----- Original Message -----
From: "Pavel Lunin" <plu...@senetsy.ru>
To: <juniper-nsp@puck.nether.net>
Sent: Thursday, April 25, 2013 5:48 PM
Subject: Re: [j-nsp] SNMP on logical-system fxp0



25.04.2013 19:04, Alex Arseniev wrote:
Netflow does NOT require encryption as standard (SNMPv3 does).
Netflow or stateful log export is very often not supported on fxp0 and
analogues. Even if it is, a high rate of those logs can easily overwhelm
the RE or the link between the RE and the data plane.
(a) lo0.0 filter copy is applied to fxp0 as well
It's not in hardware.

Correct. Do you expect someone to attack fxp0 from within Your OOB network?
Rogue NMS server perhaps?
In that case You have OOB network design problems, see my point below wrt OOB design principles.

The providers I worked with build their OOB networks using the same design
principles as their production networks - never flat L2, routed hops,
every site has at least 1 (often 2 or multi-staged) firewall(s)
protecting the rest of the OOB domain from "rogue elements".
Even so. Why fxp0? Why not a normal interface (given you have it)?

Because fxp0 is "free" in a sense that it is included in RE price?


Well, at the end it's not that important (though evident) why OOB mgt
interfaces have their limitations, they just do.

It is clearly evident that for every vendor product which has "management" built-in interfaces on control modules, these built-in interfaces on control modules cannot deliver the same features & perf as revenue interfaces.
Do You have expectations and/or experience/examples to the contrary?

Thanks
Alex

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
