Logical systems on Junos are quite easy to configure. Their purpose is to partition one physical device into completely separate routers, each running its own routing daemon (rpd). The logical systems don’t talk to each other at all – if they need to communicate, you connect them together using physical or VLAN-tagged virtual interfaces, exactly as you would with separate boxes.
Unless I’m mistaken, the ability to create a user with control over a single logical system is not covered by the manual. I thought I’d write it up here, just in case it is of any use to anyone.
In the configuration below, I create two logical systems, EDGE and CORE, and a link between them that has a /30 subnet configured. The interconnect interfaces are in OSPF area 0, so an OSPF neighbour forms between the two logical systems.
set logical-systems EDGE interface ge-0/0/0 unit 0 description DMZ
set logical-systems EDGE interface ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set logical-systems EDGE interface ge-0/0/1 unit 0 description INTERCONNECT
set logical-systems EDGE interface ge-0/0/1 unit 0 family inet address 10.99.99.2/30
set logical-systems EDGE protocols ospf area 0.0.0.0 interface ge-0/0/0 passive
set logical-systems EDGE protocols ospf area 0.0.0.0 interface ge-0/0/1
set logical-systems CORE interface ge-0/0/2 unit 0 description LAN
set logical-systems CORE interface ge-0/0/2 unit 0 family inet address 10.2.2.1/24
set logical-systems CORE interface ge-0/0/3 unit 0 description INTERCONNECT
set logical-systems CORE interface ge-0/0/3 unit 0 family inet address 10.99.99.1/30
set logical-systems CORE protocols ospf area 0.0.0.0 interface ge-0/0/3
If you do a plain ‘show ospf neighbor’ you won’t see anything, because that command only looks at the main (default) system – you need to specify the logical system you are interested in, as follows:
root@R1# run show ospf neighbor logical-system EDGE
Address          Interface     State   ID          Pri  Dead
10.99.99.1       ge-0/0/1.0    Full    10.2.2.1    128  36
If you want to switch to the logical system, you simply type “set cli logical-system EDGE”, and to come back out of it, “clear cli logical-system”.
And finally, here’s how to create a user that only has control over the EDGE logical system. First create a custom login class that is bound to that logical system and carries the permissions you want, and then make a user based on that class:
set system login class EDGE-superuser logical-system EDGE
set system login class EDGE-superuser permissions all
set system login user USER1 uid 2000
set system login user USER1 class EDGE-superuser
set system login user USER1 authentication encrypted-password "$1$1jQ2LQ/A$U"
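As an added check (my own Python, not part of this post or of Junos), here is an audit of a ‘set’-format login stanza that flags every user whose class grants ‘permissions all’ without a logical-system restriction, i.e. accounts that control the whole device rather than one logical system. The sample configuration is constructed: it reuses the EDGE-superuser/USER1 lines above with a placeholder password hash and adds two unscoped accounts for contrast.

```python
from typing import Dict, List, Tuple
# Constructed sample: the post's EDGE-scoped login stanza, plus two
# unscoped accounts added here for contrast (not from the original config).
SAMPLE_CONFIG = """
set system login class EDGE-superuser logical-system EDGE
set system login class EDGE-superuser permissions all
set system login user USER1 uid 2000
set system login user USER1 class EDGE-superuser
set system login user USER1 authentication encrypted-password "$1$PLACEHOLDER"
set system login class global-super permissions all
set system login user USER2 uid 2001
set system login user USER2 class global-super
set system login user USER3 uid 2002
set system login user USER3 class super-user
"""

def parse_login(config: str) -> Tuple[Dict[str, dict], Dict[str, dict]]:
    """Collect classes (name -> logical-system, permissions) and users
    (name -> class) from 'set system login ...' lines."""
    classes: Dict[str, dict] = {}
    users: Dict[str, dict] = {}
    for line in config.splitlines():
        parts = line.split()
        if parts[:3] != ["set", "system", "login"] or len(parts) < 7:
            continue
        kind, name, key, value = parts[3], parts[4], parts[5], parts[6:]
        if kind == "class":
            entry = classes.setdefault(name, {"logical-system": None, "permissions": []})
            if key == "logical-system":
                entry["logical-system"] = value[0]
            elif key == "permissions":
                entry["permissions"].extend(value)
        elif kind == "user" and key == "class":
            users.setdefault(name, {})["class"] = value[0]
    return classes, users

def unscoped_superusers(config: str) -> List[str]:
    """Users whose class grants 'permissions all' with no logical-system
    restriction. The built-in super-user class is always unscoped."""
    classes, users = parse_login(config)
    flagged = []
    for user, info in users.items():
        cls = classes.get(info["class"])
        if info["class"] == "super-user" or (
            cls and "all" in cls["permissions"] and cls["logical-system"] is None
        ):
            flagged.append(user)
    return sorted(flagged)
```

Feed it the output of ‘show configuration | display set’ and an empty result means every superuser account is confined to a logical system.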
When USER1 logs in, he goes straight into the EDGE logical system – as denoted by the login prompt, which looks like this: