I am managing a co-located server which has been rebooted and has not turned back on. It is in a data center and difficult to access; as such, I am looking at Intel's RMM4 (compatible with the server board) as a solution.

Do I have to run two cables from the ISP's switch, or is there a way to split a single cable? I assume that the IPMI BMC needs to have its own IP address?

Please note that the server is a computation server which is connected to a shared firewall and has a virtualized network (firewall + virtual servers), and as such has one Ethernet cable connected to it.

Also, what are the security implications of IPMI BMC and how is it best secured? I understand that Intel allows limiting access by IP address; is there anything else I should be aware of or do?

Greg
  • Technically, if you only wanted a FastEthernet (100Mbps) connection to each device then you could split the cable, but nobody does this... so don't do this. You need two cables and two switch ports. – joeqwerty Mar 17 '16 at 21:29

1 Answer

Depending on the platform (e.g., I've seen this with the Intel S2600GZ and similar systems), you can configure the RMM4 to use one of the first two onboard LAN ports, or the dedicated RMM4 port.

These show up as IPMI LAN channels 1-3, the first two being onboard Ethernet, the last being the dedicated port.

In short, you will still need a unique IP address for the RMM4 controller, but you can get away with just the one cable.

HOWEVER: you really don't want to run the RMM4 on a public-facing IP address if you can avoid it, as a compromise of this can easily result in a complete compromise of your server (they effectively have remote console access). So while this is possible, you'd be much better off running a firewall device in front of your server, having the IPMI/RMM4 and server connect to that, and then using a VPN to control access to the RMM4 management interfaces.

Daniel Lawson
  • Would you VPN into the firewall or into a device behind the firewall? Which method is used in the industry / is recommended? – Greg Sep 05 '16 at 08:24
  • You can't VPN direct to the RMM4/IPMI controller; at least not in any I've seen. You could VPN direct to the host OS, however the point of IPMI controllers is that you get out of band access to the host. If you want to maintain out of band access to the host, you need a connection method that's independent of the host OS - so the VPN terminates on the firewall, and from there you can route to the RFC1918 IP you gave your RMM/IPMI/etc controller. – Daniel Lawson Sep 05 '16 at 21:51
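
An audit check for the advice in the answer above, added here as an example and not part of the original thread: it reads `ipmitool lan print <channel>` output and reports whether the BMC address on that LAN channel is RFC1918, public, or unset. It assumes `ipmitool` is installed on the host OS; the function names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread). Classifies the BMC address found in
# `ipmitool lan print <channel>` output read from stdin.
# Prints one of: private (RFC1918), public, unset.
bmc_ip_scope() {
    # Match the "IP Address" line only, not "IP Address Source".
    ip=$(awk -F': *' '/^IP Address *:/ { print $2; exit }' | tr -d '[:space:]')
    case "$ip" in
        ""|0.0.0.0)                            echo unset ;;
        10.*|192.168.*)                        echo private ;;
        172.1[6-9].*|172.2[0-9].*|172.3[01].*) echo private ;;
        *)                                     echo public ;;
    esac
}

# Walk the three LAN channels named in the answer (1-2 onboard, 3 dedicated).
# Needs ipmitool and BMC access from the host OS; not called by default.
audit_channels() {
    for ch in 1 2 3; do
        scope=$(ipmitool lan print "$ch" 2>/dev/null | bmc_ip_scope)
        echo "channel $ch: $scope"
    done
}

# Constructed sample of `ipmitool lan print` output so the check runs offline.
sample_lan_print() {
    cat <<'EOF'
Set in Progress         : Set Complete
IP Address Source       : Static Address
IP Address              : 10.20.30.40
Subnet Mask             : 255.255.255.0
MAC Address             : 00:00:5e:00:53:01
Default Gateway IP      : 10.20.30.1
EOF
}

echo "sample channel: $(sample_lan_print | bmc_ip_scope)"
```

A channel reported as `public` is the case the answer warns about. A `private` result only confirms the addressing, so the firewall rules and the VPN termination still need to be reviewed separately.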