Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

header-navigation

Solutions

Featured solutions AI Campus and branch Data center WAN Security Service provider Cloud operator Industries
Campus and Branch

Welcome to the NOW Way to Wi-Fi

Take your networking performance to new heights with a modern, cloud-native, AI-Native architecture. Only Juniper can help you unleash the full potential of Wi-Fi 7 with our AI-Native platform for innovation.
Prepare for liftoff
Business intelligence analyst dashboard on virtual screen. Big data Graphs Charts.

AI Data Center Networking

Juniper’s AI data center solution is a quick way to deploy high performing AI training and inference networks that are the most flexible to design and easiest to manage with limited IT resources.
Find out more
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Zero trust security

Ops4AI Lab

Visit our lab in Sunnyvale, CA and see our AI data center solution for yourself. You can try out your own model’s functionality and performance, too.
Visit the lab
Enterprise AI-Native Networking

Enterprise AI‑Native Routing

Juniper's Ai-Native routing solution delivers robust 400GbE and 800GbE capabilities for unmatched performance, reliability, and sustainability at scale.
Explore enterprise routing
Higher Education

Shaping Student Experiences: The NOW Way to Build Higher Education Networks

Join Juniper Networks CIO Sharon Mandell and a virtual summit of C-level IT leaders from prestigious institutions as they discuss ongoing efforts to support digital transformation.
Register to attend
Hand on tablet with healthcare overlay of graphics

Security in healthcare

In this IDC Spotlight report, discover how AI networking can automate and strengthen a healthcare ecosystem to defeat criminals and prevent loss. 
Gain insights into ecosystem security
Retail

The Future of In-Store Technologies

Join us for an enlightening webinar with Kevin McCartan, Senior IT Service Delivery Engineer at Musgrave; retail guru Jack Stratten of Insider Trends; and Christian Gilby, Director of Product Marketing at Juniper Networks, as they discuss the future of in-store technologies.
Reserve my spot

Products

Wireless access Wired access SD-WAN / SASE Routing and switching Security Mist AI™ Management software Network operating system Blueprint for AI-Native Acceleration Optics
  • Operations
ACX7020 router

Juniper ACX7020 Cloud Metro Access Router

Legacy networks simply cannot meet the demands of today’s rapidly evolving metro landscape. Unlock a new generation of highly scalable architectures and automated operations with the Juniper ACX7020. 
Learn more
EX4000 Ethernet Switch

Next-gen AI-Native EX4000 line of switches

Lack of AI innovation from your current networking vendor slowing you down? Embrace Juniper’s cloud-native, AI-Native access switches that support every level and layer, across nearly every deployment.
Discover how
The Q and AI text with an image of Bob Friday and Kedar Dhuru.

The Q&AI Podcast

Delivering practical solutions and enriching discussions, this podcast series is a vital resource for those seeking an in-depth exploration of AI's transformative potential.
Catch the latest episode

Services

Services
Services AI Care

Juniper AI Care Services Revolutionize Your Service Experience

Our industry-first AI-Native services couple AIOps with our deep expertise across the full network life cycle. You can move from reactive response to proactive insight and action.
Explore AI Care Services
Services AI Data Center

Juniper AI Data Center Deployment Services Optimize Your AI Model Runs

We use our expertise and validated designs to help design, deploy, validate and tune networks, including GPUs and storage, to get the most from your AI infrastructure operation.
Learn about AI Data Center Deployment Services

Partners

Partners

Support and Documentation

Support and Documentation

Learn

About Juniper Training Events The Feed Resources Technology learning topics Thought leadership and insights
Audience raising hands up while businessman is speaking in training at the office.

Juniper certification and training news

See the latest
Ringing of the bell

All global events

See the latest
AI-native-now

AI-Native NOW event series

Register now
Juniper's Christina Hendrix at the head of a conference table. With the text "The NOW Way to Network" overlayed, with "NOW" emphasizing the "O" in green color.

The NOW Way to Network

Watch the video series
AI Native Now

Executive insights

Dive deep with leading experts and thought leaders on all the topics that matter most to your business, from AI to network security to driving rapid, relevant transformation for your business.
Learn more
A keynote speaker giving a presentation at a conference. There are dozens of people sitting around them. The presentation is displayed via projector on all the walls in the room.

Leadership voices

Juniper Networks’ leaders operate on the front lines of creating the network of the future. Take a look around to see what’s on their minds.
Watch now
Bob Friday and Jessica Garrison speaking

Bob Friday Talks

Join Bob as he ventures into all the knowns -- and -- unknowns -- of AI.
Catch the latest episode
Documentation
Menu
License Guide
Quick Starts
Validated Designs
Explore Pathfinder Apps
CLI Explorer
Feature Explorer
Hardware Compatibility Tool
Port Checker
Browse All
Collapse

Pathfinder Apps

All

By Software

By Hardware

Learn More
Pathfinder HomeCLI ExplorerCompliance AdvisorFeature ExplorerHardware Compatibility ToolJunos XML API ExplorerJunos YANG Data Model ExplorerPort CheckerPower CalculatorSNMP MIB ExplorerSystem Log Explorer
CLI ExplorerFeature ExplorerJunos XML API ExplorerJunos YANG Data Model ExplorerSNMP MIB ExplorerSystem Log Explorer
Compliance AdvisorFeature ExplorerHardware Compatibility ToolPort CheckerPower Calculator
Home Documentation Junos OS Logical Systems and Tenant Systems User Guide for Security Devices Tenant Systems

Logical Systems and Tenant Systems User Guide for Security Devices

keyboard_arrow_up
close
keyboard_arrow_left
Logical Systems and Tenant Systems User Guide for Security Devices
Table of Contents Expand all
list Table of Contents
file_download PDF
{ "lLangCode": "en", "lName": "English", "lCountryCode": "us", "transcode": "en_US" }
English
ON THIS PAGE
keyboard_arrow_right

Tenant Systems Overview

date_range 30-May-24
arrow_backward
arrow_forward

A tenant system supports routing, services and security features.

Understanding Tenant Systems

A tenant system logically partitions the physical firewall into separate and isolated logical firewall. Although similar to logical systems, tenant systems have much higher scalability and fewer routing features. Each tenant system on a device allows you to control a discrete administrative domain for security services. By transforming your device into a multitenant system, you can provide various departments, organizations, customers, and partners—depending on your environment—private and logically separated use of system resources and tenant-specific views of security configuration and KPIs. A primary administrator creates and manages all the tenant systems. Figure 1 shows a single device with a primary logical system and discrete tenant systems.

Figure 1: Tenant SystemsTenant Systems

Differences Between Logical Systems and Tenant Systems

Table 1 describes the key differences between logical systems and tenant systems.

Table 1: Differences Between Logical Systems and Tenant Systems

Functionality

Logical Systems

Tenant Systems

Feature support

Supports all the routing features to provide optimal data routing paths.

