This is more of a hardware question than a security question. On the C2000 hardware appliance, eth0 is both the ILO port and the management port. The customer uses ILO and it is not on the same subnet as the management network. Can we use both IP addresses on eth0, and then make the switch port that it's connected to a trunk port with both VLANs in it? If so, which VLAN would be untagged? The management VLAN, or the ILO VLAN? I'm assuming the management VLAN.
The ClearPass management IP and ILO IP can be in different subnets, but will be on the same port. You can configure a secondary IP subnet on the VLAN where the appliance is connected and then make both reachable. Alternatively (I haven't tried it, but it seems possible), configure the ILO to use a tagged VLAN. In that case, the switch port connecting to the ClearPass eth0 will have the ClearPass management network untagged and the ILO VLAN tagged; but you will need to configure the ILO to use a VLAN tag first.
Is this (Mgmt/ILO on the same port) documented somewhere publicly available, or is it just general knowledge amongst engineers?
I combined some generic knowledge about ClearPass with generic knowledge about ILO.
From here you can learn that the ILO and management port are on the same physical network interface. Another similar reference here.
Then you can see as well that the C2000 is based on HPE DL20 gen 9 hardware and that means that the ILO is just the ILO that is on these servers.
Then I know that, if you have that, the ILO and the server itself (so ClearPass) are, from a networking perspective, like two devices on a switch, so two MAC addresses.
From there I searched for 'HP ILO tagged VLAN' in a search engine and that popped up the information on how to enable VLAN tagging on the ILO port.
I didn't see an actual document combining all the same. I could not test it either as I don't have the appliance, but based on the documentation it should work as described. Please let us know if you were successful, and possibly document the steps on how to get there.
We plan to test this early in 2021, and hopefully, I should be able to update you if it worked as expected.
Thank you for your prompt response. I generally haven't had to deal with ILO before so the info is helpful. We ended up using a secondary IP on the VLAN, but we are also going to test configuring ILO as the tagged VLAN. I'll send an update as soon as I have one.