Partition a Juniper router into logical systems

My last post explained that my CCIE is on short hold thanks to me not currently holding my passport. And so instead of just wasting time I’ve decided to learn a bit more about my Juniper devices.

A while back I showed how you can load JUNOS onto some old Nokia devices. This post and this post shows how.

One of the problems in the second post was that you could only install up to JUNOS 8.4 on these boxes. Anything more and you bork the box and need to start over.

So what if you need to run a bunch of Juniper routers and don’t have 10 sitting on your desk? Well the beauty of JUNOS is that you can partition a single router into multiple logical routers. This is not simply a separate VRF, it’s a whole logical router running it’s own processes and everything. In fact each logical system can even be running it’s own vrfs as well!

So I happen to have an old M10 router sitting in my lab. I actually have 2, but only 1 is currently working. To do any proper configuration you need more than a single box of course. This M10 is running a much newer release of JUNOS – 10.4 R1.9

So let’s get started. I’ve factory default the box by doing a load factory-default then commit

root> show version
Model: m10
JUNOS Base OS boot [10.4R1.9]
/removed/

This is my actual physical topology:

Juniper Physical Partition a Juniper router into logical systems
There is simply a physical Cat5 cable connecting port fe-0/0/0 to port fe-0/0/1

Below is the planned logical topology. 2 Juniper routers connected over 2 separate links.
Juniper Logical Partition a Juniper router into logical systems

First I’m going to set the interfaces to send tagged traffic so I can run multiple virtual links, each with a different vlan tag. Then I’ll set up the interfaces as above

set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 vlan-id 20
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 family inet address 10.2.2.1/24
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 vlan-id 10
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 family inet address 10.1.1.1/24
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 vlan-id 10
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 family inet address 10.1.1.2/24
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 vlan-id 20
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 family inet address 10.2.2.2/24

Here we have created 2 logical systems – JUNIPER1 and JUNIPER2. I’ve then assigned 2 subinterfaces to each router. Let’s have a look to see if this actually works. To log into a logical system we use the set cli logical-system [logical system name] command. Once in there we can check the interfaces and then ping across

root> set cli logical-system JUNIPER1
Logical system: JUNIPER1

root:JUNIPER1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0
fe-0/0/0.1              up    up   inet     10.2.2.1/24
fe-0/0/1
fe-0/0/1.1              up    up   inet     10.1.1.1/24

root:JUNIPER1> ping 10.2.2.2 rapid
PING 10.2.2.2 (10.2.2.2): 56 data bytes
!!!!!
--- 10.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.055/1.572/3.450/0.941 ms

No problems there at all. Note that once you are inside a logical system, you can configure it as though it’s a normal box. You don’t need to mention any logical system in the config. Let’s configure OSPF on these 2 interfaces:

root:JUNIPER1> configure
Entering configuration mode

[edit]
root:JUNIPER1# edit protocols ospf area 0.0.0.0

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/0.1

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/1.1

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# commit
commit complete

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# exit

[edit]
root:JUNIPER1# exit
Exiting configuration mode

So now how do we get out of this logical system back into the root? Use the clear cli logical-system command. Let’s get of of JUNIPER1 and go into JUNIPER2 and configure OSPF

root:JUNIPER1> clear cli logical-system
Cleared default logical system

root> set cli logical-system JUNIPER2
Logical system: JUNIPER2

root:JUNIPER2> configure
Entering configuration mode

[edit]
root:JUNIPER2# edit protocols ospf area 0.0.0.0

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/0.2

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/1.2

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# top

[edit]
root:JUNIPER2# commit
commit complete

[edit]
root:JUNIPER2# exit
Exiting configuration mode

So has it all worked?

root:JUNIPER2> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.1.1         fe-0/0/0.2             Full      10.1.1.1         128    36
10.2.2.1         fe-0/0/1.2             Full      10.1.1.1         128    37

Of course it has ;)

While this works, it’s a big hassle having to log into the root system and then logging into the logical system. It also defeats the purpose of a logical system a bit as it would be ideal to give different users access to different logical systems.

Let’s create 2 users. user1 will be responsible for JUNIPER1 and user2 will be responsible for JUNIPER2. You’ll need to get back into the root system to do this.

set system login class USER1 logical-system JUNIPER1
set system login class USER1 permissions all
set system login class USER2 logical-system JUNIPER2
set system login class USER2 permissions all
set system login user user1 class USER1
set system login user user1 authentication encrypted-password "$1$2.bgMkK/$ALFH1kC1Q2s.Rgm8Uvuuh/"
set system login user user2 class USER2
set system login user user2 authentication encrypted-password "$1$aOaM2CQa$OXMUk4burCY7vFlzmLZdR0"

Let’s give this a test by logging right out and then back in:

Amnesiac (ttyd0)

login: user1
Password:

--- JUNOS 10.4R1.9 built 2010-12-04 09:20:43 UTC
user1:JUNIPER1> 

Note that if you log in this way, you can’t clear out of the logical system. As far as you are concerned this is a separate router

user1:JUNIPER1> clear cli logical-system
error: You are not a allowed to execute this command

So there you have it. I now have 2 routers running inside a single physical box. Juniper says you can have up to 15 logical routers inside a box so that gives me a lot to play with. If I get the second M10 working that’ll be 30 Juniper routers at my disposal. More than enough for even the most complex topologies

5 thoughts on “Partition a Juniper router into logical systems”

  1. If you have a tunnel services, link services, or adaptive services PIC you can create a virtual connection between the two routers. It’ll save you all the cabling.

  2. Hi Paul.

    Indeed, I actually though it could be done without those PICs and it was going to be the basis of another blog post. However my M10 doesn’t have and even my currently deployed M7is do not have those PICs. The documentation doesn’t mention a link services PIC anywhere. All 3 PICs can be picked off ebay for various costs, so I might look into that. Do all 3 work on both the M10 and M7i chassis and is any one better than the others?

  3. Hi Darren,

    Maybe a dumb question, but how can I use a telnet client to login to the different logical-systems at the same time?

    Any help would be greatly appreciated.

  4. Hi Mohammad.

    No worries. This part of the config sorts that out:
    set system login class USER1 logical-system JUNIPER1
    set system login class USER1 permissions all

    If you login with username USER1, you go straight into logical system 1

    I have my tabbed ssh client automatically log into the same address with different usernames. That gives me a tabbed connection to each logical system and it works perfectly :)

Leave a Reply