Re: [j-nsp] Managing MX480 fxp0
Hi,

How wrong we were doing that with our MX960, QFX5100, and a few MX104 =D.

One of our OOB is a bunch of EX2300 switches using STP, on a different set of dark fiber linking a few Metro data centers together... but as usual with JNP... one went nuts and started spewing packets from the other link while shifting left a few bytes. When those packets hit our fxp0s, dos protect did all and killed their CPU dropping everything BGP and MPLS (thx JNP) on most routers connected to the OOB network.

Now, at each site, we have a mini putter (Lenovo/Zotac/etc) with SSD, Sealink serial ports, Consumer xDSL/Coax, MFA encrypted VPN. We enable fxp0 *if* needed...

Other things to think about:

1. We're even looking at swapping to Cisco L2 switches instead of JNPs, since this type of event never happened, in our collective experience, with that brand.
2. Using OSPF3 (or IS-IS to limit OSPF injection) would have limited the fxp0 DoS to the local OOB switch... which is still too risky for our taste.
3. You could use Serial->Ethernet devices instead of the Sealink, but if the OOB switch goes down again, you cannot access the serials.

PS: In our case it is our fiber bundles and we didn't need to invest in DWDM... but it's the same idea. For years an associate of mine implemented a very large deployment of OOB over DWDM and Cisco L2 switches with 0 downtime.

Have fun and good luck.

-
Alain Hebert                aheb...@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770     Beaconsfield, Quebec     H9W 6G7
Tel: 514-990-5911  http://www.pubnix.net    Fax: 514-990-9443

On 2019-11-26 06:09, Sander Steffann wrote:

___
juniper-nsp mailing list
juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: [j-nsp] Managing MX480 fxp0
Hi,

> I would personally not wire or use fxp0 unless I'm out of options.
> Some other vendors today have real out-of-band ethernet for MGMT,
> meaning own CPU, own memory, own OS not fate-sharing the
> control-plane, which is the correct solution for OOB, but not
> something we as a community are actively asking vendors to deliver.

We built an OOB network exactly like that. Cheap L3 switches talking OSPF to each other over their own 1G DWDM channels, completely independent of the production network. A separate OOB network used to be crazy expensive, but with cheap DWDM gear suddenly all you need is a free DWDM channel and some cheap second hand L3 switches. And that's what we connect our fxp0 ports to.

Cheers,
Sander
Re: [j-nsp] Managing MX480 fxp0
On Mon, 25 Nov 2019 at 21:41, Aaron Gould wrote:
> Thanks, but I just moved the fxp0 ip address to a revenue interface to get
> the pfe forwarding I needed.

+1. I think 'management' ethernet is a misnomer and a massive risk. It's an interface with direct access to the control-plane, so if your MGMT LAN has an L2 loop or such, you could break your entire network and there is really nothing you can configure to protect yourself at the device.

I would personally not wire or use fxp0 unless I'm out of options. Some other vendors today have real out-of-band ethernet for MGMT, meaning own CPU, own memory, own OS not fate-sharing the control-plane, which is the correct solution for OOB, but not something we as a community are actively asking vendors to deliver.

Kudos to Cisco insisting on putting this on newer platforms too, even when we, the customers, have not woken up on its utility.

--
  ++ytti
Re: [j-nsp] Managing MX480 fxp0
Thanks, but I just moved the fxp0 ip address to a revenue interface to get the pfe forwarding I needed.

-Aaron
Re: [j-nsp] Managing MX480 fxp0
This used to be possible by setting the "net.pfe.transit_re" (or similar) value using sysctl, but I'm not sure if it still works on newer Junos versions:

https://www.kumari.net/index.php/networking/tips-and-tricks/14-

I would not do this on a production router, though. If you need to reach your fxp0 from locations outside of your OOB subnet, I think the practice is to either use source NAT on a device that has connectivity to your OOB, or you should put fxp0 into a routing-instance using 'management-instance' on Junos 17.x and above (I believe).

One caveat to doing the latter is that if you use TACACS (and possibly RADIUS) for authentication and your source address is the router loopback IP in inet.0, your 'mgmt_junos' instance needs to have static routes for the TACACS servers installed:

    routing-options {
        static {
            route 0.0.0.0/0 next-hop 172.16.14.1;      # Default route for fxp0 network
            route 192.0.2.55/32 next-table inet.0;     # Public lo0.0 IP
            route 10.55.234.90/32 next-table inet.0;   # TACACS server
        }
    }

In my environment, this was necessary, but YMMV.

-evt

On 11/22/19, 12:02 PM, "juniper-nsp on behalf of Aaron Gould" wrote:
Re: [j-nsp] Managing MX480 fxp0
Hi,

On 22.11.2019 19:48, Dave Bell wrote:
> This is definitely not possible. You can't jump from the data plane out of the fxp port. This is why things like jflow are only possible inband

The official statement is that it is neither possible nor supported. It was even highly marketed as separation in the earlier days.

But I have seen a couple of occurrences (including a network-crippling loop and therefore amplification of traffic, e.g. back in the M5i days) where some traffic leaked from fxp0 to data plane and/or vice versa.

Even if it would work you would not want it, as the CP/DP link is pretty "slow" and already tasked with lots of other things which it struggles with at times ;)

--
regards
Tobias Heister
Re: [j-nsp] Managing MX480 fxp0
Thanks

-Aaron
Re: [j-nsp] Managing MX480 fxp0
Hi Aaron.

This is definitely not possible. You can't jump from the data plane out of the fxp port. This is why things like jflow are only possible inband.

Regards
Dave

On Fri, 22 Nov 2019 at 17:01, Aaron Gould wrote:
Re: [j-nsp] Managing MX480 fxp0
Thanks again (Chris) for solving my vpls/irb/tagging combination problem yesterday. We can bridge successfully now.

Taking this one step further, we now are trying to route via fxp0 and *through* it to the irb.100 interface and are unable to.

Is it possible to route traffic *through* an fxp0 interface? (MX204)

I'm asking since it seems that someone mentioned that it is in fact possible with some sort of static routes, but I'm unsure what they meant exactly.

If it's definitely not possible to transit an fxp0 interface, I just need to know that, and I will seek solutions using a revenue interface instead.

Resurrecting an old thread(s)..

https://www.mail-archive.com/juniper-nsp@puck.nether.net/msg09809.html
https://puck.nether.net/pipermail/juniper-nsp/2010-August/017545.html

    subnet A ---- fxp0/mx204/irb.100 ---- subnet B
             <--- is bi-dir comms possible? --->

-Aaron
Re: [j-nsp] Managing MX480 fxp0
We put a router in place to do NAT for the local subnet of the fxp. Alternately, you can just put static routes in for specific management subnets pointing out the fxp port...

From: Serge Vautour
To: Chen Jiang; Jim Devane
Cc: "juniper-nsp@puck.nether.net"
Sent: Thu, July 8, 2010 10:26:24 AM
Subject: Re: [j-nsp] Managing MX480 fxp0
Re: [j-nsp] Managing MX480 fxp0
Putting fxp0 in a LS works from a routing perspective but it breaks NSR & GRES - at least it does in 10.0R2. I have a JTAC case pending.

Serge

- Original Message
From: Chen Jiang
To: Jim Devane
Cc: "juniper-nsp@puck.nether.net"
Sent: Thu, July 8, 2010 4:54:15 AM
Subject: Re: [j-nsp] Managing MX480 fxp0
Re: [j-nsp] Managing MX480 fxp0
I do this in my network. It works well.

David

On 7 July 2010 18:33, Chris Kawchuk wrote:
Re: [j-nsp] Managing MX480 fxp0
It's not about using the line cards. It's about keeping the fxp0 routes separate and isolated from the production routes. If you happen to have overlapping address ranges between your production and management subnets, you will have a problem that fxp0 routes will interfere with production traffic and vice versa unless you can put one or the other into a VRF.

On Thu, Jul 08, 2010 at 05:33:18PM +1000, Truman Boyes wrote:
Re: [j-nsp] Managing MX480 fxp0
You could also put your production traffic into a VRF (not a logical system). Not sure if MS-DPC will work for VRFs (routing-instances).

On Thu, Jul 08, 2010 at 03:54:15PM +0800, Chen Jiang wrote:
Re: [j-nsp] Managing MX480 fxp0
What we did, as we have different IP ranges that access via the fxp0, was to NAT on the next-hop router connected to the fxp0 port, so that all traffic appears to the fxp0 as if it was directly connected to it.

Best Regards

William Jackson
Technical Department
Sapphire Networks

-Original Message-
From: juniper-nsp-boun...@puck.nether.net [mailto:juniper-nsp-boun...@puck.nether.net] On Behalf Of Chris Kawchuk
Sent: 08 July 2010 02:33
To: Jim Devane
Cc: juniper-nsp
Subject: Re: [j-nsp] Managing MX480 fxp0
Re: [j-nsp] Managing MX480 fxp0
You cannot put fxp0 into a VRF but could put it into a logical system. And a logical system also has a separate routing table other than inet.0.

On Thu, Jul 8, 2010 at 3:16 AM, Jim Devane wrote:

--
BR!
James Chen
Re: [j-nsp] Managing MX480 fxp0
Putting fxpX or meX interfaces into a VRF is not a good idea. I understand that you want to have a management VPN, that idea is fine, but the host routing from the routing engine should not have to rely on other features/line cards of the box that may need to be serviced.

I tend to use loopback addresses inside l3vpns that I can reach via my OSS networks, and this works perfectly for basic NMS-type of operations.

Even still, a routing-engine that suffers in booting a line card that provides MPLS uplinks would be out of commission if the VRF routing was not working.

Cheers,
Truman

On 8/07/2010, at 6:22 AM, Chris Evans wrote:
> Send a bitch email to juniper. I have been begging for the capability to put
> the fxp into a vrf.
>
> On Jul 7, 2010 3:53 PM, "Jim Devane" wrote:
Re: [j-nsp] Managing MX480 fxp0
Answer:

    interfaces {
        fxp0 {
            description "MANAGEMENT";
            speed 100m;
            link-mode full-duplex;
            unit 0 {
                family inet {
                    address 10.2.1.100/24;
                }
            }
        }
    }

    routing-options {
        static {
            route 10.0.0.0/8 {
                next-hop 10.2.1.1;
                no-readvertise;
            }
            route 172.16.0.0/12 {
                next-hop 10.2.1.1;
                no-readvertise;
            }
            route 192.168.0.0/16 {
                next-hop 10.2.1.1;
                no-readvertise;
            }
        }
    }

where 10.2.1.1 is some internal router on your management network, which knows how to get everywhere in your management cloud. RFC1918 stays inside, everything else stays outside. And since you can't go from transit interface to management (fxp0), there's no way to get from public->private and vice versa.

No need for a vrf - assuming that all other IPs in use on the "production" part of the network are real IPs; as JunOS simply won't route from, say, xe-0/0/0.0 to fxp0; but management will be allowed.

Breaks if you tend to use private space on your Production 10G interfaces, tho =)

- Chris.

On 2010-07-07, at 1:16 PM, Jim Devane wrote:
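The failure mode Chris flags at the end (RFC1918 static routes pointed at fxp0 colliding with private space on revenue interfaces), which is the same overlap concern raised earlier in the thread, can be checked mechanically before commit. The Python below is an added example, not code from the thread or from Juniper; it parses a constructed brace-style Junos config built from Chris's fxp0 snippet plus an assumed xe-0/0/0 address, and reports every management static route that covers a revenue interface's subnet.

```python
"""Flag management (fxp0) static routes that overlap address space configured on
revenue interfaces.  Added example, not code from the thread; the config below is
constructed from Chris's fxp0 snippet plus an assumed xe-0/0/0 address."""
from __future__ import annotations

import ipaddress
from typing import Iterator

# Constructed sample.  xe-0/0/0 deliberately carries RFC1918 space: that is the
# case the post says "breaks", because 10.0.0.0/8 is also pointed at fxp0.
SAMPLE_CONFIG = """
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 10.2.1.100/24;
            }
        }
    }
    xe-0/0/0 {
        unit 0 {
            family inet {
                address 10.200.0.1/30;
            }
        }
    }
}
routing-options {
    static {
        route 10.0.0.0/8 {
            next-hop 10.2.1.1;
        }
        route 172.16.0.0/12 {
            next-hop 10.2.1.1;
        }
        route 192.168.0.0/16 {
            next-hop 10.2.1.1;
        }
    }
}
"""


def walk(config: str) -> Iterator[tuple[tuple[str, ...], str]]:
    """Yield (path, statement) for each leaf of a brace-style Junos config;
    path is the tuple of enclosing headers, e.g. ('interfaces', 'fxp0', 'unit 0')."""
    stack: list[str] = []
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("{"):
            stack.append(line[:-1].strip())
        elif line == "}":
            stack.pop()
        else:
            yield tuple(stack), line.rstrip(";").strip()


def static_routes(config: str) -> dict[ipaddress.IPv4Network, str]:
    """Map each inet.0 static route prefix to its next-hop address."""
    routes: dict[ipaddress.IPv4Network, str] = {}
    for path, stmt in walk(config):
        if (len(path) == 3 and path[:2] == ("routing-options", "static")
                and stmt.startswith("next-hop ")):
            prefix = path[2].split()[1]  # 'route 10.0.0.0/8' -> '10.0.0.0/8'
            routes[ipaddress.ip_network(prefix)] = stmt.split()[1]
    return routes


def interface_subnets(config: str) -> dict[str, list[ipaddress.IPv4Network]]:
    """Map each interface name to the inet subnets configured on it."""
    subnets: dict[str, list[ipaddress.IPv4Network]] = {}
    for path, stmt in walk(config):
        if (len(path) == 4 and path[0] == "interfaces"
                and path[3] == "family inet" and stmt.startswith("address ")):
            net = ipaddress.ip_interface(stmt.split()[1]).network
            subnets.setdefault(path[1], []).append(net)
    return subnets


def management_overlaps(config: str, mgmt_if: str = "fxp0") -> list[tuple[str, str, str]]:
    """Return (route, interface, subnet) for each static route whose next-hop is
    on the management subnet but whose prefix also covers a revenue interface's
    subnet: the RE would steer that subnet's traffic toward fxp0."""
    subnets = interface_subnets(config)
    mgmt_nets = subnets.get(mgmt_if, [])
    findings: list[tuple[str, str, str]] = []
    for route, next_hop in static_routes(config).items():
        if not any(ipaddress.ip_address(next_hop) in n for n in mgmt_nets):
            continue  # next-hop not on fxp0's subnet: not a management route
        for ifname, nets in subnets.items():
            if ifname != mgmt_if:
                findings.extend((str(route), ifname, str(net))
                                for net in nets if route.overlaps(net))
    return findings
```

With the sample, `management_overlaps(SAMPLE_CONFIG)` reports the 10.0.0.0/8 route against xe-0/0/0's 10.200.0.0/30; swapping xe-0/0/0 to public space yields no findings, which is the "real IPs on production" assumption Chris relies on.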
Re: [j-nsp] Managing MX480 fxp0
Send a bitch email to juniper. I have been begging for the capability to put the fxp into a vrf.

On Jul 7, 2010 3:53 PM, "Jim Devane" wrote:
[j-nsp] Managing MX480 fxp0
Hello,

I need some ideas/help on a scenario I am sure comes up a lot but am having problems with.

I have an MX480. I want to be able to manage this MX from an internal (1918) network through the fxp0 port. The internal network is not flat but routed, and there are several subnets which may contact the MX for management/polling. I was thinking/hoping to set up a VRF for this port and set routes/default route for the VRF to connect. It turns out I am not able to put fxp0 into a routing-instance (errors on config checkout).

So I put everything production into a logical system, leaving the fxp in the master instance and installing a default route for the master instance. This works, but now the MS-DPC will not export flows if it is in a logical system. So the logical system is out b/c the MS-DPC has to be in the master instance. But I can't put the fxp0 into a logical/routing instance.

What is the BCP/recommended method for managing this box if fxp0 is not a "public" routed interface?

Unfortunately, I don't have another port to place into a VRF besides the fxp0 (all other ports are 10G).

Thanks for any help/ideas!
Jim