Out-of-band network management may sound like a "belt and suspenders" approach to some people, but enterprises that demand high availability from a data center network consider it essential. Data center disaster recovery and security concerns can push enterprises to spend the extra money on an overlay management network.
"It's something you will find more commonly in the financial industry or anyplace where you're building networks that require high availability," said Andrew Bach, senior vice president of network services for NYSE Euronext (New York Stock Exchange).
NYSE Euronext, which is in the midst of a $500 million upgrade to its London and New Jersey data centers, announced recently that it chose Force10 Networks to supply a new out-of-band management network for its upgraded data center infrastructure. With Force10's C-Series and S-Series switches, NYSE Euronext will build an overlay network that manages the data centers' production networks, which are built with Juniper Networks 10 gigabit Ethernet gear and Ciena 100 gigabit optical network gear.
"Traditionally, in more conventional data centers, what you do is you buy a vendor's network management tool, you attach it to the network and you manage the network in-band – that is, the management traffic flows over the same pipes as the production traffic," Bach said.
Most enterprises will manage their data center network in-band by setting up a VLAN for management traffic across the infrastructure and dedicating a certain level of quality of service (QoS) to that management traffic so that it can get through when the production traffic is having a problem, said Joe Skorupa, research vice president at Gartner.
"The VLAN approach is OK to a certain extent," Bach said. "But if the production network starts to have a problem, then your ability to manage that network in that instant of time is compromised because you're trying to manage it through the exact line that's in trouble."
"To that end, we build a separate network that surrounds the primary data network to carry nothing but all the management data, the command and control information," he said.
Out-of-band network management requires second networking vendor
Bach said out-of-band network management requires not only a separate network infrastructure but a second networking vendor. NYSE Euronext couldn't simply use its production network vendor, Juniper, to build the overlay network. He described this approach as providing his data center network with genetic diversity.
"This is a generalized comment on network design philosophy and not reflective on any one vendor. Once you buy into a vendor, there is always a possibility that their fundamental operating system could have a very bad day," Bach said. "If you have systemic failure in that code, and if your management platform is of the same breed and generation, then there is a very good chance that you will not only lose the core network but you will also lose your management network. You will wind up with absolutely no way to see what's going on in that network, with no way to effect repairs because everything is dead and everything is suffering from the same failure."
"In that sense, we go for genetic diversity on the assumption that since these products come from two different vendors with two different operating systems, and more importantly two different histories and views of how they build their product line, they will not encounter the same failure on the same day," Bach said.
In general, out-of-band network management requires an overlay network with two to four ports per network device in the data center network. Bach said his overlay network from Force10 has thousands of ports.
But out-of-band network management isn't necessarily the answer for all situations. Skorupa said out-of-band network management in data center networks appeals to the paranoid and to enterprises that have a very low tolerance for data center network downtime.
"It was more common in the old days of telco networks," Skorupa said. "It was very common for AT&T to have a signaling network that ran Signal System 7, and then they had the actual TDM voice network. If you really want to be secure and be sure that a problem in your production network doesn't bleed over, or you want to be sure that a security vulnerability in your production network doesn't compromise your ability to manage that network, then a separate network is certainly one of the belt-and-suspenders, paranoid approaches available."
In the case of the stock exchange, the price of failure is so great that out-of-band network management is a feasible option. "When you think of what the penalties might be or what the implication might be of not being able to open up a trading day … the cost of putting in a separate, out-of-band management network … winds up looking pretty small," Skorupa said.
Conduct risk assessment before building out-of-band network management
An enterprise can determine for itself whether an out-of-band network management approach is the way to go. In fact, enterprises should perform a rigorous risk assessment any time they begin to converge critical functions onto a single production network, according to Gartner vice president and distinguished analyst Paul Proctor.
"My basic position is that most organizations don't pay close enough attention to [the risks of convergence]," he said, "and they jump in without thinking it through and doing a formal risk assessment."
If data center disaster recovery requirements are so high that 24/7 uptime is the bare minimum, then an out-of-band management network is probably the way to go. The same might go for networks that are running systems with life-or-death consequences for downtime.
"I know a lot of organizations are exploring the possibilities of running more functions on IP networks -- organizations like hospitals," Proctor said. "They start running medical equipment on the IP network. Do you want to do that on the same network that you're running your email on? What's the chance of a virus contained in an email taking down a heart monitor?"
Let us know what you think about the story; email: Shamus McGillicuddy, News Editor