February 27th, 2015 13:00

How do I disable management on an interface of a DD2500?

Good afternoon,

I have a new DD2500 using ddos 5.4.2.1. I have 3 NICs currently enabled: (2) 10 gig, (1) 1 gig. Per the Data Domain/Networker best practices guide, it says that you should segregate backup traffic, management traffic, and replication traffic. But it doesn't tell you how. I thought by adding my (2) 10 gig NICs to a ddboost ifgroup, that disabled management on those NICs, but I am still able to SSH to them and open up the web GUI using those IPs. What I would like to have as my final config is:
(1) 1 gig nic - Management traffic only (ssh, web gui, networker front end configuration).

(2) 10 gig nic - DDBoost backup traffic only using Networker.

I assume this is possible as this is what EMC recommends in their guide, they just don't tell you how to do it.  Any help you could pass along would be greatly appreciated!  Hopefully that makes sense, if not, let me know and I can add some more detail!

Thanks in advance!

Jeff

274.2K Posts

February 27th, 2015 14:00

Jeff,

There is not a way to disable management 'ssh' or 'gui' per specific ethernet port.

I believe the important part of the recommendation is to try to segregate 'active' management traffic to a separate port from backup and replication traffic. If you are using a tool like EMC DPA, or a third-party tool, to monitor the Data Domain, you would want to configure it to use a 1 gig port designated for management. For ssh and web gui, I'd suggest setting the DNS naming convention for the management port to indicate its purpose to other admins.

You want to be able to ssh or connect via the GUI to a second ethernet port as an alternate, in case there is a network issue that prevents connecting via the primary ethernet port. 


Regards,

Steve

14.3K Posts

February 27th, 2015 14:00

It might be recommended, but I haven't seen any issue. I use the same interface for backup traffic and replication, as there is no way I can fill up a 10Gbps line even with both. And ssh is certainly not an issue.

February 27th, 2015 21:00

Thanks for the replies, but what I am looking for is a way to disable ssh and web gui on nics for security. We would like to put a nic into a dmz, but the security team wants me to disable management capabilities to lock it down. Backup times going through a firewall so far are too long, so we are looking at alternatives.

14.3K Posts

February 28th, 2015 03:00

If you have a DMZ, you should have a dedicated DMZ solution - at least I prefer it that way. You mentioned a firewall - disable the ssh and web ports on the firewall for the network destination in which you wish to have this disabled and you are done. As far as I know, you do not have iptables user configurable to do it yourself on the DD box.

February 28th, 2015 06:00

Exactly dynamox, which is why I am trying to disable management on an interface.

20.4K Posts

February 28th, 2015 06:00

Typically a DMZ is the network where you keep services that need to be exposed to the "outside" world. I would not want to expose my DD management interfaces to the outside world, would you?

14.3K Posts

February 28th, 2015 08:00

At this stage, at least in 5.4 via adminaccess, you do not have such control, but in engineering mode I suspect you might be able to configure it just as on any other system, but for that I suspect a ticket to the DD folks would be needed.
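
Added example, not part of the original thread: since the replies say management cannot be turned off per interface and suggest blocking the ssh and web ports on the firewall instead, a check like the one below, run from a host inside the DMZ, confirms that those ports really are unreachable on the backup NIC addresses. The default ports (22, 80, 443), the role names, and the inventory addresses are assumptions made for illustration.

```python
import socket

# Assumption: management services listen on their default ports.
MGMT_PORTS = {22: "ssh", 80: "http", 443: "https"}


def tcp_open(host, port, timeout=2.0):
    """Return True if a full TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, filtered (timeout), unreachable
        return False


def audit(interfaces, probe=tcp_open, ports=MGMT_PORTS):
    """Compare reachable management ports against each interface's role.

    interfaces maps IP -> role ("management" or "backup").
    Returns a sorted list of (ip, port, service, problem) where problem is
    "exposed" (management port answers on a backup interface) or
    "unreachable" (management port does not answer on the management one).
    """
    findings = []
    for ip, role in interfaces.items():
        for port, service in ports.items():
            is_open = probe(ip, port)
            if role == "backup" and is_open:
                findings.append((ip, port, service, "exposed"))
            elif role == "management" and not is_open:
                findings.append((ip, port, service, "unreachable"))
    return sorted(findings)


if __name__ == "__main__":
    # Constructed inventory using documentation address ranges (RFC 5737).
    inventory = {
        "192.0.2.10": "management",   # 1 gig NIC
        "198.51.100.11": "backup",    # 10 gig NIC in the ifgroup
        "198.51.100.12": "backup",    # 10 gig NIC in the ifgroup
    }
    for ip, port, service, problem in audit(inventory):
        print(f"{ip}:{port} ({service}) {problem}")
```

The result only reflects the network path from the host that runs it, so run it once from the DMZ segment and once from the management network.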
