HPE Community
Operating System - HP-UX
1826333 Members
3559 Online
109692 Solutions
New Discussion

APA LAN_MONITOR without an IP address for a vswitch

 
SOLVED
Go to solution
Olivier Masse
Honored Contributor

‎10-27-2008 08:03 AM

‎10-27-2008 08:03 AM

APA LAN_MONITOR without an IP address for a vswitch

Is there a way to set up a LAN_MONITOR APA interface without being required to assign an IP address to it?

Let me explain: Under Integrity VM, I put LAN_MONITOR trunks behind my vswitches to increase their reliability. But APA needs to associate an IP address with the trunk. This is a security issue, as I want my VM host to be accessible _only_ from a specific management network and not through the interfaces dedicated to the vswitches. I can of course use IP Filter to block off that IP, but that's not elegant.

The Integrity VM security whitepaper shows off the merits of not putting an IP address on the logical interfaces. But unless I'm mistaken, I think I can't do this when I trunk them using APA. ESX is able to do this, I would expect no less from IVM.

Any suggestions?

Thanks

0 Kudos
6 REPLIES 6
Eric SAUBIGNAC
Honored Contributor

‎10-28-2008 12:52 AM

‎10-28-2008 12:52 AM

Solution

Re: APA LAN_MONITOR without an IP address for a vswitch

Bonjour Olivier,


As far as I know you must configure an IP address in LAN_MONITOR mode. You don't need an IP address in other modes : FEC_AUTO, LACP_AUTO, MANUAL. One advantage of LAN_MONITOR is that you don't need to configure anything at physical network switch side.

If you don't want any IP address on vswitch at host level, and if you can work with a network administrator, I do suggest that you create an aggregation on ethernet switch then the corresponding configuration (manual, lacp_auto or manual) in APA.

Regards

Eric
0 Kudos
Eric SAUBIGNAC
Honored Contributor

‎10-28-2008 01:33 AM

‎10-28-2008 01:33 AM

Re: APA LAN_MONITOR without an IP address for a vswitch

... something else.

I had to create some vswitchs in LAN_MONITOR mode, on hosts with multiple NIC cards. I had no problem with security, so I gave to those aggregates, and in fact to the corresponding virtual switches, IP addresses in the same network than the official IP of the host.

Then, I encountered some side effects on the host. I don't remember exactly, but troubles around ignite, sw, etc ...

The final configuration was to give IP adresses in "random" IP networks to the aggregates dedicated to the virtual switches. What I call a "random" IP network, is a subnet that doesn't exist in the addressing plan and in fact that is not routable.

I know there is still a security hole since the host will be accessible on the local network through virtual switches. What I wanted to underline is that if you can't use manual, fec or lacp mode, and can use only lan_monitor, avoid using IP adresses in the same IP network than the host.

Don't know if I am clear enough ? Poor english ... ;-(
0 Kudos
likid0
Honored Contributor

‎10-28-2008 02:54 AM

‎10-28-2008 02:54 AM

Re: APA LAN_MONITOR without an IP address for a vswitch

Hy,

Like Eric says, I had to create some vswitchs in LAN_MONITOR mode, and I used a Dummy ip with a 10.10.10.253.

Bye
Windows?, no thanks
0 Kudos
Olivier Masse
Honored Contributor

‎10-28-2008 04:41 AM

‎10-28-2008 04:41 AM

Re: APA LAN_MONITOR without an IP address for a vswitch

Eric and orange_adm, you're right! I haven't thought of that. I just have to put an RFC1918-compliant private address on the physical interface such as 192.168.x.x, no matter what vlan that interface is set to, and packets will never be routed to this address. This doesn't prevent me from assigning the valid IP addresses to the virtual interfaces.

I'll try this out. Thanks for your help!

On a side note, I prefer using LAN_MONITOR since each interface is plugged on different switches for increased reliability. I don't think I can make an LACP trunk in that scenario.

Thanks
0 Kudos
Olivier Masse
Honored Contributor

‎10-28-2008 04:42 AM

‎10-28-2008 04:42 AM

Re: APA LAN_MONITOR without an IP address for a vswitch

Closed
0 Kudos
Olivier Masse
Honored Contributor

‎10-28-2008 07:00 PM

‎10-28-2008 07:00 PM

Re: APA LAN_MONITOR without an IP address for a vswitch

Correction:

I used a "link local" address in the 169.254.0.0/24 address range instead of a private address, as this range is not allowed at all to be routed. Works great.
0 Kudos
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.