Junos logical systems, and logical system users

2 08 2010

Logical systems on Junos are quite easy to configure. Their purpose is to partition the device into completely separate routers, each running its own routing daemon (rpd). The systems don’t talk to each other at all – you connect them together using physical or vlan-tagged virtual interfaces if they need to communicate.

Unless I’m mistaken, the ability to create a user with control over a single logical system is not covered by the manual. I thought I’d write it up here, just in case it is of any use to anyone.

In the configuration below, I create two logical systems, and a link between them that has a /30 subnet configured. The interfaces are in OSPF area 0, so a neighbour gets formed between them.

set logical-systems EDGE interface ge-0/0/0 unit 0 description DMZ
set logical-systems EDGE interface ge-0/0/0 unit 0 family inet address 10.1.1.1/24
set logical-systems EDGE interface ge-0/0/1 unit 0 description INTERCONNECT
set logical-systems EDGE interface ge-0/0/1 unit 0 family inet address 10.99.99.2/30
set logical-systems EDGE protocols ospf area 0.0.0.0 interface ge-0/0/0 passive
set logical-systems EDGE protocols ospf area 0.0.0.0 interface ge-0/0/1
set logical-systems CORE interface ge-0/0/2 unit 0 description LAN
set logical-systems CORE interface ge-0/0/2 unit 0 family inet address 10.2.2.1/24
set logical-systems CORE interface ge-0/0/3 unit 0 description INTERCONNECT
set logical-systems CORE interface ge-0/0/3 unit 0 family inet address 10.99.99.1/30
set logical-systems CORE protocols ospf area 0.0.0.0 interface ge-0/0/3

If you do a ‘show ospf neighbor’ you won’t see anything – you need to specify the logical system you are interested in, as follows:

root@R1# run show ospf neighbor logical-system EDGE
 Address          Interface              State     ID               Pri  Dead
 10.99.99.1       ge-0/0/1.0             Full      10.2.2.1         128    36

If you want to switch to the logical system, you simply type “set cli logical-system EDGE”, and to come back out of it, “clear cli logical-system”.

And finally, here’s how to create a user that only has control over the EDGE logical system. First create a custom login class that is confined to that logical system and carries the required permissions, and then make a user based on that class:

set system login class EDGE-superuser logical-system EDGE
set system login class EDGE-superuser permissions all
set system login user USER1 uid 2000
set system login user USER1 class EDGE-superuser
set system login user USER1 authentication encrypted-password "$1$1jQ2LQ/A$U"

When USER1 logs in, he goes straight into the EDGE logical system – as denoted by the login prompt, which looks like this:

USER1@R1:EDGE>
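A small audit script, added here as an example and not part of the original post, that reads set-format Junos login configuration and shows which users end up confined to a logical system and which keep full-device control. It works on a constructed sample that combines the class and user lines above with two extra accounts (one on the predefined super-user class, one on a class pointing at a logical system that is never defined); the helper name and the “issue” wording are my own.

```python
import re

# Constructed sample: the post's login config plus two extra accounts
# (a built-in super-user and a class pointing at a missing logical system).
SAMPLE_CONFIG = """
set logical-systems EDGE interface ge-0/0/0 unit 0 description DMZ
set logical-systems CORE interface ge-0/0/2 unit 0 description LAN
set system login class EDGE-superuser logical-system EDGE
set system login class EDGE-superuser permissions all
set system login user USER1 uid 2000
set system login user USER1 class EDGE-superuser
set system login user admin class super-user
set system login class DMZ-only logical-system DMZ
set system login class DMZ-only permissions [ view view-configuration ]
set system login user ops class DMZ-only
"""

CLASS_LS = re.compile(r"^set system login class (\S+) logical-system (\S+)$")
CLASS_PERM = re.compile(r"^set system login class (\S+) permissions (.+)$")
USER_CLASS = re.compile(r"^set system login user (\S+) class (\S+)$")
LSYS = re.compile(r"^set logical-systems (\S+)\b")

# Junos predefined login classes; only super-user carries the 'all' permission.
BUILTIN = {"super-user": {"all"}, "read-only": {"view"}, "unauthorized": set(),
           "operator": {"clear", "network", "reset", "trace", "view"}}

def audit_login_scope(config):
    """Map each user to its class, logical-system scope, permissions and any issue."""
    lsys, scope, perms, users = set(), {}, {}, {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := LSYS.match(line):
            lsys.add(m.group(1))
        elif m := CLASS_LS.match(line):
            scope[m.group(1)] = m.group(2)
        elif m := CLASS_PERM.match(line):
            # 'permissions all' or 'permissions [ a b ]' -> set of permission flags
            perms.setdefault(m.group(1), set()).update(m.group(2).strip("[] ").split())
        elif m := USER_CLASS.match(line):
            users[m.group(1)] = m.group(2)
    report = {}
    for user, cls in users.items():
        p = perms.get(cls, BUILTIN.get(cls, set()))
        ls = scope.get(cls)
        if ls is None and "all" in p:
            issue = "unscoped superuser: full control of every logical system"
        elif ls is not None and ls not in lsys:
            issue = f"class scoped to undefined logical system {ls}"
        elif cls not in perms and cls not in BUILTIN:
            issue = "undefined login class"
        else:
            issue = None
        report[user] = {"class": cls, "logical_system": ls, "permissions": sorted(p), "issue": issue}
    return report

if __name__ == "__main__":
    for user, info in audit_login_scope(SAMPLE_CONFIG).items():
        print(f"{user:6} class={info['class']:15} ls={info['logical_system']} issue={info['issue']}")
```

Run it against a real `show configuration | display set` dump to list every account that still has unrestricted, box-wide access next to the ones confined to a single logical system.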

One response

2 08 2010
Bryce

Good to see you are starting to write a little more often! What are your thoughts on the SRX series platform? I am having a real hard time seeing the benefit of JunOS over the very mature netscreen SSG and ISG platforms currently.

Also, have you read the 2600 article on modifying proprietary JunOS code? I would never do it on a business device, but it looks fun to play with for my personal network devices that run JunOS.
