
    Example: Configuring Logical Systems in an Active/Passive Chassis Cluster

    This example shows how to configure logical systems in a basic active/passive chassis cluster.

    Note: The master administrator configures the chassis cluster and creates logical systems (including an optional interconnect logical system), administrators, and security profiles. Either the master administrator or the user logical system administrator configures a user logical system. The configuration is synchronized between nodes in the cluster.

    Requirements

    Before you begin:

    Note: For this example, chassis cluster and logical system configuration is performed on the primary (node 0) device at the root level by the master administrator. Log in to the device as the master administrator. See Understanding the Master Logical System and the Master Administrator Role.

    Note: When you use SRX Series devices running logical systems in a chassis cluster, you must purchase and install the same number of logical system licenses for each node in the chassis cluster. Logical system licenses pertain to a single chassis or node within a chassis cluster and not to the cluster collectively. See Understanding Licenses for Logical Systems on SRX Series Devices.

    Overview

    In this example, the basic active/passive chassis cluster consists of two devices:

    • One device actively provides logical systems, along with maintaining control of the chassis cluster.
    • The other device passively maintains its state for cluster failover capabilities should the active device become inactive.

    Note: Logical systems in an active/active chassis cluster are configured in a similar manner as for logical systems in an active/passive chassis cluster. For active/active chassis clusters, there can be multiple redundancy groups that can be primary on different nodes.

    The master administrator configures the following logical systems on the primary device (node 0):

    • Master logical system—The master administrator configures a security profile to provision portions of the system’s security resources to the master logical system and configures the resources of the master logical system.
    • User logical systems LSYS1 and LSYS2 and their administrators—The master administrator also configures security profiles to provision portions of the system’s security resources to user logical systems. The user logical system administrator can then configure interfaces, routing, and security resources allocated to his or her logical system.
    • Interconnect logical system LSYS0 that connects logical systems on the device—The master administrator configures logical tunnel interfaces between the interconnect logical system and each logical system. These peer interfaces effectively allow for the establishment of tunnels.

    Note: This example does not describe configuring features such as NAT, IDP, or VPNs for a logical system. See SRX Series Logical System Master Administrator Configuration Tasks Overview and User Logical System Configuration Overview for more information about features that can be configured for logical systems.

    If you are performing proxy ARP in a chassis cluster configuration, you must apply the proxy ARP configuration to the reth interfaces rather than the member interfaces because the reth interfaces contain the logical configurations. See Configuring Proxy ARP (CLI Procedure) in the Junos OS Security Configuration Guide PDF Document.

    Topology

    Figure 1 shows the topology used in this example.

    Figure 1: Logical Systems in a Chassis Cluster


    Configuration

    Chassis Cluster Configuration (Master Administrator)

    CLI Quick Configuration

    To quickly create logical systems and user logical system administrators and configure the master and interconnect logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    On {primary:node0}

    set chassis cluster control-ports fpc 0 port 0
    set chassis cluster control-ports fpc 6 port 0
    set interfaces fab0 fabric-options member-interfaces ge-1/1/0
    set interfaces fab1 fabric-options member-interfaces ge-7/1/0
    set groups node0 system host-name SRX5800-1
    set groups node0 interfaces fxp0 unit 0 family inet address 10.157.90.24/9
    set groups node0 system backup-router 10.157.64.1 destination 0.0.0.0/0
    set groups node1 system host-name SRX5800-2
    set groups node1 interfaces fxp0 unit 0 family inet address 10.157.90.23/19
    set groups node1 system backup-router 10.157.64.1 destination 0.0.0.0/0
    set apply-groups "${node}"
    set chassis cluster reth-count 5
    set chassis cluster redundancy-group 0 node 0 priority 200
    set chassis cluster redundancy-group 0 node 1 priority 100
    set chassis cluster redundancy-group 1 node 0 priority 200
    set chassis cluster redundancy-group 1 node 1 priority 100
    set interfaces ge-1/0/0 gigether-options redundant-parent reth0
    set interfaces ge-1/0/1 gigether-options redundant-parent reth1
    set interfaces ge-1/0/2 gigether-options redundant-parent reth2
    set interfaces ge-1/0/3 gigether-options redundant-parent reth3
    set interfaces ge-7/0/0 gigether-options redundant-parent reth0
    set interfaces ge-7/0/1 gigether-options redundant-parent reth1
    set interfaces ge-7/0/2 gigether-options redundant-parent reth2
    set interfaces ge-7/0/3 gigether-options redundant-parent reth3
    set interfaces reth0 redundant-ether-options redundancy-group 1
    set interfaces reth0 unit 0 family inet address 95.99.99.1/8
    set interfaces reth1 redundant-ether-options redundancy-group 1
    set interfaces reth2 redundant-ether-options redundancy-group 1
    set interfaces reth3 redundant-ether-options redundancy-group 1

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure a chassis cluster:

    Note: Perform the following steps on the primary device (node 0). They are automatically copied over to the secondary device (node 1) when you execute a commit command.

    1. Configure control ports for the cluster.
      [edit chassis cluster]
      user@host# set control-ports fpc 0 port 0
      user@host# set control-ports fpc 6 port 0
    2. Configure the fabric (data) ports of the cluster that are used to pass RTOs in active/passive mode.
      [edit interfaces]
      user@host# set fab0 fabric-options member-interfaces ge-1/1/0
      user@host# set fab1 fabric-options member-interfaces ge-7/1/0
    3. Assign some elements of the configuration to a specific member. Configure out-of-band management on the fxp0 interface of the SRX Services Gateway using separate IP addresses for the individual control planes of the cluster.
      [edit]
      user@host# set groups node0 system host-name SRX5800-1
      user@host# set groups node0 interfaces fxp0 unit 0 family inet address 10.157.90.24/9
      user@host# set groups node0 system backup-router 10.157.64.1 destination 0.0.0.0/0
      user@host# set groups node1 system host-name SRX5800-2
      user@host# set groups node1 interfaces fxp0 unit 0 family inet address 10.157.90.23/19
      user@host# set groups node1 system backup-router 10.157.64.1 destination 0.0.0.0/0
      user@host# set apply-groups "${node}"
    4. Configure redundancy groups for chassis clustering.
      [edit chassis cluster]
      user@host# set reth-count 5
      user@host# set redundancy-group 0 node 0 priority 200
      user@host# set redundancy-group 0 node 1 priority 100
      user@host# set redundancy-group 1 node 0 priority 200
      user@host# set redundancy-group 1 node 1 priority 100
    5. Configure the data interfaces on the platform so that in the event of a data plane failover, the other chassis cluster member can take over the connection seamlessly.
      [edit interfaces]
      user@host# set ge-1/0/0 gigether-options redundant-parent reth0
      user@host# set ge-1/0/1 gigether-options redundant-parent reth1
      user@host# set ge-1/0/2 gigether-options redundant-parent reth2
      user@host# set ge-1/0/3 gigether-options redundant-parent reth3
      user@host# set ge-7/0/0 gigether-options redundant-parent reth0
      user@host# set ge-7/0/1 gigether-options redundant-parent reth1
      user@host# set ge-7/0/2 gigether-options redundant-parent reth2
      user@host# set ge-7/0/3 gigether-options redundant-parent reth3
      user@host# set reth0 redundant-ether-options redundancy-group 1
      user@host# set reth0 unit 0 family inet address 95.99.99.1/8
      user@host# set reth1 redundant-ether-options redundancy-group 1
      user@host# set reth2 redundant-ether-options redundancy-group 1
      user@host# set reth3 redundant-ether-options redundancy-group 1

    Results

    From operational mode, confirm your configuration by entering the show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    user@host> show configuration
    version ;
    groups { 
        node0 { 
            system { 
                host-name SRX5800-1;
                backup-router 10.157.64.1 destination 0.0.0.0/0;
            } 
            interfaces { 
                fxp0 { 
                    unit 0 { 
                        family inet { 
                            address 10.157.90.24/9;
                        } 
                    } 
                }
            }
        }
        node1 { 
            system { 
                host-name SRX5800-2;
                backup-router 10.157.64.1 destination 0.0.0.0/0;
            } 
            interfaces { 
                fxp0 { 
                    unit 0 { 
                        family inet { 
                            address 10.157.90.23/19;
                        } 
                    } 
                }
            }
        }
    }
    apply-groups "${node}";
    chassis {
        cluster {
            control-link-recovery;
            reth-count 5;
            control-ports {
                fpc 0 port 0;
                fpc 6 port 0;
            }
            redundancy-group 0 {
                node 0 priority 200;
                node 1 priority 100;
            }
            redundancy-group 1 {
                node 0 priority 200;
                node 1 priority 100;
            } 
        }
    }
    interfaces {
        ge-1/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-1/0/1 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-1/0/2 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        ge-1/0/3 {
            gigether-options {
                redundant-parent reth3;
            }
        }
        ge-7/0/0 {
            gigether-options {
                redundant-parent reth0;
            }
        }
        ge-7/0/1 {
            gigether-options {
                redundant-parent reth1;
            }
        }
        ge-7/0/2 {
            gigether-options {
                redundant-parent reth2;
            }
        }
        ge-7/0/3 {
            gigether-options {
                redundant-parent reth3;
            }
        }
        fab0 {
            fabric-options {
                member-interfaces {
                    ge-1/1/0;
                }
            }
        }
        fab1 {
            fabric-options {
                member-interfaces {
                    ge-7/1/0;
                }
            }
        }
        reth0 {
            redundant-ether-options {
                redundancy-group 1;
            }
            unit 0 {
                family inet {
                    address 95.99.99.1/8;
                }
            }
        }
        reth1 {
            redundant-ether-options {
                redundancy-group 1;
            }
        }
        reth2 {
            redundant-ether-options {
                redundancy-group 1;
            }
        }
        reth3 {
            redundant-ether-options {
                redundancy-group 1;
            }
        }
    }

    Logical System Configuration (Master Administrator)

    CLI Quick Configuration

    To quickly create logical systems and user logical system administrators and configure the master and interconnect logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    Note: You are prompted to enter and then reenter plain-text passwords.

    On {primary:node0}

    set logical-systems LSYS1
    set logical-systems LSYS2
    set logical-systems LSYS0
    set system login class lsys1 logical-system LSYS1
    set system login class lsys1 permissions all
    set system login user lsys1admin full-name lsys1-admin
    set system login user lsys1admin class lsys1
    set system login user lsys1admin authentication plain-text-password
    set system login class lsys2 logical-system LSYS2
    set system login class lsys2 permissions all
    set system login user lsys2admin full-name lsys2-admin
    set system login user lsys2admin class lsys2
    set system login user lsys2admin authentication plain-text-password
    set system security-profile SP-root policy maximum 200
    set system security-profile SP-root policy reserved 100
    set system security-profile SP-root zone maximum 200
    set system security-profile SP-root zone reserved 100
    set system security-profile SP-root flow-session maximum 200
    set system security-profile SP-root flow-session reserved 100
    set system security-profile SP-root root-logical-system
    set system security-profile SP0 logical-system LSYS0
    set system security-profile SP1 policy maximum 100
    set system security-profile SP1 policy reserved 50
    set system security-profile SP1 zone maximum 100
    set system security-profile SP1 zone reserved 50
    set system security-profile SP1 flow-session maximum 100
    set system security-profile SP1 flow-session reserved 50
    set system security-profile SP1 logical-system LSYS1
    set system security-profile SP2 policy maximum 100
    set system security-profile SP2 policy reserved 50
    set system security-profile SP2 zone maximum 100
    set system security-profile SP2 zone reserved 50
    set system security-profile SP2 flow-session maximum 100
    set system security-profile SP2 flow-session reserved 50
    set system security-profile SP2 logical-system LSYS2
    set interfaces lt-0/0/0 unit 1 encapsulation ethernet
    set interfaces lt-0/0/0 unit 1 peer-unit 0
    set interfaces lt-0/0/0 unit 1 family inet address 2.1.1.1/24
    set routing-instances vr0 instance-type virtual-router
    set routing-instances vr0 interface lt-0/0/0.1
    set routing-instances vr0 interface reth0.0
    set routing-instances vr0 routing-options static route 85.0.0.0/8 next-hop 2.1.1.3
    set routing-instances vr0 routing-options static route 75.0.0.0/8 next-hop 2.1.1.3
    set routing-instances vr0 routing-options static route 65.0.0.0/8 next-hop 2.1.1.5
    set security zones security-zone root-trust host-inbound-traffic system-services all
    set security zones security-zone root-trust host-inbound-traffic protocols all
    set security zones security-zone root-trust interfaces reth0.0
    set security zones security-zone root-untrust host-inbound-traffic system-services all
    set security zones security-zone root-untrust host-inbound-traffic protocols all
    set security zones security-zone root-untrust interfaces lt-0/0/0.1
    set security policies from-zone root-trust to-zone root-untrust policy root-Trust_to_root-Untrust match source-address any
    set security policies from-zone root-trust to-zone root-untrust policy root-Trust_to_root-Untrust match destination-address any
    set security policies from-zone root-trust to-zone root-untrust policy root-Trust_to_root-Untrust match application any
    set security policies from-zone root-trust to-zone root-untrust policy root-Trust_to_root-Untrust then permit
    set security policies from-zone root-untrust to-zone root-trust policy root-Untrust_to_root-Trust match source-address any
    set security policies from-zone root-untrust to-zone root-trust policy root-Untrust_to_root-Trust match destination-address any
    set security policies from-zone root-untrust to-zone root-trust policy root-Untrust_to_root-Trust match application any
    set security policies from-zone root-untrust to-zone root-trust policy root-Untrust_to_root-Trust then permit
    set security policies from-zone root-untrust to-zone root-untrust policy root-Untrust_to_root-Untrust match source-address any
    set security policies from-zone root-untrust to-zone root-untrust policy root-Untrust_to_root-Untrust match destination-address any
    set security policies from-zone root-untrust to-zone root-untrust policy root-Untrust_to_root-Untrust match application any
    set security policies from-zone root-untrust to-zone root-untrust policy root-Untrust_to_root-Untrust then permit
    set security policies from-zone root-trust to-zone root-trust policy root-Trust_to_root-Trust match source-address any
    set security policies from-zone root-trust to-zone root-trust policy root-Trust_to_root-Trust match destination-address any
    set security policies from-zone root-trust to-zone root-trust policy root-Trust_to_root-Trust match application any
    set security policies from-zone root-trust to-zone root-trust policy root-Trust_to_root-Trust then permit
    set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
    set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
    set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
    set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 peer-unit 3
    set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
    set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 peer-unit 5
    set logical-systems LSYS0 routing-instances vr instance-type vpls
    set logical-systems LSYS0 routing-instances vr interface lt-0/0/0.0
    set logical-systems LSYS0 routing-instances vr interface lt-0/0/0.2
    set logical-systems LSYS0 routing-instances vr interface lt-0/0/0.4
    set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 encapsulation ethernet
    set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 peer-unit 2
    set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 family inet address 2.1.1.3/24
    set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 encapsulation ethernet
    set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 peer-unit 4
    set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 family inet address 2.1.1.5/24

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To create logical systems and user logical system administrators and configure the master and interconnect logical systems:

    1. Create the interconnect and user logical systems.
      [edit logical-systems]
      user@host# set LSYS0
      user@host# set LSYS1
      user@host# set LSYS2
    2. Configure user logical system administrators.

      Step-by-Step Procedure

      1. Configure the user logical system administrator for LSYS1.
        [edit system login]
        user@host# set class lsys1 logical-system LSYS1
        user@host# set class lsys1 permissions all
        user@host# set user lsys1admin full-name lsys1-admin
        user@host# set user lsys1admin class lsys1
        user@host# set user lsys1admin authentication plain-text-password
      2. Configure the user logical system administrator for LSYS2.
        [edit system login]
        user@host# set class lsys2 logical-system LSYS2
        user@host# set class lsys2 permissions all
        user@host# set user lsys2admin full-name lsys2-admin
        user@host# set user lsys2admin class lsys2
        user@host# set user lsys2admin authentication plain-text-password
    3. Configure security profiles and assign them to logical systems.

      Step-by-Step Procedure

      1. Configure a security profile and assign it to the root logical system.
        [edit system security-profile]
        user@host# set SP-root policy maximum 200
        user@host# set SP-root policy reserved 100
        user@host# set SP-root zone maximum 200
        user@host# set SP-root zone reserved 100
        user@host# set SP-root flow-session maximum 200
        user@host# set SP-root flow-session reserved 100
        user@host# set SP-root root-logical-system
      2. Assign a dummy security profile containing no resources to the interconnect logical system LSYS0.
        [edit system security-profile]
        user@host# set SP0 logical-system LSYS0
      3. Configure a security profile and assign it to LSYS1.
        [edit system security-profile]
        user@host# set SP1 policy maximum 100
        user@host# set SP1 policy reserved 50
        user@host# set SP1 zone maximum 100
        user@host# set SP1 zone reserved 50
        user@host# set SP1 flow-session maximum 100
        user@host# set SP1 flow-session reserved 50
        user@host# set SP1 logical-system LSYS1
      4. Configure a security profile and assign it to LSYS2.
        [edit system security-profile]
        user@host# set SP2 policy maximum 100
        user@host# set SP2 policy reserved 50
        user@host# set SP2 zone maximum 100
        user@host# set SP2 zone reserved 50
        user@host# set SP2 flow-session maximum 100
        user@host# set SP2 flow-session reserved 50
        user@host# set SP2 logical-system LSYS2
    4. Configure the master logical system.

      Step-by-Step Procedure

      1. Configure logical tunnel interfaces.
        [edit interfaces]
        user@host# set lt-0/0/0 unit 1 encapsulation ethernet
        user@host# set lt-0/0/0 unit 1 peer-unit 0
        user@host# set lt-0/0/0 unit 1 family inet address 2.1.1.1/24
      2. Configure a routing instance.
        [edit routing-instances]
        user@host# set vr0 instance-type virtual-router
        user@host# set vr0 interface lt-0/0/0.1
        user@host# set vr0 interface reth0.0
        user@host# set vr0 routing-options static route 85.0.0.0/8 next-hop 2.1.1.3
        user@host# set vr0 routing-options static route 75.0.0.0/8 next-hop 2.1.1.3
        user@host# set vr0 routing-options static route 65.0.0.0/8 next-hop 2.1.1.5
      3. Configure zones.
        [edit security zones]
        user@host# set security-zone root-trust host-inbound-traffic system-services all
        user@host# set security-zone root-trust host-inbound-traffic protocols all
        user@host# set security-zone root-trust interfaces reth0.0
        user@host# set security-zone root-untrust host-inbound-traffic system-services all
        user@host# set security-zone root-untrust host-inbound-traffic protocols all
        user@host# set security-zone root-untrust interfaces lt-0/0/0.1
      4. Configure security policies.
        [edit security policies from-zone root-trust to-zone root-untrust]
        user@host# set policy root-Trust_to_root-Untrust match source-address any
        user@host# set policy root-Trust_to_root-Untrust match destination-address any
        user@host# set policy root-Trust_to_root-Untrust match application any
        user@host# set policy root-Trust_to_root-Untrust then permit
        [edit security policies from-zone root-untrust to-zone root-trust]
        user@host# set policy root-Untrust_to_root-Trust match source-address any
        user@host# set policy root-Untrust_to_root-Trust match destination-address any
        user@host# set policy root-Untrust_to_root-Trust match application any
        user@host# set policy root-Untrust_to_root-Trust then permit
        [edit security policies from-zone root-untrust to-zone root-untrust]
        user@host# set policy root-Untrust_to_root-Untrust match source-address any
        user@host# set policy root-Untrust_to_root-Untrust match destination-address any
        user@host# set policy root-Untrust_to_root-Untrust match application any
        user@host# set policy root-Untrust_to_root-Untrust then permit
        [edit security policies from-zone root-trust to-zone root-trust]
        user@host# set policy root-Trust_to_root-Trust match source-address any
        user@host# set policy root-Trust_to_root-Trust match destination-address any
        user@host# set policy root-Trust_to_root-Trust match application any
        user@host# set policy root-Trust_to_root-Trust then permit
    5. Configure the interconnect logical system.

      Step-by-Step Procedure

      1. Configure logical tunnel interfaces.
        [edit logical-systems LSYS0 interfaces]
        user@host# set lt-0/0/0 unit 0 encapsulation ethernet-vpls
        user@host# set lt-0/0/0 unit 0 peer-unit 1
        user@host# set lt-0/0/0 unit 2 encapsulation ethernet-vpls
        user@host# set lt-0/0/0 unit 2 peer-unit 3
        user@host# set lt-0/0/0 unit 4 encapsulation ethernet-vpls
        user@host# set lt-0/0/0 unit 4 peer-unit 5
      2. Configure the VPLS routing instance.
        [edit logical-systems LSYS0 routing-instances]
        user@host# set vr instance-type vpls
        user@host# set vr interface lt-0/0/0.0
        user@host# set vr interface lt-0/0/0.2
        user@host# set vr interface lt-0/0/0.4
    6. Configure logical tunnel interfaces for the user logical systems.

      Step-by-Step Procedure

      1. Configure logical tunnel interfaces for LSYS1.
        [edit logical-systems LSYS1 interfaces]
        user@host# set lt-0/0/0 unit 3 encapsulation ethernet
        user@host# set lt-0/0/0 unit 3 peer-unit 2
        user@host# set lt-0/0/0 unit 3 family inet address 2.1.1.3/24
      2. Configure logical tunnel interfaces for LSYS2.
        [edit logical-systems LSYS2 interfaces]
        user@host# set lt-0/0/0 unit 5 encapsulation ethernet
        user@host# set lt-0/0/0 unit 5 peer-unit 4
        user@host# set lt-0/0/0 unit 5 family inet address 2.1.1.5/24
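    The security-profile bindings (steps 3.1 to 3.4) and the lt-0/0/0 peer-unit pairs (steps 4.1, 5.1, 6.1 and 6.2) are the parts of this procedure most easily broken by a hand edit, so the following added Python lint, which is not part of this example or of Junos OS, parses a set-command listing of the kind shown above and checks them: every logical system must have a security profile bound (as the example does even for the interconnect LSYS0), no profile may reserve more than its maximum, the reserved totals must fit within a per-resource system capacity that you supply, and each peer-unit must point back, cross a logical-system boundary and pair one ethernet end with one ethernet-vpls end, as in this interconnect design. The sample listing (a subset of the example) and the CAPACITY figure are constructed.

```python
"""Added lint for the set commands of this example (not Juniper code); the sample
input and the capacity figure are constructed."""
import re
from collections import defaultdict

# Constructed sample: a subset of the set commands shown in this example.
SAMPLE = """\
set system security-profile SP-root policy maximum 200
set system security-profile SP-root policy reserved 100
set system security-profile SP-root root-logical-system
set system security-profile SP0 logical-system LSYS0
set system security-profile SP1 policy maximum 100
set system security-profile SP1 policy reserved 50
set system security-profile SP1 logical-system LSYS1
set system security-profile SP2 policy maximum 100
set system security-profile SP2 policy reserved 50
set system security-profile SP2 logical-system LSYS2
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 0
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 0 peer-unit 1
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 2 peer-unit 3
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 encapsulation ethernet-vpls
set logical-systems LSYS0 interfaces lt-0/0/0 unit 4 peer-unit 5
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 encapsulation ethernet
set logical-systems LSYS1 interfaces lt-0/0/0 unit 3 peer-unit 2
set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 encapsulation ethernet
set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 peer-unit 4
"""
# Constructed assumption: total 'reserved' per resource the platform can hand out.
CAPACITY = {"policy": 200}
LT_RE = re.compile(r"(?:logical-systems (\S+) )?interfaces lt-\S+ unit (\d+) (peer-unit|encapsulation) (\S+)$")


def parse_set_commands(text):
    """Return (logical systems, profiles, lt units) built from 'set ...' lines."""
    logical_systems, lt_units = set(), {}  # lt_units: (owner, unit) -> {peer-unit, encapsulation}
    profiles = defaultdict(lambda: {"lsys": None, "res": defaultdict(dict)})
    for line in text.splitlines():
        words = line.split()
        if len(words) < 3 or words[0] != "set":
            continue
        if words[1] == "logical-systems":
            logical_systems.add(words[2])
        if words[1:3] == ["system", "security-profile"]:
            prof = profiles[words[3]]
            if words[4] == "logical-system":
                prof["lsys"] = words[5]
            elif words[4] == "root-logical-system":
                prof["lsys"] = "root"
            else:  # e.g. 'policy maximum 200' or 'policy reserved 100'
                prof["res"][words[4]][words[5]] = int(words[6])
        m = LT_RE.match(" ".join(words[1:]))
        if m:  # no logical-systems prefix means the unit belongs to the master (root) logical system
            lt_units.setdefault((m.group(1) or "root", m.group(2)), {})[m.group(3)] = m.group(4)
    return logical_systems, profiles, lt_units


def check_profiles(logical_systems, profiles, capacity):
    """Every logical system bound to a profile; reserved <= maximum; reserved totals within capacity."""
    bound = {p["lsys"] for p in profiles.values()}
    problems = [f"{n}: no security profile bound" for n in sorted(logical_systems) if n not in bound]
    total = defaultdict(int)
    for pname, prof in profiles.items():
        for res, vals in prof["res"].items():
            if vals.get("reserved", 0) > vals.get("maximum", float("inf")):
                problems.append(f"{pname}: {res} reserved {vals['reserved']} exceeds maximum {vals['maximum']}")
            total[res] += vals.get("reserved", 0)
    for res, used in total.items():
        if used > capacity.get(res, float("inf")):
            problems.append(f"{res}: reserved total {used} exceeds system capacity {capacity[res]}")
    return problems


def check_lt_peers(lt_units):
    """Each peer-unit must point back, cross logical systems, and pair ethernet with ethernet-vpls."""
    problems = []
    by_unit = {unit: (owner, info) for (owner, unit), info in lt_units.items()}
    for unit, (owner, info) in sorted(by_unit.items(), key=lambda kv: int(kv[0])):
        peer = info.get("peer-unit")
        if peer not in by_unit:
            problems.append(f"lt unit {unit} ({owner}): peer-unit missing or not configured")
            continue
        peer_owner, peer_info = by_unit[peer]
        if peer_info.get("peer-unit") != unit:
            problems.append(f"lt unit {unit} ({owner}) peers with {peer}, which peers with {peer_info.get('peer-unit')}")
        if peer_owner == owner:
            problems.append(f"lt units {unit}/{peer}: both ends are in {owner}")
        encaps = {info.get("encapsulation"), peer_info.get("encapsulation")}
        if int(unit) < int(peer) and encaps != {"ethernet", "ethernet-vpls"}:
            problems.append(f"lt units {unit}/{peer}: need one ethernet and one ethernet-vpls end, got {sorted(map(str, encaps))}")
    return problems


def lint(text, capacity=CAPACITY):
    """Return all problems found in the set commands (an empty list means clean)."""
    logical_systems, profiles, lt_units = parse_set_commands(text)
    return check_profiles(logical_systems, profiles, capacity) + check_lt_peers(lt_units)


if __name__ == "__main__":
    print("\n".join(lint(SAMPLE) or ["no problems found"]))
```

    Run it against the output of show configuration | display set before committing; the sample as written passes cleanly, and dropping a profile binding or mistyping a peer-unit produces a named finding.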

    Results

    From configuration mode, confirm the configuration for LSYS0 by entering the show logical-systems LSYS0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show logical-systems LSYS0
    interfaces {
        lt-0/0/0 {
            unit 0 {
                encapsulation ethernet-vpls;
                peer-unit 1;
            }
            unit 2 {
                encapsulation ethernet-vpls;
                peer-unit 3;
            }
            unit 4 {
                encapsulation ethernet-vpls;
                peer-unit 5;
            }
        }
    }
    routing-instances {
        vr {
            instance-type vpls;
            interface lt-0/0/0.0;
            interface lt-0/0/0.2;
            interface lt-0/0/0.4;
        }
    }

    From configuration mode, confirm the configuration for the master logical system by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    user@host# show interfaces
    lt-0/0/0 {
        unit 1 {
            encapsulation ethernet;
            peer-unit 0;
            family inet {
                address 2.1.1.1/24;
            }
        }
    }
    ge-1/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-1/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-1/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-1/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-7/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-7/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-7/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-1/1/0;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-7/1/0;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet {
                address 95.99.99.1/8;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    reth3 {
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    [edit]
    user@host# show routing-instances
    vr0 {
        instance-type virtual-router;
        interface lt-0/0/0.1;
        interface reth0.0;
        routing-options {
            static {
                route 85.0.0.0/8 next-hop 2.1.1.3;
                route 75.0.0.0/8 next-hop 2.1.1.3;
                route 65.0.0.0/8 next-hop 2.1.1.5;
            }
        }
    }
    [edit]
    user@host# show security
    policies {
        from-zone root-trust to-zone root-untrust {
            policy root-Trust_to_root-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone root-untrust to-zone root-trust {
            policy root-Untrust_to_root-Trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone root-untrust to-zone root-untrust {
            policy root-Untrust_to_root-Untrust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone root-trust to-zone root-trust {
            policy root-Trust_to_root-Trust {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone root-trust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                reth0.0;
            }
        }
        security-zone root-untrust {
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                lt-0/0/0.1;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    User Logical System Configuration (User Logical System Administrator)

    CLI Quick Configuration

    To quickly configure user logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    Enter the following commands while logged in as the user logical system administrator for LSYS1:

    set interfaces reth1 unit 0 family inet address 85.88.88.1/8
    set interfaces reth2 unit 0 family inet address 75.77.77.1/8
    set routing-instances vr11 instance-type virtual-router
    set routing-instances vr11 interface lt-0/0/0.3
    set routing-instances vr11 interface reth1.0
    set routing-instances vr11 routing-options static route 65.0.0.0/8 next-hop 2.1.1.5
    set routing-instances vr11 routing-options static route 95.0.0.0/8 next-hop 2.1.1.1
    set routing-instances vr12 instance-type virtual-router
    set routing-instances vr12 interface reth2.0
    set routing-instances vr12 routing-options interface-routes rib-group inet vr11vr12v4
    set routing-instances vr12 routing-options static route 85.0.0.0/8 next-table vr11.inet.0
    set routing-instances vr12 routing-options static route 95.0.0.0/8 next-table vr11.inet.0
    set routing-instances vr12 routing-options static route 65.0.0.0/8 next-table vr11.inet.0
    set routing-instances vr12 routing-options static route 2.1.1.0/24 next-table vr11.inet.0
    set routing-options rib-groups vr11vr12v4 import-rib vr11.inet.0
    set routing-options rib-groups vr11vr12v4 import-rib vr12.inet.0
    set security zones security-zone lsys1-trust host-inbound-traffic system-services all
    set security zones security-zone lsys1-trust host-inbound-traffic protocols all
    set security zones security-zone lsys1-trust interfaces reth1.0
    set security zones security-zone lsys1-trust interfaces lt-0/0/0.3
    set security zones security-zone lsys1-untrust host-inbound-traffic system-services all
    set security zones security-zone lsys1-untrust host-inbound-traffic protocols all
    set security zones security-zone lsys1-untrust interfaces reth2.0
    set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust match source-address any
    set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust match destination-address any
    set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust match application any
    set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust then permit
    set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust match source-address any
    set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust match destination-address any
    set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust match application any
    set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust then permit
    set security policies from-zone lsys1-untrust to-zone lsys1-untrust policy lsys1untrust-to-lsys1untrust match source-address any
    set security policies from-zone lsys1-untrust to-zone lsys1-untrust policy lsys1untrust-to-lsys1untrust match destination-address any
    set security policies from-zone lsys1-untrust to-zone lsys1-untrust policy lsys1untrust-to-lsys1untrust match application any
    set security policies from-zone lsys1-untrust to-zone lsys1-untrust policy lsys1untrust-to-lsys1untrust then permit
    set security policies from-zone lsys1-trust to-zone lsys1-trust policy lsys1trust-to-lsys1trust match source-address any
    set security policies from-zone lsys1-trust to-zone lsys1-trust policy lsys1trust-to-lsys1trust match destination-address any
    set security policies from-zone lsys1-trust to-zone lsys1-trust policy lsys1trust-to-lsys1trust match application any
    set security policies from-zone lsys1-trust to-zone lsys1-trust policy lsys1trust-to-lsys1trust then permit

    Enter the following commands while logged in as the user logical system administrator for LSYS2:

    set interfaces reth3 unit 0 family inet address 65.66.66.1/8
    set routing-instances vr2 instance-type virtual-router
    set routing-instances vr2 interface lt-0/0/0.5
    set routing-instances vr2 interface reth3.0
    set routing-instances vr2 routing-options static route 75.0.0.0/8 next-hop 2.1.1.3
    set routing-instances vr2 routing-options static route 85.0.0.0/8 next-hop 2.1.1.3
    set routing-instances vr2 routing-options static route 95.0.0.0/8 next-hop 2.1.1.1
    set security zones security-zone lsys2-trust host-inbound-traffic system-services all
    set security zones security-zone lsys2-trust host-inbound-traffic protocols all
    set security zones security-zone lsys2-trust interfaces reth3.0
    set security zones security-zone lsys2-untrust host-inbound-traffic system-services all
    set security zones security-zone lsys2-untrust host-inbound-traffic protocols all
    set security zones security-zone lsys2-untrust interfaces lt-0/0/0.5
    set security policies from-zone lsys2-trust to-zone lsys2-untrust policy lsys2trust-to-lsys2untrust match source-address any
    set security policies from-zone lsys2-trust to-zone lsys2-untrust policy lsys2trust-to-lsys2untrust match destination-address any
    set security policies from-zone lsys2-trust to-zone lsys2-untrust policy lsys2trust-to-lsys2untrust match application any
    set security policies from-zone lsys2-trust to-zone lsys2-untrust policy lsys2trust-to-lsys2untrust then permit
    set security policies from-zone lsys2-untrust to-zone lsys2-trust policy lsys2untrust-to-lsys2trust match source-address any
    set security policies from-zone lsys2-untrust to-zone lsys2-trust policy lsys2untrust-to-lsys2trust match destination-address any
    set security policies from-zone lsys2-untrust to-zone lsys2-trust policy lsys2untrust-to-lsys2trust match application any
    set security policies from-zone lsys2-untrust to-zone lsys2-trust policy lsys2untrust-to-lsys2trust then permit
    set security policies from-zone lsys2-untrust to-zone lsys2-untrust policy lsys2untrust-to-lsys2untrust match source-address any
    set security policies from-zone lsys2-untrust to-zone lsys2-untrust policy lsys2untrust-to-lsys2untrust match destination-address any
    set security policies from-zone lsys2-untrust to-zone lsys2-untrust policy lsys2untrust-to-lsys2untrust match application any
    set security policies from-zone lsys2-untrust to-zone lsys2-untrust policy lsys2untrust-to-lsys2untrust then permit
    set security policies from-zone lsys2-trust to-zone lsys2-trust policy lsys2trust-to-lsys2trust match source-address any
    set security policies from-zone lsys2-trust to-zone lsys2-trust policy lsys2trust-to-lsys2trust match destination-address any
    set security policies from-zone lsys2-trust to-zone lsys2-trust policy lsys2trust-to-lsys2trust match application any
    set security policies from-zone lsys2-trust to-zone lsys2-trust policy lsys2trust-to-lsys2trust then permit

    Step-by-Step Procedure

    Note: The user logical system administrator performs the following configuration while logged into his or her user logical system. The master administrator can also configure a user logical system at the [edit logical-systems logical-system] hierarchy level.

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    To configure the LSYS1 user logical system:

    1. Configure interfaces.
      [edit interfaces]
      lsys1-admin@host:LSYS1# set reth1 unit 0 family inet address 85.88.88.1/8
      lsys1-admin@host:LSYS1# set reth2 unit 0 family inet address 75.77.77.1/8
    2. Configure routing.
      [edit routing-instances]
      lsys1-admin@host:LSYS1# set vr11 instance-type virtual-router
      lsys1-admin@host:LSYS1# set vr11 interface lt-0/0/0.3
      lsys1-admin@host:LSYS1# set vr11 interface reth1.0
      lsys1-admin@host:LSYS1# set vr11 routing-options static route 65.0.0.0/8 next-hop 2.1.1.5
      lsys1-admin@host:LSYS1# set vr11 routing-options static route 95.0.0.0/8 next-hop 2.1.1.1
      lsys1-admin@host:LSYS1# set vr12 instance-type virtual-router
      lsys1-admin@host:LSYS1# set vr12 interface reth2.0
      lsys1-admin@host:LSYS1# set vr12 routing-options interface-routes rib-group inet vr11vr12v4
      lsys1-admin@host:LSYS1# set vr12 routing-options static route 85.0.0.0/8 next-table vr11.inet.0
      lsys1-admin@host:LSYS1# set vr12 routing-options static route 95.0.0.0/8 next-table vr11.inet.0
      lsys1-admin@host:LSYS1# set vr12 routing-options static route 65.0.0.0/8 next-table vr11.inet.0
      lsys1-admin@host:LSYS1# set vr12 routing-options static route 2.1.1.0/24 next-table vr11.inet.0
      [edit routing-options]
      lsys1-admin@host:LSYS1# set rib-groups vr11vr12v4 import-rib vr11.inet.0
      lsys1-admin@host:LSYS1# set rib-groups vr11vr12v4 import-rib vr12.inet.0
    3. Configure zones and security policies.
      [edit security zones]
      lsys1-admin@host:LSYS1# set security-zone lsys1-trust host-inbound-traffic system-services all
      lsys1-admin@host:LSYS1# set security-zone lsys1-trust host-inbound-traffic protocols all
      lsys1-admin@host:LSYS1# set security-zone lsys1-trust interfaces reth1.0
      lsys1-admin@host:LSYS1# set security-zone lsys1-trust interfaces lt-0/0/0.3
      lsys1-admin@host:LSYS1# set security-zone lsys1-untrust host-inbound-traffic system-services all
      lsys1-admin@host:LSYS1# set security-zone lsys1-untrust host-inbound-traffic protocols all
      lsys1-admin@host:LSYS1# set security-zone lsys1-untrust interfaces reth2.0
      [edit security policies from-zone lsys1-trust to-zone lsys1-untrust]
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust match source-address any
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust match destination-address any
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust match application any
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust then permit
      [edit security policies from-zone lsys1-untrust to-zone lsys1-trust]
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust match source-address any
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust match destination-address any
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust match application any
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust then permit
      [edit security policies from-zone lsys1-untrust to-zone lsys1-untrust]
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust match source-address any
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust match destination-address any
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust match application any
      lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust then permit
      [edit security policies from-zone lsys1-trust to-zone lsys1-trust]
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust match source-address any
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust match destination-address any
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust match application any
      lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust then permit

    Step-by-Step Procedure

    To configure the LSYS2 user logical system:

    1. Configure interfaces.
      [edit interfaces]
      lsys2-admin@host:LSYS2# set reth3 unit 0 family inet address 65.66.66.1/8
    2. Configure routing.
      [edit routing-instances]
      lsys2-admin@host:LSYS2# set vr2 instance-type virtual-router
      lsys2-admin@host:LSYS2# set vr2 interface lt-0/0/0.5
      lsys2-admin@host:LSYS2# set vr2 interface reth3.0
      lsys2-admin@host:LSYS2# set vr2 routing-options static route 75.0.0.0/8 next-hop 2.1.1.3
      lsys2-admin@host:LSYS2# set vr2 routing-options static route 85.0.0.0/8 next-hop 2.1.1.3
      lsys2-admin@host:LSYS2# set vr2 routing-options static route 95.0.0.0/8 next-hop 2.1.1.1
    3. Configure zones and security policies.
      [edit security zones]
      lsys2-admin@host:LSYS2# set security-zone lsys2-trust host-inbound-traffic system-services all
      lsys2-admin@host:LSYS2# set security-zone lsys2-trust host-inbound-traffic protocols all
      lsys2-admin@host:LSYS2# set security-zone lsys2-trust interfaces reth3.0
      lsys2-admin@host:LSYS2# set security-zone lsys2-untrust host-inbound-traffic system-services all
      lsys2-admin@host:LSYS2# set security-zone lsys2-untrust host-inbound-traffic protocols all
      lsys2-admin@host:LSYS2# set security-zone lsys2-untrust interfaces lt-0/0/0.5
      [edit security policies from-zone lsys2-trust to-zone lsys2-untrust]
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust match source-address any
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust match destination-address any
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust match application any
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust then permit
      [edit security policies from-zone lsys2-untrust to-zone lsys2-trust]
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust match source-address any
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust match destination-address any
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust match application any
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust then permit
      [edit security policies from-zone lsys2-untrust to-zone lsys2-untrust]
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust match source-address any
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust match destination-address any
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust match application any
      lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust then permit
      [edit security policies from-zone lsys2-trust to-zone lsys2-trust]
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust match source-address any
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust match destination-address any
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust match application any
      lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust then permit

    Results

    From configuration mode, confirm the configuration for LSYS1 by entering the show interfaces, show routing-instances, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    lsys1-admin@host:LSYS1# show interfaces
    interfaces {
        lt-0/0/0 {
            unit 3 {
                encapsulation ethernet;
                peer-unit 2;
                family inet {
                    address 2.1.1.3/24;
                }
            }
        }
        reth1 {
            unit 0 {
                family inet {
                    address 85.88.88.1/8;
                }
            }
        }
        reth2 {
            unit 0 {
                family inet {
                    address 75.77.77.1/8;
                }
            }
        }
    }
    [edit]
    lsys1-admin@host:LSYS1# show routing-instances
    routing-instances {
        vr11 {
            instance-type virtual-router;
            interface lt-0/0/0.3;
            interface reth1.0;
            routing-options {
                static {
                    route 65.0.0.0/8 next-hop 2.1.1.5;
                    route 95.0.0.0/8 next-hop 2.1.1.1;
                }
            }
        }
        vr12 {
            instance-type virtual-router;
            interface reth2.0;
            routing-options {
                interface-routes {
                    rib-group inet vr11vr12v4;
                }
                static {
                    route 85.0.0.0/8 next-table vr11.inet.0;
                    route 95.0.0.0/8 next-table vr11.inet.0;
                    route 65.0.0.0/8 next-table vr11.inet.0;
                    route 2.1.1.0/24 next-table vr11.inet.0;
                }
            }
        }
    }
    [edit]
    lsys1-admin@host:LSYS1# show routing-options
    rib-groups {
        vr11vr12v4 {
            import-rib [ vr11.inet.0 vr12.inet.0 ];
        }
    }
    [edit]
    lsys1-admin@host:LSYS1# show security
    security {
        policies {
            from-zone lsys1-trust to-zone lsys1-untrust {
                policy lsys1trust-to-lsys1untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone lsys1-untrust to-zone lsys1-trust {
                policy lsys1untrust-to-lsys1trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone lsys1-untrust to-zone lsys1-untrust {
                policy lsys1untrust-to-lsys1untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone lsys1-trust to-zone lsys1-trust {
                policy lsys1trust-to-lsys1trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone lsys1-trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth1.0;
                    lt-0/0/0.3;
                }
            }
            security-zone lsys1-untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth2.0;
                }
            }
        }
    }

    From configuration mode, confirm the configuration for LSYS2 by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    [edit]
    lsys2-admin@host:LSYS2# show interfaces
    interfaces {
        lt-0/0/0 {
            unit 5 {
                encapsulation ethernet;
                peer-unit 4;
                family inet {
                    address 2.1.1.5/24;
                }
            }
        }
        reth3 {
            unit 0 {
                family inet {
                    address 65.66.66.1/8;
                }
            }
        }
    }
    [edit]
    lsys2-admin@host:LSYS2# show routing-instances
    routing-instances {
        vr2 {
            instance-type virtual-router;
            interface lt-0/0/0.5;
            interface reth3.0;
            routing-options {
                static {
                    route 75.0.0.0/8 next-hop 2.1.1.3;
                    route 85.0.0.0/8 next-hop 2.1.1.3;
                    route 95.0.0.0/8 next-hop 2.1.1.1;
                }
            }
        }
    }
    [edit]
    lsys2-admin@host:LSYS2# show security
    security {
        policies {
            from-zone lsys2-trust to-zone lsys2-untrust {
                policy lsys2trust-to-lsys2untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone lsys2-untrust to-zone lsys2-trust {
                policy lsys2untrust-to-lsys2trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone lsys2-untrust to-zone lsys2-untrust {
                policy lsys2untrust-to-lsys2untrust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone lsys2-trust to-zone lsys2-trust {
                policy lsys2trust-to-lsys2trust {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone lsys2-trust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    reth3.0;
                }
            }
            security-zone lsys2-untrust {
                host-inbound-traffic {
                    system-services {
                        all;
                    }
                    protocols {
                        all;
                    }
                }
                interfaces {
                    lt-0/0/0.5;
                }
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
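    Before committing, a configuration like this one is worth auditing for its security-relevant settings: every policy in the example permits any source, destination and application, and both zones accept all host-inbound system services and protocols. The following Python script is an added example, not part of the Juniper documentation; it parses the set-style commands shown for LSYS1 (a constructed subset, embedded inline) and reports those points, plus any interface that sits in a routing instance but in no security zone.

```python
"""Audit Junos set-style logical-system configuration before commit.

Added example, not part of the Juniper documentation: flags permit-any
policies, zones that open all host-inbound services/protocols, and
routing-instance interfaces that belong to no security zone.
"""
import re
from collections import defaultdict

# Constructed subset of the LSYS1 commands from this page.
LSYS1_SET = """
set routing-instances vr11 interface lt-0/0/0.3
set routing-instances vr11 interface reth1.0
set routing-instances vr12 interface reth2.0
set security zones security-zone lsys1-trust host-inbound-traffic system-services all
set security zones security-zone lsys1-trust host-inbound-traffic protocols all
set security zones security-zone lsys1-trust interfaces reth1.0
set security zones security-zone lsys1-trust interfaces lt-0/0/0.3
set security zones security-zone lsys1-untrust host-inbound-traffic system-services all
set security zones security-zone lsys1-untrust host-inbound-traffic protocols all
set security zones security-zone lsys1-untrust interfaces reth2.0
set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust match source-address any
set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust match destination-address any
set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust match application any
set security policies from-zone lsys1-trust to-zone lsys1-untrust policy lsys1trust-to-lsys1untrust then permit
set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust match source-address any
set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust match destination-address any
set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust match application any
set security policies from-zone lsys1-untrust to-zone lsys1-trust policy lsys1untrust-to-lsys1trust then permit
"""

POLICY_RE = re.compile(
    r"^set security policies from-zone (\S+) to-zone (\S+) policy (\S+) "
    r"(?:match (source-address|destination-address|application) (\S+)|then (\S+))$")
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) (.+)$")
RI_IF_RE = re.compile(r"^set routing-instances (\S+) interface (\S+)$")


def parse(config):
    """Build policy, zone and routing-instance tables from set-style lines."""
    policies = defaultdict(dict)    # (from-zone, to-zone, name) -> {field: value}
    zone_hit = defaultdict(set)     # zone -> {"system-services all", ...}
    zone_ifaces = defaultdict(set)  # zone -> {interface}
    ri_ifaces = defaultdict(set)    # routing-instance -> {interface}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := POLICY_RE.match(line):
            fz, tz, name, field, value, action = m.groups()
            policies[(fz, tz, name)][field or "action"] = value or action
        elif m := ZONE_RE.match(line):
            zone, rest = m.groups()
            if rest.startswith("host-inbound-traffic "):
                zone_hit[zone].add(rest.split(" ", 1)[1])
            elif rest.startswith("interfaces "):
                zone_ifaces[zone].add(rest.split()[1])
        elif m := RI_IF_RE.match(line):
            ri_ifaces[m.group(1)].add(m.group(2))
    return policies, zone_hit, zone_ifaces, ri_ifaces


def audit(config):
    """Return sorted (finding, subject) pairs for the configuration text."""
    policies, zone_hit, zone_ifaces, ri_ifaces = parse(config)
    findings = []
    for (fz, tz, name), p in policies.items():
        if p.get("action") == "permit" and all(
                p.get(f) == "any" for f in ("source-address", "destination-address", "application")):
            findings.append(("permit-any-any-any", f"{fz}->{tz}/{name}"))
    for zone, hit in zone_hit.items():
        for opened in ("system-services all", "protocols all"):
            if opened in hit:
                findings.append((f"host-inbound-{opened.split()[0]}-all", zone))
    # An interface in a routing instance but in no zone cannot pass transit traffic.
    zoned = set().union(*zone_ifaces.values())
    for ri, ifaces in ri_ifaces.items():
        for iface in sorted(ifaces - zoned):
            findings.append(("interface-without-zone", f"{ri}/{iface}"))
    return sorted(findings)


if __name__ == "__main__":
    for finding, subject in audit(LSYS1_SET):
        print(f"{finding:32} {subject}")
```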

    Verification

    Confirm that the configuration is working properly.

    Verifying Chassis Cluster Status

    Purpose

    Verify the chassis cluster status, failover status, and redundancy group information.

    Action

    From operational mode, enter the show chassis cluster status command.

    {primary:node0}
    user@host> show chassis cluster status
    Cluster ID: 1 
    Node                  Priority          Status    Preempt  Manual failover
    
    Redundancy group: 0 , Failover count: 1
        node0                   200         primary        no       no  
        node1                   100         secondary      no       no  
    
    Redundancy group: 1 , Failover count: 1
        node0                   200         primary        no       no  
        node1                   100         secondary      no       no  
    

    Troubleshooting Chassis Cluster with Logs

    Purpose

    Use these logs to identify any chassis cluster issues. Run these commands on both nodes.

    Action

    From operational mode, enter these show log commands.

    user@host> show log jsrpd

    user@host> show log chassisd

    user@host> show log messages

    user@host> show log dcd

    user@host> show traceoptions

    Verifying Logical System Licenses

    Purpose

    Verify information about logical system licenses.

    Action

    From operational mode, enter the show system license status logical-system all command.

    {primary:node0}
    user@host> show system license status logical-system all
    node0:
    --------------------------------------------------------------------------
    Logical system license status:
                    
    logical system name                 license status
    root-logical-system                 enabled       
    LSYS0                               enabled       
    LSYS1                               enabled       
    LSYS2                               enabled       

    Verifying Logical System License Usage

    Purpose

    Verify information about logical system license usage.

    Note: The actual number of licenses used is only displayed on the primary node.

    Action

    From operational mode, enter the show system license command.

    {primary:node0}
    user@host> show system license
    License usage: 
                                     Licenses     Licenses    Licenses    Expiry
      Feature name                       used    installed      needed 
      logical-system                        4           25           0    permanent 
    
    Licenses installed: 
      License identifier: JUNOS305013
      License version: 2
      Valid for device: JN110B54BAGB
      Features:
        logical-system-25 - Logical System Capacity
          permanent
    

    Verifying Intra-Logical System Traffic on a Logical System

    Purpose

    Verify information about currently active security sessions within a logical system.

    Action

    From operational mode, enter the show security flow session logical-system LSYS1 command.

    {primary:node0}
    user@host> show security flow session logical-system LSYS1
    node0:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC1:
    
    Session ID: 90000114, Policy name: lsys1trust-to-lsys1untrust/8, State: Active, Timeout: 1782, Valid
      In: 85.88.88.2/34538 --> 75.77.77.2/23;tcp, If: reth1.0, Pkts: 33, Bytes: 1881
      Out: 75.77.77.2/23 --> 85.88.88.2/34538;tcp, If: reth2.0, Pkts: 28, Bytes: 2329
    Total sessions: 1
    
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC1:
    
    Session ID: 90000001, Policy name: lsys1trust-to-lsys1untrust/8, State: Backup, Timeout: 14388, Valid
      In: 85.88.88.2/34538 --> 75.77.77.2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
      Out: 75.77.77.2/23 --> 85.88.88.2/34538;tcp, If: reth2.0, Pkts: 0, Bytes: 0
    Total sessions: 1   

    Verifying Intra-Logical System Traffic Within All Logical Systems

    Purpose

    Verify information about currently active security sessions on all logical systems.

    Action

    From operational mode, enter the show security flow session logical-system all command.

    {primary:node0}
    user@host> show security flow session logical-system all
    node0:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC1:
    
    Session ID: 90000114, Policy name: lsys1trust-to-lsys1untrust/8, State: Active, Timeout: 1776, Valid
    Logical system: LSYS1
      In: 85.88.88.2/34538 --> 75.77.77.2/23;tcp, If: reth1.0, Pkts: 33, Bytes: 1881
      Out: 75.77.77.2/23 --> 85.88.88.2/34538;tcp, If: reth2.0, Pkts: 28, Bytes: 2329
    Total sessions: 1
    
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC1:
    
    Session ID: 90000001, Policy name: lsys1trust-to-lsys1untrust/8, State: Backup, Timeout: 14382, Valid
    Logical system: LSYS1
      In: 85.88.88.2/34538 --> 75.77.77.2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
      Out: 75.77.77.2/23 --> 85.88.88.2/34538;tcp, If: reth2.0, Pkts: 0, Bytes: 0
    Total sessions: 1

    Verifying Traffic Between User Logical Systems

    Purpose

    Verify information about currently active security sessions between logical systems.

    Action

    From operational mode, enter the show security flow session logical-system logical-system-name command.

    {primary:node0}
    user@host> show security flow session logical-system LSYS1
    node0:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    
    Session ID: 10000094, Policy name: root-Untrust_to_root-Trust/5, State: Active, Timeout: 1768, Valid
      In: 75.77.77.2/34590 --> 95.99.99.2/23;tcp, If: lt-0/0/0.1, Pkts: 23, Bytes: 1351
      Out: 95.99.99.2/23 --> 75.77.77.2/34590;tcp, If: reth0.0, Pkts: 22, Bytes: 1880
    Total sessions: 1
    
    Flow Sessions on FPC2 PIC0:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC1:
    Total sessions: 0
    
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    
    Session ID: 10000002, Policy name: root-Untrust_to_root-Trust/5, State: Backup, Timeout: 14384, Valid
      In: 75.77.77.2/34590 --> 95.99.99.2/23;tcp, If: lt-0/0/0.1, Pkts: 0, Bytes: 0
      Out: 95.99.99.2/23 --> 75.77.77.2/34590;tcp, If: reth0.0, Pkts: 0, Bytes: 0
    Total sessions: 1
    
    Flow Sessions on FPC2 PIC0:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC1:
    Total sessions: 0
    {primary:node0}
    user@host> show security flow session logical-system LSYS2
    node0:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 80000089, Policy name: lsys2untrust-to-lsys2trust/13, State: Active, Timeout: 1790, Valid
      In: 85.88.88.2/34539 --> 65.66.66.2/23;tcp, If: lt-0/0/0.5, Pkts: 40, Bytes: 2252
      Out: 65.66.66.2/23 --> 85.88.88.2/34539;tcp, If: reth3.0, Pkts: 32, Bytes: 2114
    Total sessions: 1
    
    Flow Sessions on FPC2 PIC1:
    Total sessions: 0
    
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 80000002, Policy name: lsys2untrust-to-lsys2trust/13, State: Backup, Timeout: 14398, Valid
      In: 85.88.88.2/34539 --> 65.66.66.2/23;tcp, If: lt-0/0/0.5, Pkts: 0, Bytes: 0
      Out: 65.66.66.2/23 --> 85.88.88.2/34539;tcp, If: reth3.0, Pkts: 0, Bytes: 0
    Total sessions: 1
    
    Flow Sessions on FPC2 PIC1:
    Total sessions: 0
    {primary:node0}
    user@host> show security flow session logical-system all
    node0:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 80000088, Policy name: lsys1trust-to-lsys1trust/11, State: Active, Timeout: 1782, Valid
    Logical system: LSYS1
      In: 85.88.88.2/34539 --> 65.66.66.2/23;tcp, If: reth1.0, Pkts: 40, Bytes: 2252
      Out: 65.66.66.2/23 --> 85.88.88.2/34539;tcp, If: lt-0/0/0.3, Pkts: 32, Bytes: 2114
    
    Session ID: 80000089, Policy name: lsys2untrust-to-lsys2trust/13, State: Active, Timeout: 1782, Valid
    Logical system: LSYS2
      In: 85.88.88.2/34539 --> 65.66.66.2/23;tcp, If: lt-0/0/0.5, Pkts: 40, Bytes: 2252
      Out: 65.66.66.2/23 --> 85.88.88.2/34539;tcp, If: reth3.0, Pkts: 32, Bytes: 2114
    Total sessions: 2
    
    Flow Sessions on FPC2 PIC1:
    Total sessions: 0
    
    node1:
    --------------------------------------------------------------------------
    
    Flow Sessions on FPC0 PIC1:
    Total sessions: 0
    
    Flow Sessions on FPC2 PIC0:
    
    Session ID: 80000001, Policy name: lsys1trust-to-lsys1trust/11, State: Backup, Timeout: 14382, Valid
    Logical system: LSYS1
      In: 85.88.88.2/34539 --> 65.66.66.2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
      Out: 65.66.66.2/23 --> 85.88.88.2/34539;tcp, If: lt-0/0/0.3, Pkts: 0, Bytes: 0
    
    Session ID: 80000002, Policy name: lsys2untrust-to-lsys2trust/13, State: Backup, Timeout: 14390, Valid
    Logical system: LSYS2
      In: 85.88.88.2/34539 --> 65.66.66.2/23;tcp, If: lt-0/0/0.5, Pkts: 0, Bytes: 0
      Out: 65.66.66.2/23 --> 85.88.88.2/34539;tcp, If: reth3.0, Pkts: 0, Bytes: 0
    Total sessions: 2
    
    Flow Sessions on FPC2 PIC1:
    Total sessions: 0
    

    Published: 2012-06-29