Management Interface in a Dedicated Instance
SUMMARY Use a dedicated management instance to separate management traffic from the rest of your network.
Why Use a Non-Default VRF Instance?
By default, the management Ethernet interface (usually named fxp0 or em0 for Junos OS, or re0:mgmt-* or re1:mgmt-* for Junos OS Evolved) provides the out-of-band management network for the device. Out-of-band management traffic is not clearly separated from in-band protocol control traffic. Instead, all traffic passes through the default routing instance and shares the default inet.0 routing table. This system of traffic handling gives rise to concerns over security, performance, and troubleshooting. You (the network administrator) can solve these problems by confining the management interface to a dedicated, non-default virtual routing and forwarding (VRF) instance.
Benefits of a Dedicated Management Instance
-
Improved security
-
Management traffic no longer has to share a routing table with other control traffic or protocol traffic
-
Easier to use the management interface to troubleshoot
-
For Junos OS, the non-default management VRF instance supports only the em0 and fxp0 interfaces. The non-default management VRF instance doesn't support other management interfaces such as em1.
-
The non-default management VRF instance supports the virtual management Ethernet (VME) interface on EX Series devices. The VME interface is used to manage Virtual Chassis. For more information, see Understanding Global Management of a Virtual Chassis
Management Instance Overview
The name of the dedicated management VRF instance is
reserved and hardcoded as
mgmt_junos
; you cannot configure
any other routing instance by the name
mgmt_junos
. Because some
applications assume that the management interface
is always present in the default inet.0 routing
table, the dedicated management VRF instance is
not instantiated by default. You need to configure
it for it to take effect.
Once you deploy the mgmt_junos
VRF
instance, management traffic no longer shares a
routing table (that is, the default routing table)
with other control traffic or protocol traffic in
the system. Traffic in the
mgmt_junos
VRF instance uses
private IPv4 and IPv6 routing tables. After you
configure mgmt_junos
, you cannot
configure dynamic protocols on the management
interface.
Configure the Management Instance
You must add any static routes that have a next hop over the
management interface to the mgmt_junos
VRF
instance. If needed, you must also configure the appropriate
processes or applications to use
mgmt_junos
. All of these changes must be
done in a single commit. Otherwise, the existing sessions
might be lost and need to be renegotiated.
Before You Begin: Determine Static Routes
Some static routes have a next hop through the
management interface. As part of configuring the
mgmt_junos
VRF instance, you must
add all these static routes to
mgmt_junos
so they can reach the
management interface. Each setup is different.
First, you need to identify the static routes that
have a next hop through the management interface.
Use the
show interfaces interface-name terse
command to find the IP address of the default management interface. The default management interface is fxp0 or em0 for Junos OS, or re0:mgmt-0 or re1:mgmt-0 for Junos OS Evolved.user@host> show interfaces fxp0 terse Interface Admin Link Proto Local Remote fxp0 up up fxp0.0 up up inet 10.102.183.152/20
Use the
show route forwarding-table
command to look at the forwarding table for next-hop information for static routes. Static routes show up as typeuser
