Security Zones in Logical Systems
Security zones are the building blocks for policies. Security zones are logical entities to which one or more interfaces are bound. They provide a means of distinguishing groups of hosts (user logical systems and other hosts, such as servers) and resources from one another so that different security measures can be applied to each group. For more information, see the following topics:
Understanding Logical Systems Zones
Security zones are logical entities to which one or more interfaces are bound. Security zones can be configured on the primary logical system by the primary administrator or on user logical systems by the user logical system administrator. On a logical system, the administrator can configure multiple security zones, dividing the network into network segments to which various security options can be applied.
The primary administrator configures the maximum and reserved numbers of security zones for each user logical system. The user logical system administrator can then create security zones in the user logical system and assign interfaces to each security zone. From a user logical system, the user logical system administrator can use the show system security-profile zones command to view the number of security zones allocated to the user logical system and the show interfaces command to view the interfaces allocated to the user logical system.
The primary administrator can configure a security profile for the primary logical system that specifies the maximum and reserved numbers of security zones applied to the primary logical system. The number of zones configured in the primary logical system count toward the maximum number of zones available on the device.
The primary and user administrator can configure the following properties of a security zone in a logical system:
Interfaces that are part of a security zone.
Screen options—For every security zone, you can enable a set of predefined screen options that detect and block various kinds of traffic that the device determines as potentially harmful.
TCP-Reset—When this feature is enabled, the system sends a TCP segment with the RESET flag set when traffic arrives that does not match an existing session and does not have the synchronize flag set.
Host inbound traffic—This feature specifies the kinds of traffic that can reach the device from systems that are directly connected to its interfaces. You can configure these parameters at the zone level, in which case they affect all interfaces of the zone, or at the interface level. (Interface configuration overrides that of the zone.)
There are no preconfigured security zones in the primary logical system or user logical system.
The management functional zone (MGT) can only be configured for the primary logical system. There is only one management interface per device and that interface is allocated to the primary logical system.
The all interface can only be assigned to a zone in the primary logical system by the primary administrator.
The user logical system administrator can configure and view all attributes for a security zone in a user logical system. All attributes of a security zone in a user logical system are also visible to the primary administrator.
Example: Configuring User Logical Systems
This example shows the configuration of interfaces, routing instances, zones, and security policies for user logical systems.
Requirements
Before you begin:
Log in to the user logical system as the logical system administrator. See User Logical Systems Configuration Overview.
Be sure you know which logical interfaces and optionally, which logical tunnel interface (and its IP address) are allocated to your user logical system by the primary administrator. See Understanding the Primary Logical Systems and the Primary Administrator Role.
Overview
This example configures the ls-marketing-dept and ls-accounting-dept user logical systems shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example configures the parameters described in Table 1 and Table 2.
Table 1: ls-marketing-dept Configuration Parameters

Feature | Name | Configuration Parameters |
---|---|---|
Interface | ge-0/0/6.1 | |
Routing instance | mk-vr1 | |
Zones | ls-marketing-trust | Bind to interface ge-0/0/6.1. |
Zones | ls-marketing-untrust | Bind to interface lt-0/0/0.5. |
Address books | marketing-internal | |
Address books | marketing-external | |
Policies | permit-all-to-otherlsys | Permit the following traffic: |
Policies | permit-all-from-otherlsys | Permit the following traffic: |
Table 2: ls-accounting-dept Configuration Parameters

Feature | Name | Configuration Parameters |
---|---|---|
Interface | ge-0/0/7.1 | |
Routing instance | acct-vr1 | |
Zones | ls-accounting-trust | Bind to interface ge-0/0/7.1. |
Zones | ls-accounting-untrust | Bind to interface lt-0/0/0.7. |
Address books | accounting-internal | |
Address books | accounting-external | |
Policies | permit-all-to-otherlsys | Permit the following traffic: |
Policies | permit-all-from-otherlsys | Permit the following traffic: |
Configuration
- Configuring the ls-marketing-dept User Logical System
- Configuring the ls-accounting-dept User Logical System
Configuring the ls-marketing-dept User Logical System
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/6 unit 1 family inet address 13.1.1.1/24
set interfaces ge-0/0/6 unit 1 vlan-id 800
set routing-instances mk-vr1 instance-type virtual-router
set routing-instances mk-vr1 interface ge-0/0/6.1
set routing-instances mk-vr1 interface lt-0/0/0.5
set routing-instances mk-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
set routing-instances mk-vr1 routing-options static route 14.1.1.0/24 next-hop 10.0.1.4
set routing-instances mk-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
set security zones security-zone ls-marketing-trust interfaces ge-0/0/6.1
set security zones security-zone ls-marketing-untrust interfaces lt-0/0/0.5
set security address-book marketing-external address design 12.1.1.0/24
set security address-book marketing-external address accounting 14.1.1.0/24
set security address-book marketing-external address others 12.12.1.0/24
set security address-book marketing-external address-set otherlsys address design
set security address-book marketing-external address-set otherlsys address accounting
set security address-book marketing-external attach zone ls-marketing-untrust
set security address-book marketing-internal address marketers 13.1.1.0/24
set security address-book marketing-internal attach zone ls-marketing-trust
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match source-address marketers
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match destination-address otherlsys
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match application any
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys then permit
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match source-address otherlsys
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match destination-address marketers
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match application any
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys then permit
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure a user logical system:
Log in to the user logical system as the logical system administrator and enter configuration mode.
lsmarketingadmin1@host:ls-marketing-dept> configure
lsmarketingadmin1@host:ls-marketing-dept#
Configure the logical interface for a user logical system.
[edit interfaces]
lsmarketingadmin1@host:ls-marketing-dept# set ge-0/0/6 unit 1 family inet address 13.1.1.1/24
lsmarketingadmin1@host:ls-marketing-dept# set ge-0/0/6 unit 1 vlan-id 800
Configure the routing instance and assign interfaces.
[edit routing-instances]
lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 instance-type virtual-router
lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 interface ge-0/0/6.1
lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 interface lt-0/0/0.5
Configure static routes.
[edit routing-instances]
lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 routing-options static route 14.1.1.0/24 next-hop 10.0.1.4
lsmarketingadmin1@host:ls-marketing-dept# set mk-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
Configure security zones and assign interfaces to each zone.
[edit security zones]
lsmarketingadmin1@host:ls-marketing-dept# set security-zone ls-marketing-trust interfaces ge-0/0/6.1
lsmarketingadmin1@host:ls-marketing-dept# set security-zone ls-marketing-untrust interfaces lt-0/0/0.5
Create address book entries.
[edit security]
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-internal address marketers 13.1.1.0/24
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address design 12.1.1.0/24
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address accounting 14.1.1.0/24
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address others 12.12.1.0/24
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address-set otherlsys address design
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external address-set otherlsys address accounting
Attach address books to zones.
[edit security]
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-internal attach zone ls-marketing-trust
lsmarketingadmin1@host:ls-marketing-dept# set address-book marketing-external attach zone ls-marketing-untrust
Configure a security policy that permits traffic from the ls-marketing-trust zone to the ls-marketing-untrust zone.
[edit security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust]
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys match source-address marketers
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys match destination-address otherlsys
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys match application any
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-to-otherlsys then permit
Configure a security policy that permits traffic from the ls-marketing-untrust zone to the ls-marketing-trust zone.
[edit security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust]
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys match source-address otherlsys
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys match destination-address marketers
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys match application any
lsmarketingadmin1@host:ls-marketing-dept# set policy permit-all-from-otherlsys then permit
Results
From configuration mode, confirm your configuration by entering the show routing-instances and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
lsmarketingadmin1@host:ls-marketing-dept# show routing-instances
mk-vr1 {
    instance-type virtual-router;
    interface ge-0/0/6.1;
    interface lt-0/0/0.5;
    routing-options {
        static {
            route 12.1.1.0/24 next-hop 10.0.1.2;
            route 14.1.1.0/24 next-hop 10.0.1.4;
            route 12.12.1.0/24 next-hop 10.0.1.1;
        }
    }
}
lsmarketingadmin1@host:ls-marketing-dept# show security
address-book {
    marketing-external {
        address design 12.1.1.0/24;
        address accounting 14.1.1.0/24;
        address others 12.12.1.0/24;
        address-set otherlsys {
            address design;
            address accounting;
        }
        attach {
            zone ls-marketing-untrust;
        }
    }
    marketing-internal {
        address marketers 13.1.1.0/24;
        attach {
            zone ls-marketing-trust;
        }
    }
}
policies {
    from-zone ls-marketing-trust to-zone ls-marketing-untrust {
        policy permit-all-to-otherlsys {
            match {
                source-address marketers;
                destination-address otherlsys;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone ls-marketing-untrust to-zone ls-marketing-trust {
        policy permit-all-from-otherlsys {
            match {
                source-address otherlsys;
                destination-address marketers;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone ls-marketing-trust {
        interfaces {
            ge-0/0/6.1;
        }
    }
    security-zone ls-marketing-untrust {
        interfaces {
            lt-0/0/0.5;
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.
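The user logical system examples on this page (the marketing and accounting configurations above, and the product-design zones that follow) all build the same model: zones bound to interfaces, address books attached to zones, and policies that reference those addresses. The following Python script is an added example, not part of the Junos documentation or of Junos itself; it parses the page's set security commands (the embedded sample is constructed from the ls-marketing-dept quick configuration) and reports, before commit, policies that reference an undefined zone or an address missing from the book attached to that zone, and permits with application any. The function names parse_set_config and audit are my own.

```python
from collections import defaultdict

# Constructed sample: the ls-marketing-dept 'set security ...' commands from this
# page (interfaces and routing-instances are omitted; they are not checked here).
SAMPLE_CONFIG = """
set security zones security-zone ls-marketing-trust interfaces ge-0/0/6.1
set security zones security-zone ls-marketing-untrust interfaces lt-0/0/0.5
set security address-book marketing-external address design 12.1.1.0/24
set security address-book marketing-external address accounting 14.1.1.0/24
set security address-book marketing-external address others 12.12.1.0/24
set security address-book marketing-external address-set otherlsys address design
set security address-book marketing-external address-set otherlsys address accounting
set security address-book marketing-external attach zone ls-marketing-untrust
set security address-book marketing-internal address marketers 13.1.1.0/24
set security address-book marketing-internal attach zone ls-marketing-trust
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match source-address marketers
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match destination-address otherlsys
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys match application any
set security policies from-zone ls-marketing-trust to-zone ls-marketing-untrust policy permit-all-to-otherlsys then permit
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match source-address otherlsys
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match destination-address marketers
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys match application any
set security policies from-zone ls-marketing-untrust to-zone ls-marketing-trust policy permit-all-from-otherlsys then permit
"""

MATCH_FIELDS = {"source-address": "src", "destination-address": "dst", "application": "app"}


def parse_set_config(text):
    """Model zones, address books and policies from 'set security ...' lines."""
    zones = defaultdict(lambda: {"interfaces": set(), "tcp_rst": False})
    books = defaultdict(lambda: {"addresses": {}, "sets": defaultdict(set), "zone": None})
    policies = defaultdict(lambda: {"src": set(), "dst": set(), "app": set(), "action": None})
    for line in text.strip().splitlines():
        t = line.split()
        if t[:2] != ["set", "security"]:
            continue  # interfaces, routing-instances, blank lines: not modelled
        if t[2] == "zones" and t[3] == "security-zone":
            zone = zones[t[4]]
            if t[5] == "interfaces":
                zone["interfaces"].add(t[6])
            elif t[5] == "tcp-rst":  # zone-level TCP-Reset, as in the product-design example
                zone["tcp_rst"] = True
        elif t[2] == "address-book":
            book = books[t[3]]
            if t[4] == "address":
                book["addresses"][t[5]] = t[6]
            elif t[4] == "address-set":
                book["sets"][t[5]].add(t[7])
            elif t[4:6] == ["attach", "zone"]:
                book["zone"] = t[6]
        elif t[2] == "policies":
            policy = policies[(t[4], t[6], t[8])]  # (from-zone, to-zone, policy name)
            if t[9] == "match":
                policy[MATCH_FIELDS[t[10]]].add(t[11])
            elif t[9] == "then":
                policy["action"] = t[10]
    return zones, books, policies


def audit(zones, books, policies):
    """Findings to review before 'commit': dangling references and broad permits."""
    findings = []
    book_for_zone = {b["zone"]: name for name, b in books.items() if b["zone"]}
    for (from_zone, to_zone, name), policy in policies.items():
        for zone in (from_zone, to_zone):
            if zone not in zones:
                findings.append(f"{name}: zone {zone} is not defined")
            elif not zones[zone]["interfaces"]:
                findings.append(f"{name}: zone {zone} has no interface bound")
        # Addresses must exist in the address book attached to the matching zone
        # (this page attaches one book per zone; global address books are not modelled).
        for field, zone in (("src", from_zone), ("dst", to_zone)):
            book = books.get(book_for_zone.get(zone))
            known = set(book["addresses"]) | set(book["sets"]) if book else set()
            for addr in policy[field] - known - {"any"}:
                findings.append(f"{name}: {field} address {addr} not in the book attached to {zone}")
        if policy["action"] == "permit" and "any" in policy["app"]:
            findings.append(f"{name}: permits application any; consider restricting it")
    return findings
```

For the page's configuration the only findings are the two application-any permits, which is the intended behaviour here but worth a second look on a production device.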
Configuring the ls-accounting-dept User Logical System
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set interfaces ge-0/0/7 unit 1 family inet address 14.1.1.1/24
set interfaces ge-0/0/7 unit 1 vlan-id 900
set routing-instances acct-vr1 instance-type virtual-router
set routing-instances acct-vr1 interface ge-0/0/7.1
set routing-instances acct-vr1 interface lt-0/0/0.7
set routing-instances acct-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
set routing-instances acct-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
set routing-instances acct-vr1 routing-options static route 13.1.1.0/24 next-hop 10.0.1.3
set security address-book accounting-internal address accounting 14.1.1.0/24
set security address-book accounting-internal attach zone ls-accounting-trust
set security address-book accounting-external address design 12.1.1.0/24
set security address-book accounting-external address marketing 13.1.1.0/24
set security address-book accounting-external address others 12.12.1.0/24
set security address-book accounting-external address-set otherlsys address design
set security address-book accounting-external address-set otherlsys address marketing
set security address-book accounting-external attach zone ls-accounting-untrust
set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys match source-address accounting
set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys match destination-address otherlsys
set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys match application any
set security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust policy permit-all-to-otherlsys then permit
set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys match source-address otherlsys
set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys match destination-address accounting
set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys match application any
set security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust policy permit-all-from-otherlsys then permit
set security zones security-zone ls-accounting-trust interfaces ge-0/0/7.1
set security zones security-zone ls-accounting-untrust interfaces lt-0/0/0.7
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode.
To configure a user logical system:
Log in to the user logical system as the logical system administrator and enter configuration mode.
lsaccountingadmin1@host:ls-accounting-dept> configure
lsaccountingadmin1@host:ls-accounting-dept#
Configure the logical interface for a user logical system.
[edit interfaces]
lsaccountingadmin1@host:ls-accounting-dept# set ge-0/0/7 unit 1 family inet address 14.1.1.1/24
lsaccountingadmin1@host:ls-accounting-dept# set ge-0/0/7 unit 1 vlan-id 900
Configure the routing instance and assign interfaces.
[edit routing-instances]
lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 instance-type virtual-router
lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 interface ge-0/0/7.1
lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 interface lt-0/0/0.7
Configure static routes.
[edit routing-instances]
lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 routing-options static route 12.1.1.0/24 next-hop 10.0.1.2
lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 routing-options static route 13.1.1.0/24 next-hop 10.0.1.3
lsaccountingadmin1@host:ls-accounting-dept# set acct-vr1 routing-options static route 12.12.1.0/24 next-hop 10.0.1.1
Configure security zones and assign interfaces to each zone.
[edit security zones]
lsaccountingadmin1@host:ls-accounting-dept# set security-zone ls-accounting-trust interfaces ge-0/0/7.1
lsaccountingadmin1@host:ls-accounting-dept# set security-zone ls-accounting-untrust interfaces lt-0/0/0.7
Create address book entries.
[edit security]
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-internal address accounting 14.1.1.0/24
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address design 12.1.1.0/24
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address marketing 13.1.1.0/24
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address others 12.12.1.0/24
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address-set otherlsys address design
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external address-set otherlsys address marketing
Attach address books to zones.
[edit security]
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-internal attach zone ls-accounting-trust
lsaccountingadmin1@host:ls-accounting-dept# set address-book accounting-external attach zone ls-accounting-untrust
Configure a security policy that permits traffic from the ls-accounting-trust zone to the ls-accounting-untrust zone.
[edit security policies from-zone ls-accounting-trust to-zone ls-accounting-untrust]
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys match source-address accounting
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys match destination-address otherlsys
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys match application any
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-to-otherlsys then permit
Configure a security policy that permits traffic from the ls-accounting-untrust zone to the ls-accounting-trust zone.
[edit security policies from-zone ls-accounting-untrust to-zone ls-accounting-trust]
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys match source-address otherlsys
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys match destination-address accounting
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys match application any
lsaccountingadmin1@host:ls-accounting-dept# set policy permit-all-from-otherlsys then permit
Results
From configuration mode, confirm your configuration by entering the show routing-instances and show security commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
lsaccountingadmin1@host:ls-accounting-dept# show routing-instances
acct-vr1 {
    instance-type virtual-router;
    interface ge-0/0/7.1;
    interface lt-0/0/0.7;
    routing-options {
        static {
            route 12.12.1.0/24 next-hop 10.0.1.1;
            route 12.1.1.0/24 next-hop 10.0.1.2;
            route 13.1.1.0/24 next-hop 10.0.1.3;
        }
    }
}
lsaccountingadmin1@host:ls-accounting-dept# show security
address-book {
    accounting-internal {
        address accounting 14.1.1.0/24;
        attach {
            zone ls-accounting-trust;
        }
    }
    accounting-external {
        address design 12.1.1.0/24;
        address marketing 13.1.1.0/24;
        address others 12.12.1.0/24;
        address-set otherlsys {
            address design;
            address marketing;
        }
        attach {
            zone ls-accounting-untrust;
        }
    }
}
policies {
    from-zone ls-accounting-trust to-zone ls-accounting-untrust {
        policy permit-all-to-otherlsys {
            match {
                source-address accounting;
                destination-address otherlsys;
                application any;
            }
            then {
                permit;
            }
        }
    }
    from-zone ls-accounting-untrust to-zone ls-accounting-trust {
        policy permit-all-from-otherlsys {
            match {
                source-address otherlsys;
                destination-address accounting;
                application any;
            }
            then {
                permit;
            }
        }
    }
}
zones {
    security-zone ls-accounting-trust {
        interfaces {
            ge-0/0/7.1;
        }
    }
    security-zone ls-accounting-untrust {
        interfaces {
            lt-0/0/0.7;
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.
Verification
To confirm that the configuration is working properly, perform these tasks:
Example: Configuring Security Zones for a User Logical System
This example shows how to configure zones for a user logical system.
Requirements
Before you begin:
Log in to the user logical system as the user logical system administrator. See User Logical Systems Configuration Overview.
Use the show system security-profile zones command to see the zone resources allocated to the logical system.
Logical interfaces for the user logical system must be configured. See Example: Configuring Interfaces and Routing Instances for a User Logical Systems.
Overview
This example configures the ls-product-design user logical system shown in Example: Creating User Logical Systems, Their Administrators, Their Users, and an Interconnect Logical System.
This example creates the zones and address books described in Table 3.
Table 3: ls-product-design Zones and Address Books

Feature | Name | Configuration Parameters |
---|---|---|
Zones | ls-product-design-trust | |
Zones | ls-product-design-untrust | |
Address books | product-design-internal | |
Address books | product-design-external | |
Configuration
Procedure
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
set security address-book product-design-internal address product-designers 12.1.1.0/24
set security address-book product-design-internal attach zone ls-product-design-trust
set security address-book product-design-external address marketing 13.1.1.0/24
set security address-book product-design-external address accounting 14.1.1.0/24
set security address-book product-design-external address others 12.12.1.0/24
set security address-book product-design-external address-set otherlsys address marketing
set security address-book product-design-external address-set otherlsys address accounting
set security address-book product-design-external attach zone ls-product-design-untrust
set security zones security-zone ls-product-design-trust tcp-rst
set security zones security-zone ls-product-design-trust interfaces ge-0/0/5.1
set security zones security-zone ls-product-design-untrust interfaces lt-0/0/0.3
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.
To configure zones in a user logical system:
Log in to the user logical system as the logical system administrator and enter configuration mode.
lsdesignadmin1@host:ls-product-design> configure
lsdesignadmin1@host:ls-product-design#
Configure a security zone and assign it to an interface.
[edit security zones]
lsdesignadmin1@host:ls-product-design# set security-zone ls-product-design-trust interfaces ge-0/0/5.1
Configure the TCP-Reset parameter for the zone.
[edit security zones security-zone ls-product-design-trust]
lsdesignadmin1@host:ls-product-design# set tcp-rst
Configure a security zone and assign it to an interface.
[edit security zones]
lsdesignadmin1@host:ls-product-design# set security-zone ls-product-design-untrust interfaces lt-0/0/0.3
Create global address book entries.
[edit security]
lsdesignadmin1@host:ls-product-design# set address-book product-design-internal address product-designers 12.1.1.0/24
lsdesignadmin1@host:ls-product-design# set address-book product-design-external address marketing 13.1.1.0/24
lsdesignadmin1@host:ls-product-design# set address-book product-design-external address accounting 14.1.1.0/24
lsdesignadmin1@host:ls-product-design# set address-book product-design-external address others 12.12.1.0/24
lsdesignadmin1@host:ls-product-design# set address-book product-design-external address-set otherlsys address marketing
lsdesignadmin1@host:ls-product-design# set address-book product-design-external address-set otherlsys address accounting
Attach address books to zones.
[edit security]
lsdesignadmin1@host:ls-product-design# set address-book product-design-internal attach zone ls-product-design-trust
lsdesignadmin1@host:ls-product-design# set address-book product-design-external attach zone ls-product-design-untrust
Results
From configuration mode, confirm your configuration by entering the show security command. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.
lsdesignadmin1@host:ls-product-design# show security
address-book {
    product-design-internal {
        address product-designers 12.1.1.0/24;
        attach {
            zone ls-product-design-trust;
        }
    }
    product-design-external {
        address marketing 13.1.1.0/24;
        address accounting 14.1.1.0/24;
        address others 12.12.1.0/24;
        address-set otherlsys {
            address marketing;
            address accounting;
        }
        attach {
            zone ls-product-design-untrust;
        }
    }
}
zones {
    security-zone ls-product-design-trust {
        tcp-rst;
        interfaces {
            ge-0/0/5.1;
        }
    }
    security-zone ls-product-design-untrust {
        interfaces {
            lt-0/0/0.3;
        }
    }
}
If you are done configuring the device, enter commit
from configuration mode.