
Out-of-band network

From Wikitech-static

All of our sites have a dedicated Out Of Band (OOB) network: a direct internet access (DIA) circuit plus routers and switches that are physically separate from our production network.

This OOB access is our last-resort path for when a site becomes partially (e.g. the bastions) or fully (e.g. transport or transit links) unreachable by normal means.

Note that if a site only loses its connectivity to the internet, it is still reachable over its transport links from a bastion host at any other site.


To use our OOB network you need to have:

  1. An account on the network devices, see this list
  2. The password store checked out on your local machine

Step by step

The entry points are the management routers at each site, reached over SSH via their DIA circuits:

Sites OOB
site hostname

NOTE: Make sure your SSH config has no entry (for instance a `Host *.wmnet` wildcard with ProxyJump or ProxyCommand) that would route the above hostnames through one of our bastion hosts. So that your connection cannot be affected by any in-band change to the network, it must go directly from your machine to the OOB link over the internet.
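One way to verify this before you need it, as an added example that is not part of the original page, is to ask the OpenSSH client what it would actually do for a hostname: `ssh -G HOST` prints the effective configuration (after all Host/Match blocks and wildcards are applied) without opening a connection. The hostnames used below are placeholders, not the real OOB entry points.

```shell
#!/bin/sh
# Added example, not part of the Wikitech page. Checks whether the local
# OpenSSH client would reach an OOB hostname directly or via a bastion.
# "ssh -G HOST" prints the effective client configuration for HOST without
# connecting, so this is safe to run at any time.
# Hostnames used here are placeholders, not the real OOB entry points.

# uses_proxy: read "ssh -G" output on stdin; return 0 if it contains a
# ProxyJump or ProxyCommand setting, 1 if the connection would be direct.
uses_proxy() {
    grep -Eiq '^(proxyjump|proxycommand) '
}

# check_oob_host HOST [CONFIG_FILE]: evaluate the effective config for HOST and
# report the result. Returns 0 when the connection goes straight from this
# machine to HOST, 1 when it would be tunnelled through a bastion, 2 if ssh
# could not evaluate the config at all. Without CONFIG_FILE the normal files
# (~/.ssh/config and /etc/ssh/ssh_config) are used; with -F only that file is
# read, which is how OpenSSH treats -F.
check_oob_host() {
    host=$1
    cfg=${2:-}
    if [ -n "$cfg" ]; then
        out=$(ssh -G -F "$cfg" "$host") || return 2
    else
        out=$(ssh -G "$host") || return 2
    fi
    if printf '%s\n' "$out" | uses_proxy; then
        echo "WARNING: $host would be reached via a bastion (ProxyJump/ProxyCommand is set)" >&2
        return 1
    fi
    echo "OK: $host is reached directly"
    return 0
}

# Usage: ./check_oob.sh mr1-eqiad.example.org [~/.ssh/config]
if [ $# -gt 0 ]; then
    check_oob_host "$@"
fi
```

Run it once per OOB entry point; a WARNING means an in-band path is being inserted by your client config and must be fixed before the OOB link is needed.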

From there you can SSH directly to relevant devices on the OOB network, for example a console server, eg:

mr1-eqiad> ssh root@scs-a8-eqiad.mgmt.eqiad.wmnet

Where you will need the matching password from the password store.

Note that agent forwarding and port forwarding also work on the management routers, which is how you reach devices that have password authentication turned off (key-only).

SSH Algorithms

On some of the more recent Junos versions you may find the management router cannot connect to older devices, because the algorithms and ciphers the destination device supports are no longer enabled by default in the router's SSH client:

cmooney@mr1-eqiad> ssh root@scs-f8-eqiad.mgmt.eqiad.wmnet 
Unable to negotiate with port 22: no matching MAC found. Their offer:,,

To work around this you can drop to a csh shell and use the regular OpenSSH client, passing the required algorithms explicitly (here -m, which selects the MAC algorithms; -c and -o KexAlgorithms do the same for ciphers and key exchange). Enable such legacy algorithms only on the command line or in a Host block for the specific device, never globally:

cmooney@mr1-eqiad> start shell 
% ssh -m root@scs-f8-eqiad.mgmt.eqiad.wmnet
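To choose that -m value without opening up every legacy algorithm, the following added example (not the page's own procedure) takes the "Their offer:" list from the error message and intersects it with what the local client supports (`ssh -Q mac`). The sample error line, its IP address and the MAC names in it are constructed for illustration, not the real offer of any device.

```shell
#!/bin/sh
# Added example, not part of the Wikitech page. Picks a MAC algorithm for
# "ssh -m" from the "Their offer: ..." list in OpenSSH's negotiation error,
# keeping only algorithms the local client also supports ("ssh -Q mac").
# The sample error line below is constructed; the address and MAC names in it
# are illustrative, not the real offer from any WMF device.

# offer_from_error: read ssh's error text on stdin and print the
# comma-separated list that follows "Their offer:" (first occurrence only).
offer_from_error() {
    sed -n 's/.*Their offer: *//p' | head -n 1
}

# pick_mac OFFER SUPPORTED: OFFER is a comma-separated list in the remote's
# preference order; SUPPORTED is newline-separated, as "ssh -Q mac" prints it.
# Prints the first offered MAC the local client supports; returns 1 if none.
pick_mac() {
    offer=$1
    supported=$2
    for m in $(printf '%s\n' "$offer" | tr ',' ' '); do
        if printf '%s\n' "$supported" | grep -qx -- "$m"; then
            printf '%s\n' "$m"
            return 0
        fi
    done
    return 1
}

# Constructed sample of the failure seen on the management router.
SAMPLE_ERROR='Unable to negotiate with 10.0.0.1 port 22: no matching MAC found. Their offer: hmac-sha1,hmac-md5'

# Usage: ./pick_mac.sh '<the full "Unable to negotiate ..." line>' root@device
# Exits non-zero if no mutually supported MAC exists; it never falls back to
# enabling algorithms the local client does not ship.
if [ $# -eq 2 ]; then
    offer=$(printf '%s\n' "$1" | offer_from_error)
    if mac=$(pick_mac "$offer" "$(ssh -Q mac)"); then
        echo "using MAC $mac for $2 only (not added to any config)" >&2
        exec ssh -m "$mac" "$2"
    fi
    echo "no MAC offered by the device is supported by this client" >&2
    exit 1
fi
```

The remote's offer is taken in its own preference order, so still eyeball the chosen algorithm: for a console server on an isolated management network a legacy MAC is an accepted trade-off, but the choice should not leak into ~/.ssh/config for other hosts.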


If DNS resolution does not work (for internal or external hosts), replace the FQDNs with the IPs listed in our Puppet configuration (OOB, scs, routers, etc.).

To guard against being unable to reach this page at all, save a copy of it locally or look it up in the Wayback Machine. In both cases there is of course a risk that the saved version is outdated, and you would have to remember on your own that these workarounds exist, since you could not look them up here on Wikitech.

See also