Supports routing features and high-scale security virtualization to isolate customer environments.

Scalability

A maximum of 32 logical systems can be configured on a physical SRX Series Firewall.

A maximum of 500 tenant systems can be configured on a physical SRX Series Firewall to provide high scalability.

Routing protocol process

Every logical system needs an individual copy of the routing protocol process to logically separate the resources on a device.

The primary logical system has a single routing protocol process, which is shared by the tenant systems. Routing instances supported by this single routing protocol process achieve the security resource separation on the firewall.

Routing instance

A default routing instance is automatically created for every logical system.

Starting in Junos OS Release 19.2R1, the virtual-router configured in a tenant system is passed as the default routing-instance to ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands.

Logical interface configuration

The primary administrator assigns the logical interfaces and the logical system administrator can configure the interface attributes.

A tenant system administrator cannot configure the logical interfaces. The primary administrator assigns the logical interfaces to a tenant system.

Use Cases for Logical Systems and Tenant Systems

A logical system is used when more than one virtual router is required. For example, you have multiple connections to the external network and they cannot co-exist in the same virtual router. Tenant systems are used when you need to separate departments, organization, or customers and each of them can be limited to one virtual router. The main difference between a logical system and a tenant system is that a logical system supports advanced routing functionality using multiple routing instances. In comparison, a tenant system supports only one routing instance, but supports the deployment of significantly more tenants per system.

Deployment Scenarios for Multitenant Systems

You can deploy an SRX Series Firewall running a multitenant system in many environments such as a managed security service provider (MSSP), an enterprise network, or a branch office segment. Table 2 describes the various deployment scenarios and the roles played by the tenant systems in such scenarios.

Table 2: Deployment Scenarios with Respect to Tenant Systems

Deployment Scenarios

Roles of a Tenant System

Managed security service provider (MSSP)

  • In a managed security service provider (MSSP), each customer can be isolated from other customer to protect data privacy. Customers that require defined service level agreements (SLAs) can be be allocated memory and system resources to meet these SLAs.

  • The customer can configure distinct security policies for compliance and control per tenant system.

Enterprise network

  • A tenant system can be assigned to a workgroup, department, or other organizational construct within an enterprise.

  • A tenant system can define the distinct security policies for the enterprise workgroup, department, or other organizational construct of the enterprise.

Branch office segment

  • In a branch office, a tenant system can individually manage and segregate corporate and guest traffic.

  • Advanced security policies can be configured per tenant system; this approach allows granular control of the security policies.

  • A tenant system provides ease of management and troubleshooting.

Benefits of Tenant Systems

  • Curtail cost by reducing the number of physical devices required for your organization. You can consolidate services for various groups of users on a single device and reduce the hardware costs, power expenditure, and rack space.

  • Provide isolation and logical separation at the tenant system level. Provides the ability to separate tenant systems with administrative separation at large scale in which each tenant system can define its own security controls and restrictions without impacting other tenant systems.

Roles and Responsibilities of Primary Administrator and Tenant System Administrator

A primary administrator creates and manages all the tenant systems. A primary logical system is created at the root level and is allocated a single routing protocol process. Although this routing protocol process is shared, tenant systems enable logical resource separation on the firewall. By default, all system resources are assigned to the primary logical system, and the primary administrator allocates them to the tenant system administrators.

Note:

In Junos OS command-line reference, primary logical system is referred as root logical system.

A tenant system is created that is subtended by the primary logical system. Although all the tenants under the primary logical system share a single routing process, each tenant system has a single routing instance. Table 3 describes the roles and responsibilities of the primary administrator and tenant system administrator.

Table 3: Roles and Responsibilities With Respect to Tenant Systems

Roles

Definition

Responsibilities

Primary administrator

A user account with superuser configuration and verification privileges for all logical systems and tenant systems.

  • View and access all logical systems and tenant systems.

  • Create login accounts for all the tenant systems and assign the login accounts to the appropriate tenant system.

  • Create and allocate the resources to the tenant systems.

  • Create one custom routing instance under the tenant system which acts as the default routing instance for the tenant system.

  • Create a virtual router under the tenant system and assign it to the tenant system.

  • Create logical interfaces to assign to the tenant systems.

  • Manage the tenant systems in the primary logical system.

  • Ensure duplicate names for tenant system, logs, and trace file do not exist.

Tenant system administrator

A tenant system account with all configuration and verification privileges.

Note:

The configuration and verification privileges of a tenant system administrator depends on the permission assigned to them by the primary administrator while creating the tenant system administrator. Multiple tenant system administrators can be created for a tenant system with different permission levels based on your requirement.

  • Access and view the resources of the tenant system.

  • Configure the resources allocated and routing protocols.

  • Configure schedulers, security profiles, and security features.

The following privileges are not supported by the tenant system administrator:

  • Define access restrictions and the default routing instance for the tenant system.

  • Access and view the resources of other tenant systems.

  • Modify the number of allocated resources for a tenant system.

  • Create logical interfaces, virtual router, and policy options.

Tenant System Capacity

The maximum number of tenant systems that can be created on the device are listed in Table 4.

Table 4: Tenant Systems Capacity

Platform

Logical Systems Capacity

Tenant Systems Capacity for Junos OS Release 18.4R1

Tenant Systems Capacity starting in Junos OS Release 20.1R1

Tenant Systems Capacity starting in Junos OS Release 23.4R1

SRX1500

32

50

50

SRX1600

32

50

SRX2300

32

200

SRX4100 and SRX4200

32

200

200

SRX4600

32

300

300

SRX5400, SRX5600, and SRX5800 Series devices with SPC2 cards

32

100

100

SRX5400, SRX5600, and SRX5800 Series devices with SPC3 cards

32

500

500

SRX5400, SRX5600, and SRX5800 Series devices with SPC2 and SPC3 cards

32

100

100

vSRX

8

42

Note:

Starting in Junos OS Release 20.1R1, vSRX Virtual Firewall and vSRX3.0 instances with a memory capacity of 16GB or more and at least two CPUs in the Routing Engine support logical systems and tenant systems.

Starting in Junos OS Release 18.4R1, tenant systems can be supported on an SRX5000 line security services gateway equipped with a combination of third generation service processing cards (SRX5K-SPC3) and second generation service processing cards (SRX5K-SPC-4-15-320). Prior to Junos OS Release 18.4R1, tenant systems was supported on SPC2 only.

See Also

Tenant System Configuration Overview

The primary administrator creates a tenant system and assigns an administrator for managing the tenant system. A tenant system can have multiple administrators. The roles and responsibilities of a tenant system administrator are explained in Understanding Tenant Systems.

The primary administrator configures the logical interfaces and assigns those interfaces to the tenant system. Configure one routing instance and the routing protocols, and add options for the routing instance. See Configuring a Routing Instance for a Tenant System.

