
Management Interface in a Non-Default Instance

Why Use a Non-Default Management Interface?

By default, in Junos OS, the management Ethernet interface (usually named fxp0 or em0) provides the out-of-band management network for the device. At the routing-instance or routing-table level there is no clear separation between out-of-band management traffic and in-band protocol control traffic or user traffic. Instead, all traffic is handled through the default routing instance, giving rise to concerns over security, performance, and troubleshooting.

Starting with Junos OS Release 17.3R1, you can confine the em0 and fxp0 management interfaces in a non-default virtual routing and forwarding (VRF) instance, the mgmt_junos routing instance. After you configure this management routing instance, management traffic no longer has to share a routing table (that is, the default inet.0 table) with other control or protocol traffic in the system. This improves security and makes it easier to use the management interface to troubleshoot.

Note

Only the em0 and fxp0 interfaces are supported in the non-default management VRF. Other management interfaces such as em1 are not supported in the non-default management VRF.

Applications and Processes That Are VRF Aware

Many processes communicate through the management interface. For the non-default management instance to support these processes, they must be VRF aware, and for many of them you must also configure the name of the new management routing instance (mgmt_junos) explicitly. These processes have been enhanced to use the management routing instance when it is configured.

Table 1 lists the processes that require this additional configuration and where to find more information about each.

Table 1: Junos Processes You Can Configure to Use the Management VRF

Process                        | First Release to Support Management VRF | For More Information
-------------------------------|-----------------------------------------|---------------------------------------------------------------------------
Automation scripts             | Junos OS Release 18.1R1                 | Using an Alternate Source Location for a Script;
                               |                                         | Configuring and Using a Master Source Location for a Script
BGP Monitoring Protocol (BMP)  | Junos OS Release 18.3R1                 | Configuring BGP Monitoring Protocol to Run Over a Different Routing Instance
NTP                            | Junos OS Release 18.1R1                 | ntp
RADIUS                         | Junos OS Release 18.1R1                 | Configuring RADIUS Server Authentication;
                               |                                         | Configuring RADIUS System Accounting
REST API                       | Junos OS Release 20.3R1                 | rest
syslog                         | Junos OS Release 18.1R1                 | syslog (System)
                               | Junos OS Release 18.4R1                 | routing-instance (Syslog)
TACACS+                        | Junos OS Release 17.4R1                 | Configuring TACACS+ Authentication
                               | Junos OS Release 18.2R1                 | Configuring TACACS+ System Accounting

Configuring the mgmt_junos Routing Instance

You can confine the management interface in a dedicated management instance by configuring the management-instance configuration statement at the [edit system] hierarchy level. The name of the dedicated management instance is reserved and hardcoded as mgmt_junos; you cannot configure any other routing instance with the name mgmt_junos. Once the mgmt_junos routing instance is deployed, management traffic no longer shares a routing table (that is, the default inet.0 table) with other control or protocol traffic in the system, and configuring dynamic protocols on the management interface is not supported.

Because there are FreeBSD and Junos OS applications that assume that the management interface is always present in the default inet.0 routing table, the mgmt_junos routing instance is not instantiated by default.

As part of configuring the mgmt_junos routing instance, you must also move static routes that have a next hop over the default management interface to the mgmt_junos routing instance. If needed, you must also configure the appropriate daemons or applications to use the mgmt_junos routing instance. All of these changes must be done in a single commit. Otherwise, the transition to mgmt_junos will not be smooth and you will have to repair the system later by logging in from the console.

After you commit the configuration, expect to lose, and then have to reestablish, the Telnet session.

For an example of using this feature, see the following sections.

Determining Static Routes

As part of configuring the mgmt_junos routing instance, you must move all the static routes that have a next hop through the default management interface from the default routing instance to mgmt_junos. Each setup is different. In these examples, you need to identify the static routes that have a next hop through the fxp0 interface. The next hop for any static route that is affected will have an IP address that falls under the subnet of the IP address configured for fxp0.

You can use the following commands to determine static routes that need to be changed.

  • Use the show interfaces command to find the IP address of the default management interface:

    In this case the default management interface is fxp0, but it could be em0 or re0:mgmt-*.

  • Use the show route forwarding-table command to look at the forwarding table for next-hop information for static routes (static routes show up as type user):

  • Another way to find your static routes is to use the show route protocol static command.

Enabling the mgmt_junos Routing Instance

Note

We recommend using the device console port for these operations, because at the point where you commit the configuration, if you are using SSH or Telnet, the connection to the device will be dropped and you will have to reestablish it. If you use SSH or Telnet anyway, use commit confirmed.

To enable the mgmt_junos routing instance:

  1. Configure the mgmt_junos routing instance at the [edit routing-instances] hierarchy level:
  2. Configure the management-instance statement.
  3. Move the appropriate static routes to the mgmt_junos routing instance.

    For how to determine static routes to change, see Determining Static Routes.

    If you are using configuration groups, you might want to set these changes as part of a group:

  4. Commit the configuration.
  5. At this point you have configured the management-instance statement. Routing tables for mgmt_junos are set up for inet and inet6 and marked as private tables. The management interface is moved to the mgmt_junos routing table. Static routes with a next hop through the management interface are removed from the default routing table and added to the mgmt_junos routing instance.

    However, if you have not configured the management routing-instance option in the tacplus server statement, the TACACS+ packets continue to be sent using the default routing instance only.
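The two procedures above (identifying the static routes whose next hop falls in the management subnet, and then moving them, the management-instance statement and the TACACS+ routing-instance option into one commit) can be scripted. The following is an added example, not code from the Junos documentation or from Juniper: it takes the text of "show interfaces fxp0 terse" and "show route protocol static" (here embedded as constructed sample output, not captured from a real device), flags the static routes whose next hop lies within the fxp0 subnet, and emits the set/delete statements for the single mgmt_junos commit. The management subnet, route prefixes and the TACACS+ server address are all constructed values; the function names are this example's own.

```python
import ipaddress
import re

# --- Constructed sample command output (not captured from a real device) ---

# Shape of "show interfaces fxp0 terse": the inet address is on the logical-unit line.
SAMPLE_FXP0_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up
fxp0.0                  up    up   inet     192.0.2.10/24
"""

# Shape of "show route protocol static": a prefix line, then its next-hop line(s).
SAMPLE_STATIC_ROUTES = """\
inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

0.0.0.0/0          *[Static/5] 02:11:40
                    >  to 192.0.2.1 via fxp0.0
10.10.0.0/16       *[Static/5] 02:11:40
                    >  to 192.0.2.1 via fxp0.0
172.16.0.0/12      *[Static/5] 02:11:40
                    >  to 198.51.100.1 via ge-0/0/0.0
"""

# Constructed TACACS+ server address reachable over the management interface.
SAMPLE_TACPLUS_SERVERS = ("192.0.2.50",)

_PREFIX_RE = re.compile(r"^(\S+/\d+)\s+\*?\[Static/\d+\]")
_NEXTHOP_RE = re.compile(r"^\s*>?\s*to\s+(\S+)\s+via\s+(\S+)")


def management_subnet(terse_output, ifname="fxp0"):
    """Return the IPv4 subnet configured on the management interface's inet unit."""
    pattern = re.compile(
        rf"^{re.escape(ifname)}\.\d+\s+\S+\s+\S+\s+inet\s+(\S+/\d+)", re.M)
    match = pattern.search(terse_output)
    if match is None:
        raise ValueError(f"no inet address found for {ifname}")
    return ipaddress.ip_interface(match.group(1)).network


def parse_static_routes(route_output):
    """Return [(prefix, next_hop, via_interface)] from 'show route protocol static' text."""
    routes = []
    prefix = None
    for line in route_output.splitlines():
        m = _PREFIX_RE.match(line)
        if m:
            prefix = m.group(1)   # remember the prefix; its next hops follow on later lines
            continue
        m = _NEXTHOP_RE.match(line)
        if m and prefix is not None:
            routes.append((prefix, m.group(1), m.group(2)))
    return routes


def affected_routes(routes, mgmt_net):
    """Static routes whose next hop lies inside the management subnet must move to mgmt_junos."""
    return [r for r in routes if ipaddress.ip_address(r[1]) in mgmt_net]


def build_mgmt_junos_config(affected, tacplus_servers=()):
    """Generate every statement for the single commit that enables mgmt_junos.

    Each affected prefix is deleted from the default instance as a whole; a route that
    also has next hops outside the management subnet needs manual review first.
    """
    lines = [
        "set routing-instances mgmt_junos description mgmt_junos",
        "set system management-instance",
    ]
    for prefix, next_hop, _via in affected:
        lines.append(f"delete routing-options static route {prefix}")
        lines.append("set routing-instances mgmt_junos routing-options "
                     f"static route {prefix} next-hop {next_hop}")
    for server in tacplus_servers:
        # Without this option TACACS+ packets keep using the default instance.
        lines.append(f"set system tacplus-server {server} routing-instance mgmt_junos")
    return lines


def plan_from_samples():
    """Run the whole workflow over the constructed sample output."""
    net = management_subnet(SAMPLE_FXP0_TERSE)
    routes = affected_routes(parse_static_routes(SAMPLE_STATIC_ROUTES), net)
    return build_mgmt_junos_config(routes, SAMPLE_TACPLUS_SERVERS)


if __name__ == "__main__":
    print("\n".join(plan_from_samples()))
```

Load the generated statements in one configuration session and follow them with commit confirmed, so that a route that was missed (and the resulting loss of management reachability) rolls back automatically instead of requiring console access. Routes with a next hop on any other interface, such as the 172.16.0.0/12 route via ge-0/0/0.0 in the sample, are left in the default instance untouched.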

Removing the mgmt_junos Routing Instance

When you remove the mgmt_junos routing instance, you must also move the static routes back to the default routing instance and delete the TACACS+ settings for mgmt_junos.

To remove the dedicated management interface:

  1. Delete or deactivate the management routing-instance statement.
  2. (Optional) Delete the TACACS+ settings for mgmt_junos.
  3. Move the static routes back to the default routing instance.
