ipmi access

Brian Dickson brian.peter.dickson at gmail.com
Mon Jun 2 17:20:51 UTC 2014


Here's one useful method, which depends on having appropriate subnet and
VLAN capabilities.

Have all hosts at a given site have their main interface do dot1q (switch
config trunked port).
The ipmi interfaces will be on one VLAN (put those ports in that VLAN).
The first VLAN is the public routed subnet. The router needs to be
configured with this VLAN.
The second VLAN is the IPMI, and is NOT CONFIGURED ON THE ROUTER.

This second VLAN has only hosts and IPMIs. No connectivity to the world,
period.
(Be sure IP packet forwarding is disabled on the hosts!)

On (some subset of) the hosts' main interface, run suitable remote KVM-ish
protocol.
For instance, use ssh with X forwarding, and/or VNC (or XVNC), and whatever
local IPMI client thing you want (browser).

Connecting to ipmi is by IP on the second VLAN (or by name, left as an
exercise for the reader.)

Avoids ACL fiddling, is as secure as your host access method (but no more
secure, obviously).
YMMV.

Brian
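A host-side check for the isolation this design relies on, added here as an example and not part of Brian's post: it takes the JSON shape of `ip -j route show` (the sample below is constructed) plus the value of net.ipv4.ip_forward, and flags anything that would let traffic leave the IPMI VLAN through the host. Interface names (eth0.100 public, eth0.200 IPMI) and subnets are assumptions.

```python
import ipaddress
import json

# Constructed sample in the JSON shape of `ip -j route show`: eth0.100 is the
# public (routed) VLAN, eth0.200 the IPMI VLAN that must stay link-local only.
SAMPLE_ROUTES_JSON = json.dumps([
    {"dst": "default", "gateway": "203.0.113.1", "dev": "eth0.100",
     "protocol": "static", "flags": []},
    {"dst": "203.0.113.0/24", "dev": "eth0.100", "protocol": "kernel",
     "scope": "link", "prefsrc": "203.0.113.10", "flags": []},
    {"dst": "10.255.0.0/24", "dev": "eth0.200", "protocol": "kernel",
     "scope": "link", "prefsrc": "10.255.0.10", "flags": []},
])


def audit_ipmi_isolation(routes, ipmi_dev, ipmi_subnet, ip_forward):
    """Return findings that break the design; an empty list means the host conforms."""
    routes = json.loads(routes) if isinstance(routes, str) else routes
    ipmi_net = ipaddress.ip_network(ipmi_subnet)
    findings = []
    # The post's key requirement: hosts must not forward between the two VLANs.
    if int(ip_forward) != 0:
        findings.append("net.ipv4.ip_forward=1: host could route public <-> IPMI")
    for r in routes:
        dev, dst = r.get("dev"), r.get("dst", "")
        if dev == ipmi_dev:
            # Only the connected IPMI subnet may sit on the IPMI VLAN interface.
            if dst == "default" or "gateway" in r:
                findings.append(f"{dev}: gateway route {dst} leaves the IPMI VLAN")
            elif ipaddress.ip_network(dst, strict=False) != ipmi_net:
                findings.append(f"{dev}: unexpected route {dst}")
        elif dst != "default":
            # Any other interface reaching IPMI space is a path around the isolation.
            try:
                other = ipaddress.ip_network(dst, strict=False)
            except ValueError:
                continue
            if other.overlaps(ipmi_net):
                findings.append(f"{dev}: route to IPMI space {dst}")
    if not any(r.get("dst") == "default" and r.get("dev") != ipmi_dev for r in routes):
        findings.append("no default route via the public VLAN interface")
    return findings


if __name__ == "__main__":
    for finding in audit_ipmi_isolation(SAMPLE_ROUTES_JSON, "eth0.200", "10.255.0.0/24", 0):
        print(finding)
```

On a real host, feed it `ip -j route show` and `cat /proc/sys/net/ipv4/ip_forward`; it only reads the routing table, so it does not need root.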



More information about the NANOG mailing list