
    SRX Series Logical System Master Administrator Configuration Tasks Overview

    This topic identifies and describes the master administrator’s tasks in the order in which they are performed.

    An SRX Series device running logical systems is managed by a master administrator. The master administrator has the same capabilities as the root administrator of an SRX Series device not running logical systems. However, the master administrator’s role and responsibilities extend beyond those of other SRX Series device administrators because an SRX Series device running logical systems is partitioned into discrete logical systems, each with its own resources, configuration, and management concerns. The master administrator is responsible for creating these user logical systems and provisioning them with resources.

    For an overview of the master administrator’s role and responsibilities, see Understanding the Master Logical System and the Master Administrator Role.

    As the master administrator, you perform the following tasks to configure an SRX Series device running logical systems:

    1. Configure a root password. Initially the master administrator logs in to the device as the root user without needing to specify a password. After you log in to the device, you must define a root password for later use.

      See Example: Configuring a Root Password for the Device for configuration information.

    2. Create user logical systems and their administrators and users. Optionally, create an interconnect logical system.

      For each user logical system that you want to configure on the device, you must create a logical system and define one or more administrators for it.

      The master administrator configures login accounts for user logical system administrators and associates them with the user logical system. A user logical system can have more than one administrator; the master administrator must define all user logical system administrators and add them to their user logical systems.

      The master administrator adds users to user logical systems on behalf of the user logical system administrator. For example, if you have created a user logical system for the product design department, you must create user accounts for the users who belong to that department and associate them with the user logical system. The user logical system administrator does not have the ability to do this. Rather, the user logical system administrator tells you which user accounts you must create and add for that logical system.

      If you intend to use an internal virtual private LAN service (VPLS) switch to allow logical systems to communicate with one another, you must create an interconnect logical system. An interconnect logical system does not require an administrator.

    3. Configure one or more security profiles. Security profiles assign security resources to logical systems. You can assign a single security profile to more than one logical system if you intend to allocate the same kinds and amounts of resources to them.
    4. Configure interfaces, routing instances, and static routes for logical systems, as appropriate.
      • If you plan to use an interconnect logical system, configure its logical tunnel interfaces and add them to its virtual routing instance.
      • Configure interfaces for the master logical system. Optionally, create its logical tunnel interface to allow it to communicate with other logical systems on the device. Create a virtual routing instance for the master logical system and add its interfaces and static routes to it. Also configure logical interfaces for user logical systems with VLAN tagging.

        Note: The master administrator tells the user logical system administrators which interfaces are assigned to their logical systems. It is the user logical system administrator’s responsibility to configure their interfaces.

      • Optionally, configure logical tunnel interfaces for any user logical systems that you want to allow to communicate with one another using the internal VPLS switch.
    5. Enable CPU utilization control and configure the CPU control target and reserved CPU quotas for logical systems. See Example: Configuring CPU Utilization.
    6. Optionally, configure dynamic routing protocols for the master logical system. See Example: Configuring OSPF Routing Protocol for the Master Logical System.
    7. Configure zones, security policies, and security features for the master logical system. See Example: Configuring Security Features for the Master Logical System.
    8. Configure IDP for the master logical system. See Example: Configuring an IDP Policy for the Master Logical System.
    9. Configure application firewall services on the master logical system. See Understanding Logical System Application Firewall Services and Example: Configuring Application Firewall Services for a Master Logical System.
    10. Configure a route-based VPN to secure traffic between a logical system and a remote site. See Example: Configuring IKE and IPsec SAs for a VPN Tunnel.
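
The dependencies in steps 2 and 3 can be checked offline against an exported configuration. The following is an added example, not Juniper code: it audits a constructed `set`-format sample for user logical systems that have no administrator account or no security profile. The logical system, class, user and profile names are hypothetical, and treating a login class with `permissions all` as an administrator class, and a missing profile as a finding, are assumptions of this sketch.

```python
from collections import defaultdict

# Constructed sample configuration in Junos "set" format (all names hypothetical).
SAMPLE_CONFIG = """\
set logical-systems ls-product-design
set logical-systems ls-marketing
set logical-systems interconnect-logical-system
set system login class ls-design-admin logical-system ls-product-design
set system login class ls-design-admin permissions all
set system login class ls-design-user logical-system ls-product-design
set system login class ls-design-user permissions view
set system login user lsdesignadmin1 class ls-design-admin
set system login user lsdesignuser1 class ls-design-user
set system login class ls-mkt-admin logical-system ls-marketing
set system login class ls-mkt-admin permissions all
set system security-profile ls-design-profile logical-system ls-product-design
"""

# Assumed name of the interconnect logical system, which needs no administrator.
INTERCONNECT = "interconnect-logical-system"

def audit(config: str) -> dict:
    """Return {logical-system: [issues]} for user logical systems only."""
    bound, perms, members = {}, defaultdict(set), defaultdict(list)
    systems, profiled = set(), set()
    for line in config.splitlines():
        t = line.split()
        if t[:2] == ["set", "logical-systems"] and len(t) >= 3:
            systems.add(t[2])
        elif t[:4] == ["set", "system", "login", "class"] and len(t) >= 7:
            if t[5] == "logical-system":
                bound[t[4]] = t[6]          # class -> logical system
            elif t[5] == "permissions":
                perms[t[4]].add(t[6])       # class -> permission flags
        elif t[:4] == ["set", "system", "login", "user"] and t[5:6] == ["class"] and len(t) >= 7:
            members[t[6]].append(t[4])      # class -> login accounts
        elif t[:3] == ["set", "system", "security-profile"] and t[4:5] == ["logical-system"] and len(t) >= 6:
            profiled.add(t[5])
    findings = {}
    for ls in sorted(systems - {INTERCONNECT}):  # interconnect is not audited
        # Assumption: an administrator is a user in a class bound to this
        # logical system that carries "permissions all".
        admins = [u for c, target in bound.items()
                  if target == ls and "all" in perms[c] for u in members[c]]
        issues = [] if admins else ["no administrator account"]
        if ls not in profiled:
            issues.append("no security profile")
        if issues:
            findings[ls] = issues
    return findings
```

On the sample, `ls-marketing` is reported because its administrator class exists but no login account uses it and no security profile names it.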

    Published: 2012-06-29