Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

[EOL/EOE] Creating an Out of Band Management Interface

0

0

Article ID: KB3907 KB Last Updated: 05 Apr 2021Version: 5.0
Summary:

Note: A product listed in this article has either reached hardware End of Life (EOL) OR software End of Engineering (EOE).  Refer to End of Life Products & Milestones for the EOL, EOE, and End of Support (EOS) dates.



How to create an interface that is only used for managing the firewall.
Symptoms:

Goals:

  • Ports specifically for management only
  • Configure a port for out of band traffic
  • No traffic will traverse from the management port to the other in-band ports
Solution:

If your firewall does not have a dedicated MGT port (see NOTE below), you can configure one of the ethernet firewall ports for management (out-of-band) traffic only.
To do so, perform the following:

  • Check if MGT zone exists on your platform.  If it does not exist, create a custom MGT zone.
  • Assign a firewall ethernet port/interface to the MGT zone
  • Configure the interface with an IP address on a unique subnet, different from the other traffic traversing ports.


Example:

Assume interfaces eth1/1, eth1/2, and eth1/3 are used for in-band traffic.  Dedicate eth1/4 for out of band management, so that any traffic to eth1/4 will not affect performance going between the other ports.  Assume e1 and e2 are bound to the trust zone, and e3 is bound to the untrust zone.  Create a new custom zone called MGT. 

get zone
If the MGT zone does not exist:   set zone name MGT
set interface eth1/4 zone MGT
set interface eth1/4 ip 10.10.10.1 255.255.255
.0

Interface eth1/4 should be on a different subnet than eth1/1, eth1/2, and eth1/3.   This way, management traffic to eth1/4 will not affect any other interfaces.


NOTE:  The following Juniper firewalls have a dedicated/physical MGT port:
  • NS-5200/NS-5400
  • ISG-1000/ISG-2000

For these devices, the MGT port is reserved for out of band management.  To set this up, from the command line interface (CLI):

set interface mgt ip 10.1.1.1 255.255.255.0
Modification History:
2021-04-05: Tagged for EOL/EOE.
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search