
Management Interface in a Dedicated Instance

29-Jan-25

Use a dedicated management instance to separate management traffic from the rest of your network.

Why Use a Non-Default VRF Instance?

By default, the management Ethernet interface (usually named fxp0 or em0 for Junos OS, or re0:mgmt-* or re1:mgmt-* for Junos OS Evolved) provides the out-of-band management network for the device. Out-of-band management traffic is not clearly separated from in-band protocol control traffic. Instead, all traffic passes through the default routing instance and shares the default inet.0 routing table. This system of traffic handling gives rise to concerns over security, performance, and troubleshooting. You (the network administrator) can solve these problems by confining the management interface to a dedicated, non-default virtual routing and forwarding (VRF) instance.

Benefits of a Dedicated Management Instance

  • Improved security

  • Management traffic no longer has to share a routing table with other control traffic or protocol traffic

  • Easier to use the management interface to troubleshoot

Management Instance Overview

The name of the dedicated management VRF instance is reserved and hardcoded as mgmt_junos; you cannot configure any other routing instance by the name mgmt_junos. Because some applications assume that the management interface is always present in the default inet.0 routing table, the dedicated management VRF instance is not instantiated by default. You need to configure it for it to take effect.

Once you deploy the mgmt_junos VRF instance, management traffic no longer shares a routing table (that is, the default routing table) with other control traffic or protocol traffic in the system. Traffic in the mgmt_junos VRF instance uses private IPv4 and IPv6 routing tables. After you configure mgmt_junos, you cannot configure dynamic protocols on the management interface.

Configure the Management Instance

You must add any static routes that have a next hop over the management interface to the mgmt_junos VRF instance. If needed, you must also configure the appropriate processes or applications to use mgmt_junos. All of these changes must be done in a single commit. Otherwise, the existing sessions might be lost and need to be renegotiated.

Before You Begin: Determine Static Routes

Some static routes have a next hop through the management interface. As part of configuring the mgmt_junos VRF instance, you must add all these static routes to mgmt_junos so they can reach the management interface. Each setup is different. First, you need to identify the static routes that have a next hop through the management interface.

  1. Use the show interfaces interface-name terse command to find the IP address of the default management interface. The default management interface is fxp0 or em0 for Junos OS, or re0:mgmt-0 or re1:mgmt-0 for Junos OS Evolved.

  2. Use the show route forwarding-table command to look at the forwarding table for next-hop information for static routes. Static routes show up as type user. The next hop for any static route that is affected has an IP address that falls under the subnet of the IP address configured for the management interface.

  3. Another way to find the static routes associated with your management network is to use the show route protocol static next-hop <management-network-gateway-address> command.

    Alternatively, simply display the static route portion of the device's configuration. Use the CLI match function to quickly locate all static routes that point to the management network's default gateway.

Enable the Management Instance

Note:

We recommend using the device console port for these operations.

Changing the management instance changes the underlying VRF instance for the management port. If you use SSH, Telnet, or NETCONF, the connection to the device will be dropped when you commit the configuration, and you will have to reestablish it.

If you do use SSH, Telnet, or NETCONF, use commit confirm.

To enable the dedicated management VRF instance:

  1. Configure the mgmt_junos VRF instance.
    [edit]
    user@host# set routing-instances mgmt_junos description description 
  2. Configure the management-instance statement.
    [edit]
    user@host# set system management-instance
  3. Add the appropriate static routes to the mgmt_junos VRF instance.

    For how to determine the static routes to change, see Before You Begin: Determine Static Routes.

    [edit routing-instances mgmt_junos routing-options static route]
    user@host# set 10.0.0.0/8 next-hop 10.102.191.254
    user@host# set 172.16.0.0/12 next-hop 10.102.191.254
    user@host# set 192.168.0.0/16 next-hop 10.102.191.254

    If you are using configuration groups, you can set these changes as part of a group:

    [edit groups global routing-instances mgmt_junos routing-options static route]
    user@host# set 10.0.0.0/8 next-hop 10.102.191.254
    user@host# set 172.16.0.0/12 next-hop 10.102.191.254
    user@host# set 192.168.0.0/16 next-hop 10.102.191.254
    
  4. Commit the configuration.
    If you are using SSH, Telnet, or NETCONF, use commit confirm. Expect to lose, and then have to reestablish, the SSH, Telnet, or NETCONF session.
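The two procedures above (identifying the static routes whose next hop is on the management network, then enabling the instance and adding those routes in a single commit) as an added example, not code from the Juniper documentation: a Python script that parses constructed `show interfaces terse` and `show route forwarding-table` output and emits the corresponding set commands. The exact column layout of both outputs, the interface name fxp0 and the description text are assumptions.

```python
import ipaddress

# Constructed sample output, not captured from a real device:
# 'show interfaces fxp0 terse' and 'show route forwarding-table'.
INTERFACES_TERSE = """\
Interface               Admin Link Proto    Local                 Remote
fxp0                    up    up
fxp0.0                  up    up   inet     10.102.191.10/24
"""

FORWARDING_TABLE = """\
Routing table: default.inet
Destination        Type RtRef Next hop           Type Index    NhRef Netif
default            user     0 0:0:5e:0:1:0       ucst      325     4 ge-0/0/0.0
10.0.0.0/8         user     0 10.102.191.254     ucst      326     3 fxp0.0
172.16.0.0/12      user     0 10.102.191.254     ucst      326     3 fxp0.0
192.168.0.0/16     user     0 10.102.191.254     ucst      326     3 fxp0.0
198.51.100.0/24    user     0 203.0.113.1        ucst      330     2 ge-0/0/0.0
10.102.191.0/24    intf     0                    rslv      327     1 fxp0.0
"""

def mgmt_subnet(terse_output, mgmt_if="fxp0"):
    """Subnet of the management interface's inet address (step 1)."""
    for line in terse_output.splitlines():
        f = line.split()
        if len(f) >= 5 and f[0].startswith(mgmt_if + ".") and f[3] == "inet":
            return ipaddress.ip_interface(f[4]).network
    raise ValueError("no inet address on " + mgmt_if)

def mgmt_static_routes(fwd_output, subnet):
    """(destination, next-hop) pairs of 'user' routes whose next hop is in subnet (step 2)."""
    routes = []
    for line in fwd_output.splitlines():
        f = line.split()
        if len(f) < 4 or f[1] != "user":
            continue
        try:
            nh = ipaddress.ip_address(f[3])  # MAC-address next hops raise ValueError
        except ValueError:
            continue
        if nh in subnet:
            routes.append((f[0], f[3]))
    return routes

def mgmt_junos_commands(terse_output, fwd_output, mgmt_if="fxp0"):
    """The set commands to apply together in one commit: instance, statement, routes."""
    cmds = ['set routing-instances mgmt_junos description "Dedicated management VRF"',
            "set system management-instance"]
    for dest, nh in mgmt_static_routes(fwd_output, mgmt_subnet(terse_output, mgmt_if)):
        cmds.append(f"set routing-instances mgmt_junos routing-options static route {dest} next-hop {nh}")
    return cmds
```

Routes whose next hop is not on the management subnet (198.51.100.0/24 via 203.0.113.1 above) and non-static entries are left out, so only the routes that would otherwise lose reachability move into mgmt_junos.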

Configure Processes to Use the Management Instance

Many processes communicate through the management interface. A process must support a management VRF instance to be able to use mgmt_junos. Even after you enable the management-instance statement, not all of these processes use mgmt_junos by default. You must configure these processes to use mgmt_junos.

The following processes require this additional configuration:

Table 1: Processes You Can Configure to Use the Management VRF Instance

Process                       | First Release to Support Management VRF | For More Information
Automation scripts            | Before Junos OS Evolved Release 24.1R1  | Using an Alternate Source Location for a Script; Configuring and Using a Master Source Location for a Script
BGP Monitoring Protocol (BMP) | Before Junos OS Evolved Release 24.1R1  | Configuring BGP Monitoring Protocol to Run Over a Different Routing Instance
Inline Active Flow Monitoring | Junos OS Evolved Release 24.2R1         | Understand Inline Active Flow Monitoring
Network Time Protocol (NTP)   | Before Junos OS Evolved Release 24.1R1  | ntp
Outbound SSH                  | Junos OS Evolved Release 24.1R1         | Configure Outbound SSH Service
RADIUS                        | Before Junos OS Evolved Release 24.1R1  | Configuring RADIUS Server Authentication; Configuring RADIUS System Accounting
REST API                      | Before Junos OS Evolved Release 24.1R1  | rest
TACACS+                       | Before Junos OS Evolved Release 24.1R1  | Configuring TACACS+ Authentication
TACACS+                       | Before Junos OS Evolved Release 24.1R1  | Configuring TACACS+ System Accounting

In Junos OS Evolved, system logging uses the mgmt_junos VRF instance by default as soon as you configure the management-instance statement. You do not need to configure the mgmt_junos VRF instance for system logging.

Configuring these processes to use the mgmt_junos VRF instance is optional. If you skip this step, these processes continue to send packets using the default routing instance only.

  1. To update automation scripts including commit, op, SNMP, and event scripts from a source using mgmt_junos, configure the following:
    1. Commit, op, or SNMP scripts:
      [edit]
      user@host# set system scripts (commit | op | snmp) file filename routing-instance mgmt_junos
    2. Event scripts:
      [edit]
      user@host# set event-options event-script file filename routing-instance mgmt_junos
  2. For automation scripts and applications that use Google-developed remote procedure calls (gRPC), such as:
    • gRPC Network Management Interface (gNMI)
    • gRPC Network Operations Interface (gNOI)
    • gRPC Routing Information Base Interface (gRIBI)
    • Juniper Extension Toolkit (JET)
    1. Configure:
      [edit]
      user@host# set system services extension-service request-response grpc routing-instance mgmt_junos
    2. For JET applications, also configure:
      [edit]
      user@host# set system extensions extension-service application file filename routing-instance mgmt_junos
  3. BMP:
    1. BMP in passive connection mode:
      [edit]
      user@host# set routing-options bmp station station-name routing-instance mgmt_junos
      user@host# set routing-options bmp station station-name connection-mode passive
      user@host# set routing-options bmp station station-name local-address ip-address
      user@host# set routing-options bmp station station-name local-port port-number
      user@host# set routing-options bmp station station-name station-address ip-address
    2. BMP in active connection mode:
      [edit]
      user@host# set routing-options bmp station station-name routing-instance mgmt_junos
      user@host# set routing-options bmp station station-name connection-mode active
      user@host# set routing-options bmp station station-name station-address ip-address
      user@host# set routing-options bmp station station-name station-port port-number
  4. Inline Active Flow Monitoring:
    [edit]
    user@host# set forwarding-options sampling instance name family type output flow-server IP-address routing-instance mgmt_junos
  5. NTP service:
    [edit]
    user@host# set system ntp server server-address routing-instance mgmt_junos

    You must also configure at least one IP address on a physical or logical interface within the default routing instance. Ensure that this interface is up so that the NTP service can work with the mgmt_junos VRF instance.

  6. RADIUS:
    [edit]
    user@host# set system radius-server server-address routing-instance mgmt_junos
    user@host# set system accounting destination radius server server-address routing-instance mgmt_junos
  7. TACACS+:
    [edit]
    user@host# set system tacplus-server server-address routing-instance mgmt_junos
    user@host# set system accounting destination tacplus server server-address routing-instance mgmt_junos
  8. The REST API:
    [edit]
    user@host# set system services rest routing-instance mgmt_junos
  9. Outbound SSH:
    [edit]
    user@host# set system services outbound-ssh routing-instance mgmt_junos 

How to Disable the Management Instance

When you disable the mgmt_junos VRF instance, you must also remove the other configuration changes you made.

  1. Remove the management-instance statement to disable the dedicated management VRF instance.
    [edit]
    user@host# delete system management-instance
  2. (Optional) Remove the static routes from the mgmt_junos VRF instance.
    [edit routing-instances mgmt_junos routing-options static route]
    user@host# delete 10.0.0.0/8 next-hop 10.102.191.254
    user@host# delete 172.16.0.0/12 next-hop 10.102.191.254
    user@host# delete 192.168.0.0/16 next-hop 10.102.191.254
  3. (Optional) Remove the configurations for processes that use mgmt_junos. These processes will return to sending packets using the default routing instance. For example, to remove the mgmt_junos configuration for TACACS+:
    [edit]
    user@host# delete system tacplus-server server-address routing-instance mgmt_junos