Security – Restrict IPMI access on Dell BMC and iDRAC to an allowed IP range


I'm trying to secure the iDRACs and BMCs on some of my Dell servers (R210, R410, R510). I want to restrict access to IPMI commands to only a few IP addresses. I've successfully restricted access to the iDRAC using the instructions from http://support.dell.com/support/edocs/software/smdrac3/idrac/idrac10mono/en/ug/html/racugc2d.htm#wp1181529 , but the IP restrictions do not affect IPMI. A separate management network is not practical at this time because of a lack of ports, and some Dell BMCs don't offer a separate port. I'm told by my networking group that our switches don't support trunking, so using VLAN tagging is not an option either.

Is there a way to restrict IPMI access to a list of allowed addresses?

FYI, for various reasons, I have a mix of Dell servers with BMC, iDRAC Express and iDRAC Enterprise management features.

Update: All of my boxes are in a switched environment. There is no NAT going on between my servers or my work desktop. I'm using ipmitool -I lanplus -H myhost -u root -p password -K sol activate to talk to the serial console over IPMI.

Update2: While I'm in a switched environment, I don't have access to change the network switches, which are managed by a different department. The networking department doesn't like setting ACLs on routers and can't/won't use VLAN tagging on our ports.

Best Answer

If you have a switched environment and you need to restrict access to IPMI, the way to do it is to make an ACL policy on the core switch; this way you can restrict access from particular networks to this subnet or service. You can use only the INPUT chain to do this. For example, if your IPMI is on 192.168.110.0/24 (VLAN1), your desktop is on 10.0.0.0/24 (VLAN2) and the isolated LAN is on 10.0.1.0/24 (VLAN3), you can set up rules as in the example below. However, if you want to restrict it within the same subnet, that is not done and cannot be done this way; the restricted client must be on a different LAN (routable IP range).

So, simply, on the core switch you can load the policy and specify:

#Rules are matched top to bottom; the first match wins
#Allow Broadcast
From Any To ff:ff:ff:ff:ff:ff Permit

#Allow Multicast
From Any To 224.0.0.0/4 Permit

#Anti-spoofing rules
From 192.168.110.0/24 to 0.0.0.0/0 VLAN1 Permit
From 0.0.0.0/0 to 192.168.110.0/24 VLAN1 Permit
From 10.0.0.0/24 to 0.0.0.0/0 VLAN2 Permit
From 0.0.0.0/0 to 10.0.0.0/24 VLAN2 Permit
From 10.0.1.0/24 to 0.0.0.0/0 VLAN3 Permit
From 0.0.0.0/0 to 10.0.1.0/24 VLAN3 Permit

#Permit IPMI from VLAN2
#You can narrow this rule to allow IPMI only
From 10.0.0.0/24 to 192.168.110.0/24 Permit
From 192.168.110.0/24 to 10.0.0.0/24 Permit

#Allow VLAN3 to VLAN2
From 10.0.1.0/24 to 10.0.0.0/24 Permit
From 10.0.0.0/24 to 10.0.1.0/24 Permit

#Block any other VLAN to VLAN communication
From 10.0.0.0/8 to 10.0.0.0/8 Deny
From 192.168.0.0/16 to 192.168.0.0/16 Deny
From 10.0.0.0/8 to 192.168.0.0/16 Deny
From 192.168.0.0/16 to 10.0.0.0/8 Deny

#Allow internet browsing for VLAN3 (destination 0.0.0.0/0)
From 10.0.1.0/24 to 0.0.0.0/0 Permit
From 0.0.0.0/0 to 10.0.1.0/24 Permit

#Deny everything else
From 0.0.0.0/0 to 0.0.0.0/0 Deny

PS: Your core switch (the router forwarding between VLANs) definitely supports this kind of ACL.
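The policy in the answer above, as an added example that is not part of the original answer: a small first-match ACL model in Python so the rule order can be checked offline before anyone asks the networking department to load it. The VLAN-to-prefix mapping is the answer's; everything else is this example's own assumption: the desktop-to-IPMI pair is narrowed to IPMI over LAN (RMCP+ on UDP 623, which is what `ipmitool -I lanplus` and SOL use), replies are matched on source port 623 because a switch ACL is stateless, broadcast is left out as a layer-2 matter, and anti-spoofing is modelled as an ingress source check rather than as permit rules, because a plain permit to or from the IPMI subnet placed first would match every IPMI packet before the narrower rules get a chance. The `Packet` and `Rule` shapes and the sample addresses are constructed for the example.

```python
"""Added example, not code from the original answer: first-match model of the
inter-VLAN ACL, narrowed to IPMI over LAN (UDP 623). VLAN/prefix mapping is the
answer's; port choice, anti-spoofing treatment and data shapes are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

IPMI_PORT = 623  # IPMI over LAN (RMCP/RMCP+), used by ipmitool lanplus and SOL

# VLAN -> prefix as in the answer. Anything else (e.g. the uplink, VLAN 0 here)
# is not in the map and gets no anti-spoofing check in this model.
VLAN_PREFIX = {
    1: ipaddress.ip_network("192.168.110.0/24"),  # IPMI / BMC subnet
    2: ipaddress.ip_network("10.0.0.0/24"),       # desktops
    3: ipaddress.ip_network("10.0.1.0/24"),       # isolated LAN
}

@dataclass(frozen=True)
class Packet:
    in_vlan: int            # VLAN the packet entered on (0 = uplink / unknown)
    src: str
    dst: str
    proto: str = "udp"
    sport: Optional[int] = None
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    action: str                  # "permit" or "deny"
    proto: Optional[str] = None  # None = any protocol
    sport: Optional[int] = None  # None = any source port
    dport: Optional[int] = None  # None = any destination port

def rule(src, dst, action, proto=None, sport=None, dport=None) -> Rule:
    return Rule(ipaddress.ip_network(src), ipaddress.ip_network(dst), action, proto, sport, dport)

# The answer's policy in order, first match wins, with the desktop <-> IPMI pair
# narrowed "to allow IPMI only" as its comment suggests (assumption: UDP 623 only).
POLICY: List[Rule] = [
    rule("0.0.0.0/0", "224.0.0.0/4", "permit"),                                # multicast
    rule("10.0.0.0/24", "192.168.110.0/24", "permit", "udp", dport=IPMI_PORT),  # IPMI requests
    rule("192.168.110.0/24", "10.0.0.0/24", "permit", "udp", sport=IPMI_PORT),  # IPMI replies
    rule("10.0.1.0/24", "10.0.0.0/24", "permit"),                              # VLAN3 <-> VLAN2
    rule("10.0.0.0/24", "10.0.1.0/24", "permit"),
    rule("10.0.0.0/8", "10.0.0.0/8", "deny"),                                  # no other VLAN to VLAN traffic
    rule("192.168.0.0/16", "192.168.0.0/16", "deny"),
    rule("10.0.0.0/8", "192.168.0.0/16", "deny"),
    rule("192.168.0.0/16", "10.0.0.0/8", "deny"),
    rule("10.0.1.0/24", "0.0.0.0/0", "permit"),                                # VLAN3 internet access
    rule("0.0.0.0/0", "10.0.1.0/24", "permit"),
    rule("0.0.0.0/0", "0.0.0.0/0", "deny"),                                    # explicit final deny
]

def is_spoofed(pkt: Packet) -> bool:
    """Anti-spoofing: a packet entering VLAN n must carry a source inside VLAN n's prefix."""
    prefix = VLAN_PREFIX.get(pkt.in_vlan)
    return prefix is not None and ipaddress.ip_address(pkt.src) not in prefix

def matches(r: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in r.src
            and ipaddress.ip_address(pkt.dst) in r.dst
            and (r.proto is None or r.proto == pkt.proto)
            and (r.sport is None or r.sport == pkt.sport)
            and (r.dport is None or r.dport == pkt.dport))

def evaluate(pkt: Packet, policy: List[Rule] = POLICY) -> str:
    """Anti-spoofing check first, then the first matching rule, then implicit deny."""
    if is_spoofed(pkt):
        return "deny"
    for r in policy:
        if matches(r, pkt):
            return r.action
    return "deny"

def shadowed(policy: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule covers them entirely."""
    out = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if (later.src.subnet_of(earlier.src) and later.dst.subnet_of(earlier.dst)
                    and earlier.proto in (None, later.proto)
                    and earlier.sport in (None, later.sport)
                    and earlier.dport in (None, later.dport)):
                out.append(j)
                break
    return out

if __name__ == "__main__":
    bmc, desktop, isolated = "192.168.110.20", "10.0.0.5", "10.0.1.7"  # constructed sample hosts
    print("desktop  -> BMC udp/623:", evaluate(Packet(2, desktop, bmc, "udp", dport=IPMI_PORT)))
    print("isolated -> BMC udp/623:", evaluate(Packet(3, isolated, bmc, "udp", dport=IPMI_PORT)))
    print("spoofed desktop source :", evaluate(Packet(3, desktop, bmc, "udp", dport=IPMI_PORT)))
    print("shadowed rule indexes  :", shadowed(POLICY))
```

Two things worth running before handing a policy to the switch team: `evaluate()` on the cases you care about (desktop to BMC on 623 permitted, the isolated LAN and the uplink denied, a packet from VLAN3 claiming a desktop source dropped by the ingress check), and `shadowed()` on the rule list. Prepending the answer's two anti-spoofing lines as literal permits makes `shadowed()` report both narrowed IPMI rules as unreachable, which is the ordering mistake a first-match ACL punishes silently. Narrowing to UDP 623 also means the iDRAC's HTTPS and SSH from the desktop VLAN now hit the 10/8-to-192.168/16 deny; if those are wanted across VLANs they need their own explicit permits ahead of it.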