I work at a data center and we need to set up a completely separate OOB network. I know about OOB using an access server/terminal server, I mean how to set up something like a Cisco 2511 with SCSI-2 ports and an octal cable, but what the heck do they mean by an OOB network? I mean, am I supposed to create a whole new subnet and connect each and every router, switch, firewall, server… to that? I'm a bit lost. I read this doc on Cisco but can't get it right. Please don't talk about configuration, just the positioning of devices and the main concept of having an OOB management network/subnet. Any kind of document in simple words will do. Thank you.
Cisco – How to design/build a separate network to carry the management-related traffic or so-called “out of band” (OOB) management network/subnet
Related Solutions
I'm making some assumptions about your setup and how exactly your ISP is giving you these IPs, so if any of this is wrong I apologize and will happily change my answer.
For your internal network I would suggest you set up a DHCP pool for your workstations and statically assign IPs to your servers. I'll leave the DHCP pool setup to you, as I think you're mainly aiming to make sure both public IPs are utilized by the proper networks.
i.e.
172.16.1.0/24 for your workstations, with DHCP, assigned to VLAN10
172.16.2.0/29 for your servers, statically assigned, on VLAN20
That all being said, here is what I personally would try to set up to get your gear online.
int g0/0
ip address dhcp
This will pull an IP from your modem and give it to your external port. I suspect it will be an ISP internal IP because I doubt they'd give your modem a publicly routable IP. That'd be weird.
In this scenario, you should not be manually inputting any default routes on your router as it should all be supplied from the DHCP pull.
int g0/1.10
encapsulation dot1Q 10
ip address 172.16.1.1 255.255.255.0
int g0/1.20
encapsulation dot1Q 20
ip address 172.16.2.1 255.255.255.248
This sets up the internal gateways for your two networks (each subinterface must be tagged with its VLAN before IOS will accept an IP address on it). So all your workstations will be pointing to 172.16.1.1 and your servers to 172.16.2.1.
After that you'll need to set up NAT rules on the router to handle passing of traffic outwards for your workstations.
int g0/0
ip nat outside
This sets up your external-facing interface as your outside NAT interface.
int g0/1.10
ip nat inside
This sets up your internal-facing interface as an inside NAT interface.
Router(config)# ip nat pool internet 128.66.0.2 128.66.0.2 prefix-length 24
Creates a NAT pool named internet being translated to one of your public IPs.
Router(config)# ip nat inside source list 7 pool internet overload
This says to NAT all IPs in list 7 to the NAT pool you just created, and that you can overload it, which is to say more than one internal IP can use the same external IP.
Router(config)# access-list 7 permit 172.16.1.0 0.0.0.255
Creates the list referenced in the previous command. Now on to NAT for your servers, which I suggest be statically assigned if you want them publicly available.
int g0/1.20
ip nat inside
Same as before, this sets up your internal interface as an inside NAT interface.
Router(config)# ip nat inside source static 172.16.2.2 128.66.1.2
Router(config)# ip nat inside source static 172.16.2.3 128.66.1.3
A new line for each static assignment is needed. This creates a static translation between your internal IP and your external IP that was assigned to you.
As for your switch; all you would need to do is properly tag your ports depending on what is plugged in and make sure your trunk is passing both VLANs.
At this point both subnets should be hitting your router, and your router should know where to pass the traffic, be it internally (your workstations getting to your servers) or externally (internet). Access control can be set up either with ACLs on the router, a stand-alone firewall, or firewalls on your servers.
Now this all hinges on how your ISP has your modem set up. If it works the way I think it works, when your external interface pulls its information through DHCP, your router should populate both your public IP ranges so that when your router NATs it knows where to send your traffic.
I suspect someone will give a better written answer, but hopefully this points you in the correct direction.
I also referenced the following link for help on the NAT parts as they are definitely not something I play with very often.
http://www.cisco.com/c/en/us/support/docs/ip/network-address-translation-nat/13772-12.html
Untagged (native) VLANs don't really offer you any benefit over tagged VLANs, and they present a certain level of security risk. There is no real reason to use untagged VLANs when tagged VLANs are available.
Some people prefer to use a network-wide VLAN for management, one for printers, etc. This scenario presents both security and operational risks. Cisco has been recommending one access switch per VLAN (an access switch can have multiple VLANs, but those VLANs don't extend to any other access switch), and, if you can, use layer-3 connections to the access switches instead of trunks.
There is a book published by Cisco Press, "LAN Switch Security: What Hackers Know About Your Switches" by Eric Vyncke and Christopher Paggen that explains a lot of these sorts of things.
Best Answer
Basically, yes.
The OOB network is whatever you need to recover the network without relying on the network (Out Of Band). The form it takes will depend on the devices you could need to access out of band.
In many cases having remote access to a terminal server attached to console ports is sufficient for recovering from configuration mistakes, but that's limited to devices with a CLI and doesn't really help with recovering erased firmware, etc.
What I've done is take a router with dual WAN, use my network for one WAN and a separate provider for the other, and then set up VPN access to the router. Then plug every management port, server management card, console server, IP KVM, etc. into the LAN side of the router. The idea is that you VPN into the OOB router and have access to all the devices you'd need to fix to restore the network.
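The best answer describes the shape of the OOB network (every device's management port, BMC, console server or IP KVM lands on the LAN side of a separately connected OOB router, reached only over its VPN), and the related answer above gives two production subnets (172.16.1.0/24 and 172.16.2.0/29). The following Python script is an added example, not code from the thread or from Cisco: it sanity-checks an addressing plan for such a design before anything is cabled. The OOB subnet (10.255.0.0/24), the VPN client pool (10.255.1.0/24) and the device inventory are constructed for the example; the two production subnets are the ones from the related answer.

```python
"""Constructed example (added here; not code from the thread or from Cisco).

Sanity-checks an out-of-band (OOB) management addressing plan of the kind the
best answer describes: every device that must be recoverable gets a management
port, BMC, console-server or IP-KVM address on a subnet that is separate from
production and is reached only through the OOB router's VPN.
"""
from dataclasses import dataclass
import ipaddress
from typing import Optional

Net = ipaddress.IPv4Network
Addr = ipaddress.IPv4Address


@dataclass
class Device:
    name: str
    inband: Optional[str]   # production address; None for gear that only lives on the OOB side
    oob: Optional[str]      # management-port / BMC / console-server address on the OOB subnet


def check_plan(production: list[str], oob_subnet: str, vpn_pool: str,
               devices: list[Device]) -> list[str]:
    """Return human-readable findings; an empty list means the plan is consistent."""
    findings: list[str] = []
    oob = Net(oob_subnet)
    prod = [Net(p) for p in production]
    vpn = Net(vpn_pool)

    # 1. The OOB subnet must be disjoint from production and from the VPN client
    #    pool; otherwise the in-band and out-of-band paths are not really separate.
    for p in prod:
        if oob.overlaps(p):
            findings.append(f"OOB subnet {oob} overlaps production subnet {p}")
    if oob.overlaps(vpn):
        findings.append(f"OOB subnet {oob} overlaps VPN client pool {vpn}")

    # 2. Room for every device plus the OOB router's LAN-side gateway address.
    usable = oob.num_addresses - 2
    if usable < len(devices) + 1:
        findings.append(f"OOB subnet {oob} has {usable} usable addresses for "
                        f"{len(devices)} devices plus gateway")

    # 3. Per-device checks: an OOB address that is missing, outside the OOB
    #    subnet, or duplicated means the device cannot be recovered out of band.
    seen: dict[Addr, str] = {}
    for d in devices:
        if d.oob is None:
            findings.append(f"{d.name}: no OOB address; unreachable when the production network is down")
            continue
        a = Addr(d.oob)
        if a not in oob:
            findings.append(f"{d.name}: OOB address {a} is outside {oob}")
        if a in seen:
            findings.append(f"{d.name}: OOB address {a} duplicates {seen[a]}")
        seen[a] = d.name
        if d.inband is not None and Addr(d.inband) in oob:
            findings.append(f"{d.name}: production address {d.inband} sits inside the OOB subnet")
    return findings


def demo() -> list[str]:
    """Run the checks over a constructed inventory (names and addresses are made up)."""
    devices = [
        Device("core-rtr", "172.16.1.1", "10.255.0.11"),
        Device("fw1", "172.16.1.2", "10.255.0.12"),
        Device("web1-bmc", "172.16.2.2", "10.255.0.21"),
        Device("console-srv", None, "10.255.0.2"),         # terminal server on the OOB side only
        Device("web2-bmc", "172.16.2.3", "172.16.2.3"),    # mistake: "OOB" address is just the production IP
        Device("access-sw1", "172.16.1.3", None),          # mistake: no management port on the OOB network
    ]
    return check_plan(
        production=["172.16.1.0/24", "172.16.2.0/29"],   # the two VLAN subnets from the related answer
        oob_subnet="10.255.0.0/24",                      # constructed
        vpn_pool="10.255.1.0/24",                        # constructed
        devices=devices,
    )


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Running it reports the two deliberate mistakes in the constructed inventory (a BMC whose "OOB" address is really its production IP, and a switch with no OOB address at all); a clean plan returns no findings. The checks are deliberately limited to addressing, since whether a device is actually recoverable out of band also depends on what its management interface can do (console versus a full IPMI/KVM path), as the best answer notes.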