Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Tenant Systems Overview

A tenant system supports routing, services and security features.

Understanding Tenant Systems

A tenant system logically partitions the physical firewall into separate and isolated logical firewall. Although similar to logical systems, tenant systems have much higher scalability and fewer routing features. Each tenant system on a device allows you to control a discrete administrative domain for security services. By transforming your device into a multitenant system, you can provide various departments, organizations, customers, and partners—depending on your environment—private and logically separated use of system resources and tenant-specific views of security configuration and KPIs. A primary administrator creates and manages all the tenant systems. Figure 1 shows a single device with a primary logical system and discrete tenant systems.

Figure 1: Tenant SystemsTenant Systems

Differences Between Logical Systems and Tenant Systems

Table 1 describes the key differences between logical systems and tenant systems.

Table 1: Differences Between Logical Systems and Tenant Systems

Functionality

Logical Systems

Tenant Systems

Feature support

Supports all the routing features to provide optimal data routing paths.

Supports routing features and high-scale security virtualization to isolate customer environments.

Scalability

A maximum of 32 logical systems can be configured on a physical SRX Series Firewall.

A maximum of 500 tenant systems can be configured on a physical SRX Series Firewall to provide high scalability.

Routing protocol process

Every logical system needs an individual copy of the routing protocol process to logically separate the resources on a device.

The primary logical system has a single routing protocol process, which is shared by the tenant systems. Routing instances supported by this single routing protocol process achieve the security resource separation on the firewall.

Routing instance

A default routing instance is automatically created for every logical system.

Starting in Junos OS Release 19.2R1, the virtual-router configured in a tenant system is passed as the default routing-instance to ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands.

Logical interface configuration

The primary administrator assigns the logical interfaces and the logical system administrator can configure the interface attributes.

A tenant system administrator cannot configure the logical interfaces. The primary administrator assigns the logical interfaces to a tenant system.

Use Cases for Logical Systems and Tenant Systems

A logical system is used when more than one virtual router is required. For example, you have multiple connections to the external network and they cannot co-exist in the same virtual router. Tenant systems are used when you need to separate departments, organization, or customers and each of them can be limited to one virtual router. The main difference between a logical system and a tenant system is that a logical system supports advanced routing functionality using multiple routing instances. In comparison, a tenant system supports only one routing instance, but supports the deployment of significantly more tenants per system.

Deployment Scenarios for Multitenant Systems

You can deploy an SRX Series Firewall running a multitenant system in many environments such as a managed security service provider (MSSP), an enterprise network, or a branch office segment. Table 2 describes the various deployment scenarios and the roles played by the tenant systems in such scenarios.

Table 2: Deployment Scenarios with Respect to Tenant Systems

Deployment Scenarios

Roles of a Tenant System

Managed security service provider (MSSP)

  • In a managed security service provider (MSSP), each customer can be isolated from other customer to protect data privacy. Customers that require defined service level agreements (SLAs) can be be allocated memory and system resources to meet these SLAs.

  • The customer can configure distinct security policies for compliance and control per tenant system.

Enterprise network

  • A tenant system can be assigned to a workgroup, department, or other organizational construct within an enterprise.

  • A tenant system can define the distinct security policies for the enterprise workgroup, department, or other organizational construct of the enterprise.

Branch office segment

  • In a branch office, a tenant system can individually manage and segregate corporate and guest traffic.

  • Advanced security policies can be configured per tenant system; this approach allows granular control of the security policies.

  • A tenant system provides ease of management and troubleshooting.

Benefits of Tenant Systems

  • Curtail cost by reducing the number of physical devices required for your organization. You can consolidate services for various groups of users on a single device and reduce the hardware costs, power expenditure, and rack space.

  • Provide isolation and logical separation at the tenant system level. Provides the ability to separate tenant systems with administrative separation at large scale in which each tenant system can define its own security controls and restrictions without impacting other tenant systems.

Roles and Responsibilities of Primary Administrator and Tenant System Administrator

A primary administrator creates and manages all the tenant systems. A primary logical system is created at the root level and is allocated a single routing protocol process. Although this routing protocol process is shared, tenant systems enable logical resource separation on the firewall. By default, all system resources are assigned to the primary logical system, and the primary administrator allocates them to the tenant system administrators.

