Thanks for the question, Ossama.
Asked: October 14, 2020 - 1:25 pm UTC
Answered by: Connor McDonald - Last updated: October 27, 2020 - 2:00 am UTC
Category: Database Administration - Version: - DB 12.1 - Zone O.S is Solaris Sparc : 11.4
We have a customer who deployed multiple databases on the same supercluster zone and required full segregation between each database.
Here let's talk about one of the zones, which has 2 databases and requires full network segregation between them.
We configured for each database a separate network with a different subnet on the cluster and, for sure, different SCAN IPs and VIPs.
Everything went smoothly except the connectivity between the databases in the same zone, so we agreed to implement TCP.EXCLUDED_NODES to prevent each database from connecting to the other. The problem is that it is not working: database A can still connect to B and vice versa. We did a test between databases in different zones, and there the parameter "TCP.EXCLUDED_NODES" works properly.
My question is: why is it not working with two databases in the same zone?
- DB 12.1
- Zone O.S is Solaris Sparc : 11.4
- (2) Containers with (2) different databases in the same zone; we need to stop DB access from one DB to the other
and we said...
I don't have a Supercluster floating around :-) or any Solaris machines for that matter, so the best I can do is give you conjectures. (Support are probably a better option here)
Check your listener.log for those db link connections that are coming through and should not.
- Is it possible they are coming via bequeath, thus skipping the TCP restrictions?
- The log also tells you what actual host was specified in the connect. Double check that the oracle account (or whatever the database is running as) resolves this correctly to the IP address blocked.
And is this RAC? For RAC, you need a complete stop/start of VIP listeners to modify/set these parameters.
Others (with a supercluster :-)) are welcome to add their experiences.
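
One way to run the listener.log check suggested in the answer, as an added example that is not part of the original thread: it lists connections the listener accepted even though their source address is on the TCP.EXCLUDED_NODES list, and reports whether TCP.VALIDNODE_CHECKING is switched on. The sqlnet.ora content, addresses, host name, service name and log lines are constructed for illustration, and the log is assumed to be in the classic text listener.log layout.

```python
import ipaddress
import re

# Constructed sqlnet.ora content (addresses and host name are made up).
SQLNET_ORA = """\
TCP.VALIDNODE_CHECKING = YES
TCP.EXCLUDED_NODES = (10.10.1.21, dba-vip.example.internal)
"""
# Constructed listener.log entries:
# timestamp * connect data * protocol info * event * service * return code
LISTENER_LOG = """\
14-OCT-2020 13:25:01 * (CONNECT_DATA=(SERVICE_NAME=DBB)(CID=(PROGRAM=oracle)(HOST=zone1)(USER=oracle))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.10.1.21)(PORT=41234)) * establish * DBB * 0
14-OCT-2020 13:26:40 * (CONNECT_DATA=(SERVICE_NAME=DBB)(CID=(PROGRAM=sqlplus)(HOST=app7)(USER=app))) * (ADDRESS=(PROTOCOL=tcp)(HOST=10.20.5.9)(PORT=50211)) * establish * DBB * 0
"""
ENTRY = re.compile(
    r"^(?P<ts>\S+ \S+) \* .*?\(ADDRESS=\(PROTOCOL=(?P<proto>\w+)\)"
    r"\(HOST=(?P<host>[^)]+)\).*? \* establish \* (?P<svc>\S+) \* (?P<rc>\d+)$")

def parse_sqlnet(text):
    """Return (validnode_checking_enabled, excluded networks, unresolved names)."""
    params = {}
    for line in text.splitlines():
        if "=" in line and not line.lstrip().startswith("#"):
            key, value = line.split("=", 1)
            params[key.strip().upper()] = value.strip()
    enabled = params.get("TCP.VALIDNODE_CHECKING", "NO").upper() == "YES"
    nets, names = [], []
    for item in params.get("TCP.EXCLUDED_NODES", "").strip("() ").split(","):
        item = item.strip()
        try:
            nets.append(ipaddress.ip_network(item, strict=False))
        except ValueError:
            if item:  # host name: resolve it as the database OS user
                names.append(item)
    return enabled, nets, names

def accepted_from_excluded(log_text, nets):
    """List (timestamp, source, service) for accepted connects from excluded IPs."""
    hits = []
    for line in log_text.splitlines():
        m = ENTRY.match(line)
        if not m or m["rc"] != "0":
            continue
        try:
            src = ipaddress.ip_address(m["host"])
        except ValueError:
            continue  # source logged as a name, not an address
        if any(src in net for net in nets):
            hits.append((m["ts"], m["host"], m["svc"]))
    return hits
```

Any host names returned in the third element still have to be resolved from the account the database runs as, which is the second check the answer describes.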