Security


Enterprise security using ClearPass Policy Management, ClearPass Security Exchange, IntroSpect, VIA, 360 Security Exchange, Extensions and Policy Enforcement Firewall (PEF).

Clearpass C2000 appliance

  • 1.  Clearpass C2000 appliance

    Posted Dec 16, 2020 08:21 PM

    This is more of a hardware question than a security question. On the C2000 hardware appliance, eth0 is both the iLO port and the management port. The customer uses iLO and it is not on the same subnet as the management network. Can we use both IP addresses on eth0, and then make the switch port that it's connected to a trunk port with both VLANs in it? If so, which VLAN would be untagged? The management VLAN, or the iLO VLAN? I'm assuming the management VLAN.

    Thanks,

    Steve



    ------------------------------
    Steve
    ------------------------------


  • 2.  RE: Clearpass C2000 appliance

    Posted Dec 17, 2020 06:33 AM

    ClearPass management IP and ILO IP can be in different subnets, but will be on the same port. You can configure a secondary IP subnet on the VLAN where the appliance is connected and then make both reachable. Alternatively (I haven't tried it, but it seems possible), configure the ILO to use a tagged VLAN. In that case, the switch port connecting to the ClearPass eth0 will have the ClearPass management network untagged and the ILO VLAN tagged; but you will need to configure the ILO to use a VLAN tag first.



    ------------------------------
    Herman Robers
    ------------------------
    If you have urgent issues, always contact your Aruba partner, distributor, or Aruba TAC Support. Check https://www.arubanetworks.com/support-services/contact-support/ for how to contact Aruba TAC. Any opinions expressed here are solely my own and not necessarily that of Hewlett Packard Enterprise or Aruba Networks.
    ------------------------------



  • 3.  RE: Clearpass C2000 appliance

    Posted Dec 18, 2020 04:20 AM

    Hi Herman,

    Is this (Mgmt/ILO on the same port) documented somewhere publicly available, or is it just general knowledge amongst engineers?



    ------------------------------
    [NesaM - ACMP|ACCP|ACDP]
    ------------------------------



  • 4.  RE: Clearpass C2000 appliance

    Posted Dec 18, 2020 04:37 AM

    I combined some generic knowledge about ClearPass with generic knowledge about ILO.

    From here you can learn that the ILO and management port are on the same physical network interface. Another similar reference here.

    Then you can see as well that the C2000 is based on HPE DL20 gen 9 hardware and that means that the ILO is just the ILO that is on these servers.

    Then I know that if you have that, the ILO and the server itself (so ClearPass) from a networking perspective are like two devices on a switch, so two MAC addresses.

    From there I searched for 'HP ILO tagged VLAN' in a search engine and that popped up the information on how to enable VLAN tagging on the ILO port.

    I didn't see an actual document combining all the same. I could not test it either as I don't have the appliance, but based on the documentation it should work as described. Please let us know if you were successful, and possibly document the steps on how to get there.



    ------------------------------
    Herman Robers
    ------------------------------



  • 5.  RE: Clearpass C2000 appliance

    Posted Dec 18, 2020 04:54 AM

    Thanks :-)

    We plan to test this early in 2021, and hopefully, I should be able to update you if it worked as expected.



    ------------------------------
    [NesaM - ACMP|ACCP|ACDP]
    ------------------------------



  • 6.  RE: Clearpass C2000 appliance

    Posted Dec 29, 2020 09:49 AM

    Herman,

    Thank you for your prompt response. I generally haven't had to deal with ILO before, so the info is helpful. We ended up using a secondary IP on the VLAN, but we are also going to test configuring ILO as the tagged VLAN. I'll send an update as soon as I have one.

    Regards,

    Steve



    ------------------------------
    Steve
    ------------------------------