25.04.2013 19:04, Alex Arseniev wrote:
> Netflow does NOT require encryption as standard (SNMPv3 does).

Netflow or stateful log export is very often not supported on fxp0 and analogues. Even if it is, a high rate of those logs can easily overwhelm the RE or the link between the RE and the data plane.

> (a) lo0.0 filter copy is applied to fxp0 as well

It's not in hardware. So, say, the new multistage DoS-protection feature of MX won't work. BTW, do policers work at all on fxp0? I think they should but it's a good example of a special need to care, spend time, etc. Moreover, it can be easily poorly documented or not documented at all.

> The providers I worked with build their OOB networks using same design
> principles as their production networks - never flat L2, routed hops,
> every site has at least 1 (often 2 or multi-staged) firewall(s)
> protecting the rest of the OOB domain from "rogue elements".

Even so. Why fxp0? Why not a normal interface (given you have it)?

Well, at the end it's not that important (though evident) why OOB mgt interfaces have their limitations, they just do. And while there are very few benefits (except some corner cases), there are lots of drawbacks, which, of course, can be worked around, but what for?