OOB mgmt, inband mgmt and infrastructure best practice

apache_le
Beginner

Hi all,

I am looking for best practice concerning out-of-band mgmt, inband mgmt, and infrastructure mgmt (vCenter, ESXi mgmt, ACS, Prime, etc.).

For out-of-band and inband mgmt:

.  Do you connect oob connections to a separate external switch such as 2960 or directly into the fabric?

.  Do you usually configure both inband and out-of-band mgmt or either?

For the infrastructure like vCenter, ESXi mgmt, ACS appliances, do you connect these to external switches which have an L3 connection into the fabric, or directly into the fabric?  If directly into the fabric, do you place these services into the default "mgmt" tenant?

Thanks.

14 Replies

Philip D'Ath
Advisor

This is a question with a lot of right answers.  It depends hugely on your security posture, perceived risks, and role separation of teams inside of your company.

For example, if you have one IT team, where everyone does everything (so there is no role separation), and a single site, then out of band management seems overkill.  Simple in-band management would be preferred.  Your IT team just wants to get on the kit and do their job.

Let's say you have multiple dark data centres.  You are probably more interested in OOB, so that when something goes badly wrong you can still get in via an independent network and fix the issue.

Let's say you have a large IT team, with role separation.  You have a team of ESX engineers.  A team of switching engineers.  A security team.  A storage team.  You are going to want multiple separate management networks not connected to the primary routing plane.

Hi d.path,

Thanks for your response.  So I understand that in the case of a large IT team with role separation, the best is to have the OOB connections in a separate external switch with a firewall.  That way, via the firewall, I can control what each individual team can manage.  What happens if, because of cost, the external switch and firewall are not an option; how can you achieve the same objective?  I assume the OOB connections will be connected to the fabric?  Can you elaborate on "multiple separate management networks not connected to the primary routing plane"?  Thanks.

If there is a large team then the cost of an extra switch would be equal to one day's pay of the large IT team.  I would be discussing the relative costs with the person making a purchasing decision.  It would be silly to skimp on this area for what is a trivial cost for a company of this size.

Failing that, yes, just create an extra VLAN and put all of the management into that.  However it is now only partially out of band.

Multiple networks.  Let's say you have 1000 physical servers running VMware and a team of VMware specialists running all sorts of VMware products.

Let's say you have 100 physical firewalls and a team of firewall specialists running that.

Is there really any need for the firewall management team and VMware management team to share the management plane?  There is a far greater chance a human accident in one team will affect the other team's service.
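As an added illustration of the "extra VLAN" approach and the per-team separation discussed in the replies above (a constructed example, not configuration posted by either participant; the VRF name, VLAN numbers, port assignments and 10.255.0.0/16 addressing are assumptions), this is the shape such a setup takes on a small dedicated management switch with L3 capability:

```cisco
! Constructed example, not configuration from this thread.
! One management VRF keeps the team VLANs off the production routing plane;
! per-VLAN ACLs decide which team's jump-host subnet may reach which devices.
vrf definition MGMT
 address-family ipv4
 exit-address-family
!
vlan 900
 name VMWARE-MGMT
vlan 901
 name FIREWALL-MGMT
vlan 999
 name MGMT-JUMPHOSTS
!
! Only the VMware team's jump hosts (10.255.99.0/25) reach ESXi/vCenter mgmt
ip access-list extended TO-VMWARE-MGMT
 permit ip 10.255.99.0 0.0.0.127 10.255.0.0 0.0.0.255
 deny   ip any any log
!
! Only the firewall team's jump hosts (10.255.99.128/25) reach firewall mgmt
ip access-list extended TO-FIREWALL-MGMT
 permit ip 10.255.99.128 0.0.0.127 10.255.1.0 0.0.0.255
 deny   ip any any log
!
interface Vlan900
 vrf forwarding MGMT
 ip address 10.255.0.1 255.255.255.0
 ip access-group TO-VMWARE-MGMT out
!
interface Vlan901
 vrf forwarding MGMT
 ip address 10.255.1.1 255.255.255.0
 ip access-group TO-FIREWALL-MGMT out
!
interface Vlan999
 vrf forwarding MGMT
 ip address 10.255.99.1 255.255.255.0
!
! Access ports for the devices' dedicated management NICs
interface GigabitEthernet1/0/1
 description ESXi-host-01 vmk0 (mgmt)
 switchport mode access
 switchport access vlan 900
 spanning-tree portfast
!
interface GigabitEthernet1/0/24
 description Firewall-01 mgmt0
 switchport mode access
 switchport access vlan 901
 spanning-tree portfast
```

Because the MGMT VRF carries no routes to the production network, a mistake in one team's management VLAN cannot leak into the primary routing plane, which is the separation Philip describes; it is still only partially out of band if the switch itself shares the production uplinks.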