[j-nsp] SNMP on logical-system fxp0

Alex Arseniev alex.arseniev at gmail.com
Thu Apr 25 11:04:20 EDT 2013

From: "Saku Ytti" <saku at ytti.fi>
> There is nothing stopping vendors from implementing netflow and SNMP in 
> HW,
> allowing instant refresh of octet counters.

SNMPv3 would require encryption capabilities in HW making Your idea (a) 
potentially too expensive and (b) prone to export restrictions==>must 
develop && maintain 2 separate HW sets, same as for JUNOS software.

> Netflow often is already implemented in HW.

Netflow does NOT require encryption as standard (SNMPv3 does).

> And as Jeff mentioned, you cannot do CoPP to protect your RE from being
> congested by fxp0 traffic. Something simple and easy mistake to do as L2
> loop in FXP0 could be disaster, and no way to protect.

(a) lo0.0 filter copy is applied to fxp0 as well
(b) only if You build OOB network as flat L2 I would expect L2 BUM storms 
affecting fxp0.
The providers I worked with build their OOB networks using same design 
principles as their production networks - never flat L2, routed hops, every 
site has at least 1 (often 2 or multi-staged) firewall(s) protecting the 
rest of the OOB domain from "rogue elements".


More information about the juniper-nsp mailing list