Optional Bastion Host Uplink

In addition to the public Ethernet connection, you may connect the management switch to a management or machine administration network at your installation site. If you choose to use such an uplink, consider it as a long-term alternative to the temporary workstation connection described in Connect a Workstation to the Appliance. Configure the administration uplink after the initialization of the appliance, when the appliance network settings have been applied.

A connection to the appliance internal management network, either directly into the management switch or through an additional Ethernet switch in the data center, is not required to access the appliance management functionality offered by the Oracle Private Cloud Appliance user interfaces. The primary role of the appliance internal management network is to allow the controller software on the management nodes to interact with the compute nodes and other rack components. Connecting to this network from outside the appliance gives you direct administrator access to each component, for example to control the ILOMs.

Caution:

Do not make any changes to anything on this network unless directed to do so by Oracle Support.

Bastion Host Configuration

Follow these guidelines when configuring a bastion host.

Caution:

Connect port 2 on the management switch.

Make sure that the data center Ethernet switch used in this connection is configured to prevent DHCP leakage to the 100.96.0.0/22 subnet used by Oracle Private Cloud Appliance. Do not connect to any network with any kind of broadcast services in addition to DHCP.

The bastion host is the machine that is permanently connected to the data center administration network. Assign it the static IP address 100.96.3.254/23 on its network interface, and make sure that no other machine on the same subnet uses that IP address, which would cause IP conflicts.

Both the ILOM and internal management networks are configured on the same management switch. In order to communicate with both networks, you must configure the bastion host with two paths to the switch. You can choose one of two configuration options:
  • Configure two IP addresses on the bastion host.

    For example, add 100.96.1.254/23 as a second IP address.

    # cat ifcfg-eth1
    NAME=eth1
    DEVICE=eth1
    BOOTPROTO=static
    ONBOOT=yes
    NM_CONTROLLED=no
    USERCTL=no
    DEFROUTE=no
    IPV6INIT=no
    IPADDR1=100.96.3.254
    PREFIX1=23
    IPADDR2=100.96.1.254
    PREFIX2=23
  • Or, add a route to the existing networks.

    To reach the 100.96.0.0/23 network when the bastion host is configured with the IP 100.96.3.254 on subnet 100.96.2.0/23, add this route:

    ip route add 100.96.0.0/23 via 100.96.2.1 dev eth1

    and to reach the 100.96.2.0/23 network when the bastion host is configured with the IP 100.96.1.254 on subnet 100.96.0.0/23, add this route:

    ip route add 100.96.2.0/23 via 100.96.0.1 dev eth1
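As an added example (not part of the Oracle documentation or the appliance software), the following script derives the second address for option 1 and the route for option 2 from the bastion host's interface address, and checks a proposed route for consistency with the 100.96.0.0/22 block and its two /23 halves. It assumes the route gateway is always the first host of the local /23, as in the two commands above.

```python
import ipaddress

# Internal management block and its two /23 halves, as stated on the page.
MGMT_BLOCK = ipaddress.ip_network("100.96.0.0/22")
MGMT_SUBNETS = list(MGMT_BLOCK.subnets(new_prefix=23))  # 100.96.0.0/23, 100.96.2.0/23

def _halves(iface_addr):
    """Return (interface, local /23, other /23); reject addresses outside the block."""
    iface = ipaddress.ip_interface(iface_addr)
    if iface.network not in MGMT_SUBNETS:
        raise ValueError(f"{iface_addr} is not on one of {[str(n) for n in MGMT_SUBNETS]}")
    other = next(n for n in MGMT_SUBNETS if n != iface.network)
    return iface, iface.network, other

def second_address(iface_addr):
    """Option 1: the address to add on the other /23 so the host sits on both
    networks, keeping the same host offset (100.96.3.254 -> 100.96.1.254)."""
    iface, local, other = _halves(iface_addr)
    offset = int(iface.ip) - int(local.network_address)
    return f"{other.network_address + offset}/{other.prefixlen}"

def route_to_other_half(iface_addr):
    """Option 2: (destination, gateway) for the static route; the gateway is the
    first host of the local /23, as in the page's examples (assumed here)."""
    _, local, other = _halves(iface_addr)
    return str(other), str(local.network_address + 1)

def check_route(iface_addr, route_dest, gateway):
    """Return the problems found; an empty list means the route is consistent
    with the interface address and the appliance subnets."""
    problems = []
    iface = ipaddress.ip_interface(iface_addr)
    dest = ipaddress.ip_network(route_dest)
    gw = ipaddress.ip_address(gateway)
    if iface.ip not in MGMT_BLOCK:
        problems.append(f"{iface.ip} is outside the appliance block {MGMT_BLOCK}")
    if iface.network.prefixlen != 23:
        problems.append(f"prefix is /{iface.network.prefixlen}, expected /23")
    if gw not in iface.network:
        problems.append(f"gateway {gw} is not on the local subnet {iface.network}")
    if dest not in MGMT_SUBNETS:
        problems.append(f"destination {dest} is not one of the appliance /23 subnets")
    elif dest == iface.network:
        problems.append(f"{dest} is the local subnet, so no route is needed")
    return problems

if __name__ == "__main__":
    print(second_address("100.96.3.254/23"), route_to_other_half("100.96.3.254/23"))
```

Run `check_route` against the interface address and the `ip route add` arguments before applying them; it does not touch the network, so it can be used before the bastion host is connected.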