Configuring the network isolation
To support AIR for IRE, the IRE MSDP storage server needs network communication to the production MSDP storage server. The IRE MSDP storage server always initiates the connection, so IRE with AIR works even when the production MSDP server has no network access to the IRE MSDP server.
Configure the firewall at the IRE domain to deny all inbound and outbound connections by default. This protects every host in the IRE domain from cyberattacks that originate outside it. You must then allow outbound connections from the IRE MSDP server. For IRE replication, the IRE MSDP server needs network access to the production MSDP server on ports 10082 and 10102, and to the production primary server on port 1556.
If the firewall cannot enforce unidirectional network access (outbound connections only), you can allow bidirectional network access for the IRE MSDP server instead. The IRE air gap on the IRE MSDP server itself still denies inbound connections that do not come from the IRE domain.
The air gap on the IRE MSDP server does the following:
- Allows network connections from servers in the IRE domain. Connectivity between the MSDP server and the NetBackup primary or media servers is required for the MSDP server to function.
  Add the subnets or IP addresses of the IRE domain to the allowed subnet list. The addresses in this list have direct network access to the MSDP server.
  For example, on Flex WORM use the following command:
    setting ire-network-control allow-subnets subnets=<subnet1>,<subnet2>,<ip address>,etc
  Note:
  The list must contain at least the primary server, the media servers, and the DNS server of the IRE domain.
  Do not add subnets or IP addresses from domains outside the IRE domain.
- Enables unidirectional network access (outbound connections from the IRE MSDP server to other domains) during the IRE air gap window. By default, the window is 24 hours per day.
- Denies all inbound connections that do not originate from the allowed subnet list.
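The following is an added example, not NetBackup or Flex appliance code, that models the isolation policy described in this section: it checks a proposed allow-subnets list against the two rules in the Note (required hosts covered, nothing from outside the IRE domain), renders the Flex WORM command quoted above for a list that passes, and shows an illustrative nftables equivalent of the air-gap behaviour (inbound only from the allowed subnets, outbound only to the IRE domain and to the production MSDP and primary server ports). The nftables translation is a hypothetical rendering for understanding the rules, not what the appliance installs, and all addresses are constructed from RFC 5737 documentation ranges.

```python
"""Added example (not NetBackup or Flex appliance code): model the IRE network
isolation described above, validate an allow-subnets list before applying it,
and render the resulting host policy as an illustrative nftables ruleset.
All addresses below are constructed (RFC 5737 documentation ranges)."""
import ipaddress

# Ports named in the text.
PRODUCTION_MSDP_PORTS = (10082, 10102)   # IRE MSDP -> production MSDP
PRIMARY_SERVER_PORT = 1556               # IRE MSDP -> production primary server


def parse_networks(entries):
    """Accept subnets ('192.0.2.0/24') and single hosts ('192.0.2.10')."""
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def check_allow_list(allow_entries, ire_domain_subnets, required_hosts):
    """Apply the two Note rules: every required host (primary, media servers,
    DNS) must be covered, and no entry may come from outside the IRE domain.
    Returns a list of problem strings; an empty list means the list is acceptable."""
    allowed = parse_networks(allow_entries)
    domain = parse_networks(ire_domain_subnets)
    problems = []
    for net in allowed:
        inside = any(net.version == d.version and net.subnet_of(d) for d in domain)
        if not inside:
            problems.append(f"{net} is outside the IRE domain")
    for role, host in required_hosts.items():
        addr = ipaddress.ip_address(host)
        if not any(addr in net for net in allowed):
            problems.append(f"{role} {host} is not in the allowed subnet list")
    return problems


def allow_subnets_command(allow_entries):
    """Render the Flex WORM command quoted in the text for a validated list."""
    return "setting ire-network-control allow-subnets subnets=" + ",".join(allow_entries)


def render_nftables(allow_entries, production_msdp, production_primary):
    """Illustrative nftables equivalent of the air-gap behaviour described above
    (hypothetical translation, not what the appliance actually installs):
    inbound only from the allowed IRE subnets, outbound only to the IRE domain
    and to the production MSDP/primary ports, everything else dropped. Return
    traffic for connections the IRE MSDP server opened is matched by ct state."""
    lines = [
        "table inet ire_air_gap {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    lines += [f"    ip saddr {e} accept" for e in allow_entries]
    lines += [
        "  }",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
    ]
    lines += [f"    ip daddr {e} accept" for e in allow_entries]
    ports = ", ".join(str(p) for p in PRODUCTION_MSDP_PORTS)
    lines.append(f"    ip daddr {production_msdp} tcp dport {{ {ports} }} accept")
    lines.append(f"    ip daddr {production_primary} tcp dport {PRIMARY_SERVER_PORT} accept")
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


# Constructed IRE domain: one /24 holding the primary, a media server and DNS.
IRE_DOMAIN = ["192.0.2.0/24"]
REQUIRED_HOSTS = {"primary": "192.0.2.10", "media": "192.0.2.11", "dns": "192.0.2.53"}
GOOD_LIST = ["192.0.2.0/24"]
BAD_LIST = ["192.0.2.10", "198.51.100.0/24"]   # misses media/DNS, includes an outside subnet
PRODUCTION_MSDP, PRODUCTION_PRIMARY = "203.0.113.20", "203.0.113.10"

if __name__ == "__main__":
    for name, lst in (("good", GOOD_LIST), ("bad", BAD_LIST)):
        problems = check_allow_list(lst, IRE_DOMAIN, REQUIRED_HOSTS)
        print(name, "->", problems or "ok: " + allow_subnets_command(lst))
    print(render_nftables(GOOD_LIST, PRODUCTION_MSDP, PRODUCTION_PRIMARY))
```

Run the check against the real IRE subnet plan before issuing the allow-subnets command; a host-only entry such as the primary server's address passes the domain check but still fails if the media servers or the DNS server are left uncovered, which is exactly the case the Note warns about.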