Connecting a Bastion Host to Private Cloud Appliance (Optional)
In addition to the public Ethernet connection, it is allowed to connect the Private Cloud Appliance management switch to a management or machine administration network at your installation site. From this network, a bastion host provides direct administrator access to the appliance components.
If you choose to use such an uplink, consider it as a long-term alternative to the temporary workstation connection described in Connecting a Workstation to the System. Configure the administration uplink after the initialization of the appliance, when the appliance network settings have been applied.
A connection to the appliance internal management network, either directly into the management switch or through an additional Ethernet switch in the data center, is not required to access the appliance management functionality of the Private Cloud Appliance user interfaces. The primary role of the appliance internal management network is to allow the controller software on the management nodes to interact with the compute nodes and other rack components. Connecting to this network from outside the appliance allows you to gain direct administrator access to each component, for example to control the ILOMs.
Do not make any changes to anything on this network unless directed to do so by Oracle Support.
Bastion Host Configuration
Follow these guidelines when configuring a bastion host.
Connect port 2 on the management switch.
Ensure that the data center Ethernet switch used in this connection is configured to prevent DHCP leakage to the 100.96.0.0/22 subnet used by the Private Cloud Appliance. Do not connect to any network with any kind of broadcast services in addition to DHCP.
For the bastion host, which is the name used to describe the machine that is permanently connected to the data center administration network, use the IP address 100.96.3.254/23 and assign it statically to its network interface. Ensure there is no other machine on the same subnet using the same IP address and causing IP conflicts.
Both the ILOM and internal management network are configured on the same management switch. In order to communicate with both networks, you must configure the bastion host with two paths to the switch. You can choose one of two configuration options:
- Configure two IP addresses on the bastion host.
For example, add
100.96.1.254/23as a second IP address.# cat ifcfg-eth1 NAME=eth1 DEVICE=eth1 BOOTPROTO=static ONBOOT=yes NM_CONTROLLED=no USERCTL=no DEFROUTE=no IPV6INIT=no IPADDR1=100.96.3.254 PREFIX1=23 IPADDR2=100.96.1.254 PREFIX2=23
- Or, add a route to the existing networks.
On the
100.96.0.0/23network, if the bastion host is configured with the IP100.96.3.254for subnet100.96.2.0/23, add this route:ip route add 100.96.0.0/23 via 100.96.2.1 dev eth1
and on the
100.96.2.0/23network, if the bastion host is configured with the IP100.96.1.254for subnet 100.96.0.0/23, add this route:ip route add 100.96.2.0/23 via 100.96.0.1 dev eth1