Installation guide

A Sample VLAN Topology
Chapter 7
83
zhp3: vlan4 = zre22..22
zre13 = untag1
zre12 = untag2
zre0..11, zre14..21 = untag3
zre22..23 = untag4
ifconfig zhp3
zhp3 Link encap:Ethernet HWaddr 00:11:65:09:EC:1B
inet addr:192.168.0.43 Bcast:192.168.0.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:2228912 errors:0 dropped:0 overruns:0 frame:0
TX packets:1488770 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:100
RX bytes:156761552 (149.4 Mb) TX bytes:108022452 (103.0 Mb)
Base address:0xc000
Four VLANs have now been defined in this sample topology: one for the cross-connect to the
opposite-side ShMM, a second for the management LAN external connection, a third for the
remaining base interfaces in the 14-Slot Shelf (representing the control network), and a fourth for
the ISL and connection to the same-side ShMM.
NOTE Make the same set of changes to the redundant, failover Ethernet Switch Blade at
this time in order to maintain High Availability integrity for the 14-Slot Shelf.
Configuring the Switch Blade – Hiding the ShMM and Exposing RMCP and SNMP-TRAP
Now you need to set up some iptables rules that effectively hide the ShMMs in their own private
network, while still allowing RMCP and IPMI traffic to flow to and from the 14-Slot Shelf over the established
management network. The reason for doing this is to establish better security for the 14-Slot Shelf.
To enhance security, blades or outside devices should not connect directly to the ShMMs. Instead, you
expose the interesting management data from the ShMMs through the RMCP protocol. This network traffic
originates from the management network, passes through the Switch Blades, and onto the ShMM’s private
network. Using the sample network topology, the only devices that can directly connect to the ShMMs’ console
are serial devices that are in the same physical location as the ShMMs and the Ethernet Switch Blades.
To hide the ShMM and expose the RMCP and SNMP-TRAP, complete the following steps:
Step 1. To gain access to the ShMM using the RMCP protocol and to allow SNMP traffic to flow to agents
running on the ShMMs and other blades, add two lines to the /etc/services configuration file on
each Switch Blade.
Using the base serial port, or the configuration port you set up previously, add the following lines to
the /etc/services file on each Switch Blade:
rmcp        623/udp     # To allow RMCP traffic to ShMMs.
agentx      705/tcp     # To allow traffic to off-switch sub-agents.
Step 2. Enter the following command to load the iptables driver into kernel memory:
insmod /lib/modules/2.4.2/kernel/net/ipv4/netfilter/iptable_nat.o
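The guide's own rules for this step are not reproduced here; the following script is an added example, not part of the installation guide, that shows the kind of iptables rule set the text describes: inbound RMCP (UDP 623, the /etc/services entry from Step 1) is DNATed from the switch blade's management address to the ShMM, SNMP traps (UDP 162) from the ShMM are source-NATed so the private address never appears on the management LAN, and everything else forwarded toward the private VLAN is logged and dropped. The interface names (zhp1, zhp3), the addresses, and the `--apply` switch are assumptions chosen for illustration; replace them with the VLAN interfaces and addresses of your own topology. By default it only prints the commands it would run.

```shell
#!/bin/sh
# Added example (not from the guide): iptables rules that hide the ShMM on its
# private VLAN while still passing RMCP (UDP 623) in and SNMP traps (UDP 162) out.
# Every interface name and address below is an assumption for illustration;
# substitute the VLAN interfaces and addresses from your own topology.
MGMT_IF="${MGMT_IF:-zhp1}"                      # assumed: switch interface on the management-LAN VLAN
SHMM_IF="${SHMM_IF:-zhp3}"                      # assumed: switch interface on the private ShMM VLAN
SHMM_IP="${SHMM_IP:-192.168.0.44}"              # assumed: address of the same-side ShMM
SWITCH_MGMT_IP="${SWITCH_MGMT_IP:-10.0.0.43}"   # assumed: switch blade address on the management LAN
RMCP_PORT=623    # matches the rmcp entry added to /etc/services in Step 1
TRAP_PORT=162    # standard SNMP trap port
DRY_RUN="${DRY_RUN:-1}"   # 1 = print the commands instead of executing them

# Print (dry run) or execute one iptables command.
ipt() {
    if [ "$DRY_RUN" = "1" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

shmm_firewall_rules() {
    # Start from a closed forwarding path: nothing crosses the switch blade
    # between VLANs unless a rule below allows it.
    ipt -P FORWARD DROP
    ipt -F FORWARD
    ipt -t nat -F

    # 1. RMCP arriving on the management LAN and addressed to the switch blade is
    #    rewritten to the ShMM's private address, so managers never learn it.
    ipt -t nat -A PREROUTING -i "$MGMT_IF" -d "$SWITCH_MGMT_IP" -p udp --dport "$RMCP_PORT" \
        -j DNAT --to-destination "$SHMM_IP:$RMCP_PORT"
    ipt -A FORWARD -i "$MGMT_IF" -o "$SHMM_IF" -d "$SHMM_IP" -p udp --dport "$RMCP_PORT" -j ACCEPT

    # 2. SNMP traps originate on the ShMM; let them out, but source-NAT them to
    #    the switch blade so the private address is not exposed.
    ipt -A FORWARD -i "$SHMM_IF" -o "$MGMT_IF" -s "$SHMM_IP" -p udp --dport "$TRAP_PORT" -j ACCEPT
    ipt -t nat -A POSTROUTING -o "$MGMT_IF" -s "$SHMM_IP" -p udp --dport "$TRAP_PORT" \
        -j SNAT --to-source "$SWITCH_MGMT_IP"

    # 3. Replies belonging to flows already accepted above (RMCP responses) may return.
    ipt -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # 4. Log anything else aimed at the private VLAN before the DROP policy discards it,
    #    which gives the operator a record of blades or hosts probing the ShMM.
    ipt -A FORWARD -o "$SHMM_IF" -j LOG --log-prefix "shmm-blocked: "
}

# "--apply" (assumed switch) executes the rules; anything else is a dry run.
if [ "${1:-}" = "--apply" ]; then
    DRY_RUN=0
fi
shmm_firewall_rules
```

Run it without arguments first and read the printed commands; only then run it with `--apply` on each Switch Blade. IP forwarding must be enabled on the switch blade for the FORWARD chain to carry traffic, and on a 2.4 kernel loaded with insmod as in Step 2 the `state` match, DNAT/SNAT targets and LOG target may each need their own netfilter module loaded before the rules are accepted.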