[142998] in North American Network Operators' Group


Re: OOB

daemon@ATHENA.MIT.EDU (Tim Eberhard)
Tue Jul 26 10:31:13 2011

In-Reply-To: <CAB_zYd+Dswo=+YXSDz9qW4EKXX0LZE8i66rYDjFH+hXmhDpH5g@mail.gmail.com>
Date: Tue, 26 Jul 2011 09:30:43 -0500
From: Tim Eberhard <xmin0s@gmail.com>
To: harbor235 <harbor235@gmail.com>
Cc: NANOG list <nanog@nanog.org>
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org

In my experience, having your management run over production via VPN is
not a great idea. If possible, separate the two.

Having been in Ops for many, many years, and having worked on both a
well-built nationwide network with a dedicated management/OOB
infrastructure that is completely separate from the CDN, and on
a not-so-well-built nationwide network that is built as cheaply as
possible with VPNs running over the production CDN, I would highly
recommend separating the two.

No amount of policies or procedures will prevent your management
network from going down during critical times. In my experience, both
MTTR and the overall sanity of anyone working on that network start
to go down the drain, as they are always worried about impacting
management and isolating themselves, or, during an outage, are unable to fix
the problems at hand in a reasonable amount of time.

I understand not everyone can spend the money to have a dedicated
management infrastructure, but it's well worth every penny when done
correctly.

Just my 2 copper.
-Tim Eberhard

On Tue, Jul 26, 2011 at 8:57 AM, harbor235 <harbor235@gmail.com> wrote:

> My question is, is it best practice to extend an in-band VPN throughout for
> device management functions as well?
> And are all management services performed OOB, e.g. network management, some
> monitoring, logging, authentication, flow data, etc.? If a management VPN is
> used, is it also extended to managed customer devices?

