Junos OS

Hi All,

I was wondering, 

Is there a way in JUNOS that we can create a management VRF or something similar on FXP or ME interfaces?

With Cisco there is a way you can create a MGMT VRF and then have a default route in your VRF for all services such as syslog,radius and just general access to the device.

I wanted to achieve something similar in JUNOS but everytime i go to create a vrf on my SRX i get 

"

[edit routing-instances MGMT]
'interface fxp0.0'
RT Instance: Interface fxp0.0 not supported under routing-instances.
error: configuration check-out failed

"

Basically i have a lot of remote servers, that need individual static routes, it is just easier to manage with one default for all MGMT servers.

Any help or best practices on doing this would be great

Thanks

Hello,

On SRX devices, fxp0.0 can not be configured under routing-instance by design.

What you can do is keep fxp0.0 in default routing instance while configuring routing-instances for other production traffic.

Regards,

Rushi

Hi, 

Unfortunately fxp0 interface cannot be added to RIs but you can create a logical-system for MGT and add fxp0 to it.

The possible caveat is things like snmp polling etc which may require some tweaks.

Cheers,

Ashvin

you can put all other interfaces to a routing instance and make fxp0 the only interface on inet.0. Are you trying to avoid multiple /32 routes via fxp0 or any other goals?

Hi Folks,

      That is true, there is no options to tag a fxp into a routing-instance other than the default routing-instance. You can restrict the users with different privileges while using the Out-of-Band Management ON NECCESITY.

  The router should not be configured to route traffic from network and services interfaces over fxp0.

Starting in Junos 17.1 on the MX platform we can move mgmt to a routing instance.

http://www.juniper.net/techpubs/en_US/junos/topics/task/configuration/mgmt_junos-routing-instance-configuring.html

Hopefully, it will not take too long for the feature to migrate over the the SRX and other platforms.

This functionality was finally added in Junos 18.3R1:

Management Ethernet interface (fxp0) is confined in a non-default virtual routing and forwarding table (SRX Series)—Starting in Junos OS Release 18.3R1, you can confine the management interface in a dedicated management instance by setting a new CLI configuration statement, management-instance, at the [edit system] hierarchy level. By doing so, operators will ensure that management traffic no longer has to share a routing table (that is, the default.inet.0 table) with other control or protocol traffic in the system. Instead, there is a mgmt_junos routing instance introduced for management traffic.

ref: https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-notes/18.3/jd0e16617.html#jd0e17112

Does this also allow for SNMP or telemetry?

In the past I have seen that this allows for management but when polling with SNMP you get NO interfaces.

thanks

I would expect at least SNMP, authentication, syslog and similar with mgmt_junos. Telemetry depends if it's generated from the RE or the line card so it will be very platform dependant.

Hi, 

When polling towards an interface within an RI, the community can be preceeded with '@' or '<ri-name>@community' to access from within the RI, plus snmp configured with the RI.

Example:

root> show configuration snmp
community snmp_public {
    routing-instance mgmt_junos;
}
routing-instance-access;

root> show interfaces terse routing-instance mgmt_junos
Interface Admin Link Proto Local Remote
fxp0.0 up up inet 192.168.1.118/24

$ snmpwalk -v 2c -c snmp_public 192.168.1.118 | head -n 2
Timeout: No Response from 192.168.1.118

$ snmpwalk -v 2c -c @snmp_public 192.168.1.118 | head -n 2
iso.3.6.1.2.1.1.1.0 = STRING: "Juniper Networks, Inc. vmx internet router, kernel JUNOS 17.1R1.8, Build date: 2017-02-27 22:48:02 UTC Copyright (c) 1996-2017 Juniper Networks, Inc."
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.2636.1.1.1.2.108

$ snmpwalk -v 2c -c mgmt_junos@snmp_public 192.168.1.118 | head -n 2
iso.3.6.1.2.1.1.1.0 = STRING: "Juniper Networks, Inc. vmx internet router, kernel JUNOS 17.1R1.8, Build date: 2017-02-27 22:48:02 UTC Copyright (c) 1996-2017 Juniper Networks, Inc."
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.2636.1.1.1.2.108

Cheers,

Ashvin

When using the fixed built in mgmt port on a junos device snmp has full access to all the interfaces.

You need the RI syntax when you have snmp configured on other ports inside a routing instance.

Hello,

I have a VC with QFX5110 configured with vme for OOB traffic, I'm not able to configure the RI mgmt_junos or logical system, any suggestion to separate this traffic? Thanks