Primary Logical Systems Overview

Primary logical systems can create a user logical system and configure the security resources of the user logical system. Primary logical systems assign the logical interfaces to the user logical systems. For more information, see the following topics:

Understanding the Primary Logical Systems and the Primary Administrator Role

When, as a primary administrator, you initialize an SRX Series Firewall running logical systems, a primary logical system is created at the root level. You can log in to the device as root and change the root password.

By default, all system resources are assigned to the primary logical system, and the primary administrator allocates them to the user logical systems.

As primary administrator, you manage the device and all its logical systems. You also manage the primary logical system and configure its assigned resources. There can be more than one primary administrator managing a device running logical systems.

  • The primary administrator’s role and main responsibilities include:

    • Creating user logical systems and configuring their administrators. You can create one or more user logical system administrators for each user logical system.

    • Creating login accounts for users for all logical systems and assigning them to the appropriate logical systems.

    • Configuring an interconnect logical system if you want to allow communication between logical systems on the device. The interconnect logical system acts as an internal switch. It does not require an administrator.

      To configure an interconnect logical system, you configure lt-0/0/0 interfaces between the interconnect logical system and each logical system. These peer interfaces effectively allow for establishment of tunnels.

    • Configuring security profiles to provision portions of the system’s security resources to user logical systems and the primary logical system.

      Only the primary administrator can create, change, and delete security profiles and bind them to logical systems.

      Note:

      A user logical system administrator can configure interface, routing, and security resources allocated to his logical system.

    • Creating logical interfaces to assign to user logical systems. (The user logical system administrator configures logical interfaces assigned to his logical system.)

    • Viewing and managing user logical systems, as required, and deleting user logical systems. When a user logical system is deleted, its allocated reserved resources are released for use by other logical systems.

    • Configuring IDP, AppTrack, application identification, and application firewall features. The primary administrator can also use trace and debug at the root level, and he can perform commit rollbacks. The primary administrator manages the primary logical system and configures all the features that a user logical system administrator can configure for his or her own logical systems including routing instances, static routes, dynamic routing protocols, zones, security policies, screens, and firewall authentication.

SRX Series Logical Systems Primary Administrator Configuration Tasks Overview

This topic describes the primary administrator’s tasks in the order in which they are performed.

An SRX Series Firewall running logical systems is managed by a primary administrator. The primary administrator has the same capabilities as the root administrator of an SRX Series Firewall not running logical systems. However, the primary administrator’s role and responsibilities extend beyond those of other SRX Series Firewall administrators because an SRX Series Firewall running logical systems is partitioned into discrete logical systems, each with its own resources, configuration, and management concerns. The primary administrator is responsible for creating these user logical systems and provisioning them with resources.

For an overview of the primary administrator’s role and responsibilities, see Understanding the Primary Logical Systems and the Primary Administrator Role.

As the primary administrator, you perform the following tasks to configure an SRX Series Firewall running logical systems:

  1. Configure a root password. Initially the primary administrator logs in to the device as the root user without needing to specify a password. After you log in to the device, you must define a root password for later use.

    See Example: Configuring Root Password for Logical Systems for configuration information.

  2. Create user logical systems and their administrators and users. Optionally, create an interconnect logical system.

    For each user logical system that you want to configure on the device, you must create a logical system, define one or more administrators for it, and add users to it.

    The primary administrator configures login accounts for user logical system administrators and users and associates them with the user logical system. A user logical system can have more than one administrator; the primary administrator must define all user logical system administrators and add them to their user logical systems.

    The primary administrator adds users to user logical systems on behalf of the user logical system administrator. For example, if you have created a user logical system for the product design department, you must create user accounts for the users who belong to that department and associate them with the user logical system. The user logical system administrator does not have the ability to do this. Rather, the user logical system administrator tells you which user accounts you must create and add for that logical system.

  3. Configure one or more security profiles. Security profiles assign security resources to logical systems. You can assign a single security profile to more than one logical system if you intend to allocate the same kinds and amounts of resources to them.
  4. Configure interfaces, routing instances, and static routes for logical systems, as appropriate.
    • If you plan to use an interconnect logical system, configure its logical tunnel interfaces and add them to its virtual routing instance.

    • Configure interfaces for the primary logical system. Optionally, create its logical tunnel interface to allow it to communicate with other logical systems on the device. Create a virtual routing instance for the primary logical system and add its interfaces and static routes to it. Also configure logical interfaces for user logical systems with VLAN tagging.

      Note:

      The primary administrator tells the user logical system administrators which interfaces are assigned to their logical systems. It is the user logical system administrator’s responsibility to configure their interfaces.

    • Optionally, configure logical tunnel interfaces for any user logical systems that you want to allow to communicate with one another using the internal VPLS switch. VPLS is a virtual private network (VPN) technology that provides point-to-point Layer 2 tunnel connectivity.

      Creating a routing instance (RI) of type VPLS defines a VPLS switch, which behaves like a Layer 2 Ethernet switch. Multiple LT logical interfaces (IFLs) are assigned to the VPLS switch; each such LT IFL uses encapsulation ethernet-vpls and behaves as a Layer 2 switch port. To connect to the VPLS switch, each logical system creates an LT IFL of its own and pairs it with one of the switch's ports.

      Starting with Junos OS Release 18.2R1, a dedicated interconnect logical system is no longer required to hold the VPLS switch. For simplicity, the VPLS switch is defined in the root logical system. This is made possible by support for multiple VPLS switches and multiple LT IFLs per logical system.

      When an LT logical interface connects to a VPLS switch, the Routing Engine assigns the VPLS switch a unique MAC address from the MAC address pool of the LT interface. The size of that pool determines how many LT IFLs can connect to a VPLS switch.

  5. Enable CPU utilization control and configure the CPU control target and reserved CPU quotas for logical systems. See Example: Configuring CPU Utilization (Primary Administrators Only).
  6. Optionally, configure dynamic routing protocols for the primary logical system. See Example: Configuring OSPF Routing Protocol for the Primary Logical Systems.
  7. Configure zones, security policies, and security features for the primary logical system. See Example: Configuring Security Features for the Primary Logical Systems.
  8. Configure IDP for the primary logical system. See Example: Configuring an IDP Policy for the Primary Logical Systems.
  9. Configure application firewall services on the primary logical system. See Understanding Logical Systems Application Firewall Services and Example: Configuring Application Firewall Services for a Primary Logical Systems.
  10. Configure a route-based VPN to secure traffic between a logical system and a remote site. See Example: Configuring IKE and IPsec SAs for a VPN Tunnel (Primary Administrators Only).
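The following set commands are an added illustration of steps 1 through 3 above for a single user logical system; they are not one of the example topics this page refers to. The names LSYS-DESIGN, LSYS-DESIGN-admin, lsys-design-admin, LSYS-DESIGN-user, design-user1 and SP-DESIGN, and the resource limits in the security profile, are assumed values chosen for the example. Lines beginning with # are explanatory comments and are not part of the configuration.

```junos
# Added example; all names and limits below are constructed placeholders.

# Step 1: set a root password immediately after the initial password-less login.
# plain-text-password prompts interactively, so enter this line on its own.
set system root-authentication plain-text-password

# Step 2: create the user logical system. An empty stanza is enough; the
# interfaces it will own are assigned later by the primary administrator.
set logical-systems LSYS-DESIGN

# Step 2 (continued): a login class bound to the logical system. The
# "logical-system" attribute confines every user of the class to LSYS-DESIGN;
# only the primary administrator can create these accounts.
set system login class LSYS-DESIGN-admin logical-system LSYS-DESIGN permissions all
set system login user lsys-design-admin class LSYS-DESIGN-admin
set system login user lsys-design-admin authentication plain-text-password

# Ordinary users of the same logical system get a view-only class, so they can
# inspect but not change the logical system's configuration.
set system login class LSYS-DESIGN-user logical-system LSYS-DESIGN permissions view
set system login user design-user1 class LSYS-DESIGN-user
set system login user design-user1 authentication plain-text-password

# Step 3: a security profile caps what the logical system may consume.
# "reserved" is guaranteed to it; "maximum" is the ceiling it can reach by
# drawing on the shared global pool. Without a profile the logical system
# cannot use security resources at all.
set system security-profile SP-DESIGN policy maximum 200 reserved 100
set system security-profile SP-DESIGN zone maximum 20 reserved 10
set system security-profile SP-DESIGN flow-session maximum 50000 reserved 10000
set system security-profile SP-DESIGN security-log-stream-number maximum 2 reserved 1
set system security-profile SP-DESIGN logical-system LSYS-DESIGN
```

Keep reserved totals across all profiles within the device's global capacity; a reserved quota that cannot be honoured fails at commit. The view-only class is the least-privilege choice for users who only need to look at their logical system.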

Example: Configuring Multiple VPLS Switches and LT Interfaces for Logical Systems

This example shows how to interconnect multiple logical systems. This is achieved by configuring multiple logical systems with a Logical Tunnel (LT) interface point-to-point connection (Encapsulation Ethernet, Encapsulation Frame-Relay and Virtual Private LAN Service switch). More than one LT interface under a logical system and multiple VPLS switches are configured to pass the traffic without leaving an SRX Series Firewall. The frame-relay encapsulation adds data-link connection identifier (DLCI) information to the given frame.

Requirements

This example uses an SRX Series Firewall running Junos OS with logical systems configured.

Before you begin:

Overview

In this example, we configure multiple LT interfaces and multiple VPLS switches under one logical system.

This example also interconnects multiple logical systems with LT interface point-to-point connections (Ethernet encapsulation and frame-relay encapsulation).

Figure 1 shows the topology for interconnecting logical systems.

Figure 1: Configuring the interconnect logical systems
  • For the interconnect logical system with an LT interface point-to-point connection (Ethernet encapsulation), the example configures logical tunnel interfaces lt-0/0/0, configures security zones, and assigns interfaces to the logical systems.

    The interconnect logical systems lt-0/0/0 interfaces are configured with Ethernet as the encapsulation type. The corresponding peer lt-0/0/0 interfaces in the logical systems are configured with Ethernet as the encapsulation type. A security profile is assigned to the logical systems.

  • For the interconnect logical systems with an LT interface point-to-point connection (frame-relay encapsulation), this example configures logical tunnel interfaces lt-0/0/0, configures security zones, and assigns interfaces to the logical systems.

    The interconnect logical systems lt-0/0/0 interfaces are configured with frame-relay as the encapsulation type. The corresponding peer lt-0/0/0 interfaces in the logical systems are configured with frame-relay as the encapsulation type. A security profile is assigned to the logical systems.

  • For interconnect logical systems with multiple VPLS switches, this example configures logical tunnel interfaces lt-0/0/0 with ethernet-vpls as the encapsulation type. The corresponding peer lt-0/0/0 interfaces and security-profiles are assigned to the logical systems. The routing instance for the VPLS switch-1 and VPLS switch-2 are also assigned to the logical systems.

    Figure 2 shows the topology for interconnect logical systems with VPLS switches.

    Figure 2: Configuring the interconnect logical systems with VPLS switches
    Note:

    Multiple LT interfaces can be configured within a logical system.

Configuration

To configure interfaces for the logical system, perform these tasks:

Configuring Logical Systems Interconnect with Logical Tunnel Interface point-to-point connection (Encapsulation Ethernet)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

  1. Define a security profile and assign it to a logical system.

  2. Set the LT interface as encapsulation ethernet in the logical system.

  3. Configure a peer relationship for logical systems LSYS2.

  4. Specify the IP address for the LT interface.

  5. Set the security zone for the LT interface.

  6. Define a security profile and assign it to a logical system.

  7. Set the LT interface as encapsulation ethernet in the logical system 2A.

  8. Configure a peer relationship for logical systems LSYS2A.

  9. Specify the IP address for the LT interface.

  10. Configure a security policy (LT) that permits traffic from the LT zone to the LT zone.

  11. Configure the default policy (default-policy) to permit traffic.

  12. Configure security zones.
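The following set commands are added here as an illustration of steps 1 through 12 for the two logical systems LSYS2 and LSYS2A; they are not the page's own CLI Quick Configuration. The unit numbers, addresses, profile limits and the names SP2, LT-ZONE and LT-POLICY are assumed values. Step 11 of the procedure sets the default policy to permit; this example uses deny-all instead, so that only traffic matching LT-POLICY crosses the tunnel. Lines beginning with # are explanatory comments and are not part of the configuration.

```junos
# Added example; unit numbers, addresses and names are constructed placeholders.

# Steps 1 and 6: one security profile bound to both logical systems.
set system security-profile SP2 policy maximum 100 reserved 50
set system security-profile SP2 zone maximum 10 reserved 2
set system security-profile SP2 logical-system LSYS2
set system security-profile SP2 logical-system LSYS2A

# Steps 2-5: LSYS2 end of the point-to-point logical tunnel.
# Unit numbers on lt-0/0/0 are global to the physical interface, so they must
# be unique across every logical system that uses it.
set logical-systems LSYS2 interfaces lt-0/0/0 unit 2 encapsulation ethernet
set logical-systems LSYS2 interfaces lt-0/0/0 unit 2 peer-unit 21
set logical-systems LSYS2 interfaces lt-0/0/0 unit 2 family inet address 10.0.2.1/30
set logical-systems LSYS2 security zones security-zone LT-ZONE interfaces lt-0/0/0.2
set logical-systems LSYS2 security zones security-zone LT-ZONE host-inbound-traffic system-services ping

# Steps 7-9: LSYS2A end. The two peer-unit values must reference each other
# (2 <-> 21); a one-sided peer-unit leaves the tunnel down.
set logical-systems LSYS2A interfaces lt-0/0/0 unit 21 encapsulation ethernet
set logical-systems LSYS2A interfaces lt-0/0/0 unit 21 peer-unit 2
set logical-systems LSYS2A interfaces lt-0/0/0 unit 21 family inet address 10.0.2.2/30
set logical-systems LSYS2A security zones security-zone LT-ZONE interfaces lt-0/0/0.21
set logical-systems LSYS2A security zones security-zone LT-ZONE host-inbound-traffic system-services ping

# Steps 10-12: an explicit intrazone policy plus a deny-all default in LSYS2.
# Intrazone traffic is not permitted implicitly, so LT-POLICY is required.
set logical-systems LSYS2 security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY match source-address any
set logical-systems LSYS2 security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY match destination-address any
set logical-systems LSYS2 security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY match application any
set logical-systems LSYS2 security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY then permit
set logical-systems LSYS2 security policies default-policy deny-all

# LSYS2A mirrors the policy so return traffic is also governed explicitly.
set logical-systems LSYS2A security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY match source-address any
set logical-systems LSYS2A security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY match destination-address any
set logical-systems LSYS2A security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY match application any
set logical-systems LSYS2A security policies from-zone LT-ZONE to-zone LT-ZONE policy LT-POLICY then permit
set logical-systems LSYS2A security policies default-policy deny-all
```

After committing, show interfaces lt-0/0/0 terse should list units 2 and 21 as up; a ping between 10.0.2.1 and 10.0.2.2 from within either logical system confirms both the tunnel and the policy.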

Results
  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2A command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Logical Systems Interconnect with Logical Tunnel Interface point-to-point connection (Encapsulation Frame-Relay)

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

  1. Define a security profile and assign it to a logical system.

  2. Set the LT interface as encapsulation frame-relay in the logical system.

  3. Configure the logical tunnel interface by including the dlci.

  4. Configure a peer unit relationship between LT interfaces, thus creating a point-to-point connection.

  5. Specify the IP address for the LT interface.

  6. Set the security zone for the LT interface.

  7. Set the LT interface as encapsulation frame-relay in the logical system.

  8. Configure the logical tunnel interface by including the dlci.

  9. Configure a peer unit relationship between LT interfaces, thus creating a point-to-point connection.

  10. Specify the IP address for the LT interface.

  11. Configure a security policy (LT) that permits traffic from the LT zone to the LT zone.

  12. Configure the default policy (default-policy) to permit traffic.

  13. Configure security zones.
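The following set commands are added here to illustrate steps 1 through 13 for LSYS3 and LSYS3A with frame-relay encapsulation; they are not the page's own CLI Quick Configuration. The unit numbers, the DLCI value 100, the addresses and the names SP3, FR-ZONE and FR-POLICY are assumed. Both peer units carry the same DLCI, which is what makes the point-to-point circuit match. Lines beginning with # are explanatory comments and are not part of the configuration.

```junos
# Added example; unit numbers, DLCI, addresses and names are constructed placeholders.

# Step 1: security profile bound to both logical systems.
set system security-profile SP3 policy maximum 100 reserved 50
set system security-profile SP3 zone maximum 10 reserved 2
set system security-profile SP3 logical-system LSYS3
set system security-profile SP3 logical-system LSYS3A

# Steps 2-6: LSYS3 end. The DLCI is the frame-relay circuit identifier carried
# in each frame; the peer unit must be configured with the same value.
set logical-systems LSYS3 interfaces lt-0/0/0 unit 3 encapsulation frame-relay
set logical-systems LSYS3 interfaces lt-0/0/0 unit 3 dlci 100
set logical-systems LSYS3 interfaces lt-0/0/0 unit 3 peer-unit 31
set logical-systems LSYS3 interfaces lt-0/0/0 unit 3 family inet address 10.0.3.1/30
set logical-systems LSYS3 security zones security-zone FR-ZONE interfaces lt-0/0/0.3
set logical-systems LSYS3 security zones security-zone FR-ZONE host-inbound-traffic system-services ping

# Steps 7-10: LSYS3A end, peer-unit pointing back at unit 3, same DLCI.
set logical-systems LSYS3A interfaces lt-0/0/0 unit 31 encapsulation frame-relay
set logical-systems LSYS3A interfaces lt-0/0/0 unit 31 dlci 100
set logical-systems LSYS3A interfaces lt-0/0/0 unit 31 peer-unit 3
set logical-systems LSYS3A interfaces lt-0/0/0 unit 31 family inet address 10.0.3.2/30
set logical-systems LSYS3A security zones security-zone FR-ZONE interfaces lt-0/0/0.31
set logical-systems LSYS3A security zones security-zone FR-ZONE host-inbound-traffic system-services ping

# Steps 11-13: explicit intrazone policy and default-policy in LSYS3.
# The procedure's step 12 permits by default; deny-all is used here so that
# nothing outside FR-POLICY is forwarded.
set logical-systems LSYS3 security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY match source-address any
set logical-systems LSYS3 security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY match destination-address any
set logical-systems LSYS3 security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY match application any
set logical-systems LSYS3 security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY then permit
set logical-systems LSYS3 security policies default-policy deny-all

set logical-systems LSYS3A security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY match source-address any
set logical-systems LSYS3A security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY match destination-address any
set logical-systems LSYS3A security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY match application any
set logical-systems LSYS3A security policies from-zone FR-ZONE to-zone FR-ZONE policy FR-POLICY then permit
set logical-systems LSYS3A security policies default-policy deny-all
```

A mismatched DLCI between the two peer units is the usual reason the frame-relay tunnel stays down even though both logical interfaces show as up in show interfaces lt-0/0/0 terse.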

Results
  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS3 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS3A command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Configuring Logical Systems Interconnect with Multiple VPLS Switches

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.

  1. Configure the lt-0/0/0 interfaces.

  2. Configure the routing instance for the VPLS switches and add interfaces to it.

  3. Configure LSYS1 with lt-0/0/0.1 interface and peer lt-0/0/0.11.

  4. Configure LSYS2 with lt-0/0/0.2 interface and peer lt-0/0/0.12.

  5. Configure LSYS3 with lt-0/0/0.3 interface and peer lt-0/0/0.13.

  6. Configure LSYS2B with lt-0/0/0 interface and peer-unit 24.

  7. Assign security-profile for logical-systems.
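The following set commands are added here to illustrate steps 1 through 7 with two VPLS switches defined in the root logical system (the Junos OS 18.2R1 and later arrangement described earlier); they are not the page's own CLI Quick Configuration. The steps above name the pairings lt-0/0/0.1 with .11, .2 with .12, .3 with .13, and a peer unit 24 for LSYS2B; the remaining unit numbers (5, 23, 4), the switch names VPLS-SW1 and VPLS-SW2, the addresses, the zone name VPLS-ZONE and the profile SP-VPLS are assumed values. Lines beginning with # are explanatory comments and are not part of the configuration.

```junos
# Added example; names, addresses and the unit numbers not listed in the
# procedure are constructed placeholders.

# Step 1: root-side LT units are the switch ports, so they use ethernet-vpls.
# VPLS-SW1 ports: units 11, 12, 13. VPLS-SW2 ports: units 23, 24.
set interfaces lt-0/0/0 unit 11 encapsulation ethernet-vpls peer-unit 1
set interfaces lt-0/0/0 unit 12 encapsulation ethernet-vpls peer-unit 2
set interfaces lt-0/0/0 unit 13 encapsulation ethernet-vpls peer-unit 3
set interfaces lt-0/0/0 unit 23 encapsulation ethernet-vpls peer-unit 5
set interfaces lt-0/0/0 unit 24 encapsulation ethernet-vpls peer-unit 4

# Step 2: two VPLS routing instances in the root logical system, each acting
# as an independent Layer 2 switch. LSYS1 and LSYS3 can only reach each other
# through VPLS-SW1; LSYS2B sits on VPLS-SW2 and is isolated from them.
set routing-instances VPLS-SW1 instance-type vpls
set routing-instances VPLS-SW1 interface lt-0/0/0.11
set routing-instances VPLS-SW1 interface lt-0/0/0.12
set routing-instances VPLS-SW1 interface lt-0/0/0.13
set routing-instances VPLS-SW2 instance-type vpls
set routing-instances VPLS-SW2 interface lt-0/0/0.23
set routing-instances VPLS-SW2 interface lt-0/0/0.24

# Step 3: LSYS1, one port on VPLS-SW1.
set logical-systems LSYS1 interfaces lt-0/0/0 unit 1 encapsulation ethernet peer-unit 11
set logical-systems LSYS1 interfaces lt-0/0/0 unit 1 family inet address 10.10.0.1/24
set logical-systems LSYS1 security zones security-zone VPLS-ZONE interfaces lt-0/0/0.1

# Step 4: LSYS2 has two LT IFLs, one per switch (multiple LT interfaces in a
# single logical system, as the note above allows).
set logical-systems LSYS2 interfaces lt-0/0/0 unit 2 encapsulation ethernet peer-unit 12
set logical-systems LSYS2 interfaces lt-0/0/0 unit 2 family inet address 10.10.0.2/24
set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 encapsulation ethernet peer-unit 23
set logical-systems LSYS2 interfaces lt-0/0/0 unit 5 family inet address 10.20.0.2/24
set logical-systems LSYS2 security zones security-zone VPLS-ZONE interfaces lt-0/0/0.2
set logical-systems LSYS2 security zones security-zone VPLS-ZONE interfaces lt-0/0/0.5

# Step 5: LSYS3, one port on VPLS-SW1.
set logical-systems LSYS3 interfaces lt-0/0/0 unit 3 encapsulation ethernet peer-unit 13
set logical-systems LSYS3 interfaces lt-0/0/0 unit 3 family inet address 10.10.0.3/24
set logical-systems LSYS3 security zones security-zone VPLS-ZONE interfaces lt-0/0/0.3

# Step 6: LSYS2B, whose LT unit peers with root unit 24 on VPLS-SW2.
set logical-systems LSYS2B interfaces lt-0/0/0 unit 4 encapsulation ethernet peer-unit 24
set logical-systems LSYS2B interfaces lt-0/0/0 unit 4 family inet address 10.20.0.3/24
set logical-systems LSYS2B security zones security-zone VPLS-ZONE interfaces lt-0/0/0.4

# Step 7: one security profile for all four logical systems.
set system security-profile SP-VPLS policy maximum 100 reserved 50
set system security-profile SP-VPLS zone maximum 10 reserved 2
set system security-profile SP-VPLS logical-system LSYS1
set system security-profile SP-VPLS logical-system LSYS2
set system security-profile SP-VPLS logical-system LSYS3
set system security-profile SP-VPLS logical-system LSYS2B
```

Security policies inside each logical system still decide what is forwarded across the switch ports; none are shown here. Splitting tenants across separate VPLS instances, as LSYS2B is here, is the way to keep Layer 2 segments apart on the same device, since everything in one VPLS instance shares a broadcast domain.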

Results
  • From configuration mode, confirm your configuration by entering the show interfaces lt-0/0/0 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show routing-instances command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS1 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS3 command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show logical-systems LSYS2B command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

  • From configuration mode, confirm your configuration by entering the show system security-profile command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

If you are done configuring the device, enter commit from configuration mode.

Verification

To confirm that the configuration is working properly, perform these tasks:

Verifying the Security Profile for All Logical Systems

Purpose

Verify the security profile for each logical system.

Action

From operational mode, enter the show system security-profile security-log-stream-number logical-system all command.

Meaning

The output provides the usage and reserved values for the logical systems when security-log-stream is configured.

Verifying the LT Interfaces for All Logical Systems

Purpose

Verify the LT interfaces for the logical systems.

Action

From operational mode, enter the show interfaces lt-0/0/0 terse command.

Meaning

The output provides the status of LT interfaces. All the LT interfaces are up.