Note:

In Junos OS command-line reference, primary logical system is referred as root logical system.

A tenant system is created that is subtended by the primary logical system. Although all the tenants under the primary logical system share a single routing process, each tenant system has a single routing instance. Table 3 describes the roles and responsibilities of the primary administrator and tenant system administrator.

Table 3: Roles and Responsibilities With Respect to Tenant Systems

Roles

Definition

Responsibilities

Primary administrator

A user account with superuser configuration and verification privileges for all logical systems and tenant systems.

  • View and access all logical systems and tenant systems.

  • Create login accounts for all the tenant systems and assign the login accounts to the appropriate tenant system.

  • Create and allocate the resources to the tenant systems.

  • Create one custom routing instance under the tenant system which acts as the default routing instance for the tenant system.

  • Create a virtual router under the tenant system and assign it to the tenant system.

  • Create logical interfaces to assign to the tenant systems.

  • Manage the tenant systems in the primary logical system.

  • Ensure duplicate names for tenant system, logs, and trace file do not exist.

Tenant system administrator

A tenant system account with all configuration and verification privileges.

Note:

The configuration and verification privileges of a tenant system administrator depends on the permission assigned to them by the primary administrator while creating the tenant system administrator. Multiple tenant system administrators can be created for a tenant system with different permission levels based on your requirement.

  • Access and view the resources of the tenant system.

  • Configure the resources allocated and routing protocols.

  • Configure schedulers, security profiles, and security features.

The following privileges are not supported by the tenant system administrator:

  • Define access restrictions and the default routing instance for the tenant system.

  • Access and view the resources of other tenant systems.

  • Modify the number of allocated resources for a tenant system.

  • Create logical interfaces, virtual router, and policy options.

Tenant System Capacity

The maximum number of tenant systems that can be created on the device are listed in Table 4.

Table 4: Tenant Systems Capacity

Platform

Logical Systems Capacity

Tenant Systems Capacity for Junos OS Release 18.4R1

Tenant Systems Capacity starting in Junos OS Release 20.1R1

Tenant Systems Capacity starting in Junos OS Release 23.4R1

SRX1500

32

50

50

SRX1600

32

50

SRX2300

32

200

SRX4100 and SRX4200

32

200

200

SRX4600

32

300

300

SRX5400, SRX5600, and SRX5800 Series devices with SPC2 cards

32

100

100

SRX5400, SRX5600, and SRX5800 Series devices with SPC3 cards

32

500

500

SRX5400, SRX5600, and SRX5800 Series devices with SPC2 and SPC3 cards

32

100

100

vSRX

8

42

Note:

Starting in Junos OS Release 20.1R1, vSRX Virtual Firewall and vSRX3.0 instances with a memory capacity of 16GB or more and at least two CPUs in the Routing Engine support logical systems and tenant systems.

Starting in Junos OS Release 18.4R1, tenant systems can be supported on an SRX5000 line security services gateway equipped with a combination of third generation service processing cards (SRX5K-SPC3) and second generation service processing cards (SRX5K-SPC-4-15-320). Prior to Junos OS Release 18.4R1, tenant systems was supported on SPC2 only.

Tenant System Configuration Overview

The primary administrator creates a tenant system and assigns an administrator for managing the tenant system. A tenant system can have multiple administrators. The roles and responsibilities of a tenant system administrator are explained in Understanding Tenant Systems.

The primary administrator configures the logical interfaces and assigns those interfaces to the tenant system. Configure one routing instance and the routing protocols, and add options for the routing instance. See Configuring a Routing Instance for a Tenant System.

Tenant systems have their own configuration database. After successful configuration, the changes are merged to the primary database for each tenant systems. Multiple tenant systems can perform configuration changes at a time. You can commit the changes for only one tenant at a time. If the primary administrator and a tenant system administrator performs configuration changes simultaneously, the configuration changes performed by the primary administrator override the configuration changes performed by the tenant system administrator.

The following steps explain the tasks that the tenant system administrator performs to configure the security features in a tenant system:

  1. Use the SSH service to access the device, and then log in to the tenant system with the login ID and password provided by the primary administrator.

