This article demonstrates how to configure DNS, NTP, syslog, RADIUS, and TACACS+ protocols under a management instance in SRX Series devices with the help of an example.
By default, the management Ethernet interface of an SRX device (usually named fxp0) provides the out-of-band management network for the device. However, there is no clear demarcation between out-of-band management traffic and in-band protocol control traffic (that is, user traffic) at the routing-instance or routing-table level: both share the default routing table.
Starting with Junos OS Release 17.3R1, you can confine the fxp0 management interface to a non-default routing instance known as the management routing instance.
Although the management instance was introduced in Junos OS Release 17.3R1, support for certain features under it, such as DNS and NTP, arrived only in later Junos OS releases. For more information, refer to Management Interface in a Nondefault Instance.
To configure and verify DNS, NTP, syslog, RADIUS and TACACS+ under the management instance, follow the minimum procedure detailed below.
Management Instance Configuration
set system management-instance
set routing-instances mgmt_junos description MANAGEMENT-INSTANCE
Verification
root@SRX# run show route

mgmt_junos.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.219.17.128/26   *[Direct/0] 00:53:53
                    > via fxp0.0
10.219.17.134/32   *[Local/0] 00:53:53
                      Local via fxp0.0
Note: By default, the management instance uses instance-type forwarding. You can also set instance-type forwarding explicitly, but keep in mind that forwarding is the only supported instance type for the management instance. If you configure any other instance-type, the commit fails with the error shown below:
root@SRX# set routing-instances mgmt_junos instance-type virtual-router
root@SRX# commit check
[edit routing-instances]
'mgmt_junos'
RT Instance: management instance may not have instance type other than forwarding
error: configuration check-out failed
DNS Configuration
set system name-server 8.8.8.8 routing-instance mgmt_junos
Note: There is a limitation where DNS queries via fxp0 are not supported on SRX branch devices when fxp0 is part of a management instance.
Verification
root@SRX# run ping yahoo.com routing-instance mgmt_junos inet
PING yahoo.com (98.137.246.7): 56 data bytes
64 bytes from 98.137.246.7: icmp_seq=0 ttl=44 time=266.930 ms
64 bytes from 98.137.246.7: icmp_seq=1 ttl=44 time=267.030 ms
64 bytes from 98.137.246.7: icmp_seq=2 ttl=44 time=267.034 ms
^C
--- yahoo.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 266.930/266.998/267.034/0.048 ms
NTP Configuration
set system time-zone Asia/Kolkata
set system ntp server 10.219.0.35 routing-instance mgmt_junos
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
Note: To make NTP work under the management instance, you must configure the loopback interface explicitly. Without the loopback address, the NTP query utility (ntpq) cannot resolve the local hostname and cannot create a socket for NTP.
Verification
root@SRX# run show ntp status
status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Fri Jun 21 20:39:33 2019 (1)", processor="amd64",
system="FreeBSDJNPR-11.0-20190517.f0321c3_buil", leap=00, stratum=5,
precision=-23, rootdelay=248.081, rootdispersion=45.865, peer=2260,
refid=10.219.0.35,
reftime=e2b9cdb9.2fca592e Thu, Jul 16 2020 0:17:21.186, poll=6,
clock=e2b9cdda.6c5af1ac Thu, Jul 16 2020 0:17:54.423, state=4,
offset=-1.472, frequency=35.416, jitter=0.254, stability=0.035
root@SRX# run show ntp associations no-resolve
     remote           refid      st t when poll reach   delay   offset  jitter
===============================================================================
*10.219.0.35     66.129.233.81    4 -   49   64  377    0.690   -1.472   0.395
root@SRX# run show system uptime
Current time: 2020-07-15 14:01:22 IST
Time Source: NTP CLOCK
System booted: 2020-07-15 12:47:58 IST (01:13:24 ago)
Protocols started: 2020-07-15 12:50:00 IST (01:11:22 ago)
Last configured: 2020-07-15 13:56:11 IST (00:05:11 ago) by root
2:01PM up 1:13, 1 users, load averages: 0.47, 0.29, 0.26
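The NTP verification above relies on reading the tally character, stratum and reach column by eye. The following script is an added example, not part of this article or of Junos, that parses "show ntp associations no-resolve" output in the shape shown above and decides whether the device is synchronized: a peer must carry the "*" tally, the octal reach register must show all of the last eight polls answered, and the offset must stay under a threshold. The sample text is constructed for this example (it mirrors the peer line above); the 128 ms offset threshold and the degraded-peer check are assumptions, not values from the article.

```python
import re

# Constructed sample in the shape of "show ntp associations no-resolve" output;
# the peer line mirrors the one in this article, values assumed for the example.
SAMPLE_ASSOCIATIONS = """\
     remote           refid      st t when poll reach   delay   offset  jitter
===============================================================================
*10.219.0.35     66.129.233.81    4 -   49   64  377    0.690   -1.472   0.395
"""

# Leading tally character ntpq prints for each peer.
TALLY = {
    "*": "system peer (clock is synchronized to it)",
    "+": "candidate",
    "-": "outlier",
    "x": "falseticker",
    ".": "excess",
    "#": "backup",
    " ": "rejected or unreachable",
}

ASSOC_RE = re.compile(
    r"^(?P<tally>[*+\-x.# ]?)(?P<remote>\S+)\s+(?P<refid>\S+)\s+(?P<st>\d+)\s+"
    r"(?P<t>\S)\s+(?P<when>\S+)\s+(?P<poll>\d+)\s+(?P<reach>[0-7]+)\s+"
    r"(?P<delay>-?[\d.]+)\s+(?P<offset>-?[\d.]+)\s+(?P<jitter>-?[\d.]+)\s*$"
)


def parse_associations(text):
    """Return one dict per peer line; header and separator lines are skipped."""
    peers = []
    for line in text.splitlines():
        m = ASSOC_RE.match(line)
        if not m:
            continue
        p = m.groupdict()
        p["tally"] = p["tally"] or " "
        p["stratum"] = int(p.pop("st"))
        # reach is an octal 8-bit shift register: 377 means the last 8 polls answered.
        p["polls_answered"] = bin(int(p["reach"], 8)).count("1")
        for k in ("delay", "offset", "jitter"):
            p[k] = float(p[k])
        peers.append(p)
    return peers


def assess_sync(peers, max_offset_ms=128.0):
    """Return (synchronized, reasons). The offset limit is an assumed policy value."""
    reasons = []
    if not any(p["tally"] == "*" for p in peers):
        reasons.append("no system peer selected ('*' tally missing)")
    for p in peers:
        if p["stratum"] >= 16:
            reasons.append(f"{p['remote']} is unsynchronized (stratum 16)")
        if p["polls_answered"] < 8:
            reasons.append(f"{p['remote']} answered only {p['polls_answered']}/8 recent polls (reach {p['reach']})")
        if abs(p["offset"]) > max_offset_ms:
            reasons.append(f"{p['remote']} offset {p['offset']} ms exceeds {max_offset_ms} ms")
    return (not reasons), reasons


if __name__ == "__main__":
    peers = parse_associations(SAMPLE_ASSOCIATIONS)
    ok, why = assess_sync(peers)
    for p in peers:
        print(f"{p['remote']}: {TALLY[p['tally']]}, stratum {p['stratum']}, reach {p['reach']}")
    print("synchronized" if ok else "NOT synchronized: " + "; ".join(why))
```

Feed it the output of "show ntp associations no-resolve" captured from the device (for example over NETCONF or a scripted SSH session) to turn the check into a monitor: a reach below 377 right after the change is the usual sign that NTP packets are not leaving through mgmt_junos, or that lo0 was not configured.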
Syslog Configuration
set system syslog host 10.219.17.129 any any
set system syslog host 10.219.17.129 routing-instance mgmt_junos
Verification
root@SRX# run monitor traffic interface fxp0 no-resolve size 1500 matching "port 514"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on fxp0, capture size 1500 bytes
14:18:47.493136 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG kernel.info, length: 76
14:18:58.553358 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG kernel.debug, length: 111
14:19:00.004565 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG kernel.debug, length: 111
14:19:00.004755 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG cron.info, length: 94
^C
33 packets received by filter
0 packets dropped by kernel
RADIUS Configuration
set system authentication-order [ radius password ]
set system radius-server 192.168.72.10 secret Juniper routing-instance mgmt_junos
Verification
root@jtac-srx4100-r2005# run monitor traffic interface fxp0 no-resolve size 1500 matching "port 1812"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on fxp0, capture size 1500 bytes
22:01:27.079433 Out IP 192.168.72.1.50967 > 192.168.72.10.1812: RADIUS, Access Request (1), id: 0x4b length: 146
22:01:27.100322 In IP 192.168.72.10.1812 > 192.168.72.1.50967: RADIUS, Access Accept (2), id: 0x4b length: 260
^C
10 packets received by filter
0 packets dropped by kernel
TACACS+ Configuration
set system authentication-order [ tacplus password ]
set system tacplus-server 192.168.72.10 secret Juniper routing-instance mgmt_junos
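Each of the configuration steps above binds one more service to mgmt_junos with a "routing-instance" option; a server statement that is missed keeps using the default instance, which for RADIUS or TACACS+ means authentication traffic leaves through an in-band interface. The following script is an added example, not part of this article or of Junos, that audits a set-style Junos configuration for exactly the statements this article covers: it checks that "system management-instance" is set, that the instance-type (if present) is forwarding, that every name-server, NTP server, syslog host, radius-server and tacplus-server is bound to mgmt_junos, and that lo0 carries 127.0.0.1/32 when NTP is configured. The sample configuration is constructed from the commands above plus one assumed unbound syslog host (10.219.17.130) so the audit has something to report.

```python
import re

# Constructed input: the set commands from this article, plus one assumed syslog
# host (10.219.17.130) that is never bound to mgmt_junos, so the audit has a finding.
SAMPLE_CONFIG = """\
set system management-instance
set routing-instances mgmt_junos description MANAGEMENT-INSTANCE
set system name-server 8.8.8.8 routing-instance mgmt_junos
set system time-zone Asia/Kolkata
set system ntp server 10.219.0.35 routing-instance mgmt_junos
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set system syslog host 10.219.17.129 any any
set system syslog host 10.219.17.129 routing-instance mgmt_junos
set system syslog host 10.219.17.130 any any
set system authentication-order [ radius password ]
set system radius-server 192.168.72.10 secret Juniper routing-instance mgmt_junos
set system authentication-order [ tacplus password ]
set system tacplus-server 192.168.72.10 secret Juniper routing-instance mgmt_junos
"""

# Server statements that accept a "routing-instance" option; group 1 is the server.
SERVICE_PATTERNS = {
    "DNS": re.compile(r"^set system name-server (\S+)"),
    "NTP": re.compile(r"^set system ntp server (\S+)"),
    "syslog": re.compile(r"^set system syslog host (\S+)"),
    "RADIUS": re.compile(r"^set system radius-server (\S+)"),
    "TACACS+": re.compile(r"^set system tacplus-server (\S+)"),
}


def audit_management_binding(config_text, instance="mgmt_junos"):
    """Return a list of findings (empty means every management service is bound)."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings = []

    if "set system management-instance" not in lines:
        findings.append("system management-instance is not set; fxp0 remains in the default instance")

    # Only instance-type forwarding is accepted for the management instance.
    type_re = re.compile(rf"^set routing-instances {re.escape(instance)} instance-type (\S+)")
    for ln in lines:
        m = type_re.match(ln)
        if m and m.group(1) != "forwarding":
            findings.append(f"{instance} instance-type {m.group(1)} will be rejected at commit (only forwarding is supported)")

    # A server is bound if at least one of its set lines carries "routing-instance <instance>".
    bound_re = re.compile(rf"\brouting-instance {re.escape(instance)}\b")
    servers = {}
    for ln in lines:
        for service, pat in SERVICE_PATTERNS.items():
            m = pat.match(ln)
            if m:
                key = (service, m.group(1))
                servers[key] = servers.get(key, False) or bool(bound_re.search(ln))
    for (service, server), bound in sorted(servers.items()):
        if not bound:
            findings.append(f"{service} server {server} is not bound to {instance}; its traffic will not use the management instance")

    # NTP under the management instance needs an explicit 127.0.0.1/32 on lo0.
    lo0_re = re.compile(r"^set interfaces lo0 unit \d+ family inet address 127\.0\.0\.1/32$")
    if any(svc == "NTP" for svc, _ in servers) and not any(lo0_re.match(ln) for ln in lines):
        findings.append("NTP is configured but lo0 has no 127.0.0.1/32; ntpq cannot create its socket under the management instance")

    return findings


if __name__ == "__main__":
    for finding in audit_management_binding(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run it against "show configuration | display set" output before committing, or in a pre-commit pipeline, so that a later change that adds a new syslog collector or AAA server without the routing-instance option is caught before it reaches the device.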
Verification
root@jtac-srx4100-r2005# run monitor traffic interface fxp0 no-resolve size 1500 matching "port 49"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on fxp0, capture size 1500 bytes
00:17:25.394567 Out IP 192.168.72.1.53601 > 192.168.72.10.49: S 4077897627:4077897627(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 2275857121 0,sackOK,eol>
00:17:25.395306 In IP 192.168.72.10.49 > 192.168.72.1.53601: S 1841175851:1841175851(0) ack 4077897628 win 28960 <mss 1460,sackOK,timestamp 5140167 2275857121,nop,wscale 7>
00:17:25.395327 Out IP 192.168.72.1.53601 > 192.168.72.10.49: . ack 1 win 33304 <nop,nop,timestamp 2275857122 5140167>
00:17:25.395429 Out IP 192.168.72.1.53601 > 192.168.72.10.49: P 1:34(33) ack 1 win 33304 <nop,nop,timestamp 2275857122 5140167>
00:17:25.395814 In IP 192.168.72.10.49 > 192.168.72.1.53601: . ack 34 win 227 <nop,nop,timestamp 5140167 2275857122>
00:17:25.400354 In IP 192.168.72.10.49 > 192.168.72.1.53601: P 1:74(73) ack 34 win 227 <nop,nop,timestamp 5140168 2275857122>
^C
22 packets received by filter
0 packets dropped by kernel
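The syslog, RADIUS and TACACS+ verifications above all read "monitor traffic interface fxp0" output and confirm by inspection that the packets leave fxp0 toward the configured server. The following script is an added example, not part of this article or of Junos, that performs that confirmation over capture lines in the same shape: it extracts direction, addresses and ports, maps UDP 514, UDP 1812 and TCP 49 to the servers configured in this article, and reports any management-plane traffic to or from a server that is not in the configuration, as well as any service for which no traffic was seen at all. The sample lines are constructed from the captures above plus one assumed syslog packet to an unlisted collector (10.219.17.200).

```python
import re

# Constructed sample in the shape of this article's "monitor traffic interface fxp0"
# output (one syslog, two RADIUS and two TACACS+ lines), plus one assumed line of
# syslog to a collector (10.219.17.200) that is not in the configuration.
SAMPLE_CAPTURE = """\
14:18:47.493136 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG kernel.info, length: 76
22:01:27.079433 Out IP 192.168.72.1.50967 > 192.168.72.10.1812: RADIUS, Access Request (1), id: 0x4b length: 146
22:01:27.100322 In IP 192.168.72.10.1812 > 192.168.72.1.50967: RADIUS, Access Accept (2), id: 0x4b length: 260
00:17:25.394567 Out IP 192.168.72.1.53601 > 192.168.72.10.49: S 4077897627:4077897627(0) win 65535 <mss 1460,sackOK,eol>
00:17:25.395306 In IP 192.168.72.10.49 > 192.168.72.1.53601: S 1841175851:1841175851(0) ack 4077897628 win 28960 <mss 1460>
14:19:00.004755 Out IP 10.219.17.134.50758 > 10.219.17.200.514: SYSLOG cron.info, length: 94
"""

# Servers configured in this article, keyed by the service port.
EXPECTED_SERVERS = {
    514: ("syslog", {"10.219.17.129"}),
    1812: ("RADIUS", {"192.168.72.10"}),
    49: ("TACACS+", {"192.168.72.10"}),
}

# Timestamp, direction, "IP src.sport > dst.dport:" as printed by monitor traffic.
PKT_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) (?P<dir>In|Out) IP "
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > (?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+):"
)


def check_capture(text, expected=EXPECTED_SERVERS):
    """Return (servers seen per service, findings for unexpected or missing traffic)."""
    seen = {name: set() for name, _ in expected.values()}
    findings = []
    for line in text.splitlines():
        m = PKT_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        # For an outbound packet the server is the destination; for a reply it is the source.
        if d["dir"] == "Out":
            server, port = d["dst"], int(d["dport"])
        else:
            server, port = d["src"], int(d["sport"])
        if port not in expected:
            continue
        name, allowed = expected[port]
        seen[name].add(server)
        if server not in allowed:
            findings.append(f"{d['ts']} {name} ({d['dir']}) with unexpected server {server}")
    for name, servers in seen.items():
        if not servers:
            findings.append(f"no {name} traffic observed on the management interface")
    return seen, findings


if __name__ == "__main__":
    seen, findings = check_capture(SAMPLE_CAPTURE)
    for name, servers in seen.items():
        print(f"{name}: {', '.join(sorted(servers)) or 'none'}")
    for finding in findings:
        print("FINDING:", finding)
```

Pipe the saved output of the three monitor traffic commands into the script (the "matching" filter can be widened to "port 514 or port 1812 or port 49" to take one capture). An empty server set for a service after a login or a syslog event means that service is still leaving through the default instance rather than fxp0.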