Ethernet Port Usage
The Ethernet ports on the appliance perform different functions, which vary depending on deployment and configuration choices. The Ethernet ports that transmit and receive traffic to the appliance are as follows:
- LAN1 port – This is the default port for single appliances and passive nodes in HA pairs. All deployments use the LAN port for management services if the MGMT port is disabled.
- LAN2 port – The LAN2 port is not enabled by default. By default, the appliance uses the LAN1 port (and HA port when deployed in an HA pair). To enable and configure the LAN2 port, you must have read/write permission to the appliance on which you want to enable the port. The LAN2 port is available on Infoblox-250-A, -550-A, -1050-A, -1550-A, -1552-A, -1852-A, -2000-A, and -4010 appliances. For information about how to use the LAN2 port, see /wiki/spaces/mgmadminguide/pages/911183809
- HA port – This is the default port for the active node of an HA pair.
- MGMT port – If the MGMT port is enabled, the appliance uses it for many types of management services (see 19282746 for specific types).
19282746 displays the type of traffic per port for both Multi-Grid Master and members. For a more detailed list of the different types of traffic, see 19282746.
Table 8.1 Appliance Roles and Configuration, Communication Types, and Port Usage
Appliance Role | HA Pair | HA Status | MGMT Port | Database Synchronization | Core Network Services | Management Services | GUI |
---|---|---|---|---|---|---|---|
HA Multi-Grid Master | Yes | Active | Disabled | VIP on HA | VIP on HA | LAN1 | VIP on HA |
HA Multi-Grid Master | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
Single Multi-Grid Master | No | – | Disabled | LAN1 | LAN1 | LAN1 | LAN1 |
HA Master Grid Member | Yes | Active | Disabled | LAN1 | VIP on HA | LAN1 | – |
HA Master Grid Member | Yes | Passive | Disabled | LAN1 | – | LAN1 | – |
Single Master Grid Member | No | – | Disabled | LAN1 | LAN1 | LAN1 | – |
HA Multi-Grid Master | Yes | Active | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
HA Multi-Grid Master | Yes | Passive | Enabled | LAN1 | – | MGMT | – |
Single Multi-Grid Master | No | – | Enabled | LAN1 | LAN1 or MGMT | MGMT | MGMT |
HA Master Grid Member | Yes | Active | Enabled | LAN1 or MGMT | VIP on HA | MGMT | – |
HA Master Grid Member | Yes | Passive | Enabled | LAN1 or MGMT | – | MGMT | – |
Single Master Grid Member | No | – | Enabled | LAN1 or MGMT | LAN1 or MGMT | MGMT | – |
Table 8.2 Appliance Roles and Configuration, Communication Types, and Port Usage for Appliances with LAN2 Ports
Appliance Role | HA | MGMT Port | LAN2 Port | Database Synchronization | Core Network Services | Management Services | GUI |
---|---|---|---|---|---|---|---|
HA Multi-Grid Master | Active | Disabled | Enabled | VIP on HA | VIP on HA | LAN1 or LAN2 | VIP on HA |
HA Multi-Grid Master | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
Single Multi-Grid Master | – | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | LAN1 |
HA Master Grid Member | Active | Disabled | Enabled | LAN1 | VIP on HA | LAN1 or LAN2 | – |
HA Master Grid Member | Passive | Disabled | Enabled | LAN1 | – | LAN1 or LAN2 | – |
Single Master Grid Member | – | Disabled | Enabled | LAN1 | LAN1 and/or LAN2 | LAN1 or LAN2 | – |
HA Multi-Grid Master | Active | Enabled | Enabled | VIP on HA | VIP on HA | MGMT | MGMT |
HA Multi-Grid Master | Passive | Enabled | Enabled | LAN1 | – | MGMT | – |
Single Multi-Grid Master | – | Enabled | Enabled | LAN1 | LAN1, LAN2 | MGMT | MGMT |
HA Master Grid Member | Active | Enabled | Enabled | LAN1 or MGMT | VIP on HA | MGMT | – |
HA Master Grid Member | Passive | Enabled | Enabled | LAN1 or MGMT | – | MGMT | – |
Single Master Grid Member | – | Enabled | Enabled | LAN1 or MGMT | LAN1, LAN2 | MGMT | – |
To see the service port numbers and the source and destination locations for traffic that can go to and from the appliance, see 19282746. This information is particularly useful for firewall administrators so that they can set policies to allow traffic to pass through the firewall as required.
Note: The colors in both tables represent a particular type of traffic and correlate with each other.
Table 8.3 Sources and Destinations for Services
Service | SRC IP | DST IP | Proto | SRC | DST | Notes |
---|---|---|---|---|---|---|
Key Exchange | LAN1 or MGMT on Master Grid member | VIP on HA Multi-Grid Master, or LAN1 on single master | 17 UDP | 2114 | 2114 | Initial key exchange for establishing VPN tunnels. Required for Master Grid. |
VPN | LAN1 or MGMT on Master Grid member | VIP on HA Multi-Grid Master, or LAN1 on single master | 17 UDP | 1194 or 5002, or 1024 → 63999 | 1194 or 5002, or 1024 → 63999 | Default VPN port 1194 for Master Grids with new DNSone 3.2 installations and 5002 for Master Grids upgraded to DNSone 3.2; the port number is configurable. Required for Master Grid. |
RADIUS Authentication | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 – 65535 | 1812 | For proxying RADIUS Authentication-Requests. The default destination port number is 1812, and can be changed to 1024 – 63997. When configuring an HA pair, ensure that you provision both LAN IP addresses on the RADIUS server. |
RADIUS Accounting | NAS (network access server) | LAN1 or VIP | 17 UDP | 1024 – 65535 | 1813 | For proxying RADIUS Accounting-Requests. The default destination port number is 1813, and can be changed to 1024 – 63998. |
RADIUS | LAN1 or VIP | RADIUS home server | 17 UDP | 1814 | 1024 → | Required to proxy requests from RADIUS clients to servers. The default source port number is 1814, and although it is not configurable, it is always two greater than the port number for RADIUS authentication. |
ICMP Dst Port Unreachable | VIP, LAN1, LAN2, or MGMT, or UNIX-based client | LAN1, LAN2, or UNIX-based client | 1 ICMP Type 3 | – | – | Required to respond to the UNIX-based traceroute tool to determine if a destination has been reached |
ICMP Echo Reply | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP Type 0 | – | – | Required for response from ICMP echo request (ping) |
ICMP Echo Request | VIP, LAN1, LAN2, or MGMT, or client | VIP, LAN1, LAN2, or MGMT, or client | 1 ICMP Type 8 | – | – | Required to send pings and respond to the Windows-based traceroute tool |
ICMP TTL | Gateway device (router or firewall) | Windows client | 1 ICMP | – | – | Gateway sends an ICMP TTL exceeded message to a Windows client, which then records router hops along a data path |
NTP | LAN1 on active node of Multi-Grid Master or LAN1 of a single appliance | NTP server | 17 UDP | 1024 → 65535 | 123 | Required to synchronize Master Grid and TSIG authentication. Optional for synchronizing logs among multiple appliances. |
SMTP | LAN1, LAN2, or VIP | Mail server | 6 TCP | 1024 → 65535 | 25 | Required if SMTP alerts are enabled |
SNMP | NMS (network management system) server | VIP, LAN1, LAN2, or MGMT | 17 UDP | 1024 → 65535 | 161 | Required for SNMP management |
SNMP Traps | MGMT or VIP on Multi-Grid Master or HA pair | NMS server | 17 UDP | 1024 → | 162 | Required for SNMP trap management. |
SSHv2 | Client | LAN1, LAN2, VIP, or MGMT | 6 TCP | 1024 → | 22 | Administrators can make an SSHv2 connection to the LAN1, LAN2, VIP, or MGMT |
Syslog | LAN1, LAN2, or MGMT of the appliance | syslog server | 17 UDP | 1024 → 65535 | 514 | Required for remote syslog logging |
Traceroute | LAN1, LAN2, or UNIX-based appliance | VIP, LAN1, LAN2, or MGMT, or client | 17 UDP | 1024 → 65535 | 33000 → 65535 | The appliance responds with ICMP type code 3 (port unreachable) |
TFTP Data | LAN1 or MGMT | TFTP server | 17 UDP | 1024 → 65535 | 69, then 1024 → 63999 | For contacting a TFTP server during database and configuration backup and restore operations |
HTTP | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 → 65535 | 80 | Required if the HTTP-redirect option is set on the Master |
HTTPS/SSL | Management System | VIP, LAN1, or MGMT | 6 TCP | 1024 → 65535 | 443 | Required for administration through the GUI |
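The table above is what a firewall administrator turns into allow policy; the reverse check, deciding whether a flow seen in firewall or flow logs corresponds to one of the listed services, is just as useful when auditing what actually reaches the appliance. The following Python is an added example and is not part of the Infoblox guide: it encodes a subset of the protocol and port values from Table 8.3 and classifies constructed flow-log lines against them. The log line format, the `Service` class and the `classify`, `audit` and `unexpected_flows` helpers are assumptions of this example, not anything the appliance produces.

```python
"""Classify observed flows against the appliance service table.

Added example, not Infoblox code. SERVICES encodes a subset of the rows in
Table 8.3 (protocol number, destination port, source port). The flow-log
lines in SAMPLE_FLOWS are constructed for this example.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Service:
    name: str
    proto: int                 # IP protocol number, as given in the table
    dst_ports: tuple           # inclusive (low, high) destination port ranges
    # Most rows use an ephemeral source port; the table writes it as 1024 -> 65535.
    src_ports: tuple = ((1024, 65535),)


# Values taken from Table 8.3. Ordering matters: first match wins, so rows with
# a well-known destination port come before the RADIUS proxy row, whose
# destination is any port >= 1024.
# Simplifications (assumptions of this example): the VPN row is modeled with
# its two default ports only, since its configurable range 1024-63999 would
# match nearly every UDP flow; TFTP is modeled by its initial port 69 only,
# because the follow-up data ports are negotiated per session.
SERVICES = [
    Service("Key Exchange", 17, ((2114, 2114),), ((2114, 2114),)),
    Service("VPN", 17, ((1194, 1194), (5002, 5002)), ((1194, 1194), (5002, 5002))),
    Service("RADIUS Authentication", 17, ((1812, 1812),)),
    Service("RADIUS Accounting", 17, ((1813, 1813),)),
    Service("NTP", 17, ((123, 123),)),
    Service("SMTP", 6, ((25, 25),)),
    Service("SNMP", 17, ((161, 161),)),
    Service("SNMP Traps", 17, ((162, 162),)),
    Service("SSHv2", 6, ((22, 22),)),
    Service("Syslog", 17, ((514, 514),)),
    Service("TFTP Data", 17, ((69, 69),)),
    Service("HTTP", 6, ((80, 80),)),
    Service("HTTPS/SSL", 6, ((443, 443),)),
    # Appliance proxying to the RADIUS home server: fixed source port 1814.
    Service("RADIUS (proxy to home server)", 17, ((1024, 65535),), ((1814, 1814),)),
]

# Constructed log format for this example: "proto=<n> src=<ip>:<port> dst=<ip>:<port>".
FLOW_RE = re.compile(r"proto=(\d+)\s+src=(\S+):(\d+)\s+dst=(\S+):(\d+)")


def in_ranges(port, ranges):
    """True if port falls inside any inclusive (low, high) range."""
    return any(lo <= port <= hi for lo, hi in ranges)


def classify(proto, src_port, dst_port):
    """Return the name of the first table row matching the flow, or None."""
    for svc in SERVICES:
        if (svc.proto == proto
                and in_ranges(dst_port, svc.dst_ports)
                and in_ranges(src_port, svc.src_ports)):
            return svc.name
    return None


def audit(lines):
    """Parse flow lines and pair each with its matched service (or None).

    Lines that do not match the expected format are skipped rather than
    guessed at, so a malformed record never silently passes as 'expected'.
    """
    results = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        proto, src_port, dst_port = int(m.group(1)), int(m.group(3)), int(m.group(5))
        results.append((line.strip(), classify(proto, src_port, dst_port)))
    return results


def unexpected_flows(lines):
    """Return the flow lines that match no row of the service table."""
    return [line for line, svc in audit(lines) if svc is None]


# Constructed sample flows (RFC 5737 documentation addresses).
SAMPLE_FLOWS = [
    "2024-01-01T00:00:01 proto=17 src=192.0.2.10:2114 dst=198.51.100.1:2114",
    "2024-01-01T00:00:02 proto=6 src=192.0.2.50:51234 dst=198.51.100.1:443",
    "2024-01-01T00:00:03 proto=17 src=198.51.100.1:40123 dst=192.0.2.20:514",
    "2024-01-01T00:00:04 proto=6 src=192.0.2.50:51235 dst=198.51.100.1:3389",
    "not a flow record",
]

if __name__ == "__main__":
    for line, svc in audit(SAMPLE_FLOWS):
        print(f"{svc or 'UNEXPECTED':<28} {line}")
```

Only the fourth sample line is reported as unexpected; the malformed fifth line is dropped by the parser rather than classified. A source port outside the table's stated range (for example an NTP request from port 800) is also treated as unexpected, which is the behaviour you want when the table is the policy you are checking against.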
Modifying Ethernet Port Settings
By default, the appliance automatically negotiates the optimal connection speed and transmission type (full or half duplex) on the physical links between the 10/100Base-T and 10/100/1000Base-T ports on the appliance and the Ethernet ports on a connecting switch. It is usually unnecessary to change the default auto-negotiation setting; however, you can manually configure connection settings for a port if necessary.
Occasionally, for example, even though both the appliance and the connecting switch support 1000-Mbps (megabits per second) full-duplex connections, they might fail to auto-negotiate that speed and type, and instead connect at lower speeds of either 100 or 10 Mbps using potentially mismatched full- and half-duplex transmissions. If this occurs, first determine if there is a firmware upgrade available for the switch. If so, apply the firmware upgrade and test the connection. If that does not resolve the issue, manually set the ports on the appliance and on the switch to make 1000-Mbps full-duplex connections.
To change Ethernet port settings:
- From the Master Grid tab, select the Members tab -> master_grid_member checkbox, and then click the Edit icon.
Note: You must enable the MGMT port before modifying its port settings. See /wiki/spaces/mgmadminguide/pages/911184031.
- In the Network tab of the Master Grid Member Properties editor, the Required Ports and Addresses table lists the network settings that were configured.
- Port Settings: Choose the connection speed that you want the port to use. You can also choose the duplex setting. Choose Full for concurrent bidirectional data transmission or Half for data transmission in one direction at a time. You cannot configure port settings for vNIOS appliances.
- Save the configuration.
Note: The port settings on the connecting switch must be identical to those you set on the appliance.