Depending on your deployment and configuration choices, the Ethernet ports on the NIOS appliance perform different functions. The Ethernet ports that handle traffic on the NIOS appliance are as follows:
- LAN1 port – A 10/100/1000-Mbps gigabit Ethernet port that connects the appliance to the network. This is the default port for single independent appliances, single Grid members, and passive nodes in HA pairs. You must use the LAN1 port to set up the appliance initially. It handles traffic for all management services if you do not enable the MGMT and LAN2 ports. The passive node in an HA pair uses this port to synchronize the database with the active node.
- LAN2 port – A 10/100/1000-Mbps gigabit Ethernet port that connects the appliance to the network. The LAN2 port is not enabled by default. You can enable the LAN2 port and define its use through the GUI after the initial setup. By default, the appliance uses the LAN1 port (and HA port when deployed in an HA pair). To enable and configure the LAN2 port, you must have read/write permission to the Grid member on which you want to enable the port. The LAN2 port is available on the TE-810, TE-820, TE-1410, TE-1420, TE-2210, TE-2220, and IB-4010 appliances. For information about how to use the LAN2 port, see Using the LAN2 Port.
- HA port – A 10/100/1000-Mbps gigabit Ethernet port through which the active node in an HA (high availability) pair connects to the network using a VIP (virtual IP) address. HA pair nodes also use their HA ports for VRRP (Virtual Router Redundancy Protocol) advertisements.
NIOS 8.1NIOS Administrator Guide (Rev. A)451
Managing Appliance Operations
- MGMT port – A 10/100/1000-Mbps gigabit Ethernet port that you can use for appliance management or DNS service. You can enable the MGMT port and define its use through the GUI after the initial setup. If the MGMT port is enabled, the NIOS appliance uses it for management services (see Table 8.5 for specific types).
You can do the following on some of the Ethernet ports, depending on your network requirements and configurations:
- Assign VLANs (Virtual LANs) to the LAN1 and LAN2 ports so that NIOS can provide DNS service to different subnetworks on the same interface. For more information about VLANs, see About Virtual LANs.
- Implement DiffServ (Differentiated Services) on the appliance by configuring the DSCP (Differentiated Services Code Point) value. For more information about DiffServ and DSCP, see Implementing Quality of Service Using DSCP.
Enabling GUI and API Access on the MGMT and LAN1/VIP Ports
You can access the Infoblox GUI and API through the MGMT and LAN1 or VIP interfaces simultaneously. To do so, you must first configure the MGMT port on the appliance, and then enable the Enable GUI/API Access via both MGMT and LAN1/VIP feature. For information about the MGMT port, see Using the MGMT Port. When you enable this feature, you can use the MGMT and LAN1 ports for standalone appliances and the MGMT and VIP ports for an HA pair. This feature is disabled by default for all new installations and upgrades.
Note: When the Threat Protection service is running on the Advanced Standalone Appliance, GUI and API access is allowed only on the MGMT port.
To enable GUI and API access on the MGMT and LAN1/VIP ports:
- From the Grid tab, select the Grid Manager tab.
- Expand the Toolbar and select Grid Properties -> Edit.
- In the Grid Properties editor, select the General tab -> click the Advanced tab (or click Toggle Advanced Mode) and complete the following:
— Enable GUI/API Access via both MGMT and LAN1/VIP: Select this check box to allow access to the Infoblox GUI and API using both the MGMT and LAN1 ports for standalone appliances and both the MGMT and VIP ports for an HA pair. This feature is valid only if you have enabled the MGMT port. For information about enabling the MGMT port, see Appliance Management.
- Click Save to save the changes.
About Virtual LANs
You can assign VLANs (Virtual Local Area Networks) to the LAN1, LAN2, and VIP (for HA pairs) interfaces so the appliance can provide DNS service to different subnetworks on the same interface. You can also configure VLAN interfaces on supported Network Insight appliances and use them exclusively for discovery purposes. VLANs are independent logical networks that are mutually isolated on the interface so that IP packets can pass between them only through one or more switches or routers. You can assign VLANs to provide segmentation services to address issues such as scalability, security, and network management. For example, you can partition your network into segments such as DHCP address allocation, DNS service, guest network, and DMZ (demilitarized zone) to achieve a higher level of security and to increase performance by limiting broadcast domains. You can also add quality of service schemes to optimize your network traffic on the VLAN trunk links by configuring the DSCP (Differentiated Services Code Point) value for the corresponding physical and virtual interfaces. For information about DSCP, see Implementing Quality of Service Using DSCP.
Note: When you configure VLANs on the following Network Insight appliances: ND-1400, ND-1405, ND-2200, ND-2205, ND-4000, ND-V1400, ND-V1405, ND-V2200, and ND-V2205, the VLAN interfaces are used exclusively for discovery. You cannot bind other services to these VLAN interfaces of the supported Network Insight appliances. For more information about Network Insight, see About Network Insight.
Configuring Ethernet Ports
VLAN Tagging
When your VLANs span multiple networks, VLAN tagging is required. It enables the NIOS appliance to connect to different networks using the same port. VLAN tagging adds a VLAN tag or ID to the header of an IP packet so the appliance can identify the VLAN to which the packet belongs. Switches also use the VLAN tag to determine the ports to which a broadcast packet should be sent. The appliance uses the IEEE 802.1Q networking standard to support VLANs and VLAN tagging. On the appliance, you can configure VLANs as tagged networks by adding VLAN tags to them. You can create up to 10 IPv4 and 10 IPv6 addresses per interface and configure a VLAN ID from 1 to 4094. You can also configure an address, gateway, and netmask for each VLAN. Any IPv4 or IPv6 address with a VLAN ID is considered a tagged network. For HA pairs, the appliance supports only one VLAN interface for VRRP over IPv4 or IPv6. It supports one untagged IPv4 and one untagged IPv6 address for each interface and considers this the primary IP address for the network. For an HA pair, if you have multiple VLANs assigned to a VIP interface, a network failure on any one of the VLAN interfaces does not trigger a failover of the active member.
Untagged networks are those without VLAN tags assigned to them. When you set up a VLAN as either a tagged or untagged network, ensure that you properly configure the corresponding switch for the VLAN to function properly.
Note: A tagged VLAN interface receives only the packets that belong to its tagged network, but an untagged VLAN interface receives all packets belonging to the tagged and untagged networks of the interface.
VLANs and VLAN tagging are supported on both IPv4 and IPv6 transports. This feature is currently supported on the following Infoblox appliances: Trinzic 1410, 1415, 1420, 1425, 2210, 2215, 2220, 2225, Infoblox-4010, Infoblox-4030-Rev1, Infoblox-4030-Rev2, Infoblox-4030-10G, PT-1400, PT-1405, PT-2200, PT-2205, PT-4000, and PT-4000-10GE. VLAN tagging is not supported on TE-100, TE-810, TE-815, TE-820, and TE-825. For more information about VLAN support for an Infoblox-4030 appliance, refer to the DNS Cache Acceleration Application Guide. For information about these appliances, refer to the respective installation guides on the Infoblox Support web site at http://www.infoblox.com/support.
Currently, only the DNS service can listen on specific VLAN interfaces. The DHCP service listens only on the primary VLAN interface (tagged or untagged). However, if the primary VLAN interface is untagged, DHCP will serve all VLANs on that interface because an untagged primary VLAN receives all broadcast packets. You can also specify VLANs as the source port for sending DNS queries and notify messages. For information about how to configure these, see Specifying Port Settings for DNS.
Additional VLAN support is available exclusively for discovery on the following Network Insight appliances: ND-1400, ND-1405, ND-2200, ND-2205, ND-4000, ND-V1400, ND-V1405, ND-V2200, and ND-V2205. Binding other services on the VLAN interfaces of the Network Insight appliances is not supported.
Note: When you join an appliance that supports VLANs to a Grid that does not support VLANs or revert the appliance to a NIOS version that does not support VLANs, the appliance will become unreachable after joining the Grid or being reverted. You must remove VLAN tagging from the corresponding switch in order to reach the downgraded appliance.
Consider the following guidelines when tagging VLANs on the LAN1 and LAN2 ports:
- You can assign VLAN addresses to an interface and add VLAN tags to them. However, you must designate one of the tagged VLANs as a primary address.
- If the primary IPv4 address is tagged with a VLAN ID, all other addresses on the same interface must be tagged with a VLAN ID as well.
- You can use the same VLAN ID to tag only one IPv4 and one IPv6 address on the same interface. You cannot use the same VLAN ID to tag multiple IPv4 and IPv6 addresses on the same interface.
- You can assign one untagged IPv4 and one untagged IPv6 address to the same interface. These addresses are designated as the primary address for the interface.
- For IPv6, you must have a primary IPv6 address (either tagged or untagged) before you can add other tagged IPv6 addresses on the same interface.
- If you have multiple VLANs assigned to the LAN1 interface and the primary VLAN is untagged, DHCP listens on all VLAN interfaces and thus DHCP lease requests will succeed for the additional VLANs assigned to the LAN1 interface, but the request will actually be handled by the primary untagged VLAN interface.
- You can set up the system to define only tagged networks:
— When the VLAN tag is not set, the appliance considers the network an untagged network.
— You can specify a single untagged IPv4 and IPv6 network per interface.
— The primary network can be tagged or untagged, but you must tag the additional VLANs.
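The guidelines above (one primary address per protocol, at most one untagged address and it must be the primary, no VLAN ID reused within a protocol on the same interface, at most 10 addresses per protocol, VLAN IDs from 1 to 4094) are easy to violate once an interface carries many VLANs, and the appliance only tells you at configuration time. The following Python script is an added example, not code from this guide or from Infoblox: it models one interface's address list with a hypothetical `VlanAddress` record and reports every guideline the layout breaks, run here against two constructed sample layouts.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, List, Optional

# Limits stated in the guide: up to 10 VLAN addresses per protocol per interface,
# and VLAN IDs from 1 to 4094.
MAX_ADDRESSES_PER_PROTOCOL = 10
VLAN_ID_MIN, VLAN_ID_MAX = 1, 4094


@dataclass(frozen=True)
class VlanAddress:
    """One address entry on a LAN1 or LAN2 interface (hypothetical model, not a NIOS object)."""
    address: str              # IPv4 or IPv6 address
    vlan_id: Optional[int]    # None means an untagged network
    primary: bool = False     # True for the interface's primary address for that protocol


def validate_interface(entries: List[VlanAddress]) -> List[str]:
    """Check one interface's address list against the guide's VLAN guidelines.

    Returns a list of violations; an empty list means the layout is acceptable.
    """
    errors: List[str] = []
    by_version: Dict[int, List[VlanAddress]] = {4: [], 6: []}
    for entry in entries:
        try:
            by_version[ip_address(entry.address).version].append(entry)
        except ValueError:
            errors.append(f"{entry.address}: not a valid IP address")

    for version, addrs in by_version.items():
        if not addrs:
            continue
        label = f"IPv{version}"

        # Up to 10 addresses per protocol on one interface.
        if len(addrs) > MAX_ADDRESSES_PER_PROTOCOL:
            errors.append(f"{label}: {len(addrs)} addresses exceed the limit of {MAX_ADDRESSES_PER_PROTOCOL}")

        # VLAN IDs must lie in 1..4094.
        for a in addrs:
            if a.vlan_id is not None and not VLAN_ID_MIN <= a.vlan_id <= VLAN_ID_MAX:
                errors.append(f"{label}: VLAN ID {a.vlan_id} on {a.address} is outside {VLAN_ID_MIN}-{VLAN_ID_MAX}")

        # Exactly one primary address per protocol, tagged or untagged.
        primaries = [a for a in addrs if a.primary]
        if len(primaries) != 1:
            errors.append(f"{label}: exactly one primary address is required, found {len(primaries)}")

        # At most one untagged address per protocol, and it is the primary; if the
        # primary is tagged, every other address must be tagged as well.
        untagged = [a for a in addrs if a.vlan_id is None]
        if len(untagged) > 1:
            errors.append(f"{label}: only one untagged address is allowed, found {len(untagged)}")
        for a in untagged:
            if not a.primary:
                errors.append(f"{label}: untagged address {a.address} must be the primary address")

        # A VLAN ID may tag only one IPv4 and one IPv6 address on the same interface.
        for vlan_id, count in Counter(a.vlan_id for a in addrs if a.vlan_id is not None).items():
            if count > 1:
                errors.append(f"{label}: VLAN ID {vlan_id} tags {count} addresses; only one per protocol is allowed")

    return errors


# Constructed sample layouts (not taken from any real deployment).
VALID_LAN1 = [
    VlanAddress("10.10.1.5", None, primary=True),   # untagged IPv4 primary
    VlanAddress("10.10.20.5", 20),                   # tagged IPv4 on VLAN 20
    VlanAddress("fd00:20::5", 20, primary=True),     # the same VLAN ID may tag one IPv6 address
    VlanAddress("fd00:30::5", 30),
]

INVALID_LAN1 = [
    VlanAddress("10.10.10.5", 10, primary=True),     # tagged primary ...
    VlanAddress("10.10.1.5", None),                  # ... so an untagged non-primary address is not allowed
    VlanAddress("10.10.20.5", 20),
    VlanAddress("10.10.21.5", 20),                   # VLAN 20 reused for a second IPv4 address
    VlanAddress("fd00:1::5", 5000, primary=True),    # VLAN ID out of range
]

if __name__ == "__main__":
    for name, layout in (("valid", VALID_LAN1), ("invalid", INVALID_LAN1)):
        problems = validate_interface(layout)
        print(f"{name}: {'ok' if not problems else ''}")
        for p in problems:
            print("  -", p)
```

The checks are deliberately written per protocol, because the guide's rules apply to IPv4 and IPv6 independently on the same interface (a VLAN ID may be reused across the two families but not within one).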
Configuring VLANs
When you first set up a NIOS appliance, you can assign VLANs through the Grid Setup Wizard. For more information, see Using the Setup Wizard. After the initial setup, you can assign VLANs to the LAN1 or LAN2 ports in the Required Ports and Addresses table, as described in Modifying Ethernet Port Settings.
On a Grid member, you can assign up to 10 VLANs for each protocol (IPv4 or IPv6) on the LAN1 and LAN2 ports. You can assign up to 10 IPv4 VLAN addresses and 10 IPv6 VLAN addresses for each interface. You can configure only IPv4 VLAN addresses for an IPv4 Grid member and only IPv6 VLAN addresses for an IPv6 Grid member, but for a dual mode Grid member you can configure both IPv4 and IPv6 VLAN addresses.
To assign additional VLANs to the LAN1 or LAN2 port, complete the following:
- From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and then click the Edit icon.
- Select the Network -> Basic tab in the Grid Member Properties editor.
- In the Additional Ports and Addresses table, click the Add icon and select either MGMT (IPv4), MGMT (IPv6), LAN2 (IPv4), LAN2 (IPv6), Additional Address (loopback) (IPv4), Additional Address (loopback) (IPv6), LAN1 (VLAN)(IPv4), LAN1 (VLAN)(IPv6), LAN2 (VLAN)(IPv4) or LAN2 (VLAN)(IPv6) from the drop-down list. You can add up to 10 IPv4 and 10 IPv6 VLANs for each interface. Note that you can configure only IPv4 VLAN addresses for an IPv4 Grid member and only IPv6 VLAN addresses for an IPv6 Grid member, but for a dual mode Grid member you can configure both IPv4 and IPv6 VLAN addresses.
- MGMT (IPv4): Select this to configure an IPv4 address for the MGMT port. Note that the Infoblox-4030 appliance supports a /32 configuration for IPv4 on MGMT and supports multi-interface only when both LAN1 and MGMT are on the same subnet.
- MGMT (IPv6): Select this to configure an IPv6 address for the MGMT port. Note that the Infoblox-4030 appliance supports a /128 prefix configuration for IPv6 on MGMT and supports multi-interface only when both LAN1 and MGMT are on the same subnet.
- LAN2 (IPv4): Select this to configure an IPv4 address for the LAN2 port for DHCP or DNS. Note that the Infoblox-4030 appliance supports a /32 configuration for IPv4 on LAN2 and supports multi-interface only when both LAN1 and LAN2 are on the same subnet. This is not applicable to the Trinzic 100 appliance.
- LAN2 (IPv6): Select this to configure an IPv6 address for the LAN2 port for DHCP or DNS. Note that the Infoblox-4030 appliance supports a /128 prefix configuration for IPv6 on LAN2 and supports multi-interface only when both LAN1 and LAN2 are on the same subnet. This is not applicable to the Trinzic 100 appliance.
- Additional Address (loopback) (IPv4): Select this to add a non-anycast IPv4 address to the loopback interface. Note that you can configure this for IPv4 and dual mode Grid member.
- Additional Address (loopback) (IPv6): Select this to add a non-anycast IPv6 address to the loopback interface. Note that you can configure this for IPv6 and dual mode Grid member.
- LAN1 (VLAN) (IPv4): Select this to add a VLAN to the LAN1 interface. You can add up to 10 IPv4 VLAN addresses. Note that you can configure this for IPv4 and dual mode Grid member. This is supported on Trinzic 2210, 2215, 2220, 2225, Infoblox-1410, Infoblox-4010, Infoblox-4030-Rev1, Infoblox-4030-Rev2, Infoblox-4030-10G, PT-1400, PT-1405, PT-2200, PT-2205, PT-4000, and PT-4000-10GE appliances. VLAN tagging is not supported on TE-100, TE-810, TE-815, TE-820, TE-825, and vNIOS virtual appliances.
- LAN1 (VLAN) (IPv6): Select this to add a VLAN to the LAN1 interface. You can add up to 10 IPv4 and 10 IPv6 VLAN addresses. Note that you can configure this for IPv6 and dual mode Grid member. This is supported on Trinzic 2210, 2215, 2220, 2225, Infoblox-1410, Infoblox-4010, Infoblox-4030-Rev1, Infoblox-4030-Rev2, Infoblox-4030-10G, PT-1400, PT-1405, PT-2200, PT-2205, PT-4000, and PT-4000-10GE appliances.
- LAN2 (VLAN) (IPv4): Select this to add a VLAN to the LAN2 interface. You can add up to 10 IPv4 VLAN addresses. Note that you can configure this for IPv4 and dual mode Grid member. This is supported on Trinzic 2210, 2215, 2220, 2225, Infoblox-1410, Infoblox-4010, Infoblox-4030-Rev1, Infoblox-4030-Rev2, Infoblox-4030-10G, PT-1400, PT-1405, PT-2200, PT-2205, PT-4000, and PT-4000-10GE appliances.
- LAN2 (VLAN) (IPv6): Select this to add a VLAN to the LAN2 interface. You can add up to 10 IPv6 VLAN addresses. Note that you can configure this for IPv6 and dual mode Grid member. This is supported on Trinzic 2210, 2215, 2220, 2225, Infoblox-1410, Infoblox-4010, Infoblox-4030-Rev1, Infoblox-4030-Rev2, Infoblox-4030-10G, PT-1400, PT-1405, PT-2200, PT-2205, PT-4000, and PT-4000-10GE appliances.
- Enter the following:
- Interface: Displays the name of the VLAN interface. This can be LAN1 (VLAN)(IPv4), LAN1 (VLAN)(IPv6), LAN2 (VLAN)(IPv4), or LAN2 (VLAN)(IPv6) depending on your selection. You cannot modify this.
- Address: Type the IP address for the VLAN port.
- Subnet Mask (IPv4) or Prefix Length (IPv6): For IPv4 address, specify an appropriate subnet mask and for IPv6 address, specify the prefix length. The prefix length ranges from 2 to 127, with common-sense values ranging from /48 to /127 due to the larger number of bits in the IPv6 address.
- Gateway: Type the IPv4 or IPv6 default gateway address for the VLAN port, depending on the type of interface. For an IPv6 interface, you can also type Automatic to enable the appliance to acquire the IPv6 address of the default gateway and the link MTU from router advertisements.
You can now define a link-local address as the default IPv6 gateway and isolate the LAN segment so the local router can provide global addressing and access to the network and Internet. This is supported for both LAN1 and LAN2 interfaces as well as LAN1 and LAN2 in the failover mode.
- VLAN Tag: Enter the VLAN tag or ID. You can enter a number from 1 to 4094. Ensure that you configure the corresponding switch accordingly. For information about VLANs, see About Virtual LANs.
- Port Settings: For IPv4 only. From the drop-down list, choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. Select Automatic to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. This is the default setting. You cannot configure port settings for vNIOS appliances.
- DSCP Value: Displays the Grid DSCP value, if configured. To modify, click Override and enter the DSCP value. You can enter a value from 0 to 63. For information about DSCP, see Implementing Quality of Service Using DSCP.
- Save the configuration and click Restart if it appears at the top of the screen.
Implementing Quality of Service Using DSCP
You can implement DiffServ (Differentiated Services) on the appliance by configuring the DSCP (Differentiated Services Code Point) value. DiffServ is a scalable, class-based mechanism that assigns relative priorities to the types of service on your network. It can provide low latency for critical network traffic while providing simple best-effort service for non-critical services. The Infoblox DSCP implementation fully conforms to RFC 2475. For more information about DiffServ, refer to RFC 2475, An Architecture for Differentiated Services.
In IPv4 and IPv6 headers, DiffServ uses the DS (Differentiated Services) field for packet classification. The DS field defines the layout of the ToS (Type of Service) octet in IPv4 and the Traffic Class octet in IPv6. The first six bits of the DS field are used as the DSCP value, which determines the PHBs (per-hop behaviors) on DiffServ-compliant nodes and enables priorities of service to be assigned to network traffic. For more information about the DS field, refer to RFC 2474, Definition of the Differentiated Services Field (DS Field) in the IPv4 and IPv6 Headers.
When you configure the DSCP value for DiffServ, the appliance sets priorities for all outgoing IP traffic. It implements QoS (quality of service) rules so you can effectively classify and manage your critical network traffic. To ensure that core network services, such as DNS services, continue to operate in the event of network traffic congestion, you can set the DSCP value for the entire Grid and override it at the member level. Note that on an appliance, all outgoing IP traffic on all interfaces uses the same DSCP value.
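As an added illustration, not part of this guide or of the Infoblox implementation, the following Python code builds and parses the DS field exactly as described above: the DSCP occupies the six high-order bits of the IPv4 ToS octet or the IPv6 Traffic Class field, and the remaining two bits carry ECN. The helper functions (`ds_octet`, `build_ipv4_header`, `build_ipv6_header`, `dscp_of_packet`, `find_dscp_mismatches`) and the sample packets are constructed for the example. The last function is the check an operator can run on a capture taken from the appliance: because all outgoing traffic on all interfaces carries one DSCP value, any other code point seen with the appliance as source points to a misconfigured override or to traffic that did not originate on the appliance.

```python
import struct
from ipaddress import IPv4Address, IPv6Address
from typing import List, Tuple

DSCP_MAX = 63  # six bits, matching the 0-63 range in the guide


def ds_octet(dscp: int, ecn: int = 0) -> int:
    """Assemble the DS field: DSCP in the six high-order bits, ECN in the two low-order bits."""
    if not 0 <= dscp <= DSCP_MAX:
        raise ValueError(f"DSCP must be 0-{DSCP_MAX}, got {dscp}")
    if not 0 <= ecn <= 3:
        raise ValueError(f"ECN must be 0-3, got {ecn}")
    return (dscp << 2) | ecn


def split_ds_octet(octet: int) -> Tuple[int, int]:
    """Return (dscp, ecn) from a DS octet."""
    return octet >> 2, octet & 0x3


def phb_name(dscp: int) -> str:
    """Name the standard per-hop behaviour selected by a code point (RFC 2474/2597/3246 values)."""
    if dscp == 46:
        return "EF"
    selector, drop = divmod(dscp, 8)
    if drop == 0:
        return f"CS{selector}"
    if 1 <= selector <= 4 and drop in (2, 4, 6):
        return f"AF{selector}{drop // 2}"
    return "unassigned"


def build_ipv4_header(src: str, dst: str, dscp: int, protocol: int = 17, payload_len: int = 0) -> bytes:
    """Minimal 20-byte IPv4 header (no options; checksum left at zero) carrying the given DSCP."""
    return struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                       # version 4, IHL 5
        ds_octet(dscp),             # the former ToS octet, now the DS field
        20 + payload_len, 0, 0,     # total length, identification, flags/fragment offset
        64, protocol, 0,            # TTL, protocol, header checksum (not computed here)
        IPv4Address(src).packed, IPv4Address(dst).packed,
    )


def build_ipv6_header(src: str, dst: str, dscp: int, next_header: int = 17, payload_len: int = 0) -> bytes:
    """Minimal 40-byte IPv6 header; the DS field is the Traffic Class, bits 4-11 of the first word."""
    first_word = (6 << 28) | (ds_octet(dscp) << 20)   # flow label left at zero
    return struct.pack("!IHBB16s16s", first_word, payload_len, next_header, 64,
                       IPv6Address(src).packed, IPv6Address(dst).packed)


def dscp_of_packet(packet: bytes) -> int:
    """Extract the DSCP from the start of a raw IPv4 or IPv6 packet."""
    version = packet[0] >> 4
    if version == 4:
        return split_ds_octet(packet[1])[0]
    if version == 6:
        first_word = struct.unpack("!I", packet[:4])[0]
        traffic_class = (first_word >> 20) & 0xFF
        return split_ds_octet(traffic_class)[0]
    raise ValueError(f"unsupported IP version {version}")


def find_dscp_mismatches(packets: List[bytes], expected_dscp: int) -> List[int]:
    """Return the DSCP values of packets that do not carry the expected code point.

    All outgoing traffic from the appliance uses one DSCP value, so a capture of
    appliance-originated packets should yield an empty list here.
    """
    return [d for d in map(dscp_of_packet, packets) if d != expected_dscp]


# Constructed sample capture: one IPv4 and one IPv6 packet marked EF (46), and one IPv6
# packet left at the default DSCP of 0.
SAMPLE_PACKETS = [
    build_ipv4_header("192.0.2.10", "192.0.2.53", 46),
    build_ipv6_header("2001:db8::10", "2001:db8::53", 46),
    build_ipv6_header("2001:db8::10", "2001:db8::123", 0),
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        d = dscp_of_packet(pkt)
        print(f"IPv{pkt[0] >> 4} packet: DSCP {d} ({phb_name(d)})")
    print("mismatches against DSCP 46:", find_dscp_mismatches(SAMPLE_PACKETS, 46))
```

Note that `ds_octet` rejects anything outside 0-63 rather than silently masking it; a value of 64 or more would otherwise overflow into the version/IHL byte in IPv4 or into the version nibble in IPv6.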
DSCP is supported on both IPv4 and IPv6 transports and the DSCP value for both IPv4 and IPv6 transports must be the same. This feature is currently supported on the following Infoblox appliances: Trinzic 2210, 2215, 2220, 2225, Infoblox-4010, Infoblox-4030, Infoblox-4030-10GE, PT-1400, PT-1405, PT-2200, PT-2205, PT-4000, and PT-4000-10GE. For information about these appliances, refer to the respective installation guides on the Infoblox Support web site at http://www.infoblox.com/support.
Note: You can set the DSCP value of the primary LAN using the set network CLI command. For information about the CLI command, refer to the Infoblox CLI Guide. DSCP values for all other interfaces and VLANs must be set through Grid Manager.
Configuring the DSCP Value
The DSCP value is set to zero (lowest priority) by default. You can change this value for the Grid and override the value at the member level. When you configure the DSCP value at the Grid or member level, all outgoing IP traffic on all interfaces uses the same value. Valid DSCP values are from 0 to 63. You can also set the DSCP value using the Infoblox CLI. For more information, refer to the Infoblox CLI Guide.
To configure the DSCP value for the Grid:
- From the Grid tab -> Grid Manager tab, click Grid Properties -> Edit from the toolbar.
- In the General -> Advanced tab of the Grid Properties editor, complete the following:
— DSCP Value: Enter a value from 0 to 63. The default is 0 and it represents the lowest priority.
- Save the configuration.
To override the DSCP value for a member:
- From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and then click the Edit icon.
- In the Network tab -> Basic tab of the Grid Member Properties editor, complete the following:
— DSCP Value: Click Override, and then enter a value from 0 to 63. The default is 0 and it represents the lowest priority.
- Save the configuration.
You can override the Grid and member DSCP value at the interface level. For more information, see the following:
- For the LAN1 port, see Modifying Ethernet Port Settings.
- For the LAN2 port, see Configuring the LAN2 Port.
- For the MGMT port, see Using the MGMT Port.
Ethernet Port Usage
This section provides tables that detail the port usage and source and destination ports for different services, depending on your Grid configuration.
Table 8.3 displays the type of traffic per port for both Grid and independent deployments. For a more detailed list of the different types of traffic, see Table 8.5.
Table 8.3 Appliance Roles and Configuration, Communication Types, and Port Usage
| Appliance Role | HA | Node | MGMT Port | Database Synchronization | Core Network Services | Management Services | GUI |
|---|---|---|---|---|---|---|---|
| HA Grid Master | Yes | Active | Disabled | VIP on HA | VIP on HA | LAN1 | VIP on HA |
| HA Grid Master | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
| Single Grid Master | No | – | Disabled | LAN1 | LAN1 | LAN1 | LAN1 |
| HA Grid Member | Yes | Active | Disabled | LAN1 | VIP on HA | LAN1 | – |
| HA Grid Member | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
| Single Grid Member | No | – | Disabled | LAN1 | LAN1 | LAN1 | – |
| Independent HA Pair | Yes | Active | Disabled | VIP on HA | VIP on HA | LAN1 | VIP on HA |
| Independent HA Pair | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
| Single Independent | No | – | Disabled | – | LAN1 | LAN1 | LAN1 |
| HA Grid Master | Yes | Active | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
| HA Grid Master | Yes | Passive | Enabled | LAN1 | – | MGMT | – |
| Single Grid Master | No | – | Enabled | LAN1 | LAN1 or MGMT | MGMT | MGMT and LAN1/VIP |
| HA Grid Member | Yes | Active | Enabled | LAN1 or MGMT | VIP on HA | MGMT | – |
| HA Grid Member | Yes | Passive | Enabled | LAN1 or MGMT | – | MGMT | – |
| Single Grid Member | No | – | Enabled | LAN1 or MGMT | LAN1 or MGMT | MGMT | – |
| Independent HA Pair | Yes | Active | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
| Independent HA Pair | Yes | Passive | Enabled | LAN1 | – | MGMT | – |
| Single Independent | No | – | Enabled | – | LAN1 or MGMT | MGMT | MGMT |
| Reporting Member | No | – | Enabled | LAN1 or MGMT | LAN1 or MGMT | MGMT | MGMT |
Table 8.4 Appliance Roles and Configuration, Communication Types, and Port Usage for Appliances with LAN2 Ports
| Appliance Role | Node | MGMT Port | LAN2 Port | Database Synchronization | Core Network Services | Management Services | GUI |
|---|---|---|---|---|---|---|---|
| HA Grid Master | Active | Disabled | Enabled | VIP on HA | VIP on HA | LAN1 or LAN2 | VIP on HA |
| HA Grid Master | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
| Single Grid Master | – | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | LAN1 |
| HA Grid Member | Active | Disabled | Enabled | LAN1 | VIP on HA | LAN1 or LAN2 | – |
| HA Grid Member | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
| Single Grid Member | – | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | – |
| Independent HA Pair | Active | Disabled | Enabled | VIP on HA | VIP on HA | LAN1 or LAN2 | VIP on HA |
| Independent HA Pair | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
| Single Independent | – | Disabled | Enabled | – | LAN1 and/or LAN2 | LAN1 or LAN2 | LAN1 |
| HA Grid Master | Active | Enabled | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
| HA Grid Master | Passive | Enabled | Enabled | LAN1 | – | MGMT | – |
| Single Grid Master | – | Enabled | Enabled | LAN1 | LAN1, LAN2 | MGMT | MGMT |
| HA Grid Member | Active | Enabled | Enabled | LAN1 or MGMT | VIP on HA | MGMT | – |
| HA Grid Member | Passive | Enabled | Enabled | LAN1 or MGMT | – | MGMT | – |
| Single Grid Member | – | Enabled | Enabled | LAN1 or MGMT | LAN1, LAN2 | MGMT | – |
| Independent HA Pair | Active | Enabled | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
| Independent HA Pair | Passive | Enabled | Enabled | LAN1 | – | MGMT | – |
| Single Independent | – | Enabled | Enabled | – | LAN1, LAN2 | MGMT | MGMT |
| Reporting Member | – | Enabled | Enabled | LAN1 or MGMT | LAN1, LAN2, | MGMT | MGMT |
To see the service port numbers and the source and destination locations for traffic that can go to and from a NIOS appliance, see Table 8.5. This information is particularly useful for firewall administrators so that they can set policies to allow traffic to pass through the firewall as required.
Note: The colors in both tables represent a particular type of traffic and correlate with each other.
Table 8.5 Sources and Destinations for Services
ServiceSRC IPDST IP*Proto*LAN1 or MGMT
on all Grid members (including Grid Master and Grid Master Candidate)VIP on HA Grid
Master, or LAN1 on single Grid Master17 UDP*SRC*
Port
2114*DST* *Port Notes*Key Exchange
(Member Connection)2114Initial key exchange for
establishing VPN tunnels
Required for GridVIP on HA Grid
VIP on HA Grid Master Candidate, Master or LAN1 on single Candidate, orGrid Master
LAN1 on single Candidate Grid Master
Candidate
458NIOS Administrator Guide (Rev. A)NIOS 8.1
Configuring Ethernet Ports
Service |
SRC IP |
DST IP |
Proto |
SRC |
DST Port Notes |
|
Key Exchange (Grid Master Candidate Promotion) |
VIP on HA Grid Master, or LAN1 on single Grid Master |
LAN1 or MGMT on all Grid members (including Grid Master and Grid Master Candidate) |
17 UDP |
2114 |
2114 |
|
VPN |
LAN1 or MGMT |
VIP on HA Grid |
17 UDP |
1194 or |
1194 or |
Default VPN port 1194 |
|
on Grid |
Master, or LAN1 on |
|
5002, |
5002, or |
for Grids with new |
|
member |
single Grid Master |
|
or 1024 |
1024 -> |
DNSone 3.2 |
|
|
VIP on HA Grid Master Candidate, or LAN1 on single Grid Master |
|
-> 63999 |
63999 |
installations and 5002 for Grids upgraded to DNSone 3.2; the port number is configurable |
|
|
Candidate |
|
|
|
Required for Grid |
Network |
LAN1 or LAN2 |
LAN1 or LAN2 on |
UDP |
1194 |
1194 |
All default VPN tunnels |
Insight VPN |
on Probes |
Consolidator |
|
|
|
for Network Insight |
Discovery |
LAN1 or LAN2 |
|
UDP |
|
161 |
SNMP |
|
on Probes |
|
|
|
|
|
Discovery |
LAN1 or LAN2 |
|
UDP |
|
260 |
SNMP - Needed for full discovery of some older Check Point models |
Discovery |
LAN1 or LAN2 |
|
ICMP |
|
n/a |
Ping Sweep |
|
on Probes |
|
|
|
|
|
Discovery |
LAN1 or LAN2 |
|
UDP, |
|
53 |
DNS |
|
on Probes |
|
TCP |
|
|
|
Discovery |
LAN1 or LAN2 |
|
ICMP |
|
|
Path Collection, for IPv4 |
|
on Probes |
|
|
|
|
addresses |
Discovery |
LAN1 or LAN2 |
|
UDP |
|
33434+1 |
Path Collection. Standard traceroute, for IPv6 addresses |
Discovery |
LAN1 or LAN2 |
|
ICMP, UDP, TCP |
|
|
Port scan - all configured by user |
Discovery |
LAN1 or LAN2 |
|
UDP |
|
137 |
NetBIOS |
|
on Probes |
|
|
|
|
|
Discovery |
LAN1 or LAN2 |
|
UDP |
|
40125 |
NMAP, UDP Ping, and |
|
on Probes |
|
|
|
|
credential checking |
NIOS 8.1NIOS Administrator Guide (Rev. A)459
Managing Appliance Operations
Service |
SRC IP |
DST IP |
Proto |
SRC |
DST Port Notes |
|
Discovery |
LAN1 or LAN2 |
|
TCP |
|
23 |
Telnet can be used based on Network Insight configuration for Network Discovery. |
Discovery |
LAN1 or LAN2 |
|
TCP |
|
22 |
SSH can be used based on Network Insight configuration for Network Discovery. |
DHCP |
Client |
LAN1, LAN2, VIP, or |
17 UDP |
68 |
67 |
Required for IPv4 DHCP |
|
|
broadcast on NIOS |
|
|
|
service |
|
|
appliance |
|
|
|
|
DHCP |
LAN1, LAN2 or |
Client |
17 UDP |
67 |
68 |
Required for IPv4 DHCP |
|
VIP on NIOS |
|
|
|
|
service |
|
appliance |
|
|
|
|
|
DHCP |
Client |
LAN1, LAN2, VIP, or |
17 UDP |
546 |
547 |
Required for IPv6 DHCP |
|
|
broadcast on NIOS |
|
|
|
service |
|
|
appliance |
|
|
|
|
DHCP |
LAN1, LAN2 or |
Client |
17 UDP |
547 |
546 |
Required for IPv6 DHCP |
|
VIP on NIOS |
|
|
|
|
service |
|
appliance |
|
|
|
|
|
DHCP Failover |
LAN1, LAN2 or |
LAN1, LAN2 or VIP |
6 TCP |
1024 -> |
519, or |
Required for DHCP |
|
VIP on Infoblox |
on Infoblox DHCP |
|
65535 |
647 |
failover |
|
DHCP failover |
failover peer |
|
|
|
|
|
peer |
|
|
|
|
|
DHCP Failover |
VIP on HA Grid Master or LAN1 or LAN2 on single master |
LAN1, LAN2 or VIP |
6 TCP |
1024 -> |
7911 |
Informs functioning Grid member in a DHCP failover pair that its partner is down |
DDNS |
LAN1, LAN2, or |
LAN1, LAN2, or VIP |
17 UDP |
1024 -> |
53 |
Required for DHCP to |
Updates |
VIP |
|
|
65535 |
|
send DNS dynamic |
|
|
|
|
|
|
updates |
DNS Transfers |
LAN1, LAN2, |
LAN1, LAN2, VIP, or MGMT |
6 TCP |
53, or |
53 |
For DNS zone transfers, large client queries, and for Grid members to communicate with external name servers |
DNS Queries |
Client |
LAN1, LAN2, VIP, or |
17 UDP |
53, or |
53 |
For DNS queries |
|
|
broadcast on NIOS |
|
1024 -> |
|
Required for DNS |
|
|
appliance |
|
65535 |
|
|
DNS Queries |
Client |
LAN1, LAN2, VIP, or |
6 TCP |
53, or |
53 |
For DNS queries |
|
|
broadcast on NIOS |
|
1024 -> |
|
Required for DNS |
|
|
appliance |
|
65535 |
|
|
460NIOS Administrator Guide (Rev. A)NIOS 8.1
Configuring Ethernet Ports
Service |
SRC IP |
DST IP |
Proto |
SRC |
DST Port |
Notes |
NTP |
NTP client |
LAN1, LAN2, VIP, or MGMT |
17 UDP |
1024 -> |
123 |
Required if the NIOS appliance is an NTP server |
NTP |
NTP client |
LAN1, LAN2, VIP, or MGMT |
17 UDP |
1024 -> |
123 |
Required if the NIOS appliance is an NTP server. On an HA member, the NTP service runs on the active node. If there is an HA failover, the NTP service is automatically launched after the passive node becomes active and the NTP traffic uses the LAN2, VIP, or MGMT port on one of the nodes from an HA pair, instead of the LAN1 port. During another HA failover, the currently passive node becomes active again and the NTP traffic uses the LAN1 port, and the NTP is back in synchronization. |
RADIUS |
NAS (network |
LAN1 or VIP |
17 UDP |
1024 – |
1812 |
For proxying RADIUS |
Authenti- |
access server) |
65535 |
|
|
|
Authentication-Reques |
cation |
|
|
|
|
|
ts. The default |
|
|
|
|
|
|
destination port |
|
|
|
|
|
|
number is 1812, and |
|
|
|
|
|
|
can be changed to |
|
|
|
|
|
|
1024 – 63997. When |
|
|
|
|
|
|
configuring an HA pair, |
|
|
|
|
|
|
ensure that you |
|
|
|
|
|
|
provision both LAN IP |
|
|
|
|
|
|
addresses on the |
|
|
|
|
|
|
RADIUS server. |
RADIUS |
NAS (network |
LAN1 or VIP |
17 UDP |
1024 – |
1813 |
For proxying RADIUS |
Accounting |
access server) |
65535 |
|
|
|
Accounting-Requests. |
|
|
|
|
|
|
The default destination |
|
|
|
|
|
|
port number is 1813, |
|
|
|
|
|
|
and can be changed to |
|
|
|
|
|
|
1024 – 63998. |
RADIUS Proxy | LAN1 or VIP | RADIUS home server | 17 UDP | 1814 | 1024 -> 65535 | Required to proxy requests from RADIUS clients to servers. The default source port number is 1814, and although it is not configurable, it is always two greater than the port number for RADIUS authentication. |
ICMP Dst Port Unreachable | VIP, LAN1, LAN2, or MGMT, | LAN1, LAN2, or | 1 ICMP | – | – | Required to respond to the UNIX-based traceroute tool to determine if a destination has been reached |
ICMP Echo Reply | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP Type 0 | – | – | Required for response from ICMP echo request (ping) |
ICMP Echo Request | VIP, LAN1, LAN2, or MGMT, | VIP, LAN1, LAN2, or | 1 ICMP | – | – | Required to send pings and respond to the Windows- |
ICMP TTL | Gateway device (router or firewall) | Windows client | 1 ICMP | – | – | Gateway sends an ICMP TTL exceeded message to a Windows client, which then records router hops along a data path |
NTP | LAN1 on active node of Grid Master or LAN1 of independent appliance | NTP server | 17 UDP | 1024 -> 65535 | 123 | Required to synchronize Grid, TSIG authentication, and DHCP failover |
SMTP | LAN1, LAN2, or VIP | Mail server | 6 TCP | 1024 -> 65535 | 25 | Required if SMTP alerts are enabled |
SNMP | NMS (network management system) server | VIP, LAN1, LAN2, or MGMT | 17 UDP | 1024 -> 65535 | 161 | Required for SNMP management |
SNMP Traps | MGMT or LAN1 | NMS server | 17 UDP | 1024 -> 65535 | 162 | Required for SNMP trap management. |
SSHv2 | Client | LAN1, LAN2, VIP, or MGMT on NIOS | 6 TCP | 1024 -> 65535 | 22 | Administrators can make an SSHv2 connection to the LAN1, LAN2, VIP, or MGMT port. |
Syslog | LAN1, LAN2, or MGMT of NIOS appliance | syslog server | 17 UDP | 1024 -> 65535 | 514 | Required for remote syslog logging |
Traceroute | LAN1, LAN2, or UNIX-based appliance | VIP, LAN1, LAN2, or MGMT, or client | 17 UDP | 1024 -> 65535 | 33000 -> 65535 | NIOS appliance responds with ICMP type code 3 (port unreachable) |
TFTP Data | LAN1 or MGMT | TFTP server | 17 UDP | 1024 -> 65535 | 69, then 1024 -> 63999 | For contacting a TFTP server during database and configuration backup and restore operations |
VRRP | HA IP on the active node of HA pair | Multicast address 224.0.0.18 | 112 VRRP | 802 | | For periodic announcements of the availability of the HA node that is linked to the VIP. The nodes in the HA pair must be in the same subnet. |
HTTP | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 -> 65535 | 80 | Required if the |
HTTPS/SSL | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 -> 65535 | 443 | Required for administration through the GUI |
Reporting | Reporting Forwarders | LAN1, LAN2, or | 6 TCP | 1024 - 65535 | 9997 | Required for the reporting service. Communication is single directional from forwarders to the indexer. For example, a forwarder detects events and forwards them to the indexer. |
Reporting - Peer Replication | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 7887 | Splunk cluster peer replication (traffic among reporting members) |
Distributed Search | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 7089 | Distributed searches from Search Head to Reporting Members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP | 1024 - 65535 | 8089 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP – IPv4 | 1024 - 65535 | 8000 | Grid Master to reporting members |
Reporting Management | All Reporting Members | LAN1, LAN2, MGMT on each reporting member | TCP – IPv6 | 1024 - 65535 | 8000 | Grid Master to reporting members |
Threat Protection | VIP on HA Grid Master or MGMT on single appliance (with threat protection service running) | N/A (using FQDN = …m) | HTTPS | N/A | 443 | For threat protection rule updates. |
Threat Insight | Client | N/A (using FQDN = …m) | HTTPS | N/A | 443 | For downloading module set and whitelist updates. |
Reporting and Threat Protection | MGMT (with threat protection service running) | Access www.threatstop.com (64.87.26.148) | HTTPS | N/A | 443 | Required to access www.threatstop.com (http://www.threatstop.com/) to display threat details when generating reports and to export searches. |
Microsoft Management | Managing Member | Microsoft Server | TCP | 1024 - 65535 | 135, 445; Dynamic Port Range 1025-5000 (Windows Server 2003); Dynamic Port Range 49152-65535 (Windows Server 2008) | Note that TCP ports 135 and 445 must be open on the Microsoft server, in addition to the dynamic port range. |
Port 135 is used by the RPC endpoint mapper, a service on the Microsoft server that tells clients which dynamic port to use to connect to a specific RPC service, such as the one that allows management of the DNS service; port 445 carries SMB, over which RPC traffic to the server's named pipes is transported. A firewall that opens only 135 and 445 without the dynamic range will therefore break management of the Microsoft server.
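The table above is the input a firewall or segmentation policy for the appliance should be derived from: every row is an allow rule, and everything else is default-deny. As an added example (not Infoblox code and not part of this guide), the following Python script encodes a subset of the rows as an inbound allowlist, audits a set of constructed flow records against it, and emits an equivalent nftables input chain. The ports and protocols come from the table; the addresses, the peer role names, the appliance IP and the flow records are assumptions made for the example. The grid_master_lan1 role lists both LAN1 addresses of an HA pair, which is the same point the RADIUS row makes about provisioning both LAN IP addresses on the peer.

```python
"""Inbound allowlist derived from the NIOS port table.

Added example, not Infoblox code. RULES holds a subset of the table's rows
(protocol, destination port range, which peer may originate the flow).
ROLES, the appliance address and SAMPLE_FLOWS are constructed assumptions.
"""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Tuple


@dataclass(frozen=True)
class Rule:
    service: str
    proto: str                  # "tcp", "udp" or "icmp"
    dst_ports: Tuple[int, int]  # inclusive range; (0, 0) for icmp
    src_role: str               # which peer role may originate the flow


# Constructed addressing (assumption). An HA Grid Master has two LAN1
# addresses in addition to the VIP, so peers must allow both node addresses.
ROLES = {
    "client":           [ip_network("10.0.0.0/8")],
    "nms":              [ip_network("10.50.0.5/32")],
    "admin":            [ip_network("10.60.0.0/24")],
    "grid_master_lan1": [ip_network("10.10.0.2/32"), ip_network("10.10.0.3/32")],
    "reporting":        [ip_network("10.20.0.0/24")],
}

# Ports and protocols as documented in the table; the peer roles are assumed.
RULES = [
    Rule("DNS queries",          "udp",  (53, 53),       "client"),
    Rule("DNS queries",          "tcp",  (53, 53),       "client"),
    Rule("NTP",                  "udp",  (123, 123),     "client"),
    Rule("Traceroute probes",    "udp",  (33000, 65535), "client"),
    Rule("ICMP echo request",    "icmp", (0, 0),         "client"),
    Rule("SNMP",                 "udp",  (161, 161),     "nms"),
    Rule("SSHv2",                "tcp",  (22, 22),       "admin"),
    Rule("HTTPS/SSL GUI",        "tcp",  (443, 443),     "admin"),
    Rule("Reporting forwarder",  "tcp",  (9997, 9997),   "reporting"),
    Rule("Reporting management", "tcp",  (8089, 8089),   "grid_master_lan1"),
]

# Constructed flow records in a simple key=value form (not real firewall logs).
SAMPLE_FLOWS = [
    "src=10.0.3.7 dst=10.10.0.10 proto=udp dport=53",     # client DNS query
    "src=10.0.3.7 dst=10.10.0.10 proto=tcp dport=22",     # SSH from a non-admin host
    "src=10.60.0.9 dst=10.10.0.10 proto=tcp dport=443",   # admin GUI session
    "src=10.10.0.3 dst=10.10.0.10 proto=tcp dport=8089",  # second HA node's LAN1
    "src=10.0.9.1 dst=10.10.0.10 proto=udp dport=33434",  # UNIX traceroute probe
    "src=10.0.3.7 dst=10.10.0.10 proto=icmp",             # ping
    "src=10.0.3.7 dst=192.0.2.1 proto=tcp dport=80",      # not bound for the appliance
]

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\w+)(?: dport=(\d+))?")


def parse_flow(line):
    """Parse one flow record into (src, dst, proto, dport); dport is 0 for ICMP."""
    m = FLOW_RE.search(line)
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    src, dst, proto, dport = m.groups()
    return ip_address(src), ip_address(dst), proto.lower(), int(dport or 0)


def match_rule(src, proto, dport):
    """Return the first rule permitting an inbound flow, or None (default deny)."""
    for r in RULES:
        lo, hi = r.dst_ports
        if r.proto == proto and lo <= dport <= hi and any(src in n for n in ROLES[r.src_role]):
            return r
    return None


def audit(lines, appliance_ips):
    """Classify flows bound for the appliance: list of (record, service or 'DENY')."""
    appliance = {ip_address(a) for a in appliance_ips}
    verdicts = []
    for line in lines:
        src, dst, proto, dport = parse_flow(line)
        if dst not in appliance:
            continue  # outbound or unrelated traffic is out of scope here
        rule = match_rule(src, proto, dport)
        verdicts.append((line, rule.service if rule else "DENY"))
    return verdicts


def to_nft(appliance_ips):
    """Emit an nftables input chain equivalent to RULES, default-drop."""
    daddr = ", ".join(appliance_ips)
    out = ["table inet nios {", "  chain input {",
           "    type filter hook input priority 0; policy drop;",
           "    ct state established,related accept"]
    for r in RULES:
        saddr = ", ".join(str(n) for n in ROLES[r.src_role])
        lo, hi = r.dst_ports
        if r.proto == "icmp":
            match = "icmp type echo-request"
        else:
            match = f"{r.proto} dport {lo}" if lo == hi else f"{r.proto} dport {lo}-{hi}"
        out.append(f'    ip saddr {{ {saddr} }} ip daddr {{ {daddr} }} {match} '
                   f'accept comment "{r.service}"')
    out += ["  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    for record, verdict in audit(SAMPLE_FLOWS, ["10.10.0.10"]):
        print(f"{verdict:22s} {record}")
    print(to_nft(["10.10.0.10"]))
```

Two design points carry over from the table. The "1024 -> 65535" source-port column means the source port is not a usable discriminator: the rules above (and the generated nftables chain) match on destination port and connection state only, with the return traffic handled by the `ct state established,related` line. And because first match wins, an overly broad role such as client in 10.0.0.0/8 silently covers the admin and Grid Master addresses too, so roles for SSH, the GUI and reporting management should be kept as narrow as the deployment allows.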
Modifying Ethernet Port Settings
By default, the NIOS appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between the 10/100Base-T and 10/100/1000Base-T ports on the NIOS appliance and the Ethernet ports on a connecting switch. It is usually unnecessary to change the default auto-negotiation setting; however, you can manually configure connection settings for a port if necessary.
Occasionally, for example, even though both the NIOS appliance and the connecting switch support 1000-Mbps (megabits per second) full-duplex connections, they might fail to auto-negotiate that speed and type, and instead connect at lower speeds of either 100 or 10 Mbps using potentially mismatched full- and half-duplex transmissions. If this occurs, first determine if there is a firmware upgrade available for the switch. If so, apply the firmware upgrade and test the connection. If that does not resolve the issue, manually set the ports on the NIOS appliance and on the switch to make 1000-Mbps full-duplex connections.
To change Ethernet port settings:
- From the Grid tab, select the Grid Manager tab -> Members tab -> Grid_member check box, and then click the Edit icon.
Note: You must enable the MGMT port before modifying its port settings. See Using the MGMT Port.
- In the Network tab of the Grid Member Properties editor, the Required Ports and Addresses table lists the network settings that were configured. This table lists the network settings of LAN1(IPv4) interface for an IPv4 member and LAN1(IPv6) interface for an IPv6 member. For a dual mode Grid member, this table lists the settings for both LAN1(IPv4) and LAN1(IPv6) interfaces. Complete the following to modify port settings:
- Interface: Displays the name of the interface. You cannot modify this.
- Address: Click the field and modify the IP address for the LAN1 port, which must be in a different subnet from that of the LAN2 and HA ports.
- Subnet Mask (IPv4) or Prefix Length (IPv6): For IPv4 address, click the field and specify an appropriate subnet mask and for IPv6 address, specify the prefix length.
- Gateway: Click the field and modify the default gateway for the LAN1 port.
- VLAN Tag: Click the field and enter the VLAN tag ID if the port is configured for VLANs. You can enter a number from 1 to 4095. For information about VLANs, see About Virtual LANs.
- Port Settings: From the drop-down list, choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. Select Automatic to instruct the NIOS appliance to negotiate the optimum port connection type (full or half duplex) and speed with the connecting switch automatically. This is the default setting. You cannot configure port settings for vNIOS appliances.
- DSCP Value: Displays the Grid DSCP value. To modify, click Override and enter the DSCP value. You can enter a value from 0 to 63. For information about DSCP, see Implementing Quality of Service Using DSCP on page 455.
- Save the configuration and click Restart if it appears at the top of the screen.
Note: The port settings on the connecting switch must be identical to those you set on the NIOS appliance.