[j-nsp] in-band management interface vs. re firewall concepts/bcp

Saku Ytti saku at ytti.fi
Fri Jul 8 13:04:36 EDT 2016


I never understood why people want to do this.

FXP0/EM0 are very dangerous ports: they sit on the control plane without
any HW protection, no port filters, no lo0, no ddos-protection. So if
you have an L2 MGMT network there, connecting all Junipers, potentially
an L2 loop in your MGMT network breaks the whole network.
If it were a port which could be protected, you could use normal best
practices to limit this unintentional attack.

For Junipers I'd say on-band + RS232 with debugger-on-break as backup
is the way to go.
For Ciscos, if you have CMP, the story is different, as CMP is a true
out-of-band interface, not fate-sharing with the control plane. I wish all
vendors would ship a port like CMP, so we could kiss goodbye to both RS232
and silly control-plane ethernet ports. Like server guys have been
doing for what, 15 years?

I also don't understand the benefit of putting one MGMT interface in a VRF,
as you're still going to have tons of ports in the main instance; what are we
gaining? It makes much more sense to me to put the Internet in a VRF; then
all non-VRF ports, like all core ports, are protected by default. And
the actual edge ports, facing customers, will obviously have an iACL
anyhow.


On 8 July 2016 at 17:22, Clinton Work <clinton at scripty.com> wrote:
> I don't want to convert a regular port into a routing-instance, I want
> to put fxp0 / em0 into a routing-instance or logical router. I don't
> want to pollute the main inet.0 routing table with mgmt routes. There
> are various workarounds, but some features (inline jflow) only work
> properly via the main inet.0 routing table.
>
> On Fri, Jul 8, 2016, at 05:03 AM, Paul S. wrote:
>> Likewise, it really doesn't make much sense to me.
>>
>> Having to retrofit a normal port to act as management in its own vrf is
>> stupid (and not even always possible).
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp



-- 
  ++ytti
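As an added example (not part of Saku's post or of the thread), the following Junos configuration fragment shows the "normal best practices" an in-band management setup relies on: a lo0 input filter that admits management and routing-protocol traffic only from trusted prefixes, polices ICMP, discards and counts everything else, and a ddos-protection setting for the ICMP protocol group. The prefix-list contents, filter/policer names and addresses are constructed for illustration (RFC 5737 documentation ranges); the ddos-protection stanza assumes an MX/Trio platform where that feature exists. Additional terms are needed for whatever other routing protocols (OSPF, LDP, BFD, ...) the box actually runs.

```junos
/* Added example, not from the thread. Addresses are RFC 5737 documentation ranges. */
policy-options {
    prefix-list mgmt-hosts {
        192.0.2.0/24;          /* jump hosts / NMS (constructed) */
    }
    prefix-list bgp-neighbors {
        198.51.100.0/24;       /* peering subnet (constructed) */
    }
}
firewall {
    family inet {
        filter protect-re {
            /* SSH and NETCONF (830) only from the management prefix-list */
            term mgmt-from-trusted {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol tcp;
                    destination-port [ ssh 830 ];
                }
                then accept;
            }
            /* SNMP polling only from the management prefix-list */
            term snmp-from-trusted {
                from {
                    source-prefix-list {
                        mgmt-hosts;
                    }
                    protocol udp;
                    destination-port snmp;
                }
                then accept;
            }
            /* BGP only from configured neighbours; 'port' matches either direction */
            term bgp {
                from {
                    source-prefix-list {
                        bgp-neighbors;
                    }
                    protocol tcp;
                    port bgp;
                }
                then accept;
            }
            /* Keep ICMP working, but police it so a flood cannot hog the RE */
            term icmp {
                from {
                    protocol icmp;
                }
                then {
                    policer icmp-policer;
                    accept;
                }
            }
            /* Everything else destined to the RE is counted, logged and dropped */
            term deny-rest {
                then {
                    count re-discards;
                    log;
                    discard;
                }
            }
        }
    }
    policer icmp-policer {
        if-exceeding {
            bandwidth-limit 1m;
            burst-size-limit 15k;
        }
        then discard;
    }
}
interfaces {
    lo0 {
        unit 0 {
            family inet {
                filter {
                    input protect-re;
                }
                address 203.0.113.1/32;   /* router loopback (constructed) */
            }
        }
    }
}
system {
    /* Per-protocol control-plane policing; MX/Trio assumed */
    ddos-protection {
        protocols {
            icmp {
                aggregate {
                    bandwidth 1000;
                    burst 500;
                }
            }
        }
    }
}
```

The filter is the piece that in-band ports get and that the thread is complaining the dedicated management port lacks: with the Internet-facing ports in a VRF, as Saku suggests, every main-instance port is covered by this one lo0 filter by default, and the `re-discards` counter (`show firewall filter protect-re`) gives a quick view of what is being knocked away from the RE.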

