2 Replies. Latest reply: Jan 29, 2012 7:07 AM by DanyC

    Restrict access to Exadata instances

    DanyC
      Hi,

      In case you are running multiple instances on an Exadata machine serving different departments, what is the best way to restrict the access based on a subnet?

      Although I will have different service names, there will be no VLANs in place.

      Cheers,
      Dani
        • 1. Re: Restrict access to Exadata instances
          Marc Fielding
          Hi Dani,

          Since you're running completely separate database instances, I can think of a few ways to do this:

          - Separate listeners, using sqlnet.ora TCP.VALIDNODE_CHECKING and TCP.INVITED_NODES to restrict who can connect
          - Separate listeners for each database and instance, combined with network-level firewalling (although I wouldn't recommend host-based firewalling on Exadata database servers)
          - DB login trigger to disconnect sessions who are using the wrong subnet/service combination
          - Implement Oracle Database Firewall, or a comparable third-party product, and create IP- and service-name-based policies

          Marc
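The login-trigger option from the list above, sketched as an added example that is not part of the original reply. The table name, trigger name, service names and subnet prefixes are hypothetical, and simple prefix matching only covers subnets that fall on an octet boundary (such as a /24).

```sql
-- Added example: all object names, service names and subnets are constructed.
-- Map each service to the client address prefixes allowed to use it.
CREATE TABLE sec_service_subnet (
  service_name VARCHAR2(64) NOT NULL,
  ip_prefix    VARCHAR2(16) NOT NULL   -- '10.10.1.' stands for 10.10.1.0/24
);

INSERT INTO sec_service_subnet VALUES ('FINANCE_SVC', '10.10.1.');
INSERT INTO sec_service_subnet VALUES ('HR_SVC',      '10.10.2.');
COMMIT;

CREATE OR REPLACE TRIGGER trg_restrict_subnet
AFTER LOGON ON DATABASE
DECLARE
  v_ip      VARCHAR2(256) := SYS_CONTEXT('USERENV', 'IP_ADDRESS');
  -- Assumption: no domain suffix is appended to the service name; if
  -- db_domain is set, store the fully qualified name in the table instead.
  v_service VARCHAR2(256) := UPPER(SYS_CONTEXT('USERENV', 'SERVICE_NAME'));
  v_listed  PLS_INTEGER;
  v_allowed PLS_INTEGER;
BEGIN
  -- Local (bequeath) sessions report no client IP and are left alone.
  IF v_ip IS NOT NULL THEN
    SELECT COUNT(*),
           COUNT(CASE WHEN v_ip LIKE ip_prefix || '%' THEN 1 END)
      INTO v_listed, v_allowed
      FROM sec_service_subnet
     WHERE service_name = v_service;

    -- Services with no rows in the table are not restricted; a listed
    -- service rejects any client outside its allowed prefixes.
    IF v_listed > 0 AND v_allowed = 0 THEN
      RAISE_APPLICATION_ERROR(-20001,
        'Connection from ' || v_ip || ' not permitted on service ' || v_service);
    END IF;
  END IF;
END;
/
-- Accounts holding ADMINISTER DATABASE TRIGGER (DBAs) are not blocked by an
-- error raised in a logon trigger, so this does not constrain them.
```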
          • 2. Re: Restrict access to Exadata instances
            DanyC
            Hi Marc,

            Thank you very much for your reply.

            I did more research and I guess Oracle Database Firewall can be replaced with Connection Manager.

            For you and others who might come across this thread, let me share my findings; I hope they will be useful.

            https://sites.google.com/site/connectassysdba/oracle-rac-11-2-multiple-listener

            http://arup.blogspot.com/2011/08/setting-up-oracle-connection-manager.html

            http://levipereira.wordpress.com/2011/10/22/how-configure-multiples-public-network-an-grid-infrastructure-11g-r2-11-2-environment/

            Dani