OOB

Pierre-Yves Maunier nanog at maunier.org
Tue Jul 26 14:31:18 UTC 2011


Hello,

To administer our core backbone routers, management is done in-band; the
OOB is only a backup solution for when the router is not reachable.
For other things (like our DWDM infrastructure, which is RFC1918-addressed),
we use the OOB for administration.

Our OOB is done this way:

Our principal core infrastructure is in Paris, where we have our own dark fiber
backbone, so we decided to have a 'core OOB infrastructure': a layer 2
network dedicated to the OOB is built to cover all our POPs (with spanning
tree for path protection) on dedicated dark fibers. At all POPs we have
console servers (Opengear) that allow us to access our routers' console ports
remotely.
We also have 2 small Juniper firewalls in a cluster to connect the 'outside
Paris' remote sites with VPNs.

At the POPs outside Paris we have a basic layer 2 switch, a firewall and a
console server, and we take IP connectivity from somebody onsite; the
firewall has a VPN to the 'core OOB infrastructure' in Paris, which allows us
to access everything.

IP connectivity for the core OOB infrastructure is provided by our
network, with backup IP connectivity from another provider, which allows us
to access everything in our backbone in case of a total blackout on our AS.

Pierre-Yves

2011/7/26 harbor235 <harbor235 at gmail.com>

> I am curious what is the best practice for OOB for a core
> infrastructure environment. Obviously, there is
> an OOB kit for customer-managed devices via POTS, Ethernet, etc ... And
> there is OOB for core infrastructure,
> typically a separate basic network that utilizes diverse carrier and
> diverse path when available.
>
> My question is, is it best practice to extend an in-band VPN throughout for
> device management functions as well?
> And are all management services performed OOB, e.g. network management, some
> monitoring, logging,
> authentication, flow data, etc ..... If a management VPN is used, is it also
> extended to managed customer devices?
>
> What else can be done for remote management and troubleshooting
> capabilities?
>
> Mike
>

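The design in the reply above (in-band management over the operator's own AS, a core OOB layer 2 network in Paris with console servers at every POP, remote POPs whose OOB firewall runs a VPN back to Paris over an onsite third-party feed, and a second, backup provider into the core OOB) is easy to reason about on paper and easy to get subtly wrong in practice, because a hidden shared dependency only shows up on the day the AS is actually dark. The script below is an added example, not code from the post or from the poster's network: it models that design as a small graph whose links each ride on named failure domains, then asks which routers an engineer can still reach with a given set of domains down, and which combinations of domains cut something off. Every node, link and domain name (own_as, backup_isp, oob_fibre, lyon_onsite_isp, ...) is a constructed, hypothetical topology standing in for the real one.

```python
"""Shared-fate check for an out-of-band (OOB) management design.

Added example; the topology below is constructed and hypothetical, not the
poster's network.  It encodes the design described in the post:

  * in-band management of core routers over the operator's own AS,
  * a core OOB L2 network in Paris (dedicated dark fibre, STP-protected)
    with a console server at each POP,
  * a remote POP whose OOB firewall keeps a VPN up to Paris over an
    onsite third-party ISP,
  * IP connectivity into the core OOB both from the own AS and from a
    backup provider.
"""
from collections import deque
from itertools import combinations

# (node_a, node_b, failure domains the link depends on).  A link is usable
# only while every one of its domains is up; links are bidirectional.
LINKS = [
    # In-band management: engineer -> router over the production AS.
    ("engineer", "router_paris1", {"own_as"}),
    ("engineer", "router_lyon1", {"own_as"}),
    # Into the core OOB firewall pair: via the own AS, or via the backup ISP.
    ("engineer", "oob_fw_paris", {"own_as"}),
    ("engineer", "oob_fw_paris", {"backup_isp"}),
    # Core OOB L2 network on dedicated dark fibre down to the Paris console server.
    ("oob_fw_paris", "oob_l2_paris", {"oob_fibre"}),
    ("oob_l2_paris", "console_paris1", {"oob_fibre"}),
    ("console_paris1", "router_paris1", {"paris_oob_local"}),   # serial cable
    # Remote POP: the VPN rides the onsite ISP plus ONE of the two upstreams
    # into Paris; two parallel links model that OR.
    ("oob_fw_lyon", "oob_fw_paris", {"lyon_onsite_isp", "own_as"}),
    ("oob_fw_lyon", "oob_fw_paris", {"lyon_onsite_isp", "backup_isp"}),
    ("oob_fw_lyon", "console_lyon", {"lyon_oob_local"}),       # local OOB switch
    ("console_lyon", "router_lyon1", {"lyon_oob_local"}),      # serial cable
]

TARGETS = ("router_paris1", "router_lyon1")


def reachable(start, down, links=LINKS):
    """Nodes reachable from `start` while the failure domains in `down` are out."""
    down = set(down)
    adj = {}
    for a, b, deps in links:
        if deps & down:
            continue  # link rides on something that is down
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {start}, deque([start])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def unreachable_targets(down, targets=TARGETS, start="engineer", links=LINKS):
    """Targets the engineer can reach neither in-band nor OOB with `down` out."""
    ok = reachable(start, down, links)
    return sorted(t for t in targets if t not in ok)


def cut_sets(size, targets=TARGETS, start="engineer", links=LINKS):
    """Every combination of `size` failure domains whose joint loss cuts off
    at least one target, mapped to the targets it cuts off."""
    domains = sorted(set().union(*(deps for _, _, deps in links)))
    result = {}
    for combo in combinations(domains, size):
        lost = unreachable_targets(set(combo), targets, start, links)
        if lost:
            result[frozenset(combo)] = tuple(lost)
    return result


if __name__ == "__main__":
    print("own AS dark:", unreachable_targets({"own_as"}) or "everything reachable")
    print("own AS + backup ISP dark:", unreachable_targets({"own_as", "backup_isp"}))
    print("single points of failure:", cut_sets(1) or "none")
    for combo, lost in sorted(cut_sets(2).items(), key=lambda kv: sorted(kv[0])):
        print("double failure", sorted(combo), "cuts off", lost)
```

On this constructed topology no single domain cuts anything off, and every double failure that does includes own_as: in-band access masks every OOB-side fault while the AS is up. That is the practical caveat behind the post's "total blackout" requirement: the OOB path (backup provider, dark fibre, the remote VPNs) has to be exercised and monitored on its own, or its failure is first discovered the day the AS goes dark.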


More information about the NANOG mailing list