Best practice on IPMI/iDRAC/ILO?
-
Have been using Avocent IP KVM switches for a long time but am looking to transition to IPMI/iDRAC/ILO. What is best practice for setting this up?
Most servers have a dedicated LAN port for this. Should I build a separate LAN and hook up the machines to that? Or a VLAN?
How about the machines that don't have a dedicated port?
How should I handle login/password for the machines? How about SSL certificates? And how about the security when accessing off site?
Also, just as with KVM switches, a lot of the remote console software is Java-based and sometimes requires older versions and different security settings. Should I have a dedicated machine on location so I can have local access (similar to a KVM switch) and also remote into it with the correct software already set up?
Supermicro comes with fully functional IPMI but HP and Dell come with crippled iLO/iDRAC. How much is it to license each server from HP/Dell so you get remote console & remote media capability?
I'd really like to get some input on this. I have three locations where I'm thinking about this. One has maybe 25 servers and another with 5-6 servers and also 2 servers at a colocation datacenter.
-
@pete-s said in Best practice on IPMI/iDRAC/ILO?:
Most servers have a dedicated LAN port for this. Should I build a separate LAN and hook up the machines to that? Or a VLAN?
Their own network is fine, but often overkill. A VLAN is plenty; it's low traffic, so there's zero need for a separate physical network.
This is one of those cases where a VLAN is totally acceptable. Just weigh the pros and cons of the extra effort and the little security it provides, and the effort to manage access to that VLAN. But as it is a pure management OOB VLAN, it's definitely one of the better use cases for that.
-
@pete-s said in Best practice on IPMI/iDRAC/ILO?:
How about the machines that don't have a dedicated port?
This CAN be VLAN'd but makes doing so much more of a pain and defeats much of the purpose. This is one of the many reasons that people rarely do this today.
-
@pete-s said in Best practice on IPMI/iDRAC/ILO?:
How should I handle login/password for the machines? How about SSL certificates? And how about the security when accessing off site?
Login / password in KeePass or whatever tool you want. Make them HARD.
SSL certs aren't needed, it's all internal and only for the IT department.
What is the off site scenario in question?
-
@pete-s said in Best practice on IPMI/iDRAC/ILO?:
Also, just as with KVM switches, a lot of the remote console software is Java-based and sometimes requires older versions and different security settings. Should I have a dedicated machine on location so I can have local access (similar to a KVM switch) and also remote into it with the correct software already set up?
At most, just a VM.
-
@pete-s said in Best practice on IPMI/iDRAC/ILO?:
Supermicro comes with fully functional IPMI but HP and Dell come with crippled iLO/iDRAC. How much is it to license each server from HP/Dell so you get remote console & remote media capability?
Few hundred. More than it should, but not terrible. Major benefit to SuperMicro, though.
-
@scottalanmiller said in Best practice on IPMI/iDRAC/ILO?:
@pete-s said in Best practice on IPMI/iDRAC/ILO?:
How about the machines that don't have a dedicated port?
This CAN be VLAN'd but makes doing so much more of a pain and defeats much of the purpose. This is one of the many reasons that people rarely do this today.
Usually shared ports can be tagged from within the OOB interface. iLO definitely lets you apply a VLAN tag.
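The VLAN tagging described in this post, together with the earlier reply recommending a dedicated management VLAN, as an added example that is not part of the thread or any poster's own tooling: a Python script that parses the text `ipmitool lan print <channel>` prints, audits it against a small site policy and emits the `ipmitool lan set` commands to bring the BMC into line (static address, VLAN tag). It goes one step beyond the thread by also checking cipher suite 0, which IPMI 2.0 permits with no authentication or integrity, and the default SNMP community. The sample output, VLAN ID 100, the 10.99.0.0/24 addresses, channel 1 and the community string are all assumptions made for the example.

```python
"""Audit a BMC's LAN channel against an out-of-band management policy.

Added example (not from the thread). It parses the text that
`ipmitool lan print <channel>` prints and emits the `ipmitool lan set`
commands needed to put the BMC on the management VLAN with a static
address. The sample output, VLAN ID, addresses and channel number are
constructed/assumed for the example.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of a BMC still at factory defaults (DHCP, no VLAN tag,
# cipher suite 0 usable at ADMIN level, default SNMP community).
SAMPLE_LAN_PRINT = """\
Set in Progress         : Set Complete
Auth Type Support       : NONE MD2 MD5 PASSWORD
IP Address Source       : DHCP Address
IP Address              : 192.168.1.50
Subnet Mask             : 255.255.255.0
MAC Address             : 0c:c4:7a:12:34:56
SNMP Community String   : public
Default Gateway IP      : 192.168.1.1
802.1q VLAN ID          : Disabled
802.1q VLAN Priority    : 0
RMCP+ Cipher Suites     : 0,1,2,3,6,7,8,11,12
Cipher Suite Priv Max   : aaaaXXaaaXXaaXX
                        :     X=Cipher Suite Unused
                        :     a=ADMIN
"""


@dataclass
class OobPolicy:
    """Site policy for the management network (all values are assumptions)."""
    channel: int = 1                 # LAN channel number; 1 on most BMCs
    vlan_id: int = 100               # the OOB management VLAN
    ipaddr: str = "10.99.0.50"
    netmask: str = "255.255.255.0"
    gateway: str = "10.99.0.1"
    snmp_community: str = "oob-ro-example"


def parse_lan_print(text: str) -> dict[str, str]:
    """Map `ipmitool lan print` output to {field: value}.

    Continuation lines (leading whitespace, then ':') are appended to the
    previous field so the Cipher Suite Priv Max legend stays with its value.
    """
    fields: dict[str, str] = {}
    last = None
    for line in text.splitlines():
        m = re.match(r"^(\S[^:]*?)\s*:\s*(.*)$", line)
        if m:
            last = m.group(1).strip()
            fields[last] = m.group(2).strip()
        elif last and line.lstrip().startswith(":"):
            fields[last] += " " + line.split(":", 1)[1].strip()
    return fields


def audit(fields: dict[str, str], policy: OobPolicy) -> list[tuple[str, str]]:
    """Return (code, message) findings; an empty list means compliant."""
    findings: list[tuple[str, str]] = []
    vlan = fields.get("802.1q VLAN ID", "")
    if vlan != str(policy.vlan_id):
        findings.append(("vlan", f"VLAN tag is '{vlan}', policy wants {policy.vlan_id}"))
    if not fields.get("IP Address Source", "").startswith("Static"):
        findings.append(("dhcp", "address is not static; an OOB interface must not depend on DHCP"))
    if fields.get("IP Address") != policy.ipaddr:
        findings.append(("ipaddr", f"address {fields.get('IP Address')} is not the assigned {policy.ipaddr}"))
    # The first character of the priv-max string is cipher suite 0, which has
    # no authentication or integrity; anything other than 'X' means usable.
    privs = fields.get("Cipher Suite Priv Max", "").split()
    if privs and privs[0][0] != "X":
        findings.append(("cipher0", "cipher suite 0 (no authentication) is enabled"))
    if fields.get("SNMP Community String") == "public":
        findings.append(("snmp", "SNMP community is the default 'public'"))
    return findings


def remediation(findings: list[tuple[str, str]], fields: dict[str, str],
                policy: OobPolicy) -> list[str]:
    """Translate findings into `ipmitool lan set` commands. Addressing comes
    first and the VLAN tag last: the tag change drops a session that reaches
    the BMC over the current untagged path, so run this in-band if possible."""
    codes = {code for code, _ in findings}
    ch = policy.channel
    cmds: list[str] = []
    if codes & {"dhcp", "ipaddr"}:
        cmds += [f"ipmitool lan set {ch} ipsrc static",
                 f"ipmitool lan set {ch} ipaddr {policy.ipaddr}",
                 f"ipmitool lan set {ch} netmask {policy.netmask}",
                 f"ipmitool lan set {ch} defgw ipaddr {policy.gateway}"]
    if "cipher0" in codes:
        privs = fields["Cipher Suite Priv Max"].split()[0]
        cmds.append(f"ipmitool lan set {ch} cipher_privs X{privs[1:]}")  # disable suite 0 only
    if "snmp" in codes:
        cmds.append(f"ipmitool lan set {ch} snmp {policy.snmp_community}")
    if "vlan" in codes:
        cmds.append(f"ipmitool lan set {ch} vlan id {policy.vlan_id}")
    return cmds


if __name__ == "__main__":
    policy = OobPolicy()
    fields = parse_lan_print(SAMPLE_LAN_PRINT)
    found = audit(fields, policy)
    for code, msg in found:
        print(f"[{code}] {msg}")
    print("\n".join(remediation(found, fields, policy)))
```

Run the emitted commands from the host OS with `ipmitool -I open ...` (needs the ipmi_si and ipmi_devintf kernel modules) or from the serial console, not over the very LAN session you are about to retag. On a server without a dedicated port the switch port must carry the management VLAN tagged alongside the host's own VLAN, and once tagged the BMC keeps sending tagged frames even with the host powered off, which is exactly what you want for out-of-band access.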
-
@scottalanmiller Speaking of SuperMicro, where is a good source to buy their stuff?
-
You can also look here: https://supermicro.com/wheretobuy/namerica.cfm
For small accessories/misc parts https://store.supermicro.com/
-
@fateknollogee Thanks a lot!
-
We set up our Intel RMM and Dell iDRAC Enterprise KVM/IP setups on the internal LAN with a static IP address. Self-issued SSL is fine for this.
Older RMM/iDRAC units may need a legacy Win7 VM with IE9 around for those moments when they need to be managed (we keep one turned off but around for this exact reason). This is especially true with the certificate structure changes that have come through recently. Modern browsers refuse to connect to legacy web management consoles.
Rules are set up on the edge to allow both inbound and outbound packets for their services to our office IP address. VPN is another method to gain access if the edge supports it.
Username and password are both set to custom values, with the info kept in KeePass here. Make sure to change the Dell default setting! Intel gets set up in the BIOS before it allows site authentication and access.
Cost wise Dell is $300 to $450 here in Canada to license while the Intel RMM module is sub $150.
A blog post on what we do: http://blog.mpecsinc.ca/2017/06/disaster-preparedness-kvmip-usb-flash.html
We don't do SuperMicro.
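The credential advice in this post and in the earlier reply (custom username and a hard password, change the vendor default, keep the record in KeePass), as an added example that is not from the thread or any poster's own tooling: a Python script that reads `ipmitool user list <channel>` output and plans the commands to create a named administrator, then disable the factory account, while enforcing the IPMI password length limit (20 bytes under IPMI 2.0, 16 under IPMI 1.5; a longer password is rejected or silently truncated depending on the BMC). The listing, the account name `oob-admin`, channel 1, user slot 1 being reserved, the set of vendor default names and the ipmitool version that accepts the trailing 16|20 length argument are assumptions made for the example.

```python
"""Plan a BMC account-hardening pass from `ipmitool user list` output.

Added example, not from the thread. It locates the factory administrator
account, picks a free user slot, generates (or validates) a password that
fits the IPMI 2.0 limit of 20 bytes (16 for IPMI 1.5), and emits the
ipmitool commands to create a named administrator and then disable the
factory account. The listing below is constructed; the new account name,
channel number and the vendor default names are assumptions.
"""
from __future__ import annotations

import secrets
import string

# Well-known factory administrator names (Dell iDRAC: root, Supermicro: ADMIN,
# HP iLO: Administrator); treated here as "the default" (assumption).
DEFAULT_ADMIN_NAMES = {"root", "ADMIN", "Administrator"}

# Characters that pass through ipmitool and BMC web UIs without quoting
# trouble: no spaces, quotes or backslashes.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"
MIN_LENGTH = 12

# Constructed sample of `ipmitool user list 1` on a fresh Dell-style BMC.
SAMPLE_USER_LIST = """\
ID  Name             Callin  Link Auth  IPMI Msg   Channel Priv Limit
1                    true    false      false      NO ACCESS
2   root             true    true       true       ADMINISTRATOR
3                    true    false      false      NO ACCESS
4                    true    false      false      NO ACCESS
"""


def parse_user_list(text: str) -> list[dict]:
    """Parse the user table. The name column may be empty and the privilege
    column may be two words ("NO ACCESS"), so anchor on the boolean columns."""
    users = []
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].isdigit():
            continue  # header or blank line
        first_bool = next(i for i, t in enumerate(tokens) if t in ("true", "false"))
        users.append({
            "id": int(tokens[0]),
            "name": " ".join(tokens[1:first_bool]),
            "priv": " ".join(tokens[first_bool + 3:]),
        })
    return users


def max_password_length(ipmi_v2: bool) -> int:
    return 20 if ipmi_v2 else 16


def password_problem(password: str, ipmi_v2: bool = True) -> str | None:
    """Return why the BMC would reject or truncate the password, or None."""
    limit = max_password_length(ipmi_v2)
    if not password.isascii():
        return "IPMI passwords are byte strings; use ASCII only"
    if len(password) > limit:
        return f"{len(password)} bytes exceeds the {limit}-byte IPMI limit"
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    return None


def make_password(ipmi_v2: bool = True) -> str:
    """Random password using the full length the BMC allows."""
    return "".join(secrets.choice(PASSWORD_ALPHABET)
                   for _ in range(max_password_length(ipmi_v2)))


def plan_hardening(listing: str, new_name: str = "oob-admin",
                   password: str | None = None, channel: int = 1,
                   ipmi_v2: bool = True) -> dict:
    users = parse_user_list(listing)
    defaults = [u for u in users if u["name"] in DEFAULT_ADMIN_NAMES]
    # Slot 1 is the anonymous/NULL user on many BMCs; skip it (assumption).
    free = next((u for u in users if not u["name"] and u["id"] != 1), None)
    if free is None:
        raise RuntimeError("no free user slot on this channel")
    pw = password or make_password(ipmi_v2)
    problem = password_problem(pw, ipmi_v2)
    if problem:
        raise ValueError(problem)
    uid = free["id"]
    # The trailing 16|20 on `user set password` is accepted by ipmitool
    # 1.8.16 and later (assumption about the installed version).
    cmds = [
        f"ipmitool user set name {uid} {new_name}",
        f"ipmitool user set password {uid} {pw} {max_password_length(ipmi_v2)}",
        f"ipmitool user priv {uid} 4 {channel}",  # 4 = ADMINISTRATOR
        f"ipmitool channel setaccess {channel} {uid} callin=on ipmi=on link=on privilege=4",
        f"ipmitool user enable {uid}",
    ]
    # Only after logging in with the new account should the default go away.
    cmds += [f"ipmitool user disable {u['id']}" for u in defaults]
    return {"user_id": uid, "name": new_name, "password": pw,
            "disabled_defaults": [u["name"] for u in defaults],
            "commands": cmds}


if __name__ == "__main__":
    plan = plan_hardening(SAMPLE_USER_LIST)
    print(f"store in KeePass: {plan['name']} / {plan['password']}")
    print("\n".join(plan["commands"]))
```

Feed the commands through `ipmitool -I open` on the host or `-I lanplus -H <bmc> -U <user> -P <pass>` over the management VLAN, quoting the password because the alphabet includes `$` and `!`. Log in with the new account before running the final `user disable`, since some BMCs make recovering from a locked-out last administrator painful, and give every BMC its own password so a leaked KeePass entry only exposes one box.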