
Configuring a Manage IP Address on Juniper firewall

  [KB4059]


Summary:
When and how to configure a "Manage IP" address on Juniper firewall.
Symptoms:

Solution:
A "manage-ip" address is used to manage a Juniper/NetScreen firewall device through a Telnet, SSH, WebUI (HTTP or SSL/HTTPS), or NSM session.  It is also the source address the device uses when communicating via SNMP or with an external authentication server.

By default, the manage IP address is set to the same address as the IP address assigned to the interface.  Use the command 'get interface <int>' to see the manage IP address assigned to an interface.

The manage IP address can be set or changed to allow the device to be managed on a different address than the IP address assigned to the interface, which is used for data traffic.

In the case of an NSRP cluster, management access via the interface IP address (the Virtual IP Address) will always reach the current Master device only.  Manage IP addresses allow for direct access to either cluster member regardless of NSRP state; in other words, you can manage either the Master or the Backup device independently.

Two restrictions apply to a manage-ip address: it must be in the same subnet as the associated interface address, and it must be unique. Manage-ip addresses are not synchronized as part of NSRP, so in a cluster configuration the Master and Backup must each have a different manage-ip address on a given interface (the interface address itself, the VIP, is shared by both members).

To configure a manage IP address, perform the following steps:

CLI:

set interface <interface> manage-ip <ip address>

Note: the associated interface address should be configured before the manage-ip address.

WebUI:

From the ScreenOS options menu, click Network -> Interfaces, click Edit on the selected interface from the table.
Enter the IP address in the "Manage IP" box and click "OK" to accept and save.

Note: A common misconception is that the "Manageable" checkbox enables or disables the manage-ip address. The "Manageable" option has no bearing on the status of the manage-ip address; it determines whether the associated interface address is available for management access in addition to the manage-ip address.  In other words, if the Manageable box is not checked, the device can only be managed through the manage-ip address on that interface.
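The restrictions above (same subnet, unique per cluster member, interface address configured first) are easy to get wrong when preparing configs for both NSRP members offline. The following is an added example, not code from the article or from Juniper: a small Python linter for the two ScreenOS commands shown above, run against two constructed member configs (the interface names, addresses and member labels are hypothetical). It also flags a manage-ip that merely repeats the interface address, since that is already the default and gives no separate management address.

```python
import ipaddress
import re

# Constructed sample configs for a two-member NSRP cluster (hypothetical
# addresses, not taken from any real device). Member A has an out-of-subnet
# manage-ip on ethernet0/1; member B sets manage-ip before the interface ip
# on ethernet0/1; both members reuse 1.1.1.2 on ethernet0/0.
MEMBER_A = """
set interface ethernet0/0 ip 1.1.1.1/24
set interface ethernet0/0 manage-ip 1.1.1.2
set interface ethernet0/1 ip 10.0.0.1/24
set interface ethernet0/1 manage-ip 10.0.1.3
"""

MEMBER_B = """
set interface ethernet0/0 ip 1.1.1.1/24
set interface ethernet0/0 manage-ip 1.1.1.2
set interface ethernet0/1 manage-ip 10.0.0.4
set interface ethernet0/1 ip 10.0.0.1/24
"""

IP_RE = re.compile(r"^set interface (\S+) ip (\d+\.\d+\.\d+\.\d+/\d+)$")
MGT_RE = re.compile(r"^set interface (\S+) manage-ip (\d+\.\d+\.\d+\.\d+)$")


def parse_member(config):
    """Parse one member's 'set interface' lines.

    Returns (interfaces, problems): interfaces maps name -> {"ip": IPv4Interface,
    "manage": IPv4Address}; problems lists per-member rule violations.
    """
    ifaces, problems = {}, []
    for line in config.strip().splitlines():
        line = line.strip()
        m = IP_RE.match(line)
        if m:
            ifaces.setdefault(m.group(1), {})["ip"] = ipaddress.ip_interface(m.group(2))
            continue
        m = MGT_RE.match(line)
        if m:
            name, addr = m.group(1), ipaddress.ip_address(m.group(2))
            entry = ifaces.setdefault(name, {})
            # The article notes the interface address should be configured first.
            if "ip" not in entry:
                problems.append(f"{name}: manage-ip {addr} set before interface ip")
            entry["manage"] = addr
    for name, entry in ifaces.items():
        if "manage" not in entry or "ip" not in entry:
            continue
        if entry["manage"] not in entry["ip"].network:
            problems.append(f"{name}: manage-ip {entry['manage']} is not in {entry['ip'].network}")
        elif entry["manage"] == entry["ip"].ip:
            problems.append(f"{name}: manage-ip equals interface ip (already the default)")
    return ifaces, problems


def check_cluster(configs):
    """configs: dict member_label -> config text. Returns a list of problems,
    including manage-ip addresses reused across members, which NSRP does not
    synchronize and which must therefore be unique."""
    problems, seen = [], {}
    for member, cfg in configs.items():
        ifaces, member_problems = parse_member(cfg)
        problems.extend(f"{member} {p}" for p in member_problems)
        for name, entry in ifaces.items():
            if "manage" not in entry:
                continue
            owner = f"{member} {name}"
            if entry["manage"] in seen:
                problems.append(f"manage-ip {entry['manage']} used by both {seen[entry['manage']]} and {owner}")
            else:
                seen[entry["manage"]] = owner
    return problems


if __name__ == "__main__":
    for problem in check_cluster({"A": MEMBER_A, "B": MEMBER_B}):
        print(problem)
```

The shared interface address (1.1.1.1/24 on both members) is deliberately not reported: in a cluster that is the VIP and is expected to be identical, which is exactly why a separate, unique manage-ip per member is needed.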

 

To remove the manage-ip configuration, perform the following:

CLI:

unset interface <interface> manage-ip

WebUI:

Network -> Interfaces, click Edit on the selected interface from the table.
Set the "Manage IP" address to 0.0.0.0
Apply

 

Sample output from an SSG140 running ScreenOS version 5.4.0:

ssg140_a-> set interface ethernet0/0 ip 1.1.1.1/24
ssg140_a-> set interface ethernet0/0 manage-ip 1.1.1.2

ssg140_a-> get interface e0/0
Interface ethernet0/0:
  description ethernet0/0
  <snip>
  ip 1.1.1.1/24   mac 0017.cb40.4480 
  manage ip 1.1.1.2, mac 0017.cb40.4480 
  route-deny disable
  pmtu-v4 disabled
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
  web enabled, ident-reset disabled, SSL enabled
  <snip>

Note: When NSRP is not configured ('stand-alone'), the same physical MAC address is used for both the interface address and the manage-ip address.


ssg140_a-> set nsrp cluster id 1
ssg140_a(B)-> Unit becomes master of NSRP vsd-group 0
ssg140_a(M)->
ssg140_a(M)-> get int e0/0
Interface ethernet0/0(VSI):
  <snip> 
  ip 1.1.1.1/24 mac 0010.dbff.2000 
  manage ip 1.1.1.2, mac 0017.cb40.4480 
  <snip>

Note: When NSRP is configured ('clustered'), the interface address uses the virtual MAC, but the manage-ip continues to use the physical MAC.
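The MAC detail above matters when troubleshooting management reachability in a cluster: ARP for the VIP resolves to the virtual MAC, while ARP for a member's manage-ip resolves to that member's physical MAC. As an added example (not code from the article or from Juniper), the following Python parses 'get interface' output modelled on the two samples above and reports which MAC a management session to the manage-ip should see. The "(VSI)" marker in the header is used to detect cluster membership; the interpretation strings are this example's own wording of the behaviour the article describes, and the excerpts are constructed.

```python
import re

# Constructed excerpts of 'get interface' output, modelled on the samples in
# this article (addresses and MACs are illustrative).
STANDALONE = """\
Interface ethernet0/0:
  description ethernet0/0
  ip 1.1.1.1/24   mac 0017.cb40.4480
  manage ip 1.1.1.2, mac 0017.cb40.4480
  ping enabled, telnet enabled, SSH enabled, SNMP enabled
"""

CLUSTERED = """\
Interface ethernet0/0(VSI):
  ip 1.1.1.1/24 mac 0010.dbff.2000
  manage ip 1.1.1.2, mac 0017.cb40.4480
"""

HEADER_RE = re.compile(r"^Interface (\S+?)(\(VSI\))?:")
IP_RE = re.compile(r"^\s*ip (\S+)\s+mac (\S+)")
MANAGE_RE = re.compile(r"^\s*manage ip (\S+), mac (\S+)")


def parse_get_interface(text):
    """Extract name, VSI flag, interface ip/MAC and manage ip/MAC from
    'get interface' output. Missing fields stay None."""
    info = {"name": None, "vsi": False, "ip": None, "ip_mac": None,
            "manage_ip": None, "manage_mac": None}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            info["name"] = m.group(1)
            info["vsi"] = m.group(2) is not None   # "(VSI)" only appears under NSRP
            continue
        m = IP_RE.match(line)
        if m:
            info["ip"], info["ip_mac"] = m.group(1), m.group(2)
            continue
        m = MANAGE_RE.match(line)
        if m:
            info["manage_ip"], info["manage_mac"] = m.group(1), m.group(2)
    return info


def management_mac_summary(info):
    """Describe which MAC answers for the manage-ip and whether the
    combination matches the article's stand-alone / clustered description."""
    if info["manage_ip"] is None:
        return "no manage-ip shown: management only via the interface address"
    same_mac = info["manage_mac"] == info["ip_mac"]
    if info["vsi"]:
        if not same_mac:
            return (f"clustered: {info['ip']} answers on virtual MAC {info['ip_mac']}, "
                    f"manage-ip {info['manage_ip']} on physical MAC {info['manage_mac']}")
        return "clustered, but manage-ip shares the interface MAC (not the behaviour described for NSRP)"
    if same_mac:
        return (f"stand-alone: {info['ip']} and manage-ip {info['manage_ip']} "
                f"both answer on physical MAC {info['ip_mac']}")
    return "stand-alone, but the MACs differ (not the behaviour described for stand-alone)"


if __name__ == "__main__":
    for sample in (STANDALONE, CLUSTERED):
        print(management_mac_summary(parse_get_interface(sample)))
```

In practice you would paste the live 'get interface <int>' output of each member into parse_get_interface and compare the reported physical MAC with what your management host sees in its ARP table for the manage-ip; a mismatch usually means you are reaching the VIP (and thus whichever member is currently Master) rather than the intended member.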

 
