Configuring Logical System Administrators (Master Administrator)
The master administrator can assign one or more logical system
administrators to each logical system. Logical system administrators
are confined to the context of the logical system(s) to which they
are assigned. This means that any global configuration statements
are restricted from them. This also means that command output is restricted
to the context to which the logical system administrators are assigned.
To configure logical system administrators, include the logical-system logical-system-name statement
at the [edit system login class class name] hierarchy level:
[edit]
system {
login {
class admin1 {
permissions all;
logical-system-1;
}
class admin2 {
permissions view; # Gives users assigned to class admin2
the ability to view # but not to change the configuration.
logical-system-2;
}
user user1 {
class logical-system-1;
}
user user2 {
class logical-system-2;
}
}
}
Configuring Interfaces (Master Administrator)
Before adding interfaces to a logical system, the
master administrator must configure physical interface properties
on the main router. Common physical interface properties include encapsulation
types and interface-related options.
To configure physical interface properties, the master administrator
must include the statements at the [edit interfaces interface-name] hierarchy level.
Assigning Logical Interfaces to the Logical System (Master
or Logical System Administrator)
After the interfaces are configured, the master
administrator can assign logical interfaces to a logical system. To
configure, include the unit statement at the [edit logical-systems logical-system-name interfaces interface-name] hierarchy level. Once you assign logical interfaces to a logical
system, they are considered part of the logical system. Any logical
interface can only be assigned one logical system, including the main
router.
[edit]
logical-systems logical-system-name {
interfaces {
interface-name {
logical-interface-statements;
unit unit-number {
family inet {
address ip-address;
}
}
}
}
interfaces {
interface-name {
physical-interface-statements;
}
}
}
Configuring Protocols, Routing, and Policy Statements for the
Logical System (Master or Logical System Administrator)
You can configure routing protocols (such as OSPF,
BGP, and MPLS), policies (such as next-hop or load-balancing), routing
options, and routing instances for a logical system.
To configure routing protocols, include the protocols statement at the [edit logical-systems logical-system-name] hierarchy level. To configure
policies, include the policy-options statement at the [edit logical-systems logical-system-name] hierarchy level. To configure routing options, include the routing-options statement at the [edit logical-systems logical-system-name] hierarchy level. To configure routing instances, include the routing-instances statement at the [edit logical-systems logical-system-name] hierarchy level.
[edit]
logical-systems logical-system-name {
protocols {
...
}
policy-options {
...
}
routing-options {
...
}
routing-instances {
...
}
}
Configuring Other Logical System Statements
You can configure a variety of additional statements
in conjunction with a logical system:
Logical tunnel (lt) interface—You can connect
different logical systems together within the same router with an lt interface. On M-series and T-series routing platforms, you
can create an lt interface if you have a Tunnel Services
PIC installed on an Enhanced FPC in your routing platform. On an M7i
router, logical tunnel interfaces can be created by using the integrated
Adaptive Services Module. On an MX-series router, the master administrator
must configure logical tunnel interfaces by including the tunnel-services statement at the [edit chassis fpc slot-number pic number] hierarchy level. For more information
about configuring tunnel interfaces on MX-series routers, see the JUNOS System Basics Configuration Guide.
You must treat each interface like a point-to-point
connection because you can only connect one logical tunnel interface
to another at any given time. Also, you must select an interface encapsulation
type, specify a DLCI number or VLAN identifier, configure a corresponding
protocol family, and set the logical interface unit number of the
peering lt interface. To configure, include the dlci, encapsulation, family, peer-unit,and vlan-id statements at the following hierarchy levels:
M-series, MX-series, or T-series router (master administrator
only)—[edit interfaces lt-fpc/pic/0
unit unit-number]
Logical system—[edit logical-systems logical-system-name interfaces lt-fpc/pic/0 unit unit-number]
peer-unit number; # The logical unit number of the peering lt interface.
dlci dlci-number;
vlan-id vlan-number;
family (ccc | inet | inet6 | iso | mpls | tcc);
}
}
}
}
Note:
When you configure IPv6 addresses on a logical
tunnel interface, you must configure unique IPv6 link local addresses
for any logical interfaces that peer with one another. To configure
a link local address, you must be the master administrator. To configure,
include a second IPv6 address with the address statement
at the [edit interfaces lt-fpc/pic/port unit unit-number family inet6] hierarchy level. Link local addresses typically
begin with the numbers fe80 (such as fe80::1111:1/64).
