Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Primary Logical Systems Overview

Learn about the overview of primary logical systems and primary administrator role.

The primary logical system creates user logical systems, configures their security resources, and assigns logical interfaces to them. For more information, see the following topics:

Primary Logical Systems and the Primary Administrator Role

When you initialize a device with logical systems as the primary administrator, a primary logical system is created at the root level. You can log in to the device as root and change the root password. By default, all system resources are assigned to the primary logical system, and the primary administrator allocates them to the user logical systems.

The primary administrator manages the device, all logical systems, and resources of the primary logical system.

The primary administrator’s role and main responsibilities include:

  • Create user logical systems and configure their administrators. You can create multiple user logical system administrators for each user logical system.

  • Create login accounts for all users and assign them to the appropriate logical systems.

  • Configure an interconnect logical system to enable communication between logical systems on the device. It functions as an internal switch and does not require an administrator.

    To configure an interconnect logical system, you configure lt-0/0/0 interfaces between the interconnect logical system and each logical system. These peer interfaces effectively allow for establishment of tunnels.

  • Configure security profiles to allocate portions of the system’s security resources to both user logical systems and the primary logical system.

    A user logical system administrator can configure interface, routing, and security resources allocated to their logical system.

    Only the primary administrator can create, change, and delete security profiles and bind them to logical systems.

  • Create logical interfaces and assign them to user logical systems. The user logical system administrator then configures the interfaces assigned to their system.

  • View, manage, and delete user logical systems as required. When a user logical system is deleted, its reserved resources become available for other logical systems.

  • Configure IDP, AppTrack, application identification, and application firewall features.

    The primary administrator can run trace and debug at the root level and roll back commits. It also manages the primary logical system and can configure the same features as a logical system administrator for their own logical systems, including:

    • Routing instances

    • Static routes

    • Dynamic routing protocols

    • Zones

    • Security policies

    • Screens

    • Firewall authentication.

Logical Systems Primary Administrator Configuration Tasks Overview

This topic describes the primary administrator’s tasks in the order in which they are performed.

A device with logical systems is managed by a primary administrator, who has the same capabilities as the root administrator on a device without logical systems. However, their role extends further, as they manage discrete logical systems with unique resources, configurations, and management concerns. The primary administrator creates and provisions these user logical systems.

For an overview of the primary administrator’s role and responsibilities, see Understanding the Primary Logical Systems and the Primary Administrator Role.

As the primary administrator, you perform the following tasks to configure a security device running logical systems:

  1. Configure a root password.

    The primary administrator can initially log in as the root user without a password. After logging in, define a root password for later use.

    See Example: Configuring Root Password for Logical Systems for configuration information.

  2. Create user logical systems along with their administrators and users. You can also create an interconnect logical system if needed.

    For each user logical system, create the system, assign one or more administrators, and add users.

    The primary administrator configures login accounts for user logical system administrators and users and associates them with the user logical system. A user logical system can have multiple administrators. The primary administrator must define and add all administrators to their systems.

    The primary administrator adds users to user logical systems on behalf of the user logical system administrator. For example, after creating a logical system for a department, the primary administrator creates the required user accounts and assigns them to that system. User logical system administrators cannot create users; they provide the required details for the accounts to be added.

  3. Configure one or more security profiles.

    Security profiles assign security resources to logical systems. You can use one profile for multiple logical systems if they need the same resources.

  4. Configure interfaces, routing instances, and static routes for logical systems, as appropriate.
    • If you plan to use an interconnect logical system, configure its logical tunnel interfaces and add them to its virtual routing instance.

    • Configure interfaces for the primary logical system. Optionally, create its logical tunnel interface to allow it to communicate with other logical systems on the device. Create a virtual routing instance for the primary logical system and add its interfaces and static routes to it. Also configure logical interfaces for user logical systems with VLAN tagging.

      The primary administrator assigns interfaces to user logical system administrators. These administrators are responsible for configuring their interfaces.

    • Optionally, configure logical tunnel interfaces for any user logical systems that you want to allow to communicate with one another using the internal VPLS switch. VPLS is a virtual private network (VPN) technology. It allows point-to-point layer 2 tunnels connectivity.

      By creating a VPLS type routing-instance (RI), we define a VPLS switch. VPLS switch behaves like a L2 ethernet switch. We assign multiple LT IFLs to the VPLS switch. Each LT IFL have encapsulation ethernet-vpls and this behaves as L2 switch port. To connect to the VPLS switch, each logical system creates a LT IFL and assigns to a port of the VPLS switch.

      It is not necessary to define a dedicated interconnect logical system for including VPLS switch. For ease, VPLS switch is defined in root logical system. This approach is enabled by configuring multiple VPLS switches and LT IFLs per logical system.

      When one LT logical interface connects to a VPLS switch, the routing engine assigns VPLS switch unique MAC address from MAC address pool of the LT interface. This determines the number of LT IFLs that connect a VPLS switch.

  5. Enable CPU utilization control and configure the CPU control target and reserved CPU quotas for logical systems. See Example: Configuring CPU Utilization (Primary Administrators Only).
  6. Optionally, configure dynamic routing protocols for the primary logical system. See Example: Configuring OSPF Routing Protocol for the Primary Logical Systems
  7. Configure zones, security policies, and security features for the primary logical system. See Example: Configuring Security Features for the Primary Logical Systems.
  8. Configure IDP for the primary logical system. See Example: Configuring an IDP Policy for the Primary Logical Systems.
  9. Configure application firewall services on the primary logical system. See Understanding Logical Systems Application Firewall Services and Example: Configuring Application Firewall Services for a Primary Logical Systems.
  10. Configure a route-based VPN to secure traffic between a logical system and a remote site. See Example: Configuring IKE and IPsec SAs for a VPN Tunnel (Primary Administrators Only).