Tenant systems have their own configuration database. After successful configuration, the changes are merged to the primary database for each tenant systems. Multiple tenant systems can perform configuration changes at a time. You can commit the changes for only one tenant at a time. If the primary administrator and a tenant system administrator performs configuration changes simultaneously, the configuration changes performed by the primary administrator override the configuration changes performed by the tenant system administrator.

The following steps explain the tasks that the tenant system administrator performs to configure the security features in a tenant system:

  1. Use the SSH service to access the device, and then log in to the tenant system with the login ID and password provided by the primary administrator.
    content_copy zoom_out_map
    login: <tenant_name>
password: <password>

    After you are authenticated, the presence of the “>” prompt indicates that you accessed to the CLI operational mode. The prompt is preceded by a string that contains the username, the hostname of the device, and the name of the tenant system. When the CLI starts, you are at the top level in operational mode.

    content_copy zoom_out_map
    TSYS1_admin1@host:TSYS1>
  2. Access the configuration mode by entering the configure command.
    content_copy zoom_out_map
    TSYS1_admin1@host:TSYS1> configure
TSYS1_admin1@host:TSYS1#
  3. Enter the quit command to exit the configuration mode and return to the CLI operational mode.
    content_copy zoom_out_map
    TSYS1_admin1@host:TSYS1# quit
TSYS1_admin1@host:TSYS1>
  4. Configure the following security features in the tenant system as necessary:

Configuring a Routing Instance for a Tenant System

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. A set of interfaces that belong to the routing instance and the routing protocol parameters control the information in the routing instance. A tenant system can configure the assigned routing instance and the interfaces that belong to the routing instance within a tenant system.

Note:

Only one routing instance can be created for a tenant system.

The following procedure describes the steps to configure a routing instance and interfaces in a routing table for a tenant system:

  1. Create a tenant system named TSYS1.
    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1
  2. Create a routing instance r1 and assign the routing instance type for the tenant system.
    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 routing-instances r1 instance-type virtual-router
  3. Specify the interface name for the routing instance.
    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 routing-instances r1 interface lt-0/0/0.101
user@host# set tenants TSYS1 routing-instances r1 interface xe-0/0/0.0
user@host# set tenants TSYS1 routing-instances r1 interface xe-0/0/1.0
  4. Specify the routing option for the routing instance.
    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 routing-instances r1 routing-options router-id 1.1.1.101
  5. Commit the configuration.
    content_copy zoom_out_map
    [edit]
user@host# commit

To view the configuration for the tenant system TSYS1, run the show tenants TSYS1 command.

content_copy zoom_out_map
routing-instances {
    r1 {
        instance-type virtual-router;
        interface lt-0/0/0.101;
        interface xe-0/0/0.0;
        interface xe-0/0/1.0;
        routing-options {
            router-id 1.1.1.101;
        }
    }
}

The show tenants TSYS1 command displays all the routing instance parameters configured for the tenant system TSYS1.

Understanding Routing and Interfaces for Tenant Systems

A routing instance is a collection of routing tables, interfaces, and routing protocol parameters. The interfaces are used for forwarding data for the routing instance, and to learn the routing information from other peers (SRX Series Firewalls) using routing protocols.

A Logical interface (IFL) can be defined at either one of the following levels:

  • Global level (root logical system)

  • User logical system level

  • Tenant system level (Starting from Release Junos OS 18.4R1)

The IFL defined at the global level can be used either in root logical system or in one of the tenant systems. The IFL defined in a tenant system can be used in that tenant system only.

Default routing instance is not available for tenant systems. So, when a custom routing instance is created for a tenant system, all the interfaces defined in that tenant system should be added to that routing instance.

Overview: Configuring Routing and Interfaces for Tenant Systems

This overview shows how to configure interfaces and routing instances for a tenant system.

Requirements

Before you begin:

Overview

The following procedure describes the steps to configure a routing instance and interfaces in a routing table within a tenant system.

This topic configures the interfaces and routing instances described in Table 5.

Table 5: User Tenant System Interface and Routing Instance Configuration

Feature

Name

Configuration Parameters

Interface

ge-0/0/2.1

ge-0/0/2.2

ge-0/0/2.3

  • IP address 10.0.0.1/24

  • IP address 10.0.0.2/24

  • IP address 10.0.0.3/24

Routing instance

r1

r2

  • Instance type: virtual router

  • Includes interfaces ge-0/0/2.1, ge-0/0/2.3, and ge-0/0/2.2

Configuration

Procedure
CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.

content_copy zoom_out_map
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2.3 vlan-id 103
set interfaces ge-0/0/2.3 family inet address 10.0.0.3/24
set tenants TSYS1
set tenants TSYS1 interfaces ge-0/0/2.1 vlan-id 101
set tenants TSYS1 interfaces ge-0/0/2.1 family inet address 10.0.0.1/24
set tenants TSYS1 routing-instances r1 instance-type virtual-router
set tenants TSYS1 routing-instances r1 interface ge-0/0/2.1
set tenants TSYS1 routing-instances r1 interface ge-0/0/2.3
set tenants TSYS2
set tenants TSYS2 interfaces ge-0/0/2.2 vlan-id 102
set tenants TSYS2 interfaces ge-0/0/2.2 family inet address 10.0.0.2/24
set tenants TSYS2 routing-instances r2 instance-type virtual-router
set tenants TSYS2 routing-instances r2 interface ge-0/0/2.2
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the Junos OS CLI User Guide.

To configure an interface and a routing instance in a user logical system:

  1. Configure the interfaces to support VLAN tagging.

    content_copy zoom_out_map
    [edit]
user@host# set interfaces ge-0/0/2 vlan-tagging

  2. Configure the IFL at the root level.

    content_copy zoom_out_map
    [edit]
set interfaces ge-0/0/2.3 vlan-id 103
set interfaces ge-0/0/2.3 family inet address 10.0.0.3/24

  3. Create a tenant system named TSYS1.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1

  4. Define the Interface in the tenant system TSYS1.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 interfaces ge-0/0/2.1 vlan-id 101
user@host# set tenants TSYS1 interfaces ge-0/0/2.1 family inet address 10.0.0.1/24
user@host# set tenants TSYS1 routing-instances r1 interface ge-0/0/2.3

  5. Create a routing instance r1 and assign the routing instance type for the tenant system.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 routing-instances r1 instance-type virtual-router

  6. Specify the interface name for the routing instance.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS1 routing-instances r1 interface ge-0/0/2.1

  7. Create a tenant system named TSYS2.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS2

  8. Define the Interface in the tenant system TSYS2.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS2 interfaces ge-0/0/2.2 vlan-id 102
user@host# set tenants TSYS2 interfaces ge-0/0/2.2 family inet address 10.0.0.2/24

  9. Create a routing instance r2 and assign the routing instance type for the tenant system.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS2 routing-instances r2 instance-type virtual-router

