[j-nsp] out of band management - real OOB
Jonathan Lassoff
jof at thejof.com
Mon Sep 19 18:38:13 EDT 2011
On Mon, Sep 19, 2011 at 2:16 PM, Pavel Lunin <plunin at senetsy.ru> wrote:
>
>
>> I see two ways one can go about this. Either programmatically tunnel into
>> an OOB L2 segment via a "bastion" host in an on-demand fashion, or point
>> some routes (dynamically, or otherwise) into your internal network for
>> management use.
>>
>> The risk of pointing routes into your internal network, IMO, is that
>> very-specific ACLs for management access can begin to have a blurred
>> distinction. RFC-1918 space can overlap, and public IPs within an internal
>> network can sometimes overlap with an active transit path.
>>
>>
> Why not just use a normal port/vlan, plug it in where you would've plugged
> fxp0 in, and then put it in a vrf/whatever?
>
On the internal side? This is one way of going about it. The question is,
what would the routing table on the device-to-be-managed look like? Just one
directly-connected route for the network segment it touches?
--j
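One way to audit the overlap risk described above (management ACL prefixes that also match a transit path, so the "management only" distinction blurs), as an added example that is not from the thread. The ACL, the routing table and the `mgmt`/`transit` role tag on each route are constructed assumptions, not anything from a real device:

```python
from ipaddress import ip_network

# Constructed sample data (not from the thread). Source prefixes a management
# ACL trusts, and the managed device's routing table as (prefix, role), where
# the assumed role tag says which side the route points to: the OOB/management
# segment or a transit path.
MGMT_ACL = ["10.0.0.0/8", "192.168.50.0/24", "203.0.113.0/25"]
ROUTES = [
    ("10.0.0.0/8", "mgmt"),
    ("10.20.0.0/16", "transit"),     # overlapping RFC-1918 space reachable via transit
    ("192.168.50.0/24", "mgmt"),
    ("203.0.113.0/24", "transit"),   # public space that also carries an active path
    ("0.0.0.0/0", "transit"),
]

def covering_routes(acl_prefix, routes):
    """Routes the device would actually use for addresses inside acl_prefix:
    every more-specific route within it, plus the longest-match route covering
    it (unless an exact-match route already shadows the covering one)."""
    net = ip_network(acl_prefix)
    hits, best, exact = [], None, False
    for prefix, role in routes:
        r = ip_network(prefix)
        if r.subnet_of(net):
            hits.append((prefix, role))
            exact = exact or r == net
        elif net.subnet_of(r) and (best is None or r.prefixlen > best[0].prefixlen):
            best = (r, prefix, role)
    if best is not None and not exact:
        hits.append((best[1], best[2]))
    return hits

def blurred_entries(acl, routes):
    """ACL entries whose address space is (partly) reached over a non-management
    route, i.e. where 'management only' no longer means what the ACL implies."""
    return [(entry, prefix, role)
            for entry in acl
            for prefix, role in covering_routes(entry, routes)
            if role != "mgmt"]

if __name__ == "__main__":
    for entry, prefix, role in blurred_entries(MGMT_ACL, ROUTES):
        print(f"ACL {entry} overlaps {role} route {prefix}")
```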