    After you are authenticated, the presence of the “>” prompt indicates that you accessed to the CLI operational mode. The prompt is preceded by a string that contains the username, the hostname of the device, and the name of the tenant system. When the CLI starts, you are at the top level in operational mode.

  2. Access the configuration mode by entering the configure command.
  3. Enter the quit command to exit the configuration mode and return to the CLI operational mode.
  4. Configure the following security features in the tenant system as necessary:

Configuring a Routing Instance for a Tenant System

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. A set of interfaces that belong to the routing instance and the routing protocol parameters control the information in the routing instance. A tenant system can configure the assigned routing instance and the interfaces that belong to the routing instance within a tenant system.

Note:

Only one routing instance can be created for a tenant system.

The following procedure describes the steps to configure a routing instance and interfaces in a routing table for a tenant system:

  1. Create a tenant system named TSYS1.
  2. Create a routing instance r1 and assign the routing instance type for the tenant system.
  3. Specify the interface name for the routing instance.
  4. Specify the routing option for the routing instance.
  5. Commit the configuration.

To view the configuration for the tenant system TSYS1, run the show tenants TSYS1 command.

The show tenants TSYS1 command displays all the routing instance parameters configured for the tenant system TSYS1.

Understanding Routing and Interfaces for Tenant Systems

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The interfaces are used for forwarding data for the routing instance, and to learn the routing information from other peers (SRX Series Firewalls) using routing protocols.

A Logical interface (IFL) can be defined at either one of the following levels:

  • Global level (root logical system)

  • User logical system level

  • Tenant system level (Starting from Release Junos OS 18.4R1)

The IFL defined at the global level can be used either in root logical system or in one of the tenant systems. The IFL defined in a tenant system can be used in that tenant system only.

Default routing instance is not available for tenant systems. So, when a custom routing instance is created for a tenant system, all the interfaces defined in that tenant system should be added to that routing instance.

Overview: Configuring Routing and Interfaces for Tenant Systems

This overview shows how to configure interfaces and routing instances for a tenant system.

Requirements

Before you begin:

Overview

The following procedure describes the steps to configure a routing instance and interfaces in a routing table within a tenant system.

This topic configures the interfaces and routing instances described in Table 5.

Table 5: User Tenant System Interface and Routing Instance Configuration

Feature

Name

Configuration Parameters

Interface

ge-0/0/2.1

ge-0/0/2.2

ge-0/0/2.3

  • IP address 10.0.0.1/24

  • IP address 10.0.0.2/24

  • IP address 10.0.0.3/24

Routing instance

r1

r2

  • Instance type: virtual router

  • Includes interfaces ge-0/0/2.1, ge-0/0/2.3, and ge-0/0/2.2

Configuration

Procedure
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an interface and a routing instance in a user logical system:

  1. Configure the interfaces to support VLAN tagging.

  2. Configure the IFL at the root level.

  3. Create a tenant system named TSYS1.

  4. Define the Interface in the tenant system TSYS1.

  5. Create a routing instance r1 and assign the routing instance type for the tenant system.

  6. Specify the interface name for the routing instance.

  7. Create a tenant system named TSYS2.

  8. Define the Interface in the tenant system TSYS2.

  9. Create a routing instance r2 and assign the routing instance type for the tenant system.

  10. Specify the interface name for the routing instance.

  11. Commit the configuration.

Results

From configuration mode, confirm your configuration by entering the show interfaces and show tenants commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

The show tenants command displays all the interfaces that are defined in the tenant systems TSYS1 and TSYS2, and the routing instance parameters configured for both the tenant systems.

Understanding Tenant System Security Profiles (Primary Administrators Only)

Tenant systems allow you to virtually divide a supported SRX Series Firewall into multiple devices, securing them from intrusion and attacks, and protecting them from faulty conditions outside their own contexts. To protect tenant systems, security resources are configured in a manner similar to how they are configured for a discrete device. However, the primary administrator assigns resources to the tenant systems.

An SRX Series Firewall running tenant systems can be partitioned into tenant systems, an interconnected tenant system, if necessary, and the default primary logical system. When the system is initialized, the primary logical system is created at the root. All system resources are assigned to it, effectively creating a default primary logical system security profile. To distribute security resources across the tenant systems, the primary administrator creates security profiles that specify the resources to be allocated to a tenant system. Only the primary administrator can configure security profiles and bind them to the tenant systems. The tenant system administrator uses these resources for the respective tenant system.

