Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Management Interface in a Non-Default Instance

Why Use a Non-Default VRF Instance?

By default, the management Ethernet interface (usually named fxp0 or em0 for Junos OS, or re0:mgmt-* or re1:mgmt-* for Junos OS Evolved) provides the out-of-band management network for the device. Out-of-band management traffic is not clearly separated from in-band protocol control traffic. Instead, all traffic passes through the default routing instance and shares the default inet.0 routing table. This system of traffic handling gives rise to concerns over security, performance, and troubleshooting.

You (the network administrator) can confine the management interface to a non-default virtual routing and forwarding (VRF) instances. After you configure the non-default management VRF instance, management traffic no longer has to share a routing table with other control traffic or protocol traffic. This configuration improves security and makes it easier to use the management interface to troubleshoot.

Note:

For Junos OS, the non-default management VRF instance supports only the em0 and fxp0 interfaces. The non-default management VRF instance doesn't support other management interfaces such as em1.

Configure the mgmt_junos VRF Instance

The name of the dedicated management VRF instance is reserved and hardcoded as mgmt_junos; you cannot configure any other routing instance by the name mgmt_junos. Because some applications assume that the management interface is always present in the default inet.0 routing table, the dedicated management VRF instance is not instantiated by default.

You must add any static routes that have a next hop over the management interface to the mgmt_junos VRF instance. If needed, you must also configure the appropriate processes or applications to use mgmt_junos. All of these changes must be done in a single commit. Otherwise, the existing sessions might be lost and need to be renegotiated.

Once you deploy the mgmt_junos VRF instance, management traffic no longer shares a routing table (that is, the default routing table) with other control traffic or protocol traffic in the system. Traffic in the mgmt_junos VRF instance uses private IPv4 and IPv6 routing tables. After you configure mgmt_junos, you cannot configure dynamic protocols on the management interface.

Before You Begin: Determine Static Routes

Some static routes have a next hop through the management interface. As part of configuring the mgmt_junos VRF instance, you must add all these static routes to mgmt_junos so they can reach the management interface. Each setup is different. First, you need to identify the static routes that have a next hop through the management interface.

  1. Use the show interfaces interface-name terse command to find the IP address of the default management interface. The default management interface is fxp0 or em0 for Junos OS, or re0:mgmt-0 or re1:mgmt-0 for Junos OS Evolved.

  2. Use the show route forwarding-table command to look at the forwarding table for next-hop information for static routes. Static routes show up as type user. The next hop for any static route that is affected has an IP address that falls under the subnet of the IP address configured for the management interface.

  3. Another way to find your static routes is to use the show route protocol static command.

Enable the mgmt_junos VRF Instance

Note:

We recommend using the device console port for these operations. If you use SSH or Telnet, the connection to the device will be dropped when you commit the configuration, and you will have to reestablish it. If you do use SSH or Telnet, use commit confirm.

To enable the dedicated management VRF instance:

  1. Configure the mgmt_junos VRF instance.
  2. Configure the management-instance statement.
  3. Add the appropriate static routes to the mgmt_junos VRF instance.

    For how to determine static routes to change, see Before You Begin: Determine Static Routes.

    If you are using configuration groups, you can set these changes as part of a group:

  4. Commit the configuration.
    If you are using SSH or Telnet, use commit confirm. If you are using SSH or Telnet, expect to lose, and then have to reestablish, the SSH or Telnet session.

Configure Processes to Use mgmt_junos

Many processes communicate through the management interface. A process must support a management VRF instance to be able to use mgmt_junos. Not all of these processes use mgmt_junos by default. You must configure these processes to use mgmt_junos.

The following processes require this additional configuration:

Table 1: Processes You Can Configure to Use the Management VRF Instance

Process

First Release to Support Managment VRF

For More Information

Automation scripts

Junos OS Release 18.1R1

Using an Alternate Source Location for a Script

Configuring and Using a Master Source Location for a Script

BGP Monitoring Protocol (BMP)

Junos OS Release 18.3R1

Configuring BGP Monitoring Protocol to Run Over a Different Routing Instance

NTP

Junos OS Release 18.1R1

ntp

RADIUS

Junos OS Release 18.1R1

Configuring RADIUS Server Authentication

Configuring RADIUS System Accounting

REST API

Junos OS Release 20.3R1

rest

System Logging

Junos OS Release 18.1R1

syslog (System)

Junos OS Release 18.4R1

routing-instance (Syslog)

TACACS+

Junos OS Release 17.4R1

Configuring TACACS+ Authentication

Junos OS Release 18.2R1

Configuring TACACS+ System Accounting

Configuring these processes to use the mgmt_junos VRF instance is optional. If you skip this step, these processes continue to send packets using the default routing instance only.

  1. To update automation scripts from a source using mgmt_junos, configure the following:
    1. Commit, op, or SNMP scripts:
    2. Event scripts:
    3. Juniper Extension Toolkit (JET) scripts:
  2. BMP:
    1. BMP in passive connection mode:
    2. BMP in active connection mode:
  3. NTP service:

    You must also configure at least one IP address on a physical or logical interface within the default routing instance. Ensure that this interface is up so that the NTP service can work with the mgmt_junos VRF instance.

  4. RADIUS:
  5. TACACS+:
  6. The REST API:
  7. System logging:

How to Disable the mgmt_junos VRF Instance

When you disable the mgmt_junos VRF instance, you must also remove the other configuration changes you made.

  1. Remove the management-instance statement to disable the dedicated management VRF instance.
  2. (Optional) Remove the static routes from the mgmt_junos VRF instance.
  3. (Optional) Remove the configurations for processes that use mgmt_junos. These processes will return to sending packets using the default routing instance. For example, to remove the mgmt_junos configuration for TACACS+ :
Release History Table
Release
Description
17.3R1
Starting with Junos OS Release 17.3R1, you can confine the em0 and fxp0 management interfaces to a non-default virtual routing and forwarding (VRF) instance, the mgmt_junos VRF instance.