    Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System

    This example shows how to create user logical systems and assign administrators to them. It shows how to add users to a user logical system. And the example shows how to create an interconnect logical system, which is optional.

    Note: Only the master administrator can create login accounts for administrators and users. A user logical system administrator who wants to add users to that logical system must pass the account details to the master administrator, who creates the accounts.

    Requirements

    The example uses an SRX5600 device running Junos OS with logical systems.

    Overview

    Before you begin, read SRX Series Logical System Master Administrator Configuration Tasks Overview to understand how this task fits into the overall configuration process.

    This example is for a company that includes product design, marketing, and accounting departments. The company wants to curtail hardware and energy costs, but not at the risk of exposing data across departments or to the Internet.

    Each department has its own security requirements in regard both to other departments and to the Internet. To meet its requirements for cost control without forfeiting security, the company deploys the SRX5600 device. The master administrator configures three user logical systems giving each department a logical device that is private and fully secured.

    This topic covers how to:

    • Create user logical systems and an interconnect logical system that is used as an internal VPLS switch to allow traffic to pass from one logical system to another.
    • Create administrators for user logical systems other than the interconnect logical system. A user logical system can have more than one administrator. The interconnect logical system does not require an administrator.
    • Add users to a user logical system.

      Note: This example shows how to configure only two users—lsdesignuser1 and lsdesignuser2. In reality, every user logical system will include many users that would require configurations similar to those shown in this example.

    Figure 1 shows an SRX5600 device deployed and configured for logical systems. The configuration examples reflect this deployment.

    Figure 1: SRX Series Device Configured for Logical Systems

    Configuration

    Configuring User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set logical-systems ls-product-design
    set system login class ls-design-admin logical-system ls-product-design
    set system login class ls-design-admin permissions all
    set system login user lsdesignadmin1 full-name lsdesignadmin1
    set system login user lsdesignadmin1 class ls-design-admin
    set system login user lsdesignadmin1 authentication encrypted-password "$1$VYfdRheI$CMSegr7Zi9RG4JNKa90iS/"
    set system login class ls-design-user logical-system ls-product-design
    set system login class ls-design-user permissions view
    set system login user lsdesignuser1 full-name lsdesignuser1
    set system login user lsdesignuser1 class ls-design-user
    set system login user lsdesignuser1 authentication encrypted-password "$1$7tUK.xiD$NrODFcA1r5mRAFfP2ltXt0"
    set system login user lsdesignuser2 full-name lsdesignuser2
    set system login user lsdesignuser2 class ls-design-user
    set system login user lsdesignuser2 authentication encrypted-password "$1$KLh7M1ri$QhWyFK76lNfIJ0cJv0Wic0"
    set logical-systems ls-marketing-dept
    set system login class ls-marketing-admin logical-system ls-marketing-dept
    set system login class ls-marketing-admin permissions all
    set system login user lsmarketingadmin1 class ls-marketing-admin
    set system login user lsmarketingadmin1 full-name lsmarketingadmin1
    set system login user lsmarketingadmin1 authentication encrypted-password "$1$vEJdnI3F$/srH5kEqO/bUhsbOOWxXB."
    set system login user lsmarketingadmin2 full-name lsmarketingadmin2
    set system login user lsmarketingadmin2 class ls-marketing-admin
    set system login user lsmarketingadmin2 authentication encrypted-password "$1$ANlhADCm$UKnXtRMajiDxhREL2XA5k."
    set logical-systems ls-accounting-dept
    set system login class ls-accounting-admin logical-system ls-accounting-dept
    set system login class ls-accounting-admin permissions all
    set system login user lsaccountingadmin1 full-name lsaccountingadmin1
    set system login user lsaccountingadmin1 class ls-accounting-admin
    set system login user lsaccountingadmin1 authentication encrypted-password "$1$qZt6lVFr$NfjsX9pe7CsKzveNnIUz11"
    set logical-systems interconnect-logical-system

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide PDF Document.

    1. Create the first user logical system and define its administrator.

      Step-by-Step Procedure

      1. Create the user logical system.
        [edit]
        user@host# set logical-systems ls-product-design
      2. Create the administrator login class and bind it to the user logical system. A login class with no logical-system statement belongs to the master logical system, so this binding is what confines the administrator to ls-product-design.
        [edit system]
        user@host# set login class ls-design-admin logical-system ls-product-design
      3. Give the login class full permission over the user logical system.
        [edit system]
        user@host# set login class ls-design-admin permissions all
      4. Assign a full name to the user logical system administrator.
        [edit system]
        user@host# set login user lsdesignadmin1 full-name lsdesignadmin1
      5. Associate the login class with the user logical system administrator to allow the administrator to log in to the user logical system.
        [edit system]
        user@host# set login user lsdesignadmin1 class ls-design-admin
      6. Create a login password for the user logical system administrator.
        [edit system]
        user@host# set login user lsdesignadmin1 authentication plain-text-password
        New password: Talk1234
        Retype new password: Talk1234
    2. Configure the first user for the logical system.

      Step-by-Step Procedure

      1. Create the user login class and bind it to the user logical system.
        [edit system]
        user@host# set login class ls-design-user logical-system ls-product-design
      2. To let the user see the logical system's resources and settings but not change them, assign view as the permission for the login class.
        [edit system]
        user@host# set login class ls-design-user permissions view
      3. Assign a full name to the logical system user.
        [edit system]
        user@host# set login user lsdesignuser1 full-name lsdesignuser1
      4. Associate the login class with the user to allow the user to log in to the user logical system.
        [edit system]
        user@host# set login user lsdesignuser1 class ls-design-user
      5. Create a login password for the user.
        [edit system]
        user@host# set login user lsdesignuser1 authentication plain-text-password
        New password: Talk4234
        Retype new password: Talk4234
    3. Create the second user for logical system ls-product-design.

      Step-by-Step Procedure

      1. Assign a full name to the user.
        [edit system]
        user@host# set login user lsdesignuser2 full-name lsdesignuser2
      2. Associate the user with the login class to allow the user to log in to the user logical system.
        [edit system]
        user@host# set login user lsdesignuser2 class ls-design-user
      3. Create a login password for the user.
        [edit system]
        user@host# set login user lsdesignuser2 authentication plain-text-password
        New password: Talk9234
        Retype new password: Talk9234
    4. Create the second user logical system and define its administrator.

      Step-by-Step Procedure

      1. Create the user logical system.
        [edit]
        user@host# set logical-systems ls-marketing-dept
      2. Create the administrator login class and bind it to the user logical system.
        [edit system]
        user@host# set login class ls-marketing-admin logical-system ls-marketing-dept
      3. To give the user logical system administrator control over the user logical system, assign all as the permissions for the login class.
        [edit system]
        user@host# set login class ls-marketing-admin permissions all
      4. Assign a full name to the user logical system administrator.
        [edit system]
        user@host# set login user lsmarketingadmin1 full-name lsmarketingadmin1
      5. Associate the user logical system administrator with the login class to allow the administrator to log in to the user logical system.
        [edit system]
        user@host# set login user lsmarketingadmin1 class ls-marketing-admin
      6. Create a login password for the user logical system administrator.
        [edit system]
        user@host# set login user lsmarketingadmin1 authentication plain-text-password
        New password: Talk2345
        Retype new password: Talk2345
    5. Create a second user logical system administrator for the ls-marketing-dept logical system.

      Step-by-Step Procedure

      1. Assign a full name to the second user logical system administrator.
        [edit system]
        user@host# set login user lsmarketingadmin2 full-name lsmarketingadmin2
      2. Associate the administrator with the same login class, ls-marketing-admin, so that both administrators log in to ls-marketing-dept with full permissions.
        [edit system]
        user@host# set login user lsmarketingadmin2 class ls-marketing-admin
      3. Create a login password for the user logical system administrator.
        [edit system]
        user@host# set login user lsmarketingadmin2 authentication plain-text-password
        New password: Talk6345
        Retype new password: Talk6345
    6. Create the third user logical system and define its administrator.

      Step-by-Step Procedure

      1. Create the user logical system.
        [edit]
        user@host# set logical-systems ls-accounting-dept
      2. Create the administrator login class and bind it to the user logical system.
        [edit system]
        user@host# set login class ls-accounting-admin logical-system ls-accounting-dept
      3. To give the user logical system administrator control over the user logical system, assign all as the permissions for the login class.
        [edit system]
        user@host# set login class ls-accounting-admin permissions all
      4. Assign a full name to the user logical system administrator.
        [edit system]
        user@host# set login user lsaccountingadmin1 full-name lsaccountingadmin1
      5. Associate the user logical system administrator with the login class to allow the administrator to log in to the user logical system.
        [edit system]
        user@host# set login user lsaccountingadmin1 class ls-accounting-admin
      6. Create a login password for the user logical system administrator.
        [edit system]
        user@host# set login user lsaccountingadmin1 authentication plain-text-password
        New password: Talk5678
        Retype new password: Talk5678
    7. (Optional) Create the interconnect logical system, which acts as an internal VPLS switch so that traffic can pass from one user logical system to another. It needs no administrator or login class of its own.
      [edit]
      user@host# set logical-systems interconnect-logical-system
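The procedure above builds three privilege boundaries that are easy to get wrong by hand: every administrator class must carry a logical-system binding (a class with permissions all and no binding is a master logical system account), every user logical system other than the interconnect needs an administrator class, and every user must point at a class that exists. The following script is an added example, not Juniper's code and not part of the original page: it parses a set-format listing such as the CLI Quick Configuration above and reports violations of those rules. The sample it runs on is constructed from a subset of the page's commands plus three hypothetical mistakes (the class global-ops and the users ops1 and orphan1, whose hash and password are placeholders).

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample: a subset of the page's quick configuration plus three
# hypothetical mistakes (class global-ops and users ops1 and orphan1 are made
# up; the ops1 hash is a placeholder) that the checks below should catch.
SAMPLE_CONFIG = """
set logical-systems ls-product-design
set system login class ls-design-admin logical-system ls-product-design
set system login class ls-design-admin permissions all
set system login user lsdesignadmin1 class ls-design-admin
set system login user lsdesignadmin1 authentication encrypted-password "$1$VYfdRheI$CMSegr7Zi9RG4JNKa90iS/"
set system login class ls-design-user logical-system ls-product-design
set system login class ls-design-user permissions view
set system login user lsdesignuser1 class ls-design-user
set system login user lsdesignuser1 authentication encrypted-password "$1$7tUK.xiD$NrODFcA1r5mRAFfP2ltXt0"
set logical-systems ls-marketing-dept
set system login class ls-marketing-admin logical-system ls-marketing-dept
set system login class ls-marketing-admin permissions all
set system login user lsmarketingadmin1 class ls-marketing-admin
set system login user lsmarketingadmin1 authentication encrypted-password "$1$vEJdnI3F$/srH5kEqO/bUhsbOOWxXB."
set logical-systems ls-accounting-dept
set logical-systems interconnect-logical-system
set system login class global-ops permissions all
set system login user ops1 class global-ops
set system login user ops1 authentication encrypted-password "$1$placehold$placeholderplaceholder."
set system login user orphan1 class ls-no-such-class
set system login user orphan1 authentication plain-text-password "Talk1234"
"""

@dataclass
class LoginClass:
    name: str
    logical_system: Optional[str] = None  # None: the class lives in the master logical system
    permissions: Set[str] = field(default_factory=set)

@dataclass
class LoginUser:
    name: str
    login_class: Optional[str] = None
    auth_kind: Optional[str] = None  # encrypted-password or plain-text-password
    auth_value: Optional[str] = None

@dataclass(frozen=True)
class Finding:
    check: str
    subject: str
    detail: str

_LS = re.compile(r"^set logical-systems (\S+)")
_CLASS_LS = re.compile(r"^set system login class (\S+) logical-system (\S+)")
_CLASS_PERM = re.compile(r"^set system login class (\S+) permissions (.+)$")
_USER_CLASS = re.compile(r"^set system login user (\S+) class (\S+)")
_USER_AUTH = re.compile(r'^set system login user (\S+) authentication (encrypted-password|plain-text-password) "?([^"]*)"?')

def parse_set_config(text: str) -> Tuple[Set[str], Dict[str, LoginClass], Dict[str, LoginUser]]:
    """Build a minimal model of logical systems, login classes and users from set commands."""
    logical_systems: Set[str] = set()
    classes: Dict[str, LoginClass] = {}
    users: Dict[str, LoginUser] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if m := _LS.match(line):
            logical_systems.add(m.group(1))
        elif m := _CLASS_LS.match(line):
            classes.setdefault(m.group(1), LoginClass(m.group(1))).logical_system = m.group(2)
        elif m := _CLASS_PERM.match(line):
            perms = m.group(2).strip("[] ").split()  # 'all' or a bracketed list such as '[ view configure ]'
            classes.setdefault(m.group(1), LoginClass(m.group(1))).permissions.update(perms)
        elif m := _USER_CLASS.match(line):
            users.setdefault(m.group(1), LoginUser(m.group(1))).login_class = m.group(2)
        elif m := _USER_AUTH.match(line):
            user = users.setdefault(m.group(1), LoginUser(m.group(1)))
            user.auth_kind, user.auth_value = m.group(2), m.group(3)
    return logical_systems, classes, users

def audit(text: str, interconnect: Tuple[str, ...] = ("interconnect-logical-system",)) -> List[Finding]:
    """Return the isolation problems found in a set-format login configuration."""
    logical_systems, classes, users = parse_set_config(text)
    findings: List[Finding] = []
    for cls in classes.values():
        # No logical-system statement means the class is in the master logical system.
        if cls.logical_system is None and "all" in cls.permissions:
            findings.append(Finding("unscoped-all", cls.name,
                "permissions all with no logical-system binding: this is a master-level class"))
    for ls in sorted(logical_systems - set(interconnect)):
        if not any(c.logical_system == ls and "all" in c.permissions for c in classes.values()):
            findings.append(Finding("no-administrator", ls,
                "no login class with permissions all is bound to this user logical system"))
    for user in users.values():
        if user.login_class not in classes:
            findings.append(Finding("undefined-class", user.name,
                f"assigned to login class {user.login_class!r}, which is not defined"))
        if user.auth_kind == "plain-text-password":
            findings.append(Finding("cleartext-password", user.name,
                "password appears in clear text in the set listing"))
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"{f.check:20} {f.subject:22} {f.detail}")
```

Feed it the output of show configuration system login | display set and show configuration logical-systems | display set from the device. The unscoped-all check is the one that matters most: a class with permissions all and no logical-system statement is a master logical system superuser, not a tenant administrator, however departmental its name looks.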

    Results

    From configuration mode, confirm your configuration by entering the show logical-systems command to verify that the logical systems were created. Also enter the show system login class command for each class that you defined.

    To ensure that the logical system administrators and users were created, enter the show system login user command.

    If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    user@host# show logical-systems
    interconnect-logical-system;
    ls-accounting-dept;
    ls-marketing-dept;
    ls-product-design;

    user@host# show system login class ls-design-admin
    logical-system ls-product-design;
    permissions all;

    user@host# show system login class ls-design-user
    logical-system ls-product-design;
    permissions view;

    user@host# show system login class ls-marketing-admin
    logical-system ls-marketing-dept;
    permissions all;

    user@host# show system login class ls-accounting-admin
    logical-system ls-accounting-dept;
    permissions all;

    user@host# show system login user ?
      lsaccountingadmin1   lsaccountingadmin1
      lsdesignadmin1       lsdesignadmin1
      lsdesignuser2        lsdesignuser2
      lsmarketingadmin1    lsmarketingadmin1
      lsmarketingadmin2    lsmarketingadmin2

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying User Logical Systems and Login Configurations from the Master Logical System

    Purpose

    Verify that the user logical systems exist and that you, as the master administrator, can enter them from root. Return from a user logical system to the master logical system.

    Action

    From operational mode, enter the following command:

    root@host> set cli logical-system ls-product-design
    Logical system: ls-product-design
    root@host:ls-product-design> clear cli logical-system
    Cleared default logical system
    root@host>

    root@host> set cli logical-system ls-marketing-dept
    Logical system: ls-marketing-dept
    root@host:ls-marketing-dept> clear cli logical-system
    Cleared default logical system
    root@host>

    root@host> set cli logical-system ls-accounting-dept
    Logical system: ls-accounting-dept
    root@host:ls-accounting-dept> clear cli logical-system
    Cleared default logical system
    root@host>

    Verifying User Logical Systems and Login Configurations Using Telnet

    Purpose

    Verify that the user logical systems you created exist and that the administrators’ login IDs and passwords that you created are correct.

    Action

    Use Telnet to log in to each user logical system as its administrator would. Telnet sends the login ID and password in clear text; on a production device use SSH instead (for example, ssh lsdesignadmin1@10.11.11.19), which gives the same prompt once you are logged in.

    1. Run Telnet specifying the IP address of your SRX Series device. For example:
      telnet 10.11.11.19
    2. Enter the login ID and password for the administrator of one of the user logical systems that you created. After you log in, the prompt shows the administrator name and the logical system, which differs from the prompt you get when you enter the user logical system from the master logical system as root. Repeat this procedure for each of your user logical systems.
      login: lsdesignadmin1
      Password: Talk1234
      lsdesignadmin1@host:ls-product-design>

    Published: 2012-06-29