The tenant systems are defined by the resources allocated to them, including security components, interfaces, routing instance, static routes, and dynamic routing protocols. The primary administrator configures the security profiles and assigns them to the tenant systems. You cannot commit a tenant system configuration without a security profile assigned to it.

This topic includes the following sections:

Tenant Systems Security Profiles

The primary administrator can configure and assign a security profile to a specific tenant system or multiple tenant systems. The maximum number of security profiles that can be configured depends on the capacity of an SRX Series Firewall. When the maximum number of security profiles have been created, you need to delete a security profile and commit the configuration change before you can create and commit another security profile. In many cases, fewer security profiles are needed because you can bind a single security profile to more than one tenant system.

Security profiles allow you to:

  • Share the device’s resources, including policies, zones, addresses and address books, flow sessions, and various forms of NAT, among all tenant systems appropriately. You can assign various amounts of a resource to the tenant systems and allow the tenant systems to utilize the resources effectively.

    Security profiles protect against one tenant system exhausting a resource that is required at the same time by other tenant systems. Security profiles protect critical system resources and maintain a better performance among tenant systems when the device is experiencing a heavy traffic flow. Security profiles defend against one tenant system dominating the use of resources and allow the other tenant systems to use the resources effectively.

  • Configure the device in a scalable way to allow for creation of additional tenant systems.

You need to delete the security profile of a tenant system before you can delete the tenant system.

Understanding How the System Assesses Resources Assignment and Use Across the Tenant Systems

To provision a tenant system with security features, the primary administrator configures a security profile that specifies the resource for each security feature:

  • A reserved quota that guarantees that the specified resource amount is always available to the tenant system.

  • A maximum allowed quota. If a tenant system requires additional resources that exceed the reserved quota, then it can utilize the resources configured for the global maximum amount if the global resources are not allocated to the other tenant systems. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. The tenant systems need to utilize the global resources effectively based on the available resources.

If a reserved quota is not configured for a resource, the default value is 0. If a maximum allowed quota is not configured for a resource, the default value is the global system quota for the resource (global system quotas are platform-dependent). The primary administrator must configure the appropriate maximum allowed quota values in the security profiles so that the maximum resource usage of a specific tenant system does not negatively impact other tenant systems configured on the device.

The system maintains a count of all allocated resources that are reserved, used, and made available again when a tenant system is deleted. This count determines whether resources are available to use for tenant systems or to increase the amount of the resources allocated to existing tenant systems through their security profiles.

Resources configured in security profiles are characterized as static modular resources or dynamic resources. For static resources, we recommend setting a maximum quota for a resource equal or close to the amount specified as its reserved quota, to allow for scalable configuration of tenant systems. A maximum quota for a resource gives a tenant system greater flexibility through access to a larger amount of that resource, but it constrains the amount of resources available to allocate to other tenant systems.

The following security features resources can be specified in a security profile:

  • Security zones

  • Addresses and address books for security policies

  • Application firewall rule sets

  • Application firewall rules

  • Firewall authentication

  • Flow sessions and gates

  • NAT, including:

    • Cone NAT bindings

    • NAT destination rule

    • NAT destination pool

    • NAT IP address in source pool without Port Address Translation (PAT)

      Note:

      IPv6 addresses in IPv6 source pools without PAT are not included in security profiles.

    • NAT IP address in source pool with PAT

    • NAT port overloading

    • NAT source pool

    • NAT source rule

    • NAT static rule

Note:

All resources except flow sessions are static.

You can modify a tenant system security profile dynamically while the security profile is assigned to other tenant systems. However, to ensure that the system resource quota is not exceeded, the system takes the following actions:

  • If a static quota is changed, the system process that maintains the tenant system counts for resources specified in security profiles subsequently reevaluates the security profiles assigned to the profile associated with the static quota. This check identifies the number of resources assigned across all tenant systems to determine whether the allocated resources, including their increased amounts are available.

    These quota checks are the same quota checks that the system performs when you add a tenant system and bind a security profile to it. They are also performed when you bind a different security profile from the security profile that is currently assigned to it to an existing tenant system (or the primary logical system).

