In my experience, having your management run over production via VPN is not a great idea. If possible, separate the two. Having been in Ops for many, many years and having worked on both a well-built nationwide network with a dedicated management/OOB infrastructure that is completely separate from the CDN, and on a not-so-well-built nationwide network that is built as cheaply as possible with VPNs running over the production CDN, I would highly recommend separating the two. No amount of policies or procedures will prevent your management network from going down during critical times. In my experience both MTTR and the overall sanity of anyone working on that network start to go down the drain, as they are always worried about impacting management and isolating themselves, or during an outage are unable to fix the problems at hand in a reasonable amount of time. I understand not everyone can spend the money to have a dedicated management infrastructure, but it's well worth every penny when done correctly.

Just my 2 copper.

-Tim Eberhard

On Tue, Jul 26, 2011 at 8:57 AM, harbor235 <harbor235@gmail.com> wrote:
My question is, is it best practice to extend an in-band VPN throughout for device management functions as well? And are all management services performed OOB, e.g. network management, some monitoring, logging, authentication, flow data, etc.? If a management VPN is used, is it also extended to managed customer devices?
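As an added illustration that is not part of this thread (neither Tim's nor harbor235's code): one way to answer "are all management services actually performed OOB?" on a given device is to resolve each management destination against the device's routing table and confirm the longest-prefix match leaves via the dedicated management interface rather than the production side. The routing table, service addresses and interface names below are constructed assumptions, not taken from any real network; on a real device you would feed in the device's own routes and your real collector addresses.

```python
import ipaddress
from typing import Dict, List, Optional, Set, Tuple

Route = Tuple[ipaddress.IPv4Network, str]  # (prefix, egress interface)

# Constructed sample routing table (assumption, not from any real device).
ROUTES: List[Route] = [
    (ipaddress.ip_network("10.255.0.0/16"), "mgmt0"),    # dedicated OOB management segment
    (ipaddress.ip_network("192.0.2.0/24"), "eth1-cdn"),  # production CDN-facing interface
    (ipaddress.ip_network("0.0.0.0/0"), "eth1-cdn"),     # default route via production
]

# Constructed management-plane destinations (assumption): the services
# harbor235 lists, mapped to where each collector/server lives.
MGMT_SERVICES: Dict[str, str] = {
    "syslog": "10.255.1.10",             # logging
    "tacacs": "10.255.1.20",             # authentication
    "netflow-collector": "10.255.2.5",   # flow data
    "ntp": "192.0.2.50",                 # time source, placed on the CDN side
    "snmp-poller": "198.51.100.7",       # monitoring, only reachable via default route
}

# Interfaces that count as out-of-band (assumption).
OOB_INTERFACES: Set[str] = {"mgmt0"}


def longest_prefix_match(routes: List[Route], ip: str) -> Optional[str]:
    """Return the egress interface for ip using longest-prefix match,
    or None if no route covers the address."""
    addr = ipaddress.ip_address(ip)
    best: Optional[Route] = None
    for net, iface in routes:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return None if best is None else best[1]


def audit_management_paths(routes: List[Route], services: Dict[str, str],
                           oob_interfaces: Set[str]) -> Dict[str, Tuple[Optional[str], bool]]:
    """For each management service, report (egress interface, is_oob).
    A destination with no route at all is reported as not OOB, since the
    device could never reach it over the management network."""
    report: Dict[str, Tuple[Optional[str], bool]] = {}
    for name, ip in services.items():
        iface = longest_prefix_match(routes, ip)
        report[name] = (iface, iface is not None and iface in oob_interfaces)
    return report


def inband_leaks(routes: List[Route], services: Dict[str, str],
                 oob_interfaces: Set[str]) -> List[str]:
    """Names of management services whose traffic would leave via a
    production interface (or has no route), sorted for stable output."""
    report = audit_management_paths(routes, services, oob_interfaces)
    return sorted(name for name, (_, is_oob) in report.items() if not is_oob)


if __name__ == "__main__":
    for name, (iface, is_oob) in audit_management_paths(ROUTES, MGMT_SERVICES, OOB_INTERFACES).items():
        print(f"{name:18s} -> {iface or 'NO ROUTE':9s} {'OOB' if is_oob else 'IN-BAND'}")
    leaks = inband_leaks(ROUTES, MGMT_SERVICES, OOB_INTERFACES)
    if leaks:
        print("Management services that depend on the production path:", ", ".join(leaks))
```

With the constructed table, the NTP and SNMP destinations are the ones that ride the production path: exactly the dependency Tim describes, where an outage on the CDN side also takes monitoring and time sync with it. The same check is easy to run periodically from a management host against each device's routing table, so a later route change that silently moves a collector in-band shows up before the next outage rather than during it.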