Related Documentation
- J Series
- Chassis Cluster Overview in the Junos OS Security Configuration Guide

- SRX Series
- Understanding Logical Systems in the Context of Chassis Cluster
- Example: Configuring Logical Systems in an Active/Passive Chassis Cluster
- Example: Configuring an SRX Series Services Gateway for the High End as a Chassis Cluster in the Junos OS Security Configuration Guide

- Chassis Cluster Overview in the Junos OS Security Configuration Guide

Example: Configuring Logical Systems in an Active/Passive Chassis Cluster (IPv6)
This example shows how to configure logical systems in a basic active/passive chassis cluster with IPv6 addresses.
Note: The master administrator configures the chassis cluster and creates logical systems (including an optional interconnect logical system), administrators, and security profiles. Either the master administrator or the user logical system administrator configures a user logical system. The configuration is synchronized between nodes in the cluster.
Requirements
Before you begin:
- Obtain two high-end SRX Series Services Gateways with identical hardware configurations. See Example: Configuring an SRX Series Services Gateway for the High End as a Chassis Cluster in the Junos OS Security Configuration Guide. This chassis cluster deployment scenario includes the configuration of the SRX Series device for connections to an MX240 edge router and an EX8208 Ethernet Switch.
- Physically connect the two devices (back-to-back for the fabric and control ports) and ensure that they are the same models. You can configure both the fabric and control ports on the SRX5000 line. For the SRX1400 devices and the SRX3000 line, you can configure the fabric ports only.
- Set the chassis cluster ID and node ID on each device and reboot the devices to enable clustering. See Example: Setting the Chassis Cluster Node ID and Cluster ID in the Junos OS Security Configuration Guide.
Note: For this example, chassis cluster and logical system configuration is performed on the primary (node 0) device at the root level by the master administrator. Log in to the device as the master administrator. See Understanding the Master Logical System and the Master Administrator Role.
Note: When you use SRX Series devices running logical systems in a chassis cluster, you must purchase and install the same number of logical system licenses for each node in the chassis cluster. Logical system licenses pertain to a single chassis or node within a chassis cluster and not to the cluster collectively. See Understanding Licenses for Logical Systems on SRX Series Devices.
Overview
In this example, the basic active/passive chassis cluster consists of two devices:
- One device actively provides logical systems, along with maintaining control of the chassis cluster.
- The other device passively maintains its state for cluster failover capabilities should the active device become inactive.
Note: Logical systems in an active/active chassis cluster are configured in a similar manner as for logical systems in an active/passive chassis cluster. For active/active chassis clusters, there can be multiple redundancy groups that can be primary on different nodes.
The master administrator configures the following logical systems on the primary device (node 0):
- Master logical system—The master administrator configures a security profile to provision portions of the system’s security resources to the master logical system and configures the resources of the master logical system.
- User logical systems LSYS1 and LSYS2 and their administrators—The master administrator also configures security profiles to provision portions of the system’s security resources to user logical systems. The user logical system administrator can then configure interfaces, routing, and security resources allocated to his or her logical system.
- Interconnect logical system LSYS0 that connects logical systems on the device—The master administrator configures logical tunnel interfaces between the interconnect logical system and each logical system. These peer interfaces effectively allow for the establishment of tunnels.
Note: This example does not describe configuring features such as NAT, IDP, or VPNs for a logical system. See SRX Series Logical System Master Administrator Configuration Tasks Overview and User Logical System Configuration Overview for more information about features that can be configured for logical systems. If you are performing proxy ARP in a chassis cluster configuration, you must apply the proxy ARP configuration to the reth interfaces rather than the member interfaces because the reth interfaces contain the logical configurations. See Configuring Proxy ARP (CLI Procedure) in the Junos OS Security Configuration Guide.
Topology
Figure 1 shows the topology used in this example.
Figure 1: Logical Systems in a Chassis Cluster (IPv6)

Configuration
- Chassis Cluster Configuration with IPv6 Addresses (Master Administrator)
- Logical System Configuration with IPv6 Addresses (Master Administrator)
- User Logical System Configuration with IPv6 (User Logical System Administrator)
Chassis Cluster Configuration with IPv6 Addresses (Master Administrator)
CLI Quick Configuration
To quickly configure the chassis cluster, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
On {primary:node0}
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a chassis cluster:
Note: Perform the following steps on the primary device (node 0). They are automatically copied over to the secondary device (node 1) when you execute a commit command.
- Configure control ports for the cluster.
[edit chassis cluster]
user@host# set control-ports fpc 0 port 0
user@host# set control-ports fpc 6 port 0
- Configure the fabric (data) ports of the cluster that are used to pass RTOs in active/passive mode.
[edit interfaces]
user@host# set fab0 fabric-options member-interfaces ge-1/1/0
user@host# set fab1 fabric-options member-interfaces ge-7/1/0
- Assign some elements of the configuration to a specific member. Configure out-of-band management on the fxp0 interface of the SRX Services Gateway using separate IP addresses for the individual control planes of the cluster.
[edit]
user@host# set groups node0 system host-name SRX5800-1
user@host# set groups node0 interfaces fxp0 unit 0 family inet address 10.157.90.24/9
user@host# set groups node0 system backup-router 10.157.64.1 destination 0.0.0.0/0
user@host# set groups node1 system host-name SRX5800-2
user@host# set groups node1 interfaces fxp0 unit 0 family inet address 10.157.90.23/19
user@host# set groups node1 system backup-router 10.157.64.1 destination 0.0.0.0/0
user@host# set apply-groups "${node}"
- Configure redundancy groups for chassis clustering.
[edit chassis cluster]
user@host# set reth-count 5
user@host# set redundancy-group 0 node 0 priority 200
user@host# set redundancy-group 0 node 1 priority 100
user@host# set redundancy-group 1 node 0 priority 200
user@host# set redundancy-group 1 node 1 priority 100
- Configure the data interfaces on the platform so that in the event of a data plane failover, the other chassis cluster member can take over the connection seamlessly.
[edit interfaces]
user@host# set ge-1/0/0 gigether-options redundant-parent reth0
user@host# set ge-1/0/1 gigether-options redundant-parent reth1
user@host# set ge-1/0/2 gigether-options redundant-parent reth2
user@host# set ge-1/0/3 gigether-options redundant-parent reth3
user@host# set ge-7/0/0 gigether-options redundant-parent reth0
user@host# set ge-7/0/1 gigether-options redundant-parent reth1
user@host# set ge-7/0/2 gigether-options redundant-parent reth2
user@host# set ge-7/0/3 gigether-options redundant-parent reth3
user@host# set reth0 redundant-ether-options redundancy-group 1
user@host# set reth0 unit 0 family inet6 address 9995::1/64
user@host# set reth1 redundant-ether-options redundancy-group 1
user@host# set reth2 redundant-ether-options redundancy-group 1
user@host# set reth3 redundant-ether-options redundancy-group 1
Results
From operational mode, confirm your configuration by entering the show configuration command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
user@host> show configuration
version ;
groups {
    node0 {
        system {
            host-name SRX58001;
            backup-router 10.157.64.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.157.90.24/9;
                    }
                }
            }
        }
    }
    node1 {
        system {
            host-name SRX58002;
            backup-router 10.157.64.1 destination 0.0.0.0/0;
        }
        interfaces {
            fxp0 {
                unit 0 {
                    family inet {
                        address 10.157.90.23/19;
                    }
                }
            }
        }
    }
}
apply-groups "${node}";
chassis {
    cluster {
        control-link-recovery;
        reth-count 5;
        control-ports {
            fpc 0 port 0;
            fpc 6 port 0;
        }
        redundancy-group 0 {
            node 0 priority 200;
            node 1 priority 100;
        }
        redundancy-group 1 {
            node 0 priority 200;
            node 1 priority 100;
        }
    }
}
interfaces {
    ge-1/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-1/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-1/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-1/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    ge-7/0/0 {
        gigether-options {
            redundant-parent reth0;
        }
    }
    ge-7/0/1 {
        gigether-options {
            redundant-parent reth1;
        }
    }
    ge-7/0/2 {
        gigether-options {
            redundant-parent reth2;
        }
    }
    ge-7/0/3 {
        gigether-options {
            redundant-parent reth3;
        }
    }
    fab0 {
        fabric-options {
            member-interfaces {
                ge-1/1/0;
            }
        }
    }
    fab1 {
        fabric-options {
            member-interfaces {
                ge-7/1/0;
            }
        }
    }
    reth0 {
        redundant-ether-options {
            redundancy-group 1;
        }
        unit 0 {
            family inet6 {
                address 9995::1/64;
            }
        }
    }
    reth1 {
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    reth2 {
        redundant-ether-options {
            redundancy-group 1;
        }
    }
    reth3 {
        redundant-ether-options {
            redundancy-group 1;
        }
    }
}
Logical System Configuration with IPv6 Addresses (Master Administrator)
CLI Quick Configuration
To quickly create logical systems and user logical system administrators and configure the master and interconnect logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Note: You are prompted to enter and then reenter plain-text passwords.
On {primary:node0}
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To create logical systems and user logical system administrators and configure the master and interconnect logical systems:
- Create the interconnect and user logical systems.
[edit logical-systems]
user@host# set LSYS0
user@host# set LSYS1
user@host# set LSYS2
- Configure user logical system administrators.
Step-by-Step Procedure
- Configure the user logical system administrator for LSYS1.
[edit system login]
user@host# set class lsys1 logical-system LSYS1
user@host# set class lsys1 permissions all
user@host# set user lsys1admin full-name lsys1-admin
user@host# set user lsys1admin class lsys1
user@host# set user lsys1admin authentication plain-text-password
- Configure the user logical system administrator for LSYS2.
[edit system login]
user@host# set class lsys2 logical-system LSYS2
user@host# set class lsys2 permissions all
user@host# set user lsys2admin full-name lsys2-admin
user@host# set user lsys2admin class lsys2
user@host# set user lsys2admin authentication plain-text-password
- Configure security profiles and assign them to logical systems.
Step-by-Step Procedure
- Configure a security profile and assign it to the root logical system.
[edit system security-profile]
user@host# set SP-root policy maximum 200
user@host# set SP-root policy reserved 100
user@host# set SP-root zone maximum 200
user@host# set SP-root zone reserved 100
user@host# set SP-root flow-session maximum 200
user@host# set SP-root flow-session reserved 100
user@host# set SP-root root-logical-system
- Assign a dummy security profile containing no resources to the interconnect logical system LSYS0.
[edit system security-profile]
user@host# set SP0 logical-system LSYS0
- Configure a security profile and assign it to LSYS1.
[edit system security-profile]
user@host# set SP1 policy maximum 100
user@host# set SP1 policy reserved 50
user@host# set SP1 zone maximum 100
user@host# set SP1 zone reserved 50
user@host# set SP1 flow-session maximum 100
user@host# set SP1 flow-session reserved 50
user@host# set SP1 logical-system LSYS1
- Configure a security profile and assign it to LSYS2.
[edit system security-profile]
user@host# set SP2 policy maximum 100
user@host# set SP2 policy reserved 50
user@host# set SP2 zone maximum 100
user@host# set SP2 zone reserved 50
user@host# set SP2 flow-session maximum 100
user@host# set SP2 flow-session reserved 50
user@host# set SP2 logical-system LSYS2
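The security profiles above carve a shared pool of policies, zones, and flow sessions into a guaranteed share (reserved) and a cap (maximum) for each logical system, and the reservations of all bound logical systems have to fit inside what the platform actually provides. The following Python script is an added example, not Juniper code and not part of this documentation: it parses the [edit system security-profile] commands from this procedure and checks that reserved never exceeds maximum, that the reservations summed over every profile binding fit the platform, and that no profile is left unbound. The per-resource capacity of the platform is not stated on this page, so ASSUMED_CAPACITY is a labelled placeholder to replace with the limits of your SRX model.

```python
from collections import defaultdict

RESOURCES = ("policy", "zone", "flow-session")

# The security-profile commands from this procedure, as pasted at the
# [edit system security-profile] hierarchy level (copied from the page).
PAGE_COMMANDS = """\
set SP-root policy maximum 200
set SP-root policy reserved 100
set SP-root zone maximum 200
set SP-root zone reserved 100
set SP-root flow-session maximum 200
set SP-root flow-session reserved 100
set SP-root root-logical-system
set SP0 logical-system LSYS0
set SP1 policy maximum 100
set SP1 policy reserved 50
set SP1 zone maximum 100
set SP1 zone reserved 50
set SP1 flow-session maximum 100
set SP1 flow-session reserved 50
set SP1 logical-system LSYS1
set SP2 policy maximum 100
set SP2 policy reserved 50
set SP2 zone maximum 100
set SP2 zone reserved 50
set SP2 flow-session maximum 100
set SP2 flow-session reserved 50
set SP2 logical-system LSYS2
"""

# Per-resource capacity of the platform. ASSUMED placeholder values (the page
# does not state them); replace with the real limits of your SRX model.
ASSUMED_CAPACITY = {"policy": 400, "zone": 400, "flow-session": 400}


def parse_security_profiles(text):
    """Parse 'set <profile> ...' lines.

    Returns (profiles, bindings):
      profiles[name][resource] -> {"maximum": int, "reserved": int}
      bindings -> list of (profile, logical_system) pairs
    """
    profiles = defaultdict(lambda: defaultdict(dict))
    bindings = []
    for raw in text.splitlines():
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        name = tok[1]
        profiles[name]  # record the profile even when it carries no quotas (SP0)
        if len(tok) == 5 and tok[2] in RESOURCES and tok[3] in ("maximum", "reserved"):
            profiles[name][tok[2]][tok[3]] = int(tok[4])
        elif len(tok) == 4 and tok[2] == "logical-system":
            bindings.append((name, tok[3]))
        elif tok[2] == "root-logical-system":
            bindings.append((name, "root-logical-system"))
    return {n: dict(res) for n, res in profiles.items()}, bindings


def reserved_totals(profiles, bindings):
    """Guaranteed ('reserved') quota the system must set aside, per resource.
    Every logical system bound to a profile is guaranteed that profile's
    reserved count, so the sum runs over bindings rather than over profiles."""
    totals = {r: 0 for r in RESOURCES}
    for name, _lsys in bindings:
        for res in RESOURCES:
            totals[res] += profiles.get(name, {}).get(res, {}).get("reserved", 0)
    return totals


def validate_profiles(profiles, bindings, capacity):
    """Return a list of problems; an empty list means the profiles are consistent."""
    problems = []
    for name, resources in profiles.items():
        for res, quota in resources.items():
            reserved, maximum = quota.get("reserved", 0), quota.get("maximum")
            if maximum is not None and reserved > maximum:
                problems.append(f"{name}: {res} reserved {reserved} exceeds maximum {maximum}")
            if maximum is not None and maximum > capacity[res]:
                problems.append(f"{name}: {res} maximum {maximum} exceeds capacity {capacity[res]}")
    for res, total in reserved_totals(profiles, bindings).items():
        if total > capacity[res]:
            problems.append(f"{res}: total reserved {total} exceeds capacity {capacity[res]}")
    bound = {name for name, _ in bindings}
    problems += [f"{name}: profile is not bound to any logical system" for name in profiles if name not in bound]
    return problems


if __name__ == "__main__":
    profiles, bindings = parse_security_profiles(PAGE_COMMANDS)
    print("reserved totals:", reserved_totals(profiles, bindings))
    print("\n".join(validate_profiles(profiles, bindings, ASSUMED_CAPACITY)) or "profiles OK")
```

With the page's profiles the reservations sum to 200 of each resource (100 for the root logical system, 50 each for LSYS1 and LSYS2, nothing for the dummy SP0), so the check passes against the assumed capacity of 400; feed it the real platform limits before trusting the result.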
- Configure the master logical system.
Step-by-Step Procedure
- Configure logical tunnel interfaces.
[edit interfaces]
user@host# set lt-0/0/0 unit 1 encapsulation ethernet
user@host# set lt-0/0/0 unit 1 peer-unit 0
user@host# set lt-0/0/0 unit 1 family inet6 address 2111::1/64
- Configure a routing instance.
[edit routing-instances]
user@host# set vr0 instance-type virtual-router
user@host# set vr0 interface lt-0/0/0.1
user@host# set vr0 interface reth0.0
user@host# set vr0 routing-options rib vr0.inet6.0 static route 8885::/64 next-hop 2111::3
user@host# set vr0 routing-options rib vr0.inet6.0 static route 7775::/64 next-hop 2111::3
user@host# set vr0 routing-options rib vr0.inet6.0 static route 6665::/64 next-hop 2111::5
- Configure zones.
[edit security zones]
user@host# set security-zone root-trust host-inbound-traffic system-services all
user@host# set security-zone root-trust host-inbound-traffic protocols all
user@host# set security-zone root-trust interfaces reth0.0
user@host# set security-zone root-untrust host-inbound-traffic system-services all
user@host# set security-zone root-untrust host-inbound-traffic protocols all
user@host# set security-zone root-untrust interfaces lt-0/0/0.1
- Configure security policies.
[edit security policies from-zone root-trust to-zone root-untrust]
user@host# set policy root-Trust_to_root-Untrust match source-address any
user@host# set policy root-Trust_to_root-Untrust match destination-address any
user@host# set policy root-Trust_to_root-Untrust match application any
user@host# set policy root-Trust_to_root-Untrust then permit
[edit security policies from-zone root-untrust to-zone root-trust]
user@host# set policy root-Untrust_to_root-Trust match source-address any
user@host# set policy root-Untrust_to_root-Trust match destination-address any
user@host# set policy root-Untrust_to_root-Trust match application any
user@host# set policy root-Untrust_to_root-Trust then permit
[edit security policies from-zone root-untrust to-zone root-untrust]
user@host# set policy root-Untrust_to_root-Untrust match source-address any
user@host# set policy root-Untrust_to_root-Untrust match destination-address any
user@host# set policy root-Untrust_to_root-Untrust match application any
user@host# set policy root-Untrust_to_root-Untrust then permit
[edit security policies from-zone root-trust to-zone root-trust]
user@host# set policy root-Trust_to_root-Trust match source-address any
user@host# set policy root-Trust_to_root-Trust match destination-address any
user@host# set policy root-Trust_to_root-Trust match application any
user@host# set policy root-Trust_to_root-Trust then permit
- Configure the interconnect logical system.
Step-by-Step Procedure
- Configure logical tunnel interfaces.
[edit logical-systems LSYS0 interfaces]
user@host# set lt-0/0/0 unit 0 encapsulation ethernet-vpls
user@host# set lt-0/0/0 unit 0 peer-unit 1
user@host# set lt-0/0/0 unit 2 encapsulation ethernet-vpls
user@host# set lt-0/0/0 unit 2 peer-unit 3
user@host# set lt-0/0/0 unit 4 encapsulation ethernet-vpls
user@host# set lt-0/0/0 unit 4 peer-unit 5
- Configure the VPLS routing instance.
[edit logical-systems LSYS0 routing-instances]
user@host# set vr instance-type vpls
user@host# set vr interface lt-0/0/0.0
user@host# set vr interface lt-0/0/0.2
user@host# set vr interface lt-0/0/0.4
- Configure logical tunnel interfaces for the user logical systems.
Step-by-Step Procedure
- Configure logical tunnel interfaces for LSYS1.
[edit logical-systems LSYS1 interfaces]
user@host# set lt-0/0/0 unit 3 encapsulation ethernet
user@host# set lt-0/0/0 unit 3 peer-unit 2
user@host# set lt-0/0/0 unit 3 family inet6 address 2111::3/64
- Configure logical tunnel interfaces for LSYS2.
[edit logical-systems LSYS2 interfaces]
user@host# set lt-0/0/0 unit 5 encapsulation ethernet
user@host# set lt-0/0/0 unit 5 peer-unit 4
user@host# set lt-0/0/0 unit 5 family inet6 address 2111::5/64
Results
From configuration mode, confirm the configuration for LSYS0 by entering the show logical-systems LSYS0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
From configuration mode, confirm the configuration for the master logical system by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
User Logical System Configuration with IPv6 (User Logical System Administrator)
CLI Quick Configuration
To quickly configure user logical systems, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.
Enter the following commands while logged in as the user logical system administrator for LSYS1:
Enter the following commands while logged in as the user logical system administrator for LSYS2:
Step-by-Step Procedure
Note: The user logical system administrator performs the following configuration while logged into his or her user logical system. The master administrator can also configure a user logical system at the [edit logical-systems logical-system] hierarchy level.
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure the LSYS1 user logical system:
- Configure interfaces.
[edit interfaces]
lsys1-admin@host:LSYS1# set reth1 unit 0 family inet6 address 8885::1/64
lsys1-admin@host:LSYS1# set reth2 unit 0 family inet6 address 7775::1/64
- Configure routing.
[edit routing-instances]
lsys1-admin@host:LSYS1# set vr11 instance-type virtual-router
lsys1-admin@host:LSYS1# set vr11 interface lt-0/0/0.3
lsys1-admin@host:LSYS1# set vr11 interface reth1.0
lsys1-admin@host:LSYS1# set vr11 routing-options rib vr11.inet6.0 static route 6665::/64 next-hop 2111::5
lsys1-admin@host:LSYS1# set vr11 routing-options rib vr11.inet6.0 static route 9995::/64 next-hop 2111::1
lsys1-admin@host:LSYS1# set vr12 instance-type virtual-router
lsys1-admin@host:LSYS1# set vr12 interface reth2.0
lsys1-admin@host:LSYS1# set vr12 routing-options interface-routes rib-group inet6 vr11vr12v6
lsys1-admin@host:LSYS1# set vr12 routing-options rib vr12.inet6.0 static route 8885::/64 next-table vr11.inet6.0
lsys1-admin@host:LSYS1# set vr12 routing-options rib vr12.inet6.0 static route 9995::/64 next-table vr11.inet6.0
lsys1-admin@host:LSYS1# set vr12 routing-options rib vr12.inet6.0 static route 6665::/64 next-table vr11.inet6.0
lsys1-admin@host:LSYS1# set vr12 routing-options rib vr12.inet6.0 static route 2111::/64 next-table vr11.inet6.0
[edit routing-options]
lsys1-admin@host:LSYS1# set rib-groups vr11vr12v6 import-rib vr11.inet6.0
lsys1-admin@host:LSYS1# set rib-groups vr11vr12v6 import-rib vr12.inet6.0
- Configure zones and security policies.
[edit security zones]
lsys1-admin@host:LSYS1# set security-zone lsys1-trust host-inbound-traffic system-services all
lsys1-admin@host:LSYS1# set security-zone lsys1-trust host-inbound-traffic protocols all
lsys1-admin@host:LSYS1# set security-zone lsys1-trust interfaces reth1.0
lsys1-admin@host:LSYS1# set security-zone lsys1-trust interfaces lt-0/0/0.3
lsys1-admin@host:LSYS1# set security-zone lsys1-untrust host-inbound-traffic system-services all
lsys1-admin@host:LSYS1# set security-zone lsys1-untrust host-inbound-traffic protocols all
lsys1-admin@host:LSYS1# set security-zone lsys1-untrust interfaces reth2.0
[edit security policies from-zone lsys1-trust to-zone lsys1-untrust]
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust match source-address any
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust match destination-address any
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust match application any
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1untrust then permit
[edit security policies from-zone lsys1-untrust to-zone lsys1-trust]
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust match source-address any
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust match destination-address any
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust match application any
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1trust then permit
[edit security policies from-zone lsys1-untrust to-zone lsys1-untrust]
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust match source-address any
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust match destination-address any
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust match application any
lsys1-admin@host:LSYS1# set policy lsys1untrust-to-lsys1untrust then permit
[edit security policies from-zone lsys1-trust to-zone lsys1-trust]
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust match source-address any
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust match destination-address any
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust match application any
lsys1-admin@host:LSYS1# set policy lsys1trust-to-lsys1trust then permit
Step-by-Step Procedure
To configure the LSYS2 user logical system:
- Configure interfaces.
[edit interfaces]
lsys2-admin@host:LSYS2# set reth3 unit 0 family inet6 address 6665::1/64
- Configure routing.
[edit routing-instances]
lsys2-admin@host:LSYS2# set vr2 instance-type virtual-router
lsys2-admin@host:LSYS2# set vr2 interface lt-0/0/0.5
lsys2-admin@host:LSYS2# set vr2 interface reth3.0
lsys2-admin@host:LSYS2# set vr2 routing-options rib vr2.inet6.0 static route 7775::/64 next-hop 2111::3
lsys2-admin@host:LSYS2# set vr2 routing-options rib vr2.inet6.0 static route 8885::/64 next-hop 2111::3
lsys2-admin@host:LSYS2# set vr2 routing-options rib vr2.inet6.0 static route 9995::/64 next-hop 2111::1
- Configure zones and security policies.
[edit security zones]
lsys2-admin@host:LSYS2# set security-zone lsys2-trust host-inbound-traffic system-services all
lsys2-admin@host:LSYS2# set security-zone lsys2-trust host-inbound-traffic protocols all
lsys2-admin@host:LSYS2# set security-zone lsys2-trust interfaces reth3.0
lsys2-admin@host:LSYS2# set security-zone lsys2-untrust host-inbound-traffic system-services all
lsys2-admin@host:LSYS2# set security-zone lsys2-untrust host-inbound-traffic protocols all
lsys2-admin@host:LSYS2# set security-zone lsys2-untrust interfaces lt-0/0/0.5
[edit security policies from-zone lsys2-trust to-zone lsys2-untrust]
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust match source-address any
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust match destination-address any
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust match application any
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2untrust then permit
[edit security policies from-zone lsys2-untrust to-zone lsys2-trust]
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust match source-address any
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust match destination-address any
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust match application any
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2trust then permit
[edit security policies from-zone lsys2-untrust to-zone lsys2-untrust]
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust match source-address any
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust match destination-address any
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust match application any
lsys2-admin@host:LSYS2# set policy lsys2untrust-to-lsys2untrust then permit
[edit security policies from-zone lsys2-trust to-zone lsys2-trust]
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust match source-address any
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust match destination-address any
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust match application any
lsys2-admin@host:LSYS2# set policy lsys2trust-to-lsys2trust then permit
Results
From configuration mode, confirm the configuration for LSYS1 by entering the show interfaces, show routing-instances, show routing-options, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
From configuration mode, confirm the configuration for LSYS2 by entering the show interfaces, show routing-instances, and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
- Verifying Chassis Cluster Status (IPv6)
- Troubleshooting Chassis Cluster with Logs (IPv6)
- Verifying Logical System Licenses (IPv6)
- Verifying Logical System License Usage (IPv6)
- Verifying Intra-Logical System Traffic on a Logical System (IPv6)
- Verifying Intra-Logical System Traffic Within All Logical Systems (IPv6)
- Verifying Traffic Between User Logical Systems (IPv6)
Verifying Chassis Cluster Status (IPv6)
Purpose
Verify the chassis cluster status, failover status, and redundancy group information.
Action
From operational mode, enter the show chassis cluster status command.
{primary:node0}
user@host> show chassis cluster status
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   200         primary        no       no
    node1                   100         secondary      no       no
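In an active/passive cluster the output above is the expected steady state: both redundancy groups primary on node0, one secondary, and no manual failover flag. The following Python script is an added example (not Juniper code and not part of this documentation) that parses show chassis cluster status output into a structure and returns the findings a monitoring job would alert on: a redundancy group that is primary on the wrong node or on no node at all, a group without exactly one secondary, a node in a state other than primary or secondary, and a manual failover flag that was never cleared. The second sample is constructed, not from the page, and shows what the same check reports after redundancy group 1 has been failed over by hand with request chassis cluster failover.

```python
import re

# 'show chassis cluster status' output copied from this example.
PAGE_STATUS = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

Redundancy group: 1 , Failover count: 1
    node0                   200         primary        no       no
    node1                   100         secondary      no       no
"""

# CONSTRUCTED sample (not from the page): redundancy group 1 was moved to
# node1 by a manual failover request and the manual flag is still set.
CONSTRUCTED_FAILED_OVER = """\
Cluster ID: 1
Node                  Priority          Status    Preempt  Manual failover

Redundancy group: 0 , Failover count: 1
    node0                   200         primary        no       no
    node1                   100         secondary      no       no

Redundancy group: 1 , Failover count: 2
    node0                   200         secondary      no       yes
    node1                   100         primary        no       yes
"""

CLUSTER_RE = re.compile(r"^Cluster ID:\s*(\d+)")
RG_RE = re.compile(r"^Redundancy group:\s*(\d+)\s*,\s*Failover count:\s*(\d+)")
NODE_RE = re.compile(r"^\s*(node\d)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_cluster_status(text):
    """Return {"cluster_id": int, "groups": {rg: {"failover_count": int, "nodes": {...}}}}."""
    result = {"cluster_id": None, "groups": {}}
    current = None
    for line in text.splitlines():
        m = CLUSTER_RE.match(line)
        if m:
            result["cluster_id"] = int(m.group(1))
            continue
        m = RG_RE.match(line)
        if m:
            current = {"failover_count": int(m.group(2)), "nodes": {}}
            result["groups"][int(m.group(1))] = current
            continue
        m = NODE_RE.match(line)  # the header row starts with 'Node', so it does not match
        if m and current is not None:
            node, prio, status, preempt, manual = m.groups()
            current["nodes"][node] = {
                "priority": int(prio),
                "status": status,
                "preempt": preempt == "yes",
                "manual_failover": manual == "yes",
            }
    return result


def check_active_passive(status, expected_primary="node0"):
    """Findings for an active/passive cluster: every redundancy group should be
    primary on expected_primary, have exactly one secondary, and show no manual
    failover flag or unexpected node state. Empty list means all is well."""
    findings = []
    for rg, info in sorted(status["groups"].items()):
        nodes = info["nodes"]
        primaries = [n for n, d in nodes.items() if d["status"] == "primary"]
        secondaries = [n for n, d in nodes.items() if d["status"] == "secondary"]
        if primaries != [expected_primary]:
            findings.append(f"RG{rg}: primary is {primaries or 'none'}, expected {expected_primary}")
        if len(secondaries) != 1:
            findings.append(f"RG{rg}: expected one secondary node, found {len(secondaries)}")
        for n, d in nodes.items():
            if d["manual_failover"]:
                findings.append(f"RG{rg}: manual failover flag set on {n}")
            if d["status"] not in ("primary", "secondary"):
                findings.append(f"RG{rg}: {n} is in state {d['status']}")
    return findings


if __name__ == "__main__":
    for label, text in (("page", PAGE_STATUS), ("constructed", CONSTRUCTED_FAILED_OVER)):
        print(label, check_active_passive(parse_cluster_status(text)) or "OK")
```

The same parser serves an active/active cluster if you call check_active_passive once per redundancy group with the node you expect to own that group; the page notes that in active/active deployments different groups can be primary on different nodes.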
Troubleshooting Chassis Cluster with Logs (IPv6)
Purpose
Use these logs to identify any chassis cluster issues. Run these commands on both nodes.
Action
From operational mode, enter these show log commands.
user@host> show log jsrpd
user@host> show log chassisd
user@host> show log messages
user@host> show log dcd
user@host> show traceoptions
Verifying Logical System Licenses (IPv6)
Purpose
Verify information about logical system licenses.
Action
From operational mode, enter the show system license status logical-system all command.
{primary:node0}
user@host> show system license status logical-system all
node0:
--------------------------------------------------------------------------
Logical system license status:
  logical system name              license status
  root-logical-system              enabled
  LSYS0                            enabled
  LSYS1                            enabled
  LSYS2                            enabled
Verifying Logical System License Usage (IPv6)
Purpose
Verify information about logical system license usage.
Note: The actual number of licenses used is only displayed on the primary node.
Action
From operational mode, enter the show system license command.
{primary:node0}
user@host> show system license
License usage:
                                 Licenses     Licenses    Licenses    Expiry
  Feature name                       used    installed      needed
  logical-system                        4           25           0    permanent

Licenses installed:
  License identifier: JUNOS305013
  License version: 2
  Valid for device: JN110B54BAGB
  Features:
    logical-system-25 - Logical System Capacity
      permanent
Verifying Intra-Logical System Traffic on a Logical System (IPv6)
Purpose
Verify information about currently active security sessions within a logical system.
Action
From operational mode, enter the show security flow session logical-system LSYS1 command.
{primary:node0}
user@host> show security flow session logical-system LSYS1
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Session ID: 10000115, Policy name: lsys1trust-to-lsys1untrust/8, State: Active, Timeout: 1784, Valid
  In: 8885::2/34564 --> 7775::2/23;tcp, If: reth1.0, Pkts: 22, Bytes: 1745
  Out: 7775::2/23 --> 8885::2/34564;tcp, If: reth2.0, Pkts: 19, Bytes: 2108
Total sessions: 1

Flow Sessions on FPC2 PIC0:
Total sessions: 0

Flow Sessions on FPC2 PIC1:
Total sessions: 0

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Session ID: 10000006, Policy name: lsys1trust-to-lsys1untrust/8, State: Backup, Timeout: 14392, Valid
  In: 8885::2/34564 --> 7775::2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
  Out: 7775::2/23 --> 8885::2/34564;tcp, If: reth2.0, Pkts: 0, Bytes: 0
Total sessions: 1

Flow Sessions on FPC2 PIC0:
Total sessions: 0

Flow Sessions on FPC2 PIC1:
Total sessions: 0
Verifying Intra-Logical System Traffic Within All Logical Systems (IPv6)
Purpose
Verify information about currently active security sessions on all logical systems.
Action
From operational mode, enter the show security flow session logical-system all command.
{primary:node0}
user@host> show security flow session logical-system all
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Session ID: 10000115, Policy name: lsys1trust-to-lsys1untrust/8, State: Active, Timeout: 1776, Valid
Logical system: LSYS1
  In: 8885::2/34564 --> 7775::2/23;tcp, If: reth1.0, Pkts: 22, Bytes: 1745
  Out: 7775::2/23 --> 8885::2/34564;tcp, If: reth2.0, Pkts: 19, Bytes: 2108
Total sessions: 1

Flow Sessions on FPC2 PIC0:
Total sessions: 0

Flow Sessions on FPC2 PIC1:
Total sessions: 0

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Session ID: 10000006, Policy name: lsys1trust-to-lsys1untrust/8, State: Backup, Timeout: 14384, Valid
Logical system: LSYS1
  In: 8885::2/34564 --> 7775::2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
  Out: 7775::2/23 --> 8885::2/34564;tcp, If: reth2.0, Pkts: 0, Bytes: 0
Total sessions: 1

Flow Sessions on FPC2 PIC0:
Total sessions: 0

Flow Sessions on FPC2 PIC1:
Total sessions: 0
Verifying Traffic Between User Logical Systems (IPv6)
Purpose
Verify information about currently active security sessions between logical systems.
Action
From operational mode, enter the show security flow session logical-system logical-system-name command.
{primary:node0}
user@host> show security flow session logical-system LSYS1
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC2 PIC0:
Session ID: 80000118, Policy name: lsys1trust-to-lsys1trust/11, State: Active, Timeout: 1792, Valid
  In: 8885::2/34565 --> 6665::2/23;tcp, If: reth1.0, Pkts: 91, Bytes: 6802
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: lt-0/0/0.3, Pkts: 65, Bytes: 6701
Total sessions: 1

Flow Sessions on FPC2 PIC1:
Total sessions: 0

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC2 PIC0:
Session ID: 80000010, Policy name: lsys1trust-to-lsys1trust/11, State: Backup, Timeout: 14388, Valid
  In: 8885::2/34565 --> 6665::2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: lt-0/0/0.3, Pkts: 0, Bytes: 0
Total sessions: 1

Flow Sessions on FPC2 PIC1:
Total sessions: 0

{primary:node0}
user@host> show security flow session logical-system LSYS2
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC2 PIC0:
Session ID: 80000119, Policy name: lsys2untrust-to-lsys2trust/13, State: Active, Timeout: 1788, Valid
  In: 8885::2/34565 --> 6665::2/23;tcp, If: lt-0/0/0.5, Pkts: 91, Bytes: 6802
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: reth3.0, Pkts: 65, Bytes: 6701
Total sessions: 1

Flow Sessions on FPC2 PIC1:
Total sessions: 0

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC2 PIC0:
Session ID: 80000011, Policy name: lsys2untrust-to-lsys2trust/13, State: Backup, Timeout: 14380, Valid
  In: 8885::2/34565 --> 6665::2/23;tcp, If: lt-0/0/0.5, Pkts: 0, Bytes: 0
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: reth3.0, Pkts: 0, Bytes: 0
Total sessions: 1

Flow Sessions on FPC2 PIC1:
Total sessions: 0

{primary:node0}
user@host> show security flow session logical-system all
node0:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC2 PIC0:
Session ID: 80000118, Policy name: lsys1trust-to-lsys1trust/11, State: Active, Timeout: 1784, Valid
Logical system: LSYS1
  In: 8885::2/34565 --> 6665::2/23;tcp, If: reth1.0, Pkts: 91, Bytes: 6802
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: lt-0/0/0.3, Pkts: 65, Bytes: 6701
Session ID: 80000119, Policy name: lsys2untrust-to-lsys2trust/13, State: Active, Timeout: 1784, Valid
Logical system: LSYS2
  In: 8885::2/34565 --> 6665::2/23;tcp, If: lt-0/0/0.5, Pkts: 91, Bytes: 6802
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: reth3.0, Pkts: 65, Bytes: 6701
Total sessions: 2

Flow Sessions on FPC2 PIC1:
Total sessions: 0

node1:
--------------------------------------------------------------------------

Flow Sessions on FPC0 PIC1:
Total sessions: 0

Flow Sessions on FPC2 PIC0:
Session ID: 80000010, Policy name: lsys1trust-to-lsys1trust/11, State: Backup, Timeout: 14378, Valid
Logical system: LSYS1
  In: 8885::2/34565 --> 6665::2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: lt-0/0/0.3, Pkts: 0, Bytes: 0
Session ID: 80000011, Policy name: lsys2untrust-to-lsys2trust/13, State: Backup, Timeout: 14376, Valid
Logical system: LSYS2
  In: 8885::2/34565 --> 6665::2/23;tcp, If: lt-0/0/0.5, Pkts: 0, Bytes: 0
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: reth3.0, Pkts: 0, Bytes: 0
Total sessions: 2

Flow Sessions on FPC2 PIC1:
Total sessions: 0
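The flow session outputs in this verification section show two things worth checking automatically: a connection that crosses from LSYS1 into LSYS2 over the interconnect appears once in each logical system (same IPv6 5-tuple, different interfaces and policies), and every State: Active session on node0 has a State: Backup twin on node1 with zero packet counters, which is the evidence that RTO synchronization over the fabric links is working and a failover would preserve the session. The following Python script is an added example, not Juniper code and not part of this documentation: it parses show security flow session logical-system all output into session records keyed by logical system and 5-tuple, counts active sessions per logical system, and reports active sessions on the primary that have no backup on the secondary. The embedded sample is the page's last output with the zero-session PIC blocks omitted.

```python
import re
from collections import defaultdict

# 'show security flow session logical-system all' output copied from this
# example, trimmed to the PIC that holds sessions on each node.
PAGE_OUTPUT = """\
node0:
--------------------------------------------------------------------------
Flow Sessions on FPC2 PIC0:
Session ID: 80000118, Policy name: lsys1trust-to-lsys1trust/11, State: Active, Timeout: 1784, Valid
Logical system: LSYS1
  In: 8885::2/34565 --> 6665::2/23;tcp, If: reth1.0, Pkts: 91, Bytes: 6802
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: lt-0/0/0.3, Pkts: 65, Bytes: 6701
Session ID: 80000119, Policy name: lsys2untrust-to-lsys2trust/13, State: Active, Timeout: 1784, Valid
Logical system: LSYS2
  In: 8885::2/34565 --> 6665::2/23;tcp, If: lt-0/0/0.5, Pkts: 91, Bytes: 6802
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: reth3.0, Pkts: 65, Bytes: 6701
Total sessions: 2

node1:
--------------------------------------------------------------------------
Flow Sessions on FPC2 PIC0:
Session ID: 80000010, Policy name: lsys1trust-to-lsys1trust/11, State: Backup, Timeout: 14378, Valid
Logical system: LSYS1
  In: 8885::2/34565 --> 6665::2/23;tcp, If: reth1.0, Pkts: 0, Bytes: 0
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: lt-0/0/0.3, Pkts: 0, Bytes: 0
Session ID: 80000011, Policy name: lsys2untrust-to-lsys2trust/13, State: Backup, Timeout: 14376, Valid
Logical system: LSYS2
  In: 8885::2/34565 --> 6665::2/23;tcp, If: lt-0/0/0.5, Pkts: 0, Bytes: 0
  Out: 6665::2/23 --> 8885::2/34565;tcp, If: reth3.0, Pkts: 0, Bytes: 0
Total sessions: 2
"""

NODE_RE = re.compile(r"^(node\d+):$")
SESSION_RE = re.compile(r"Session ID: (\d+), Policy name: (\S+), State: (\w+), Timeout: (\d+), (\w+)")
LSYS_RE = re.compile(r"Logical system: (\S+)")  # searched, so it also works when printed on the session line
FLOW_RE = re.compile(r"\b(In|Out): (\S+) --> (\S+);(\w+), If: (\S+), Pkts: (\d+), Bytes: (\d+)")


def parse_flow_sessions(text):
    """Return a list of session dicts (node, id, policy, state, timeout, valid,
    logical_system, flows) in the order they appear in the output."""
    sessions, node, current = [], None, None
    for line in text.splitlines():
        m = NODE_RE.match(line.strip())
        if m:
            node = m.group(1)
            continue
        m = SESSION_RE.search(line)
        if m:
            sid, policy, state, timeout, valid = m.groups()
            current = {"node": node, "id": int(sid), "policy": policy, "state": state,
                       "timeout": int(timeout), "valid": valid == "Valid",
                       "logical_system": None, "flows": {}}
            sessions.append(current)
        m = LSYS_RE.search(line)
        if m and current is not None:
            current["logical_system"] = m.group(1)
        m = FLOW_RE.search(line)
        if m and current is not None:
            direction, src, dst, proto, ifname, pkts, nbytes = m.groups()
            current["flows"][direction] = {"src": src, "dst": dst, "proto": proto,
                                           "interface": ifname, "pkts": int(pkts), "bytes": int(nbytes)}
    return sessions


def session_key(s):
    """Identity of a session across nodes: logical system plus the inbound
    5-tuple. The same connection shows up once per logical system it crosses."""
    inflow = s["flows"].get("In", {})
    return (s["logical_system"], inflow.get("src"), inflow.get("dst"), inflow.get("proto"))


def sessions_per_logical_system(sessions, node="node0"):
    counts = defaultdict(int)
    for s in sessions:
        if s["node"] == node and s["state"] == "Active":
            counts[s["logical_system"]] += 1
    return dict(counts)


def check_backup_sync(sessions, active_node="node0", backup_node="node1"):
    """Keys of Active sessions on the primary that have no State: Backup twin on
    the secondary; a non-empty result means those connections would be lost on
    failover and RTO synchronization deserves a look (fabric links, jsrpd log)."""
    backups = {session_key(s) for s in sessions if s["node"] == backup_node and s["state"] == "Backup"}
    return [session_key(s) for s in sessions
            if s["node"] == active_node and s["state"] == "Active" and session_key(s) not in backups]


if __name__ == "__main__":
    parsed = parse_flow_sessions(PAGE_OUTPUT)
    print("active sessions per logical system:", sessions_per_logical_system(parsed))
    print("active sessions without a backup:", check_backup_sync(parsed) or "none")
```

Because the key includes the logical system, the LSYS1 and LSYS2 records for the one TCP connection between 8885::2 and 6665::2 are matched to their own backups rather than to each other; dropping the node1 LSYS2 entry from the sample makes the check name exactly that flow.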