On Mon, Jun 2, 2014 at 8:21 AM, shawn wilson <ag4ve.us@gmail.com> wrote: [snip]
So, kinda the same idea - just put IPMI on another network and use ssh forwards to it. You can have multiple boxes connected in this fashion but the point is to keep it simple and as secure as possible (and IPMI security doesn't really count here :) ).
About that "as secure as possible" bit. If just one server gets compromised that happens to have its IPMI port plugged into this private network; the attacker may be able to pivot into the IPMI network and start unloading IPMI exploits. So caution is definitely advised, about security boundaries: in case a shared IPMI network is used, and this is a case where a Private VLAN (PVLAN-Isolated) could be considered, to ensure devices on the IPMI LAN cannot communicate with one another --- and only devices on a separate dedicated IPMI Management station subnet can interact with the IPMI LAN. -- -JH