Depending on your deployment and configuration choices, the Ethernet ports on the NIOS appliance perform different functions. The Ethernet ports that handle traffic on the NIOS appliance are as follows:
...
You can implement DiffServ (Differentiated Services) on the appliance by configuring the DSCP (Differentiated Services Code Point) value. DiffServ is a scalable and class-based mechanism that provides relative priorities to the type of services on your network. It can provide low latency for critical network traffic while providing simple best-effort service for non-critical services. The Infoblox DSCP implementation fully conforms to RFC 2475. For more information about DiffServ, refer to RFC 2475, An Architecture for Differentiated Services.
In IPv4 and IPv6 headers, DiffServ uses the DS (Differentiated Services) field for packet classification purposes. The DS field defines the layout of the ToS (Type of Services) octet in IPv4 and the Traffic Class octet in IPv6. The first six bits of the DS field are used as the DSCP value, which determines the PHBs (per-hope behaviors) on DiffServ compliant nodes and enables priorities of services to be assigned to network traffic. For more information about the DS field, refer to RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.
When you configure the DSCP value for DiffServ, the appliance sets priorities for all outgoing IP traffic. It implements QoS (quality of service) rules so you can effectively classify and manage your critical network traffic. To ensure that core network services, such as DNS services, continue to operate in the event of network traffic congestion, you can set the DSCP value for the entire Grid and override it at the member level. Note that on an appliance, all outgoing IP traffic on all interfaces uses the same DSCP value.
DSCP is supported on both IPv4 and IPv6 transports and the DSCP value for both IPv4 and IPv6 transports must be the same. This feature is currently supported on the following Infoblox appliances: Trinzic 2215, 2225, Infoblox-4030-10GE, PT-1405, PT-2205, TE-1415, TE-1425, and TE-4015. For information about these appliances, refer to the respective installation guides on the Infoblox Support web site at https://www.infoblox.com/support.
...
Service | SRC IP | DST IP | Proto | SRC | DST Port | Notes |
---|---|---|---|---|---|---|
Key Exchange (Member Connection) | LAN1 or MGMT on all Grid members (including Grid Master and Grid Master Candidate) | VIP on HA Grid Master, or LAN1 on single Grid Master | 17 UDP | 2114 | 2114 | Initial key exchange for |
Key Exchange (Grid Master Candidate Promotion) | VIP on HA Grid Master, or LAN1 on single Grid Master | LAN1 or MGMT on all Grid members (including Grid Master and Grid Master Candidate) | 17 UDP | 2114 | 2114 | |
Accounting | LAN1 or MGMT on Grid member | VIP on HA Grid Master, or LAN1 on single Grid Master | 17 UDP | 1194 or | 1194 or | Default VPN port 1194 for Grids with new DNSone 3.2 installations and 5002 for Grids upgraded to DNSone 3.2; the port number is configurable Required for Grid |
Network Insight VPN | LAN1 or LAN2 on Probes | LAN1 or LAN2 on Consolidator | UDP | 1194 | 1194 | All default VPN tunnels for Network Insight |
Discovery | LAN1 or LAN2 on Probes | UDP | 161 | SNMP | ||
Discovery | LAN1 or LAN2 on Probes | UDP | 260 | SNMP - Needed for full discovery of some older Check Point models | ||
Discovery | LAN1 or LAN2 on Probes | ICMP | n/a | Ping Sweep | ||
Discovery | LAN1 or LAN2 on Probes | UDP, TCP | 53 | DNS | ||
Discovery | LAN1 or LAN2 on Probes | ICMP | Path Collection, for IPv4 addresses | |||
Discovery | LAN1 or LAN2 on Probes | UDP | 33434+1 | Path Collection. Standard traceroute, for IPv6 addresses | ||
Discovery | LAN1 or LAN2 | ICMP, UDP, TCP | Port scan - all configured by us | |||
Discovery | LAN1 or LAN2 on Probes | UDP | 137 | NetBIOS | ||
Discovery | LAN1 or LAN2 on Probes | UDP | 40125 | NMAP, UDP Ping, and credential checking | ||
Discovery | LAN1 or LAN2 | TCP | 23 | Telnet can be used based on Network Insight configuration for Network Discovery. | ||
Discovery | LAN1 or LAN2 | TCP | 22 | SSH can be used based on Network Insight configuration for Network Discovery. | ||