Dynamic Host Control Protocol (DHCP) relay (master administrator
only)—In a logical system, you can configure a DHCP or BOOTP
server, and allow TFTP and DNS packets to be forwarded. To configure
a DHCP or BOOTP server in a logical system, include the logical-system statement at the [edit forwarding-options helpers bootp interface interface-name server ip-address] hierarchy level. To configure TFTP packet forwarding in a logical
system, include the logical-system statement at the [edit forwarding-options helpers tftp interface interface-name server ip-address] hierarchy level. To
configure DNS packet forwarding in a logical system, include the logical-system statement at the [edit forwarding-options
helpers domain interface interface-name server ip-address] hierarchy level. For more information
about DHCP relay, BOOTP, TFTP, or DNS, see the JUNOS Policy
Framework Configuration Guide.
Filter-based forwarding (master administrator only)—You
can configure filter-based forwarding for a logical system or a routing
instance within a logical system. To configure filter-based forwarding
for a logical system, include the logical-system statement
at the [edit firewall filter filter-name term term-name then] hierarchy level. To configure filter-based
forwarding for a routing instance within a logical system, include
the routing-instance option at the [edit firewall filter filter-name term term-name then logical-system logical-system-name] hierarchy level.
For more information, see the JUNOS Policy Framework Configuration
Guide.
Bidirectional forwarding—You can configure Bidirectional
Forwarding Detection Protocol (BFD) for a logical system or a routing
instance within a logical system. To configure BFD for a logical system,
include the bfd-liveness-detection statement at the [edit logical-systems logical-system-name protocols] hierarchy level. To configure BFD for a routing
instance within a logical system, include the bfd-liveness-detection statement at the [edit logical-systemslogical-system-name routing-instancesrouting-instance-nameprotocols] hierarchy level. This feature is supported
for the following protocols: RIP, BGP, OSPF, and IS-IS. For more information,
see the JUNOS Routing Protocols Configuration Guide.
You can place yourself into the context of a specific
logical system. To configure a logical system context, issue the set cli logical-system logical-system-name command.
When you enter logical system context mode and
enter an operational mode command, the output of the command displays
information related to the logical system only. For example, when
you issue the show route command, the output shows only the
routes that are assigned to the logical system.
user@P0> set cli logical-system ls1
Logical system: ls1
user@P0:ls1># Note that the
user is now restricted to a logical system context.
To clear the logical system context and
return to a full router (master router) context, issue the clear
cli logical-system command.
user@P0:ls1> clear cli logical-system
Cleared default logical system
user@P0># Note that the user
can now view the entire router again.
To achieve the same effect when using
a JUNOScript client application, include the <set-logical-system> tag:
<rpc>
<set-logical-system>
<logical-system>ls1</logical-system>
</set-logical-system>
</rpc>
For more information about JUNOScript,
see the JUNOScript API Guide.
Enhanced SNMP support for logical systems (master administrator
only)—By default, the SNMP manager can access SNMP data from
all routing instances. To restrict the SNMP manager to data from the
default routing instance only, include the routing-instance-access statement at the [edit snmp] hierarchy level. For more
information about configuring SNMP, see the JUNOS Network Management Configuration Guide.
SNMP community strings for routing instances and logical
systems—To specify a routing instance when you add a client
to an SNMP community, include the routing-instance routing-instance-name statement at the [edit snmp community community-name] hierarchy level. To specify a routing instance that is defined
within a logical system, include the routing-instance routing-instance-name statement at the [edit snmp community community-name logical-system
logical-system-name] hierarchy level.
SNMPv3 trap targets for routing instances and logical
systems—To specify a routing instance when you add a client
to an SNMPv3 trap target, include the routing-instance routing-instance-name statement at the [edit
snmp v3 target-address target-address] hierarchy
level. To specify a logical system when you add a client in an SNMPv3
trap target, include the logical-system logical-system-name statement at the [edit snmp v3 target-address target-address] hierarchy level. For more information
about configuring SNMP, see the JUNOS Network Management Configuration Guide.
SNMP trap packets for routing instances—To specify
a routing instance for SNMP trap packets sent by the router, include
the routing-instance routing-instance-name statement at the [edit snmp trap-options] hierarchy
level. To specify a routing instance that is defined within a logical
system, include the routing-instance routing-instance-name statement at the [edit snmp trap-options logical-system logical-system-name] hierarchy level. For more information
about configuring SNMP, see the JUNOS Network Management Configuration Guide.
SNMP trap groups for routing instances and logical systems—To
specify a routing instance of an SNMP trap group, include the routing-instance routing-instance-name statement
at the [edit snmp trap-group trap-group-name] hierarchy level. To specify a logical system for an SNMP trap
group, include the logical-system logical-system-name statement at the [edit snmp trap-group trap-group-name] hierarchy level. For more information about configuring SNMP,
see the JUNOS Network Management Configuration Guide.
In addition, you can configure only Frame Relay
interface encapsulation on a logical tunnel interface when it is configured
with an IPv6 address.
