bevan at slattery.net.au
Sat Nov 21 06:43:07 UTC 2015
Well I'm happy to provide my experience. When I decided to build a new
data centre business back in 2010, I started with a simple premise. That
the core data centre experience must be controlled by browser and phone.
That system was (and still is called) ONEDC.
A key component of this is the ability for our customers to:
* Remotely lock and unlock racks from their phone (great for remote hands)
* Use Facility Prox swipe cards to lock/unlock racks in facility at swipe
points at end of aisle (did that back in 2008)
* Needed to provide users/customers the ability to add/remove their staff
(and their customers) access to racks including time of day, time of week
access as well as a per rack access granular level (handy if you have 10
racks in a row with 5 different customers so you can limit their access,
or a contractor with time of day access such as a tape swap out service)
* Full data output allowing me to provide real time audit logs (yes audit
logs for security).
We did some pretty cool stuff with power management/measurement etc. and
made a little video 3 years ago (my kids are playing soccer in the
https://www.youtube.com/watch?v=58vvIJOfBcE The product has come on a lot
since it launched (I left the company 2 years ago now).
So what did we do. I used to use a relay type system in 2007-10 in my
previous data centre life. It's pretty good but a bit "industrial". It's
also so 2007 (even 1990) and doesn't scale well when you are trying to do
3,000 racks and 6,000 doors per facility. I looked at the APC electronic
locking system, but the big issue is that some fool in product decided to
remove radius authentication, allowing a decent independent
The product I went with was TZ rack locking because:
* Solid product with background in remote post office/delivery locking
* Use "Shape Memory Alloy" system in which the lock mechanism is a fluid
type alloy that changes shape with voltage, rather than old school
* They look really cool, fit most racks and have some great features
(like delayed lock for 5 seconds in case you realise you left your
screwdriver in the rack :))
* Provided API Access so I can integrate it into our rack management
* Full log interface
They will try to ship you the entire product suite, but if you can commit
to decent scale they are flexible (API access, support etc.) and let you
integrate into the locks. I think NEXTDC has probably deployed about
10,000 doors and one of the old team at NEXTDC is now working for TZ and
he eats this stuff for breakfast. I can pass on his details if you wish.
Anyway I can definitely recommend TZ http://ixp.tz.net . In looking at
their website their product set and locking systems have expanded in the
last 2 years or so. Hope this helps.
On 21/11/2015 11:55 am, "NANOG on behalf of Jimmy Hess"
<nanog-bounces at nanog.org on behalf of mysidia at gmail.com> wrote:
>On Fri, Nov 20, 2015 at 2:37 PM, Kevin Burke
><kburke at burlingtontelecom.com> wrote:
>> What kind of experience do people have with rack access control systems
>> (electronic locks)? Anything I should pay attention to with the
>Overpriced, overkill for most real-world uses?
>High-Tech technology for technology's sake?
>Avoid them if you can. Within six months or so, at least once, there
>will probably be some glitch delaying or denying required prompt access.
>> We have half a dozen racks, mostly ours. Mostly I want something to log
>> who opened what door when. Cooling overhaul is next on the list but one
>It probably makes sense if there are more than a handful of people with
>unobserved physical access, and high frequency of access, or there's a
>trust issue, high-risk consideration. Or you have to satisfy a
>You're not going to be able to look at a log and see Joe opened it at
>12 months ago, and ever since then, the servers are not quite right.
>Consider manual procedures
>Example: Electronic access control to the actual rooms.
>A Robo-Key system (RKS), Keyvault, or Realtor lockboxes on
>each server rack ^_^
>Physical locks on cabinets. Key vault that supports multiple
>Then you don't need exotic hardware, just a good lock, and sound key
>I am imagining if you need to automate control of individual keys;
>that there will be more competing solutions for this than specialty rack
>Logging procedures for key access...
>Send an e-mail when someone opens the vault.
>Simple magnetic reed switches on all cabinet doors.
>Send an e-mail when a cabinet door is opened.
>Quite a few standard alarm panels can do those types of things.
>Assign someone to periodically check handwritten logs and check for
>> at a time. Even with cameras those janky make nobody happy.