Answer:

interfaces {
    fxp0 {
        description "MANAGEMENT";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 10.2.1.100/24;
            }
        }
    }
}

routing-options {
    static {
        route 10.0.0.0/8 {
            next-hop 10.2.1.1;
            no-readvertise;
        }
        route 172.16.0.0/12 {
            next-hop 10.2.1.1;
            no-readvertise;
        }
        route 192.168.0.0/16 {
            next-hop 10.2.1.1;
            no-readvertise;
        }
    }
}

.... where 10.2.1.1 is some internal router on your management network, which 
knows how to get everywhere in your management cloud. RFC1918 stays inside, 
everything else stays outside. And since you can't go from transit interface to 
management (fxp0), there's no way to get from public->private and vice versa.

No need for a vrf - assuming that all other IPs in use on the "production" part 
of the network are real IPs; as JunOS simply won't route from, say, xe-0/0/0.0 
to fxp0; but management will be allowed.

Breaks if you tend to use private space on your Production 10G interfaces, tho 
=)


- Chris.




On 2010-07-07, at 1:16 PM, Jim Devane wrote:

> Hello,
> 
> I need some ideas/help on a scenario I am sure comes up a lot but I am having 
> problems with.
> 
> I have an MX480. I want to be able to manage this MX from an internal (1918) 
> network through the fxp0 port. The internal network is not flat but routed 
> and there are several subnets which may contact the MX for 
> management/polling. I was thinking/hoping to set up a VRF for this port and 
> set routes/default route for the VRF to connect. It turns out I am not able 
> to put fxp0 into a routing-instance. (errors on config checkout)
> So I put everything production in to a logical system leaving the fxp in the 
> master instance and installing a default route for the master instance. This 
> works, but now the MS-DPC will not export flows if it is in a logical system. 
> So the logical system is out b/c the MS-DPC has to be in the master instance. 
> But I can't put the fxp0 into a logical/routing instance.
> 
> What is the BCP/recommended method for managing this box if fxp0 is not a 
> "public" routed interface?
> 
> Unfortunately, I don't have another port to place into a VRF besides the fxp0 
> (all other ports are 10G)
> 
> Thanks for any help/ideas!
> Jim
> 
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
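
Added example, not part of the original thread or of any Juniper tooling: a Python check for the caveat in the reply above, that the RFC 1918 statics via fxp0 break once production interfaces use private space. It parses a curly-brace Junos config and reports production addresses that overlap a static whose next hop sits on the fxp0 subnet; the sample config and the xe- interface addresses are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample, not from the original post: fxp0 and the statics mirror
# the reply; xe-0/0/0 and xe-0/0/1 are hypothetical production interfaces.
SAMPLE = """
interfaces {
    fxp0 { unit 0 { family inet { address 10.2.1.100/24; } } }
    xe-0/0/0 { unit 0 { family inet { address 203.0.113.1/30; } } }
    xe-0/0/1 { unit 0 { family inet { address 172.16.5.1/30; } } }
}
routing-options {
    static {
        route 10.0.0.0/8 { next-hop 10.2.1.1; no-readvertise; }
        route 172.16.0.0/12 { next-hop 10.2.1.1; no-readvertise; }
        route 192.168.0.0/16 { next-hop 10.2.1.1; no-readvertise; }
    }
}
"""

def parse(config):
    """Return ({interface: [addresses]}, [(static prefix, next hop)])."""
    path, stmt, ifaces, routes = [], [], {}, []
    for tok in re.findall(r"[{};]|[^\s{};]+", config):
        if tok == "{":
            path.append(" ".join(stmt))  # enter a block named by the statement
        elif tok == ";" and stmt[:1] == ["address"] and path[:1] == ["interfaces"]:
            ifaces.setdefault(path[1], []).append(ipaddress.ip_interface(stmt[1]))
        elif tok == ";" and stmt[:1] == ["next-hop"] and path[:2] == ["routing-options", "static"]:
            routes.append((ipaddress.ip_network(path[2].split()[1]),
                           ipaddress.ip_address(stmt[1])))
        elif tok == "}":
            path.pop()
        stmt = stmt + [tok] if tok not in ("{", "}", ";") else []
    return ifaces, routes

def audit(config, mgmt_if="fxp0"):
    """List production addresses that overlap statics pointing out mgmt_if."""
    ifaces, routes = parse(config)
    mgmt_nets = [a.network for a in ifaces.get(mgmt_if, [])]
    # A static counts as management when its next hop is on an fxp0 subnet.
    mgmt_routes = [p for p, nh in routes if any(nh in n for n in mgmt_nets)]
    return [(name, str(a), str(p))
            for name, addrs in ifaces.items() if name != mgmt_if
            for a in addrs for p in mgmt_routes if a.network.overlaps(p)]

if __name__ == "__main__":
    for name, addr, route in audit(SAMPLE):
        print(f"{name}: {addr} falls inside management static {route}")
```

An empty result means no production address shares space with the management statics, which is the condition the reply assumes.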