. The next hop for any static route that is affected has an IP address that falls under the subnet of the IP address configured for the management interface.user@host> show route forwarding-table Routing table: default.inet Internet: Enabled protocols: Bridging, Destination Type RtRef Next hop Type Index NhRef Netif default perm 0 rjct 36 1 0.0.0.0/32 perm 0 dscd 34 1 10.0.0.0/8 user 0 0:0:5e:0:1:d0 ucst 341 6 fxp0.0 10.0.1.0/24 intf 0 rslv 584 1 ge-0/0/0.0 10.0.1.0/32 dest 0 10.0.1.0 recv 582 1 ge-0/0/0.0 10.0.1.1/32 intf 0 10.0.1.1 locl 583 2 10.0.1.1/32 dest 0 10.0.1.1 locl 583 2 10.0.1.255/32 dest 0 10.0.1.255 bcst 581 1 ge-0/0/0.0 10.102.176.0/20 intf 0 rslv 340 1 fxp0.0 10.102.176.0/32 dest 0 10.102.176.0 recv 338 1 fxp0.0 10.102.176.3/32 dest 1 0:50:56:9f:1b:2e ucst 350 2 fxp0.0 10.102.183.152/32 intf 0 10.102.183.152 locl 339 2 10.102.183.152/32 dest 0 10.102.183.152 locl 339 2 10.102.191.253/32 dest 0 10:e:7e:b1:b0:80 ucst 348 1 fxp0.0 10.102.191.254/32 dest 0 0:0:5e:0:1:d0 ucst 341 6 fxp0.0 10.102.191.255/32 dest 0 10.102.191.255 bcst 337 1 fxp0.0 172.16.0.0/12 user 0 10.102.191.254 ucst 341 6 fxp0.0 192.168.0.0/16 user 0 10.102.191.254 ucst 341 6 fxp0.0 224.0.0.0/4 perm 0 mdsc 35 1 224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1 255.255.255.255/32 perm 0 bcst 32 1
Another way to find the static routes associated with your management network is to use the
show route protocol static next-hop <management-network-gateway-address>
command. Alternatively, simply display the static route portion of the device's configuration. Use the CLIuser@host> show route protocol static next-hop 10.102.191.254 inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.0.0/8 *[Static/5] 2d 21:48:36 > to 10.102.191.254 via fxp0.0 172.16.0.0/12 *[Static/5] 2d 21:48:36 > to 10.102.191.254 via fxp0.0 192.168.0.0/16 *[Static/5] 2d 21:48:36 > to 10.102.191.254 via fxp0.0
match
function to quickly locate all static routes that point to the management network's default gateway.user@host> show configuration routing-options static | match 10.102.191.254 route 10.0.0.0/8 next-hop 10.102.191.254; route 172.16.0.0/12 next-hop 10.102.191.254; route 192.168.0.0/16 next-hop 10.102.191.254;
Enable the Management Instance
We recommend using the device console port for these operations.
Changing the management instance changes the underlying VRF instance for the management port. If you use SSH, Telnet, or NETCONF, the connection to the device will be dropped when you commit the configuration, and you will have to reestablish it.
If you do use SSH, Telnet, or NETCONF, use
commit confirm
.
To enable the dedicated management VRF instance:
Configure Processes to Use the Management Instance
Many
processes communicate through the management interface. A
process must support a management VRF instance to be able to
use mgmt_junos
. Not all of these processes
use mgmt_junos
by default unless the
management-instance is enabled. You must
configure these processes to use
mgmt_junos
.
The following processes require this additional configuration:
Process |
First Release to Support Management VRF |
For More Information |
---|---|---|
Automation scripts |
Junos OS Release 18.1R1 |
|
BGP Monitoring Protocol (BMP) |
Junos OS Release 18.3R1 |
Configuring BGP Monitoring Protocol to Run Over a Different Routing Instance |
NTP |
Junos OS Release 18.1R1 |
|
Outbound SSH |
Junos OS Release 19.3R1 |
Configure Outbound SSH Service |
RADIUS |
Junos OS Release 18.1R1 |
|
REST API |
Junos OS Release 20.3R1 |
|
System Logging ( |
Junos OS Release 18.1R1 (by default) Junos OS Release 24.2R1 (when configured) |
|
TACACS+ |
Junos OS Release 17.4R1 |
|
Junos OS Release 18.2R1 |
Configuring these processes to use the mgmt_junos
VRF instance is optional. If you skip this step, these
processes continue to send packets using the default routing
instance only.
How to Disable the Management Instance
When you disable the mgmt_junos
VRF
instance, you must also remove the other
configuration changes you made.
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.
management-instance
statement is
configured. You must configure the
mgmt_junos
VRF instance for
system logging to enable it.management-instance
statement is
configured. mgmt_junos
VRF
instance.management-instance
statement is
configured.