20.04.2013 01:45, Chip Marshall wrote:
> So, I have an MX5 with its fxp0 management interface connected to
> one network, which I've placed in a logical-system so it can have
> its own default route for out-of-band management.

This is what I never understood. Why do people want to use fxp0 (or any other "dedicated management") iface for real production management? Well, of course we need some sort of special management VLAN or routed infrastructure to separate management from the payload-carrying network, but what is the reason to bypass the data plane and plug it right into the RR? Even leaving aside all the troubles like those discussed in this thread, implied by the impossibility of using a lot of forwarding features (you can't even connect it to two switches for backup), this deprives you of the ability to protect the RE using hardware filters and policers. Say, I saw a couple of quite serious cases when a crazy "trusted" NMS DoSed routers with lots of ICMP probes and SNMP.

In my opinion fxp0 is a thing much like a console port, which is useful when you intentionally need to access the control plane directly (and this is why you had better think in advance about where it's plugged in and which subnet it belongs to), but as a full-time management interface it seems to bring more troubles than benefits.