  • If a dynamic quota is revised, no check is performed, but the revised quota is imposed on future resource usage.

Cases: Assessments of Reserved Resources Assigned Through Security Profiles

To understand how the system assesses allocation of reserved resources through security profiles, consider the following three cases explained in Table 7 and that address allocation of the resources and zones. To keep the example simple, 10 zones are allocated in security-profile-1: 4 reserved zones and 6 maximum zones. This example assumes that the maximum amount specified—six zones—is available for the tenant systems. The system maximum number of zones is 10.

The three cases address the configuration across the tenant systems. The three cases verify whether a configuration succeeds or fails when it is committed based on the allocation of zones.

Table 6 shows the security profiles and their zone allocations.

Table 6: Security Profiles Used for Reserved Resource Assessments

Two Security Profiles Used in the Configuration Cases

security-profile-1

  • zones reserved quota = 4

  • zones maximum quota = 6

Note:

The primary administrator dynamically increases the reserved zone count specified in this profile later.

primary-logical-system-profile

  • zones maximum quota = 10

  • no reserved quota

Table 7 shows three cases that illustrate how the system assesses reserved resources for zones across the tenant systems based on the security profile configurations.

  • The configuration for the first case succeeds because the cumulative reserved resource quota for zones configured in the security profiles bound to all tenant systems is 8, which is less than the system maximum resource quota.

  • The configuration for the second case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 12, which is greater than the system maximum resource quota.

  • The configuration for the third case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all tenant systems is 12, which is greater than the system maximum resource quota.

Table 7: Reserved Resource Allocation Assessment Across Tenant Systems

Reserved Resource Quota Checks Across Tenant Systems

Example 1: Succeeds

This configuration is within bounds: 4+4+0=8, maximum capacity =10.

Security Profiles Used

  • The security profile security-profile-1 is bound to two tenant systems: tenant-system-1 and tenant-system-2.

  • The primary-logical-system-profile profile is used exclusively for the primary logical system.

  • tenant-system-1 = 4 reserved zones.

  • tenant-system-2 = 4 reserved zones.

  • primary-logical-system = 0 reserved zones.

Example 2: Fails

This configuration is out of bounds: 4+4+4=12, maximum capacity =10.

  • tenant-system-1 = 4 reserved zones.

  • tenant-system-2 = 4 reserved zones.

  • primary-logical-system = 0 reserved zones.

  • new-tenant-system = 4 reserved zones.

Security Profiles

  • The security profile security-profile-1 is bound to two tenant systems: tenant-system-1 and tenant-system-2.

  • The primary-logical-system-profile is bound to the primary logical system and used exclusively for it.

  • The primary administrator configures a new tenant system called new-tenant-system and binds security-profile-1 to it.

Example 3: Fails

This configuration is out of bounds: 6+6=12, maximum capacity =10.

The primary administrator modifies the reserved zones quota in security-profile-1, increasing the count to 6.

  • tenant-system-1 = 6 reserved zones.

  • tenant-system-2 = 6 reserved zones.

  • primary-logical-system = 0 reserved zones.

Example: Creating Tenant Systems, Tenant System Administrators, and an Interconnect VPLS Switch

This example shows how to create tenant systems, tenant system administrators, and an interconnect VPLS switch. Only the primary administrator can create user login accounts for tenant system administrators and interconnect VPLS switch.

Requirements

This example uses the following hardware and software components:

  • Before you begin creating the tenant systems, tenant system administrators, and an interconnect VPLS switch, read Tenant Systems Overview to understand how this task fits into the overall configuration process.

Overview

This example shows how to create the tenant systems TSYS1, TSYS2, and TSYS3, and the tenant system administrators for them. You can create multiple tenant system administrators for a tenant system with different permission levels based on your requirements.

This topic also covers the interconnect virtual private LAN service (VPLS) switch connecting one tenant system to another on the same device. The VPLS switch enables both transit traffic and traffic terminated at a tenant system to pass between tenant systems. To allow traffic to pass between tenant systems, logical tunnel (lt-0/0/0) interfaces should be configured in the same subnet.

Topology

The Figure 2 shows an SRX Series Firewall deployed and configured for tenant systems. The configuration example uses static routing to allow the PCs to reach the Internet.

