
[SRX] Example - Management instance configuration for SRX devices


Article ID: KB36101 | Last Updated: 30 Jul 2020 | Version: 1.0
Summary:

This article shows, with a worked example, how to configure DNS, NTP, syslog, RADIUS, and TACACS+ under a management instance on SRX Series devices so that this control traffic leaves the device through the out-of-band fxp0 interface rather than the default routing table.


Cause:

By default, on SRX devices the management Ethernet interface (usually named fxp0) provides an out-of-band management network, but it lives in the default routing instance alongside the revenue interfaces. There is therefore no clear demarcation, at the routing-instance or routing-table level, between out-of-band management traffic and in-band protocol control and user traffic.

Starting with Junos OS Release 17.3R1, you can confine fxp0 to a dedicated non-default routing instance, mgmt_junos, known as the management routing instance. Management traffic then has its own routing table (mgmt_junos.inet.0), separate from inet.0.

Although the management instance was introduced in Junos OS Release 17.3R1, the ability to bind individual services such as DNS and NTP to it arrived only in later Junos OS releases. For details, refer to Management Interface in a Nondefault Instance in the Junos documentation.


Solution:

To configure and verify DNS, NTP, syslog, RADIUS, and TACACS+ under the management instance, follow the minimum procedure below. Each service has to be bound to the instance explicitly with the routing-instance mgmt_junos option; a service left without it keeps using the default routing table and never sees fxp0.

Management Instance Configuration

set system management-instance
set routing-instances mgmt_junos description MANAGEMENT-INSTANCE

Verification

root@SRX# run show route
mgmt_junos.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.219.17.128/26   *[Direct/0] 00:53:53
                    >  via fxp0.0
10.219.17.134/32   *[Local/0] 00:53:53
                       Local via fxp0.0

Note: The management instance defaults to instance-type forwarding, and forwarding is the only instance type it supports. You may set the type explicitly, but any other value (for example virtual-router) is rejected at commit time, as shown below:

root@SRX# set routing-instances mgmt_junos instance-type virtual-router
root@SRX# commit check
[edit routing-instances]
  'mgmt_junos'
    RT Instance: management instance may not have instance type other than forwarding
error: configuration check-out failed
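The check that the show route output above performs by eye, as an added example that is not part of this article or of Juniper's tooling: a small Python parser that maps each routing table in a show route listing to the prefixes whose next hop is fxp0.0 and confirms that fxp0 appears only in mgmt_junos.inet.0. The sample listing is constructed from the article's mgmt_junos table plus an assumed inet.0 table carrying a revenue-interface (ge-0/0/0.0) route; the function names are this example's own.

```python
"""Confirm fxp0 is confined to mgmt_junos by parsing 'show route' output.

Added example, not Juniper's code. Feed it the text of 'show route'
(pasted from the CLI or fetched with PyEZ) and it reports which routing
tables carry fxp0.0 next hops. After 'set system management-instance'
the Direct/Local routes for fxp0 must appear in mgmt_junos.inet.0 only.
"""
import re
from typing import Dict, List

# 'inet.0: 5 destinations, 5 routes (...)' or 'mgmt_junos.inet.0: ...'
TABLE_HEADER = re.compile(r"^(\S+): \d+ destinations, \d+ routes")
# '10.219.17.128/26   *[Direct/0] 00:53:53'
ROUTE_PREFIX = re.compile(r"^(\d+\.\d+\.\d+\.\d+/\d+)\s+\*\[\w+/\d+\]")
# '>  via fxp0.0' or 'Local via fxp0.0' on the following line
NEXT_HOP = re.compile(r"(?:>\s+via|Local via)\s+(\S+)")


def fxp0_tables(show_route: str) -> Dict[str, List[str]]:
    """Map each routing-table name to the prefixes in it that resolve via fxp0.0."""
    tables: Dict[str, List[str]] = {}
    current = prefix = None
    for line in show_route.splitlines():
        if m := TABLE_HEADER.match(line):
            current = m.group(1)
            tables[current] = []
        elif m := ROUTE_PREFIX.match(line):
            prefix = m.group(1)
        elif (m := NEXT_HOP.search(line)) and current and prefix:
            if m.group(1) == "fxp0.0":
                tables[current].append(prefix)
    return tables


def fxp0_isolated(show_route: str) -> bool:
    """True when fxp0.0 routes exist in mgmt_junos.inet.0 and in no other table."""
    tables = fxp0_tables(show_route)
    return bool(tables.get("mgmt_junos.inet.0")) and all(
        not prefixes for name, prefixes in tables.items() if name != "mgmt_junos.inet.0"
    )


# Constructed sample: the article's mgmt_junos table plus an assumed inet.0
# table holding a revenue-interface route, as expected after the management
# instance is enabled.
SAMPLE_SHOW_ROUTE = """\
inet.0: 2 destinations, 2 routes (2 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

192.0.2.0/24       *[Direct/0] 00:53:53
                    >  via ge-0/0/0.0
192.0.2.1/32       *[Local/0] 00:53:53
                       Local via ge-0/0/0.0

mgmt_junos.inet.0: 3 destinations, 3 routes (3 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

10.219.17.128/26   *[Direct/0] 00:53:53
                    >  via fxp0.0
10.219.17.134/32   *[Local/0] 00:53:53
                       Local via fxp0.0
"""

if __name__ == "__main__":
    print(fxp0_tables(SAMPLE_SHOW_ROUTE))
    print("fxp0 isolated:", fxp0_isolated(SAMPLE_SHOW_ROUTE))
```

If the same fxp0 prefixes ever show up under inet.0 as well (for example after the management-instance knob is deleted), fxp0_isolated returns False, which is the condition to alert on in a post-change check.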

DNS Configuration

set system name-server 8.8.8.8 routing-instance mgmt_junos

Note: DNS queries over fxp0 are not supported on SRX branch devices when fxp0 is part of the management instance; this is a documented limitation of those platforms.

Verification

root@SRX# run ping yahoo.com routing-instance mgmt_junos inet
PING yahoo.com (98.137.246.7): 56 data bytes
64 bytes from 98.137.246.7: icmp_seq=0 ttl=44 time=266.930 ms
64 bytes from 98.137.246.7: icmp_seq=1 ttl=44 time=267.030 ms
64 bytes from 98.137.246.7: icmp_seq=2 ttl=44 time=267.034 ms
^C
--- yahoo.com ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max/stddev = 266.930/266.998/267.034/0.048 ms

NTP Configuration

set system time-zone Asia/Kolkata
set system ntp server 10.219.0.35 routing-instance mgmt_junos
set interfaces lo0 unit 0 family inet address 127.0.0.1/32

Note: NTP under the management instance requires the loopback interface to be configured explicitly, which is why the configuration above includes lo0.0 with 127.0.0.1/32. Without it, the NTP query tool (ntpq) cannot resolve the local hostname and ntpd cannot create its socket.

Verification

root@SRX# run show ntp status
status=06f4 leap_none, sync_ntp, 15 events, event_peer/strat_chg,
version="ntpd 4.2.0-a Fri Jun 21 20:39:33  2019 (1)", processor="amd64",
system="FreeBSDJNPR-11.0-20190517.f0321c3_buil", leap=00, stratum=5,
precision=-23, rootdelay=248.081, rootdispersion=45.865, peer=2260,
refid=10.219.0.35,
reftime=e2b9cdb9.2fca592e  Thu, Jul 16 2020  0:17:21.186, poll=6,
clock=e2b9cdda.6c5af1ac  Thu, Jul 16 2020  0:17:54.423, state=4,
offset=-1.472, frequency=35.416, jitter=0.254, stability=0.035

root@SRX# run show ntp associations no-resolve
   remote         refid           st t when poll reach   delay   offset  jitter
===============================================================================
*10.219.0.35      66.129.233.81    4 -   49   64  377    0.690   -1.472   0.395

root@SRX# run show system uptime
Current time: 2020-07-15 14:01:22 IST
Time Source:  NTP CLOCK
System booted: 2020-07-15 12:47:58 IST (01:13:24 ago)
Protocols started: 2020-07-15 12:50:00 IST (01:11:22 ago)
Last configured: 2020-07-15 13:56:11 IST (00:05:11 ago) by root
 2:01PM  up 1:13, 1 users, load averages: 0.47, 0.29, 0.26

Syslog Configuration

set system syslog host 10.219.17.129 any any
set system syslog host 10.219.17.129 routing-instance mgmt_junos

Note: Classic syslog to UDP port 514 is cleartext and unauthenticated, so the collector should be reachable only over the management network. In the capture below the messages are sourced from the fxp0 address (10.219.17.134) and leave via fxp0, which confirms the binding.

Verification

root@SRX# run monitor traffic interface fxp0 no-resolve size 1500 matching "port 514"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on fxp0, capture size 1500 bytes

14:18:47.493136 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG kernel.info, length: 76
14:18:58.553358 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG kernel.debug, length: 111
14:19:00.004565 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG kernel.debug, length: 111
14:19:00.004755 Out IP 10.219.17.134.50758 > 10.219.17.129.514: SYSLOG cron.info, length: 94
^C
33 packets received by filter
0 packets dropped by kernel

RADIUS Configuration

set system authentication-order [ radius password ]
set system radius-server 192.168.72.10 secret Juniper routing-instance mgmt_junos

Note: The shared secret Juniper is a placeholder for this example; use a long, unique secret per server in production. RADIUS authentication uses UDP port 1812, and the capture below shows the Access-Request and Access-Accept leaving and arriving on fxp0.

Verification

root@jtac-srx4100-r2005# run monitor traffic interface fxp0 no-resolve size 1500 matching "port 1812"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on fxp0, capture size 1500 bytes

22:01:27.079433 Out IP 192.168.72.1.50967 > 192.168.72.10.1812: RADIUS, Access Request (1), id: 0x4b length: 146
22:01:27.100322  In IP 192.168.72.10.1812 > 192.168.72.1.50967: RADIUS, Access Accept (2), id: 0x4b length: 260
^C
10 packets received by filter
0 packets dropped by kernel

TACACS+ Configuration

set system authentication-order [ tacplus password ]
set system tacplus-server 192.168.72.10 secret Juniper routing-instance mgmt_junos

Note: As with RADIUS, the secret Juniper is only a placeholder. TACACS+ uses TCP port 49, so the capture below shows the three-way handshake to the server followed by the first authentication exchange, all on fxp0.

Verification

root@jtac-srx4100-r2005# run monitor traffic interface fxp0 no-resolve size 1500 matching "port 49"
verbose output suppressed, use <detail> or <extensive> for full protocol decode
Address resolution is OFF.
Listening on fxp0, capture size 1500 bytes

00:17:25.394567 Out IP 192.168.72.1.53601 > 192.168.72.10.49: S 4077897627:4077897627(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 2275857121 0,sackOK,eol>
00:17:25.395306  In IP 192.168.72.10.49 > 192.168.72.1.53601: S 1841175851:1841175851(0) ack 4077897628 win 28960 <mss 1460,sackOK,timestamp 5140167 2275857121,nop,wscale 7>
00:17:25.395327 Out IP 192.168.72.1.53601 > 192.168.72.10.49: . ack 1 win 33304 <nop,nop,timestamp 2275857122 5140167>
00:17:25.395429 Out IP 192.168.72.1.53601 > 192.168.72.10.49: P 1:34(33) ack 1 win 33304 <nop,nop,timestamp 2275857122 5140167>
00:17:25.395814  In IP 192.168.72.10.49 > 192.168.72.1.53601: . ack 34 win 227 <nop,nop,timestamp 5140167 2275857122>
00:17:25.400354  In IP 192.168.72.10.49 > 192.168.72.1.53601: P 1:74(73) ack 34 win 227 <nop,nop,timestamp 5140168 2275857122>
^C
22 packets received by filter
0 packets dropped by kernel
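The per-service configuration above (DNS, NTP, syslog, RADIUS, TACACS+) and the instance-type rule from the management-instance section share one failure mode: a service that is configured without routing-instance mgmt_junos silently keeps using the default routing table, and a non-forwarding instance type fails at commit. The following Python script is an added example, not part of this article or of Juniper's software, that audits a set-format configuration for both. The audit function and finding messages are this example's own; the sample configuration is constructed from the article's commands plus two deliberate mistakes (a syslog host with no routing-instance and a second RADIUS server bound to a hypothetical instance named inet-vr), and the secret Juniper is the article's placeholder.

```python
"""Audit a Junos set-format configuration for management-instance binding.

Added example, not Juniper's code. Checks the points the article shows by
hand: (1) mgmt_junos may only be instance-type forwarding; (2) once
'set system management-instance' is present, every management service
(name-server, ntp server, syslog host, radius-server, tacplus-server)
should carry 'routing-instance mgmt_junos'; (3) NTP in the management
instance needs an inet address on lo0.0.
"""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

MGMT_RI = "mgmt_junos"

# Services under [edit system] that accept a routing-instance knob.
# Group 1 captures the server/host so findings can name it.
SERVICE_PATTERNS = {
    "name-server":    re.compile(r"^set system name-server (\S+)"),
    "ntp server":     re.compile(r"^set system ntp server (\S+)"),
    "syslog host":    re.compile(r"^set system syslog host (\S+)"),
    "radius-server":  re.compile(r"^set system radius-server (\S+)"),
    "tacplus-server": re.compile(r"^set system tacplus-server (\S+)"),
}
RI_KNOB = re.compile(r"\brouting-instance (\S+)")
INSTANCE_TYPE = re.compile(r"^set routing-instances mgmt_junos instance-type (\S+)$")
LO0_INET = re.compile(r"^set interfaces lo0 unit 0 family inet address \S+")


def audit(config_text: str) -> List[str]:
    """Return human-readable findings; an empty list means the config is clean."""
    lines = [ln.strip() for ln in config_text.splitlines() if ln.strip()]
    findings: List[str] = []

    if "set system management-instance" not in lines:
        findings.append("system management-instance is not set: fxp0 remains in the default instance")

    for ln in lines:
        m = INSTANCE_TYPE.match(ln)
        if m and m.group(1) != "forwarding":
            findings.append(f"mgmt_junos instance-type {m.group(1)} is rejected at commit; only forwarding is allowed")

    # Collect every routing-instance value seen per (service, server). A syslog
    # host carries the knob on a separate set line, so aggregate across lines.
    bindings: Dict[Tuple[str, str], Set[str]] = defaultdict(set)
    for ln in lines:
        for svc, pat in SERVICE_PATTERNS.items():
            m = pat.match(ln)
            if m:
                ri = RI_KNOB.search(ln)
                bindings[(svc, m.group(1))].update([ri.group(1)] if ri else [])

    for (svc, server), ris in sorted(bindings.items()):
        if MGMT_RI not in ris:
            where = f"routing-instance {', '.join(sorted(ris))}" if ris else "no routing-instance"
            findings.append(f"{svc} {server}: {where}; its traffic will not leave via fxp0 in {MGMT_RI}")

    ntp_in_mgmt = any(svc == "ntp server" and MGMT_RI in ris for (svc, _), ris in bindings.items())
    if ntp_in_mgmt and not any(LO0_INET.match(ln) for ln in lines):
        findings.append(f"ntp server in {MGMT_RI} but lo0.0 has no inet address; ntpd cannot create its socket")

    return findings


# Constructed sample: the article's commands plus two deliberate mistakes
# (syslog host 10.219.17.130 without a routing-instance, and a second RADIUS
# server bound to a hypothetical instance named inet-vr).
SAMPLE_CONFIG = """
set system management-instance
set routing-instances mgmt_junos description MANAGEMENT-INSTANCE
set system name-server 8.8.8.8 routing-instance mgmt_junos
set system ntp server 10.219.0.35 routing-instance mgmt_junos
set interfaces lo0 unit 0 family inet address 127.0.0.1/32
set system syslog host 10.219.17.129 any any
set system syslog host 10.219.17.129 routing-instance mgmt_junos
set system syslog host 10.219.17.130 any any
set system radius-server 192.168.72.10 secret Juniper routing-instance mgmt_junos
set system radius-server 192.168.72.11 secret Juniper routing-instance inet-vr
set system tacplus-server 192.168.72.10 secret Juniper routing-instance mgmt_junos
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG) or ["clean: all management services bound to mgmt_junos"]:
        print(finding)
```

Run it against the output of show configuration | display set (saved to a file) before committing a change to the management instance; the findings list is empty only when every management service is bound to mgmt_junos and the instance type is forwarding.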
