node and cluster management network architecture, proxy, port forwarding


node and cluster management network architecture, proxy, port forwarding

Brian Parent-2
I'm running into some problems with the network layout on our AFF8020
running CDOT 8.2.3.

It seems that using a private layer 2 vlan for node management provides the
significant benefit of reducing potential attack sources to servers on that
private vlan (where such vlan has a small number of hosts, all with lots
of access restrictions, none of which run DNS, ntp, SMTP services).  

I was hoping to use port forwarding from a server in that vlan to
enable things like https, DNS, ntp, and smtp, but have not been
successful yet.  Before I spend too much more time on it, I thought
I should check to see whether others have had success with similar
network topology.

--
Brian Parent
Information Technology Services Department
IT Infrastructure Operations Group
Workplace, Internal, Research, and Educational Platforms (WIRE) team
UC San Diego
(858) 534-6090
_______________________________________________
Toasters mailing list
[hidden email]
http://www.teaparty.net/mailman/listinfo/toasters

Re: node and cluster management network architecture, proxy, port forwarding

Brian Parent-2
I haven't heard any responses to this request.  I've spent a bit more time
attempting to get netcat, and/or ssh to help the AFF8020's node management
IPs to traverse the private layer 2 network to get to a DNS server and an
NTP server in the local campus RFC1918 IPs, without success.

Instead, I've configured the node management IPs to use RFC1918 IPs,
where they can see DNS, NTP, and web proxy servers without any special
network translations.  This has allowed autosupport to work.

Re:

> From: Brian Parent <[hidden email]>
> Date: Mon, 4 Apr 2016 14:20:48 -0700
> Subject: node and cluster management network architecture, proxy, port
>  forwarding
> To: [hidden email]
> Cc: Andreas Epple <[hidden email]>, "Kennedy, Jeffrey"
>  <[hidden email]>

--
Brian Parent
Information Technology Services Department
IT Infrastructure Operations Group
Workplace, Internal, Research, and Educational Platforms (WIRE) team
UC San Diego
(858) 534-6090
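The relay approach the first message describes, as an added example that is not part of this thread or of any NetApp tooling: a small Python generator for Linux iptables DNAT rules on a relay host sitting in the private node-management VLAN, so the node-management LIFs can reach DNS, NTP, SMTP and HTTPS on campus RFC1918 addresses, with a check that nothing outside the allow-list gets forwarded. Interface names, addresses and ports are constructed placeholders. One caveat relevant to the netcat/ssh attempts: ssh port forwarding carries TCP only, while DNS and NTP normally run over UDP, so those two need a kernel-level (DNAT) relay.

```python
import ipaddress

# Constructed placeholders (hypothetical): the relay's VLAN-facing interface
# and address, its campus-facing interface, and the RFC1918 services that the
# node-management LIFs must reach through it.
RELAY_IF = "eth1"          # faces the private node-management VLAN
UPSTREAM_IF = "eth0"       # faces the campus RFC1918 network
SERVICES = {
    # name: (proto, port exposed on the relay, destination host, destination port)
    "dns":   ("udp", 53,  "10.10.0.53",  53),
    "ntp":   ("udp", 123, "10.10.0.123", 123),
    "smtp":  ("tcp", 25,  "10.10.0.25",  25),
    "https": ("tcp", 443, "10.10.0.80",  443),
}
# Only these (proto, port) pairs may ever be relayed out of the private VLAN.
ALLOWED = {("udp", 53), ("udp", 123), ("tcp", 25), ("tcp", 443)}


def check_service(name, spec):
    """Reject any forward that is not on the allow-list or leaves RFC1918 space."""
    proto, lport, dst, dport = spec
    if (proto, lport) not in ALLOWED:
        raise ValueError(f"{name}: {proto}/{lport} is not an allowed forward")
    if not ipaddress.ip_address(dst).is_private:
        raise ValueError(f"{name}: destination {dst} is not a private address")
    return True


def render_rules(services=SERVICES):
    """Return the iptables commands for the relay, in the order they must be applied."""
    rules = ["sysctl -w net.ipv4.ip_forward=1",
             "iptables -P FORWARD DROP"]          # deny everything not listed below
    for name, spec in services.items():
        check_service(name, spec)
        proto, lport, dst, dport = spec
        # Redirect only packets that arrive on the VLAN-facing interface; DNAT
        # happens in PREROUTING, so FORWARD already sees the rewritten destination.
        rules.append(f"iptables -t nat -A PREROUTING -i {RELAY_IF} -p {proto} "
                     f"--dport {lport} -j DNAT --to-destination {dst}:{dport}")
        rules.append(f"iptables -A FORWARD -i {RELAY_IF} -o {UPSTREAM_IF} -p {proto} "
                     f"-d {dst} --dport {dport} -m conntrack --ctstate NEW -j ACCEPT")
    # Replies from the campus servers come back on the upstream interface.
    rules.append("iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT")
    # Source-NAT so the campus servers answer the relay, not the private VLAN.
    rules.append(f"iptables -t nat -A POSTROUTING -o {UPSTREAM_IF} -j MASQUERADE")
    return rules


if __name__ == "__main__":
    print("\n".join(render_rules()))
```

Each node-management LIF then uses the relay's VLAN address (the `RELAY_IP` side of `eth1`) as its DNS, NTP, SMTP and proxy target, and the relay's FORWARD policy drops anything not on the allow-list.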