2025-02-27 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
In real life, whether it is a traditional large campus network, a carrier network, or today's popular data center and virtualization technologies, the result is ultimately a large number of stacked network devices and servers. When a network or server goes down because of a software failure or human error, how to log in to the faulty equipment and restore service quickly becomes a hard problem for operations staff.
If the network has a complete OOB (out-of-band) network, then when a failure occurs the network control center can log in to the out-of-band management interface or console interface of the affected network device or server through that network, obtain and correct the fault information as quickly as possible, or collect log files and report them to the vendor. Isn't that beautiful?
Definition of an OOB Network and Analysis of Current Network Problems
Before describing the solution in detail, let us make clear what an OOB out-of-band network is.
OOB stands for Out Of Band. An OOB network is an independent network, not associated with any business data network, through which the network control center can connect to the management interface or console of every server or network device. Because this management traffic is not affected by a major failure of the business data network, it is called out-of-band; its counterpart is the in-band network.
Why do I need an OOB network?
Many enterprises and carriers, when carrying out planned remote network or system maintenance, arrange remote on-duty staff or temporarily resident engineers in advance. If a system cannot start because of a software bug, the resident engineer goes to the site and connects to the out-of-band interface or console to help the remote engineer troubleshoot and restore service.
There are two disadvantages to this approach:
On the one hand, the resident engineer may be less experienced and less qualified than the engineer performing the planned work remotely, which slows troubleshooting and prolongs the outage. The end result is an impact on network KPIs and a very poor customer experience.
On the other hand, both the on-duty staff and the resident engineer cost money. In the long run, every planned maintenance window needs a resident on standby, even though most maintenance does not actually cause a serious failure; the resident engineer is there "just in case".
For large enterprises, and even more so for carriers whose network is large and whose nodes are distributed across the country, these problems are magnified. Imagine an enterprise headquartered in Beijing managing the company's nodes nationwide without an OOB network: relying on a large number of resident engineers to assist with maintenance is time-consuming and laborious.
Solution
If an OOB network is introduced, it is a reassurance both for the engineer doing planned maintenance and for the daily operations engineer. Whatever happens, the engineer can immediately log in to the remote faulty device through the OOB network, troubleshoot the fault and restore service in time. To some extent the OOB network can be regarded as the lifesaver of IT equipment.
Real OOB or fake OOB?
Some readers may say: all the out-of-band interfaces and console interfaces of our equipment are already interconnected through network devices, and we can log in to the devices anytime and anywhere through them.
However, in my years of experience I have found that many enterprises, in order to save management costs, simply connect the out-of-band interfaces and the console-to-Ethernet converters directly to the business switch or router.
When the corporate network is working properly, everything is fine. But if a network failure occurs, it is very likely to also affect these "out-of-band management" and console devices, rendering them useless precisely when they are needed.
This is a fake OOB network!
How to build an OOB network correctly
To build the OOB network correctly, we need to meet the following requirements:
1. The OOB network must be completely independent of the business network.
How is complete independence from the business network achieved?
For an enterprise: if the business network is bought from carrier A, buy wide-area access from carrier B to reach the OOB sites at the important network nodes across the country and connect them to the OOB core node at company headquarters.
For a carrier: either deploy an independent OOB optical network, or lease another carrier's wide-area network to build its own independent OOB network.
2. The network needs to cover all important network nodes of the enterprise or carrier, both domestic and international.
"Important network nodes" are those whose failure would cause a serious regional service interruption, such as the core switch or router in the server room of an enterprise's remote node; for a carrier, a PE router, P router or BNG.
What is an international node? As more and more Chinese companies go abroad, it is common for companies to set up branches overseas, so for the domestic headquarters, remote OOB management of overseas nodes is especially important. Carriers likewise have many overseas PE routers. All of these need the protection of the OOB network.
Unlike domestic OOB nodes, it is difficult to find a single independent carrier that can build an OOB network covering both domestic and international nodes. Here the Internet has to be used to reach overseas OOB nodes: the headquarters OOB site connects to the Internet through the local carrier, and each overseas OOB site gets Internet access from its local carrier.
3. When connecting international nodes, a secure communication mechanism is needed to protect the privacy of the OOB network.
As mentioned above, the Internet is needed for communication with international nodes. The Internet itself is not trusted, and in daily work most network management traffic is plaintext. To solve this we need a security mechanism that makes the communication between the domestic headquarters OOB network and the overseas branch OOB equipment secure and reliable.
4. 7x24 high availability.
5. Through the OOB network, you can connect to the out-of-band interface of network equipment, the iLO port of servers, and, most importantly, the console port and other management interfaces.
6. It has the ability to monitor the node environment, such as, but not limited to, door-open/door-close switches on the front and back of the cabinet, and the cabinet temperature.
Monitoring the environment of nodes is as important as monitoring the health of the equipment software; only when the physical security of the equipment is assured is software monitoring meaningful. For example, we need to monitor whether a cabinet door is opened without authorization; if that happens, the headquarters administrator should receive an alarm.
Selection of OOB network equipment
Like the business network, the OOB network needs network equipment to support it. Compared with the business network, however, the OOB network has the following characteristics:
Low bandwidth: ssh/telnet/SNMP and other management traffic use very little bandwidth. There are occasional cases such as out-of-band FTP or SCP transfer of upgrade files, but overall the throughput requirements are not high.
Certain security requirements: firewall functions, IPsec VPN support and so on.
The console-to-Ethernet equipment, as mentioned in the OOB requirements above, needs not only the basic Ethernet-to-console function but also ambient temperature sensing and, through its DIO interface, a small trigger switch to detect the opening of the cabinet door.
# example of selection #
Based on the analysis, the selection is as follows (taking Juniper as an example):
OOB network router:
Headquarters: 2 x SRX300 in cluster mode, with 1Gbps fiber.
Juniper's latest low-end enterprise firewall supports all the routing protocols (RIP, OSPF, BGP, etc.), switching functions, and, being a firewall, fine-grained security policies. All ports are 1Gbps Ethernet, with 1Gbps optical ports.
Branch office: SRX110, with a 100Mbps Ethernet uplink or an ADSL/VDSL uplink.
Like the SRX300, it supports all the routing protocols, switching and firewall functions; its RJ11 interface supports xDSL. Its Ethernet ports are 100Mbps.
OOB console converter (taking Opengear as an example):
Branch: Opengear remote console gateway, in different models depending on the number of console ports. Supports a temperature sensor and a programmable DIO interface.
(Note: the Opengear in the figure below even supports 3G/4G. In locations with no wired OOB connection, such as some outdoor sites, the 3G/4G version of Opengear can be used for remote OOB management.)
These are just examples of equipment selection; you can use similar products to achieve the same effect according to your own needs and local market conditions.
Network design
After the equipment selection is complete, the next step is the network design. From the analysis of the OOB network requirements, the following network framework is obtained, as shown below:
Technical details
Number of OOB devices
The number of OOB devices includes the number of SRX110s and the number of Opengears. On each SRX110, one interface is reserved to connect to the Opengear's Ethernet interface; the remaining Ethernet interfaces connect to the out-of-band management interfaces of the business devices, such as the fxp0 interface of Juniper devices.
Engineers therefore need to work out how many business devices each remote OOB site must reach, and how many out-of-band management or iLO interfaces each device has; this determines the number of SRX110 interfaces required. If the number of out-of-band management ports exceeds the number of SRX110 Ethernet interfaces, a layer-2 switch can be hung below the SRX110 to make up the shortfall.
Engineers also need to count the number of business-device consoles to be connected to the OOB network at each site, and purchase the corresponding Opengear equipment accordingly.
Subnetting
In the OOB network, IP addresses are required in several places:
1. Each remote OOB site (domestic and international) needs its own subnet, covering the SRX110 subnet gateway, the Opengear Ethernet interface (which serves as the console login address), and the out-of-band interfaces of the business equipment.
2. A point-to-point address pair is needed between each domestic remote OOB site's SRX110 and the OOB central router SRX300 for interconnection.
3. A point-to-point interconnection is needed between the network management center and the OOB central node SRX300, which also requires IP addresses.
4. Finally, Internet addresses: the SRX300 needs a public Internet address from the local carrier for its peer, and the overseas OOB nodes also need Internet addresses from their local carriers.
Interconnection
At layer 3, the routing interconnection of the domestic OOB network and the international OOB network is implemented differently.
Let's start with the domestic OOB network:
Carrier B's wide-area network connects the OOB nodes, so the routing protocol depends on the service carrier B provides.
There are two situations:
1. If carrier B allocates a VLAN ID per OOB site and carries each VLAN at layer 2 to the headquarters SRX300 (a layer-2 broadcast service inside the carrier), the SRX300 is configured with a point-to-multipoint (P2MP) interface connecting all domestic remote sites and runs OSPF on it, so headquarters learns the subnets of all OOB sites. In addition, the headquarters SRX300 advertises a default route to each branch OOB site via OSPF.
2. If carrier B builds a layer-3 VRF for the OOB network, all domestic remote OOB nodes learn their default gateway from carrier B via PPPoE. The OOB central node is on an optical fiber private line, so the SRX300 can run BGP with carrier B's PE to learn the subnets of all domestic remote OOB sites.
For international OOB sites:
Because the data crosses the Internet, it is critical to secure the communication between overseas OOB sites and the central OOB site; an IPsec site-to-site VPN is the natural choice. By establishing an IPsec tunnel between the overseas site and the central site, all network management traffic, including plaintext protocols such as SNMP, FTP and telnet, is protected in transit. Even so, prefer SSH, SCP and SNMPv3 over telnet, FTP and SNMPv1/v2c wherever the devices support them, because the tunnel protects only the hop across the Internet.
To interconnect the central OOB site with the overseas sites, depending on their number, either run OSPF across the tunnels for dynamic learning, or, when there are few sites, configure static routes manually.
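The subnetting list and the interconnection section above can be turned into one script. The following is an added example, not the article's own code: it carves the address plan (one subnet per site, one /31 per hub-to-site link) and renders the Junos set-commands for the SRX300 hub, with OSPF plus default-route origination toward domestic sites and route-based IPsec plus static routes toward overseas sites. Every prefix, hostname, VLAN id, interface name and pre-shared-key placeholder is an assumption; carrier B is modelled as handing off one VLAN per domestic site, each terminated on the hub as its own /31 OSPF point-to-point link rather than a single P2MP segment.

```python
"""Address plan and hub configuration for the OOB design above (added example).
All prefixes, names, VLAN ids and interfaces are assumptions for illustration."""
import ipaddress

# Constructed inputs (assumptions).
OOB_SUPERNET = ipaddress.ip_network("10.255.0.0/16")  # whole OOB address space
NOC_NEXT_HOP = "10.254.0.1"      # NOC side of the NOC<->SRX300 link (item 3)
HUB_NOC_IFL = "ge-0/0/2.0"       # hub interface toward the NOC
HUB_WAN_IFD = "ge-0/0/1"         # carrier B hand-off carrying the site VLANs
HUB_INET_IFL = "ge-0/0/0.0"      # hub Internet interface used for IPsec (item 4)
SITES = [  # (site name, domestic?, carrier VLAN id, overseas Internet IP)
    ("beijing-dc1", True, 101, None),
    ("shanghai-pop", True, 102, None),
    ("frankfurt-branch", False, None, "198.51.100.20"),
]


def build_plan(supernet=OOB_SUPERNET, sites=SITES):
    """Items 1 and 2 of the subnetting list: one /24 per site (.1 SRX110 gateway,
    .2 Opengear login address, .3 upward fxp0/iLO ports of business devices) and
    one /31 per site for the hub<->site link, taken from the supernet's last /24."""
    site_nets = list(supernet.subnets(new_prefix=24))
    p2p_links = site_nets.pop().subnets(new_prefix=31)
    plan = {}
    for (name, domestic, vlan, inet_ip), net in zip(sites, site_nets):
        hosts = list(net.hosts())
        link = next(p2p_links)
        hub_ip, site_ip = list(link)   # RFC 3021: both addresses of a /31 are usable
        plan[name] = dict(domestic=domestic, vlan=vlan, internet_ip=inet_ip,
                          site_net=net, gateway=hosts[0], opengear=hosts[1],
                          first_mgmt=hosts[2], hub_p2p=hub_ip, site_p2p=site_ip)
    return plan


def render_hub(plan):
    """Junos set-commands for the SRX300 hub: OSPF p2p adjacency and default-route
    origination toward domestic sites, route-based IPsec (st0 unit plus static
    route) toward overseas sites, and a NOC->sites management-only policy."""
    cfg = [
        f"set routing-options static route 0.0.0.0/0 next-hop {NOC_NEXT_HOP}",
        "set policy-options policy-statement OOB-DEFAULT term 1 from protocol static",
        "set policy-options policy-statement OOB-DEFAULT term 1 from route-filter 0.0.0.0/0 exact",
        "set policy-options policy-statement OOB-DEFAULT term 1 then accept",
        "set protocols ospf export OOB-DEFAULT",
        f"set interfaces {HUB_WAN_IFD} vlan-tagging",
        f"set security zones security-zone noc interfaces {HUB_NOC_IFL}",
        "set security ike proposal OOB-IKE authentication-method pre-shared-keys",
        "set security ike proposal OOB-IKE dh-group group14",
        "set security ike proposal OOB-IKE authentication-algorithm sha-256",
        "set security ike proposal OOB-IKE encryption-algorithm aes-256-cbc",
        "set security ipsec proposal OOB-ESP protocol esp",
        "set security ipsec proposal OOB-ESP authentication-algorithm hmac-sha-256-128",
        "set security ipsec proposal OOB-ESP encryption-algorithm aes-256-cbc",
        "set security ipsec policy OOB-IPSEC-POL perfect-forward-secrecy keys group14",
        "set security ipsec policy OOB-IPSEC-POL proposals OOB-ESP",
    ]
    st0_unit = 0
    for name, s in plan.items():
        if s["domestic"]:
            ifl = f"{HUB_WAN_IFD}.{s['vlan']}"
            cfg += [
                f"set interfaces {HUB_WAN_IFD} unit {s['vlan']} vlan-id {s['vlan']}",
                f"set interfaces {HUB_WAN_IFD} unit {s['vlan']} family inet address {s['hub_p2p']}/31",
                f"set protocols ospf area 0.0.0.0 interface {ifl} interface-type p2p",
                f"set security zones security-zone oob-sites interfaces {ifl}",
            ]
        else:
            ifl = f"st0.{st0_unit}"
            # One IKE policy per overseas site so every site has its own PSK; the
            # placeholder is a hypothetical value replaced out of band before commit.
            cfg += [
                f"set security ike policy IKE-{name} proposals OOB-IKE",
                f'set security ike policy IKE-{name} pre-shared-key ascii-text "<psk-for-{name}>"',
                f"set security ike gateway GW-{name} ike-policy IKE-{name}",
                f"set security ike gateway GW-{name} address {s['internet_ip']}",
                f"set security ike gateway GW-{name} external-interface {HUB_INET_IFL}",
                f"set security ipsec vpn VPN-{name} bind-interface {ifl}",
                f"set security ipsec vpn VPN-{name} ike gateway GW-{name}",
                f"set security ipsec vpn VPN-{name} ike ipsec-policy OOB-IPSEC-POL",
                f"set security ipsec vpn VPN-{name} establish-tunnels immediately",
                f"set interfaces st0 unit {st0_unit} family inet address {s['hub_p2p']}/31",
                f"set routing-options static route {s['site_net']} next-hop {ifl}",
                f"set security zones security-zone oob-sites interfaces {ifl}",
            ]
            st0_unit += 1
    # Only management protocols initiated from the NOC zone reach the sites; the
    # reverse direction has no policy and is therefore denied by default.
    cfg += [
        "set applications application oob-snmp protocol udp destination-port 161",
        "set security policies from-zone noc to-zone oob-sites policy mgmt match source-address any",
        "set security policies from-zone noc to-zone oob-sites policy mgmt match destination-address any",
        "set security policies from-zone noc to-zone oob-sites policy mgmt match application [ junos-ssh junos-https oob-snmp ]",
        "set security policies from-zone noc to-zone oob-sites policy mgmt then permit",
    ]
    return cfg
```

Running `print("\n".join(render_hub(build_plan())))` prints the hub's set-commands; the branch SRX110s are the mirror image (their /31 address from `site_p2p`, an OSPF p2p interface on the carrier VLAN, or the matching IKE gateway pointing at the hub's Internet address). The security policy deliberately lists only SSH, HTTPS (iLO) and SNMP; add telnet or FTP only for devices that cannot do better, and keep the zone pair one-directional so a compromised remote site cannot initiate sessions toward the NOC.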
Summary
This article has summarized the definition of an OOB out-of-band network and the importance of separating the business network from the out-of-band network, and has described how to build a secure and complete OOB network.
Once the OOB network is built, it reduces unnecessary waste of the company's project resources and greatly reduces the pressure on operations engineers. After all, when software bugs and other failures strike, we still have a lifesaver.
Thank you for your attention!