
MÓDULO RELAY.Art — primer

Help Center primer for RELAY.Art — the bridge between OOBI and customer MGMT. Pairs with ADR 0020.

What it does

RELAY.Art is the only path between the bench's OOBI overlay (trusted) and customer-side management interfaces on the DUT, switches, and routers (untrusted). DUTs and customer-side gear never join the OOBI overlay — RELAY bridges to them via dedicated MGMT NICs.

Slot: OOBI .240 (primary) / .241 (HA standby).

When you'll see RELAY in action

  • NetFlow / IPFIX ingestion from DUT to bench — RELAY is the ingress
  • Syslog ingestion from DUT — RELAY normalizes + PII-strips
  • SNMP polls from bench to DUT — RELAY is the egress proxy
  • REST / NETCONF push to DUT under operator authorization — RELAY enforces the read-only / write-mode toggle
  • Discovery probe for VALIDATOR ML cortex — RELAY samples passive observations on customer MGMT

Hard rules (the things RELAY refuses to do)

  1. MGMT-only — RELAY never bridges the data plane. OSPF / BGP / SDWAN routers peer with the bench via their own data-plane VLANs (e.g. VLAN 2809 for BGP), NEVER via MGMT.
  2. Read-only default — write commands require an operator unlock window (per the SSH-6 pattern). Even then, DOM production mode forces read-only regardless of operator intent.
  3. PII strip on ingress — every NetFlow / Syslog / SNMP-trap record passes through a redactor:
       • k-anonymity ≥ 10 enforced on src_ip / dst_ip
       • User-Agent and email-like patterns scrubbed
       • per-record audit hash for compliance
  4. Cross-customer isolation — RELAY's vault namespaces credentials per customer DUT, so a session bound to one customer can never reach another customer's credentials.
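The ingress redactor from rule 3, written out as an added example (this is not RELAY's own code). It applies k-anonymity to the (src_ip, dst_ip) pair by global recoding over a generalization ladder (exact address, /24, /16, suppressed), scrubs email-like tokens and User-Agent values, drops a dedicated user_agent field outright, and stamps each redacted record with a SHA-256 audit hash. The field names, the ladder, and the sample batch are assumptions; the sample records are constructed, not customer data.

```python
"""Added example of a PII-stripping ingress redactor. Field names, the
generalization ladder and SAMPLE_BATCH are assumptions, not RELAY's schema."""
import hashlib
import json
import re
from collections import Counter

K = 10  # the page's floor: every (src_ip, dst_ip) class must hold >= 10 records

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
UA_RE = re.compile(r"(User-Agent:\s*)[^\r\n\"]+", re.IGNORECASE)


def scrub_text(s: str) -> str:
    """Replace e-mail-like tokens and User-Agent values inside free text."""
    return UA_RE.sub(r"\1[ua]", EMAIL_RE.sub("[email]", s))


def generalize_ip(ip: str, level: int) -> str:
    """Generalization ladder: exact -> /24 -> /16 -> suppressed."""
    o = ip.split(".")
    if level == 0:
        return ip
    if level == 1:
        return f"{o[0]}.{o[1]}.{o[2]}.0/24"
    if level == 2:
        return f"{o[0]}.{o[1]}.0.0/16"
    return "SUPPRESSED"


def enforce_k_anonymity(records, k=K):
    """Global recoding: use the most specific level at which every (src, dst)
    equivalence class holds at least k records; suppress both if none does."""
    if not records:
        return [], 0
    for level in range(4):
        keys = [(generalize_ip(r["src_ip"], level), generalize_ip(r["dst_ip"], level))
                for r in records]
        if level == 3 or min(Counter(keys).values()) >= k:
            out = [{**r, "src_ip": s, "dst_ip": d, "k_level": level}
                   for r, (s, d) in zip(records, keys)]
            return out, level


def audit_hash(record: dict) -> str:
    """Per-record hash over the canonical JSON of the redacted record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def redact_batch(records, k=K):
    """Scrub text fields, drop the UA field, anonymize addresses, then hash."""
    scrubbed = []
    for r in records:
        scrubbed.append({f: (scrub_text(v) if isinstance(v, str) else v)
                         for f, v in r.items() if f != "user_agent"})
    anon, level = enforce_k_anonymity(scrubbed, k)
    return [{**r, "audit_hash": audit_hash(r)} for r in anon], level


# Constructed sample: 12 syslog-derived records from one DUT, not real data.
SAMPLE_BATCH = [
    {"src_ip": f"10.1.2.{i}", "dst_ip": f"198.51.100.{7 + i % 3}",
     "msg": f"login ok user{i}@example.com User-Agent: curl/8.{i}",
     "user_agent": f"curl/8.{i}"}
    for i in range(1, 13)
]

if __name__ == "__main__":
    out, level = redact_batch(SAMPLE_BATCH)
    print("generalization level:", level)
    for rec in out[:2]:
        print(json.dumps(rec))
```

With 12 records the pair is only k-anonymous at the /24 level, so every record leaves with 10.1.2.0/24 and 198.51.100.0/24; feed it a batch of fewer than 10 records and both addresses are suppressed rather than leaked at a finer level. The audit hash is computed after redaction, so it attests to what was stored, not to the raw record.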

Topology

┌─ Bench OOBI (TRUSTED) ─┐         ┌─ Customer MGMT (UNTRUSTED) ─┐
│                        │         │                              │
│  Infra VIP .100        │         │  NGFW MGMT NIC               │
│  Other MÓDULOs         │         │  Customer switch MGMT        │
│        │               │         │  Customer router MGMT        │
│        ▼ vxlan0        │         │        ▼ eth1+              │
│  ┌──────────────────┐  │         │  ┌──────────────────┐       │
│  │ RELAY .240/.241  ├──┼─────────┼──┤ relay-mgmt iface │       │
│  │   (HA pair)      │  │         │  │                  │       │
│  └──────────────────┘  │         │  └──────────────────┘       │
└────────────────────────┘         └──────────────────────────────┘

HA failover

Active-passive. Slot .240 is primary; .241 standby. Failover < 5s via leader election on OOBI. State replicates via VALIDATOR's ML cortex shared store.

Failover is normally invisible to operators; the only visible effect is a gap of up to 5s in telemetry during the cutover.

What gets logged

Every request through RELAY produces an audit record with:
  • Direction (ingress / egress)
  • Source MÓDULO (or operator identity for egress)
  • Destination customer DUT
  • Operation (e.g. snmpget OID, show version SSH command)
  • READ / WRITE classification
  • Result code
  • Bytes in / out
  • Timestamp + audit hash

Audit log encrypted at rest, 90-day retention default.
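The read-only gate of hard rule 2 together with the audit record above, as an added example that is not RELAY's code. Read verbs are allow-listed and anything unrecognised is classified WRITE, so an unknown command can never slip through as a read; a WRITE needs a live unlock window for this operator and target, and production mode denies it regardless. Every request, allowed or denied, gets an audit record with a hash that can be re-verified. The classifier patterns, the UnlockWindow shape, the dom_production flag and the record field names are assumptions.

```python
"""Added example of the READ/WRITE gate and audit record. The classifier,
UnlockWindow, dom_production and the field names are assumptions."""
import hashlib
import hmac
import json
import re
from dataclasses import dataclass
from typing import Optional

# Allow-list of read-only verbs per protocol; anything else is WRITE (fail closed).
READ_PATTERNS = [
    re.compile(r"^(show|display|ping|traceroute)\b", re.I),           # SSH CLI
    re.compile(r"^(GET|HEAD|OPTIONS)\s", re.I),                       # REST
    re.compile(r"^(get|get-config)\b", re.I),                         # NETCONF
    re.compile(r"^snmp(get|getnext|walk|bulkwalk|bulkget)\b", re.I),  # SNMP
]


def classify(operation: str) -> str:
    op = operation.strip()
    return "READ" if any(p.match(op) for p in READ_PATTERNS) else "WRITE"


@dataclass
class UnlockWindow:
    operator: str
    target: str
    expires_at: float  # epoch seconds


def write_allowed(op_class: str, operator: str, target: str,
                  window: Optional[UnlockWindow], dom_production: bool, now: float):
    """READ always passes; WRITE needs a matching, unexpired unlock window,
    and production mode forces read-only regardless of operator intent."""
    if op_class == "READ":
        return True, "OK"
    if dom_production:
        return False, "DENIED_PRODUCTION_READONLY"
    if window is None or window.operator != operator or window.target != target:
        return False, "DENIED_NO_UNLOCK"
    if now >= window.expires_at:
        return False, "DENIED_UNLOCK_EXPIRED"
    return True, "OK"


def _hash(body: dict) -> str:
    canon = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canon).hexdigest()


def audit_record(direction, source, target, operation, op_class, result,
                 bytes_in, bytes_out, ts) -> dict:
    rec = {
        "direction": direction,
        "source": source,      # MÓDULO name for ingress, operator identity for egress
        "target": target,
        "operation": operation,
        "class": op_class,
        "result": result,
        "bytes_in": bytes_in,
        "bytes_out": bytes_out,
        "ts": ts,
    }
    rec["audit_hash"] = _hash(rec)  # hash covers every field above
    return rec


def verify_audit(rec: dict) -> bool:
    body = {k: v for k, v in rec.items() if k != "audit_hash"}
    return hmac.compare_digest(_hash(body), rec["audit_hash"])


def relay_request(direction, source, target, operation, now,
                  window=None, dom_production=False, bytes_in=0, bytes_out=0):
    """Gate one request and emit its audit record, denied or not."""
    op_class = classify(operation)
    allowed, result = write_allowed(op_class, source, target, window, dom_production, now)
    rec = audit_record(direction, source, target, operation, op_class, result,
                       bytes_in, bytes_out, now)
    return allowed, rec


if __name__ == "__main__":
    w = UnlockWindow("alice", "dut-7", expires_at=2000.0)
    for op, kw in [("show version", {}),
                   ("configure terminal", {}),
                   ("configure terminal", {"window": w}),
                   ("configure terminal", {"window": w, "dom_production": True})]:
        ok, rec = relay_request("egress", "alice", "dut-7", op, now=1000.0, **kw)
        print(ok, rec["class"], rec["result"])
```

Denied requests are recorded as well as allowed ones; the deny events are what an investigator wants first. The hash is over the canonical JSON of the record body, so any later edit to a stored record fails verify_audit.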

Common questions

Can RELAY decrypt traffic from the DUT? Only for sessions RELAY itself terminates at the application layer (the SSH session or HTTPS REST connection it opened to the DUT). It holds no keys for, and cannot decrypt, TLS traffic the DUT exchanges with any other party.

What if the customer DUT MGMT cert is self-signed? Per-target trust anchor in the RELAY vault. Operator pins the cert at credential-add time (per SSH-4 hostkey pattern).
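The per-target trust anchor from the answer above, as an added example that is not RELAY's code. The pin is taken when the credential is added and checked on every connect, re-adding a credential with a different cert is refused rather than silently re-pinned (the SSH-4 hostkey behaviour), and pins are keyed by (customer, target) so one customer's anchor is invisible to another's session, which also illustrates hard rule 4. The vault layout, the customer/target ids and the DER blobs are assumptions; the blobs are constructed bytes, not real certificates.

```python
"""Added example of a per-target pinned trust anchor. TargetVault, the ids and
the DER blobs are assumptions; the blobs are constructed, not real certs."""
import hashlib
import hmac


class PinMismatch(Exception):
    """Raised whenever a connect must fail closed: no anchor, or wrong anchor."""


def cert_fingerprint(der_cert: bytes) -> str:
    return hashlib.sha256(der_cert).hexdigest()


class TargetVault:
    """Pins keyed by (customer, target); one customer's anchors never resolve
    for another customer's session."""

    def __init__(self):
        self._pins = {}

    def add_credential(self, customer: str, target: str, der_cert: bytes) -> str:
        key = (customer, target)
        fp = cert_fingerprint(der_cert)
        if key in self._pins and not hmac.compare_digest(self._pins[key], fp):
            # A changed cert is never accepted as a side effect of re-adding
            # credentials; the operator has to re-pin on purpose.
            raise PinMismatch(f"{customer}/{target}: pinned cert differs, use repin()")
        self._pins[key] = fp
        return fp

    def repin(self, customer: str, target: str, der_cert: bytes) -> str:
        """Explicit, auditable replacement of the anchor (e.g. DUT cert rotation)."""
        self._pins[(customer, target)] = cert_fingerprint(der_cert)
        return self._pins[(customer, target)]

    def verify(self, customer: str, target: str, presented_der: bytes) -> None:
        key = (customer, target)
        if key not in self._pins:
            raise PinMismatch(f"{customer}/{target}: no trust anchor, add credential first")
        if not hmac.compare_digest(self._pins[key], cert_fingerprint(presented_der)):
            raise PinMismatch(f"{customer}/{target}: presented cert does not match pin")

    def is_trusted(self, customer: str, target: str, presented_der: bytes) -> bool:
        try:
            self.verify(customer, target, presented_der)
            return True
        except PinMismatch:
            return False


if __name__ == "__main__":
    vault = TargetVault()
    der_a = b"constructed-der-cert-A"   # stands in for a DUT's self-signed cert
    vault.add_credential("cust-A", "ngfw-mgmt", der_a)
    print(vault.is_trusted("cust-A", "ngfw-mgmt", der_a))              # same cert
    print(vault.is_trusted("cust-A", "ngfw-mgmt", b"something-else"))  # swapped cert
    print(vault.is_trusted("cust-B", "ngfw-mgmt", der_a))              # other customer
```

In a real connector the presented certificate comes from the socket after the TLS handshake (`sock.getpeercert(binary_form=True)` in Python's ssl module returns the DER), with chain validation disabled for these self-signed targets; verify must run before the first request is sent, and a PinMismatch aborts the session.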

Can I bypass RELAY for a quick SSH troubleshoot? Strongly discouraged: bypassing breaks the audit trail. If you genuinely need direct SSH, use the operator's ssh client and capture the session manually (for example with script(1)) so a record of the session still exists.

Does RELAY support Telnet? Yes (legacy). Telnet carries credentials and session contents in cleartext on the customer MGMT segment, so migrate to SSH wherever the DUT supports it.

What's the discovery-probe doing? RELAY samples ingress traffic passively, zone-tags it as CUSTOMER, and forwards to VALIDATOR ML cortex for fleet topology graph. Anonymized + privacy-stripped.