IPMI Sideband NIC Sharing: How OS and BMC Share an Ethernet Port with Different MACs and IPs



When implementing IPMI sideband networking on Supermicro platforms, the system employs a clever hardware-level packet filtering mechanism. The BMC (Baseboard Management Controller) and host OS share the same physical NIC but operate as logically separate network interfaces.

// Example of how packets might be routed differently
if (packet.dmac == bmc_mac) {
    redirect_to_bmc(packet);
} else if (packet.dmac == host_mac) {
    forward_to_os(packet);
} else {
    drop_packet();
}

Contrary to initial assumptions, the IPMI system actually uses a different MAC address from the host OS, despite what some documentation might suggest. The confusion stems from:

  • Base MAC being assigned to the physical NIC
  • BMC using MAC+1 offset (common implementation)
  • Virtual MAC addresses for sideband traffic

The network controller hardware includes special filtering logic:

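/* Linux-kernel-style sketch of the NIC sharing filter (simplified).
 * IPMI_ETH_TYPE and the BPF_* return values are illustrative placeholders,
 * not real kernel symbols. */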
static int nic_filter(struct sk_buff *skb) {
    if (skb->protocol == IPMI_ETH_TYPE) {
        return BPF_REDIRECT_BMC;
    }
    return BPF_PROCEED;
}

Key security considerations for sideband implementations:

Layer    | Host OS Visibility | BMC Visibility
---------|--------------------|-----------------------
L2 (MAC) | Filtered by NIC    | Direct access
L3 (IP)  | Only assigned IPs  | Separate network stack

For Supermicro X11 systems using ipmitool:

# Set shared NIC mode
ipmitool raw 0x0c 0x01 0x08 0x00

# Verify BMC network settings
ipmitool lan print 1

# Configure separate IP (important!)
ipmitool lan set 1 ipsrc static
ipmitool lan set 1 ipaddr 192.168.1.100
ipmitool lan set 1 netmask 255.255.255.0

The hardware filtering occurs before packets reach the CPU:

  • BMC packets never hit host interrupts
  • No CPU overhead for IPMI traffic
  • NIC hardware queues maintain separation

Network traffic shaping example:

# tc qdisc for NIC sharing (Linux)
tc qdisc add dev eth0 root handle 1: htb default 1
tc class add dev eth0 parent 1: classid 1:1 htb rate 900mbit
tc class add dev eth0 parent 1: classid 1:2 htb rate 100mbit
tc filter add dev eth0 protocol ip parent 1:0 prio 1 u32 \
    match ip dst 192.168.1.100/32 flowid 1:2

Common diagnostic commands:

# Check NIC sharing status
ethtool --show-features eth0 | grep -i shared

# Review the BMC System Event Log (SEL)
ipmitool sel elist

# Verify MAC address assignment
ipmitool lan print 1 | grep "MAC Address"
ip link show eth0

When using IPMI sideband networking on Supermicro systems, the physical NIC becomes a shared resource between two logical endpoints:

  1. The host operating system's network stack
  2. The Baseboard Management Controller (BMC)

This sharing occurs at the hardware level through specialized NIC capabilities. Modern server NICs (particularly those from Intel and Broadcom) include packet filtering logic in their firmware to implement this separation.

The apparent MAC address conflict mentioned in Supermicro documentation is resolved through VLAN tagging. Here's the technical breakdown:

# Typical configuration showing separate VLANs
ipmitool lan set 1 ipsrc static
ipmitool lan set 1 ipaddr 192.168.1.100
ipmitool lan set 1 netmask 255.255.255.0
ipmitool lan set 1 vlan id 4090
ipmitool lan set 1 defgw ipaddr 192.168.1.1

The NIC's firmware performs this decision tree for incoming packets:

  1. Check VLAN tag (if present)
    • VLAN 4090 → BMC processing
    • Untagged or other VLAN → Host OS
  2. For untagged packets, inspect destination IP against BMC's IP range
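
The decision tree above as a small C model, added here as an illustration; it is not NIC firmware and not code from the original page. The struct, function names and sample frames are constructed, a single BMC address stands in for the "IP range", and dropping truncated frames is an assumed policy.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum verdict { TO_HOST, TO_BMC, DROP };

/* Assumed filter settings, using the page's example VLAN and BMC address. */
struct bmc_filter { uint16_t vlan_id; uint8_t ip[4]; };

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Software model of the decision tree: VLAN tag first, then destination IP. */
enum verdict classify(const struct bmc_filter *f, const uint8_t *frame, size_t len)
{
    if (len < 14)
        return DROP;                          /* truncated Ethernet header (assumed policy) */
    uint16_t ethertype = be16(frame + 12);
    if (ethertype == 0x8100) {                /* 802.1Q tag present */
        if (len < 18)
            return DROP;                      /* truncated VLAN tag */
        uint16_t vid = be16(frame + 14) & 0x0FFF;   /* VLAN ID = low 12 bits of TCI */
        return vid == f->vlan_id ? TO_BMC : TO_HOST;
    }
    if (ethertype == 0x0800) {                /* untagged IPv4 */
        if (len < 14 + 20)
            return DROP;                      /* truncated IPv4 header */
        if (memcmp(frame + 14 + 16, f->ip, 4) == 0)
            return TO_BMC;                    /* destination address is the BMC's */
    }
    return TO_HOST;                           /* everything else goes to the host OS */
}

/* Constructed sample frames (MAC fields left zero; the model does not inspect them). */
static const uint8_t sample_tagged[18]   = { [12] = 0x81, 0x00, 0x0F, 0xFA, 0x08, 0x00 };
static const uint8_t sample_untagged[34] = { [12] = 0x08, 0x00, 0x45, [30] = 192, 168, 1, 100 };

int main(void)
{
    struct bmc_filter f = { 4090, { 192, 168, 1, 100 } };
    printf("tagged, VLAN 4090:   %d\n", classify(&f, sample_tagged, sizeof sample_tagged));
    printf("untagged, to BMC IP: %d\n", classify(&f, sample_untagged, sizeof sample_untagged));
    return 0;
}
```

In this model an untagged frame addressed to the BMC's IP still reaches the BMC, so VLAN 4090 alone does not keep management traffic off the untagged segment.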

The BMC traffic bypasses the host CPU through these mechanisms:

Feature           | Host OS Path                 | BMC Path
------------------|------------------------------|------------------------------
Packet Processing | CPU interrupts               | Direct to BMC via sideband
Visibility        | Full packet capture possible | Only via dedicated IPMI tools

Here's how to properly configure both ends on a Linux system:

# On the host OS (Ubuntu example):
sudo ip link add link eth0 name eth0.4090 type vlan id 4090
sudo ip addr add 192.168.1.101/24 dev eth0.4090
sudo ip link set dev eth0.4090 up

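# For IPMI access (requires ipmitool; "admin" and "password" are placeholders).
# -P exposes the password in shell history and the process list; ipmitool also
# accepts -E (read it from the IPMI_PASSWORD environment variable) or -f <file>.
sudo ipmitool -I lanplus -H 192.168.1.100 -U admin -P password chassis status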

The key advantage is that all BMC traffic remains isolated at the hardware level, while maintaining a single physical connection.