[j-nsp] SNMP on logical-system fxp0

Pavel Lunin plunin at senetsy.ru
Thu Apr 25 16:56:08 EDT 2013


2013/4/25 Alex Arseniev <alex.arseniev at gmail.com>

>
> Correct. Do you expect someone to attack fxp0 from within Your OOB network?
> Rogue NMS server perhaps?
>

In a big enough network — anything. Broken NMS (it turns out to happen more
often than I could think), malware on management PC, misconfigured
something (IP address of a syslog server), intentional hack, etc. Also,
routing does not mean that you don't have broadcast domains and BUM storms
are not possible.

> In that case You have OOB network design problems, see my point below wrt
> OOB design principles.


Even if you have a firewall behind each fxp0 (and how do you manage that
hell of firewalls, another OOB MGT network for OOB management devices? And
we still consider the price of a single port? :)) — I bet you don't rate limit
SNMP and even ICMP on the firewalls.

Let's be honest, any big ISP has more than one mgt network and they rarely
resemble Eden. Just because ISPs merge and split, different BUs manage
different parts of the network, sometimes BUs merge too, clever folks leave
the company and stupid ones sometimes come, etc.

This is why I'd prefer to have more tools to be sure.


> It is clearly evident that for every vendor product which has "management"
> built-in interfaces on control modules, these built-in interfaces on
> control modules cannot deliver the same features & perf as revenue interfaces.
> Do You have expectations and/or experience/examples to the contrary?
>


Of course I don't :) This is the thesis I started with, so why should I
expect the contrary?

It becomes even worse when it comes to multi-vendorness. Different
equipment has different limitations for those ports. And all this makes
the MGT network less and less flexible.

I've once been involved in a project of a centralized monitoring system
deployment for a big ISP. They had about 7 different routed OOB mgt
networks (Core, Access, ATM, SDH, etc); I can't even say it was wrongly
done. But just the need to provide connectivity to everything ended up with
GRE over NAT over GRE over NAT salted with NAT and served through GRE sort
of solutions (not everywhere, but partly). I won't say all or even most,
but A LOT of the troubles they had came from the limitations of dedicated mgt
interfaces.

Of course, as a result, this whole interconnected network was not a thing
with which you could be sure that nothing bad would ever happen, even though
some parts were originally well designed and run.


>> Even so. Why fxp0? Why not normal interface (given you have it)?
>>
>
> Because fxp0 is "free" in a sense that it is included in RE price?


OK, I got it. The main reason is the physical port itself (I should've
asked what happened to VLANs on normal interfaces, but I won't :).

Well, my point here is just that one must be very conscious and ask himself
twice whether he knows what he is doing when choosing a "dedicated" mgt
interface for every-day management.

P.S. I also have doubts that the economical assumption really holds (opex
for administration also costs money), but let's leave this alone.
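As an added example (not from this thread or either poster), one of the "more tools" a defender can put on fxp0 itself: a Junos input filter that accepts SNMP and SSH only from a known management prefix and polices SNMP and ICMP, so a broken NMS or a BUM storm on the OOB segment cannot starve the RE. The prefix list, policer rates and all names are placeholders chosen for this illustration.

```junos
/* Placeholder values: 192.0.2.0/24 stands in for the NMS/management subnet; rates are examples only */
policy-options {
    prefix-list mgmt-hosts { 192.0.2.0/24; }
}
firewall {
    policer mgmt-snmp-policer {
        if-exceeding { bandwidth-limit 1m; burst-size-limit 15k; }
        then discard;
    }
    policer mgmt-icmp-policer {
        if-exceeding { bandwidth-limit 500k; burst-size-limit 15k; }
        then discard;
    }
    family inet {
        filter fxp0-protect {
            /* SNMP only from the management prefix list, and rate limited even then */
            term snmp-from-mgmt {
                from {
                    source-prefix-list { mgmt-hosts; }
                    protocol udp;
                    destination-port snmp;
                }
                then { policer mgmt-snmp-policer; accept; }
            }
            /* SSH from the same prefix list, so the default term below cannot lock you out */
            term ssh-from-mgmt {
                from { source-prefix-list { mgmt-hosts; } protocol tcp; destination-port ssh; }
                then accept;
            }
            /* ICMP stays reachable but is policed so a storm cannot consume the RE */
            term icmp-policed {
                from { protocol icmp; }
                then { policer mgmt-icmp-policer; accept; }
            }
            /* Everything else arriving on fxp0 is counted (for visibility) and dropped */
            term default-discard {
                then { count fxp0-discards; discard; }
            }
        }
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet { filter { input fxp0-protect; } }
        }
    }
}
```

Check the `fxp0-discards` counter with `show firewall filter fxp0-protect` after a while; a steadily climbing count from the OOB side is exactly the kind of misconfigured syslog target or rogue NMS the thread is talking about.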

