Can we use "EA Ruleset" with "EAs" configured over Network Containers?

New Member
Posts: 6

We are deploying the DTC service to forward DNS requests to the appropriate destination according to the source network, so we are using EAs to differentiate several regions and countries as the source.

Our problem arises when we configure EAs on Network Containers to be used in EA Rulesets to decide how to forward traffic. Let me explain it in detail:

When we use EAs on an IPv4 Network it works properly: the values established on this object appear in the EA Ruleset and can be selected. But if we set these same EAs on a Network Container it doesn't work, because the values established on the Network Container's EAs do not appear in the EA Ruleset to be selected. This is a problem because we have several countries that have been assigned networks of /8 or /16 size, and all networks in the network container, both existing and new, have to inherit the EAs selected for the parent network container. On the other hand, we also have Network Containers of /16 size that don't have any IPv4 network but that have to be used by DTC Rulesets to forward traffic.

I am going to describe the whole configuration process:

- We have several /16 network containers without any networks in them.
- Every network container belongs to a continent, country and Region/City.
- Then we created three list-type EAs: DTC_Continent, DTC_Country and DTC_Region-City.
- Next we add these EAs in "Grid DNS Properties" / "Traffic Control" / "Extensible Attributes Source Types for Topology Rules" so that we can use them in Topology Rulesets.
- Next we go to the IPAM tab, click on the /16 network container and add the three EAs described above, selecting the corresponding values. Note that we add these EAs only on the /16 network container and not on any of its IPv4 networks, because there are network containers that do not have any IPv4 network.
- Now we go to Traffic Control in the DNS tab and first run "Rebuild EA Database".
- After that we click "Manage Topology Rulesets", add a new "Ruleset" and inside it create an "Extensible Attribute Rule". This section shows the three EAs mentioned above for configuring the rule, but here is where our problem is: in the EA drop-down lists, only the values that were added on IPv4 networks appear, and not the EA values that we have added on the network container.

Please, could you tell us whether it is possible to use an "EA ruleset" with EAs configured on a Network Container, and how to do it?

Please, if you need more information, don't hesitate to ask.

Thank you in advance.
Regards.

Re: Can we use "EA Ruleset" with "EAs" configured over Network Containers?

Adviser
Posts: 321

One of our DTC Principal Solutions Architects tested the DTC EA Ruleset with EAs configured over network containers and confirmed that EAs applied to network 'containers' cannot be used with DTC. The EAs need to be applied to networks within the container. If you still have questions, please contact your Infoblox Solutions Architect or SE to set up a call to discuss this matter in further detail. Thank you for your question.
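A way to check an IPAM export against the restriction stated in this answer, as an added example that is not part of the thread and is not Infoblox code: it lists which networks still need the DTC EAs copied down from their enclosing containers, and which containers have no network at all and so cannot feed a topology rule. The record layout (`network` and `extattrs` keys, values wrapped as `{"value": ...}`), the nearest-container-wins policy and the sample data are assumptions constructed for the example; the three EA names are the ones from the question.

```python
import ipaddress

# EA names taken from the question in this thread.
DTC_EAS = ("DTC_Continent", "DTC_Country", "DTC_Region-City")

def ea(value):
    """Wrap a value in the assumed export shape {"value": ...}."""
    return {"value": value}

def audit(containers, networks):
    """Return (updates, empty_containers).

    updates: {network CIDR: DTC EAs the network lacks but an enclosing
              container defines}; the nearest container wins on conflict.
    empty_containers: containers carrying DTC EAs with no network beneath them.
    """
    # Widest container first, so more specific containers override it.
    conts = sorted(((ipaddress.ip_network(c["network"]), c) for c in containers),
                   key=lambda pair: pair[0].prefixlen)
    updates, covered = {}, set()
    for obj in networks:
        net = ipaddress.ip_network(obj["network"])
        inherited = {}
        for cnet, cont in conts:
            if cnet.version == net.version and net.subnet_of(cnet):
                covered.add(cont["network"])
                inherited.update({k: v for k, v in cont.get("extattrs", {}).items()
                                  if k in DTC_EAS})
        missing = {k: v for k, v in inherited.items()
                   if k not in obj.get("extattrs", {})}
        if missing:
            updates[obj["network"]] = missing
    empty = [c["network"] for _, c in conts
             if c["network"] not in covered
             and any(k in DTC_EAS for k in c.get("extattrs", {}))]
    return updates, empty

# Constructed sample data (not from the thread).
CONTAINERS = [
    {"network": "10.0.0.0/8", "extattrs": {"DTC_Continent": ea("Europe")}},
    {"network": "10.20.0.0/16", "extattrs": {"DTC_Country": ea("Spain"),
                                             "DTC_Region-City": ea("Madrid")}},
    {"network": "10.30.0.0/16", "extattrs": {"DTC_Country": ea("France")}},
]
NETWORKS = [
    {"network": "10.20.1.0/24", "extattrs": {}},
    {"network": "10.20.2.0/24", "extattrs": {"DTC_Continent": ea("Europe"),
        "DTC_Country": ea("Spain"), "DTC_Region-City": ea("Barcelona")}},
]

if __name__ == "__main__":
    print(audit(CONTAINERS, NETWORKS))
```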

Re: Can we use "EA Ruleset" with "EAs" configured over Network Containers?

Adviser
Posts: 321

As a further note, NIOS 8.0 introduced the ability to create DTC Topology Rulesets based on the value of specific EAs. While EAs for network containers are not currently supported in DTC, this feature is on the roadmap for our next major release targeted in the first half of 2022.

Re: Can we use "EA Ruleset" with "EAs" configured over Network Containers?

New Member
Posts: 6

Hello samanna,

Thank you very much for your answer.

I believe that it is a great limitation in functionality compared with other manufacturers, where there are features such as Regions in which an administrator can include networks of any size without them having to be defined directly on the devices.

Do you know of a workaround that we can apply while we wait for Infoblox to launch this functionality?

Thank you again.
Regards.
