Vsys Configurations in NSM Overview

A vsys is a virtual system that exists within a physical security device. By logically partitioning a single, physical security device into multiple virtual systems (each in its own domain), you can provide secure multitenant services. The physical device (known as the “root” device) shares some settings across all vsys, but each vsys also has its own unique settings. To enable the physical device to correctly route traffic to the appropriate vsys device, you must use VLAN tags at the vsys level or IP classification at the root level.

To add a vsys to the NSM system, you must first add a physical device that can contain vsys devices (NetScreen-500, 5000 line, ISG1000, and ISG2000 security devices support vsys), and then add each vsys to the physical device. An NSM administrator with full device configuration permissions can see both the root and vsys devices in a domain, but an administrator with only vsys permissions can see only the vsys devices in a domain. To create a secure, multitenant system, place the root device in the global domain and each vsys device in its own domain, and then assign vsys administrators to manage each domain. For details on adding a vsys, see “Adding Vsys Devices” in the Network and Security Manager Administration Guide.

After you have added or modeled a new root device and vsys to the NSM system, you must configure the vsys interfaces and subinterfaces, and any shared virtual routers and shared security zones on the root device. When importing an existing root device and vsys, NSM automatically imports the existing root and vsys settings from each device (physical and virtual).

The NetScreen 5000 line of security devices running ScreenOS 5.0 L2V also supports vsys transparent mode, also known as Layer 2 vsys, or L2V vsys. To create an L2V vsys, when modeling the root device into NSM, ensure that the mode is set to Transparent (for imported devices, you must enable Transparent mode on the physical device using the Web UI or CLI).
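
The placement, traffic-classification, and L2V rules from this overview can be written as a pre-deployment check over a planned layout. The following is an added example, not Juniper code or an NSM API; the plan format, field names, and sample values are hypothetical.

```python
# Added example: lint a planned root/vsys layout against this overview's rules.
# The plan format and field names are hypothetical; this is not an NSM API.
VSYS_CAPABLE = {"NetScreen-500", "NetScreen-5000 line", "ISG1000", "ISG2000"}

def check_vsys_plan(plan):
    """Return a list of findings; an empty list means no rule was violated."""
    root, findings, owners = plan["root"], [], {}
    if root["platform"] not in VSYS_CAPABLE:
        findings.append(f"root: {root['platform']} cannot contain vsys devices")
    if root["domain"] != "global":
        findings.append("root: device is not in the global domain")
    for v in plan["vsys"]:
        name, dom = v["name"], v["domain"]
        # Tenant isolation: each vsys sits in its own domain, apart from the root.
        if dom == "global":
            findings.append(f"{name}: placed in the global domain with the root")
        elif dom in owners:
            findings.append(f"{name}: shares domain {dom} with {owners[dom]}")
        else:
            owners[dom] = name
        # Traffic reaches a vsys via its VLAN tag or via root-level IP classification.
        if v.get("vlan_tag") is None and not root.get("ip_classification"):
            findings.append(f"{name}: no VLAN tag and no IP classification on root")
        # L2V vsys: NetScreen 5000 line only, root modeled in Transparent mode.
        if v.get("l2v"):
            if root["platform"] != "NetScreen-5000 line":
                findings.append(f"{name}: L2V needs a NetScreen 5000 line root")
            if root.get("mode") != "transparent":
                findings.append(f"{name}: L2V needs the root in Transparent mode")
    return findings

# Constructed sample plan (not taken from a real deployment).
SAMPLE_PLAN = {
    "root": {"platform": "ISG2000", "domain": "global", "mode": "route",
             "ip_classification": False},
    "vsys": [
        {"name": "tenant-a", "domain": "dom-a", "vlan_tag": 100},
        {"name": "tenant-b", "domain": "dom-a", "vlan_tag": None},
        {"name": "tenant-c", "domain": "dom-c", "vlan_tag": 300, "l2v": True},
    ],
}

if __name__ == "__main__":
    for finding in check_vsys_plan(SAMPLE_PLAN):
        print(finding)
```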

For more information about vsys, refer to the Concepts & Examples ScreenOS Reference Guide: Virtual Systems. For more information about how to configure transparent vsys, refer to the Juniper Networks New Features Guide for ScreenOS 5.0-L2V software.
