Management Interface in a Non-Default Instance
Why Use a Non-Default VRF Instance?
By default, the management Ethernet interface (usually named fxp0 or em0 for Junos OS, or re0:mgmt-* or re1:mgmt-* for Junos OS Evolved) provides the out-of-band management network for the device. Out-of-band management traffic is not clearly separated from in-band protocol control traffic. Instead, all traffic passes through the default routing instance and shares the default inet.0 routing table. Because management and control traffic share one routing table, this arrangement raises security, performance, and troubleshooting concerns.
You (the network administrator) can confine the management interface to a non-default virtual routing and forwarding (VRF) instance. After you configure the non-default management VRF instance, management traffic no longer has to share a routing table with other control traffic or protocol traffic. This configuration improves security and makes it easier to use the management interface for troubleshooting.
Configure the mgmt_junos VRF Instance
The name of the dedicated management VRF instance is reserved and hardcoded as mgmt_junos; you cannot configure any other routing instance by the name mgmt_junos. Because some applications assume that the management interface is always present in the default inet.0 routing table, the dedicated management VRF instance is not instantiated by default.
You must add any static routes that have a next hop over the management interface to the mgmt_junos VRF instance. If needed, you must also configure the appropriate processes or applications to use mgmt_junos. All of these changes must be done in a single commit. Otherwise, the existing sessions might be lost and need to be renegotiated.
Once you deploy the mgmt_junos VRF instance, management traffic no longer shares a routing table (that is, the default routing table) with other control traffic or protocol traffic in the system. Traffic in the mgmt_junos VRF instance uses private IPv4 and IPv6 routing tables. After you configure mgmt_junos, you cannot configure dynamic protocols on the management interface.
Before You Begin: Determine Static Routes
Some static routes have a next hop through the management interface. As part of configuring the mgmt_junos VRF instance, you must add all these static routes to mgmt_junos so they can reach the management interface. Each setup is different. First, you need to identify the static routes that have a next hop through the management interface.
1. Use the show interfaces interface-name terse command to find the IP address of the default management interface. The default management interface is fxp0 or em0 for Junos OS, or re0:mgmt-0 or re1:mgmt-0 for Junos OS Evolved.
2. Use the show route forwarding-table command to look at the forwarding table for next-hop information for static routes. Static routes show up as type user. The next hop for any affected static route has an IP address that falls within the subnet of the IP address configured on the management interface.
Another way to find the static routes associated with your management network is to use the show route protocol static next-hop <management-network-gateway-address> command.
Alternatively, simply display the static route portion of the device's configuration and use the CLI match function to quickly locate all static routes that point to the management network's default gateway.
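The following CLI session is an added example, not output from the Juniper documentation or from a real device. It walks through the checks above on a Junos OS router whose management interface is fxp0. All addresses are constructed from the RFC 5737 documentation ranges, the forwarding-table index and reference columns are placeholders, and the goal is to show how to tell which static routes are affected (next hop inside the management subnet, egress fxp0.0) and which are not.

```junos
## Step 1: find the management interface address (constructed output)
user@host> show interfaces fxp0 terse
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up
fxp0.0                  up    up   inet     192.0.2.10/24

## Step 2: list only static (type "user") entries of the forwarding table.
## Entries whose next hop is inside 192.0.2.0/24 and whose Netif is fxp0.0
## must move to mgmt_junos; the 172.16.0.0/12 route via ge-0/0/0.0 must not.
user@host> show route forwarding-table | match user
default            user     0 192.0.2.1          ucst      NNN     N fxp0.0
10.0.0.0/8         user     0 192.0.2.1          ucst      NNN     N fxp0.0
172.16.0.0/12      user     0 198.51.100.1       ucst      NNN     N ge-0/0/0.0

## Cross-check directly against the management gateway (192.0.2.1 here)
user@host> show route protocol static next-hop 192.0.2.1

## Same answer from the configuration, using "| match" on the gateway address
user@host> show configuration routing-options static | match 192.0.2.1
route 0.0.0.0/0 next-hop 192.0.2.1;
route 10.0.0.0/8 next-hop 192.0.2.1;
```

The two routes returned by the last command (the default route and 10.0.0.0/8) are the ones that have to be recreated under mgmt_junos in the same commit that enables the management instance; the 172.16.0.0/12 route stays in the default instance because its next hop is reached over an in-band interface.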
Enable the mgmt_junos VRF Instance
We recommend using the device console port for these operations. If you use SSH or Telnet, the connection to the device will be dropped when you commit the configuration, and you will have to reestablish it. If you do use SSH or Telnet, use commit confirmed.
To enable the dedicated management VRF instance:
Configure Processes to Use mgmt_junos
Many processes communicate through the management interface. A process must support a management VRF instance to be able to use mgmt_junos. Not all of these processes use mgmt_junos by default, even when the management-instance statement is enabled. You must configure these processes to use mgmt_junos.
The following processes require this additional configuration:
Automation scripts
BGP Monitoring Protocol (BMP)
Network Time Protocol (NTP)
Outbound SSH
RADIUS
Representational State Transfer (REST) API
TACACS+
In Junos OS Evolved, system logging uses the mgmt_junos VRF instance by default as soon as you configure the management-instance statement. You do not need to configure the mgmt_junos VRF instance for system logging.
Configuring these processes to use the mgmt_junos VRF instance is optional. If you skip this step, these processes continue to send packets using the default routing instance only.
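The configuration session below is an added example, not a procedure copied from the Juniper documentation. It assumes the earlier static-route check found a default route and a 10.0.0.0/8 route with next hop 192.0.2.1 over fxp0, and that NTP, RADIUS, and TACACS+ servers (constructed addresses in the 192.0.2.0/24 range) are reached through the management network. Everything is staged in one candidate configuration and applied with a single commit confirmed, so that a lost management session rolls the change back automatically. Deleting the old static routes from the default instance is a choice made in this example: once fxp0 belongs to mgmt_junos, a next hop on its subnet can no longer be resolved from inet.0. The other processes in the list above are configured under their own hierarchies and are not shown.

```junos
## Enter configuration mode (ideally from the console, per the note above)
user@host> configure
Entering configuration mode

## 1. Remove the management-network static routes from the default instance
user@host# delete routing-options static route 0.0.0.0/0
user@host# delete routing-options static route 10.0.0.0/8

## 2. Enable the dedicated management instance; this moves fxp0 into mgmt_junos
user@host# set system management-instance

## 3. Recreate the same static routes inside mgmt_junos
user@host# set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
user@host# set routing-instances mgmt_junos routing-options static route 10.0.0.0/8 next-hop 192.0.2.1

## 4. Point processes that do not follow the management instance automatically at mgmt_junos
user@host# set system ntp server 192.0.2.50 routing-instance mgmt_junos
user@host# set system radius-server 192.0.2.60 routing-instance mgmt_junos
user@host# set system tacplus-server 192.0.2.61 routing-instance mgmt_junos

## 5. Apply everything in one commit; roll back automatically after 5 minutes
##    unless the commit is confirmed (an SSH session will drop here)
user@host# commit confirmed 5

## 6. After reconnecting: verify the routes now live in the mgmt_junos table,
##    then make the change permanent
user@host# run show route table mgmt_junos.inet.0
user@host# commit
```

If the management session cannot be reestablished within the confirmation window (for example because a static route was missed in step 3), the device reverts to the previous configuration on its own, which is the reason for preferring commit confirmed over a plain commit for this change.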
How to Disable the mgmt_junos VRF Instance
When you disable the mgmt_junos VRF instance, you must also remove the other configuration changes you made.