Figure 2: Creating Tenant Systems and Interconnect VPLS SwitchCreating Tenant Systems and Interconnect VPLS Switch

Full SRX Quick Configuration

Configuring Logical and Tenant Systems, and Interconnect VPLS Switch

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, and change any details necessary to match your network configuration to include interfaces and user passwords. Then copy and paste the commands into the CLI at the [edit] hierarchy level, and enter commit from configuration mode.

Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide. We will only be covering the configuration of one tenant for the step-by-step procedure.

  1. Create the login user accounts for each tenant. We will only show the steps for creating the tenant TSYS1 user account.

    1. Create the user login class and assign it to the tenant system.

    2. Assign a permissions level to the login class, for this example we will use the level all which allows full access to the tenant system administrator.

    3. Create a user account and assign it to the class from the previous steps. This will allow the user to login to the tenant system.

    4. Create a user login password for the user account.

  2. Configure the VPLS switch. The VPLS switch enables both transit traffic and traffic terminated at a tenant system to pass between tenant systems with a single logical tunnel. Logical tunnel interfaces should be configured in the same subnet to allow traffic between tenant systems.

    1. Configure the logical tunnel interfaces.

    2. Configure a routing instance for the VPLS switch and assign the logical tunnel interfaces.

  3. Configure the tenant systems. We are only showing the configuration for one tenant.

    1. Configure the interfaces associated with the tenant.

    2. Configure the tenant, routing instance, static routing and assign the interfaces.

  4. Configure the security profiles. We are only showing the minimal configuration needed to configure logical and tenant systems for this example.

  5. Configure the logical systems. This example using an interconnect VPLS switch requires a logical systems.

    1. Configure the interfaces.

    2. Configure the static routes.

  6. Configure security zones and policies in the logical systems to allow traffic flow from the tenants to the Internet. Additional security policies can be configured on both the logical and tenant systems to allow traffic between tenants.

    1. Configure security zones.

    2. Configure security policies.

  7. Configure security zones and policies in each tenant systems to allow traffic flow to the Internet.

    1. Configure security zones.

    2. Configure security policies.

Results

From configuration mode, confirm your configuration by entering the show tenants TSYS1 command to verify that the tenant system is created. Enter the show system login class TSYS1admin1 command to view the permission level for each class that you defined. To ensure that the tenant system administrators are created, enter the show system login user TSYS1admin1 command. To ensure that the interfaces for interconnect VPLS switch are created, enter the show interfaces command. Enter show logical-systems to verify the root logical systems configuration.

If the output does not display the intended configuration, repeat the configuration instructions in these examples to correct it. If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Tenant Systems and Login Configurations Using Primary Administrator

Purpose

Verify that the tenant systems exist and you can enter them from root as the primary administrator. Return from the tenant system to the root.

Action

From operational mode, use the following command to enter the tenant systems TSYS1:

Now you are entered to the tenant systems TSYS1. Use the following command to exit from tenant systems TSYS1 to the root:

Meaning

Tenant system exists and you can enter to the tenant system from the root as the primary administrator.

Verifying Tenant Systems and Login Configurations Using SSH

Purpose

Verify that the tenant systems you created exist, and that the administrator login IDs and passwords that you created are correct.

Action

Use SSH to log in to each user tenant system administrator.

  1. Run SSH specifying the IP address of your SRX Series Firewall.

  2. Enter the login ID and password for the tenant systems administrator that you created. After you log in, the prompt shows the tenant systems administrator name. Notice how this result differs from the result produced when you log in to the tenant system from the primary logical system at root. Repeat this procedure for all of your tenant systems.

Meaning

Tenant system administrator TSYS1admin1 exists and you can login as the tenant system administrator.

Verifying PC1 Connectivity to the Internet

Purpose

Verify end-to-end connectivity.

Action

Ping and run traceroute to the Internet from PC1. In our example the Internet is 192.168.10.254.

  1. Run ping from PC1.

  2. Run traceroute from PC1.

Meaning

PC1 is able to reach the Internet.

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
19.2R1
Starting in Junos OS Release 19.2R1, the virtual-router configured in a tenant system is passed as the default routing-instance to ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands.