Here's one useful method, which depends on having appropriate subnet and VLAN capabilities.

Have all hosts at a given site have their main interface do dot1q (switch config: trunked port). The IPMI interfaces will be on one VLAN (put those ports in that VLAN). The first VLAN is the public routed subnet. The router needs to be configured with this VLAN. The second VLAN is the IPMI, and is NOT CONFIGURED ON THE ROUTER. This second VLAN has only hosts and IPMIs. No connectivity to the world, period. (Be sure IP packet forwarding is disabled on the hosts!)

On (some subset of) the hosts' main interface, run a suitable remote KVM-ish protocol. For instance, use ssh with X forwarding, and/or VNC (or XVNC), and whatever local IPMI client thing you want (browser). Connecting to IPMI is by IP on the second VLAN (or by name, left as an exercise for the reader).

Avoids ACL fiddling, is as secure as your host access method (but no more secure, obviously). YMMV.

Brian
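The host side of the layout above, written out as an added example (not Brian's code or anything from the thread). The names are assumptions: trunk NIC eth0, VLAN 100 as the public routed subnet (192.0.2.0/24, gateway 192.0.2.1), VLAN 200 as the IPMI-only VLAN (10.20.0.0/24, no gateway). The script prints the iproute2/sysctl commands rather than running them, and adds the two checks the post's caveat calls for: forwarding is off, and the IPMI sub-interface carries no "via" route, so the host cannot become the router the VLAN is supposed not to have.

```sh
#!/bin/sh
# Added example for the two-VLAN IPMI layout; not code from the original post.
# Assumed names (not in the post): trunk NIC eth0, VLAN 100 = public routed
# subnet, VLAN 200 = IPMI-only, IPMI subnet 10.20.0.0/24 with no gateway.

# Print the commands that put one host on both VLANs over a single trunked
# port. Output is printed, not executed, so it can be reviewed unprivileged
# and piped to "sh" as root once it looks right.
#   vlan_commands TRUNK PUB_VID PUB_CIDR PUB_GW IPMI_VID IPMI_CIDR
vlan_commands() {
    trunk=$1; pub_vid=$2; pub_cidr=$3; pub_gw=$4; ipmi_vid=$5; ipmi_cidr=$6
    cat <<EOF
ip link set dev $trunk up
ip link add link $trunk name $trunk.$pub_vid type vlan id $pub_vid
ip addr add $pub_cidr dev $trunk.$pub_vid
ip link set dev $trunk.$pub_vid up
ip route add default via $pub_gw dev $trunk.$pub_vid
ip link add link $trunk name $trunk.$ipmi_vid type vlan id $ipmi_vid
ip addr add $ipmi_cidr dev $trunk.$ipmi_vid
ip link set dev $trunk.$ipmi_vid up
sysctl -w net.ipv4.ip_forward=0
sysctl -w net.ipv4.conf.all.forwarding=0
sysctl -w net.ipv6.conf.all.forwarding=0
EOF
}

# The post's caveat: a host with a leg in both VLANs becomes a router into
# the IPMI VLAN if forwarding is on. Returns 0 only when the sysctl file
# reads "0". The path is a parameter so it can be checked against a
# constructed file as well as the live /proc entry.
forwarding_disabled() {
    [ "$(cat "${1:-/proc/sys/net/ipv4/ip_forward}")" = "0" ]
}

# Second check: the IPMI sub-interface may only carry its connected subnet.
# Reads "ip route" output on stdin; returns 1 if any route with a "via"
# next hop uses the named interface (a default route there would mean
# someone put a router on the IPMI VLAN after all).
#   ip route | ipmi_if_unrouted eth0.200
ipmi_if_unrouted() {
    awk -v ifn="$1" '
        /(^| )via / { for (i = 1; i < NF; i++) if ($i == "dev" && $(i+1) == ifn) bad = 1 }
        END { exit bad }'
}

# Constructed sample "ip route" output for the demo (not from a real host).
SAMPLE_ROUTES='default via 192.0.2.1 dev eth0.100
192.0.2.0/24 dev eth0.100 proto kernel scope link src 192.0.2.10
10.20.0.0/24 dev eth0.200 proto kernel scope link src 10.20.0.10'

if [ "${1:-}" = "demo" ]; then
    vlan_commands eth0 100 192.0.2.10/24 192.0.2.1 200 10.20.0.10/24
    if printf '%s\n' "$SAMPLE_ROUTES" | ipmi_if_unrouted eth0.200; then
        echo "eth0.200: no via routes, OK"
    else
        echo "eth0.200: has a via route, IPMI VLAN is reachable beyond this host" >&2
    fi
fi
```

Run with `sh script.sh demo` to see the generated commands and the route check against the constructed table; on a live host, `forwarding_disabled` with no argument reads /proc directly and `ip route | ipmi_if_unrouted eth0.200` checks the real table. The checks deliberately cover the two ways the isolation silently breaks: forwarding turned back on by some other package, or a "via" route added to the IPMI leg.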
participants (1)
-
Brian Dickson