On Mon, Sep 19, 2011 at 2:16 PM, Pavel Lunin <[email protected]> wrote:
> >> I see two ways one can go about this. Either programmatically tunnel into
> >> an OOB L2 segment via a "bastion" host in an on-demand fashion, or point
> >> some routes (dynamically, or otherwise) into your internal network for
> >> management use.
> >>
> >> The risk of pointing routes into your internal network, IMO, is that
> >> very-specific ACLs for management access can begin to have a blurred
> >> distinction. RFC-1918 space can overlap, and public IPs within an internal
> >> network can sometimes overlap with an active transit path.
> >>
>
> Why not just use a normal port/vlan, plug it where you would've plugged fxp0
> to, and then put it in a vrf/whatever?
>

On the internal side? This is one way of going about it. The question is, what would the routing table on the device-to-be-managed look like? Just one directly-connected route for the network segment it touches?

--j

_______________________________________________
juniper-nsp mailing list
[email protected]
https://puck.nether.net/mailman/listinfo/juniper-nsp
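As an added illustration (not from anyone in the thread) of the "normal port in a VRF" variant and of what the managed device's routing table ends up holding, here is a Junos configuration sketch; the interface name, instance name and addresses are assumed:

```junos
/* Added example, not from the thread. Interface, instance name and
   addresses are assumptions chosen for illustration. */
interfaces {
    ge-0/0/0 {
        description "OOB management port, used in place of fxp0";
        unit 0 {
            family inet {
                address 10.255.0.2/24;
            }
        }
    }
}
routing-instances {
    mgmt {
        instance-type virtual-router;
        interface ge-0/0/0.0;
        routing-options {
            static {
                /* Reach only the management aggregate; deliberately no
                   default route, so nothing in this table can overlap a
                   transit path or the main inet.0 table. */
                route 10.255.0.0/16 next-hop 10.255.0.1;
            }
        }
    }
}
/* Resulting table mgmt.inet.0 holds three entries: the Direct route for
   10.255.0.0/24, the Local /32 for the port's own address, and the
   static 10.255.0.0/16. The transit table inet.0 is untouched. */
```

One caveat a practitioner would check: on Junos releases of that period the management daemons (ssh, snmp, syslog) bind to the default instance, so reaching them through a non-default virtual-router needs extra plumbing (rib-groups or similar), whereas later releases added `set system management-instance` to move management into a dedicated mgmt_junos instance.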

