Mailing List Archive

Managing MX480 fxp0
Hello,

I need some ideas/help on a scenario I am sure comes up a lot but am having problems with.

I have an MX480. I want to be able to manage this MX from an internal (1918) network through the fxp0 port. The internal network is not flat but routed, and there are several subnets which may contact the MX for management/polling. I was thinking/hoping to set up a VRF for this port and set routes/a default route for the VRF to connect. It turns out I am not able to put fxp0 into a routing-instance. (errors on config checkout)
So I put everything production into a logical system, leaving the fxp in the master instance and installing a default route for the master instance. This works, but now the MS-DPC will not export flows if it is in a logical system. So the logical system is out b/c the MS-DPC has to be in the master instance. But I can't put the fxp0 into a logical/routing instance.

What is the BCP/recommended method for managing this box if fxp0 is not a "public" routed interface?

Unfortunately, I don't have another port to place into a VRF besides the fxp0 (all other ports are 10G)

Thanks for any help/ideas!
Jim

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Managing MX480 fxp0 [ In reply to ]
Send a bitch email to juniper. I have been begging for the capability to put
the fxp into a vrf.

On Jul 7, 2010 3:53 PM, "Jim Devane" <jdevane@switchnap.com> wrote:

Re: Managing MX480 fxp0 [ In reply to ]
Answer:

interfaces {
    fxp0 {
        description "MANAGEMENT";
        speed 100m;
        link-mode full-duplex;
        unit 0 {
            family inet {
                address 10.2.1.100/24;
            }
        }
    }
}

routing-options {
    static {
        route 10.0.0.0/8 {
            next-hop 10.2.1.1;
            no-readvertise;
        }
        route 172.16.0.0/12 {
            next-hop 10.2.1.1;
            no-readvertise;
        }
        route 192.168.0.0/16 {
            next-hop 10.2.1.1;
            no-readvertise;
        }
    }
}

.... where 10.2.1.1 is some internal router on your management network, which knows how to get everywhere in your management cloud. RFC1918 stays inside, everything else stays outside. And since you can't go from a transit interface to management (fxp0), there's no way to get from public->private and vice versa.

No need for a vrf - assuming that all other IPs in use on the "production" part of the network are real IPs; as JunOS simply won't route from, say, xe-0/0/0.0 to fxp0; but management will be allowed.

Breaks if you tend to use private space on your Production 10G interfaces, tho =)


- Chris.




On 2010-07-07, at 1:16 PM, Jim Devane wrote:

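The pattern above relies on two things holding at once: the RFC1918 statics point at the fxp0 next-hop and carry no-readvertise, and no revenue interface uses private space. The following is an added audit script (not from the thread or from Juniper) that checks both against a config exported with `show configuration | display set`; the configs embedded in it are constructed samples, not real router configs.

```python
"""Audit a Junos config (as exported by 'show configuration | display set')
for the fxp0 static-route management pattern discussed in this thread.

Added example, not from the list thread or from Juniper. Assumes the
'display set' export format; SAMPLE_CONFIG and DEFAULT_ROUTE_CONFIG below are
constructed inputs, not real router configs."""
import ipaddress
import re

# 'set interfaces xe-0/0/0 unit 0 family inet address 203.0.113.1/30'
IFACE_RE = re.compile(
    r"^set interfaces (\S+) unit (\d+) family inet address (\S+)$")
# 'set routing-options static route 10.0.0.0/8 next-hop 10.2.1.1'
# 'set routing-options static route 10.0.0.0/8 no-readvertise'
ROUTE_RE = re.compile(
    r"^set routing-options static route (\S+) (?:next-hop (\S+)|(no-readvertise))$")


def parse_config(text):
    """Collect inet.0 interface subnets and static routes from display-set lines."""
    ifaces = {}   # "fxp0.0" -> [IPv4Network, ...]
    routes = {}   # IPv4Network -> {"next_hops": [IPv4Address], "no_readvertise": bool}
    for raw in text.splitlines():
        line = raw.strip()
        m = IFACE_RE.match(line)
        if m:
            name = f"{m.group(1)}.{m.group(2)}"
            net = ipaddress.ip_interface(m.group(3)).network
            ifaces.setdefault(name, []).append(net)
            continue
        m = ROUTE_RE.match(line)
        if m:
            prefix = ipaddress.ip_network(m.group(1))
            entry = routes.setdefault(prefix, {"next_hops": [], "no_readvertise": False})
            if m.group(2):
                entry["next_hops"].append(ipaddress.ip_address(m.group(2)))
            if m.group(3):
                entry["no_readvertise"] = True
    return ifaces, routes


def audit(text):
    """Return a list of human-readable findings (empty list = pattern looks clean)."""
    ifaces, routes = parse_config(text)
    mgmt_nets = [n for name, nets in ifaces.items()
                 if name.startswith("fxp0.") for n in nets]
    prod_nets = [(name, n) for name, nets in ifaces.items()
                 if not name.startswith("fxp0.") for n in nets]
    if not mgmt_nets:
        return ["no fxp0 inet address configured"]
    findings = []
    for prefix in sorted(routes, key=str):
        entry = routes[prefix]
        # A static "belongs" to management when its next-hop sits on the fxp0 subnet.
        if not any(nh in net for nh in entry["next_hops"] for net in mgmt_nets):
            continue
        if prefix.prefixlen == 0:
            findings.append(
                "0.0.0.0/0: default route via the fxp0 next-hop; every RE-originated "
                "packet without a more specific route in inet.0 leaves through fxp0")
        if not entry["no_readvertise"]:
            findings.append(
                f"{prefix}: management static lacks no-readvertise, so an export "
                "policy could redistribute it into the production protocols")
        for name, net in prod_nets:
            if prefix.overlaps(net):
                findings.append(
                    f"{prefix}: overlaps production interface {name} ({net}); "
                    "private space on revenue ports breaks the fxp0/transit split")
    return findings


# Constructed sample: the thread's three RFC1918 statics, one of them missing
# no-readvertise, plus a revenue port that (wrongly) uses 192.168.x space.
SAMPLE_CONFIG = """\
set interfaces fxp0 unit 0 family inet address 10.2.1.100/24
set interfaces xe-0/0/0 unit 0 family inet address 203.0.113.1/30
set interfaces xe-0/1/0 unit 0 family inet address 192.168.77.1/30
set routing-options static route 10.0.0.0/8 next-hop 10.2.1.1
set routing-options static route 10.0.0.0/8 no-readvertise
set routing-options static route 172.16.0.0/12 next-hop 10.2.1.1
set routing-options static route 172.16.0.0/12 no-readvertise
set routing-options static route 192.168.0.0/16 next-hop 10.2.1.1
set routing-options static route 203.0.113.0/24 next-hop 203.0.113.2
"""

# Constructed sample of the original poster's first attempt: a default route
# in the master instance pointing out fxp0.
DEFAULT_ROUTE_CONFIG = """\
set interfaces fxp0 unit 0 family inet address 10.2.1.100/24
set interfaces xe-0/0/0 unit 0 family inet address 203.0.113.1/30
set routing-options static route 0.0.0.0/0 next-hop 10.2.1.1
set routing-options static route 0.0.0.0/0 no-readvertise
"""

if __name__ == "__main__":
    for label, cfg in (("RFC1918 statics", SAMPLE_CONFIG),
                       ("default route", DEFAULT_ROUTE_CONFIG)):
        print(f"== {label} ==")
        for finding in audit(cfg) or ["no findings"]:
            print(" -", finding)
```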
Re: Managing MX480 fxp0 [ In reply to ]
What we did as we have different IP ranges that access via the Fxp0 was
to NAT on the next-hop router connected to the FXP port. So that all
traffic appears to the fxp as if it was directly connected to it.



Best Regards

William Jackson
Technical Department
Sapphire Networks


-----Original Message-----
From: juniper-nsp-bounces@puck.nether.net
[mailto:juniper-nsp-bounces@puck.nether.net] On Behalf Of Chris Kawchuk
Sent: 08 July 2010 02:33
To: Jim Devane
Cc: juniper-nsp
Subject: Re: [j-nsp] Managing MX480 fxp0

Re: Managing MX480 fxp0 [ In reply to ]
Putting fxpX or meX interfaces into a VRF is not a good idea. I understand that you want to have a management VPN, that idea is fine, but the host routing from the routing engine should not have to rely on other features/line cards of the box that may need to be serviced.

I tend to use loopback addresses inside l3vpns that I can reach via my OSS networks, and this works perfectly for basic NMS-type of operations.

Even still, a routing-engine that suffers in booting a line card that provides MPLS uplinks would be out of commission if the VRF routing was not working.

Cheers,
Truman

On 8/07/2010, at 6:22 AM, Chris Evans wrote:

Re: Managing MX480 fxp0 [ In reply to ]
You cannot put fxp0 into a VRF but could put it into a logical system. And a
logical system also has a separate routing table other than inet.0.



On Thu, Jul 8, 2010 at 3:16 AM, Jim Devane <jdevane@switchnap.com> wrote:

--
BR!



James Chen
Re: Managing MX480 fxp0 [ In reply to ]
You could also put your production traffic into a VRF (not a logical
system). Not sure if MS-DPC will work for VRFs (routing-instances).

On Thu, Jul 08, 2010 at 03:54:15PM +0800, Chen Jiang wrote:
> You cannot put fxp0 into VRF but could put it into a logical system. And
> logical system also have a seperate routing table other than inet.0.
Re: Managing MX480 fxp0 [ In reply to ]
It's not about using the line cards. It's about keeping the fxp0
routes separate and isolated from the production routes. If you
happen to have overlapping address ranges between your production and
management subnets, you will have a problem that fxp0 routes will
interfere with production traffic and vice versa unless you can put
one or the other into a VRF.

On Thu, Jul 08, 2010 at 05:33:18PM +1000, Truman Boyes wrote:
> Putting fxpX or meX interfaces into a VRF is not a good idea. I
> understand that you want to have a management VPN, that idea is
> fine, but the host routing from the routing engine should not have
> to rely on other features/line cards of the box that may need to be
> serviced.
Re: Managing MX480 fxp0 [ In reply to ]
I do this in my network. It works well.

David


On 7 July 2010 18:33, Chris Kawchuk <juniperdude@gmail.com> wrote:
Re: Managing MX480 fxp0 [ In reply to ]
Putting fxp0 in a LS works from a routing perspective but it breaks NSR & GRES -
at least it does in 10.0R2. I have a JTAC case pending.

Serge



----- Original Message ----
From: Chen Jiang <ilovebgp4@gmail.com>
To: Jim Devane <jdevane@switchnap.com>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Sent: Thu, July 8, 2010 4:54:15 AM
Subject: Re: [j-nsp] Managing MX480 fxp0

Re: Managing MX480 fxp0 [ In reply to ]
We put a router in place to do NAT for the local subnet of the fxp.

Alternatively, you can just put static routes in for specific management subnets
pointing out the fxp port...




________________________________
From: Serge Vautour <sergevautour@yahoo.ca>
To: Chen Jiang <ilovebgp4@gmail.com>; Jim Devane <jdevane@switchnap.com>
Cc: "juniper-nsp@puck.nether.net" <juniper-nsp@puck.nether.net>
Sent: Thu, July 8, 2010 10:26:24 AM
Subject: Re: [j-nsp] Managing MX480 fxp0

Re: Managing MX480 fxp0 [ In reply to ]
Thanks again (Chris) for solving my vpls/irb/tagging combination problem
yesterday. We can bridge successfully now.

Taking this one step further, we now are trying to route via fxp0 and
*through* it to the irb.100 interface and are unable to.

Is it possible to route traffic *through* an fxp0 interface? (MX204)

I'm asking since it seems that someone mentioned that it is in fact possible
with some sort of static routes, but I'm unsure what they meant exactly.

If it's definitely not possible to transit an fxp0 interface, I just need to
know that, and I will seek solutions using a revenue interface instead.

Resurrecting an old thread(s)..

https://www.mail-archive.com/juniper-nsp@puck.nether.net/msg09809.html

https://puck.nether.net/pipermail/juniper-nsp/2010-August/017545.html

subnet A---------fxp0/mx204/irb.100------------subnet B

<-------------------is bi-dir comms possible?-------------->

-Aaron

Re: Managing MX480 fxp0 [ In reply to ]
Hi Aaron.

This is definitely not possible. You can't jump from the data plane out of
the fxp port. This is why things like jflow are only possible in-band.

Regards
Dave

On Fri, 22 Nov 2019 at 17:01, Aaron Gould <aaron1@gvtc.com> wrote:

> Thanks again (Chris) for solving my vpls/irb/tagging combination problem
> yesterday. we can bridge successfully now.
>
>
>
> Taking this one step further, we now are trying to route via fxp0 and
> *through* it to the irb.100 interface and are unable to.
>
>
>
> Is it possible to route traffic *through* an fxp0 interface ? (MX204)
>
>
>
> I'm asking since it seems that someone mentioned that it is in fact
> possible
> with some sort of static routes. but I'm unsure what they meant exactly.
>
>
>
> If it's definitely not possible to transit an fxp0 interface, I just need
> to
> know that, and I will seek solutions using a revenue interface instead.
>
>
>
> Resurrecting an old thread(s)..
>
> https://www.mail-archive.com/juniper-nsp@puck.nether.net/msg09809.html
>
> https://puck.nether.net/pipermail/juniper-nsp/2010-August/017545.html
>
>
>
> subnet A---------fxp0/mx204/irb.100------------subnet B
>
>
>
> <-------------------is bi-dir comms possible?-------------->
>
>
>
>
>
> -Aaron
>
> _______________________________________________
> juniper-nsp mailing list juniper-nsp@puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp
Re: Managing MX480 fxp0 [ In reply to ]
Thanks



-Aaron

Re: Managing MX480 fxp0 [ In reply to ]
Hi,

On 22.11.2019 19:48, Dave Bell wrote:
> This is definitely not possible. You can’t jump from the data plane out of
> the fxp port. This is why things like jflow are only possible inband

The official statement is that it is neither possible nor supported. It was even highly marketed as separation in the earlier days.
But I have seen a couple of occurrences (including a network-crippling loop and therefore amplification of traffic, e.g. back in the M5i days) where some traffic leaked from fxp0 to the data plane and/or vice versa.

Even if it did work you would not want it, as the CP/DP link is pretty "slow" and already tasked with lots of other things which it struggles with at times ;)

--
regards
Tobias Heister
Re: Managing MX480 fxp0 [ In reply to ]
This used to be possible by setting the "net.pfe.transit_re" (or similar) value using sysctl, but I'm not sure if it still works on newer Junos versions:

https://www.kumari.net/index.php/networking/tips-and-tricks/14-

I would not do this on a production router, though. If you need to reach your fxp0 from locations outside of your OOB subnet, I think the practice is to either use source NAT on a device that has connectivity to your OOB or you should put fxp0 into a routing-instance using 'management-instance' on Junos 17.x and above (I believe). One caveat to doing the latter is that if you use TACACS (and possibly RADIUS) for authentication and your source address is the router loopback IP in inet.0, your 'mgmt_junos' instance needs to have static routes for the TACACS servers installed:

routing-options {
    static {
        route 0.0.0.0/0 next-hop 172.16.14.1; # Default route for fxp0 network
        route 192.0.2.55/32 next-table inet.0; # Public lo0.0 IP
        route 10.55.234.90/32 next-table inet.0; # TACACS server
    }
}

In my environment, this was necessary, but YMMV.

-evt

On 11/22/19, 12:02 PM, "juniper-nsp on behalf of Aaron Gould" <juniper-nsp-bounces@puck.nether.net on behalf of aaron1@gvtc.com> wrote:

Thanks again (Chris) for solving my vpls/irb/tagging combination problem
yesterday. we can bridge successfully now.



Taking this one step further, we now are trying to route via fxp0 and
*through* it to the irb.100 interface and are unable to.



Is it possible to route traffic *through* an fxp0 interface ? (MX204)



I'm asking since it seems that someone mentioned that it is in fact possible
with some sort of static routes. but I'm unsure what they meant exactly.



If it's definitely not possible to transit an fxp0 interface, I just need to
know that, and I will seek solutions using a revenue interface instead.



Resurrecting an old thread(s)..

https://www.mail-archive.com/juniper-nsp@puck.nether.net/msg09809.html

https://puck.nether.net/pipermail/juniper-nsp/2010-August/017545.html



subnet A---------fxp0/mx204/irb.100------------subnet B



<-------------------is bi-dir comms possible?-------------->





-Aaron

_______________________________________________
juniper-nsp mailing list juniper-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/juniper-nsp


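To show where the static routes evt describes sit in the configuration hierarchy, here is an added example (not evt's configuration, and not Juniper's documentation) of the management-instance approach. 'management-instance' and the reserved 'mgmt_junos' instance name are Junos features; the fxp0 address, the lo0 source address, the TACACS server and the secret are constructed sample values reusing evt's ranges.

```junos
## Added example, not from the original post: fxp0 in the dedicated
## management instance, plus the leaked routes evt describes.
## All addresses are constructed sample values; the secret is a placeholder.
system {
    management-instance;                  # moves fxp0 into mgmt_junos (Junos 17.x+)
    tacplus-server {
        10.55.234.90 {                    # TACACS server, sample address
            secret "PLACEHOLDER-SECRET";  # placeholder, replace before use
            source-address 192.0.2.55;    # lo0.0 IP, which lives in inet.0
        }
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                address 172.16.14.10/24;  # OOB management address, sample
            }
        }
    }
}
routing-instances {
    mgmt_junos {                          # reserved name, no instance-type needed
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 172.16.14.1;      # default route for the OOB subnet
                route 192.0.2.55/32 next-table inet.0;     # lo0.0 IP is reachable only via inet.0
                route 10.55.234.90/32 next-table inet.0;   # TACACS server reached via inet.0
            }
        }
    }
}
```

After commit, 'show route table mgmt_junos.inet.0' should list the default route and the two next-table routes; if TACACS logins start failing after the move, a missing entry here is the first thing to check.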
Re: Managing MX480 fxp0 [ In reply to ]
Thanks, but I just moved the fxp0 ip address to a revenue interface to get the pfe forwarding I needed.

-Aaron

Re: Managing MX480 fxp0 [ In reply to ]

On Mon, 25 Nov 2019 at 21:41, Aaron Gould <aaron1@gvtc.com> wrote:

> Thanks, but I just moved the fxp0 ip address to a revenue interface to get the pfe forwarding I needed.

+1. I think 'management' ethernet is a misnomer and a massive risk. It's
an interface with direct access to the control-plane, so if your MGMT LAN
has an L2 loop or such, you could break your entire network and there is
really nothing you can configure to protect yourself at the device.

I would personally not wire or use fxp0 unless I'm out of options.
Some other vendors today have a real out-of-band ethernet for MGMT,
meaning its own CPU, own memory, own OS not fate-sharing the
control-plane, which is the correct solution for OOB, but not
something we as a community are actively asking vendors to deliver.

Kudos to Cisco for insisting on putting this on newer platforms too, even
when we, the customers, have not woken up to its utility.

--
++ytti
Re: Managing MX480 fxp0 [ In reply to ]
Hi,

> I would personally not wire or use fxp0 unless I'm out of options.
> Some other vendors today have real out-of-band ethernet for MGMT,
> meaning own CPU, own memory, own OS not fate-sharing the
> control-plane, which is the correct solution for OOB, but not
> something we as a community are actively asking vendors to deliver.

We built an OOB network exactly like that. Cheap L3 switches talking OSPF to each other over their own 1G DWDM channels, completely independent of the production network. A separate OOB network used to be crazy expensive, but with cheap DWDM gear suddenly all you need is a free DWDM channel and some cheap second hand L3 switches. And that's what we connect our fxp0 ports to.

Cheers,
Sander
Re: Managing MX480 fxp0 [ In reply to ]
Hi,

How wrong we were doing that with our MX960, QFX5100, and a few
MX104 =D.

One of our OOBs is a bunch of EX2300 switches using STP, on a
different set of dark fiber linking a few Metro data centers together...
but as usual with JNP... one went nuts and started spewing packets from
the other link while shifting left a few bytes. When those packets hit
our fxp0s, dos protect did <beep> all and killed their CPU, dropping
everything BGP and MPLS (thx JNP) on most routers connected to the OOB
network.

Now, at each site, we have a mini computer (Lenovo/Zotac/etc) with
SSD, Sealink serial ports, consumer xDSL/Coax, MFA encrypted VPN. We
enable fxp0 *if* needed...


Other things to think about:

1. We're even looking at swapping to Cisco L2 switches instead of
JNPs, since this type of event never happened, in our collective
experience, with that brand.

2. Using OSPF3 (or IS-IS to limit OSPF injection) would have limited
the fxp0 DoS to the local OOB switch... which is still too risky for
our taste.

3. You could use Serial->Ethernet devices instead of the Sealink,
but if the OOB switch goes down again, you cannot access the serials.


PS: In our case it is our fiber bundles and we didn't need to
invest in DWDM... but it's the same idea. For years an associate of
mine implemented a very large deployment of OOB over DWDM and Cisco L2
switches with 0 downtime.

Have fun and good luck.

-----
Alain Hebert ahebert@pubnix.net
PubNIX Inc.
50 boul. St-Charles
P.O. Box 26770 Beaconsfield, Quebec H9W 6G7
Tel: 514-990-5911 http://www.pubnix.net Fax: 514-990-9443

On 2019-11-26 06:09, Sander Steffann wrote:
> Hi,
>
>> I would personally not wire or use fxp0 unless I'm out of options.
>> Some other vendors today have real out-of-band ethernet for MGMT,
>> meaning own CPU, own memory, own OS not fate-sharing the
>> control-plane, which is the correct solution for OOB, but not
>> something we as a community are actively asking vendors to deliver.
> We built an OOB network exactly like that. Cheap L3 switches talking OSPF to each other over their own 1G DWDM channels, completely independent of the production network. A separate OOB network used to be crazy expensive, but with cheap DWDM gear suddenly all you need is a free DWDM channel and some cheap second hand L3 switches. And that's what we connect our fxp0 ports to.
>
> Cheers,
> Sander
>
>
