
For OOBM: best use dedicated management port or console port?

JLaay
Level 1

Hi all,

 

At work we are discussing the implementation of an OOBM network.

This will be a completely separated network with its own firewalls to connect to from the Internet or a separate in-house network.

On the firewalls (we have two sites) an OOBM switch will be connected. This OOBM switch will be connected through fiber with OOBM switches in e.g. the server room. From that OOBM switch a connection will be made to a production switch on the management IP port.

That's where a discussion followed, because a colleague says that in case of a breakdown of the production network/switches it is best to use a serial console switch that connects to the console port of the data switch instead of the management IP port.

 

My questions:

- Is the usage of the console or management IP port better suited in case of a calamity on the dataplane of network devices?

- And of course why is that :) ? Better separation from the dataplane, better/more functionality?

- I just want to be sure, because in case it is best to use the serial console port we'll also have to implement/buy serial console switches.

 

Thanks Jaap

 

 

 

3 Replies

marce1000
VIP

 

 - In my opinion, but others may differ, I tend to believe that the serial console port(-access) must not belong to the OOBM spectrum and/or infrastructure. It comes into play on 'fundamental' device failure, when in that case the term OOBM has lost its meaning already. I would stick to separate networking for the management ports.

 M.



-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

Hello Marce(l)?,

 

First, thanks for your reply.

I can agree with you in terms of concept/theory that a serial console port should not be a part of an OOBM network.

From a practical point of view I do not ….. right away :) 

If there is a problem on the network, be it because of e.g. a broadcast storm or software problem on a network device after an upgrade, I want to be able to reach it, solve the problem and avoid loss of time to get on site.

Personally I think that the best option is the management IP interface in respect to functionality.

However, I have to convince my colleagues and there is not much info on OOBM networks.

Besides just being able to reach the devices I, for instance, would like to put the monitoring server on the OOBM network instead of on the production network to be able to better pinpoint where a problem might be. But then I must know that it is possible to send e.g. SNMP traps through the management IP interface.

 

Greetz Jaap

>...

> If there is a problem on the network, be it because of e.g. a broadcast storm or software problem on a network device after an upgrade, I want to be able to reach it, solve the problem and avoid loss of time to get on site.

 - That also applies to the local Intranet; in that case you need a physically separated management network (and/or a VLAN that is not part of the 'user-Intranet'). As far as monitoring servers/services are concerned, that all depends on requirements; sometimes it 'really' needs to monitor vital Intranet components too, which could for instance not be done from an isolated management network. It all depends.

 

 - SNMP traps can indeed be forwarded to the management interface. Depending on the switch type, some kind of special 'construct' of IOS command is needed.

 

 M.


