Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Management Interface in a Dedicated Instance

Use a dedicated management instance to separate management traffic from the rest of your network.

Why Use a Non-Default VRF Instance?

By default, the management Ethernet interface (usually named fxp0 or em0 for Junos OS, or re0:mgmt-* or re1:mgmt-* for Junos OS Evolved) provides the out-of-band management network for the device. Out-of-band management traffic is not clearly separated from in-band protocol control traffic. Instead, all traffic passes through the default routing instance and shares the default inet.0 routing table. This system of traffic handling gives rise to concerns over security, performance, and troubleshooting. You (the network administrator) can solve these problems by confining the management interface to a dedicated, non-default virtual routing and forwarding (VRF) instance.

Benefits of a Dedicated Management Instance

  • Improved security

  • Management traffic no longer has to share a routing table with other control traffic or protocol traffic

  • Easier to use the management interface to troubleshoot

Management Instance Overview

The name of the dedicated management VRF instance is reserved and hardcoded as mgmt_junos; you cannot configure any other routing instance by the name mgmt_junos. Because some applications assume that the management interface is always present in the default inet.0 routing table, the dedicated management VRF instance is not instantiated by default. You need to configure it for it to take effect.

Once you deploy the mgmt_junos VRF instance, management traffic no longer shares a routing table (that is, the default routing table) with other control traffic or protocol traffic in the system. Traffic in the mgmt_junos VRF instance uses private IPv4 and IPv6 routing tables. After you configure mgmt_junos, you cannot configure dynamic protocols on the management interface.

Configure the Management Instance

You must add any static routes that have a next hop over the management interface to the mgmt_junos VRF instance. If needed, you must also configure the appropriate processes or applications to use mgmt_junos. All of these changes must be done in a single commit. Otherwise, the existing sessions might be lost and need to be renegotiated.

Before You Begin: Determine Static Routes

Some static routes have a next hop through the management interface. As part of configuring the mgmt_junos VRF instance, you must add all these static routes to mgmt_junos so they can reach the management interface. Each setup is different. First, you need to identify the static routes that have a next hop through the management interface.

  1. Use the show interfaces interface-name terse command to find the IP address of the default management interface. The default management interface is fxp0 or em0 for Junos OS, or re0:mgmt-0 or re1:mgmt-0 for Junos OS Evolved.

  2. Use the show route forwarding-table command to look at the forwarding table for next-hop information for static routes. Static routes show up as type user. The next hop for any static route that is affected has an IP address that falls under the subnet of the IP address configured for the management interface.

  3. Another way to find the static routes associated with your management network is to use the show route protocol static next-hop <management-network-gateway-address> command.

    Alternatively, simply display the static route portion of the device's configuration. Use the CLI match function to quickly locate all static routes that point to the management network's default gateway.

Enable the Management Instance

Note:

We recommend using the device console port for these operations.

Changing the management instance changes the underlying VRF instance for the management port. If you use SSH, Telnet, or NETCONF, the connection to the device will be dropped when you commit the configuration, and you will have to reestablish it.

If you do use SSH, Telnet, or NETCONF, use commit confirm.

To enable the dedicated management VRF instance:

  1. Configure the mgmt_junos VRF instance.
  2. Configure the management-instance statement.
  3. Add the appropriate static routes to the mgmt_junos VRF instance.

    For how to determine the static routes to change, see Before You Begin: Determine Static Routes.

    If you are using configuration groups, you can set these changes as part of a group:

  4. Commit the configuration.
    If you are using SSH, Telnet, or NETCONF, use commit confirm. Expect to lose, and then have to reestablish, the SSH, Telnet, or NETCONF session.

Configure Processes to Use the Management Instance

Many processes communicate through the management interface. A process must support a management VRF instance to be able to use mgmt_junos. Not all of these processes use mgmt_junos by default unless the management-instance is enabled. You must configure these processes to use mgmt_junos.

The following processes require this additional configuration:

Table 1: Processes You Can Configure to Use the Management VRF Instance

Process

First Release to Support Management VRF

For More Information

Automation scripts

Before Junos OS Evolved Release 24.1R1

Using an Alternate Source Location for a Script

Configuring and Using a Master Source Location for a Script

BGP Monitoring Protocol (BMP)

Before Junos OS Evolved Release 24.1R1

Configuring BGP Monitoring Protocol to Run Over a Different Routing Instance

Inline Active Flow Monitoring

Junos OS Evolved Release 24.2R1

Understand Inline Active Flow Monitoring

Network Time Protocol (NTP)

Before Junos OS Evolved Release 24.1R1

ntp

Outbound SSH

Junos OS Evolved Release 24.1R1

Configure Outbound SSH Service

RADIUS

Before Junos OS Evolved Release 24.1R1

Configuring RADIUS Server Authentication

Configuring RADIUS System Accounting

REST API

Before Junos OS Evolved Release 24.1R1

rest

TACACS+

Before Junos OS Evolved Release 24.1R1

Configuring TACACS+ Authentication

Before Junos OS Evolved Release 24.1R1

Configuring TACACS+ System Accounting

In Junos OS Evolved, system logging uses the mgmt_junos VRF instance by default as soon as you configure the management-instance statement. You do not need to configure the mgmt_junos VRF instance for system logging.

Configuring these processes to use the mgmt_junos VRF instance is optional. If you skip this step, these processes continue to send packets using the default routing instance only.

  1. To update automation scripts from a source using mgmt_junos, configure the following:
    1. Commit, op, or SNMP scripts:
    2. Event scripts:
    3. Juniper Extension Toolkit (JET) scripts:
  2. BMP:
    1. BMP in passive connection mode:
    2. BMP in active connection mode:
  3. Inline Active Flow Monitoring:
  4. NTP service:

    You must also configure at least one IP address on a physical or logical interface within the default routing instance. Ensure that this interface is up so that the NTP service can work with the mgmt_junos VRF instance.

  5. RADIUS:
  6. TACACS+:
  7. The REST API:
  8. Outbound SSH:

How to Disable the Management Instance

When you disable the mgmt_junos VRF instance, you must also remove the other configuration changes you made.

  1. Remove the management-instance statement to disable the dedicated management VRF instance.
  2. (Optional) Remove the static routes from the mgmt_junos VRF instance.
  3. (Optional) Remove the configurations for processes that use mgmt_junos. These processes will return to sending packets using the default routing instance. For example, to remove the mgmt_junos configuration for TACACS+ :