Example: Configure Multiple VPLS Switches and LT Interfaces for Logical Systems

This example shows how to interconnect multiple logical systems. This is achieved by configuring multiple logical systems with a Logical Tunnel (LT) interface point-to-point connection (Encapsulation Ethernet, Encapsulation Frame-Relay and Virtual Private LAN Service switch). More than one LT interface under a logical system and multiple VPLS switches are configured to pass the traffic without leaving a security device. The frame-relay encapsulation adds data-link connection identifier (DLCI) information to the given frame.

Requirements

This example uses any supported security device running Junos OS with logical system.

Before you begin:

Overview

In this example, we configure multiple LT interfaces and multiple VPLS switches under one logical system.

In this example, we also configure interconnect multiple logical systems with LT interface point-to point connection (Encapsulation Ethernet and Encapsulation Frame-Relay).

Figure 1 shows the topology for interconnecting logical systems.

Figure 1: Configure the interconnect logical systems SRX Series device network topology with VPLS connecting logical systems LSYS1, LSYS2, and LSYS3 using logical tunnel interfaces.

Table 1 describes the logical system interconnect configuration overview.

Table 1: Logical System Interconnect Configuration
Scenario Encapsulation Type Interfaces Configured Key Configuration Details
Point-to-point interconnect logical systems Ethernet lt-0/0/0 and corresponding peer interfaces Configure security zones, assign interfaces to logical systems, and apply a security profile
Point-to-point interconnect logical systems Frame-relay lt-0/0/0 and corresponding peer interfaces Configure security zones, assign interfaces to logical systems, and apply a security profile
Interconnect logical systems with multiple VPLS switches Ethernet-VPLS lt-0/0/0 and corresponding peer interfaces Assign security profiles and configure routing instances for VPLS switch-1 and switch-2

Configuration

To configure interfaces for the logical system, perform these tasks:

Configure Logical Systems Interconnect with Logical Tunnel Interface point-to-point connection (Encapsulation Ethernet)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Define a security profile and assign to a logical system.

  2. Set the LT interface as encapsulation ethernet in the logical system.

  3. Configure a peer relationship for logical systems LSYS2.

  4. Specify the IP address for the LT interface.

  5. Set the security zone for the LT interface.

  6. Define a security profile and assign to a logical system.

  7. Set the LT interface as encapsulation ethernet in the logical system 2A.

  8. Configure a peer relationship for logical systems LSYS2A.

  9. Specify the IP address for the LT interface.

  10. Configure a security policy that permits traffic from the LT zone to the LT policy LT zone.

  11. Configure a security policy that permits traffic from default-policy.

  12. Configure security zones.

Results
  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2A command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure Logical Systems Interconnect with Logical Tunnel Interface point-to-point connection (Encapsulation Frame-Relay)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

  1. Define a security profile and assign to a logical system.

  2. Set the LT interface as encapsulation frame-relay in the logical system.

  3. Configure the logical tunnel interface by including the dlci.

  4. Configure a peer unit relationship between LT interfaces, thus creating a point-to-point connection.

  5. Specify the IP address for the LT interface.

  6. Set the security zone for the LT interface.

  7. Set the LT interface as encapsulation frame-relay in the logical system.

  8. Configure the logical tunnel interface by including the dlci.

  9. Configure a peer unit relationship between LT interfaces, thus creating a point-to-point connection.

  10. Specify the IP address for the LT interface.

  11. Configure a security policy that permits traffic from the LT zone to the LT policy LT zone.

  12. Configure a security policy that permits traffic from default-policy.

  13. Configure security zones.

Results
  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS3 commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS3A commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configure Logical Systems Interconnect with Multiple VPLS Switches

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

  1. Configure the lt-0/0/0 interfaces.

  2. Configure the routing instance for the VPLS switches and add interfaces to it.

  3. Configure LSYS1 with lt-0/0/0.1 interface and peer lt-0/0/0.11.

  4. Configure LSYS2 with lt-0/0/0.2 interface and peer lt-0/0/0.12.

  5. Configure LSYS3 with lt-0/0/0.3 interface and peer lt-0/0/0.13

  6. Configure LSYS2B with lt-0/0/0 interface and peer-unit 24.

  7. Assign security-profile for logical-systems.

Results
  • From configuration mode, confirm your configuration by entering the show interfaces lt-0/0/0, command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it

  • From configuration mode, confirm your configuration by entering the show routing-instances, command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS1, command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2, command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS3, command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2B, command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show system security-profile, command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verify the Security-Profile for all Logical-systems

Purpose

Verify security profile for each logical systems.

Action

From operational mode, enter the show system security-profile security-log-stream-number logical-system all command.

Meaning

The output provides the usage and reserved values for the logical systems when security-log-stream is configured.

Verify the LT Interfaces for all Logical systems

Purpose

Verify interfaces for logical systems.

Action

From operational mode, enter the show interfaces lt-0/0/0 terse command.

Meaning

The output provides the status of LT interfaces. All the LT interfaces are up.