IPMI & Gratuitous ARP
by bram
Here’s an odd one: on one of my networks, I discovered this flowing around:
09:56:02.660795 arp who-has 192.168.30.32 (ff:ff:ff:ff:ff:ff) tell 192.168.30.32
(even though I’m not in this subnet)
For those of you who have seen this, it’s called a Gratuitous ARP and originates from an IPMI-enabled NIC (Intel’s IPMI = Intelligent Platform Management Interface).
IPMI basically allows sysadmins to monitor and administer a machine without having to go through the OS.
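To spot which hosts are sending these announcements, the check below scans tcpdump text output for ARP requests where the sender asks for its own address. It is an added example, not part of the original post; the function name, the local subnet `10.0.0.0/24` and every sample line except the first (which is the one captured above) are constructed for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Accepts the line format shown above and the "ARP, Request" prefix
# printed by newer tcpdump versions.
ARP_RE = re.compile(
    r"^(?P<h>\d\d):(?P<m>\d\d):(?P<s>\d\d\.\d+) (?:arp|ARP, Request) "
    r"who-has (?P<target>[\d.]+)(?: \([^)]*\))? tell (?P<sender>[\d.]+)"
)

def find_gratuitous_arp(lines, local_nets):
    """Summarise senders whose ARP request targets their own IP address."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    seen = defaultdict(list)
    for line in lines:
        m = ARP_RE.match(line.strip())
        if not m or m["target"] != m["sender"]:
            continue  # not an ARP request, or an ordinary lookup
        # Seconds since midnight; a capture spanning midnight is not handled.
        seen[m["sender"]].append(
            int(m["h"]) * 3600 + int(m["m"]) * 60 + float(m["s"]))
    report = {}
    for ip, stamps in seen.items():
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        report[ip] = {
            "count": len(stamps),
            # True when the announced address is outside every local subnet
            "off_subnet": not any(ipaddress.ip_address(ip) in n for n in nets),
            # A steady interval points at a periodic announcer
            "mean_interval": round(sum(gaps) / len(gaps), 3) if gaps else None,
        }
    return report

# First line is the capture from the post; the rest are constructed samples.
SAMPLE = """\
09:56:02.660795 arp who-has 192.168.30.32 (ff:ff:ff:ff:ff:ff) tell 192.168.30.32
09:56:03.100000 arp who-has 10.0.0.1 tell 10.0.0.57
09:56:04.660795 arp who-has 192.168.30.32 (ff:ff:ff:ff:ff:ff) tell 192.168.30.32
09:56:05.200000 ARP, Request who-has 10.0.0.57 tell 10.0.0.57, length 46
09:56:06.660795 arp who-has 192.168.30.32 (ff:ff:ff:ff:ff:ff) tell 192.168.30.32
"""

if __name__ == "__main__":
    for ip, info in find_gratuitous_arp(SAMPLE.splitlines(), ["10.0.0.0/24"]).items():
        print(ip, info)
```

An address flagged `off_subnet` with a regular interval is worth tracing back to its switch port, since it may be a management controller that was never deliberately configured.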
I found some info here:
Naoi, March 26th, 2008, 06:37 PM
This issue cropped up for me just recently so even though this is an old thread I thought I’d use it to document how I turned off the gratuitous arps on my Intel SE7221BK1-E server board.
Just FYI I’m in no way a network expert, so please forgive any mistakes as I am relying on various threads I came by in Googling this issue. ;)
This link (http://buttersideup.com/docs/howto/IPMI_on_Debian.html ) describes the hardware and software involved, which is called IPMI and stands for Intelligent Platform Management Interface. Although the HOWTO part didn’t apply directly to my particular solution it cleared up a lot of my confusion over where these arps were coming from and why.
To quote the link above
IPMI stands for Intelligent Platform Management Interface and is an open standard for machine health, and control (including remote control), and is implemented by many hardware vendors – Intel is one of the originators, and early adopters of the standard. Here are some useful things that IPMI can do on the SR2300 with Linux:
* Check on hardware health, and report on problems (via the OS, or autonomously via the network)
* Provide a watchdog timer (in case the OS goes away, or programs can otherwise not run, the machine will be reset)
* Provide remote “lights out” access to both the Linux console, and the BIOS via ethernet (no serial concentrators, multi-port serial cards, or extra cabling required)
* Provide remote, OS independent control over the reset, and power buttons via ethernet (no funny remote control power sockets, relays, or other hacks required)
* Provide remote control of a server over a modem connection
* Make emergency remote management possible from a variety of simple devices (e.g. PDAs)
…It is useful to know a bit about how IPMI does its stuff – so I’ll give an overview, and try to bust some weird IPMI/Intel jargon. There is a second autonomous computer on the motherboard (or baseboard, in IPMI’s politically correct / obfuscated language), this is a very simple, low power-consumption device, which should operate as long as power is connected to the machine (including when the majority of the server is powered down) – in IPMI speak, this computer is called the BMC – the Baseboard Management Controller – it uses its own firmware, which is independent of the system BIOS.
If you have an Intel motherboard it comes with software to control the BMC in various ways, but unfortunately the software only works on Windows or Redhat/Fedora Linux, and after failed tries to get it to work remotely from another Windows machine and reading that the Linux package wouldn’t install properly on other versions of Linux (I didn’t try it on Ubuntu though) I decided to try the open source versions of IPMI.
Freeipmi (http://www.gnu.org/software/freeipmi/) and openipmi are two such programs and freeipmi worked for me in the end.
I couldn’t find a debian/ubuntu version of freeipmi but I did find this Fedora rpm version (http://rpmfind.net/linux/RPM/fedora/devel/x86_64/freeipmi-0.5.1-3.fc9.i386.html) which I was able to convert to a debian package using alien then install. I wasn’t sure how to compile and install the source version so this was “the path of least resistance” for me. :)
After downloading the .rpm file I did the following to install the package:
sudo alien -d ipmiutil-2.0.9-1.i386.rpm
sudo dpkg -i ipmiutil_2.0.9-2_i386.deb
sudo ln -s /usr/lib/libcrypto.so.0.9.8 /lib/libcrypto.so.4
From this long thread (http://www.nabble.com/problem-with-freeipmi-0.5.3-and-intel-SE7221BK1-E-td14865773.html) I found, I decided to try and load the three modules below, the third one gave me an error so it apparently wasn’t necessary, and in fact I don’t know if I needed to load any of them manually, but I went ahead and did it anyway.
sudo modprobe i2c-dev
sudo modprobe i2c-core
sudo modprobe i2c-i810
Once freeipmi was working (at least in a basic manner, afaik there are problems reading the sensors but I haven’t tried it) I was able to turn off the gratuitous arps by reading this user’s guide (http://gnu.freemirror.de/savannah-checkouts/gnu/freeipmi/freeipmi.pdf) and using the “bmc-config” command (with a change/correction for the --key-pair option based on “bmc-config --help”):
sudo bmc-config --commit --key-pair "Lan_Conf_Misc:Enable_Gratuitous_ARPs=No" -D SSIF \
  --driver-address=0x42 --driver-device=/dev/i2c-0 --register-spacing=1
The options in the command are particular to motherboards using the SSIF driver, for other types of boards I’d suggest reading this general description (http://openipmi.sourceforge.net/IPMI.txt), this Ubuntu thread (https://help.ubuntu.com/community/IPMI) or this other thread (http://wiki.adamsweet.org/doku.php?id=ipmi_on_linux) (they didn’t work for me but helped my understanding).
If anyone has any tips to add here please do, I arrived at this solution after lots of trial and error and I’m sure there’s a better/quicker way but this worked for me.
I’d like to use the ipmi software to monitor the hardware so any information on how to get this to work on my type of server board would be greatly appreciated. :)