From: "Saku Ytti" <s...@ytti.fi>
There is nothing stopping vendors from implementing netflow and SNMP in HW,
allowing instant refresh of octet counters.

SNMPv3 would require encryption capabilities in HW, making your idea (a) potentially too expensive and (b) prone to export restrictions ==> must develop && maintain 2 separate HW sets, same as for JUNOS software.

Netflow often is already implemented in HW.

Netflow does NOT require encryption as standard (SNMPv3 does).

And as Jeff mentioned, you cannot do CoPP to protect your RE from being
congested by fxp0 traffic. A mistake as simple and easy to make as an L2
loop in FXP0 could be a disaster, and there is no way to protect.

(a) lo0.0 filter copy is applied to fxp0 as well
(b) only if you build the OOB network as flat L2 would I expect L2 BUM storms affecting fxp0. The providers I worked with build their OOB networks using the same design principles as their production networks - never flat L2, routed hops, every site has at least 1 (often 2 or multi-staged) firewall(s) protecting the rest of the OOB domain from "rogue elements".

HTH
Thanks
Alex
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp