This lab will discuss and demonstrate the configuration of the Juniper Networks management interface commonly found on EX Series switches and high-end Juniper routers.
When you examine a typical Juniper EX Series switch or a high-end Juniper router such as an M, MX or T Series router, you'll notice that these devices have management ethernet interfaces. By most engineers' definition, these interfaces would be used as an Out-of-Band (OOB) management interface.
First off, let's talk about what it means to be out of band. The simple definition is to have a network dedicated purely to management and completely isolated, so that any issue in the production network cannot affect the management network. This sounds pretty good, right?
First off, I'm going to talk about Cisco's MGMT interface. For example, the Cisco 4948E has a FastEthernet Mgmt interface that is dedicated to management and cannot participate in the forwarding plane, as this interface attaches only to the control plane. From a configuration perspective, this interface also belongs to a virtual routing table, which prevents it from interfering with routing decisions in the global table. This gives you the ability to have a default route for the Mgmt interface and a default route for the global table and not have them screw each other up. This is a typical OOB mgmt interface configuration.
Now let's talk about Juniper. We're going to talk specifically about the EX3200 Juniper switch. This switch has a single Mgmt interface on the back of the switch, next to the Console port, that is used for management. The only downside to this interface is that it CANNOT be placed into a virtual routing table, known as a virtual-router.
So what does this mean?
This means that your OOB Mgmt interface is not really an OOB mgmt interface. It's just another interface labeled as Mgmt. On the EX Series switches this is considered a routed interface and cannot participate in switching, but this has been an ongoing issue with Juniper devices for years, and countless engineers are disappointed in Juniper's failure to resolve it. The management ethernet interface on a Juniper EX Series switch, also known as interface me0, cannot be placed into a virtual-router routing instance, commonly known as VRF-Lite.
So what problem does this cause? Because the me0 interface cannot have its own virtual routing table, it cannot have its own default route. The management ethernet interface therefore MUST be a part of production and cannot be a true isolated OOB management network. I can imagine people saying, okay, okay, what is the big deal? Well, let's say you have a broadcast storm on the layer 2 network that the management ethernet interface is connected to. Now you have effectively prevented yourself from accessing the Juniper device by any method other than console.
This limitation also extends to Virtual Chassis for the EX4200 Series with vme0 (Virtual management ethernet) and FXP interfaces, found on high end M, MX and T Series routers.
As of now no fix has been announced, nor has there been any hint as to when this issue will be resolved, but we felt that this should be taught so you can plan your network architecture accordingly until this issue is resolved by Juniper.
With all that said, let's take a look at the management ethernet interface. We're going to concentrate on the EX3200. The Mgmt interface on the EX3200 is right beside the Console port on the back of the switch. This interface is represented as interface me0 within Junos. The interface does not support DHCP client functionality, so a static IP address MUST be assigned to it. This interface can also participate in the forwarding plane and is bound to the global routing table, as the interface does not support being placed into a virtual-router routing instance.
Based on your network architecture and your OOB architecture, you can, however, create a complete layer 2 OOB network, which would require the use of a jump box. This is supported; however, routing between the forwarding plane and the OOB interface would be allowed unless specific security parameters are configured to prevent such communication.
Configuring the IP address of the me0 interface is no different from setting the IP address of a general routed interface, which is done by executing the set interfaces me0 unit 0 family inet address 192.168.255.10/24 command in config mode.
By default, SSH and the J-Web management web GUI are not configured to operate on the me0 interface and must be configured manually. That will be discussed in a later lab, but it should be known here.
This lab can only be performed on EX Series Juniper switches or high-end routers such as the M, MX and T Series.
You need to establish a console session to SW1 and log into the device using the root account or a user account with super-user privileges.
To complete this lab you will perform the following objectives;
It is recommended that you attempt to complete these lab objectives the first time without looking at the Lab Instruction section.
If you are a student preparing for the Juniper JNCIA Certification Exam, then you are more likely to remember how to complete these objectives if you attempt to complete them the first time on your own, using the core knowledge section found in this lab. You should only resort to the Lab Instruction section to verify your work.
The following Lab Instruction is demonstrated on a Juniper EX3200 Series Switch.
root@SW1> configure
Entering configuration mode

[edit]
root@SW1# set interfaces me0 unit 0 family inet address 10.240.255.22/24

[edit]
root@SW1# commit and-quit
commit complete
Exiting configuration mode

root@SW1>
root@SW1> show configuration interfaces me0
unit 0 {
    family inet {
        address 10.240.255.22/24;
    }
}
root@SW1>
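Because me0 lives in the global routing table, it is worth checking a switch's configuration for the side effects described earlier. The following is an added example, not part of the original lab: a small Python audit over `show configuration | display set` output that flags a management port with no input filter, static routes whose next hop sits in the management subnet, and any attempt to place the port in a routing instance. The sample configuration (apart from the me0 address), the finding codes and the function name are constructed for illustration, and `fxp0` is assumed as the name of the FXP management port.

```python
import ipaddress

# Constructed `show configuration | display set` output; only the me0 line is from the lab.
SAMPLE = """\
set interfaces me0 unit 0 family inet address 10.240.255.22/24
set interfaces vlan unit 10 family inet address 10.10.10.1/24
set routing-options static route 0.0.0.0/0 next-hop 10.240.255.1
set routing-options static route 172.16.50.0/24 next-hop 10.10.10.254
set routing-instances CUST instance-type virtual-router
set routing-instances CUST interface me0.0
"""

MGMT_PORTS = ("me0", "vme0", "fxp0")  # management ports named in the text (FXP as fxp0)


def audit_mgmt(config_text):
    """Return (code, detail) findings about management ports in the global table."""
    nets, filtered, routes, findings = {}, set(), [], []
    for line in config_text.splitlines():
        t = line.split()
        if len(t) < 3 or t[0] != "set":
            continue
        if t[1] == "interfaces" and t[2] in MGMT_PORTS:
            if "address" in t[:-1]:
                nets[t[2]] = ipaddress.ip_interface(t[t.index("address") + 1]).network
            if "filter" in t and "input" in t:
                filtered.add(t[2])
        elif t[1:4] == ["routing-options", "static", "route"] and "next-hop" in t[:-1]:
            routes.append((t[4], t[t.index("next-hop") + 1]))
        elif t[1] == "routing-instances" and len(t) >= 5 and t[3] == "interface":
            if t[4].split(".")[0] in MGMT_PORTS:
                findings.append(("MGMT_IN_INSTANCE", f"{t[4]} in {t[2]}"))
    for port, net in nets.items():
        if port not in filtered:
            findings.append(("NO_INPUT_FILTER", port))
        for prefix, hop in routes:
            try:
                inside = ipaddress.ip_address(hop) in net
            except ValueError:  # next hop given as an interface name, not an IP
                continue
            if inside:
                code = "DEFAULT_VIA_MGMT" if prefix == "0.0.0.0/0" else "ROUTE_VIA_MGMT"
                findings.append((code, f"{prefix} via {hop} ({port})"))
    return findings


if __name__ == "__main__":
    for code, detail in audit_mgmt(SAMPLE):
        print(f"{code:18} {detail}")
```

A `DEFAULT_VIA_MGMT` finding means production traffic without a more specific route will leave through the management subnet, which is the loss of isolation the lab warns about.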