7.4.0

Configuring MACVLAN networks for Linux-based deployments

Applications such as network traffic monitoring and system management tools may require the FortiAnalyzer-Docker to be connected directly to the physical network. In these situations, you can use MACVLAN networking.

In a MACVLAN network, the MACVLAN network driver assigns a MAC address to each container's virtual network interface, making it appear as though it is a physical network interface that is directly connected to the network. In order to use a MACVLAN network, the networking equipment must be able to handle "promiscuous mode", where one physical interface can be assigned multiple MAC addresses.

When using a MACVLAN network it is possible to unintentionally damage the network due to IP address exhaustion or to "VLAN spread", in which an inappropriately large number of unique MAC addresses become available in the network. The benefit of running a FortiAnalyzer-Docker on a MACVLAN network is that no additional port mapping is required.

This topic explains how to configure a MACVLAN network for use with your FortiAnalyzer Docker.

MACVLAN network topology

The examples in the instructions below use the following information and network topology. Although FortiManager is used in the example, the same instructions also apply to a FortiAnalyzer-Docker.

  • MACVLAN network name: mnd01
  • Docker host interface: enp1s0
  • FortiManager-Docker image: fortinet/qa-fortimanager:7.0.2.0174
Configuration

To set up a MACVLAN network configuration:
  1. Create a new MACVLAN network in your docker host. You must specify the subnet, IP range, gateway, docker interface, and name of the MACVLAN network.
    In your docker host, run the following commands:

    docker network create \
      -d macvlan \
      --subnet=<Subnet mask> \
      --ip-range=<IP range and its prefix> \
      --gateway=<Gateway IP> \
      -o parent=<Docker host interface name> \
      <MACVLAN network name>

    For example:

    docker network create -d macvlan --subnet=10.2.124.0/16 --ip-range=10.2.124.208/28 --gateway=10.2.0.250 -o parent=ens160 mnd01

  2. Provision the FortiAnalyzer-Docker container. For more information, see Introduction.
    In your docker host, run the following commands:

    docker run \
      -dit \
      --name <Container name> \
      --restart always \
      --cap-add=ALL \
      -v /var/faz/var:/var \
      -v /var/faz/data:/data \
      --network <MACVLAN network> \
      --ip <FAZ-Docker IP> \
      <FAZ-Docker image>

    For example:

    docker run -dit --name faztest --restart always --cap-add=ALL -v /var/faz/var_b0174_03:/var -v /var/faz/data_b0174_03:/data --network mnd01 --ip 172.18.49.239 fortinet/fortianalyzer:7.0.2.0174

  3. Next, configure the container to have access to the docker host.
    In your docker host, run the following commands:

    ip link add <MACVLAN network>_SelfN link <docker host interface> type macvlan mode bridge
    ip addr add <IP address> dev <MACVLAN network>_SelfN
    ip link set <MACVLAN network>_SelfN up
    ip route add <IP route> dev <MACVLAN network>_SelfN

    For example:

    ip link add mnd01_SelfN link enp1s0 type macvlan mode bridge
    ip addr add 172.18.49.236/32 dev mnd01_SelfN
    ip link set mnd01_SelfN up
    ip route add 172.18.49.236/30 dev mnd01_SelfN
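The three steps above collected into one script, added here as an example and not part of the Fortinet page. It wraps the page's commands in shell functions, checks the addressing offline before anything touches the host (an allocation pool, gateway or container address outside --subnet, or a host shim address that collides with the container or sits inside Docker's allocation pool), and only prints the commands unless DRY_RUN=0 is set. The network name, interface, addresses and image tag are constructed placeholders for you to replace; validate_config, ip_in_cidr, ip2int, run and the step functions are this example's own helpers, not a Docker or FortiAnalyzer API.

```shell
#!/bin/sh
# Added example (not from the Fortinet page): the MACVLAN setup as functions,
# validated before it is applied. All names and addresses are constructed.
set -eu

NET_NAME="${NET_NAME:-mnd01}"                 # MACVLAN network name
PARENT_IF="${PARENT_IF:-enp1s0}"              # docker host interface the macvlan hangs off
SUBNET="${SUBNET:-10.2.0.0/16}"               # constructed: must contain everything below
IP_RANGE="${IP_RANGE:-10.2.124.208/28}"       # pool Docker allocates container IPs from
GATEWAY="${GATEWAY:-10.2.0.250}"
CONTAINER_IP="${CONTAINER_IP:-10.2.124.210}"  # static --ip for the FAZ container
SHIM_IP="${SHIM_IP:-10.2.124.200}"            # host-side macvlan shim, outside Docker's pool
SHIM_ROUTE="${SHIM_ROUTE:-10.2.124.208/28}"   # addresses the host reaches via the shim
IMAGE="${IMAGE:-fortinet/fortianalyzer:7.0.2.0174}"
DRY_RUN="${DRY_RUN:-1}"                       # 1 = print commands, 0 = execute them

ip2int() {
    # dotted quad -> 32-bit integer, POSIX arithmetic only
    oldifs=$IFS; IFS=.; set -- $1; IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

ip_in_cidr() {
    # ip_in_cidr ADDR NET/PREFIX -> exit 0 when ADDR lies inside NET/PREFIX
    addr=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    prefix=${2#*/}
    mask=$(( (4294967295 << (32 - prefix)) & 4294967295 ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

validate_config() {
    # Docker rejects an ip-range, gateway or --ip outside --subnet; a shim address
    # inside Docker's pool or equal to the container address breaks step 3 later.
    ok=0
    ip_in_cidr "${IP_RANGE%/*}" "$SUBNET" || { echo "ip-range $IP_RANGE not inside $SUBNET"; ok=1; }
    ip_in_cidr "$GATEWAY" "$SUBNET"       || { echo "gateway $GATEWAY not inside $SUBNET"; ok=1; }
    ip_in_cidr "$CONTAINER_IP" "$SUBNET"  || { echo "container ip $CONTAINER_IP not inside $SUBNET"; ok=1; }
    [ "$SHIM_IP" != "$CONTAINER_IP" ]     || { echo "shim ip collides with container ip"; ok=1; }
    ip_in_cidr "$SHIM_IP" "$IP_RANGE" && { echo "shim ip $SHIM_IP is inside Docker's pool $IP_RANGE"; ok=1; }
    return $ok
}

run() {
    # Print the command; execute it as well unless DRY_RUN=1.
    printf '+ %s\n' "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

step1_create_network() {
    # The parent interface (and the switch/hypervisor port behind it) must accept
    # the extra MAC addresses the macvlan driver assigns.
    run docker network create -d macvlan \
        --subnet="$SUBNET" --ip-range="$IP_RANGE" --gateway="$GATEWAY" \
        -o parent="$PARENT_IF" "$NET_NAME"
}

step2_run_container() {
    # --cap-add=ALL is the flag the page's command uses; it grants the container
    # every Linux capability, so the volumes below are host paths it can fully control.
    run docker run -dit --name "faz-$NET_NAME" --restart always --cap-add=ALL \
        -v /var/faz/var:/var -v /var/faz/data:/data \
        --network "$NET_NAME" --ip "$CONTAINER_IP" "$IMAGE"
}

step3_host_shim() {
    # The kernel does not pass traffic between a macvlan child and its parent, so
    # the host cannot reach the container until a second macvlan child (the shim)
    # exists on the host with a route for the container range pointing at it.
    shim="${NET_NAME}_SelfN"
    run ip link add "$shim" link "$PARENT_IF" type macvlan mode bridge
    run ip addr add "$SHIM_IP/32" dev "$shim"
    run ip link set "$shim" up
    run ip route add "$SHIM_ROUTE" dev "$shim"
}

setup_macvlan() {
    validate_config || { echo "configuration rejected; nothing run" >&2; return 1; }
    step1_create_network
    step2_run_container
    step3_host_shim
}

# sh macvlan-setup.sh            -> print the commands
# DRY_RUN=0 sh macvlan-setup.sh  -> run them on the docker host (as root)
setup_macvlan
```

Keep SHIM_ROUTE as narrow as the container range actually needs: the shim deliberately re-opens host-to-container traffic that macvlan otherwise blocks, so a route covering the whole subnet gives every macvlan container a path to the host.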

Results

Once the MACVLAN network is configured, the FortiAnalyzer-Docker container has a MAC address and appears as though it is connected using a physical network interface. For more information on licensing the docker, see Introduction.

You can modify the GUI access port through the settings menu in FortiAnalyzer-Docker.

Optionally, FortiAnalyzer-Dockers configured in a MACVLAN network can be configured in an HA cluster.