Management Interface in a Non-Default Instance
Why Use a Non-Default VRF Instance?
By default, the management Ethernet interface (usually named fxp0 or em0 for Junos OS, or re0:mgmt-* or re1:mgmt-* for Junos OS Evolved) provides the out-of-band management network for the device. Out-of-band management traffic is not clearly separated from in-band protocol control traffic. Instead, all traffic passes through the default routing instance and shares the default inet.0 routing table. This system of traffic handling gives rise to concerns over security, performance, and troubleshooting.
You (the network administrator) can confine the management interface to a non-default virtual routing and forwarding (VRF) instances. After you configure the non-default management VRF instance, management traffic no longer has to share a routing table with other control traffic or protocol traffic. This configuration improves security and makes it easier to use the management interface to troubleshoot.
For Junos OS, the non-default management VRF instance supports only the em0 and fxp0 interfaces. The non-default management VRF instance doesn't support other management interfaces such as em1.
The non-default management VRF instance supports the virtual management Ethernet (VME) interface on EX Series devices. The VME interface is used to manage Virtual Chassis. For more information, see Understanding Global Management of a Virtual Chassis
Configure the mgmt_junos VRF Instance
The name of the dedicated management VRF instance is reserved and hardcoded as mgmt_junos
; you cannot configure any other routing instance by the name mgmt_junos
. Because some applications assume that the management interface is always present in the default inet.0 routing table, the dedicated management VRF instance is not instantiated by default.
You must add any static routes that have a next hop over the management interface to the mgmt_junos
VRF instance. If needed, you must also configure the appropriate processes or applications to use mgmt_junos
. All of these changes must be done in a single commit. Otherwise, the existing sessions might be lost and need to be renegotiated.
Once you deploy the mgmt_junos
VRF instance, management traffic no longer shares a routing table (that is, the default routing table) with other control traffic or protocol traffic in the system. Traffic in the mgmt_junos
VRF instance uses private IPv4 and IPv6 routing tables. After you configure mgmt_junos
, you cannot configure dynamic protocols on the management interface.
Before You Begin: Determine Static Routes
Some static routes have a next hop through the management interface. As part of configuring the mgmt_junos
VRF instance, you must add all these static routes to mgmt_junos
so they can reach the management interface. Each setup is different. First, you need to identify the static routes that have a next hop through the management interface.
Use the
show interfaces interface-name terse
command to find the IP address of the default management interface. The default management interface is fxp0 or em0 for Junos OS, or re0:mgmt-0 or re1:mgmt-0 for Junos OS Evolved.user@host> show interfaces fxp0 terse Interface Admin Link Proto Local Remote fxp0 up up fxp0.0 up up inet 10.102.183.152/20
Use the
show route forwarding-table
command to look at the forwarding table for next-hop information for static routes. Static routes show up as typeuser
. The next hop for any static route that is affected has an IP address that falls under the subnet of the IP address configured for the management interface.user@host> show route forwarding-table Routing table: default.inet Internet: Enabled protocols: Bridging, Destination Type RtRef Next hop Type Index NhRef Netif default perm 0 rjct 36 1 0.0.0.0/32 perm 0 dscd 34 1 10.0.0.0/8 user 0 0:0:5e:0:1:d0 ucst 341 6 fxp0.0 10.0.1.0/24 intf 0 rslv 584 1 ge-0/0/0.0 10.0.1.0/32 dest 0 10.0.1.0 recv 582 1 ge-0/0/0.0 10.0.1.1/32 intf 0 10.0.1.1 locl 583 2 10.0.1.1/32 dest 0 10.0.1.1 locl 583 2 10.0.1.255/32 dest 0 10.0.1.255 bcst 581 1 ge-0/0/0.0 10.102.176.0/20 intf 0 rslv 340 1 fxp0.0 10.102.176.0/32 dest 0 10.102.176.0 recv 338 1 fxp0.0 10.102.176.3/32 dest 1 0:50:56:9f:1b:2e ucst 350 2 fxp0.0 10.102.183.152/32 intf 0 10.102.183.152 locl 339 2 10.102.183.152/32 dest 0 10.102.183.152 locl 339 2 10.102.191.253/32 dest 0 10:e:7e:b1:b0:80 ucst 348 1 fxp0.0 10.102.191.254/32 dest 0 0:0:5e:0:1:d0 ucst 341 6 fxp0.0 10.102.191.255/32 dest 0 10.102.191.255 bcst 337 1 fxp0.0 172.16.0.0/12 user 0 10.102.191.254 ucst 341 6 fxp0.0 192.168.0.0/16 user 0 10.102.191.254 ucst 341 6 fxp0.0 224.0.0.0/4 perm 0 mdsc 35 1 224.0.0.1/32 perm 0 224.0.0.1 mcst 31 1 255.255.255.255/32 perm 0 bcst 32 1
Another way to find the static routes associated with your management network is to use the
show route protocol static next-hop <management-network-gateway-address>
command. Alternatively, simply display the static route portion of the device's configuration. Use the CLIuser@host> show route protocol static next-hop 10.102.191.254 inet.0: 10 destinations, 10 routes (10 active, 0 holddown, 0 hidden) + = Active Route, - = Last Active, * = Both 10.0.0.0/8 *[Static/5] 2d 21:48:36 > to 10.102.191.254 via fxp0.0 172.16.0.0/12 *[Static/5] 2d 21:48:36 > to 10.102.191.254 via fxp0.0 192.168.0.0/16 *[Static/5] 2d 21:48:36 > to 10.102.191.254 via fxp0.0
match
function to quickly locate all static routes that point to the management network's default gateway.user@host> show configuration routing-options static | match 10.102.191.254 route 10.0.0.0/8 next-hop 10.102.191.254; route 172.16.0.0/12 next-hop 10.102.191.254; route 192.168.0.0/16 next-hop 10.102.191.254;
Enable the mgmt_junos VRF Instance
We recommend using the device console port for these operations. If you use SSH or Telnet, the connection to the device will be dropped when you commit the configuration, and you will have to reestablish it. If you do use SSH or Telnet, use commit confirm
.
To enable the dedicated management VRF instance:
Configure Processes to Use mgmt_junos
Many
processes communicate through the management
interface. A process must support a management VRF
instance to be able to use
mgmt_junos
. Not all of these
processes use mgmt_junos
by
default unless the management-instance is
enabled. You must configure these processes
to use mgmt_junos
.
The following processes require this additional configuration:
Process |
First Release to Support Managment VRF |
For More Information |
---|---|---|
Automation scripts |
Junos OS Release 18.1R1 |
|
BGP Monitoring Protocol (BMP) |
Junos OS Release 18.3R1 |
Configuring BGP Monitoring Protocol to Run Over a Different Routing Instance |
NTP |
Junos OS Release 18.1R1 |
|
Outbound SSH |
Junos OS Release 19.3R1 |
Configure Outbound SSH Service |
RADIUS |
Junos OS Release 18.1R1 |
|
REST API |
Junos OS Release 20.3R1 |
|
System Logging |
Junos OS Release 18.1R1 |
|
Junos OS Release 18.4R1 |
||
TACACS+ |
Junos OS Release 17.4R1 |
|
Junos OS Release 18.2R1 |
Configuring these processes to use the mgmt_junos
VRF instance is optional. If you skip this step, these processes continue to send packets using the default routing instance only.
How to Disable the mgmt_junos VRF Instance
When you disable the mgmt_junos
VRF instance, you must also remove the other configuration changes you made.