vSphere vNetwork


Suggestions for setting up Traffic Filtering and Marking Policy

  • 1.  Suggestions for setting up Traffic Filtering and Marking Policy

    Posted Dec 17, 2019 02:40 PM

    Hi,

    We want to configure some locks, but we are unsure what the best setting would be.

    Example:

    Network LAN Datacenter: 192.168.1.1 (Public NAT Routing)

    Network A: 10.10.1.0 - VMware Host Servers

    Network B: 10.10.2.0 - Infra-Basic Servers (AD, DNS, etc.)

    Network C: 10.10.3.0 - Web Applications Servers A

    Network E: 10.10.4.0 - Web Applications Servers B

    Network F: 10.10.5.0 - Database Servers

    Port Group A: 10.10.1.0 - VMware Host Servers

    Port Group B: 10.10.2.0 - Infra-Basic Servers (AD, DNS, etc.)

    Port Group C: 10.10.3.0 - Web Applications Servers A

    Port Group E: 10.10.4.0 - Web Applications Servers B

    Port Group F: 10.10.5.0 - Database Servers

    We want to apply the following blocks:

    - No Port Group will have an outbound restriction; each will only have an inbound restriction for some ports and other Port Groups.

    - All Port Groups need to accept Port Group B connections for DNS, Active Directory, NTP, and so on.

    a) Port Group F may only allow access to port 1433 for Port Groups C and E;

    b) Port Group C and E can only allow access to ports 80 and 443 for the Datacenter LAN Network (NAT Public Routing).

    Abstract:

    - Database servers can only accept connections from application servers on port 1433;

    - Web application servers can only accept connections on ports 80 and 443 from the datacenter network, which will have public access to the internet;

    - DNS, AD, and NTP servers must have connectivity to all existing servers.

    Doubt:

    - Should we create the release rules first and then a block-all rule, or does VMware automatically block the other connections as soon as we create the release rules?

    Thank you.
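A small model of the rule ordering the question asks about, added here as an illustration and not part of the post or of VMware's tooling: it encodes the port groups and allow rules listed above, then evaluates constructed sample flows with and without an explicit final drop rule. The first-match, default-allow semantics and the network prefixes are assumptions to verify against the vSphere documentation and the real environment.

```python
import ipaddress

# Constructed model of the thread's design (not VMware code). Assumed
# semantics: rules are checked top to bottom, the first match wins, and a
# flow that matches no rule is allowed; verify that default against the
# vSphere docs before relying on it.
LAN  = ipaddress.ip_network("192.168.1.0/24")  # datacenter LAN (public NAT)
PG_B = ipaddress.ip_network("10.10.2.0/24")    # AD, DNS, NTP
PG_C = ipaddress.ip_network("10.10.3.0/24")    # web applications A
PG_E = ipaddress.ip_network("10.10.4.0/24")    # web applications B
PG_F = ipaddress.ip_network("10.10.5.0/24")    # database servers
ANY  = ipaddress.ip_network("0.0.0.0/0")

# Each rule: (source networks, destination networks, dest ports or None, action)
ALLOW_RULES = [
    ([PG_B], [ANY], None, "allow"),             # B may reach everything
    ([PG_C, PG_E], [PG_F], {1433}, "allow"),    # app servers -> DB on 1433
    ([LAN], [PG_C, PG_E], {80, 443}, "allow"),  # LAN -> web servers
]
DROP_ALL = ([ANY], [ANY], None, "drop")         # explicit catch-all at the end

def evaluate(rules, src, dst, dport):
    """Return the action for a flow toward a VM on a filtered port group."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for srcs, dsts, ports, action in rules:
        if (any(s in n for n in srcs) and any(d in n for n in dsts)
                and (ports is None or dport in ports)):
            return action
    return "allow"  # assumed behaviour when no rule matches

# Constructed sample flows: the last two must be blocked by the design.
FLOWS = {
    "infra_B_to_db":      ("10.10.2.5", "10.10.5.10", 88),
    "app_C_to_db":        ("10.10.3.7", "10.10.5.10", 1433),
    "lan_to_web_E_https": ("192.168.1.20", "10.10.4.3", 443),
    "lan_to_db":          ("192.168.1.20", "10.10.5.10", 1433),
    "web_C_to_db_rdp":    ("10.10.3.7", "10.10.5.10", 3389),
}

def check(with_drop_all):
    """Evaluate every sample flow, optionally with the trailing drop rule."""
    rules = ALLOW_RULES + ([DROP_ALL] if with_drop_all else [])
    return {name: evaluate(rules, *flow) for name, flow in FLOWS.items()}

if __name__ == "__main__":
    for name in FLOWS:
        print(f"{name:20} allow-only={check(False)[name]:5} "
              f"with-drop-all={check(True)[name]}")
```

Under the default-allow assumption, the allow rules alone leave the database reachable from the LAN and on port 3389; only the trailing drop rule enforces the design. The model is stateless, so that drop rule also matches reply packets for connections a filtered VM initiates itself, which the unrestricted-outbound requirement above would need to account for.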



  • 2.  RE: Suggestions for setting up Traffic Filtering and Marking Policy

    Broadcom Employee
    Posted Dec 17, 2019 03:26 PM

    Moderator: Moved to vSphere vNetwork