified on virtual appliances (VA) running on Hyper-V and VMware. There is no change to existing behavior if the VA is deployed with a single NIC. Configuring more than two NICs on the VA is not supported.
Note: IPv6 addresses cannot be configured for network adapters when using the dual-NIC configuration.
- Open your existing VA in your preferred hypervisor’s console or SSH to the VA.
- Run the command
config va show.
Ensure that the IP configured here is the IP that will be used for internal communication. This is the IP that your endpoints will use for DNS resolution.
Tip: Note the MAC address of the existing network adapter before adding a secondary network adapter.
- Shut down the VA and add a second network adapter using your hypervisor console.
This is the network adapter you will be using for your outbound communication. This should be of the same driver type as your primary network adapter.
Note: Some platforms may not permit the addition of a second network adapter after the VA has been created.
- Turn the VA on, enter the Configuration mode from the console or through SSH, and run the command
config va show. This command returns the name of the second adapter.
Note: Adding a second adapter when the VA is powered on may result in the adapter not being detected or corruption of the existing configuration. The VA needs to be compulsorily shut down before adding the second adapter.
- For the secondary adapter, assign the IP, netmask, and gateway parameters to be used for outbound (Internet) communication. Enter:
config va interface <interface name> <ip address> <netmask> <gateway>.
Verify against the MAC address of the respective adapters to ensure that the IP addresses are not misconfigured.
Note: You cannot direct DNS requests to the IP configured on the secondary adapter because incoming DNS traffic will be blocked on this IP.
- Once you have saved changes, enable traffic segregation. Enter:
config va dmz enable
Static routes are configured for the IP on the secondary adapter to all Umbrella destinations required for the proper functioning of the VA. Configuring additional static routes is currently not supported.
You can deploy a new VA with dual-NIC support. The configuration steps are similar to configuring an upgraded VA. You can add the secondary adapter to the VM using the hypervisor console, before powering on the VM. Both adapters should be of the same driver type.
- Enter configuration mode on the VA and retrieve the name of both adapters. Enter:
config va show
- Configure the primary adapter and then secondary adapter. Enter
config va interface <interface name> <ip address> <netmask> <gateway>
Ensure that the primary adapter is configured with the IP that you wish to use for internal communication and that the secondary adapter is configured with the IP to be used for internet-bound communication.
- Once both adapters are configured, enable traffic segregation. Enter:
config va dmz enable
Updated 4 months ago