
Where do you recommend situating the IP addresses of iLO (remote consoles etc.) of the corporate servers? Creating some internal LAN subnet behind NAT, or choosing IP addresses and protecting them with ACLs?

Thank you.

John

2 Answers


While it's tempting to have a completely separate network that is unreachable to put your iLO (etc.) on, I personally think that the benefits of having it accessible outweigh the security concerns.

I think the best practice would be to put it on a separate VLAN and restrict access to that VLAN. The key here is to not forget about remote access. You want to be able to get to your stuff at 3am.

The other thing here, if we're talking about iLO specifically, is monitoring. If you're using iLO, I'd highly recommend getting HP SIM. If it can talk to both the iLO and the box, it can get a ton of info and do things like file support calls with HP for you.

Hyppy mentions OOB management, which makes complete sense for your networking equipment, but has much less benefit for the servers themselves (imho).

Chris
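One way the "separate VLAN, restrict access, keep remote access and monitoring working" approach can look on a Cisco IOS layer-3 switch. This is an added example, not configuration from the answer's author; the VLAN number, the 10.0.200.0/24 iLO subnet, the 10.0.50.0/24 VPN/admin pool and the 10.0.60.10 HP SIM host are constructed placeholders.

```cisco
! Constructed example: dedicated VLAN for iLO interfaces, reachable only
! from the admin/VPN pool and the HP SIM monitoring host.
vlan 200
 name MGMT-ILO
!
ip access-list extended MGMT-ILO-OUT
 remark Admin workstations / VPN pool (constructed: 10.0.50.0/24) -> iLO web UI and SSH
 permit tcp 10.0.50.0 0.0.0.255 10.0.200.0 0.0.0.255 eq 443
 permit tcp 10.0.50.0 0.0.0.255 10.0.200.0 0.0.0.255 eq 22
 remark Integrated remote console / virtual media (check the ports for your iLO firmware)
 permit tcp 10.0.50.0 0.0.0.255 10.0.200.0 0.0.0.255 eq 17988
 permit tcp 10.0.50.0 0.0.0.255 10.0.200.0 0.0.0.255 eq 17990
 remark HP SIM server (constructed: 10.0.60.10) polls iLO over SNMP and HTTPS
 permit udp host 10.0.60.10 10.0.200.0 0.0.0.255 eq snmp
 permit tcp host 10.0.60.10 10.0.200.0 0.0.0.255 eq 443
 remark Let replies to connections the iLO itself opens (NTP, syslog, SNMP traps) come back
 permit tcp any 10.0.200.0 0.0.0.255 established
 permit udp any eq ntp 10.0.200.0 0.0.0.255
 remark Everything else headed into the iLO VLAN is dropped and logged
 deny ip any any log
!
interface Vlan200
 description iLO management SVI (gateway for the iLO NICs)
 ip address 10.0.200.1 255.255.255.0
 ! "out" on the SVI filters traffic routed INTO VLAN 200, i.e. access to the iLOs
 ip access-group MGMT-ILO-OUT out
!
! Access ports the iLO NICs plug into: untagged members of the management VLAN only
interface range GigabitEthernet1/0/1 - 12
 description iLO ports
 switchport mode access
 switchport access vlan 200
 spanning-tree portfast
```

The ACL is applied outbound on the VLAN 200 SVI because that direction is traffic being routed toward the iLO hosts; applying it inbound would instead filter what the iLOs themselves send. Adjust the source subnets to whatever your VPN concentrator hands out so the 3am access Chris mentions still works.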

You should probably create an Out-Of-Band Management network. Best practices generally state to create a physically AND logically separate network for all management access like iLO, infrastructure monitoring, etc. Old 100Mbit switches will do just fine.

Hyppy
  • There's really no reason that this can't be done with VLANs on your production network hardware. "Old switches" just sound like a failure waiting to happen, and you might not even know it happened until you try to use it (which might be when you really need it). Unless you also install a production-grade monitoring system on this physically separate network? And if you do a lot of remote-media installations over iLO, you may want the GBit connections. – mfinni Mar 23 '11 at 13:27
  • The reason to have your management completely physically out-of-band is to be able to access your gear through management ports when the production network goes down. If the switch with the VLAN that contains your management network goes TU, then you're SOL. If the management network is separate and dies as you describe, then production isn't affected. – Hyppy Mar 23 '11 at 13:30
  • We've definitely got different philosophies on this, then. If the prod network goes down, who cares if you can get to the servers' iLO cards? Build the necessary redundancy into your prod LAN, too. Now, a separate management network *for your network gear itself* I can totally get on board with. Console servers, async connections for dial-in if needed, etc. - sure. – mfinni Mar 23 '11 at 13:32
  • If my production network goes down, I would be supremely grateful to be able to access my core switch's console port. Out of band management saved me quite a few convoys for this very reason. Here's a writeup of the basic idea: http://en.wikipedia.org/wiki/Out-of-band_management – Hyppy Mar 23 '11 at 13:33
  • Entirely agreed. – mfinni Mar 23 '11 at 13:34