[j-nsp] SNMP on logical-system fxp0

Pavel Lunin plunin at senetsy.ru
Thu Apr 25 12:48:30 EDT 2013


25.04.2013 19:04, Alex Arseniev wrote:
> Netflow does NOT require encryption as standard (SNMPv3 does).

Netflow or stateful log export is very often not supported on fxp0 and
analogues. Even if it is, a high rate of those logs can easily overwhelm
the RE or the link between the RE and the data plane.

> (a) lo0.0 filter copy is applied to fxp0 as well

It's not in hardware. So, say, the new multistage DoS-protection feature
of MX won't work. BTW, do policers work at all on fxp0? I think they
should, but it's a good example of a special need to care, spend time,
etc. Moreover, it can easily be poorly documented or not documented at all.

> The providers I worked with build their OOB networks using the same design
> principles as their production networks - never flat L2, routed hops,
> every site has at least 1 (often 2 or multi-staged) firewall(s)
> protecting the rest of the OOB domain from "rogue elements".

Even so. Why fxp0? Why not a normal interface (given you have it)?

Well, in the end it's not that important (though evident) why OOB mgt
interfaces have their limitations; they just do. And while there are
very few benefits (except some corner cases), there are lots of
drawbacks, which, of course, can be worked around, but what for?



