Monday, April 23, 2012

Sharing IPMI IP with the host

The page linked below is a discussion of the problem of an IPMI board sharing an IP with the host:
http://serverfault.com/questions/259792/how-does-ipmi-sideband-share-the-ethernet-port-with-the-host

Here I take a few notes and translate.

  • Sharing Ethernet means that LAN1 appears to have 2 MAC addresses (the IPMI interface, the standard Broadcom NIC).
  • Traffic to the IPMI interface is magically intercepted below the operating system level and never seen by whatever OS is running.

Downsides of sharing the IP between IPMI and the OS host
  • It's particularly difficult to partition the IPMI interface onto a separate subnet in a secure manner.
  • The latest IPMI cards now support assigning a VLAN to the IPMI NIC, so you can get some semblance of separation - but the underlying OS could always sniff the traffic for that VLAN.
  • Older BMC controllers don't allow changing the VLAN at all, although tools like ipmitool or ipmicfg will ostensibly let you change it, it just doesn't work.
  • You're centralizing your failure points on the system. Doing configuration on a switch and manage to cut yourself off somehow? And, you've now cut off the primary network connection to your server AND the backup via IPMI. NIC hardware fail? Same problem.

According to this article's explanation, it is not recommended that we try to share the IP between IPMI and the host.
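
The VLAN points above can be checked by reading the BMC's LAN settings back after a change. The following Python sketch is an added example, not from the original post or the linked discussion: it parses `ipmitool lan print` output (a constructed sample is embedded) and flags an untagged BMC, a VLAN setting that did not take effect, and a BMC address inside the host subnet. The function names, sample addresses and expected VLAN 100 are assumptions.

```python
import ipaddress

# Constructed sample of `ipmitool lan print 1` output (not from a real system).
SAMPLE_LAN_PRINT = """\
IP Address Source       : Static Address
IP Address              : 192.0.2.50
Subnet Mask             : 255.255.255.0
MAC Address             : 02:00:00:aa:bb:01
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
"""

def parse_lan_print(text):
    """Parse 'Key : Value' lines; split on the first colon so MACs survive."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip():  # skip continuation lines with an empty key
            fields[key.strip()] = value.strip()
    return fields

def audit_shared_bmc(lan_print, host_cidr, expected_vlan):
    """Return findings for a BMC that shares its Ethernet port with the host."""
    fields = parse_lan_print(lan_print)
    findings = []
    vlan = fields.get("802.1q VLAN ID", "Disabled")
    if vlan.lower() == "disabled":
        findings.append("BMC traffic is untagged on the shared port")
    elif vlan != str(expected_vlan):
        # Older BMCs may accept a VLAN change without applying it.
        findings.append(f"BMC VLAN is {vlan}, expected {expected_vlan}")
    bmc_ip = ipaddress.ip_address(fields["IP Address"])
    host_net = ipaddress.ip_network(host_cidr, strict=False)
    if bmc_ip in host_net:
        findings.append(f"BMC address {bmc_ip} is inside host subnet {host_net}")
    return findings

if __name__ == "__main__":
    # Hypothetical host address and management VLAN.
    for finding in audit_shared_bmc(SAMPLE_LAN_PRINT, "192.0.2.10/24", 100):
        print("FINDING:", finding)
```

An empty result only means the VLAN and subnet settings read back as intended; as noted above, the host OS on the shared port could still sniff that VLAN.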