DHCP | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 68 | 67 | Required for IPv4 DHCP service |
DHCP | LAN1, LAN2 or VIP on NIOS appliance | Client | 17 UDP | 67 | 68 | Required for IPv4 DHCP service |
DHCP | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 546 | 547 | Required for IPv6 DHCP service |
DHCP | LAN1, LAN2 or VIP on NIOS appliance | Client | 17 UDP | 547 | 546 | Required for IPv6 DHCP service |
DHCP Failover | LAN1, LAN2 or VIP on Infoblox DHCP failover peer | LAN1, LAN2 or VIP on Infoblox DHCP failover peer | 6 TCP | 1024 → 65535 | 519 or 647 | Required for DHCP failover |
DHCP Failover | VIP on HA Grid Master or LAN1 or LAN2 on single master | LAN1, LAN2 or VIP on Grid member in a DHCP failover pair | 6 TCP | 1024 -> | 647 or 7911 | Required for DHCP failover Port 7911 is used by an API for limited control over ISC DHCP server operations. |
DDNS Updates | LAN1, LAN2, or VIP | LAN1, LAN2, or VIP | 17 UDP | 1024 → 65535 | 53 | Required for DHCP to send DNS dynamic updates |
DNS Transfers | LAN1, LAN2, VIP, or MGMT, or client | LAN1, LAN2, VIP, or MGMT | 6 TCP | 53, or | 53 | For DNS zone transfers, large client queries, and for Grid members to communicate with external name servers Required for DNS |
DNS Queries | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 53, or 1024 → 65535 | 53 | For DNS queries Required for DNS |
DNS Queries | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 6 TCP | 53, or 1024 → 65535 | 53 | For DNS queries Required for DNS |
DNSTAP | NIOS | DNSTAP server | TCP | 6000 | 6000 | |
NTP | NTP client | LAN1, LAN2, VIP, or MGMT | 17 UDP | 1024 -> | 123 | Required if the NIOS appliance is an NTP server |
NTP | NTP client | LAN1, LAN2, VIP, or MGMT | 17 UDP | 1024 -> | 123 | Required if the NIOS appliance is an NTP server. On an HA member, the NTP service runs on the active node. If there is an HA failover, the NTP service is automatically launched after the passive node becomes active and the NTP traffic uses the LAN2, VIP, or MGMT port on one of the nodes from an HA pair, instead of the LAN1 port. During another HA failover, the currently passive node becomes active again and the NTP traffic uses the LAN1 port, and the NTP is back in synchronization. |
RADIUS Authentication | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 – 65535 | 1812 | For proxying RADIUS Authentication-Requests. The default destination port number is 1812, and can be changed to 1024 – 63997. When configuring an HA pair, ensure that you provision both LAN IP addresses on the RADIUS server. |
RADIUS Accounting | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 – 65535 | 1813 | For proxying RADIUS Accounting-Requests. The default destination port number is 1813, and can be changed to 1024 – 63998. |
RADIUS Proxy | LAN1 or VIP | RADIUS home server | 17 UDP | 1814 | 1024 -> | Required to proxy requests from RADIUS clients to servers. The default source port number is 1814, and although it is not configurable, it is always two greater than the port number for RADIUS authentication. |
ICMP Dst Port Unreachable | VIP, LAN1, LAN2, or MGMT, | LAN1, LAN2, or | 1 ICMP | – | – | Required to respond to the UNIX-based traceroute tool to determine if a destination has been reached |
ICMP Echo Reply | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP Type 0 | – | – | Required for response from ICMP echo request (ping) |
ICMP Echo Request | VIP, LAN1, LAN2, or MGMT, | VIP, LAN1, LAN2, or | 1 ICMP | – | – | Required to send pings and respond to the Windows- |
ICMP TTL | Gateway device (router or firewall) | Windows client | 1 ICMP | – | – | Gateway sends an ICMP TTL exceeded message to a Windows client, which then records router hops along a data path |
NTP | LAN1 on active node of Grid Master or LAN1 of independent appliance | NTP server | 17 UDP | 1024 -> | 123 | Required to synchronize Grid, TSIG authentication, and DHCP failover Optional for synchronizing logs among multiple appliances |
SMTP | LAN1, LAN2, or VIP | Mail server | 6 TCP | 1024 → 65535 | 25 | Required if SMTP alerts are enabled |
SNMP | NMS (network management system) server | VIP, LAN1, LAN2, or MGMT | 17 UDP | 1024 → 65535 | 161 | Required for SNMP management |
