Junos changes for management-instance support on QFX
Closed, Resolved · Public

Description

Support matrix: https://www.juniper.net/documentation/en_US/junos/topics/topic-map/management-interface-in-non-default-instance.html#tabel-support-management-vrf

SNMP

cloudsw hosts, QFX running Junos 18.4, with management-instance configured and being pulled through em0, were full of these logs:

Dec 3 07:00:39 cloudsw1-c8-eqiad snmpd[2335]: SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 208.80.154.88 not allowed

Even though everything seems to be pulled correctly.

The fix (or workaround) is to add routing-instance mgmt_junos to the relevant matching community.

# show snmp 
location eqiad;
community [redacted] {
    authorization read-only;
    routing-instance mgmt_junos;
}
routing-instance-access;

NTP

Dec 3 10:00:03 cloudsw1-c8-eqiad xntpd[19552]: NTP Server 208.80.153.77 is Unreachable

[edit system ntp server 208.80.153.77]
+    routing-instance mgmt_junos;

DNS

Starting in Junos OS Release 19.2R1, you can route traffic between a management routing instance and DNS name server. Configure a routing instance at the [edit system name-server server-ip-address] hierarchy level and the name server becomes reachable through this routing instance.

It is possible to configure it, but it doesn't work:

[edit system name-server 10.3.0.1]
+   routing-instance mgmt_junos;
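
Review bot: the `routing-instance mgmt_junos` statement under `name-server 10.3.0.1` has no effect on these switches, because the hosts are described above as running Junos 18.4 while the quoted documentation introduces this feature in 19.2R1. Suggest leaving the line out until the upgrade, or annotating it, so an inert statement is not later mistaken for working name resolution through the management instance.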

Syslog

[edit system syslog]
+   routing-instance mgmt_junos;

But as we use FQDNs for syslog targets, it won't work. Need to replace it with IPs for now on.
Relevant: T268806#6663995
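
An added example, not part of the original task and not Wikimedia or Juniper tooling: a small Python triage script that scans syslog text for the SNMP and NTP symptoms quoted above and names the stanza where `routing-instance mgmt_junos` is missing. The function names, the `<name>` placeholder and the fourth sample line are assumptions made for the illustration.

```python
import re
from collections import Counter

# Lines 1-3 are the messages quoted in this task; line 4 is constructed
# to show repeated events being counted.
SAMPLE = """\
Dec 3 07:00:39 cloudsw1-c8-eqiad snmpd[2335]: SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 208.80.154.88 not allowed
Dec 3 10:00:03 cloudsw1-c8-eqiad xntpd[19552]: NTP Server 208.80.153.77 is Unreachable
Dec 3 10:03:00 cloudsw1-c8-eqiad /kernel: tcp_timer_keep:Local(0x80000010:53122) Foreign(0x80000001:6997)
Dec 3 07:05:39 cloudsw1-c8-eqiad snmpd[2335]: SNMPD_AUTH_RESTRICTED_ADDRESS: nsa_initial_callback: request from address 208.80.154.88 not allowed
"""

# syslog header: "Mon D HH:MM:SS host daemon[pid]: message"
HEADER = re.compile(r"^\w{3}\s+\d+\s+[\d:]+\s+(\S+)\s+(\S+?)(?:\[\d+\])?:\s+(.*)$")

# daemon -> (symptom pattern capturing the peer address, stanza to fix).
# Stanza paths follow the config shown in the task; <name> is a placeholder.
RULES = {
    "snmpd": (re.compile(r"SNMPD_AUTH_RESTRICTED_ADDRESS: .*request from "
                         r"address (\S+) not allowed"),
              "snmp community <name>"),
    "xntpd": (re.compile(r"NTP Server (\S+) is Unreachable"),
              "system ntp server {peer}"),
}

def triage(text):
    """Count management-instance symptoms per (host, daemon, peer)."""
    hits = Counter()
    for line in text.splitlines():
        header = HEADER.match(line)
        if not header:
            continue
        host, daemon, msg = header.groups()
        rule = RULES.get(daemon)
        found = rule[0].search(msg) if rule else None
        if found:
            hits[(host, daemon, found.group(1))] += 1
    return dict(hits)

def report(hits):
    """One line per finding, naming where the statement is missing."""
    return [
        f"{host} {daemon} peer={peer} count={n}: add 'routing-instance "
        f"mgmt_junos' at [edit {RULES[daemon][1].format(peer=peer)}]"
        for (host, daemon, peer), n in sorted(hits.items())
    ]

if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE))))
```

The kernel `tcp_timer_keep` message is deliberately left unmatched, since the task treats it as harmless.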

Event Timeline

ayounsi triaged this task as Low priority.
ayounsi renamed this task from SNMPD_AUTH_RESTRICTED_ADDRESS through management-instance to Junos changes for management-instance support on QFX. (Dec 3 2020, 10:41 AM)
ayounsi updated the task description.

Unrelated, but to document it somewhere:

Dec 3 10:03:00 cloudsw1-c8-eqiad /kernel: tcp_timer_keep:Local(0x80000010:53122) Foreign(0x80000001:6997)

Harmless according to https://prsearch.juniper.net/InfoCenter/index?page=prcontent&id=PR1363186