Hey everyone! I've got a setup where the PDUs are connected to a management L3 switch, but the iDRAC is situated on an L3 core switch, which is dual, and it's been VLAN'd and subnetted away from production. For our small system, is this arrangement reasonable? Am I overthinking it by considering that the iDRAC should be on the dedicated management switch?
5 Answers
It really depends on how secure your whole setup is. If you’re dealing with sensitive data, you may want to tighten up security. The more critical the systems are, the more precautions are necessary. Keeping management interfaces like iDRAC on a dedicated management network is often best practice. It helps you avoid potential vulnerabilities from external or other internal systems.
Ultimately, what truly matters is how reliably you can access the iDRAC and monitor its status. Some organizations require totally isolated out-of-band management networks, while others are fine with in-band setups. If you can access it consistently, that’s the main goal!
You should be all right. If it's a small environment, having the iDRAC on a logically segregated management VLAN works well, especially for recovery in case of issues like a broadcast storm. But yes, best practice is to have the iDRAC on a separate management switch for that essential backup access. If possible, it's even better to have this management switch reachable externally as an out-of-band option, but that could involve more setup with firewalls.
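As an added illustration (not code from the thread or from any of the posters; every subnet, address and firewall rule below is a constructed assumption for a small environment), here is the kind of audit the answer above implies: confirm that every iDRAC/IPMI and PDU address actually sits in the management subnet, and compare a "management VLAN routed on the core with no filter" policy against an ACL that only lets a jump host reach the BMC ports and stops the management VLAN from initiating into production or server VLANs.

```python
"""Segmentation audit for out-of-band management interfaces (iDRAC/IPMI, PDUs).

Added example, not from the thread. All subnets, addresses, hostnames and
rules are constructed assumptions; substitute your own inventory.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed layout: production users, a server VLAN on the core switch,
# and a dedicated management VLAN/subnet on the management switch.
PRODUCTION_NET = ipaddress.ip_network("10.10.0.0/24")
SERVER_NET = ipaddress.ip_network("10.20.0.0/24")
MGMT_NET = ipaddress.ip_network("10.99.0.0/24")
ANY = ipaddress.ip_network("0.0.0.0/0")
JUMP_HOST = ipaddress.ip_address("10.99.0.5")  # assumed: the only box allowed to reach BMCs

# Constructed inventory of (kind, address). The second iDRAC was left on the
# server subnet of the core switch, which is the mistake the audit should catch.
INVENTORY = [
    ("idrac", "10.99.0.11"),
    ("idrac", "10.20.0.12"),   # misplaced: reachable from the server VLAN
    ("pdu", "10.99.0.21"),
    ("pdu", "10.99.0.22"),
    ("hypervisor", "10.20.0.40"),
]
MANAGEMENT_KINDS = {"idrac", "ipmi", "pdu"}


def misplaced_management_interfaces(inventory, mgmt_net=MGMT_NET):
    """Return (kind, address) pairs for management interfaces outside mgmt_net."""
    return [(kind, addr) for kind, addr in inventory
            if kind in MANAGEMENT_KINDS and ipaddress.ip_address(addr) not in mgmt_net]


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None    # None matches any destination port

    def matches(self, src_ip, dst_ip, dst_port):
        return (src_ip in self.src and dst_ip in self.dst
                and (self.dst_port is None or self.dst_port == dst_port))


def acl_permits(acl, src, dst, dst_port, default="deny"):
    """First-match evaluation of a stateless ACL; `default` applies when no rule matches."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if rule.matches(src_ip, dst_ip, dst_port):
            return rule.action == "permit"
    return default == "permit"


def host(ip):
    return ipaddress.ip_network(f"{ip}/32")


# Weak policy: the management VLAN is simply routed on the core with no filter,
# so it is modelled as an empty ACL evaluated with an implicit permit.
WEAK_ACL: List[Rule] = []

# Corrected policy: only the jump host may reach the management subnet on the
# BMC ports, and the management subnet may not initiate into production/server VLANs.
HARDENED_ACL = [
    Rule("permit", host(JUMP_HOST), MGMT_NET, 443),   # iDRAC web UI / Redfish
    Rule("permit", host(JUMP_HOST), MGMT_NET, 22),    # SSH to the BMC
    Rule("permit", host(JUMP_HOST), MGMT_NET, 623),   # IPMI over LAN
    Rule("deny", ANY, MGMT_NET),
    Rule("deny", MGMT_NET, PRODUCTION_NET),
    Rule("deny", MGMT_NET, SERVER_NET),
]


def audit_flows(acl, default="deny"):
    """Evaluate the flows that matter for OOB management against an ACL."""
    checks = {
        "jump_host_to_idrac_https": (str(JUMP_HOST), "10.99.0.11", 443),
        "production_to_idrac_https": ("10.10.0.50", "10.99.0.11", 443),
        "production_to_idrac_ipmi": ("10.10.0.50", "10.99.0.11", 623),
        "idrac_to_production_ssh": ("10.99.0.11", "10.10.0.50", 22),
    }
    return {name: acl_permits(acl, *flow, default=default) for name, flow in checks.items()}


if __name__ == "__main__":
    print("misplaced:", misplaced_management_interfaces(INVENTORY))
    print("weak policy:", audit_flows(WEAK_ACL, default="permit"))
    print("hardened policy:", audit_flows(HARDENED_ACL))
```

The misplacement check is the one that pays off in practice: a BMC that ends up on the server subnet is reachable by every VM and hypervisor on the core, no matter how good the ACL in front of the real management VLAN is. The flow audit is deliberately stateless and first-match, which is how most switch ACLs behave; if the management subnet is instead fronted by a stateful firewall, the same table of flows is still the set you would want to verify.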
I'm not fully grasping your question. Are you asking whether you should keep your server and IPMI interfaces separate, like on different VLANs or physical switches? The answer is definitely yes! We have our hypervisors and VMs on a server VLAN, but the IPMI is securely on a management VLAN.
I think having it on a separate VLAN and subnet is totally fine, especially for a smaller network. Ideally, your core switch should be reserved for production, with management left on its own hardware. Just make sure to label everything clearly, or future admins (like me) might end up confused!

I was surprised to see a setup with a separate management switch, yet the iDRACs were still on the core switch for easier management software access. Now I’m debating if it’s worth suggesting a physical separation, but I think logically segmenting it might be good enough for now.