[c-nsp] Giving customers access to your gear.

Justin Shore justin at justinshore.com
Wed Jun 4 12:36:00 EDT 2008


Richey wrote:
> I've got a customer with a T1.  They have been bought out by a large hotel
> chain.  They are pretty much demanding that they have SNMP full read access
> to our router that is at their location as well as a copy of the config for
> the router. This is not their router, it is ours and we fully manage our
> router and hand them Ethernet. This seems a little odd that they want
> access to our gear, and I am not too keen on giving them access unless they
> are willing to accept some responsibility. They don't want to accept any
> responsibility for the access they would have to this box. They say that
> Verizon and AT&T don't have any problems giving them this kind of access to
> their gear.

I have one situation where we lease a router to the customer and let 
their outsourced IT company manage it.  We still have full access to it 
but they officially manage it.  I gave it a basic, hardened config and 
gave their IT folks enable access to it.  I pull down the config hourly 
with RANCID.  Other than that we are hands-off with that router.  We 
pull down the config for 2 reasons: 1) to be able to quickly deploy a 
spare router in the event of a hardware failure, and 2) to cover our own 
asses in case their outsourced IT folks screw it up.  So far we haven't 
had any problems.  The customer in this particular case wanted to 
maintain a VPN tunnel to their outsourced IT company.  The router would 
also be a router on a stick for their LAN.  Neither task is something 
that we were willing to take on.  By letting the outsourced IT company 
take on the responsibility we can effectively wash our hands of any 
future problems that may arise, short of actual connectivity issues.

If the router served more than one customer then none of the customers 
would have any level of access to the device.  If they want to graph I/O 
then they can do it with their own hardware on their side of the demarc, 
no exceptions.  We're more than happy to sell a customer a router if 
they want to manage it themselves.  We'll even set it up for them at our 
hourly rate.  However if they want ongoing managed services then they 
will 1) have restricted access to the device and 2) will be purchasing 
an analog modem on an expansion card for us to get in remotely.

Sometimes it is better to simplify your operations and not get dragged into a 
lose/lose situation with a customer.  You have to have clear lines of 
division between the customer and the provider.

Justin
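
As an added example (not part of the original message, and not RANCID's own code): when a third party holds enable access and configs are pulled hourly, the snapshots can be compared to flag changes to management-plane lines only. The snapshot contents, community strings, and the pattern list below are constructed assumptions.

```python
import difflib
import re

# Management-plane commands to flag; this pattern list is an assumption of the
# example, not a complete policy.
SENSITIVE = re.compile(
    r"^\s*(snmp-server community|username |enable (secret|password)|"
    r"access-class |transport input|access-list |ip access-list |aaa )"
)

def management_changes(old_cfg, new_cfg):
    """Return (sign, line) pairs for added/removed lines touching device access."""
    changes = []
    diff = difflib.unified_diff(old_cfg.splitlines(), new_cfg.splitlines(),
                                lineterm="", n=0)
    for line in diff:
        if line.startswith(("+++", "---", "@@")):
            continue  # file headers and hunk markers
        sign, text = line[0], line[1:]
        if sign in "+-" and SENSITIVE.match(text):
            changes.append((sign, text.strip()))
    return changes

# Constructed snapshots standing in for two consecutive hourly pulls.
OLD = """hostname cpe-rtr
enable secret 5 CONSTRUCTED-HASH
snmp-server community CONSTRUCTED-RO RO 10
access-list 10 permit 192.0.2.10
interface FastEthernet0/0
 description LAN
line vty 0 4
 access-class 10 in
 transport input ssh"""

NEW = """hostname cpe-rtr
enable secret 5 CONSTRUCTED-HASH
snmp-server community CONSTRUCTED-RO RO 10
snmp-server community CONSTRUCTED-RW RW
access-list 10 permit 192.0.2.10
interface FastEthernet0/0
 description LAN to core switch
line vty 0 4
 transport input telnet ssh"""

if __name__ == "__main__":
    for sign, text in management_changes(OLD, NEW):
        print(sign, text)
```

The description change is ignored, while the new RW community, the removed VTY access-class, and the added telnet transport are reported.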


