Cisco – How to configure OOB access via IP

Tags: acl, cisco, oob, router, vrf

Single Cisco IOS device in a remote DC. I have an OOB connection delivered into the rack (a length of Cat5e into my rack from another onsite provider's rack, who have diverse routes from my own in and out of the building), which is simply an L3 connection to the Internet; a /29 is delivered down it.

VTY access via Telnet or SSH is typically limited by an access list to on-net devices, with IPs local to the network/AS. This remote router is in a PoP with long-haul Ethernet circuits back to the core network. The OOB connection would be used in emergencies by off-net devices (such as a broken link, dead IGP, etc.), with connections coming from potentially any IP or Autonomous System around the world.

If we theorise that the device is configured as below, with the OOB interface configured with a public IP from the OOB connection provider:

interface FastEthernet0/2
 description OOB Connection
 ip address 5.5.5.1 255.255.255.248
!
line vty 0 4
 access-class 10 in
!
access-list 10 remark ACL-ON-NET-MANAGEMENT-IPS
access-list 10 permit 10.0.0.0 0.0.0.255

My question is essentially two, really:

How do I handle a scenario during which the device has an L3 meltdown and it can't route traffic out of the PoP because the IGP has collapsed or similar; the routing table has emptied itself, now containing only locally connected routes. If I'm on holiday and connect to the OOB IP from some hotel Wi-Fi, traffic isn't going to have a route back to my remote IP if the IGP has collapsed and the devices have lost their peers.

I could put the OOB interface Fa0/2 into a VRF and add a static 0/0 route via the OOB provider gateway address within the /29 they have assigned to me. I could change the vty statement to be:

 access-class 10 in vrf-also

To allow management access from the VRF interface, but this will clash with my ACL. I would need to add 0/0 to the ACL, removing the point in having the ACL. Can I keep the ACL as it is, but allow any IP to connect when connecting to the OOB interface specifically?

Perhaps I can use a route-map somehow to route any traffic that comes in from the OOB interface back out via that gateway? Or don't use a VRF, and add a 0.0.0.0/0 route to the default table with metric 254, and add an ACL outbound on the OOB interface that only allows out traffic coming from TCP port 22 from that interface's IP (so SSH management traffic). That way only management traffic would be allowed out? I'm lost for ideas here.
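The VRF approach sketched in the question can be made to keep the on-net restriction for ordinary addresses while opening the OOB address to the world, because an extended ACL applied with access-class matches the destination against the local address the client connected to. The following is an added example configuration, not code from the original post or its answerer. It assumes the OOB provider's gateway is 5.5.5.6 (the /29 is 5.5.5.0/29 as in the question), the on-net management range is 10.0.0.0/24 as in the original ACL, and the VRF name OOB and ACL name VTY-MGMT are arbitrary. It uses the older ip vrf syntax; on newer IOS and IOS-XE images the equivalent is vrf definition with an ipv4 address-family.

```cisco
! Added example configuration, not from the original post.
! Assumed: OOB gateway 5.5.5.6, on-net management range 10.0.0.0/24,
! VRF name OOB and ACL name VTY-MGMT are arbitrary choices.
ip vrf OOB
 description Out-of-band management, Internet facing
!
interface FastEthernet0/2
 description OOB Connection
 ip vrf forwarding OOB
 ip address 5.5.5.1 255.255.255.248
!
! Default route lives only in the OOB VRF, so replies to an off-net client are
! sent to the OOB provider regardless of what has happened to the global RIB.
ip route vrf OOB 0.0.0.0 0.0.0.0 5.5.5.6
!
! Extended ACL for the VTYs: the destination field is the address the client
! connected to, so "any" is opened only for sessions arriving on the OOB IP.
ip access-list extended VTY-MGMT
 remark On-net management hosts may reach any address on the box
 permit tcp 10.0.0.0 0.0.0.255 any
 remark Off-net emergency access is allowed only to the OOB address
 permit tcp any host 5.5.5.1
 deny ip any any log
!
! The OOB address is reachable from the whole Internet: SSHv2 only and
! throttle password guessing with login enhancements.
ip ssh version 2
login block-for 300 attempts 3 within 60
login on-failure log
!
line vty 0 4
 access-class VTY-MGMT in vrf-also
 transport input ssh
 login local
```

Two caveats. Without the vrf-also keyword IOS refuses VTY connections that arrive on an interface in a VRF, so the keyword is required, and it applies the same ACL to both global and VRF sessions, which is why the extended ACL is used to distinguish the two rather than adding 0/0 to the standard list. Second, the VRF isolates only the management session: AAA/TACACS, syslog and NTP still talk through the global table, and in the meltdown scenario described above those servers are unreachable, so a local username (login local with a username configured) is needed as the authentication fallback.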

Best Answer

Depending on the hardware you're talking about you should take different considerations.

For instance, Cisco provides a dedicated set of port/RAM and flash for OOB access on the SUP2T, so you would be able to access your device even when the RP hangs. OTOH, in some Juniper boxes, the management port is attached directly to the RE and so you should easily hang your router from there.

That said, I would recommend you put a management CPE between your devices and your OOB Internet access and set up a GRE tunnel between it and your central management server.