SNMP Traps | MGMT or LAN1 on Grid Master or HA pair, or LAN1 on independent appliance | NMS server | 17 UDP | 1024 -> 65535 | 162 | Required for SNMP trap management. |
SSHv2 | Client | LAN1, LAN2, VIP, or MGMT on NIOS | 6 TCP | 1024 -> | 22 | Administrators can make an SSHv2 connection to the LAN1, LAN2, VIP, or MGMT port Optional for management |
Syslog | LAN1, LAN2, or MGMT of NIOS appliance | syslog server | 17 UDP | 1024 → 65535 | 514 | Required for remote syslog logging |
Traceroute | LAN1, LAN2, or UNIX-based appliance | VIP, LAN1, LAN2, or MGMT, or client | 17 UDP | 1024 → 65535 | 33000 → 65535 | NIOS appliance responds with ICMP type code 3 (port unreachable) |
TFTP Data | LAN1 or MGMT | TFTP server | 17 UDP | 1024 → 65535 | 69, then 1024 → 63999 | For contacting a TFTP server during database and configuration backup and restore operations |
VRRP | HA IP on the active node of HA pair | Multicast address 224.0.0.18 | 112 | 802 | For periodic announcements of the availability of the HA node that is linked to the VIP. The nodes in the HA pair must be in the same subnet. | |
HTTP | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 -> | 80 | Required if the HTTP-redirect option is set on the Grid properties security page |
HTTPS/SSL | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 → 65535 | 443 | Required for administration through the GUI |
Reporting | Reporting Forwarders | LAN1, LAN2, or MGMT on the indexer | 6 TCP | 1024 - | 9997 | Required for the reporting service. Communication is single directional from forwarders to the indexer. For example, a forwarder detects events and forwards them to the indexer. |
Reporting - Peer Replication | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 7887 | Splunk cluster peer replication (traffic among reporting members) |
Distributed Search | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 7089 | Distributed searches from Search Head to Reporting Members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 8089 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP – IPv4 | 1024 - 65535 | 8000 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP – IPv6 | 1024 - 65535 | 8000 | Grid Master to reporting members |
Threat Protection | VIP on HA Grid Master or MGMT on single appliance (with threat protection service running) | N/A (using FQDN = https://ts.infoblox.com) This URL is configured to work with NIOS appliances. It has a self-signed certificate; it may not work properly with web browsers but works with appliances. | HTTPS | N/A | 443 | For threat protection rule updates. |
Threat Insight | Client | N/A (using FQDN = https://ts.infoblox.com) | HTTPS | N/A | 443 | For downloading module set and whitelist updates. |
Microsoft Management | Managing Member | Microsoft Server | TCP | 1024 - 65535 | 135, 139, 445 Dynamic Port Range 49152-65535 (Windows Server 2008) | Note that TCP ports 135, 139, and 445 must be open The SMB protocol uses port 139 for the NETBIOS connection to exchange data with the Microsoft server. |
DNS Forwarding to BloxOne Threat Defense Cloud: Cloud Services Portal | NIOS Appliance | BloxOne Threat Defense Cloud | TCP | 443 | 443 | csp.infoblox.com |
DNS Forwarding to BloxOne Threat Defense Cloud: Platform Management | NIOS Appliance | BloxOne Threat Defense Cloud | TCP | 443 | 443 | cp.noa.infoblox.com |
DNS Forwarding to BloxOne Threat Defense Cloud: Application Management | NIOS Appliance | BloxOne Threat Defense Cloud | TCP | 443 | 443 | app.noa.infoblox.com |
DNS Forwarding to BloxOne Threat Defense Cloud: NTP Server (Only if time sync with EXSi is disabled) | NIOS Appliance | BloxOne Threat Defense Cloud | UDP | 123 | 123 | ntp.ubuntu.com |
DNS Forwarding to BloxOne Threat Defense Cloud: NTP Server (Only if time sync with EXSi is disabled) | NIOS Appliance | BloxOne Threat Defense Cloud | UDP | 123 | 123 | ubuntu.pool.ntp.org |
DNS Forwarding to BloxOne Threat Defense Cloud: BloxOne Threat Defense Cloud DNS server | NIOS Appliance | BloxOne Threat Defense Cloud | UDP | 123 | 123 | 52.119.40.100 |
SAML Authentication service | LAN1 or MGMT on Grid Master | TCP | 8765 | Ports 443 (HTTPS) and 80 (HTTP) |
...