HP Integrated Lights-Out Security, 7th edition

Network and management ports
iLO’s firewall and bridge logic prevent any connection between the iLO management port and the
server Ethernet port (Figure 1). Even when using the shared network port (SNP), iLO cannot bridge traffic
between its 10/100 Ethernet port and the server Ethernet port. Therefore, attacks on the server
network cannot compromise iLO and vice versa.
Shared network port
Most G4 and later ProLiant ML and DL servers with iLO support SNP. Consult the server
documentation to determine whether your ProLiant server supports SNP. HP does not plan to support
SNP on HP BladeSystem server blades.
The SNP lets iLO management traffic use a sideband connection on the server NIC rather than
dedicating a second port to iLO management traffic (Figure 2). Although the iLO traffic shares a port
with the server OS traffic, both iLO and the server NIC have their own MAC and IP address. This
ensures that other devices can independently address iLO. This is an advantage if you want to install
and maintain a single network infrastructure for handling both management and productivity traffic.
Figure 2. Traffic paths of shared and dedicated networks
Shared network port with Virtual LAN
Implementing Virtual LAN (VLAN) tags enhances iLO SNP security. When you enable VLAN tags, the
iLO SNP becomes part of a VLAN. A VLAN is a logical network that isolates network traffic into
segments. It increases security because established rules keep traffic on one segment from entering
another segment. All network devices with the same VLAN tag appear to be on a separate LAN
even if they are physically connected to the same LAN. The SNP NIC checks the Ethernet frame for a
VLAN ID and compares it against its configured value. If they match, then the SNP strips the frame of
the VLAN tag and forwards it to iLO. If they do not match, the SNP forwards the frame to the server.
The SNP NIC inserts a VLAN tag into any outgoing Ethernet frames.
This feature is available with iLO v1.80, iLO 2 v1.10 (and later), and iLO 3.
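The ingress and egress handling described in this section, as an added Python sketch that is not HP firmware or code from the original paper. It assumes standard IEEE 802.1Q tagging (TPID 0x8100, VLAN ID in the low 12 bits of the tag) and treats untagged frames as a non-match; the function names, MAC addresses and payload are constructed for illustration.

```python
import struct

TPID_8021Q = 0x8100  # EtherType value that marks an IEEE 802.1Q tag (assumed tagging format)

# Constructed sample frame: dst MAC, src MAC, EtherType IPv4, dummy payload.
DST_MAC = bytes.fromhex("020000000001")
SRC_MAC = bytes.fromhex("020000000002")
UNTAGGED = DST_MAC + SRC_MAC + b"\x08\x00" + b"constructed-payload".ljust(46, b"\x00")


def classify_ingress(frame: bytes, ilo_vlan_id: int):
    """Decide where a received frame goes: ("ilo", stripped) or ("server", frame)."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    (ethertype,) = struct.unpack_from("!H", frame, 12)
    if ethertype == TPID_8021Q and len(frame) >= 18:
        (tci,) = struct.unpack_from("!H", frame, 14)
        # Only the low 12 bits are the VLAN ID; priority/DEI bits are ignored.
        if tci & 0x0FFF == ilo_vlan_id:
            # Match: strip the 4-byte tag and forward the frame to iLO.
            return "ilo", frame[:12] + frame[16:]
    # Untagged (assumption) or different VLAN ID: forward unchanged to the server.
    return "server", frame


def tag_egress(frame: bytes, ilo_vlan_id: int, priority: int = 0) -> bytes:
    """Insert an 802.1Q tag into a frame that iLO is sending out."""
    if not 1 <= ilo_vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = ((priority & 0x7) << 13) | ilo_vlan_id
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]


if __name__ == "__main__":
    ilo_vlan = 100  # constructed VLAN ID for the iLO management segment
    tagged = tag_egress(UNTAGGED, ilo_vlan)
    for label, frame, vid in [
        ("tagged, matching VLAN", tagged, ilo_vlan),
        ("tagged, other VLAN", tagged, 200),
        ("untagged", UNTAGGED, ilo_vlan),
    ]:
        dest, out = classify_ingress(frame, vid)
        print(f"{label:24s} -> {dest:6s} ({len(out)} bytes)")
```
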