
    Example: Configuring User Logical Systems

    This example shows the configuration of interfaces, routing instances, zones, and security policies for user logical systems.

    Requirements

    Before you begin:

    Overview

    This example configures the ls-marketing-dept and ls-accounting-dept user logical systems shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System. Each logical system gets its own logical interface, a virtual-router routing instance, a trust zone and an untrust zone, zone-attached address books, and a pair of security policies that permit traffic only between the logical system's own subnet and the address set otherlsys.

    This example configures the parameters described in Table 1 and Table 2. Note that the address others (12.12.1.0/24) is defined in each external address book but is not a member of the otherlsys address set, so neither policy matches it; traffic to or from that prefix is handled by the default policy, which on SRX Series devices denies inter-zone traffic unless the default has been changed.

    Table 1: ls-marketing-dept Logical System Configuration

    Interface: ge-0/0/6.1
    • IP address 13.1.1.1/24
    • VLAN ID 800

    Routing instance: mk-vr1
    • Instance type: virtual router
    • Includes interfaces ge-0/0/6.1 and lt-0/0/0.5
    • Static routes:
      • 12.1.1.0/24 next-hop 10.0.1.2
      • 14.1.1.0/24 next-hop 10.0.1.4
      • 12.12.1.0/24 next-hop 10.0.1.1

    Zones:
    • ls-marketing-trust: bind to interface ge-0/0/6.1
    • ls-marketing-untrust: bind to interface lt-0/0/0.5

    Address books:
    • marketing-internal
      • Address marketers: 13.1.1.0/24
      • Attach to zone ls-marketing-trust
    • marketing-external
      • Address design: 12.1.1.0/24
      • Address accounting: 14.1.1.0/24
      • Address others: 12.12.1.0/24
      • Address set otherlsys: design, accounting
      • Attach to zone ls-marketing-untrust

    Policies:
    • permit-all-to-otherlsys permits the following traffic:
      • From zone: ls-marketing-trust
      • To zone: ls-marketing-untrust
      • Source address: marketers
      • Destination address: otherlsys
      • Application: any
    • permit-all-from-otherlsys permits the following traffic:
      • From zone: ls-marketing-untrust
      • To zone: ls-marketing-trust
      • Source address: otherlsys
      • Destination address: marketers
      • Application: any

    Table 2: ls-accounting-dept Logical System Configuration

    Interface: ge-0/0/7.1
    • IP address 14.1.1.1/24
    • VLAN ID 900

    Routing instance: acct-vr1
    • Instance type: virtual router
    • Includes interfaces ge-0/0/7.1 and lt-0/0/0.7
    • Static routes:
      • 12.1.1.0/24 next-hop 10.0.1.2
      • 13.1.1.0/24 next-hop 10.0.1.3
      • 12.12.1.0/24 next-hop 10.0.1.1

    Zones:
    • ls-accounting-trust: bind to interface ge-0/0/7.1
    • ls-accounting-untrust: bind to interface lt-0/0/0.7

    Address books:
    • accounting-internal
      • Address accounting: 14.1.1.0/24
      • Attach to zone ls-accounting-trust
    • accounting-external
      • Address design: 12.1.1.0/24
      • Address marketing: 13.1.1.0/24
      • Address others: 12.12.1.0/24
      • Address set otherlsys: design, marketing
      • Attach to zone ls-accounting-untrust

    Policies:
    • permit-all-to-otherlsys permits the following traffic:
      • From zone: ls-accounting-trust
      • To zone: ls-accounting-untrust
      • Source address: accounting
      • Destination address: otherlsys
      • Application: any
    • permit-all-from-otherlsys permits the following traffic:
      • From zone: ls-accounting-untrust
      • To zone: ls-accounting-trust
      • Source address: otherlsys
      • Destination address: accounting
      • Application: any

    Configuration

    Configuring the ls-marketing-dept User Logical System

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces ge-0/0/6 unit 1 family inet address 13.1.1.1/24
    set interfaces ge-0/0/6 unit 1 vlan-id 800
    set routing-instances mk-vr1 instance-type virtual-router
    set routing-instances mk-vr1 interface ge-0/0/6.1
    set routing-instances mk-vr1 interface lt-0/0/0.5
    set routing-instances mk-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
    set routing-instances mk-vr1 routing-options static route 14.1.1.0/24 next-hop 10.0.1.4
    set routing-instances mk-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
    set security zones security-zone ls-marketing-trust interfaces ge-0/0/6.1
    set security zones security-zone ls-marketing-untrust interfaces lt-0/0/0.5
    set security address-book marketing-external address design 12.1.1.0/24
    set security address-book marketing-external address accounting 14.1.1.0/24
    set security address-book marketing-external address others 12.12.1.0/24
    set security address-book marketing-external address-set otherlsys address design
    set security address-book marketing-external address-set otherlsys address accounting
    set security address-book marketing-external attach zone ls-marketing-untrust
    set security address-book marketing-internal address marketers 13.1.1.0/24
    set security address-book marketing-internal attach zone ls-marketing-trust
    set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match source-address marketers
    set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match destination-address otherlsys
    set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match application any
    set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys then permit
    set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match source-address otherlsys
    set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match destination-address marketers
    set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match application any
    set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys then permit

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure a user logical system:

    1. Log in to the user logical system as the logical system administrator and enter configuration mode.

       lsmarketingadmin1@host:ls-marketing-dept> configure
       lsmarketingadmin1@host:ls-marketing-dept#

    2. Configure the logical interface for the user logical system.

       [edit interfaces]
       lsmarketingadmin1@host:ls-marketing-dept# set ge-0/0/6 unit 1 family inet address 13.1.1.1/24
       lsmarketingadmin1@host:ls-marketing-dept# set ge-0/0/6 unit 1 vlan-id 800

    3. Configure the routing instance and assign interfaces.

       [edit routing-instances]
       lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 instance-type virtual-router
       lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 interface ge-0/0/6.1
       lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 interface lt-0/0/0.5

    4. Configure static routes.

       [edit routing-instances]
       lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
       lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 routing-options static route 14.1.1.0/24 next-hop 10.0.1.4
       lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1

    5. Configure security zones and assign interfaces to each zone.

       [edit security zones]
       lsmarketingadmin1@host:ls-marketing-dept# set security-zone ls-marketing-trust interfaces ge-0/0/6.1
       lsmarketingadmin1@host:ls-marketing-dept# set security-zone ls-marketing-untrust interfaces lt-0/0/0.5

    6. Create address book entries.

       [edit security]
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-internal address marketers 13.1.1.0/24
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address design 12.1.1.0/24
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address accounting 14.1.1.0/24
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address others 12.12.1.0/24
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address-set otherlsys address design
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address-set otherlsys address accounting

    7. Attach address books to zones.

       [edit security]
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-internal attach zone ls-marketing-trust
       lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external attach zone ls-marketing-untrust

    8. Configure a security policy that permits traffic from the ls-marketing-trust zone to the ls-marketing-untrust zone.

       [edit security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust]
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys match source-address marketers
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys match destination-address otherlsys
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys match application any
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys then permit

    9. Configure a security policy that permits traffic from the ls-marketing-untrust zone to the ls-marketing-trust zone.

       [edit security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust]
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys match source-address otherlsys
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys match destination-address marketers
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys match application any
       lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys then permit

    Results

    From configuration mode, confirm your configuration by entering the show routing-instances and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    lsmarketingadmin1@host:ls-marketing-dept# show routing-instances
    mk-vr1 {
        instance-type virtual-router;
        interface ge-0/0/6.1;
        interface lt-0/0/0.5;
        routing-options {
            static {
                route 12.1.1.0/24 next-hop 10.0.1.2;
                route 14.1.1.0/24 next-hop 10.0.1.4;
                route 12.12.1.0/24 next-hop 10.0.1.1;
            }
        }
    }
    lsmarketingadmin1@host:ls-marketing-dept# show security
    address-book {
        marketing-external {
            address design 12.1.1.0/24;
            address accounting 14.1.1.0/24;
            address others 12.12.1.0/24;
            address-set otherlsys {
                address design;
                address accounting;
            }
            attach {
                zone ls-marketing-untrust;
            }
        }
        marketing-internal {
            address marketers 13.1.1.0/24;
            attach {
                zone ls-marketing-trust;
            }
        }
    }
    policies {
        from-zone ls-marketing-trust to-zone ls-marketing-untrust {
            policy permit-all-to-otherlsys {
                match {
                    source-address marketers;
                    destination-address otherlsys;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ls-marketing-untrust to-zone ls-marketing-trust {
            policy permit-all-from-otherlsys {
                match {
                    source-address otherlsys;
                    destination-address marketers;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone ls-marketing-trust {
            interfaces {
                ge-0/0/6.1;
            }
        }
        security-zone ls-marketing-untrust {
            interfaces {
                lt-0/0/0.5;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.

    Configuring the ls-accounting-dept User Logical System

    CLI Quick Configuration

    To quickly configure this section of the example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, and then copy and paste the commands into the CLI at the [edit] hierarchy level.

    set interfaces ge-0/0/7 unit 1 family inet address 14.1.1.1/24
    set interfaces ge-0/0/7 unit 1 vlan-id 900
    set routing-instances acct-vr1 instance-type virtual-router
    set routing-instances acct-vr1 interface ge-0/0/7.1
    set routing-instances acct-vr1 interface lt-0/0/0.7
    set routing-instances acct-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
    set routing-instances acct-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
    set routing-instances acct-vr1 routing-options static route 13.1.1.0/24 next-hop 10.0.1.3
    set security address-book accounting-internal address accounting 14.1.1.0/24
    set security address-book accounting-internal attach zone ls-accounting-trust
    set security address-book accounting-external address design 12.1.1.0/24
    set security address-book accounting-external address marketing 13.1.1.0/24
    set security address-book accounting-external address others 12.12.1.0/24
    set security address-book accounting-external address-set otherlsys address design
    set security address-book accounting-external address-set otherlsys address marketing
    set security address-book accounting-external attach zone ls-accounting-untrust
    set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys match source-address accounting
    set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys match destination-address otherlsys
    set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys match application any
    set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys then permit
    set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys match source-address otherlsys
    set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys match destination-address accounting
    set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys match application any
    set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys then permit
    set security zones security-zone ls-accounting-trust interfaces ge-0/0/7.1
    set security zones security-zone ls-accounting-untrust interfaces lt-0/0/0.7

    Step-by-Step Procedure

    The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

    To configure a user logical system:

    1. Log in to the user logical system as the logical system administrator and enter configuration mode.

       lsaccountingadmin1@host:ls-accounting-dept> configure
       lsaccountingadmin1@host:ls-accounting-dept#

    2. Configure the logical interface for the user logical system.

       [edit interfaces]
       lsaccountingadmin1@host:ls-accounting-dept# set ge-0/0/7 unit 1 family inet address 14.1.1.1/24
       lsaccountingadmin1@host:ls-accounting-dept# set ge-0/0/7 unit 1 vlan-id 900

    3. Configure the routing instance and assign interfaces.

       [edit routing-instances]
       lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 instance-type virtual-router
       lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 interface ge-0/0/7.1
       lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 interface lt-0/0/0.7

    4. Configure static routes.

       [edit routing-instances]
       lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
       lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 routing-options static route 13.1.1.0/24 next-hop 10.0.1.3
       lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1

    5. Configure security zones and assign interfaces to each zone.

       [edit security zones]
       lsaccountingadmin1@host:ls-accounting-dept# set security-zone ls-accounting-trust interfaces ge-0/0/7.1
       lsaccountingadmin1@host:ls-accounting-dept# set security-zone ls-accounting-untrust interfaces lt-0/0/0.7

    6. Create address book entries.

       [edit security]
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-internal address accounting 14.1.1.0/24
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address design 12.1.1.0/24
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address marketing 13.1.1.0/24
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address others 12.12.1.0/24
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address-set otherlsys address design
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address-set otherlsys address marketing

    7. Attach address books to zones.

       [edit security]
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-internal attach zone ls-accounting-trust
       lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external attach zone ls-accounting-untrust

    8. Configure a security policy that permits traffic from the ls-accounting-trust zone to the ls-accounting-untrust zone.

       [edit security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust]
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys match source-address accounting
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys match destination-address otherlsys
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys match application any
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys then permit

    9. Configure a security policy that permits traffic from the ls-accounting-untrust zone to the ls-accounting-trust zone.

       [edit security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust]
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys match source-address otherlsys
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys match destination-address accounting
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys match application any
       lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys then permit

    Results

    From configuration mode, confirm your configuration by entering the show routing-instances and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

    lsaccountingadmin1@host:ls-accounting-dept# show routing-instances
    acct-vr1 {
        instance-type virtual-router;
        interface ge-0/0/7.1;
        interface lt-0/0/0.7;
        routing-options {
            static {
                route 12.12.1.0/24 next-hop 10.0.1.1;
                route 12.1.1.0/24 next-hop 10.0.1.2;
                route 13.1.1.0/24 next-hop 10.0.1.3;
            }
        }
    }
    lsaccountingadmin1@host:ls-accounting-dept# show security
    address-book {
        accounting-internal {
            address accounting 14.1.1.0/24;
            attach {
                zone ls-accounting-trust;
            }
        }
        accounting-external {
            address design 12.1.1.0/24;
            address marketing 13.1.1.0/24;
            address others 12.12.1.0/24;
            address-set otherlsys {
                address design;
                address marketing;
            }
            attach {
                zone ls-accounting-untrust;
            }
        }
    }
    policies {
        from-zone ls-accounting-trust to-zone ls-accounting-untrust {
            policy permit-all-to-otherlsys {
                match {
                    source-address accounting;
                    destination-address otherlsys;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone ls-accounting-untrust to-zone ls-accounting-trust {
            policy permit-all-from-otherlsys {
                match {
                    source-address otherlsys;
                    destination-address accounting;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone ls-accounting-trust {
            interfaces {
                ge-0/0/7.1;
            }
        }
        security-zone ls-accounting-untrust {
            interfaces {
                lt-0/0/0.7;
            }
        }
    }

    If you are done configuring the device, enter commit from configuration mode.
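    The two quick configurations above express a small set of invariants that the tables make explicit but that are tedious to verify by eye once a logical system grows: every interface bound to a zone must belong to the logical system's routing instance, every address a policy names must exist in the address book attached to that policy's from-zone (source) or to-zone (destination), and every address book entry should be reachable by some policy. The script below is an added example for this page, not Juniper code and not part of the original documentation. It parses the ls-marketing-dept quick configuration exactly as listed above and reports violations of those invariants; it assumes zone-attached address books as used in this example, and it reports application any as a review item because both policies here are intentionally broad. On the page's configuration it finds no errors and three warnings: application any on both policies, and the address others, which is defined but is not a member of otherlsys and so is never matched by either policy.

```python
"""Offline consistency audit of an SRX user logical system written in
Junos 'set' form. Added example, not Juniper code. Assumes zone-attached
address books: a policy's source-address must resolve in the book attached
to its from-zone and its destination-address in the to-zone's book."""
from collections import defaultdict

# The ls-marketing-dept quick configuration from the page, one command per line.
MARKETING = """
set interfaces ge-0/0/6 unit 1 family inet address 13.1.1.1/24
set interfaces ge-0/0/6 unit 1 vlan-id 800
set routing-instances mk-vr1 instance-type virtual-router
set routing-instances mk-vr1 interface ge-0/0/6.1
set routing-instances mk-vr1 interface lt-0/0/0.5
set routing-instances mk-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
set routing-instances mk-vr1 routing-options static route 14.1.1.0/24 next-hop 10.0.1.4
set routing-instances mk-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
set security zones security-zone ls-marketing-trust interfaces ge-0/0/6.1
set security zones security-zone ls-marketing-untrust interfaces lt-0/0/0.5
set security address-book marketing-external address design 12.1.1.0/24
set security address-book marketing-external address accounting 14.1.1.0/24
set security address-book marketing-external address others 12.12.1.0/24
set security address-book marketing-external address-set otherlsys address design
set security address-book marketing-external address-set otherlsys address accounting
set security address-book marketing-external attach zone ls-marketing-untrust
set security address-book marketing-internal address marketers 13.1.1.0/24
set security address-book marketing-internal attach zone ls-marketing-trust
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match source-address marketers
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match destination-address otherlsys
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match application any
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys then permit
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match source-address otherlsys
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match destination-address marketers
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match application any
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys then permit
"""


def parse(set_text):
    """Reduce the 'set' commands to the relations the audit needs."""
    cfg = {"ri_ifaces": set(), "zone_ifaces": defaultdict(set),
           "addrs": defaultdict(set), "sets": defaultdict(dict),
           "book_zone": {}, "policies": {}}
    for line in set_text.strip().splitlines():
        t = line.split()
        if not t:
            continue
        if t[1] == "routing-instances" and t[3] == "interface":
            cfg["ri_ifaces"].add(t[4])
        elif t[1:3] == ["security", "zones"] and t[5] == "interfaces":
            cfg["zone_ifaces"][t[4]].add(t[6])
        elif t[1:3] == ["security", "address-book"]:
            book, kind = t[3], t[4]
            if kind == "address":            # address NAME PREFIX
                cfg["addrs"][book].add(t[5])
            elif kind == "address-set":      # address-set NAME address MEMBER
                cfg["sets"][book].setdefault(t[5], set()).add(t[7])
            elif kind == "attach":           # attach zone ZONE
                cfg["book_zone"][book] = t[6]
        elif t[1:3] == ["security", "policies"]:
            m = cfg["policies"].setdefault((t[4], t[6], t[8]), {})
            if t[9] == "match":              # match FIELD VALUE
                m[t[10]] = t[11]
            else:                            # then permit|deny|reject
                m["action"] = t[10]
    return cfg


def audit(set_text):
    """Return {'errors': [...], 'warnings': [...]}. Errors are mistakes that
    break or silently widen the design; warnings are items to review."""
    cfg = parse(set_text)
    errors, warnings, used = [], [], defaultdict(set)
    zone_book = {zone: book for book, zone in cfg["book_zone"].items()}
    for zone, ifaces in cfg["zone_ifaces"].items():
        for i in sorted(ifaces - cfg["ri_ifaces"]):
            errors.append(f"zone {zone}: {i} is not in the lsys routing instance")
    for (fz, tz, name), m in cfg["policies"].items():
        tag = f"{fz}->{tz} {name}"
        for zone, field in ((fz, "source-address"), (tz, "destination-address")):
            ref, book = m.get(field), zone_book.get(zone)
            if ref in (None, "any"):
                warnings.append(f"{tag}: {field} is {ref or 'missing'}")
            elif book is None or not (ref in cfg["addrs"][book] or ref in cfg["sets"][book]):
                errors.append(f"{tag}: {field} {ref} is not in the book attached to {zone}")
            else:   # record the concrete addresses this policy can match
                used[book] |= cfg["sets"][book].get(ref, {ref})
        if m.get("application", "any") == "any":
            warnings.append(f"{tag}: application any")
    for book, addrs in cfg["addrs"].items():
        for a in sorted(addrs - used[book]):
            warnings.append(f"{book}: address {a} is not used by any policy")
    return {"errors": errors, "warnings": warnings}


if __name__ == "__main__":
    for level, items in audit(MARKETING).items():
        for item in items:
            print(f"{level.upper()}: {item}")
```

    Run it with python3 to print the report for the marketing configuration; to audit ls-accounting-dept, paste its quick configuration into the same form. The unused-address warning is the one worth acting on in practice: an address that no policy references is either dead configuration or a sign that an intended policy was never written, and on an SRX device any traffic it would have covered falls to the default policy.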

    Verification

    To confirm that the configuration is working properly, perform these tasks:

    Verifying Policy Configuration

    Purpose

    Verify information about policies and rules.

    Action

    From operational mode, logged in as the logical system administrator, enter the show security policies detail command to display a summary of all policies configured on that logical system. Confirm that only the two permit policies from the tables appear and that the source and destination addresses resolve to the expected prefixes.

    Published: 2012-06-29