VMware Cloud Community
sandroalvesbras
Enthusiast

Suggestions for setting up Traffic Filtering and Marking Policy

Hi,

We want to configure some locks, but we are unsure what the best setting would be.

Example:

Network LAN Datacenter: 192.168.1.1 (Public NAT Routing)

Network A: 10.10.1.0 - VMware Host Servers

Network B: 10.10.2.0 - Infra-Basic Servers (AD, DNS, etc.)

Network C: 10.10.3.0 - Web Applications Servers A

Network E: 10.10.4.0 - Web Applications Servers B

Network F: 10.10.5.0 - Database Servers

Port Group A: 10.10.1.0 - VMware Host Servers

Port Group B: 10.10.2.0 - Infra-Basic Servers (AD, DNS, etc.)

Port Group C: 10.10.3.0 - Web Applications Servers A

Port Group E: 10.10.4.0 - Web Applications Servers B

Port Group F: 10.10.5.0 - Database Servers

We want to apply the following blocks:

- No Port Group will have an outbound restriction; they will only have inbound restrictions for some ports and some other Port Groups.

- All Port Groups need to accept connections from Port Group B for DNS, Active Directory, NTP, and so on.

a) Port Group F may only allow access to port 1433 for Port Groups C and E;

b) Port Groups C and E may only allow access to ports 80 and 443 for the Datacenter LAN Network (NAT Public Routing).

Abstract:

- Database servers can only accept connections from application servers on port 1433;

- Web application servers can only accept connections on ports 80 and 443 from the datacenter network that will have public access to the internet;

- DNS, AD, and NTP servers must have connectivity to all existing servers.

Doubt:

- Should we create the release rules first and then a block-all rule, or does VMware automatically block the other connections as soon as we create the release rules?

Thank you.

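The ordering question above (allow rules first, then an explicit block-all, or rely on the switch to block the rest) can be checked with a small model. The following is an added example and not code from the thread or from VMware: it models an ordered, first-match ingress filter the way the vSphere Distributed Switch "Traffic Filtering and Marking" policy is documented to behave (rules are processed top to bottom, the first matching rule wins, and traffic matching no rule is allowed). The subnets and ports are the ones from the question; the datacenter LAN being 192.168.1.0/24, the rule names and the sample flows are constructed assumptions. It builds the Port Group F and Port Group C/E policies once without and once with a final "deny the rest" rule and reports which flows only pass because of the implicit default.

```python
"""
Added example (not from the thread or from VMware): a first-match model of
a vSphere Distributed Switch ingress traffic filter.

Assumptions (labelled): rules are evaluated top to bottom, the first match
wins, and traffic that matches no rule is ALLOWED by default. Subnets and
ports come from the original question; the LAN prefix length, rule names
and sample flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "drop"
    src: Optional[str] = None    # source CIDR, None = any source
    dport: Optional[int] = None  # destination port, None = any port

    def matches(self, src_ip: str, dport: int) -> bool:
        if self.src is not None and ip_address(src_ip) not in ip_network(self.src):
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def evaluate(rules: List[Rule], src_ip: str, dport: int,
             default: str = "allow") -> Tuple[str, str]:
    """Return (action, rule_name) of the first matching rule, or the
    implicit default when nothing matches (vDS default is allow)."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action, rule.name
    return default, "implicit-default"


def audit(rules: List[Rule], flows) -> List[str]:
    """Names of sample flows that are only passed by the implicit default,
    i.e. flows no explicit rule decided. A hardened policy returns []."""
    return [name for name, src, port in flows
            if evaluate(rules, src, port) == ("allow", "implicit-default")]


# Subnets from the question (assumed /24); LAN prefix is an assumption.
NET_B = "10.10.2.0/24"   # AD / DNS / NTP
NET_C = "10.10.3.0/24"   # web app servers A
NET_E = "10.10.4.0/24"   # web app servers B
NET_F = "10.10.5.0/24"   # database servers
LAN = "192.168.1.0/24"   # datacenter LAN with public NAT

# Ingress policy for Port Group F (database servers): release rules only.
ALLOW_ONLY_F = [
    Rule("infra-from-B", "allow", NET_B),
    Rule("sql-from-C", "allow", NET_C, 1433),
    Rule("sql-from-E", "allow", NET_E, 1433),
]
# Same policy with the explicit block-all appended as the last rule.
COMPLETE_F = ALLOW_ONLY_F + [Rule("deny-rest", "drop")]

# Ingress policy for Port Groups C and E (web application servers).
ALLOW_ONLY_WEB = [
    Rule("infra-from-B", "allow", NET_B),
    Rule("http-from-lan", "allow", LAN, 80),
    Rule("https-from-lan", "allow", LAN, 443),
]
COMPLETE_WEB = ALLOW_ONLY_WEB + [Rule("deny-rest", "drop")]

# Constructed sample flows toward the database Port Group: (name, src, dport)
FLOWS_TO_F = [
    ("app-c-sql", "10.10.3.10", 1433),
    ("dns-server-any", "10.10.2.5", 22),
    ("lan-sql", "192.168.1.50", 1433),   # should be blocked
    ("app-c-rdp", "10.10.3.10", 3389),   # should be blocked
]


if __name__ == "__main__":
    print("Release rules only, leaks:", audit(ALLOW_ONLY_F, FLOWS_TO_F))
    print("With deny-rest, leaks:   ", audit(COMPLETE_F, FLOWS_TO_F))
    for name, src, port in FLOWS_TO_F:
        print(name, "->", evaluate(COMPLETE_F, src, port))
```

Running it shows that with only the release rules the LAN-to-1433 and app-to-3389 flows are passed by the implicit default, and that the same flows are dropped once "deny-rest" is the last rule. Since the first match wins, that rule must be last: placed above the release rules it would drop the traffic from Port Group B as well.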
scott28tt
VMware Employee

Moderator: Moved to vSphere vNetwork


Although I am a VMware employee I contribute to VMware Communities voluntarily (ie. not in any official capacity)
VMware Training & Certification blog