  10. Specify the interface name for the routing instance.

    content_copy zoom_out_map
    [edit]
user@host# set tenants TSYS2 routing-instances r2 interface ge-0/0/2.2

  11. Commit the configuration.

    content_copy zoom_out_map
    [edit]
user@host# commit
Results

From configuration mode, confirm your configuration by entering the show interfaces and show tenants commands. If the output does not display the intended configuration, repeat the configuration instructions in this example to correct it.

content_copy zoom_out_map
[edit]
user@host# show interfaces
ge-0/0/2 {
    vlan-tagging;
    unit 3 {
        vlan-id 103;
        family inet {
            address 10.0.0.3/24;
        }
    }
}
content_copy zoom_out_map
[edit]
user@host# show tenants
TSYS1 {
    interfaces {
        ge-0/0/2 {
            unit 1 {
                vlan-id 101;
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
    }
    routing-instances {
        r1 {
            instance-type virtual-router;
            interface ge-0/0/2.1;
            interface ge-0/0/2.3;
        }
    }
}
TSYS2 {
    interfaces {
        ge-0/0/2 {
            unit 2 {
                vlan-id 102;
                family inet {
                    address 10.0.0.2/24;
                }
            }
        }
    }
    routing-instances {
        r2 {
            instance-type virtual-router;
            interface ge-0/0/2.2;
        }
    }
}

The show tenants command displays all the interfaces that are defined in the tenant systems TSYS1 and TSYS2, and the routing instance parameters configured for both the tenant systems.

content_copy zoom_out_map
user@host> show interfaces ge-0/0/2.1 detail
  Logical interface ge-0/0/2.1 (Index 89) (SNMP ifIndex 548) (Generation 161)
    Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.101 ]  Encapsulation: ENET2
    Tenant Name: TSYS1
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: Null
    Flow Statistics :
..............................
content_copy zoom_out_map
user@host> show interfaces ge-0/0/2.2 detail
  Logical interface ge-0/0/2.2 (Index 90) (SNMP ifIndex 549) (Generation 162)
    Flags: Up SNMP-Traps 0x4000 VLAN-Tag [ 0x8100.102 ]  Encapsulation: ENET2
    Tenant Name: TSYS2
    Traffic statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Local statistics:
     Input  bytes  :                    0
     Output bytes  :                   46
     Input  packets:                    0
     Output packets:                    1
    Transit statistics:
     Input  bytes  :                    0                    0 bps
     Output bytes  :                    0                    0 bps
     Input  packets:                    0                    0 pps
     Output packets:                    0                    0 pps
    Security: Zone: Null
    Flow Statistics :
    Flow Input statistics :
      Self packets :                     0
      ICMP packets :                     0
      VPN packets :              ..............................

See Also

Understanding Tenant System Security Profiles (Primary Administrators Only)

Tenant systems allow you to virtually divide a supported SRX Series Firewall into multiple devices, securing them from intrusion and attacks, and protecting them from faulty conditions outside their own contexts. To protect tenant systems, security resources are configured in a manner similar to how they are configured for a discrete device. However, the primary administrator assigns resources to the tenant systems.

An SRX Series Firewall running tenant systems can be partitioned into tenant systems, an interconnected tenant system, if necessary, and the default primary logical system. When the system is initialized, the primary logical system is created at the root. All system resources are assigned to it, effectively creating a default primary logical system security profile. To distribute security resources across the tenant systems, the primary administrator creates security profiles that specify the resources to be allocated to a tenant system. Only the primary administrator can configure security profiles and bind them to the tenant systems. The tenant system administrator uses these resources for the respective tenant system.

The tenant systems are defined by the resources allocated to them, including security components, interfaces, routing instance, static routes, and dynamic routing protocols. The primary administrator configures the security profiles and assigns them to the tenant systems. You cannot commit a tenant system configuration without a security profile assigned to it.

This topic includes the following sections:

Tenant Systems Security Profiles

The primary administrator can configure and assign a security profile to a specific tenant system or multiple tenant systems. The maximum number of security profiles that can be configured depends on the capacity of an SRX Series Firewall. When the maximum number of security profiles have been created, you need to delete a security profile and commit the configuration change before you can create and commit another security profile. In many cases, fewer security profiles are needed because you can bind a single security profile to more than one tenant system.

Security profiles allow you to:

  • Share the device’s resources, including policies, zones, addresses and address books, flow sessions, and various forms of NAT, among all tenant systems appropriately. You can assign various amounts of a resource to the tenant systems and allow the tenant systems to utilize the resources effectively.

    Security profiles protect against one tenant system exhausting a resource that is required at the same time by other tenant systems. Security profiles protect critical system resources and maintain a better performance among tenant systems when the device is experiencing a heavy traffic flow. Security profiles defend against one tenant system dominating the use of resources and allow the other tenant systems to use the resources effectively.

  • Configure the device in a scalable way to allow for creation of additional tenant systems.

You need to delete the security profile of a tenant system before you can delete the tenant system.

Understanding How the System Assesses Resources Assignment and Use Across the Tenant Systems

To provision a tenant system with security features, the primary administrator configures a security profile that specifies the resource for each security feature:

  • A reserved quota that guarantees that the specified resource amount is always available to the tenant system.

  • A maximum allowed quota. If a tenant system requires additional resources that exceed the reserved quota, then it can utilize the resources configured for the global maximum amount if the global resources are not allocated to the other tenant systems. The maximum allowed quota does not guarantee that the amount specified for the resource in the security profile is available. The tenant systems need to utilize the global resources effectively based on the available resources.

If a reserved quota is not configured for a resource, the default value is 0. If a maximum allowed quota is not configured for a resource, the default value is the global system quota for the resource (global system quotas are platform-dependent). The primary administrator must configure the appropriate maximum allowed quota values in the security profiles so that the maximum resource usage of a specific tenant system does not negatively impact other tenant systems configured on the device.

The system maintains a count of all allocated resources that are reserved, used, and made available again when a tenant system is deleted. This count determines whether resources are available to use for tenant systems or to increase the amount of the resources allocated to existing tenant systems through their security profiles.

Resources configured in security profiles are characterized as static modular resources or dynamic resources. For static resources, we recommend setting a maximum quota for a resource equal or close to the amount specified as its reserved quota, to allow for scalable configuration of tenant systems. A maximum quota for a resource gives a tenant system greater flexibility through access to a larger amount of that resource, but it constrains the amount of resources available to allocate to other tenant systems.

The following security features resources can be specified in a security profile:

  • Security zones

  • Addresses and address books for security policies

  • Application firewall rule sets

  • Application firewall rules

  • Firewall authentication

  • Flow sessions and gates

  • NAT, including:

    • Cone NAT bindings

    • NAT destination rule

    • NAT destination pool

    • NAT IP address in source pool without Port Address Translation (PAT)

      Note:

      IPv6 addresses in IPv6 source pools without PAT are not included in security profiles.

