HMC


HMC RMC and NAT IP address

  • 1.  HMC RMC and NAT IP address

    Posted Tue January 24, 2023 08:25 AM
    Edited by Per Hillerström Tue January 24, 2023 09:42 AM

    So, regarding HMC and RMC …

    I know HMC does not support NAT with RMC, but has anyone here found a workaround for this and perhaps solved it anyway without removing NAT?

    https://www.ibm.com/support/pages/fixing-no-rmc-connection-error "Network Address Translation (NAT) is not supported in HMC RMC domains and NAT would need to be disabled on the network".

    Just to explain about the network traffic:

    The LPAR can successfully send RMC 657 traffic via the NAT IP address to the HMC server, but the HMC responds to the actual LPAR IP address instead of the NAT IP address, and that is not allowed.



    ------------------------------
    Per Hillerström
    ------------------------------


  • 2.  RE: HMC RMC and NAT IP address

    Posted Wed January 25, 2023 04:34 AM
    I would expect HMC to get info on RMC partner address from the RMC protocol data, not from the TCP/IP headers. That means NAT would not be successful unless the device doing NAT understands RMC protocol and performs necessary "fixups" in PDU (on RMC protocol level).

    ------------------------------
    Lech Szychowski
    ------------------------------



  • 3.  RE: HMC RMC and NAT IP address

    Posted Wed January 25, 2023 06:01 AM
    If the issue is an IPv4 collision, you can configure IPv6 which is big enough to never need NAT.

    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------



  • 4.  RE: HMC RMC and NAT IP address

    Posted Wed January 25, 2023 06:59 AM
    Nice idea, but I think that would affect many more nodes since the end customer has +200 nodes with that subnet.

    ------------------------------
    Per Hillerström
    ------------------------------



  • 5.  RE: HMC RMC and NAT IP address

    Posted Wed January 25, 2023 08:52 AM
    Hi Per,

    I have good news for you. It is officially supported now and was delivered last month:

    https://ibm-power-systems.ideas.ibm.com/ideas/AIX-I-232

    Unfortunately I can't provide more information right now because I haven't tested it yet. But maybe @HARIGANESH MURALIDHARAN can help with it?


    ------------------------------
    Andrey Klyachkin

    https://www.power-devops.com
    ------------------------------



  • 6.  RE: HMC RMC and NAT IP address

    Posted Wed January 25, 2023 09:10 AM
    Awesome! Then I "just need to upgrade" customer AIX ... that shouldn't be that difficult to get approved. :D

    ------------------------------
    Per Hillerström
    ------------------------------



  • 7.  RE: HMC RMC and NAT IP address

    Posted Thu January 26, 2023 01:05 PM
    Hi Per

    Note that according to what is written in the comments in https://ibm-power-systems.ideas.ibm.com/ideas/AIX-I-232 , you also need HMC level 1040 - that is not available yet.

    -----------------------------
    Janus Hertz
    Consulting IT Specialist
    IBM Technology Services
    -----------------------------

    ------------------------------
    Janus Hertz
    Consulting IT Specialist - Power Systems / IBM i - Virtualization, Security, HA
    IBM
    ------------------------------



  • 8.  RE: HMC RMC and NAT IP address

    Posted Wed September 25, 2024 02:29 AM

    Hello everyone,
    Is there any official documentation that confirms NAT support with RMC and HMC?
    According to this, it should be supported:

    https://ibm-power-systems.ideas.ibm.com/ideas/AIX-I-232

    but I cannot find evidence in the IBM documentation. Is there official documentation somewhere with pre-reqs and confirmation?
    Thanks a lot



    ------------------------------
    Gregory Vanbout
    ------------------------------



  • 9.  RE: HMC RMC and NAT IP address

    Posted Mon September 30, 2024 04:48 AM

    Apparently there's a new RMC method and port, but the man page is a bit on the light side.


    From the MF71420.readme:

    Support for RMC communication using TLS over port 12601: Two new RMC communication modes have been added:

    • tls_preferred: use TLS over port 12601 if supported by the partition or HMC being communicated with, otherwise use legacy TCP/UDP over port 657.  Note that selecting this mode can impact performance if the partition or HMC being communicated with does not support TLS.
    • tls_exclusive: use TLS over port 12601 only

    Related commands: chpsm (requires a reboot), lspsm (default: lpar_rmc_comm_ifs=all,rmc_comm_mode=legacy,rmc_conn_priority=default)

    rmc_comm_mode (legacy | tls_preferred | tls_exclusive) <= Haven't found minimum AIX/Linux levels for RMC/TLS.

    rmc_conn_priority (default | direct | indirect) <= apparently possible to use a proxy for the RMC+TLS connection, but haven't found how/where to configure that proxy. This would be great to reduce the exposure of the HMC to less-secure LPARs.



    ------------------------------
    José Pina Coelho
    IT Specialist at Kyndryl
    ------------------------------
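
The mode-to-port mapping from the MF71420 readme quoted in post 9, applied as a firewall audit over lspsm-style attribute lines. This is an added example, not part of the thread and not IBM tooling; the `name|attributes` inventory format and the hostnames are assumptions, and the attribute lines follow the lspsm default quoted above.

```shell
#!/bin/sh
# Added example: derive the RMC ports each HMC's rmc_comm_mode implies.

# Print the value of attribute $2 from the comma-separated key=value line $1.
psm_attr() {
    printf '%s\n' "$1" | tr ',' '\n' | while IFS='=' read -r key value; do
        if [ "$key" = "$2" ]; then printf '%s\n' "$value"; fi
    done
}

# Print the proto/port list needed between LPAR and HMC for the line's mode.
# Returns 1 when rmc_comm_mode is missing or not one of the three known values.
rmc_ports() {
    mode=$(psm_attr "$1" rmc_comm_mode)
    case "$mode" in
        legacy)        echo "tcp/657 udp/657" ;;
        tls_preferred) echo "tcp/12601 tcp/657 udp/657" ;;  # 657 kept as fallback
        tls_exclusive) echo "tcp/12601" ;;
        *)             echo "unknown"; return 1 ;;
    esac
}

# Read "name|attribute-line" records on stdin and print, per HMC:
# name, a flag (657-open | tls-only | check-manually), and the port list.
audit_hmcs() {
    while IFS='|' read -r name line; do
        [ -n "$name" ] || continue
        if ports=$(rmc_ports "$line"); then
            case "$ports" in
                *657*) flag="657-open" ;;
                *)     flag="tls-only" ;;
            esac
        else
            flag="check-manually"
        fi
        printf '%s %s %s\n' "$name" "$flag" "$(echo "$ports" | tr ' ' ',')"
    done
}

# Constructed sample inventory (hypothetical hostnames; hmc-c lacks the mode).
SAMPLE='hmc-a|lpar_rmc_comm_ifs=all,rmc_comm_mode=legacy,rmc_conn_priority=default
hmc-b|lpar_rmc_comm_ifs=all,rmc_comm_mode=tls_exclusive,rmc_conn_priority=default
hmc-c|lpar_rmc_comm_ifs=all,rmc_conn_priority=default'

printf '%s\n' "$SAMPLE" | audit_hmcs
```

Only HMCs flagged `tls-only` can have port 657 closed toward the LPAR networks; `tls_preferred` still needs it for partitions that fall back to the legacy transport.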