the normal authentication and permission securities built into the appliance. It is recommended that such a security bypass
only be implemented for a select few situations.
For example, an SP management tool (HP SIM) residing on the production network could be allowed to communicate directly
with SPs (iLO) connected to the private ports of the appliance for the purpose of monitoring, configuration and firmware
updates, while user sessions would still not be permitted to bypass the appliance's securities: their SP interaction would
remain governed by appliance-based permissions. This could be achieved through a simple NAT or IP forward policy rule
allowing the management tool access to the SP, together with a firewall filter rule that restricts the NAT/forward rule to the
management tool's address so that users cannot exploit it to reach the SP.
The following criteria should be used to decide between a NAT rule and an IP forward rule for providing bypass access to
private hosts. An IP forward rule requires that the private IP network/subnet be unique with regard to other production
networks and even to the private networks of other appliances. If two appliances use the exact same IP network for their
private ports/hosts, an external host would be unable to make a correct routing decision between the appliances when trying
to send traffic to a private host behind one of them. The benefit of a NAT rule is that the same IP network/subnet can be
repeated for the private ports/hosts of multiple appliances without this routing conflict, because external hosts only ever
address the appliance itself. The appliance supports two forms of NAT: 1-to-1 NAT (IP masquerading) and port address
translation (PAT/NAT overload).
For successful end-to-end communication using an IP forward policy rule, the private host must treat the nearest appliance IP
as its gateway, and all external hosts must have routes (static or dynamic) that reference the private network/subnet with the
nearest appliance IP as the next hop.
NOTE: In this context, the nearest IP is the appliance IP belonging to the same network as the host or, failing that, the
closest routable appliance IP on a different network.
Network configuration changes made to eth0, eth1, bond0, br0, priv, kvm, spm, or any other bridge groups and virtual
private interfaces can affect the applicability of NAT and firewall rules. Any NAT or firewall rule that references an interface
name or address replaced by such a change must be edited to use the new name or address, or network communication
through that rule will stop working. For example, eth0/eth1 must be replaced with br0 or bond0 where applicable.
NAT flow
Traffic entering an interface (incoming) is translated according to a NAT rule before any filter rules are applied and before
any routing decision is made. Traffic exiting an interface (outgoing) is translated according to a NAT rule after filter rules
and routing decisions have been applied. Filter rules therefore see incoming traffic with its translated (private) destination
address, not the address the external host originally sent to.
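The bypass policy described earlier (a NAT rule for the management tool plus a filter rule that keeps everyone else off it) and the NAT flow ordering above are shown together in the following ruleset. It is an added illustration written in generic Linux nftables syntax, not the appliance's own rule editor or its commands; the appliance expresses the same policy in its own NAT and firewall forms. Interface names br0 and priv are taken from the interface list above, while every address, the spare alias address, the SIM host and the iLO port numbers are assumed example values.

```nft
#!/usr/sbin/nft -f
# Added example in generic nftables syntax (not appliance commands).
# Assumed values:
#   br0            production-side bridge, appliance IP 10.10.1.50
#   priv           private-port interface, appliance IP 192.168.100.1
#   10.10.1.25     HP SIM management host on the production network
#   10.10.1.51     spare production address reserved for the 1-to-1 mapping
#   192.168.100.11 iLO of a server behind the private port
#   443/17988/17990 iLO HTTPS, virtual media and remote console ports
#                  (assumed; adjust to the SP in use)

define sim_host  = 10.10.1.25
define ilo_host  = 192.168.100.11
define ilo_alias = 10.10.1.51
define prod_if   = "br0"
define priv_if   = "priv"

table ip spbypass {
    # Incoming NAT runs in prerouting: before filtering and before routing.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;

        # Form 1: 1-to-1 NAT. Every port of the alias address maps to the iLO.
        iifname $prod_if ip saddr $sim_host ip daddr $ilo_alias dnat to $ilo_host

        # Form 2: PAT/NAT overload. One appliance port maps to one iLO service.
        iifname $prod_if ip saddr $sim_host ip daddr 10.10.1.50 tcp dport 8443 dnat to 192.168.100.11:443
    }

    # The filter runs after prerouting NAT, so it sees the translated private
    # destination. Match on ilo_host here, not on the alias or appliance IP.
    chain forward {
        type filter hook forward priority filter; policy drop;

        ct state established,related accept

        # Only the management tool may use the bypass. Any user session that
        # hits the same NAT mapping arrives here with a different saddr and
        # is dropped by the chain policy.
        iifname $prod_if oifname $priv_if ip saddr $sim_host ip daddr $ilo_host tcp dport { 443, 17988, 17990 } accept

        # Weak form, deliberately NOT used: keyed on destination only, it would
        # let every production host ride the NAT mapping to the iLO.
        #   ip daddr $ilo_host accept
    }

    # Outgoing NAT runs in postrouting: after filtering and routing.
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;

        # Rewrite the source to the appliance's private address so the iLO
        # answers the appliance and needs no route to the production network.
        # This is what lets several appliances reuse the same private subnet.
        # Cost: the iLO's own logs show the appliance, not the SIM host, as
        # the client, so keep the source restriction in the forward chain.
        oifname $priv_if ip daddr $ilo_host snat to 192.168.100.1
    }
}
```

Load it with nft -f on a Linux host acting as the gateway to check the policy shape before translating it into the appliance's rule forms. For the IP forward variant, drop the prerouting and postrouting chains, keep the forward chain exactly as written, point the iLO's default gateway at 192.168.100.1, and give the SIM host (or its router) a route such as ip route add 192.168.100.0/24 via 10.10.1.50; that variant works only while no other appliance or production segment also uses 192.168.100.0/24.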
Vertiv | Avocent® Universal Management Gateway Appliance Installer/User Guide | 78