    • NAT IP address in source pool with PAT

    • NAT port overloading

    • NAT source pool

    • NAT source rule

    • NAT static rule

Note:

All resources except flow sessions are static.

You can modify a tenant system security profile dynamically while the security profile is assigned to other tenant systems. However, to ensure that the system resource quota is not exceeded, the system takes the following actions:

  • If a static quota is changed, the system process that maintains the tenant system counts for resources specified in security profiles subsequently reevaluates the security profiles assigned to the profile associated with the static quota. This check identifies the number of resources assigned across all tenant systems to determine whether the allocated resources, including their increased amounts are available.

    These quota checks are the same quota checks that the system performs when you add a tenant system and bind a security profile to it. They are also performed when you bind a different security profile from the security profile that is currently assigned to it to an existing tenant system (or the primary logical system).

  • If a dynamic quota is revised, no check is performed, but the revised quota is imposed on future resource usage.

Cases: Assessments of Reserved Resources Assigned Through Security Profiles

To understand how the system assesses allocation of reserved resources through security profiles, consider the following three cases explained in Table 7 and that address allocation of the resources and zones. To keep the example simple, 10 zones are allocated in security-profile-1: 4 reserved zones and 6 maximum zones. This example assumes that the maximum amount specified—six zones—is available for the tenant systems. The system maximum number of zones is 10.

The three cases address the configuration across the tenant systems. The three cases verify whether a configuration succeeds or fails when it is committed based on the allocation of zones.

Table 6 shows the security profiles and their zone allocations.

Table 6: Security Profiles Used for Reserved Resource Assessments

Two Security Profiles Used in the Configuration Cases

security-profile-1

  • zones reserved quota = 4

  • zones maximum quota = 6

Note:

The primary administrator dynamically increases the reserved zone count specified in this profile later.

primary-logical-system-profile

  • zones maximum quota = 10

  • no reserved quota

Table 7 shows three cases that illustrate how the system assesses reserved resources for zones across the tenant systems based on the security profile configurations.

  • The configuration for the first case succeeds because the cumulative reserved resource quota for zones configured in the security profiles bound to all tenant systems is 8, which is less than the system maximum resource quota.

  • The configuration for the second case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all logical systems is 12, which is greater than the system maximum resource quota.

  • The configuration for the third case fails because the cumulative reserved resource quota for zones configured in the security profiles bound to all tenant systems is 12, which is greater than the system maximum resource quota.

Table 7: Reserved Resource Allocation Assessment Across Tenant Systems

Reserved Resource Quota Checks Across Tenant Systems

Example 1: Succeeds

This configuration is within bounds: 4+4+0=8, maximum capacity =10.

Security Profiles Used

  • The security profile security-profile-1 is bound to two tenant systems: tenant-system-1 and tenant-system-2.

  • The primary-logical-system-profile profile is used exclusively for the primary logical system.

  • tenant-system-1 = 4 reserved zones.

  • tenant-system-2 = 4 reserved zones.

  • primary-logical-system = 0 reserved zones.

Example 2: Fails

This configuration is out of bounds: 4+4+4=12, maximum capacity =10.

  • tenant-system-1 = 4 reserved zones.

  • tenant-system-2 = 4 reserved zones.

  • primary-logical-system = 0 reserved zones.

  • new-tenant-system = 4 reserved zones.

Security Profiles

  • The security profile security-profile-1 is bound to two tenant systems: tenant-system-1 and tenant-system-2.

  • The primary-logical-system-profile is bound to the primary logical system and used exclusively for it.

  • The primary administrator configures a new tenant system called new-tenant-system and binds security-profile-1 to it.

Example 3: Fails

This configuration is out of bounds: 6+6=12, maximum capacity =10.

The primary administrator modifies the reserved zones quota in security-profile-1, increasing the count to 6.

  • tenant-system-1 = 6 reserved zones.

  • tenant-system-2 = 6 reserved zones.

  • primary-logical-system = 0 reserved zones.

Example: Creating Tenant Systems, Tenant System Administrators, and an Interconnect VPLS Switch

This example shows how to create tenant systems, tenant system administrators, and an interconnect VPLS switch. Only the primary administrator can create user login accounts for tenant system administrators and interconnect VPLS switch.

Requirements

This example uses the following hardware and software components:

  • Before you begin creating the tenant systems, tenant system administrators, and an interconnect VPLS switch, read Tenant Systems Overview to understand how this task fits into the overall configuration process.

Overview

This example shows how to create the tenant systems TSYS1, TSYS2, and TSYS3, and the tenant system administrators for them. You can create multiple tenant system administrators for a tenant system with different permission levels based on your requirements.

This topic also covers the interconnect virtual private LAN service (VPLS) switch connecting one tenant system to another on the same device. The VPLS switch enables both transit traffic and traffic terminated at a tenant system to pass between tenant systems. To allow traffic to pass between tenant systems, logical tunnel (lt-0/0/0) interfaces should be configured in the same subnet.

Topology

The Figure 2 shows an SRX Series Firewall deployed and configured for tenant systems. The configuration example uses static routing to allow the PCs to reach the Internet.

Figure 2: Creating Tenant Systems and Interconnect VPLS SwitchCreating Tenant Systems and Interconnect VPLS Switch

Full SRX Quick Configuration

Configuring Logical and Tenant Systems, and Interconnect VPLS Switch

CLI Quick Configuration

To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, and change any details necessary to match your network configuration to include interfaces and user passwords. Then copy and paste the commands into the CLI at the [edit] hierarchy level, and enter commit from configuration mode.

