How to segment traffic in a DMZ scenario
I had two customers looking for this. In other blades, they have the ability to hook up to 8 NICs to a switch, and then that switch (or switches) can be in DMZ1, DMZ2, internal, etc. So basically they are able to do physical segmentation of their vhosts on ESX via physical NICs. Since UCS has only one NIC we have to trunk multiple VLANs down and logically segment, or use PALO, but it's still not a physical segmentation. The only way I can think this would work is to use a UCS uplink port into, say, the DMZ as an access port. Then configure the vNICs on the server as access ports in the DMZ VLAN. Finally, pin the server to a FEX, and traffic should enter the FI on the uplink in that VLAN, hit the DMZ VLAN on UCS and go down the pinned FEX to the server. Obviously there are a whole lot of issues, such as ESX management traffic, vMotion traffic, and really only one link can be used, so scaling is a huge issue. With a small customer with a couple of servers in a DMZ that could work.
The other way is using the 1000v in conjunction with the PALO and VN-Link to tag traffic. Then you could use the 1000v to set up ACLs to segment traffic in a sort of SMT fashion, or possibly use vShield. I really don't have any hands-on with vShield or VN-Link; wondering if anyone else has tried a similar scenario.
Hi
With the M81KR (VIC) adapter you could create multiple vNICs and assign them to different vSwitches/uplink port profiles etc. to provide segmentation.
Going out of the UCS system, you could use pinning (as long as your upstream is not a disjoint Layer 2 in EHM) to deterministically route traffic.
When one looks at DMZ isolation etc., a lot of it depends on the environment one is looking at.
Nexus 1000v has a guide published at http://www.cisco.com/en/US/prod/collateral/switches/ps9441/ps9902/dmz_virtualization_vsphere4_nexus1000V.pdf (not UCS specific) on how to achieve this using different port groups (VLANs essentially)/uplink port profiles/ACLs/PVLANs etc., and you could apply it to a UCS environment with the M81KR.
The various vNICs presented to the hypervisor or bare-metal OS are distinct PCI entities, but as you correctly mentioned they are not physically segmented going out to the fabric. For example, if you create 4 vNICs on Side A, they will all go on the same IOM-FI link, as in UCS it is HIF (the interfaces downward from the IOM) to FI-link pinning that is followed, not vNIC to FI-link pinning. The full-width blades (with 2 adapters) give you more choices, though, as the number of HIFs is greater.
Hope it helps.
Thanks
--Manish
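Manish's point above is that vNICs on the VIC are separate PCI devices but share one IOM-FI link, so the DMZ, internal and vMotion traffic are separated only by 802.1Q tags, ACLs and pinning. That is something a defender can verify on the wire. The following is an added example, not code from this thread or from Cisco: a small Python 802.1Q frame parser plus an audit that takes frames captured on one uplink and reports every frame whose VLAN (or the native VLAN, if the frame is untagged) is not in the set that uplink is supposed to carry, together with a per-VLAN count showing how the shared link is being used. The VLAN IDs, MAC addresses and frames are constructed for the example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple

ETHERTYPE_8021Q = 0x8100   # TPID that announces a single 802.1Q tag
ETHERTYPE_IPV4 = 0x0800


@dataclass
class Frame:
    dst: str
    src: str
    vlan: Optional[int]   # None: frame arrived untagged (native VLAN of the trunk)
    pcp: int              # 802.1p priority bits from the TCI
    ethertype: int        # EtherType of the encapsulated payload
    payload_len: int


def _mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame carrying at most one 802.1Q tag."""
    if len(raw) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    offset, vlan, pcp = 14, None, 0
    if etype == ETHERTYPE_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        pcp = tci >> 13          # top 3 bits of the TCI: priority
        vlan = tci & 0x0FFF      # low 12 bits of the TCI: VLAN ID
        offset = 18
    return Frame(_mac(dst), _mac(src), vlan, pcp, etype, len(raw) - offset)


def build_frame(dst: str, src: str, vlan: Optional[int], ethertype: int, payload: bytes) -> bytes:
    """Build a frame for the constructed sample capture (tagged when vlan is not None)."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is None:
        hdr += struct.pack("!H", ethertype)
    else:
        hdr += struct.pack("!HHH", ETHERTYPE_8021Q, vlan & 0x0FFF, ethertype)
    return hdr + payload


def audit_uplink(frames: List[bytes], allowed_vlans: Set[int], native_vlan: int) -> List[Tuple[str, Frame]]:
    """Report every frame whose effective VLAN is not permitted on this uplink."""
    violations = []
    for raw in frames:
        f = parse_frame(raw)
        effective = native_vlan if f.vlan is None else f.vlan
        if effective not in allowed_vlans:
            violations.append((f"VLAN {effective} not allowed on this uplink", f))
    return violations


def count_by_vlan(frames: List[bytes], native_vlan: int) -> Dict[int, int]:
    """How many frames each VLAN contributed to the shared link."""
    counts: Dict[int, int] = {}
    for raw in frames:
        f = parse_frame(raw)
        vid = native_vlan if f.vlan is None else f.vlan
        counts[vid] = counts.get(vid, 0) + 1
    return counts


# Constructed sample: VLAN numbers and MAC addresses are made up for this example.
DMZ_VLAN, INTERNAL_VLAN, VMOTION_VLAN, NATIVE_VLAN = 100, 10, 20, 1
_IP_STUB = b"\x45" + b"\x00" * 19   # minimal IPv4-looking payload, 20 bytes
SAMPLE_FRAMES = [
    build_frame("00:50:56:aa:00:01", "00:25:b5:00:00:01", DMZ_VLAN, ETHERTYPE_IPV4, _IP_STUB),
    build_frame("00:50:56:aa:00:02", "00:25:b5:00:00:02", INTERNAL_VLAN, ETHERTYPE_IPV4, _IP_STUB),
    build_frame("00:50:56:aa:00:03", "00:25:b5:00:00:03", VMOTION_VLAN, ETHERTYPE_IPV4, _IP_STUB),
    build_frame("00:50:56:aa:00:04", "00:25:b5:00:00:04", None, ETHERTYPE_IPV4, _IP_STUB),
]


def run_audit() -> List[Tuple[str, Frame]]:
    """Audit a DMZ-facing uplink that is meant to carry only the DMZ VLAN."""
    return audit_uplink(SAMPLE_FRAMES, {DMZ_VLAN}, NATIVE_VLAN)


if __name__ == "__main__":
    for reason, f in run_audit():
        print(f"{reason}: {f.src} -> {f.dst} (tag={f.vlan})")
    print(count_by_vlan(SAMPLE_FRAMES, NATIVE_VLAN))
```

On the constructed capture the audit flags the internal and vMotion frames and the untagged frame (which lands in the native VLAN), which is exactly the leakage that logical segmentation on a shared link has to prevent; on a real system the frames would come from a SPAN session or capture on the uplink, and the allowed set from the uplink's trunk configuration.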
Similar Messages
-
Possible to segment traffic between 2 interfaces? And other questions...
I would like to set my G5 up as a server utilizing a second connection and to keep traffic separated between this server connection and my regular internet connection (which would be wireless). I'm pretty sure this alone is fairly straightforward and can be accomplished by setting up the new interface and moving it down to the bottom of the connection list with wireless at the top. That should keep all non-specific traffic from flowing out the ethernet/server connection - I think.
If the above works the way I stated, then I would also want to firewall ONLY the ethernet/server connection (the wireless has its own hardware firewall). AND - this is the tricky part - I also want to add a fake interface that has a fake IP and bind that to the "real" ethernet/server connection. The reason for that is because I need a static IP to bind the service to. I know that if the connection list thing works to flow the traffic, and if I had an external router on the server connection, this wouldn't be needed. I'd already have a fake IP to bind to and I wouldn't have to run the firewall on the Mac. But I don't, and I'd rather not have to buy one.
So can this be done through the Network/Sharing preference panes? If so, are there any "gotchas" I should be aware of? If not, is there any software tool out there that would make setting this up easier/faster? I'm not opposed to doing it all via command line, but I'm a bit rusty with my Linux/Unix admin knowledge. Plus I'm not 100% certain how to set all that up command-line-wise without screwing up OS X!
Thanks.
I'm not sure I fully understand what you are attempting to accomplish. Let's see if I have the general idea.
You have a single G5 that you want to use as both your desktop machine and also to provide specific services, such as web, email, etc.
You have some type of hardware firewall/security appliance.
You have some type of wireless access point.
You don't seem to have any type of router or switch in your configuration.
You want all of your server-based traffic to be sent and received on its own Ethernet port. You want your personal Internet traffic to be sent and received on your wireless connection.
So my questions are:
Where is the server traffic going to, coming from? Who is accessing the server, is it users on the Internet, or just computers on your own LAN (which you didn't mention).
If your server is to allow data from or send to the Internet, then you need to have a way to route the traffic there. Do you have more than one method to access the Internet, or will all traffic, both personal and server, be going through the same Internet access pipe?
If it is all going through the same pipe, and you only have the single computer, I don't understand why you wish to segment the traffic.
If on the other hand you have multiple computers on your LAN, then segmenting traffic may make sense. This would allow access to your server and keep your LAN well secured.
Anyway, to get to specifics, you'll need to use the Terminal app to bind specific services to specific IPs and ports on your Mac. You will also need to manually configure the firewall to be able to select specific connection ports and bindings. However, while I think it can be done, I'm not sure it makes a great deal of sense.
I would be more inclined to suggest a router or switch that can provide VLAN support, or a router that provides true DMZ support, would be a good way to go.
Anyway, a little more info would be helpful.
Oh, and if I have this totally wrong in what I think you're doing... my mistake.
Tom N. -
How to route traffic across subnets when one NIC is a hyper-V virtual switch?
Having a bit of a problem with a Hyper-V environment which does not seem to route network traffic between two different subnets.
If it were a purely physical server with two NICs and a gateway set, traffic would automatically be forwarded between the two different subnets.
However, when one of those NICs is a Hyper-V virtual switch, this simple routing no longer seems to work and no traffic gets forwarded between subnets?
Situation is:
Hyper-V server with two NICs
NIC 1 = 192.168.0/24 - main Internal company network.
NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router
Virtualized Domain Controller.
One or two virtualized NICs as necessary
How then does traffic get routed between these two subnets? If RRAS has to be configured to do this where is the best place to do it, on the hyper-V host or on the virtualized domain controller?
Thanks,
Hi,
You can create an internal virtual switch and configure an IP for it (I assume it is 192.168.1.2/24).
After you enable RRAS on the Hyper-V host there will be two gateways for the different subnets.
" NIC 2 (hyper-V virtual switch.) = 192.168.1/24 - connects to ADSL internet router "
The problem is here, if these VMs need to access the internet.
So these VMs cannot configure their gateway the same as the IP of the internal virtual switch; you may set the VMs' gateway to the ADSL internet router's IP and meanwhile add a static route entry for every VM.
Please refer to the Syntax :
route add -p 192.168.0.0 mask 255.255.255.0 192.168.1.2
Hope this helps
Best Regards
Elton Ji
We are trying to better understand customer views on social support experience, so your participation in this interview project would be greatly appreciated if you have time.
Thanks for helping make community forums a great place. -
How to print traffic lights in ALV reports
Hi, how to print traffic lights on a selection screen in ALV reports?
HI,
Check the code below:
TYPE-POOLS: icon.

TYPES: BEGIN OF ty_display,
         status     TYPE icon-id,        " traffic-light icon shown in the ALV column
         bukrs      TYPE bseg-bukrs,
         gjahr      TYPE bseg-gjahr,
         monat      TYPE monat,
         work_order TYPE z_work_order,
         glaccount  TYPE saknr,
         message    TYPE string,
       END OF ty_display.

DATA: it_display TYPE TABLE OF ty_display,
      wa_display TYPE ty_display.

" Green light: row without any problem
WRITE icon_led_green AS ICON TO wa_display-status.
wa_display-gjahr      = p_year.
wa_display-bukrs      = p_cc.
wa_display-monat      = p_period.
wa_display-work_order = v_aufnr.
wa_display-glaccount  = wa_bseg-hkont.
APPEND wa_display TO it_display.

" Red light: row with an error text from the text pool
CLEAR wa_display.
WRITE icon_led_red AS ICON TO wa_display-status.
wa_display-gjahr      = p_year.
wa_display-bukrs      = p_cc.
wa_display-monat      = p_period.
wa_display-work_order = v_aufnr.
wa_display-glaccount  = wa_bseg-hkont.
wa_display-message    = text-010.
APPEND wa_display TO it_display.
change the icon color based on your requirement and append it to the internal table which you have to display in ALV.
reward points if it is helpful.
Regards,
Srilatha -
How to do Mapping for the following Scenario
Hi All,
I am doing a File-to-File multi-mapping scenario without using the BPM concept, but my result was stuck at message mapping.
Source:
  Message
    Message1
      Details
        Name
        ID
Target:
  Message
    Message1
      Details
        Name
        ID
    Message2
      Details
        Name
        ID
I am getting a Runtime Exception (Message Transformation error) if I do the one-to-one direct mapping....
So, how to do the mapping for this scenario?
With Regards,
Mahesh
Hi Farooq,
I am using Split and Merge.
Source XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://sap.com/xi/XI/SplitAndMerge" targetNamespace="http://sap.com/xi/XI/SplitAndMerge">
  <xsd:import namespace="http://tcs.com/Demo" />
  <xsd:element xmlns:p0="http://tcs.com/Demo" name="Messages">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name="Message1" form="qualified">
          <xsd:complexType>
            <xsd:sequence>
              <xsd:element ref="p0:BPM_In_MT" />
            </xsd:sequence>
          </xsd:complexType>
        </xsd:element>
      </xsd:sequence>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>
Target XML
<?xml version="1.0" encoding="ISO-8859-1"?>
<xsd:schema xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://sap.com/xi/XI/SplitAndMerge" targetNamespace="http://sap.com/xi/XI/SplitAndMerge">
  <xsd:import namespace="http://tcs.com/Demo" />
  <xsd:element xmlns:p0="http://tcs.com/Demo" name="Messages">
    <xsd:complexType>
      <xsd:sequence>
        <xsd:element name="Message1" form="qualified">
          <xsd:complexType>
            <xsd:sequence>
              <xsd:element ref="p0:BPM_Out_MT" minOccurs="0" maxOccurs="unbounded" />
            </xsd:sequence>
          </xsd:complexType>
        </xsd:element>
        <xsd:element name="Message2" form="qualified">
          <xsd:complexType>
            <xsd:sequence>
              <xsd:element ref="p0:BPM_Out1_MT" minOccurs="0" maxOccurs="unbounded" />
            </xsd:sequence>
          </xsd:complexType>
        </xsd:element>
      </xsd:sequence>
    </xsd:complexType>
  </xsd:element>
</xsd:schema>
Thanks
Mahesh -
How to use traffic lights concept in alv in webdynpro abap
Hi,
How to use the traffic lights concept for ALV in Web Dynpro ABAP? If possible give me some code.
Hi Ravi,
You can create ICON to get traffic light.
Go through this step by step.. in this example
http://www.sdn.sap.com/irj/scn/go/portal/prtroot/docs/library/uuid/1190424a-0801-0010-84b5-ef03fd2d33d9?quicklink=index&overridelayout=true
Please go through this...
Re: Display ICON in the ALV table column
Re: Image in ALV
cheers,
Kris. -
How do I log onto airport, how do I get to the DMZ on the router?
How do I log onto airport, how do I get to the DMZ on the router?
Open the airport utility.
Bobby Pearce wrote:
How do I log onto airport, how do I get to the DMZ on the router?
If you mean how to set the DMZ..
Click on the Airport in airport utility.. click on the edit that shows on the summary..
Go to the Network tab.. and go to network options on the bottom of that page.
Enable Default Host.. is DMZ..
Tick the box and type in the IP of the computer or device you are placing in the DMZ. -
How to segment a red target in an image and calculate the L*a*b* value
hello,
Can anyone tell me how to segment a color image? This image contains red, white and a black background.
I want the red and white parts, and to calculate each part's L*a*b* value.
Thank you very much.
rex
Sounds like maybe you don't have the Image Toolbox?
Attached is a VI to convert RGB to Lab. IIRC, I think there is no one correct answer for conversion to Lab so check the formula.
To do your segmentation without the toolbox, unflatten the image cluster and decompose the RGB array into separate 2D arrays (R, G, B). Threshold your red areas by finding pixels with high R and low G and B. Find white by finding pixels with R, G, and B values all high.
Attachments:
RGB2Lab.vi 9 KB -
How is PR created in Extended Classic Scenario
Hi friends
How is PR created in Extended classic Scenario
Please let me know
Regards
Krishna
Hi Krishna,
A shopping cart in SRM is equal to a PR in R/3. If it is the Classic scenario, we can customise to create a PR in the backend for the shopping cart in EBP, but in ECS a PO will be created directly against the shopping cart in EBP and it will replicate to the R/3 system.
Regards,
Baparao. -
How to manage traffic of livestreams or youtube
Hi all,
At the moment we are discussing how to control or limit traffic used by livestreams. There are many web pages with livestreams of the Olympic Winter Games, and customers are facing very high traffic from HD video streams.
So we are now thinking about managing these video streams by implementing some policies on the proxies.
And alternatively we are thinking about how to restrict traffic of video streams or YouTube videos using the ASA.
Did not find anything in the knowledgebase. Do you have any hints how to manage this?
thank you in advance and best regards
Vincent
Just go through Manage application and Modify application and use reindex and full process.
This normally should fix your issue.
Regards
Sorin Radulescu -
How to snoop traffic on PGW 2200 with Wireshark
How to snoop traffic between PGW 2200 & MGX 8880 with Wireshark?
I hope to have understood correctly your question.
1) enable the snoop on PGW using ./snoop_scrip in /opt/snoop/ path
2) collect the trace of the call and then stop the snoop using CTRL-C
3) open wireshark
4) drag and drop the files generated from the snoop in wireshark
5) wireshark will ask to merge the file
P.S. PGW uses RUDP to communicate with the media gateway. Set the wireshark RUDP port (in Edit - Preferences - Protocols menu) according to PGW configuration.
Regards. -
How can I permit all traffic from inside-dmz-outside on asa5505
Scenario :
Servers are in DMZ, Internal LAN Users should access ports Specified (5000 & 2048). Router 2801 is facing Leased line; from there it’s connected to firewall.
Router LAN IP: 83.111.X.X - 255.255.255.X
ASA Version 7.2(4)
hostname ciscoasa
domain-name default.domain.invalid
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
interface Vlan1
nameif inside
security-level 100
ip address 192.168.X.X 255.255.255.0
interface Vlan2
nameif outside
security-level 0
ip address 83.111.X.X 255.255.255.240
interface Vlan3
nameif dmz
security-level 100
ip address 192.168.100.1 255.255.255.0
interface Ethernet0/0
switchport access vlan 2
interface Ethernet0/1
interface Ethernet0/2
switchport access vlan 3
interface Ethernet0/3
interface Ethernet0/4
interface Ethernet0/5
interface Ethernet0/6
switchport access vlan 3
interface Ethernet0/7
ftp mode passive
dns server-group DefaultDNS
domain-name default.domain.invalid
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
pager lines 24
logging asdm informational
mtu inside 1500
mtu outside 1500
mtu dmz 1500
no failover
icmp unreachable rate-limit 1 burst-size 1
asdm image disk0:/asdm-524.bin
no asdm history enable
arp timeout 14400
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
route outside 0.0.0.0 0.0.0.0 83.111.x.x
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
http server enable
http 192.168.1.0 255.255.255.0 inside
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config outside
dhcpd address 192.168.1.2-192.168.1.254 inside
dhcpd enable inside
class-map inspection_default
match default-inspection-traffic
policy-map type inspect dns preset_dns_map
parameters
message-length maximum 512
policy-map global_policy
class inspection_default
inspect dns preset_dns_map
inspect ftp
inspect h323 h225
inspect h323 ras
inspect rsh
inspect rtsp
inspect esmtp
inspect sqlnet
inspect skinny
inspect sunrpc
inspect xdmcp
inspect sip
inspect netbios
inspect tftp
service-policy global_policy global
prompt hostname context
Cryptochecksum:5663409d6ba3ad0bcd163e691f032f76
: end
Hi Ben,
Thank you for the response. I followed the link and tried reading everything you posted on AEs, but I'm afraid that I didn't understand it all. It seems that each AE example had a single input and a single output (e.g. a double). Is this the case?
What I have is a couple of front panel clusters containing (approximately) 18 control doubles, 8 indicator doubles, 5 boolean radio button constructs and 26 boolean control discretes. I clusterized it to make it readable. In addition I'll eventually have a cluster of task references for hardware handles.
All I want to do is update the front panel values like I would do in C, VB or any other language. I've tried referencing the cluster and using the reference from inside the loops. I've tried using local variables. Neither works. I'm experimenting with globals, but it seems that I have to construct the front panel in the global and then I wouldn't know how to reproduce that on the front panel of the main VI. Sometimes it seems that more time is spent getting around LabVIEW constructs than benefiting from them.
I hope the 'Add Attachment' function actually puts a copy of the VI here and not a link to it.
Thanks again for the suggestion,
Frank
Attachments:
Front Panel Reference.vi 33 KB -
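Coming back to the ASA 5505 configuration posted in the "permit all traffic from inside-dmz-outside" question above: the security-relevant detail in it is that the dmz interface carries security-level 100, the same as inside, and same-security-traffic permit inter-interface is enabled, while no access-group is applied anywhere. Under those settings inside and dmz are effectively one trust zone and the stated restriction to ports 5000 and 2048 is not enforced. The following is an added example, not code from the thread or from Cisco: a Python audit that parses an ASA configuration in the 7.2 style shown on the page, reports those three conditions, and returns no findings for a constructed hardened variant (dmz ranked below inside, no inter-interface permit, and an ACL on inside limiting traffic to the DMZ network to the two ports). Both configurations are constructed samples with placeholder addresses; they are not the poster's real configuration.

```python
import re
from typing import Dict, List, Optional

# Constructed sample modelled on the ASA 5505 configuration in the question above.
# Addresses are placeholders (the original masks them with X), not the poster's values.
WEAK_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
interface Vlan3
 nameif dmz
 security-level 100
 ip address 192.168.100.1 255.255.255.0
interface Ethernet0/2
 switchport access vlan 3
same-security-traffic permit inter-interface
same-security-traffic permit intra-interface
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
"""

# Constructed hardened variant: dmz below inside, no inter-interface permit, and an ACL on
# inside that allows only TCP 5000 and 2048 into the DMZ network while keeping Internet access.
HARDENED_CONFIG = """\
interface Vlan1
 nameif inside
 security-level 100
 ip address 192.168.1.1 255.255.255.0
interface Vlan2
 nameif outside
 security-level 0
 ip address 203.0.113.2 255.255.255.240
interface Vlan3
 nameif dmz
 security-level 50
 ip address 192.168.100.1 255.255.255.0
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 eq 5000
access-list INSIDE_IN extended permit tcp 192.168.1.0 255.255.255.0 192.168.100.0 255.255.255.0 eq 2048
access-list INSIDE_IN extended deny ip any 192.168.100.0 255.255.255.0
access-list INSIDE_IN extended permit ip any any
access-group INSIDE_IN in interface inside
global (outside) 1 interface
nat (inside) 1 0.0.0.0 0.0.0.0
nat (dmz) 1 192.168.100.0 255.255.255.0
"""


def parse_interfaces(cfg: str) -> Dict[str, dict]:
    """Map each nameif to its VLAN/physical interface, security-level and address."""
    interfaces: Dict[str, dict] = {}
    current: Optional[dict] = None
    for line in cfg.splitlines():
        s = line.strip()                      # tolerate the unindented form seen in the post
        m = re.match(r"^interface\s+(\S+)$", s)
        if m:
            current = {"interface": m.group(1), "security_level": None, "ip": None}
            continue
        if current is None:
            continue
        if s.startswith("nameif "):
            interfaces[s.split(None, 1)[1]] = current
        elif s.startswith("security-level "):
            current["security_level"] = int(s.split()[1])
        elif s.startswith("ip address "):
            current["ip"] = s[len("ip address "):]
    return interfaces


def audit_asa(cfg: str) -> List[str]:
    """Findings about zone separation between inside and every other named interface."""
    findings: List[str] = []
    ifaces = parse_interfaces(cfg)
    inside = ifaces.get("inside")
    inter_permit = re.search(r"^\s*same-security-traffic permit inter-interface\s*$", cfg, re.M) is not None
    acl_applied = re.search(r"^\s*access-group\s+\S+\s+in\s+interface\s+\S+", cfg, re.M) is not None

    # 1. A zone that should be less trusted than inside must sit at a lower security-level.
    if inside is not None and inside["security_level"] is not None:
        for name, i in ifaces.items():
            if name != "inside" and i["security_level"] is not None \
                    and i["security_level"] >= inside["security_level"]:
                findings.append(f"{name} ({i['interface']}) has security-level {i['security_level']}, "
                                f"not below inside ({inside['security_level']}): it is not a lower-trust zone")

    # 2. Equal levels plus inter-interface permit means unrestricted traffic between those zones.
    by_level: Dict[int, List[str]] = {}
    for name, i in ifaces.items():
        if i["security_level"] is not None:
            by_level.setdefault(i["security_level"], []).append(name)
    if inter_permit:
        for level, names in by_level.items():
            if len(names) > 1:
                findings.append(f"same-security-traffic permit inter-interface lets {' and '.join(sorted(names))} "
                                f"(level {level}) exchange traffic freely unless an ACL restricts it")

    # 3. Without an access-group the port restriction exists only on paper.
    if not acl_applied:
        findings.append("no access-group is applied to any interface, so the intended port "
                        "restriction (5000 and 2048) is not enforced anywhere")
    return findings


if __name__ == "__main__":
    for f in audit_asa(WEAK_CONFIG):
        print("weak:", f)
    print("hardened:", audit_asa(HARDENED_CONFIG) or "no findings")
```

The hardened ACL relies on the ASA evaluating entries top-down with first match: the two port-specific permits come first, the explicit deny covers everything else bound for the DMZ network, and the final permit keeps inside hosts' Internet access, which an inbound ACL on inside would otherwise remove along with the implicit permit. The nat (dmz) line is part of the constructed sample so that DMZ hosts keep outbound translation once they are a lower-trust zone.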
Client looking to segment traffic via SSID using 2504
I have a client with a WLC 2504 that wants to route "guest" users through a gateway appliance "radiusgateway.com" and all others through the network. It appears to me this would require the use of two fa ports on the WLC. One directly connected to the radiusgateway (which is connected to a switchport) and the other fa interface connected directly to a switchport bypassing the proxy server.
My issue is: "how do you segment the SSID traffic via the WLC?" The interfaces via the GUI aren't that intelligent; there's an enable and logging drop-down. Via the command line, I didn't see any methods of routing traffic.
Please assist. Thanks in advance.
The controller doesn't 'route' traffic; it will just send it out the VLAN/port the interface is configured for.
So if you tell interface 'guest' to be linked to port 4, any WLAN that uses guest will be sent out port 4.
HTH,
Steve
Please remember to rate useful posts, and mark questions as answered -
Multiple Public IP's on single ASA 5510 - "Segment Traffic"
Hello,
I was told this is not possible on a Cisco ASA; just wondering if it's true.
Description: We are setting up 2 new Exchange servers; they need to go out the same ASA on different interfaces to separate public IPs. We also have a 3rd public IP for our staff.
Basically we want our Staff to use the 10x5 slow internet connection (Public 3). We want Server 1 to use Public IP 1 and Server 2 Public IP 2.
Server 1 -----> Public IP 1
Server 2 -----> Public IP 2
Staff ------> Public IP 3
I was told PBR (Policy Based Routing) is not supported on the Cisco ASA, which I understand. But is there a workaround with the ASA, or will I HAVE to implement a layer 3 device in front of the ASA?
We also have a DMZ in the mix; I don't know if that changes anything.
I hope this makes sense; if not I can try and explain more, but any advice would be greatly appreciated! I don't want to expense another layer 3 device if possible!
Hi,
Here is a link to another discussion where a user wanted to direct a certain DMZ network traffic through another ISP
https://supportforums.cisco.com/thread/2209874
Naturally the NAT setup doesn't exactly match your need, but essentially in your case it would just mean slightly modifying the NAT configurations.
Naturally this is not something that is really advisable for a production environment, but it should work. Then again, as Cisco doesn't officially support it, there is no knowing what future updates might do to this or what would happen if you ran into a problem with NAT-related operation of the firewall.
Because of this way of NAT configuration, the configurations would naturally become more complex and the ordering of NAT rules might need a closer look when modifying them.
- Jouni -
How to force traffic though a chosen interface in Windows 8.1?
Windows 8.1 seems to be able to detect dead routes and picks up the default gateway or next best route for routing.
I have a requirement where I want traffic for specific destinations to "always" go through the interface that I pick, and if that interface is not providing a path for some reason then I want the communication to fail instead of switching to the next best interface.
How do I achieve this? I already tried EnableICMPRedirect and DeadGWDetectDefault registry settings and disabling Auto Metric on the interface through which I want to route this traffic.
Any clues would help.
Thanks
GW
With PowerShell you should be able to view the applicable routes and modify them accordingly to alter this behavior:
# you can determine your adapters with
Get-NetAdapter -IncludeHidden
# then you can see what routes are associated with what adapter interface (let's assume your wifi interface is 4 and your loopback is 1)
Get-NetRoute -AddressFamily IPv4
# you will get your specific interface index, destination prefix, next hop and the route metric
# you can then set a specific route policy using:
New-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 1 -RouteMetric 256
New-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 4 -NextHop 10.1.1.1 -RouteMetric 0
# you can modify the configuration with:
Set-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 4 -NextHop 192.168.10.1 -RouteMetric 0
# finally, you can remove the specific route or all the routes with:
Remove-NetRoute -DestinationPrefix "200.200.200.200/32" -InterfaceIndex 1 -Confirm:$false
Remove-NetRoute -DestinationPrefix "200.200.200.200/32" -Confirm:$false