Configuring One-Arm Mode for iNodes
- Updated on 01 Aug 2023
In this section, learn how to use Secure Edge Portal to enable and configure one-arm mode on an iNode.
For more information about getting this feature enabled, contact your Account Manager.
One-Arm Mode Overview
In traditional iNode deployments, the network is separated physically by using the eth0 port as the WAN and cloud (northbound) uplink interface, and the other port, eth1, as the local (southbound) downlink interface. Deployment is simple: one cable in, one cable out, resulting in physical separation of northside and southside networks, illustrated in the figure that follows.
One-arm mode enables a single port to act as both uplink and downlink. This lets you use fewer physical network connections and allows for network redundancy.
One-arm mode is useful in cases where:
- The network switch doesn’t have two extra ports for two additional cables. Instead, using one-arm mode, you can create the separation needed through VLANs. All networks, both northbound and southbound, use the same physical connection. By default, the WAN uses an untagged VLAN (although it can be tagged) and the other local networks are tagged VLANs, as the following figure shows.
- The network requires high availability and redundancy. When in one-arm mode, unused ports can be used for link redundancy. (For devices with more than two ports, other ports are disabled.) The eth1 port can be connected to a duplicate of the switch connected to eth0. Both eth0 and eth1 could also be connected to the same switch.
In these types of deployments, the second cable on eth1 acts as a duplicate of eth0, but it is in a state of hibernation as long as eth0 is functioning. It becomes active only when eth0 goes down. See the following figure.
To use one-arm mode, you also must have enabled VLANs for your Secure Edge Portal account. (See Using VLANs on Edge iNodes.)
One-Arm Mode Network Scenarios
For your network to function as expected in one-arm mode, in addition to configuring the iNode, you must make sure that VLANs on both the iNode and peer switch match. Specifics of network changes depend on your network and goals for one-arm mode.
In the case of a flat network for local network and WAN, we do not recommend applying a Custom Security Policy that has rules to control traffic within the network.
If you’re planning to use a tagged WAN in your network, you will need physical access to your iNode when configuring one-arm mode.
In this section, we describe three scenarios using one-arm mode.
Untagged WAN Traffic
The simplest scenario for one-arm mode is when a user has a switch with one port available to connect with an iNode. The WAN traffic is untagged, but the local network traffic is all tagged VLANs.
To implement this scenario, you connect a single Ethernet cable from the iNode to the port on the switch to route the WAN traffic to Secure Edge Portal, bringing the iNode to life. Once you enable one-arm mode, the iNode reboots.
Because the WAN is untagged, the traffic continues to route to Secure Edge Portal. Now you can configure the local networks with tagged VLANs and access southside networks.
Tagged WAN Traffic
A more complicated scenario is the case in which a user has a single switch with one port available, in which the WAN traffic is tagged. (By default, WANs are untagged.)
In this case, when you connect the iNode through its eth0 port, it won’t be able to route traffic to Secure Edge Portal. You have to use the SSH command to connect to the iNode console using its IP address.
You can then use the iNode command-line interface to configure the WAN to have the correct VLAN tag so the iNode can connect to Secure Edge Portal. Once connected, you can use Secure Edge Portal to enable one-arm mode and configure the southside VLANs.
For detailed instructions on connecting to the iNode CLI and changing a VLAN on the uplink, see Appendix A Using the iNode Command-Line Interface, especially the section Configuring an iNode with Tagged WAN Traffic for One-Arm Mode.
Adding Redundancy to the Network
To provide redundancy to the network, you can start with a scenario like either of the previous two. After you’ve configured one-arm mode using either tagged or untagged WAN, connect the iNode’s second port, eth1, to the eth0 port of a second identical switch, creating a redundant local network.
Additional instructions you might need in creating networks include:
- Provisioning networks is in Provisioning Edge iNodes
- Enabling and using VLANs is in Using VLANs on Edge iNodes
- Using the iNode command-line interface is in Appendix A Using the iNode Command-Line Interface
Configure an iNode for One-Arm Mode
Configuring an iNode for one-arm mode includes these processes, described in the following sections.
- Switch from default mode to one-arm mode on the iNode
- Create networks
Switching from Default Mode to One-Arm Mode
In this section, learn to switch an iNode from default mode to one-arm mode.
When you boot an iNode for the first time, before it connects to Secure Edge Portal, it is in default mode with one northbound and one southbound port. When you switch to one-arm mode, in which one port can act as an uplink and a downlink, the iNode reboots.
Note also that if both the WAN and local networks are untagged, the networks will be merged into one VLAN.
Follow these steps to switch from default to one-arm mode on an Edge iNode:
- From the Secure Edge Portal Dashboard, select the iNode icon to display the iNode page.
- From the Manage iNode menu, select Edit.
- In Edit iNode > Advanced Settings, select One-Arm Mode to toggle on. A confirmation dialog displays to remind you that enabling one-arm mode reboots the iNode.
- Select Yes - Switch Mode to continue the one-arm mode configuration.
- Select Update. The iNode reboots. When its status returns to ALIVE, both ports are capable of acting as uplink and downlink interfaces.
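A pre-flight check for the VLAN layout rules described on this page (matching VLANs on the iNode and the peer switch, the tagged-WAN prerequisite, and the merge that occurs when the WAN and a local network are both untagged), as an added example that is not part of the original documentation or the product. The `SwitchPort` and `OneArmPlan` models, the network names and the VLAN IDs are hypothetical and constructed for illustration.

```python
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class SwitchPort:
    """Peer switch port facing the iNode (hypothetical model, not a vendor API)."""
    native_vlan: int | None = None   # VLAN carried untagged; None = untagged frames dropped
    tagged_vlans: set[int] = field(default_factory=set)

@dataclass
class OneArmPlan:
    """Planned iNode networks (hypothetical model); None means untagged."""
    wan_vlan: int | None = None      # untagged WAN is the default
    local_vlans: dict[str, int | None] = field(default_factory=dict)

def check_plan(plan, port):
    """Return (severity, message) findings for a planned one-arm layout."""
    out = []
    if plan.wan_vlan is None:
        if port.native_vlan is None:
            out.append(("ERROR", "WAN is untagged but the switch port carries no untagged VLAN"))
    else:
        out.append(("INFO", f"WAN is tagged ({plan.wan_vlan}): set the tag from the iNode "
                            "CLI before enabling one-arm mode in the portal"))
        if plan.wan_vlan not in port.tagged_vlans:
            out.append(("ERROR", f"WAN VLAN {plan.wan_vlan} is not tagged on the switch port"))
    for name, vid in sorted(plan.local_vlans.items()):
        if vid is None:
            if plan.wan_vlan is None:
                out.append(("WARN", f"{name}: untagged like the WAN, so the two merge into one VLAN"))
            elif port.native_vlan is None:
                out.append(("ERROR", f"{name}: untagged but the switch port carries no untagged VLAN"))
        elif not 1 <= vid <= 4094:
            out.append(("ERROR", f"{name}: VLAN {vid} is outside the valid range 1-4094"))
        elif vid == plan.wan_vlan:
            out.append(("WARN", f"{name}: shares VLAN {vid} with the WAN (flat network)"))
        elif vid not in port.tagged_vlans:
            out.append(("ERROR", f"{name}: VLAN {vid} is not tagged on the switch port"))
    return out

# Constructed sample: switch trunk carries VLAN 1 untagged and VLANs 10 and 20 tagged.
PORT = SwitchPort(native_vlan=1, tagged_vlans={10, 20})
PLAN = OneArmPlan(wan_vlan=None, local_vlans={"plc": 10, "cameras": 30, "legacy": None})

if __name__ == "__main__":
    for severity, message in check_plan(PLAN, PORT):
        print(f"{severity:5} {message}")
```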