content_copy zoom_out_map
set system login class TSYS1admin1 tenant TSYS1
set system login class TSYS1admin1 permissions all
set system login class TSYS2admin1 tenant TSYS2
set system login class TSYS2admin1 permissions all
set system login class TSYS3admin1 tenant TSYS3
set system login class TSYS3admin1 permissions all
set system login user TSYS1admin1 uid 2001
set system login user TSYS1admin1 class TSYS1admin1
set system login user TSYS1admin1 authentication encrypted-password "$ABC123"
set system login user TSYS2admin1 uid 2003
set system login user TSYS2admin1 class TSYS2admin1
set system login user TSYS2admin1 authentication encrypted-password "$ABC123"
set system login user TSYS3admin1 uid 2005
set system login user TSYS3admin1 class TSYS3admin1
set system login user TSYS3admin1 authentication encrypted-password "$ABC123"
set system security-profile SP0 logical-system root-ls
set system security-profile SP1 tenant TSYS1
set system security-profile SP2 tenant TSYS2
set system security-profile SP3 tenant TSYS3
set logical-systems root-ls interfaces ge-0/0/0 unit 0 family inet address 192.168.10.1/24
set logical-systems root-ls interfaces lt-0/0/0 unit 0 encapsulation ethernet
set logical-systems root-ls interfaces lt-0/0/0 unit 0 peer-unit 100
set logical-systems root-ls interfaces lt-0/0/0 unit 0 family inet address 10.0.1.10/24
set logical-systems root-ls routing-options static route 192.168.1.0/24 next-hop 10.0.1.1
set logical-systems root-ls routing-options static route 192.168.2.0/24 next-hop 10.0.1.2
set logical-systems root-ls routing-options static route 192.168.3.0/24 next-hop 10.0.1.3
set logical-systems root-ls security address-book global address TSYS1 192.168.1.0/24
set logical-systems root-ls security address-book global address TSYS2 192.168.2.0/24
set logical-systems root-ls security address-book global address TSYS3 192.168.3.0/24
set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match source-address TSYS1
set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match source-address TSYS2
set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match source-address TSYS3
set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match destination-address any
set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match application any
set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out then permit
set logical-systems root-ls security zones security-zone trust host-inbound-traffic system-services ping
set logical-systems root-ls security zones security-zone trust interfaces lt-0/0/0.0
set logical-systems root-ls security zones security-zone untrust host-inbound-traffic system-services ping
set logical-systems root-ls security zones security-zone untrust interfaces ge-0/0/0.0
set interfaces lt-0/0/0 unit 1 encapsulation ethernet
set interfaces lt-0/0/0 unit 1 peer-unit 101
set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24
set interfaces lt-0/0/0 unit 2 encapsulation ethernet
set interfaces lt-0/0/0 unit 2 peer-unit 102
set interfaces lt-0/0/0 unit 2 family inet address 10.0.1.2/24
set interfaces lt-0/0/0 unit 3 encapsulation ethernet
set interfaces lt-0/0/0 unit 3 peer-unit 103
set interfaces lt-0/0/0 unit 3 family inet address 10.0.1.3/24
set interfaces lt-0/0/0 unit 100 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 100 peer-unit 0
set interfaces lt-0/0/0 unit 101 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 101 peer-unit 1
set interfaces lt-0/0/0 unit 102 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 102 peer-unit 2
set interfaces lt-0/0/0 unit 103 encapsulation ethernet-vpls
set interfaces lt-0/0/0 unit 103 peer-unit 3
set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.254/24
set interfaces ge-0/0/2 unit 0 family inet address 192.168.2.254/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.3.254/24
set routing-instances VPLS instance-type vpls
set routing-instances VPLS interface lt-0/0/0.100
set routing-instances VPLS interface lt-0/0/0.101
set routing-instances VPLS interface lt-0/0/0.102
set routing-instances VPLS interface lt-0/0/0.103
set tenants TSYS1 routing-instances vr1 instance-type virtual-router
set tenants TSYS1 routing-instances vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.1.10
set tenants TSYS1 routing-instances vr1 interface lt-0/0/0.1
set tenants TSYS1 routing-instances vr1 interface ge-0/0/1.0
set tenants TSYS1 security address-book global address PC1 192.168.1.0/24
set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out match source-address PC1
set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out match destination-address any
set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out match application any
set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out then permit
set tenants TSYS1 security zones security-zone PC1 host-inbound-traffic system-services ping
set tenants TSYS1 security zones security-zone PC1 interfaces ge-0/0/1.0
set tenants TSYS1 security zones security-zone VPLS host-inbound-traffic system-services ping
set tenants TSYS1 security zones security-zone VPLS interfaces lt-0/0/0.1
set tenants TSYS2 routing-instances vr2 instance-type virtual-router
set tenants TSYS2 routing-instances vr2 routing-options static route 0.0.0.0/0 next-hop 10.0.1.10
set tenants TSYS2 routing-instances vr2 interface lt-0/0/0.2
set tenants TSYS2 routing-instances vr2 interface ge-0/0/2.0
set tenants TSYS2 security address-book global address PC2 192.168.2.0/24
set tenants TSYS2 security policies from-zone PC2 to-zone VPLS policy allow-out match source-address PC2
set tenants TSYS2 security policies from-zone PC2 to-zone VPLS policy allow-out match destination-address any
set tenants TSYS2 security policies from-zone PC2 to-zone VPLS policy allow-out match application any
set tenants TSYS2 security policies from-zone PC2 to-zone VPLS policy allow-out then permit
set tenants TSYS2 security zones security-zone PC2 host-inbound-traffic system-services ping
set tenants TSYS2 security zones security-zone PC2 interfaces ge-0/0/2.0
set tenants TSYS2 security zones security-zone VPLS host-inbound-traffic system-services ping
set tenants TSYS2 security zones security-zone VPLS interfaces lt-0/0/0.2
set tenants TSYS3 routing-instances vr3 instance-type virtual-router
set tenants TSYS3 routing-instances vr3 routing-options static route 0.0.0.0/0 next-hop 10.0.1.10
set tenants TSYS3 routing-instances vr3 interface lt-0/0/0.3
set tenants TSYS3 routing-instances vr3 interface ge-0/0/3.0
set tenants TSYS3 security address-book global address PC3 192.168.3.0/24
set tenants TSYS3 security policies from-zone PC3 to-zone VPLS policy allow-out match source-address PC3
set tenants TSYS3 security policies from-zone PC3 to-zone VPLS policy allow-out match destination-address any
set tenants TSYS3 security policies from-zone PC3 to-zone VPLS policy allow-out match application any
set tenants TSYS3 security policies from-zone PC3 to-zone VPLS policy allow-out then permit
set tenants TSYS3 security zones security-zone PC3 host-inbound-traffic system-services ping
set tenants TSYS3 security zones security-zone PC3 interfaces ge-0/0/3.0
set tenants TSYS3 security zones security-zone VPLS host-inbound-traffic system-services ping
set tenants TSYS3 security zones security-zone VPLS interfaces lt-0/0/0.3
Step-by-Step Procedure

The following example requires you to navigate various levels in the configuration hierarchy. For instructions on how to do that, see Using the CLI Editor in Configuration Mode in the CLI User Guide. We will only be covering the configuration of one tenant for the step-by-step procedure.

  1. Create the login user accounts for each tenant. We will only show the steps for creating the tenant TSYS1 user account.

    1. Create the user login class and assign it to the tenant system.

      content_copy zoom_out_map
      [edit]
user@SRX# set system login class TSYS1admin1 tenant TSYS1

    2. Assign a permissions level to the login class, for this example we will use the level all which allows full access to the tenant system administrator.

      content_copy zoom_out_map
      [edit]
user@SRX# set system login class TSYS1admin1 permissions all

    3. Create a user account and assign it to the class from the previous steps. This will allow the user to login to the tenant system.

      content_copy zoom_out_map
      [edit]
user@SRX# set system login user TSYS1admin1 class TSYS1admin1

    4. Create a user login password for the user account.

      content_copy zoom_out_map
      [edit]
user@SRX# set system login user TSYS1admin1 authentication plain-text-password
New password: "$ABC123"
Retype new password: "$ABC123"

  2. Configure the VPLS switch. The VPLS switch enables both transit traffic and traffic terminated at a tenant system to pass between tenant systems with a single logical tunnel. Logical tunnel interfaces should be configured in the same subnet to allow traffic between tenant systems.

