[172165] in North American Network Operators' Group

Re: ipmi access

daemon@ATHENA.MIT.EDU (Chris Adams)
Mon Jun 2 09:28:42 2014

X-Original-To: nanog@nanog.org
Date: Mon, 2 Jun 2014 08:28:33 -0500
From: Chris Adams <cma@cmadams.net>
To: nanog@nanog.org
Mail-Followup-To: nanog@nanog.org
In-Reply-To: <CAH_OBieKsbZ73jruwL9f3THNH2KwU7L7p0tfvy6qfKdFkpg53Q@mail.gmail.com>
Errors-To: nanog-bounces@nanog.org

Once upon a time, shawn wilson <ag4ve.us@gmail.com> said:
> So, kinda the same idea - just put IPMI on another network and use ssh
> forwards to it. You can have multiple boxes connected in this fashion
> but the point is to keep it simple and as secure as possible (and IPMI
> security doesn't really count here :) ).

For basic IPMI, SSH forwards will work, but some of the web/Java based
KVM-over-IP on IPMI BMCs tend to not work well with that.

For IPMI things like power control and serial-over-LAN, I put the IPMI
on a separate VLAN (most semi-recent BMCs can handle a VLAN tag) and
then just use "ipmitool" on a Linux system connected to the same VLAN
(no port-forwarding or VPN required).  I only use a VPN-type setup when
I need to use a KVM console.

-- 
Chris Adams <cma@cmadams.net>
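
The setup described in this message, sketched as an added example; it is not part of the original post and not the poster's own configuration. It creates the tagged interface on the Linux admin host, tags the BMC, and wraps `ipmitool` so it refuses any target outside the management subnet. Assumptions: VLAN ID 100, subnet 10.99.0.0/24, parent NIC eth0 and LAN channel 1 are constructed values, and the function names plus the `IPMITOOL`/`IPMI_USER` overrides are hypothetical.

```sh
#!/bin/sh
# Added example. Constructed values: VLAN 100, 10.99.0.0/24, eth0, LAN channel 1.
MGMT_VLAN_ID=100
MGMT_CIDR=10.99.0.0/24
MGMT_PARENT_IF=eth0

# One-time, as root: tagged sub-interface on the admin host (needs iproute2).
setup_host_vlan() {   # $1 = this host's address on the management VLAN
    ip link add link "$MGMT_PARENT_IF" name "$MGMT_PARENT_IF.$MGMT_VLAN_ID" \
        type vlan id "$MGMT_VLAN_ID" &&
    ip addr add "$1/${MGMT_CIDR#*/}" dev "$MGMT_PARENT_IF.$MGMT_VLAN_ID" &&
    ip link set "$MGMT_PARENT_IF.$MGMT_VLAN_ID" up
}

# One-time, run locally on each server: tag the BMC's LAN channel.
setup_bmc_vlan() { ipmitool lan set 1 vlan id "$MGMT_VLAN_ID"; }

# Dotted-quad IPv4 -> integer; fails on anything malformed.
ip_to_int() (
    case $1 in ''|*[!0-9.]*|.*|*.|*..*) exit 1 ;; esac
    IFS=.; set -- $1
    [ $# -eq 4 ] || exit 1
    for o in "$@"; do
        case $o in 0?*|????*) exit 1 ;; esac   # leading zero or too long
        [ "$o" -le 255 ] || exit 1
    done
    echo "$(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))"
)

# Succeeds only if address $1 lies inside CIDR $2.
in_cidr() (
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) exit 1 ;; esac
    [ "$bits" -le 32 ] || exit 1
    ip=$(ip_to_int "$1") && net=$(ip_to_int "${2%/*}") || exit 1
    mask=$(( (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF ))
    [ $(( $ip & $mask )) -eq $(( $net & $mask )) ]
)

# ipmitool wrapper: refuses any BMC address outside the management subnet.
# -I lanplus is IPMI v2.0; -E takes the password from $IPMI_PASSWORD.
bmc() {
    host=$1; shift
    in_cidr "$host" "$MGMT_CIDR" ||
        { echo "refusing $host: not in $MGMT_CIDR" >&2; return 2; }
    ${IPMITOOL:-ipmitool} -I lanplus -H "$host" -U "${IPMI_USER:-admin}" -E "$@"
}
# e.g. bmc 10.99.0.12 chassis power status ; bmc 10.99.0.12 sol activate
```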