We have the requirement in our company that all Mgmt interfaces/IP’s must be protected by a firewall. For HSX this includes the IP where sshd, http Admin GUI is running. But this seems not to be possible in our setup.
We can not protect the DP network with firewall as there will also be backup traffic. So we decided to used 2 different VLAN’s on one of the two LACP channels.
Overall we have 3 VLANs/networks configured on 2 LACP channels. 2 VLANs are configured on a trunk.
- Storage-Pool: not routed - no problem - on LACP 1 with 2 x 25G
- Data-Protection: should be used for communication with other Commvault servers and clients to back up - on LACP 2 with 2 x 25G
- Mgmt: used for sshd / http - on LACP 2 with 2 x 25G
But according to documentation for Reference Architecture only one network can be routable. In our case both Mgmt and DP must be routable. I added some Linux policy routing rules and they worked perfectly fine until the GUI installer was started (via browser after basic network configuration was done). Something was changed and it ended always with an error.
I’m very surprised that there is no out of the box solution for that. I was even more surprised to see that the default Mgmt Web GUI where one logs in with root is not encrypted, its http not https.
From a security perspective the whole default setup is a nightmare and will probably not be accepted by our security team….
Best answer by pirxView original