    1. Configure the logical tunnel interfaces.

      content_copy zoom_out_map
      [edit]
user@SRX# set interfaces lt-0/0/0 unit 100 encapsulation ethernet-vpls
user@SRX# set interfaces lt-0/0/0 unit 100 peer-unit 0
user@SRX# set interfaces lt-0/0/0 unit 101 encapsulation ethernet-vpls
user@SRX# set interfaces lt-0/0/0 unit 101 peer-unit 1
user@SRX# set interfaces lt-0/0/0 unit 102 encapsulation ethernet-vpls
user@SRX# set interfaces lt-0/0/0 unit 102 peer-unit 2
user@SRX# set interfaces lt-0/0/0 unit 103 encapsulation ethernet-vpls
user@SRX# set interfaces lt-0/0/0 unit 103 peer-unit 3

    2. Configure a routing instance for the VPLS switch and assign the logical tunnel interfaces.

      content_copy zoom_out_map
      [edit]
user@SRX# set routing-instances VPLS instance-type vpls
user@SRX# set routing-instances VPLS interface lt-0/0/0.100
user@SRX# set routing-instances VPLS interface lt-0/0/0.101
user@SRX# set routing-instances VPLS interface lt-0/0/0.102
user@SRX# set routing-instances VPLS interface lt-0/0/0.103

  3. Configure the tenant systems. We are only showing the configuration for one tenant.

    1. Configure the interfaces associated with the tenant.

      content_copy zoom_out_map
      [edit]
user@SRX# set interfaces lt-0/0/0 unit 1 encapsulation ethernet
user@SRX# set interfaces lt-0/0/0 unit 1 peer-unit 101
user@SRX# set interfaces lt-0/0/0 unit 1 family inet address 10.0.1.1/24
user@SRX# set interfaces ge-0/0/1 unit 0 family inet address 192.168.1.254/24

    2. Configure the tenant, routing instance, static routing and assign the interfaces.

      content_copy zoom_out_map
      [edit]
user@SRX# set tenants TSYS1 routing-instances vr1 instance-type virtual-router
user@SRX# set tenants TSYS1 routing-instances vr1 routing-options static route 0.0.0.0/0 next-hop 10.0.1.10
user@SRX# set tenants TSYS1 routing-instances vr1 interface lt-0/0/0.1
user@SRX# set tenants TSYS1 routing-instances vr1 interface ge-0/0/1.0

  4. Configure the security profiles. We are only showing the minimal configuration needed to configure logical and tenant systems for this example.

    content_copy zoom_out_map
    [edit]
user@SRX# set system security-profile SP0 logical-system root-ls
user@SRX# set system security-profile SP1 tenant TSYS1
user@SRX# set system security-profile SP2 tenant TSYS2
user@SRX# set system security-profile SP3 tenant TSYS3

  5. Configure the logical systems. This example using an interconnect VPLS switch requires a logical systems.

    1. Configure the interfaces.

      content_copy zoom_out_map
      [edit]
user@SRX# set logical-systems root-ls interfaces ge-0/0/0 unit 0 family inet address 192.168.10.1/24
user@SRX# set logical-systems root-ls interfaces lt-0/0/0 unit 0 encapsulation ethernet
user@SRX# set logical-systems root-ls interfaces lt-0/0/0 unit 0 peer-unit 100
user@SRX# set logical-systems root-ls interfaces lt-0/0/0 unit 0 family inet address 10.0.1.10/24

    2. Configure the static routes.

      content_copy zoom_out_map
      [edit]
user@SRX# set logical-systems root-ls routing-options static route 192.168.1.0/24 next-hop 10.0.1.1
user@SRX# set logical-systems root-ls routing-options static route 192.168.2.0/24 next-hop 10.0.1.2
user@SRX# set logical-systems root-ls routing-options static route 192.168.3.0/24 next-hop 10.0.1.3

  6. Configure security zones and policies in the logical systems to allow traffic flow from the tenants to the Internet. Additional security policies can be configured on both the logical and tenant systems to allow traffic between tenants.

    1. Configure security zones.

      content_copy zoom_out_map
      [edit]
user@SRX# set logical-systems root-ls security zones security-zone trust host-inbound-traffic system-services ping
user@SRX# set logical-systems root-ls security zones security-zone trust interfaces lt-0/0/0.0
user@SRX# set logical-systems root-ls security zones security-zone untrust host-inbound-traffic system-services ping
user@SRX# set logical-systems root-ls security zones security-zone untrust interfaces ge-0/0/0.0

    2. Configure security policies.

      content_copy zoom_out_map
      [edit]
user@SRX# set logical-systems root-ls security address-book global address TSYS1 192.168.1.0/24
user@SRX# set logical-systems root-ls security address-book global address TSYS2 192.168.2.0/24
user@SRX# set logical-systems root-ls security address-book global address TSYS3 192.168.3.0/24
user@SRX# set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match source-address TSYS1
user@SRX# set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match source-address TSYS2
user@SRX# set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match source-address TSYS3
user@SRX# set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match destination-address any
user@SRX# set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out match application any
user@SRX# set logical-systems root-ls security policies from-zone trust to-zone untrust policy allow-out then permit

  7. Configure security zones and policies in each tenant systems to allow traffic flow to the Internet.

    1. Configure security zones.

      content_copy zoom_out_map
      [edit]
user@SRX# set tenants TSYS1 security zones security-zone PC1 host-inbound-traffic system-services ping
user@SRX# set tenants TSYS1 security zones security-zone PC1 interfaces ge-0/0/1.0
user@SRX# set tenants TSYS1 security zones security-zone VPLS host-inbound-traffic system-services ping
user@SRX# set tenants TSYS1 security zones security-zone VPLS interfaces lt-0/0/0.1

    2. Configure security policies.

      content_copy zoom_out_map
      [edit]
user@SRX# set tenants TSYS1 security address-book global address PC1 192.168.1.0/24
user@SRX# set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out match source-address PC1
user@SRX# set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out match destination-address any
user@SRX# set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out match application any
user@SRX# set tenants TSYS1 security policies from-zone PC1 to-zone VPLS policy allow-out then permit
Results

From configuration mode, confirm your configuration by entering the show tenants TSYS1 command to verify that the tenant system is created. Enter the show system login class TSYS1admin1 command to view the permission level for each class that you defined. To ensure that the tenant system administrators are created, enter the show system login user TSYS1admin1 command. To ensure that the interfaces for interconnect VPLS switch are created, enter the show interfaces command. Enter show logical-systems to verify the root logical systems configuration.

