Depending on your deployment and configuration choices, the Ethernet ports on the NIOS appliance perform different functions. The Ethernet ports that handle traffic on the NIOS appliance are as follows:
LAN1 port – A 10/100/1000-Mbps gigabit Ethernet port that connects the appliance to the network. This is the default port for single independent appliances, single Grid members, and passive nodes in HA pairs. You must use the LAN1 port to set up the appliance initially. It handles traffic for all management services if you do not enable the MGMT and LAN2 ports. The passive node in an HA pair uses this port to synchronize the database with the active node.
LAN2 port – A 10/100/1000-Mbps gigabit Ethernet port that connects the appliance to the network. The LAN2 port is not enabled by default. You can enable the LAN2 port and define its use through the GUI after the initial setup. By default, the appliance uses the LAN1 port (and the HA port when deployed in an HA pair). To enable and configure the LAN2 port, you must have read/write permission to the Grid member on which you want to enable the port. The LAN2 port is available on the TE-815, TE-825, TE-1415, TE-1425, TE-2215, TE-2225, TE-4015 and TE-4025 appliances. The LAN2 port is available on all appliance models, both physical and virtual, except those appliances deployed in public cloud. For information about how to use the LAN2 port, see Using the LAN2 Port.
HA port – A 10/100/1000-Mbps gigabit Ethernet port through which the active node in an HA (high availability) pair connects to the network using a VIP (virtual IP) address. HA pair nodes also use their HA ports for VRRP (Virtual Router Redundancy Protocol) advertisements.
MGMT port – A 10/100/1000-Mbps gigabit Ethernet port that you can use for appliance management or DNS service. You can enable the MGMT port and define its use through the GUI after the initial setup. If the MGMT port is enabled, the NIOS appliance uses it for management services (see the Sources and Destinations for Services table below for specific types).
...
You can access the Infoblox GUI and API through the MGMT and LAN1 or VIP interfaces simultaneously. To do so, you must first configure the MGMT port on the appliance, and then enable the Enable GUI/API Access via both MGMT and LAN1/VIP feature. For information about the MGMT port, see Using the MGMT Port. When you enable this feature, you can use the MGMT and LAN1 ports for standalone appliances and the MGMT and VIP ports for an HA pair. This feature is disabled for all new installations and upgrades.
...
Note: When you configure VLANs on the following Network Insight appliances: ND-1405, ND-2205, ND-4000, ND-V1405, and ND-V2205, the VLAN interfaces are used exclusively for discovery. You cannot bind other services to the VLAN interfaces of the supported Network Insight appliances. For more information about Network Insight, see About Network Insight.
...
VLANs and VLAN tagging are supported on both IPv4 and IPv6 transports. This feature is currently supported on the following Infoblox appliances: Trinzic 1405, 1415, 1425, 2205, 2215, 2225, 4005, Infoblox-4030-10GE, PT-1405, PT-2205, CP-VM-800, CP-VM-1400, and CP-VM-2200. It is also supported on all the Trinzic virtual appliances. VLAN tagging is not supported on TE-100, TE-805, ND-805, TR-805, TE-815, and TE-825. For information about these appliances, refer to the respective installation guides on the Infoblox Support web site at https://www.infoblox.com/support.
VLANs and VLAN tagging are supported on both physical and virtual Infoblox appliances. They are not supported on Infoblox appliances deployed in public cloud or on Infoblox reporting appliances. Binding non-Discovery services on the VLAN interfaces of the Network Insight appliances is not supported. The following appliances require NIOS 9.0.4 or higher to support VLAN tagging: TE-815, TE-825, TE-926, ND-805 and ND-906.
Currently, only the DNS service can listen on specific VLAN interfaces. The DHCP service listens only on the primary VLAN interface (tagged or untagged). You can also specify VLANs as the source port for sending DNS queries and notify messages. For information about how to configure these, see Specifying Port Settings for DNS.
Additional VLAN support is available exclusively for discovery on the following Network Insight appliances: ND-906, ND-1606, ND-2306, ND-4106, ND-1405, ND-2205, ND-4000, ND-V1405, and ND-V2205. Binding other services on the VLAN interfaces of the Network Insight appliances is not supported.
...
From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox, and then click the Edit icon.
Select the Network -> Basic tab in the Grid Member Properties editor.
In the Additional Ports and Addresses table, click the Add icon and select either MGMT (IPv4), MGMT (IPv6), LAN2 (IPv4), LAN2 (IPv6), Additional Address (loopback) (IPv4), Additional Address (loopback) (IPv6), LAN1 (VLAN)(IPv4), LAN1 (VLAN)(IPv6), LAN2 (VLAN)(IPv4) or LAN2 (VLAN)(IPv6) from the drop-down list. You can add up to 10 IPv4 and 10 IPv6 VLANs for each interface.
You can configure only IPv4 VLAN addresses for an IPv4 Grid member and only IPv6 VLAN addresses for an IPv6 Grid member, but for a dual mode Grid member you can configure both IPv4 and IPv6 VLAN addresses.
For vNIOS appliances, some of the options in the drop-down list may vary depending on your vNIOS configuration. For example, if you are using a single network interface instance of vNIOS for GCP, you will see choices specific to the LAN1 interface and Additional Address only. For more information, see the vNIOS documentation specific to your product at Appliances.
The options are as follows:
MGMT (IPv4): Select this to configure IPv4 address for MGMT port.
MGMT (IPv6): Select this to configure IPv6 address for MGMT port.
LAN2 (IPv4): Select this to configure IPv4 address for the LAN2 port for DHCP or DNS. This is not applicable to Trinzic 100 appliance.
LAN2 (IPv6): Select this to configure IPv6 address for the LAN2 port for DHCP or DNS. This is not applicable to Trinzic 100 appliance.
Additional Address (loopback) (IPv4): Select this to add a non-anycast IPv4 address to the loopback interface. Note that you can configure this for IPv4 and dual mode Grid member.
Additional Address (loopback) (IPv6): Select this to add a non-anycast IPv6 address to the loopback interface. Note that you can configure this for IPv6 and dual mode Grid member.
LAN1 (VLAN) (IPv4): Select this to add a VLAN to the LAN1 interface. You can add up to 10 IPv4 VLAN addresses. You can configure this for IPv4 and dual mode Grid member. This VLAN tagging is supported on the following Infoblox appliances: Trinzic 1405, 1415, 1425, 2205, 2215, 2225, 4005, Infoblox-4030-10GE, PT-1405, PT-2205, CP-VM-800, CP-VM-1400, and CP-VM-2200. It is also supported on all the Trinzic virtual appliances. VLAN tagging is not supported on TE-100, TE-805, ND-805, TR-805, TE-815, and TE-825. VLAN tagging is not supported in public cloud.
LAN1 (VLAN) (IPv6): Select this to add a VLAN to the LAN1 interface. You can add up to 10 IPv4 and 10 IPv6 VLAN addresses. You can configure this for IPv6 and dual mode Grid member. VLAN tagging is not supported in public cloud.
LAN2 (VLAN) (IPv4): Select this to add a VLAN to the LAN2 interface. You can add up to 10 IPv4 and 10 IPv6 VLAN addresses. You can configure this for IPv4 and dual mode Grid member. This is supported on the following Infoblox appliances: Trinzic 1405, 1415, 1425, 2205, 2215, 2225, 4005, Infoblox-4030-10GE, PT-1405, PT-2205, CP-VM-800, CP-VM-1400, and CP-VM-2200. It is also supported on all the Trinzic virtual appliances. VLAN tagging is not supported on TE-100, TE-805, ND-805, TR-805, TE-815, and TE-825. VLAN tagging is not supported in public cloud.
LAN2 (VLAN) (IPv6): Select this to add a VLAN to the LAN2 interface. You can add up to 10 IPv6 VLAN addresses. You can configure this for IPv6 and dual mode Grid member. This is supported on the following Infoblox appliances: Trinzic 1405, 1415, 1425, 2205, 2215, 2225, 4005, Infoblox-4030-10GE, PT-1405, PT-2205, CP-VM-800, CP-VM-1400, and CP-VM-2200. It is also supported on all the Trinzic virtual appliances. VLAN tagging is not supported on TE-100, TE-805, ND-805, TR-805, TE-815, and TE-825. VLAN tagging is not supported in public cloud.
Enter the following:
Interface: Displays the name of the VLAN interface. This can be LAN1 (VLAN)(IPv4), LAN1 (VLAN)(IPv6), LAN2 (VLAN)(IPv4), or LAN2 (VLAN)(IPv6) depending on your selection. You cannot modify this.
Address: Type the IP address for the VLAN port.
Subnet Mask (IPv4) or Prefix Length (IPv6): For IPv4 address, specify an appropriate subnet mask and for IPv6 address, specify the prefix length. The prefix length ranges from 2 to 127, with common-sense values ranging from /48 to /127 due to the larger number of bits in the IPv6 address.
Gateway: Type the IPv4 or IPv6 default gateway address for the VLAN port depending on the type of interface. For IPv6 interface, you can also type Automatic to enable the appliance to acquire the IPv6 address of the default gateway and the link MTU from router advertisements.
You can now define a link-local address as the default IPv6 gateway and isolate the LAN segment so the local router can provide global addressing and access to the network and Internet. This is supported for both LAN1 and LAN2 interfaces as well as LAN1 and LAN2 in the failover mode.
VLAN Tag: Enter the VLAN tag or ID. You can enter a number from 1 to 4094. Ensure that you configure the corresponding switch accordingly.
Port Settings: For IPv4 only. From the drop-down list, choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. Select Automatic to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. This is the default setting. You cannot configure port settings for vNIOS appliances.
DSCP Value: Displays the Grid DSCP value, if configured. To modify, click Override and enter the DSCP value. You can enter a value from 0 to 63.
Save the configuration and click Restart if it appears at the top of the screen.
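The procedure above describes the constraints a VLAN entry in the Additional Ports and Addresses table must satisfy: IPv4 addresses only on an IPv4 member and IPv6 only on an IPv6 member (both on a dual mode member), a VLAN tag from 1 to 4094, an IPv6 prefix length from 2 to 127, an IPv6 gateway that may be Automatic or a link-local address, and at most 10 IPv4 and 10 IPv6 VLANs per interface. The following is an added example, not Infoblox code and not a NIOS API, that checks a planned set of VLAN entries against exactly those rules before anyone types them into the GUI; the VlanEntry data model, the member_mode strings and the duplicate-tag rule are assumptions made for the example.

```python
"""Pre-check a planned set of LAN1/LAN2 VLAN entries for a NIOS Grid member.

Added example (not Infoblox code). It encodes only the constraints stated in
the procedure: VLAN tag 1-4094, at most 10 IPv4 and 10 IPv6 VLANs per
interface, address family matching the member mode, IPv6 prefix length 2-127,
'Automatic' gateway only for IPv6. VlanEntry and member_mode are assumptions.
"""
import ipaddress
from collections import Counter
from dataclasses import dataclass

MAX_VLANS_PER_FAMILY = 10          # per interface, per address family
VLAN_TAG_MIN, VLAN_TAG_MAX = 1, 4094


@dataclass(frozen=True)
class VlanEntry:
    interface: str      # "LAN1" or "LAN2"
    address: str        # IPv4 or IPv6 address of the VLAN interface
    prefix: int         # subnet mask length (IPv4) or prefix length (IPv6)
    gateway: str        # gateway address, or "Automatic" (IPv6 only)
    tag: int            # 802.1Q VLAN ID


def _check_entry(e, member_mode):
    """Problems with a single entry; an empty list means the entry is fine."""
    out = []
    where = f"{e.interface} (VLAN) tag {e.tag}"
    if e.interface not in ("LAN1", "LAN2"):
        return [f"{where}: VLANs can be added only to the LAN1 or LAN2 interface"]
    try:
        addr = ipaddress.ip_address(e.address)
    except ValueError:
        return [f"{where}: {e.address!r} is not a valid IP address"]
    if (member_mode == "ipv4" and addr.version == 6) or (member_mode == "ipv6" and addr.version == 4):
        out.append(f"{where}: IPv{addr.version} VLAN address is not allowed on an {member_mode} Grid member")
    if not VLAN_TAG_MIN <= e.tag <= VLAN_TAG_MAX:
        out.append(f"{where}: VLAN tag must be between {VLAN_TAG_MIN} and {VLAN_TAG_MAX}")
    if addr.version == 4 and not 0 <= e.prefix <= 32:
        out.append(f"{where}: IPv4 subnet mask length must be 0-32")
    if addr.version == 6 and not 2 <= e.prefix <= 127:
        out.append(f"{where}: IPv6 prefix length must be 2-127")
    if e.gateway == "Automatic":
        if addr.version == 4:
            out.append(f"{where}: 'Automatic' gateway is available only for IPv6 interfaces")
    else:
        try:
            gw = ipaddress.ip_address(e.gateway)   # a link-local IPv6 gateway is allowed
        except ValueError:
            out.append(f"{where}: gateway {e.gateway!r} is not a valid IP address")
        else:
            if gw.version != addr.version:
                out.append(f"{where}: gateway must be an IPv{addr.version} address")
    return out


def validate_vlans(entries, member_mode):
    """Return a list of human-readable problems; empty means the plan is consistent."""
    if member_mode not in ("ipv4", "ipv6", "dual"):
        raise ValueError("member_mode must be 'ipv4', 'ipv6' or 'dual'")
    problems = []
    per_family = Counter()      # (interface, ip version) -> number of VLANs
    tags_seen = Counter()       # (interface, ip version, tag) -> occurrences
    for e in entries:
        problems.extend(_check_entry(e, member_mode))
        try:
            family = ipaddress.ip_address(e.address).version
        except ValueError:
            continue
        per_family[(e.interface, family)] += 1
        tags_seen[(e.interface, family, e.tag)] += 1
    for (iface, family), n in sorted(per_family.items()):
        if n > MAX_VLANS_PER_FAMILY:
            problems.append(f"{iface}: {n} IPv{family} VLANs planned, maximum is {MAX_VLANS_PER_FAMILY}")
    for (iface, family, tag), n in sorted(tags_seen.items()):
        if n > 1:   # assumption: one address per tag per family on an interface
            problems.append(f"{iface}: VLAN tag {tag} used {n} times for IPv{family}")
    return problems


# Constructed sample plan (addresses are documentation ranges, not a real site).
SAMPLE_PLAN = [
    VlanEntry("LAN1", "10.20.30.5", 24, "10.20.30.1", 30),
    VlanEntry("LAN1", "2001:db8:30::5", 64, "fe80::1", 30),      # link-local gateway
    VlanEntry("LAN1", "2001:db8:40::5", 64, "Automatic", 40),
    VlanEntry("LAN2", "10.20.50.5", 24, "Automatic", 4095),      # two problems
]

if __name__ == "__main__":
    for mode in ("dual", "ipv4"):
        print(f"--- member mode: {mode}")
        for p in validate_vlans(SAMPLE_PLAN, mode) or ["no problems"]:
            print(p)
```

Running it on the sample plan reports the out-of-range tag and the IPv4 Automatic gateway on LAN2 in dual mode, and additionally flags both IPv6 entries when the member is IPv4-only.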
...
You can implement DiffServ (Differentiated Services) on the appliance by configuring the DSCP (Differentiated Services Code Point) value. DiffServ is a scalable and class-based mechanism that provides relative priorities to the type of services on your network. It can provide low latency for critical network traffic while providing simple best-effort service for non-critical services. The Infoblox DSCP implementation fully conforms to RFC 2475. For more information about DiffServ, refer to RFC 2475, An Architecture for Differentiated Services.
In IPv4 and IPv6 headers, DiffServ uses the DS (Differentiated Services) field for packet classification purposes. The DS field defines the layout of the ToS (Type of Services) octet in IPv4 and the Traffic Class octet in IPv6. The first six bits of the DS field are used as the DSCP value, which determines the PHBs (per-hop behaviors) on DiffServ compliant nodes and enables priorities of services to be assigned to network traffic. For more information about the DS field, refer to RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.
When you configure the DSCP value for DiffServ, the appliance sets priorities for all outgoing IP traffic. It implements QoS (quality of service) rules so you can effectively classify and manage your critical network traffic. To ensure that core network services, such as DNS services, continue to operate in the event of network traffic congestion, you can set the DSCP value for the entire Grid and override it at the member level. Note that on an appliance, all outgoing IP traffic on all interfaces uses the same DSCP value.
DSCP is supported on both IPv4 and IPv6 transports, and the DSCP value for both IPv4 and IPv6 transports must be the same. This feature is currently supported on the following Infoblox appliances: Trinzic 2215, 2225, Infoblox-4030-10GE, PT-1405, PT-2205, TE-1415, TE-1425, and TE-4015. For information about these appliances, refer to the respective installation guides on the Infoblox Support web site at https://www.infoblox.com/support.
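The DS field layout described above (six high-order bits of the IPv4 ToS octet or the IPv6 Traffic Class octet carry the DSCP value; the two low-order bits are ECN) is easy to check directly from a packet capture, which is how you confirm that the Grid or member DSCP value is really being applied to all outgoing traffic. The following is an added example, not Infoblox code, that reads and rewrites the DSCP in raw IPv4 and IPv6 headers, preserving the ECN bits and recomputing the IPv4 header checksum. The sample headers are constructed inline for the example; the header builders and the DSCP value 46 are choices made here, not values from this document.

```python
"""Read and rewrite the DSCP value in IPv4 (ToS octet) and IPv6 (Traffic Class) headers.

Added example (not Infoblox code). DSCP occupies the six high-order bits of
the DS field; the two low-order bits are ECN and are preserved. IPv4 carries a
header checksum that must be recomputed after the rewrite; IPv6 does not.
"""
import ipaddress
import struct


def dscp_to_ds_byte(dscp, ecn=0):
    """Pack a DSCP value (0-63) and ECN bits (0-3) into the 8-bit DS field."""
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be between 0 and 63")
    if not 0 <= ecn <= 3:
        raise ValueError("ECN must be between 0 and 3")
    return (dscp << 2) | ecn


def ds_byte_to_dscp(ds_byte):
    """Split the DS field into (dscp, ecn)."""
    return ds_byte >> 2, ds_byte & 0x3


def ipv4_header_checksum(header):
    """RFC 791 ones'-complement sum over the header (checksum field zeroed)."""
    total = 0
    for i in range(0, len(header) - 1, 2):
        total += (header[i] << 8) | header[i + 1]
    if len(header) % 2:
        total += header[-1] << 8
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def verify_ipv4_checksum(packet):
    """True if the stored IPv4 header checksum is consistent with the header."""
    ihl = (packet[0] & 0x0F) * 4
    return ipv4_header_checksum(packet[:ihl]) == 0


def read_dscp(packet):
    """Return (ip_version, dscp, ecn) from raw IPv4 or IPv6 header bytes."""
    version = packet[0] >> 4
    if version == 4:
        return (4,) + ds_byte_to_dscp(packet[1])              # ToS octet
    if version == 6:
        first_word = struct.unpack("!I", packet[:4])[0]        # version|traffic class|flow label
        return (6,) + ds_byte_to_dscp((first_word >> 20) & 0xFF)
    raise ValueError("not an IPv4 or IPv6 packet")


def set_dscp(packet, dscp):
    """Return a copy of the packet with DSCP rewritten and ECN bits preserved."""
    p = bytearray(packet)
    version = p[0] >> 4
    if version == 4:
        _, ecn = ds_byte_to_dscp(p[1])
        p[1] = dscp_to_ds_byte(dscp, ecn)
        ihl = (p[0] & 0x0F) * 4
        p[10:12] = b"\x00\x00"                                  # zero, then recompute
        struct.pack_into("!H", p, 10, ipv4_header_checksum(p[:ihl]))
    elif version == 6:
        first_word = struct.unpack("!I", p[:4])[0]
        _, ecn = ds_byte_to_dscp((first_word >> 20) & 0xFF)
        first_word = (first_word & ~(0xFF << 20)) | (dscp_to_ds_byte(dscp, ecn) << 20)
        struct.pack_into("!I", p, 0, first_word)               # no checksum in IPv6
    else:
        raise ValueError("not an IPv4 or IPv6 packet")
    return bytes(p)


def build_ipv4_header(src, dst, dscp=0, protocol=17, payload_len=40):
    """Constructed 20-byte IPv4 header (UDP by default) for the example."""
    hdr = bytearray(struct.pack(
        "!BBHHHBBH4s4s",
        0x45, dscp_to_ds_byte(dscp), 20 + payload_len, 0x1C46, 0x4000, 64, protocol, 0,
        ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed))
    struct.pack_into("!H", hdr, 10, ipv4_header_checksum(hdr))
    return bytes(hdr)


def build_ipv6_header(src, dst, dscp=0, next_header=17, payload_len=40):
    """Constructed 40-byte IPv6 header for the example."""
    first_word = (6 << 28) | (dscp_to_ds_byte(dscp) << 20)
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header, 64,
                       ipaddress.IPv6Address(src).packed, ipaddress.IPv6Address(dst).packed)


# Constructed samples: a DNS-style UDP packet in each address family, DSCP 0.
SAMPLE_IPV4 = build_ipv4_header("10.0.0.5", "10.0.0.53")
SAMPLE_IPV6 = build_ipv6_header("2001:db8::5", "2001:db8::53")

if __name__ == "__main__":
    for pkt in (SAMPLE_IPV4, SAMPLE_IPV6):
        marked = set_dscp(pkt, 46)     # 46 is an arbitrary example value
        print(read_dscp(pkt), "->", read_dscp(marked))
```

The same read_dscp call works on the first bytes of any IP packet pulled from a capture, so a quick sweep over traffic leaving the LAN1, LAN2, MGMT or VIP address will show whether every outgoing packet carries the single DSCP value the appliance is configured with.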
...
This section provides tables that detail the port usage and the source and destination ports for different services, depending on your Grid configuration. It contains the following tables: Appliance Roles and Configuration, Communication Types, and Port Usage; Appliance Roles and Configuration, Communication Types, and Port Usage for Appliances with LAN2 Ports; and Source and Destination Ports for Services.
Appliance Roles and Configuration, Communication Types, and Port Usage
The following table displays the type of traffic per port for both Grid and independent deployments. For a more detailed list of the different types of traffic, see the Sources and Destinations for Services table below.
Appliance Role | HA Pair | HA Status | MGMT Port | Database Synchronization | Core Network Services | Management Services | GUI Access |
---|---|---|---|---|---|---|---|
HA Grid Master | Yes | Active | Disabled | VIP on HA | VIP on HA | LAN1 | VIP on HA |
HA Grid Master | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
Single Grid Master | No | – | Disabled | LAN1 | LAN1 | LAN1 | LAN1 |
HA Grid Member | Yes | Active | Disabled | LAN1 | VIP on HA | LAN1 | – |
HA Grid Member | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
Single Grid Member | No | – | Disabled | LAN1 | LAN1 | LAN1 | – |
Independent HA Pair | Yes | Active | Disabled | VIP on HA | VIP on HA | LAN1 | VIP on HA |
Independent HA Pair | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
Single Independent | No | – | Disabled | – | LAN1 | LAN1 | LAN1 |
HA Grid Master | Yes | Active | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
HA Grid Master | Yes | Passive | Enabled | LAN1 | – | MGMT | – |
Single Grid Master | No | – | Enabled | LAN1 | LAN1 or MGMT | MGMT | MGMT and LAN1/VIP |
HA Grid Member | Yes | Active | Enabled | LAN1 or MGMT | VIP on HA | MGMT | – |
HA Grid Member | Yes | Passive | Enabled | LAN1 or MGMT | – | MGMT | – |
Single Grid Member | No | – | Enabled | LAN1 or MGMT | LAN1 or MGMT | MGMT | – |
Independent HA Pair | Yes | Active | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
Independent HA Pair | Yes | Passive | Enabled | LAN1 | – | MGMT | – |
Single Independent | No | – | Enabled | – | LAN1 or MGMT | MGMT | MGMT |
Reporting Member | No | – | Enabled | LAN1 or MGMT | LAN1 or MGMT | MGMT | MGMT |
Appliance Roles and Configuration, Communication Types, and Port Usage for Appliances with LAN2 Ports
Appliance Role | HA | MGMT Port | LAN2 Port | Database | Core Network Services | Management Services | GUI Access |
---|---|---|---|---|---|---|---|
HA Grid Master | Active | Disabled | Enabled | VIP on HA | VIP on HA | LAN1 or LAN2 | VIP on HA |
HA Grid Master | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
Single Grid Master | – | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | LAN1 |
HA Grid Member | Active | Disabled | Enabled | LAN1 | VIP on HA | LAN1 or LAN2 | – |
HA Grid Member | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
Single Grid Member | – | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | – |
Independent HA Pair | Active | Disabled | Enabled | VIP on HA | VIP on HA | LAN1 or LAN2 | VIP on HA |
Independent HA Pair | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
Single Independent | – | Disabled | Enabled | – | LAN1 and/or LAN2 | LAN1 or LAN2 | LAN1 |
HA Grid Master | Active | Enabled | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
HA Grid Master | Passive | Enabled | Enabled | LAN1 | – | MGMT | – |
Single Grid Master | – | Enabled | Enabled | LAN1 | LAN1, LAN2 | MGMT | MGMT |
HA Grid Member | Active | Enabled | Enabled | LAN1 or MGMT | VIP on HA | MGMT | – |
HA Grid Member | Passive | Enabled | Enabled | LAN1 or MGMT | – | MGMT | – |
Single Grid Member | – | Enabled | Enabled | LAN1 or MGMT | LAN1, LAN2 | MGMT | – |
Independent HA Pair | Active | Enabled | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
Independent HA Pair | Passive | Enabled | Enabled | LAN1 | – | MGMT | – |
Single Independent | – | Enabled | Enabled | – | LAN1, LAN2 | MGMT | MGMT |
Reporting Member | – | Enabled | Enabled | LAN1 or MGMT | LAN1, LAN2 | MGMT | MGMT |
...
Note: The colors in both tables represent a particular type of traffic and correlate with each other.
...
Source and Destination Ports for Services
The following table displays the different type of traffic present on ports.
Service | SRC IP | DST IP | Proto | SRC Port | DST Port | Notes |
---|---|---|---|---|---|---|
Key Exchange (Member Connection) | LAN1 or MGMT on all Grid members (including Grid Master and Grid Master Candidate) | VIP on HA Grid Master, or LAN1 on single Grid Master | 17 UDP | 2114 | 2114 | Initial key exchange for |
Key Exchange (Grid Master Candidate Promotion) | VIP on HA Grid Master, or LAN1 on single Grid Master | LAN1 or MGMT on all Grid members (including Grid Master and Grid Master Candidate) | 17 UDP | 2114 | 2114 | |
Accounting | LAN1 or MGMT on Grid member | VIP on HA Grid Master, or LAN1 on single Grid Master | 17 UDP | 1194 or | 1194 or | Default VPN port 1194 for Grids with new DNSone 3.2 installations and 5002 for Grids upgraded to DNSone 3.2; the port number is configurable Required for Grid |
Network Insight VPN | LAN1 or LAN2 on Probes | LAN1 or LAN2 on Consolidator | UDP | 119421197 | 1194 | All default VPN tunnels for Network Insight |
Discovery | LAN1 or LAN2 on Probes | – | UDP | – | 161 | SNMP |
Discovery | LAN1 or LAN2 on Probes | – | UDP | – | 260 | SNMP - Needed for full discovery of some older Check Point models |
Discovery | LAN1 or LAN2 on Probes | – | ICMP | – | n/a | Ping Sweep |
Discovery | LAN1 or LAN2 on Probes | – | UDP, TCP | – | 53 | DNS |
Discovery | LAN1 or LAN2 on Probes | – | ICMP | – | – | Path Collection, for IPv4 addresses |
Discovery | LAN1 or LAN2 on Probes | – | UDP | – | 33434+1 | Path Collection. Standard traceroute, for IPv6 addresses |
Discovery | LAN1 or LAN2 | – | ICMP, UDP, TCP | – | – | Port scan - all configured by us |
Discovery | LAN1 or LAN2 on Probes | – | UDP | – | 137 | NetBIOS |
Discovery | LAN1 or LAN2 on Probes | – | UDP | – | 40125 | NMAP, UDP Ping, and credential checking |
Discovery | LAN1 or LAN2 | – | TCP | – | 23 | Telnet can be used based on Network Insight configuration for Network Discovery. |
Discovery | LAN1 or LAN2 | – | TCP | – | 22 | SSH can be used based on Network Insight configuration for Network Discovery. |
DHCP | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 68 | 67 | Required for IPv4 DHCP service |
DHCP | LAN1, LAN2 or VIP on NIOS appliance | Client | 17 UDP | 67 | 68 | Required for IPv4 DHCP service |
DHCP | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 546 | 547 | Required for IPv6 DHCP service |
DHCP | LAN1, LAN2 or VIP on NIOS appliance | Client | 17 UDP | 547 | 546 | Required for IPv6 DHCP service |
DHCP Failover | LAN1, LAN2 or VIP on Infoblox DHCP failover peer | LAN1, LAN2 or VIP on Infoblox DHCP failover peer | 6 TCP | 1024 → 65535 | 519 or 647 | Required for DHCP failover |
DHCP Failover | VIP on HA Grid Master or LAN1 or LAN2 on single master | LAN1, LAN2 or VIP on Grid member in a DHCP failover pair | 6 TCP | 1024 -> | 647 or 7911 | Required for DHCP failover. Port 7911 is used by an API for limited control over ISC DHCP server operations. |
DDNS Updates | LAN1, LAN2, or VIP | LAN1, LAN2, or VIP | 17 UDP | 1024 → 65535 | 53 | Required for DHCP to send DNS dynamic updates |
DNS Transfers | LAN1, LAN2, VIP, or MGMT, or client | LAN1, LAN2, VIP, or MGMT | 6 TCP | 53, or | 53 | For DNS zone transfers, large client queries, and for Grid members to communicate with external name servers Required for DNS |
DNS Queries | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 17 UDP | 53, or 1024 → 65535 | 53 | For DNS queries Required for DNS |
DNS Queries | Client | LAN1, LAN2, VIP, or broadcast on NIOS appliance | 6 TCP | 53, or 1024 → 65535 | 53 | For DNS queries Required for DNS |
DNSTAP | NIOS | DNSTAP server | TCP | 6000 | 6000 | |
NTP | NTP client | LAN1, LAN2, VIP, or MGMT | 17 UDP | 1024 -> | 123 | Required if the NIOS appliance is an NTP server |
NTP | NTP client | LAN1, LAN2, VIP, or MGMT | 17 UDP | 1024 -> | 123 | Required if the NIOS appliance is an NTP server. On an HA member, the NTP service runs on the active node. If there is an HA failover, the NTP service is automatically launched after the passive node becomes active and the NTP traffic uses the LAN2, VIP, or MGMT port on one of the nodes from an HA pair, instead of the LAN1 port. During another HA failover, the currently passive node becomes active again and the NTP traffic uses the LAN1 port, and the NTP is back in synchronization. |
RADIUS Authentication | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 – 65535 | 1812 | For proxying RADIUS Authentication-Requests. The default destination port number is 1812, and can be changed to 1024 – 63997. When configuring an HA pair, ensure that you provision both LAN IP addresses on the RADIUS server. |
RADIUS Accounting | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 – 65535 | 1813 | For proxying RADIUS Accounting-Requests. The default destination port number is 1813, and can be changed to 1024 – 63998. |
RADIUS Proxy | LAN1 or VIP | RADIUS home server | 17 UDP | 1814 | 1024 -> | Required to proxy requests from RADIUS clients to servers. The default source port number is 1814, and although it is not configurable, it is always two greater than the port number for RADIUS authentication. |
ICMP Dst Port Unreachable | VIP, LAN1, LAN2, or MGMT, | LAN1, LAN2, or | 1 ICMP | – | – | Required to respond to the UNIX-based traceroute tool to determine if a destination has been reached |
ICMP Echo Reply | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP Type 0 | – | – | Required for response from ICMP echo request (ping) |
ICMP Echo Request | VIP, LAN1, LAN2, or MGMT, | VIP, LAN1, LAN2, or | 1 ICMP | – | – | Required to send pings and respond to the Windows- |
ICMP TTL | Gateway device (router or firewall) | Windows client | 1 ICMP | – | – | Gateway sends an ICMP TTL exceeded message to a Windows client, which then records router hops along a data path |
NTP | LAN1 on active node of Grid Master or LAN1 of independent appliance | NTP server | 17 UDP | 1024 -> | 123 | Required to synchronize Grid, TSIG authentication, and DHCP failover Optional for synchronizing logs among multiple appliances |
SMTP | LAN1, LAN2, or VIP | Mail server | 6 TCP | 1024 → 65535 | 25 | Required if SMTP alerts are enabled |
SNMP | NMS (network management system) server | VIP, LAN1, LAN2, or MGMT | 17 UDP | 1024 → 65535 | 161 | Required for SNMP management |
SNMP Traps | MGMT or LAN1 on Grid Master or HA pair, or LAN1 on independent appliance | NMS server | 17 UDP | 1024 -> 65535 | 162 | Required for SNMP trap management. |
SSHv2 | Client | LAN1, LAN2, VIP, or MGMT on NIOS | 6 TCP | 1024 -> | 22 | Administrators can make an SSHv2 connection to the LAN1, LAN2, VIP, or MGMT port Optional for management |
Syslog | LAN1, LAN2, or MGMT of NIOS appliance | syslog server | 17 UDP | 1024 → 65535 | 514 | Required for remote syslog logging |
Traceroute | LAN1, LAN2, or UNIX-based appliance | VIP, LAN1, LAN2, or MGMT, or client | 17 UDP | 1024 → 65535 | 33000 → 65535 | NIOS appliance responds with ICMP type code 3 (port unreachable) |
TFTP Data | LAN1 or MGMT | TFTP server | 17 UDP | 1024 → 65535 | 69, then 1024 → 63999 | For contacting a TFTP server during database and configuration backup and restore operations |
VRRP | HA IP on the active node of HA pair | Multicast address 224.0.0.18 | 112 | 802 | For periodic announcements of the availability of the HA node that is linked to the VIP. The nodes in the HA pair must be in the same subnet. | |
HTTP | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 -> | 80 | Required if the HTTP-redirect option is set on the Grid properties security page |
HTTPS/SSL | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 → 65535 | 443 | Required for administration through the GUI |
Reporting | Reporting Forwarders | LAN1, LAN2, or MGMT on the indexer | 6 TCP | 1024 - | 9997 | Required for the reporting service. Communication is single directional from forwarders to the indexer. For example, a forwarder detects events and forwards them to the indexer. |
Reporting - Peer Replication | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 7887 | Splunk cluster peer replication (traffic among reporting members) |
Distributed Search | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 7089 | Distributed searches from Search Head to Reporting Members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 8089 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP – IPv4 | 1024 - 65535 | 8000 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP – IPv6 | 1024 - 65535 | 8000 | Grid Master to reporting members |
Threat Protection | VIP on HA Grid Master or MGMT on single appliance (with threat protection service running) | N/A (using FQDN = https://ts.infoblox.com) This URL is configured to work with NIOS appliances. It has a self-signed certificate; it may not work properly with web browsers but works with appliances. | HTTPS | N/A | 443 | For threat protection rule updates. |
Threat Insight | Client | N/A (using FQDN = https://ts.infoblox.com) | HTTPS | N/A | 443 | For downloading module set and whitelist updates. |
Microsoft Management | Managing Member | Microsoft Server | TCP | 1024 - 65535 | 135, 139, 445 Dynamic Port Range 49152-65535 (Windows Server 2008) | Note that TCP ports 135, 139, The SMB protocol uses port 139 for the NETBIOS connection to exchange data with the Microsoft server. |
DNS Forwarding to BloxOne Infoblox Threat Defense Cloud: Cloud Services Portal | NIOS Appliance | BloxOne Infoblox Threat Defense Cloud | TCP | 443 | 443 | csp.infoblox.com |
DNS Forwarding to BloxOne Infoblox Threat Defense Cloud: Platform Management | NIOS Appliance | BloxOne Infoblox Threat Defense Cloud | TCP | 443 | 443 | cp.noa.infoblox.com |
DNS Forwarding to BloxOne Infoblox Threat Defense Cloud: Application Management | NIOS Appliance | BloxOne Infoblox Threat Defense Cloud | TCP | 443 | 443 | app.noa.infoblox.com |
DNS Forwarding to BloxOne Infoblox Threat Defense Cloud: NTP Server (Only if time sync with ESXi is disabled) | NIOS Appliance | BloxOne Infoblox Threat Defense Cloud | UDP | 123 | 123 | ntp.ubuntu.com |
DNS Forwarding to BloxOne Infoblox Threat Defense Cloud: NTP Server (Only if time sync with ESXi is disabled) | NIOS Appliance | BloxOne Infoblox Threat Defense Cloud | UDP | 123 | 123 | ubuntu.pool.ntp.org |
DNS Forwarding to BloxOne Infoblox Threat Defense Cloud: BloxOne Infoblox Threat Defense Cloud DNS server | NIOS Appliance | BloxOne Infoblox Threat Defense Cloud | UDP | 123 | 123 | 52.119.40.100 |
BloxConnect | NIOS Appliance | Infoblox Portal | HTTPS | 1024 → 65535 | 443 | BloxConnect tries to establish a connection with the Infoblox Portal every 5 minutes. |
SAML Authentication service | LAN1 or MGMT on Grid Master | TCP | 8765 | Ports 443 (HTTPS) and 80 (HTTP) |
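The table above is, in effect, the allow-list for a firewall in front of the appliance and for reviewing flow records of traffic to and from it. The following is an added example, not Infoblox code, that turns the table's protocol and destination-port column into two lookup tables (inbound to the appliance, outbound from it) and flags flows that match neither. The allow-list is a flat union of the rows (no per-role trimming, so for example a single independent appliance would never need inbound UDP 2114, and you would remove rows your deployment does not use); the flow-record format "timestamp src dst proto sport dport" and the sample records are constructed for this example and are not an Infoblox log format.

```python
"""Review flow records against the Source and Destination Ports for Services table.

Added example (not Infoblox code). INBOUND/OUTBOUND are a flat union of the
table rows; trim them to the roles you deploy. Flow format is constructed:
"timestamp src dst proto sport dport", with '-' for protocols without ports.
"""
from dataclasses import dataclass
from typing import Optional

# (protocol, destination port) the appliance accepts, from the table's DST Port column.
INBOUND = {
    ("udp", 2114): "Key exchange (member connection)",
    ("udp", 1194): "Grid VPN (default port)",
    ("udp", 5002): "Grid VPN (upgraded-Grid default port)",
    ("udp", 67): "DHCPv4", ("udp", 547): "DHCPv6",
    ("tcp", 519): "DHCP failover", ("tcp", 647): "DHCP failover",
    ("tcp", 7911): "DHCP failover control API",
    ("udp", 53): "DNS queries", ("tcp", 53): "DNS transfers and TCP queries",
    ("udp", 123): "NTP server",
    ("udp", 1812): "RADIUS authentication", ("udp", 1813): "RADIUS accounting",
    ("udp", 161): "SNMP",
    ("tcp", 22): "SSHv2",
    ("tcp", 80): "HTTP redirect", ("tcp", 443): "HTTPS GUI/API",
    ("tcp", 9997): "Reporting forwarders to indexer",
    ("tcp", 7887): "Reporting peer replication", ("tcp", 7089): "Distributed search",
    ("tcp", 8089): "Reporting management", ("tcp", 8000): "Reporting management",
}
# (protocol, destination port) the appliance itself connects to.
OUTBOUND = {
    ("udp", 2114): "Key exchange to Grid Master", ("udp", 1194): "Grid VPN to Grid Master",
    ("udp", 53): "DDNS updates / queries to external name servers",
    ("tcp", 53): "DNS transfers with external name servers",
    ("tcp", 6000): "DNSTAP", ("udp", 123): "NTP client",
    ("tcp", 25): "SMTP alerts", ("udp", 162): "SNMP traps", ("udp", 514): "Remote syslog",
    ("udp", 69): "TFTP backup/restore",
    ("tcp", 443): "Threat protection / BloxConnect / cloud services",
    ("tcp", 135): "Microsoft management", ("tcp", 139): "Microsoft management",
    ("tcp", 445): "Microsoft management",
}
# Protocols in the table that carry no port numbers.
PORTLESS = {"vrrp": "VRRP advertisements (IP protocol 112)", "icmp": "ICMP echo / unreachable"}


@dataclass
class Verdict:
    line: str
    direction: str             # "inbound", "outbound" or "unrelated"
    service: Optional[str]     # matching table row, or None
    expected: bool


def parse_flow(line):
    """Parse one constructed flow record into (src, dst, proto, sport, dport)."""
    _ts, src, dst, proto, sport, dport = line.split()

    def to_port(s):
        return int(s) if s.isdigit() else None

    return src, dst, proto.lower(), to_port(sport), to_port(dport)


def classify(line, appliance_ips):
    """Match a flow against the table, keyed on direction and destination port."""
    src, dst, proto, _sport, dport = parse_flow(line)
    if dst in appliance_ips:
        direction, table = "inbound", INBOUND
    elif src in appliance_ips:
        direction, table = "outbound", OUTBOUND
    else:
        return Verdict(line, "unrelated", None, True)
    if proto in PORTLESS:
        return Verdict(line, direction, PORTLESS[proto], True)
    service = table.get((proto, dport))
    return Verdict(line, direction, service, service is not None)


def review(lines, appliance_ips):
    """Return verdicts for flows that touch the appliance but match no table row."""
    return [v for v in (classify(l, appliance_ips) for l in lines) if not v.expected]


# Constructed sample records; 198.51.100.5 plays the appliance's LAN1 address.
APPLIANCE_IPS = {"198.51.100.5"}
SAMPLE_FLOWS = [
    "2024-05-01T10:00:00Z 192.0.2.10 198.51.100.5 udp 51234 53",     # DNS query in
    "2024-05-01T10:00:01Z 198.51.100.5 203.0.113.7 udp 40001 514",   # syslog out
    "2024-05-01T10:00:02Z 192.0.2.44 198.51.100.5 tcp 52000 443",    # GUI access
    "2024-05-01T10:00:03Z 192.0.2.44 198.51.100.5 tcp 52001 23",     # not in table
    "2024-05-01T10:00:04Z 198.51.100.5 224.0.0.18 vrrp - -",         # VRRP
    "2024-05-01T10:00:05Z 198.51.100.5 192.0.2.99 tcp 45000 3389",   # not in table
    "2024-05-01T10:00:06Z 192.0.2.10 192.0.2.11 tcp 5555 8080",      # unrelated
]

if __name__ == "__main__":
    for v in review(SAMPLE_FLOWS, APPLIANCE_IPS):
        print(f"UNEXPECTED {v.direction}: {v.line}")
```

On the sample records the two flows with no matching row (inbound TCP 23 and outbound TCP 3389) are reported; everything else is either a table entry or does not involve the appliance.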
...
From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member checkbox, and then click the Edit icon.
Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port.
In the Network tab of the Grid Member Properties editor, the Required Ports and Addresses table lists the network settings that were configured. This table lists the network settings of the LAN1(IPv4) interface for an IPv4 member and the LAN1(IPv6) interface for an IPv6 member. For a dual mode Grid member, this table lists the settings for both LAN1(IPv4) and LAN1(IPv6) interfaces. Complete the following to modify port settings:
Interface: Displays the name of the interface. You cannot modify this.
Address: Click the field and modify the IP address for the LAN1 port, which must be in a different subnet from that of the LAN2 and HA ports.
Subnet Mask (IPv4) or Prefix Length (IPv6): For IPv4 address, click the field and specify an appropriate subnet mask and for IPv6 address, specify the prefix length.
Gateway: Click the field and modify the default gateway for the LAN1 port.
VLAN Tag: Click the field and enter the VLAN tag ID if the port is configured for VLANs. You can enter a number from 1 to 4095.
Port Settings: From the drop-down list, choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. Select Automatic to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. This is the default setting. You cannot configure port settings for vNIOS appliances.
DSCP Value: Displays the Grid DSCP value. To modify, click Override and enter the DSCP value. You can enter a value from 0 to 63.
Save the configuration and click Restart if it appears at the top of the screen.
...