Private IPs for Intersight Appliance

mdrudge
Level 1

Ok, we're taking the plunge, and setting up new X-series hardware with Intersight.  I'm getting the Intersight connected appliance set up, and doing some research beforehand.  I see that you need to reserve a "/20 subnet within the 172.16.0.0/12 range".  This makes me kind of nervous, since that's the range we use for a lot of our subnets, including the management VLAN for UCS.  Does anyone know if this is a conflict?  Or if I just need to stay away from the routed range for our management VLAN?  Does this range even leave the appliance?  I just want to make sure there aren't any issues.  Thanks!

2 Replies

fdeleonn
Cisco Employee

Hello mate, 

It's understandable that you have concerns about potential conflicts with the IP range you're using for your existing subnets and management VLAN. Let's break down your questions:

1. Conflict with Existing Subnets: Reserving a /20 subnet within the 172.16.0.0/12 range should not directly conflict with your existing subnets, including the management VLAN for UCS, as long as the specific /20 subnet you reserve doesn't overlap with your existing subnets. However, it's crucial to ensure that there's no overlap in the IP addresses you allocate for the new subnet and your existing ones.

2. Routed Range for Management VLAN: If the 172.16.0.0/12 range is used for your management VLAN, you should indeed avoid overlapping with the range you're reserving for the Intersight connected appliance. To prevent any issues, make sure the /20 subnet you allocate for the Intersight appliance does not overlap with the IP addresses used in your management VLAN.

3. IP Range Leaving the Appliance: Typically, the IP range you reserve for the Intersight connected appliance would be used for communication between the appliance and the managed devices. This range might be used for various purposes like device discovery, monitoring, and management. However, this range should not leave the appliance and interfere with your existing network infrastructure as long as it's properly isolated and configured within the appliance's settings.

In order to avoid any potential issues or conflicts, it's recommended to:

- Verify that the /20 subnet you plan to reserve for the Intersight connected appliance doesn't overlap with your existing subnets, including the management VLAN.
- Double-check the documentation provided by Cisco or the vendor for the specific requirements and guidelines related to IP addressing and subnet reservation for the Intersight appliance.
- Plan the IP addressing carefully and consider involving your network administrator to ensure proper isolation and no IP conflicts.

Remember that network configuration can be complex and specific to your environment, so it's always a good practice to consult with relevant experts and thoroughly test any changes before implementing them in a production environment.
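The overlap check recommended in the reply above, as an added example that is not part of the original posts or of any Cisco tooling: it lists every /20 inside 172.16.0.0/12 that does not collide with subnets already in use, and reports what a chosen candidate collides with. The `IN_USE` list is constructed sample data; replace it with an export from your own IPAM or routing table.

```python
import ipaddress

# The range the appliance requirement in the thread refers to.
POOL = ipaddress.ip_network("172.16.0.0/12")

# Constructed sample of subnets already allocated on site (assumption).
IN_USE = ["172.16.0.0/16", "172.20.10.0/24", "172.24.0.0/13", "10.0.0.0/8"]


def conflicts(candidate, in_use):
    """Return the in-use networks that overlap the candidate /20."""
    cand = ipaddress.ip_network(candidate)  # rejects host bits set
    if cand.prefixlen != 20 or not cand.subnet_of(POOL):
        raise ValueError(f"{cand} is not a /20 inside {POOL}")
    return [n for n in map(ipaddress.ip_network, in_use) if cand.overlaps(n)]


def free_slash20s(in_use):
    """Return every /20 in POOL that overlaps none of the in-use networks."""
    nets = [ipaddress.ip_network(n) for n in in_use]
    return [c for c in POOL.subnets(new_prefix=20)
            if not any(c.overlaps(n) for n in nets)]


if __name__ == "__main__":
    free = free_slash20s(IN_USE)
    print(f"{len(free)} of 256 possible /20 blocks are free")
    print("first free block:", free[0])
    for cand in ("172.17.0.0/20", "172.20.0.0/20"):
        hits = conflicts(cand, IN_USE)
        print(cand, "->", "OK" if not hits else f"overlaps {hits}")
```

This only answers the address-plan question; whether the reserved range is ever seen on the wire is a separate question for the appliance documentation.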

Thanks for the prompt reply.  I definitely would not reserve this subnet without the involvement of our network team, but requesting a /20 subnet is a big ask and I'm trying to come up with the best information to justify it.  The impression I'm getting from what you said is that these IPs are internal to the appliance, but there is a risk that they could be leaked out if not configured correctly on the appliance.  Also, if they are used to communicate with devices (like FIs) then they would have to be used over the network, correct?  So then if I have an FI in another site, I would either need another appliance in that site, or to allow traffic over the firewall for this, when I was just expecting requests for the management IP.  I am hoping to find some documentation about the design or architecture with this, and so far have just found one bullet point about it at Cisco Intersight Virtual Appliance and Intersight Assist Getting Started Guide, 1.0.9 - Overview [Cisco Intersight] - Cisco.  Is there another document with more in-depth information that I can take a look at?  Thanks!