content_copy zoom_out_map
user@SRX# show tenants TSYS1
routing-instances {
    vr1 {
        instance-type virtual-router;
        routing-options {
            static {
                route 0.0.0.0/0 next-hop 10.0.1.10;
            }
        }
        interface lt-0/0/0.1;
        interface ge-0/0/1.0;
    }
}
security {
    address-book {
        global {
            address PC1 192.168.1.0/24;
        }
    }
    policies {
        from-zone PC1 to-zone VPLS {
            policy allow-out {
                match {
                    source-address PC1;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone PC1 {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                ge-0/0/1.0;
            }
        }
        security-zone VPLS {
            host-inbound-traffic {
                system-services {
                    ping;
                }
            }
            interfaces {
                lt-0/0/0.1;
            }
        }
    }
}
content_copy zoom_out_map
user@SRX# show system login class TSYS1admin1
tenant TSYS1;
permissions all;
content_copy zoom_out_map
user@SRX# show system login user TSYS1admin1
uid 2001;
class TSYS1admin1;
authentication {
    encrypted-password "$ABC123";
}
content_copy zoom_out_map
user@SRX# show interfaces
lt-0/0/0 {
    unit 1 {
        encapsulation ethernet;
        peer-unit 101;
        family inet {
            address 10.0.1.1/24;
        }
    }
    unit 2 {
        encapsulation ethernet;
        peer-unit 102;
        family inet {
            address 10.0.1.2/24;
        }
    }
    unit 3 {
        encapsulation ethernet;
        peer-unit 103;
        family inet {
            address 10.0.1.3/24;
        }
    }
    unit 100 {
        encapsulation ethernet-vpls;
        peer-unit 0;
    }
    unit 101 {
        encapsulation ethernet-vpls;
        peer-unit 1;
    }
    unit 102 {
        encapsulation ethernet-vpls;
        peer-unit 2;
    }
    unit 103 {
        encapsulation ethernet-vpls;
        peer-unit 3;
    }
}
ge-0/0/1 {
    unit 0 {
        family inet {
            address 192.168.1.254/24;
        }
    }
}
ge-0/0/2 {
    unit 0 {
        family inet {
            address 192.168.2.254/24;
        }
    }
}
ge-0/0/3 {
    unit 0 {
        family inet {
            address 192.168.3.254/24;
        }
    }
}
content_copy zoom_out_map
user@SRX# show logical-systems
root-ls {
    interfaces {
        ge-0/0/0 {
            unit 0 {
                family inet {
                    address 192.168.10.1/24;
                }
            }
        }
        lt-0/0/0 {
            unit 0 {
                encapsulation ethernet;
                peer-unit 100;
                family inet {
                    address 10.0.1.10/24;
                }
            }
        }
    }
    routing-options {
        static {
            route 192.168.1.0/24 next-hop 10.0.1.1;
            route 192.168.2.0/24 next-hop 10.0.1.2;
            route 192.168.3.0/24 next-hop 10.0.1.3;
        }
    }
    security {
        address-book {
            global {
                address TSYS1 192.168.1.0/24;
                address TSYS2 192.168.2.0/24;
                address TSYS3 192.168.3.0/24;
            }
        }
        policies {
            from-zone trust to-zone untrust {
                policy allow-out {
                    match {
                        source-address [ TSYS1 TSYS2 TSYS3 ];
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    lt-0/0/0.0;
                }
            }
            security-zone untrust {
                host-inbound-traffic {
                    system-services {
                        ping;
                    }
                }
                interfaces {
                    ge-0/0/0.0;
                }
            }
        }
    }
}

If the output does not display the intended configuration, repeat the configuration instructions in these examples to correct it. If you are done configuring the device, enter commit from configuration mode.

Verification

Confirm that the configuration is working properly.

Verifying Tenant Systems and Login Configurations Using Primary Administrator

Purpose

Verify that the tenant systems exist and you can enter them from root as the primary administrator. Return from the tenant system to the root.

Action

From operational mode, use the following command to enter the tenant systems TSYS1:

content_copy zoom_out_map
user@SRX> set cli tenant TSYS1
Tenant: TSYS1
user@SRX:TSYS1>

Now you are entered to the tenant systems TSYS1. Use the following command to exit from tenant systems TSYS1 to the root:

content_copy zoom_out_map
user@SRX:TSYS1> clear cli tenant
Cleared default tenants
user@SRX>
Meaning

Tenant system exists and you can enter to the tenant system from the root as the primary administrator.

Verifying Tenant Systems and Login Configurations Using SSH

Purpose

Verify that the tenant systems you created exist, and that the administrator login IDs and passwords that you created are correct.

Action

Use SSH to log in to each user tenant system administrator.

  1. Run SSH specifying the IP address of your SRX Series Firewall.

  2. Enter the login ID and password for the tenant systems administrator that you created. After you log in, the prompt shows the tenant systems administrator name. Notice how this result differs from the result produced when you log in to the tenant system from the primary logical system at root. Repeat this procedure for all of your tenant systems.

    content_copy zoom_out_map
    login: TSYS1admin1
Password: "$ABC123"

TSYS1admin1@SRX: TSYS1>
Meaning

Tenant system administrator TSYS1admin1 exists and you can login as the tenant system administrator.

Verifying PC1 Connectivity to the Internet

Purpose

Verify end-to-end connectivity.

Action

Ping and run traceroute to the Internet from PC1. In our example the Internet is 192.168.10.254.

  1. Run ping from PC1.

    content_copy zoom_out_map
    user@PC1> ping 192.168.10.254 count 2
PING 192.168.10.254 (192.168.10.254): 56 data bytes
64 bytes from 192.168.10.254: icmp_seq=0 ttl=62 time=3.178 ms
64 bytes from 192.168.10.254: icmp_seq=1 ttl=62 time=3.082 ms

--- 192.168.10.254 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 3.082/3.130/3.178/0.048 ms

  2. Run traceroute from PC1.

    content_copy zoom_out_map
    user@PC1> traceroute 192.168.10.254
traceroute to 192.168.10.254 (192.168.10.254), 30 hops max, 52 byte packets
 1  192.168.1.254 (192.168.1.254)  2.188 ms  1.779 ms  1.896 ms
 2  10.0.1.10 (10.0.1.10)  1.888 ms  1.535 ms  1.661 ms
 3  192.168.10.254 (192.168.10.254)  3.243 ms  15.077 ms  3.499 ms
Meaning

PC1 is able to reach the Internet.

See Also

Related Documentation

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
19.2R1
Starting in Junos OS Release 19.2R1, the virtual-router configured in a tenant system is passed as the default routing-instance to ping, telnet, ssh, traceroute, show arp, clear arp, show ipv6 neighbors, and clear ipv6 neighbors commands.
arrow_backward PREVIOUS Troubleshooting Logical Systems
NEXT arrow_forward Security Zones for Tenant Systems
footer-navigation

© 1999 - 2025 Juniper Networks, Inc. All rights reserved.

Scroll to top