Understanding Logical Systems for Routers and Switches
Logical systems enable you to partition a single router into multiple logical devices that perform independent routing tasks. They offer an effective way to maximize the use of a single routing or switching platform. For more information, see the following topics:
Comparing Junos OS Device Virtualization Technologies
The Junos OS supports multiple device virtualization technologies. The technologies have similar names, which can lead to confusion.
The Junos OS device virtualization technologies are:
Logical systems—Offer routing and management separation. Management separation means multiple user access. Each logical system has its own routing tables.
Logical router is the old name for logical system. Beginning with Junos OS Release 9.3, the logical router feature has been renamed logical system. All configuration statements, operational commands, show command output, error messages, log messages, and SNMP MIB objects that contain the string logical-router have been changed to logical-system.
Virtual routers—Offer separate routing tables and scalable routing separation. Virtual routers are similar to VPN routing and forwarding instance types except that they are used for non-VPN-related applications. Virtual routers typically consist of the routing tables, the interfaces assigned to the routing tables, routing protocol configurations, and routing option configurations. There are no virtual routing and forwarding (VRF) import, VRF export, VRF target, or route distinguisher requirements for the virtual router instance-type.
You can use virtual router routing instance types on a single device to segment your network, as opposed to configuring multiple devices to achieve the same result. Virtual router instances can isolate traffic by separating the device into multiple, independent virtual routers, each with its own routing table.
VRF-Lite—Offers routing separation. The functionality of VRF-Lite is similar to virtual routers, but VRF-Lite is for smaller environments.
Virtual switches—Offer scalable switching separation.
Junos node slicing—Junos node slicing allows a single MX Series router to be partitioned to appear as multiple, independent routers. Each partition has its own Junos OS control plane, which runs as a virtual machine (VM), and a dedicated set of line cards. Each partition is called a guest network function (GNF). You can configure logical systems inside a GNF. For more information on Junos node slicing, see Understanding Junos Node Slicing.
Table 1 summarizes the benefits of virtual routers, VRF-Lite, and logical systems.
Table 1: Benefits of Virtual Routers, VRF-Lite, and Logical Systems
Logical platform partitioning
Fault isolation on the routing plane
Multiple user access (management separation)
Scalable routing separation
Introduction to Logical Systems
For many years, engineers have combined power supplies, routing hardware and software, forwarding hardware and software, and physical interfaces into a networking device known as a router. Networking vendors have created large routers and small routers, but all routers have been placed into service as individual devices. As a result, the router has been considered a single physical device for most of its history.
The concept of logical systems breaks with this tradition. With the Junos® operating system (Junos OS), you can partition a single router into multiple logical devices that perform independent routing tasks. Because logical systems perform a subset of the tasks once handled by the main router, logical systems offer an effective way to maximize the use of a single routing or switching platform.
Beginning with Junos OS Release 9.3, the logical router feature has been renamed logical system.
All configuration statements, operational commands, show command output, error messages, log messages, and SNMP MIB objects that contain the string logical-router have been changed to logical-system.
Traditionally, service provider network design requires multiple layers of switches and routers. These devices transport packet traffic between customers. As seen on the left side of Figure 1, access devices are connected to edge devices, which are in turn connected to core devices.
However, this complexity can lead to challenges in maintenance, configuration, and operation. To reduce such complexity, Juniper Networks supports logical systems. Logical systems perform a subset of the actions of the main router and have their own unique routing tables, interfaces, policies, and routing instances. As shown on the right side of Figure 1, a set of logical systems within a single router can handle the functions previously performed by several small routers.
Logical Systems Applications
Logical systems are discrete contexts that virtually divide a supported device into multiple devices, isolating one from another and protecting them from faulty conditions outside their own contexts.
The logical systems functionality enables you to partition the device and assign private logical systems to groups or organizations. Logical systems are defined largely by the resources allocated to them, the features enabled for the logical context, their routing configurations, and their logical interface assignments. Logical systems segment a physical routing device so that it can be configured and operated as multiple independent routers within one platform. This isolates routing protocols and interfaces among up to 16 logical systems (including the master logical system). User permissions and access are defined separately for each logical system, enabling different groups to manage the same physical device. Logical systems enable the use of large routing devices in small routing device roles and provide flexible segmentation of routing by service type. Consolidating multiple services into one device improves asset utilization.
For example, logical systems enable the following services on a single routing device platform:
Internet BGP peering
Edge aggregation and dedicated access
MPLS provider edge (PE) and provider (P) VPN label-switching routers (LSRs)
Figure 2 shows how logical systems can be used for horizontal consolidation, vertical consolidation, and managed services. Horizontal consolidation occurs when you combine routing device functions of the same layer into a single routing device. Vertical consolidation occurs when you collapse routing device functions of different layers into a single routing device. With managed services, each logical system is a customer routing device.
Junos OS Features That Are Supported on Logical Systems
The following protocols and functions are supported on logical systems:
Open Shortest Path First (OSPF), Intermediate System-to-Intermediate System (IS-IS), Routing Information Protocol (RIP), RIP next generation (RIPng), Border Gateway Protocol (BGP), Resource Reservation Protocol (RSVP), Label Distribution Protocol (LDP), static routes, and Internet Protocol version 4 (IPv4) and version 6 (IPv6).
Multiprotocol Label Switching (MPLS) provider edge (PE) and core provider router functions, such as Layer 2 virtual private networks (VPNs), Layer 3 VPNs, circuit cross-connect (CCC), Layer 2 circuits, and virtual private LAN service (VPLS).
Ethernet Virtual Private Network (EVPN) has been added for logical systems running on MX devices. Running EVPN in a logical system provides the same options and performance as running EVPN on a physical system, which adheres to the standards described in RFC 7432.
Resource Reservation Protocol (RSVP) point-to-multipoint label-switched paths (LSPs).
Multicast protocols, such as Protocol Independent Multicast (PIM), Distance Vector Multicast Routing Protocol (DVMRP), rendezvous point (RP), and source designated router (DR).
All policy-related statements available at the [edit policy-options] hierarchy level.
Most routing options statements available at the [edit routing-options] hierarchy level.
Graceful Routing Engine switchover (GRES). Configure graceful Routing Engine switchover on the main router with the graceful-switchover statement at the [edit chassis redundancy] hierarchy level.
Graceful restart. Include the graceful-restart statement at the [edit logical-systems logical-system-name routing-options] hierarchy level.
You can assign most interface types to a logical system. For a list of unsupported PICs, see Logical Systems Operations and Restrictions.
Starting in Junos OS Release 11.4, flow aggregation in logical systems is supported. In the logical system, sampling based on the Routing Engine is not supported. Only PIC-based sampling is supported. Logical systems support only cflowd version 9. Currently, cflowd version 5 and cflowd version 8 are not supported in logical systems. Flow aggregation in logical systems is slightly different from flow aggregation on the main router in that when you configure flow aggregation in logical systems, the route-record statement is not required.
Flow aggregation is supported by the Multiservices DPC (MS-DPC). Jflow is not supported on logical systems with MS-MPCs and MS-MICs.
Port mirroring, source class usage, destination class usage, unicast reverse-path forwarding, class of service, firewall filters, class-based forwarding, and policy-based accounting work with logical systems when you configure these features on the main router.
The Simple Network Management Protocol (SNMP) has been extended to support logical systems and routing instances. A network management system receives instance-aware information in the following format: logical-system-name/routing-instance@community
As a result, a network manager can gather statistics for a specific community within a routing instance within a logical system. The SNMP manager for a routing instance can request and manage SNMP data only for that routing instance and other routing instances in the same logical system. By default, the SNMP manager for the default routing instance in the main router (inet.0) can access SNMP data from all routing instances. To restrict that manager’s access to the default routing instance only, include the routing-instance-access statement at the [edit snmp] hierarchy level.
Starting in Junos OS Release 11.4, support for system logging at the [edit logical-systems logical-system-name system syslog] hierarchy level is introduced.
Starting in Junos OS Release 13.3R1, nonstop active routing (NSR) is supported on logical systems to preserve interface and kernel information. The nonstop-routing statement is introduced at the [edit logical-systems logical-system-name routing-options] hierarchy level to enable nonstop active routing for logical systems.
Starting in Junos OS Release 14.1, you can configure multichassis link aggregation (MC-LAG) interfaces on logical systems within a router. On MX Series routers, MC-LAG enables a device to form a logical LAG interface with two or more other devices. MC-LAG provides additional benefits over traditional LAG in terms of node-level redundancy, multihoming support, and a loop-free Layer 2 network without running Spanning Tree Protocol (STP). The MC-LAG devices use Inter-Chassis Communication Protocol (ICCP) to exchange control information between the two MC-LAG network devices.
Starting in Junos OS Release 14.2, an MX Series Virtual Chassis configuration supports the use of logical systems on MX Series routers with Modular Port Concentrators (MPCs). A Virtual Chassis enables a collection of member routers to function as a single virtual router, and extends the features available on a single router to the member routers in the Virtual Chassis.
Logical Systems System Requirements
To implement logical systems, your system must meet the minimum requirements listed here.
Junos OS Release 12.1X48 or later for support on PTX Series routers
Junos OS Release 8.5 or later for logical system administrator support
Junos OS Release 8.4 or later for SNMP enhancements and limits
Junos OS Release 8.3 or later for Bidirectional Forwarding Detection (BFD) on logical systems
Junos OS Release 8.2 or later for support on MX Series routers
Junos OS Release 7.5 or later for SNMP support within a logical system
Junos OS Release 7.4 or later for multicast protocol RP and source designated router functionality within a logical system
Junos OS Release 7.0 or later to implement a logical tunnel (lt) interface on an integrated Adaptive Services Module in an M7i router
Junos OS Release 6.1 or later, a Tunnel Services PIC, and an Enhanced FPC on M Series or T Series routers to implement a logical tunnel (lt) interface
Junos OS Release 6.0 or later for basic logical system functionality
One or more M Series, MX Series, PTX Series, or T Series routers
On M Series and T Series routers, a variety of PICs to assign interfaces to each logical system
One or more EX9200 switches
Logical Systems Operations and Restrictions
Logical systems have the following operations and restrictions:
You can configure a maximum of 15 logical systems plus the master logical system on a routing device. While one user's configuration session is in use, other users who are tied to the same logical system cannot commit configuration changes.
The routing device has only one running configuration database, which contains configuration information for the main routing device and all associated logical systems. When configuring a logical system, each user has a separate candidate configuration database, which does not become part of the running configuration database until that user issues the commit command.
Flow routes are not supported in non-default logical systems.
Configuring the out-of-band management interface, such as em0 or fxp0, in a logical system is not supported.
The following guidelines describe how firewall filters affect the main routing device, logical systems, and virtual routers. The "default loopback interface" refers to lo0.0 (associated with the default routing table), the "loopback interface in a logical system" refers to lo0.n configured in the logical system, and the "loopback interface in the virtual router" refers to lo0.n configured in the virtual router.
If you configure Filter A on the default loopback interface in the main routing device but do not configure a filter on the loopback interface in a logical system, the logical system does not use a filter.
If you configure Filter A on the default loopback interface in the main routing device but do not configure a loopback interface in a logical system, the logical system uses Filter A.
If you configure Filter A on the default loopback interface on the main routing device and Filter B on the loopback interface in a logical system, the logical system uses Filter B. In a special case of this rule, when you also configure a routing instance of type virtual-router on the logical system, the following rules apply:
If you configure Filter C on the loopback interface in the virtual router, traffic belonging to the virtual router uses Filter C.
If you do not configure a filter on the loopback interface in the virtual router, traffic belonging to the virtual router does not use a filter.
If you do not configure a loopback interface in the virtual router, traffic belonging to the virtual router uses Filter A.
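The loopback-filter rules above decide which filter, if any, guards a context's control-plane traffic, and the risky case is an lo0.n that was created without a filter, which silently drops the main router's protection. This Python model is an added example, not Juniper code: it applies the rules as stated on this page (a virtual router without a loopback falls back to the main router's Filter A, not to the logical system's filter) and audits which contexts end up unfiltered. The class names, filter names, and sample contexts are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional

@dataclass
class Loopback:
    """An lo0.n unit and the input filter attached to it, if any (None = no filter)."""
    unit: int
    filter: Optional[str] = None

@dataclass
class LogicalSystem:
    name: str
    loopback: Optional[Loopback] = None  # lo0.n assigned to this logical system
    # virtual-router instances in this logical system, keyed by name; the value
    # is the VR's own lo0.n, or None when no loopback was configured for it
    virtual_routers: Dict[str, Optional[Loopback]] = field(default_factory=dict)

def resolve(main_filter: Optional[str], own: Optional[Loopback]) -> Optional[str]:
    """Page rules: a context with its own lo0.n uses that unit's filter (which
    may be none at all); a context without a loopback inherits the main
    router's lo0.0 filter (Filter A)."""
    if own is None:
        return main_filter
    return own.filter

def effective_filter(main_filter, ls, vr=None):
    """Filter applied to control-plane traffic of ls, or of virtual router vr
    inside ls. A VR with no loopback falls back to the main router's filter,
    not to the logical system's, exactly as the page states."""
    own = ls.loopback if vr is None else ls.virtual_routers[vr]
    return resolve(main_filter, own)

def audit_unfiltered(main_filter, systems) -> List[str]:
    """Return contexts that end up with no loopback filter: an lo0.n exists but
    carries no filter, so the main router's filter no longer covers them."""
    exposed = []
    for ls in systems:
        if effective_filter(main_filter, ls) is None:
            exposed.append(ls.name)
        exposed += [f"{ls.name}/{vr}" for vr in ls.virtual_routers
                    if effective_filter(main_filter, ls, vr) is None]
    return exposed

# Constructed sample: lo0.0 on the main router carries Filter A ("protect-re").
MAIN_FILTER = "protect-re"
SAMPLE = [
    LogicalSystem("ls-nolo"),                       # no lo0.n: inherits Filter A
    LogicalSystem("ls-bare", Loopback(2)),          # lo0.2 without a filter
    LogicalSystem("ls-b", Loopback(3, "filter-b"), {
        "vr-c": Loopback(4, "filter-c"),            # Filter C on the VR loopback
        "vr-bare": Loopback(5),                     # lo0.5 without a filter
        "vr-nolo": None,                            # no VR loopback: Filter A
    }),
]

print("unfiltered loopbacks:", audit_unfiltered(MAIN_FILTER, SAMPLE))
```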
If a logical system experiences an interruption of its routing protocol process (rpd), the core dump output is placed in /var/tmp/ in a file called rpd_logical-system-name.core-tarball.number.tgz. Likewise, if you issue the restart routing command in a logical system, only the routing protocol process (rpd) for the logical system is restarted.
If you configure trace options for a logical system, the output log file is stored in the following location: /var/log/logical-system-name. To monitor a log file within a logical system, issue the monitor start logical-system-name/filename command.
The following PICs are not supported with logical systems: Adaptive Services, Multiservices, ES, Monitoring Services, and Monitoring Services II.
Generalized MPLS (GMPLS), IP Security (IPsec), and sampling are not supported.
Ethernet VPN (EVPN) support, including EVPN-MPLS, EVPN + VXLAN, and PBB EVPN, has been extended to logical systems running on MX devices. The same EVPN options and performance that are available in the default EVPN instance are available in a logical system. Note that Graceful Restart, Graceful Routing Engine switchover (GRES), and nonstop active routing (NSR) are not supported. Configure EVPN on a logical system under the [edit logical-systems logical-system-name routing-instances routing-instance-name protocols evpn] hierarchy.
Class of service (CoS) on a logical tunnel (lt) or virtual loopback tunnel (vt) interface in a logical system is not supported.
You cannot include the vrf-table-label statement on multiple logical systems if the core-facing interfaces are channelized or configured with multiple logical interfaces (Frame Relay DLCIs or Ethernet VLANs). However, you can use the vrf-table-label statement on multiple logical systems if the core-facing interface is located on MX Series routers with MPCs.
The master administrator must configure global interface properties and physical interface properties at the [edit interfaces] hierarchy level. Logical system administrators can only configure and verify configurations for the logical systems to which they are assigned.
You can configure only Frame Relay interface encapsulation on a logical tunnel interface (lt-) when it is configured with an IPv6 address.
IPv6 tunneling is not supported with point-to-multipoint label-switched paths (LSPs) configured on logical systems.
IGMP snooping is not supported.
BGP MVPNs and NG MVPNs are supported in logical systems. Draft-rosen multicast VPNs are not supported in a logical system environment even though the configuration statements can be configured under the logical-systems hierarchy.
Inline services are not supported in logical systems.
Carrier supporting carrier (CsC) is not supported in logical systems.
If you configure virtual private LAN service (VPLS) for a logical system, the no-tunnel-services statement is visible but not supported on DPC cards.
In a VPLS multihoming scenario in which a logical tunnel interface (lt-) is used for connecting the dual-home VPLS, Junos OS creates a unique static MAC address for every logical tunnel interface configured. This MAC address is not flushed when a CCC down event occurs on the link and when traffic is switched from the primary link to the backup link (or the reverse). As a result, any traffic that is destined for hosts behind the logical tunnel MAC address does not take the new path.