Partition a Juniper router into logical systems

My last post explained that my CCIE is on short hold thanks to me not currently holding my passport. And so instead of just wasting time I’ve decided to learn a bit more about my Juniper devices.

A while back I showed how you can load JUNOS onto some old Nokia devices. This post and this post shows how.

One of the problems in the second post was that you could only install up to JUNOS 8.4 on these boxes. Anything more and you bork the box and need to start over.

So what if you need to run a bunch of Juniper routers and don’t have 10 sitting on your desk? Well the beauty of JUNOS is that you can partition a single router into multiple logical routers. This is not simply a separate VRF, it’s a whole logical router running it’s own processes and everything. In fact each logical system can even be running it’s own vrfs as well!

So I happen to have an old M10 router sitting in my lab. I actually have 2, but only 1 is currently working. To do any proper configuration you need more than a single box of course. This M10 is running a much newer release of JUNOS – 10.4 R1.9

So let’s get started. I’ve factory default the box by doing a load factory-default then commit

root> show version
Model: m10
JUNOS Base OS boot [10.4R1.9]
/removed/

This is my actual physical topology:


There is simply a physical Cat5 cable connecting port fe-0/0/0 to port fe-0/0/1

Below is the planned logical topology. 2 Juniper routers connected over 2 separate links.

First I’m going to set the interfaces to send tagged traffic so I can run multiple virtual links, each with a different vlan tag. Then I’ll set up the interfaces as above

set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 vlan-id 20
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 family inet address 10.2.2.1/24
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 vlan-id 10
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 family inet address 10.1.1.1/24
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 vlan-id 10
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 family inet address 10.1.1.2/24
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 vlan-id 20
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 family inet address 10.2.2.2/24

Here we have created 2 logical systems – JUNIPER1 and JUNIPER2. I’ve then assigned 2 subinterfaces to each router. Let’s have a look to see if this actually works. To log into a logical system we use the set cli logical-system [logical system name] command. Once in there we can check the interfaces and then ping across

root> set cli logical-system JUNIPER1
Logical system: JUNIPER1

root:JUNIPER1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0
fe-0/0/0.1              up    up   inet     10.2.2.1/24
fe-0/0/1
fe-0/0/1.1              up    up   inet     10.1.1.1/24

root:JUNIPER1> ping 10.2.2.2 rapid
PING 10.2.2.2 (10.2.2.2): 56 data bytes
!!!!!
--- 10.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.055/1.572/3.450/0.941 ms

No problems there at all. Note that once you are inside a logical system, you can configure it as though it’s a normal box. You don’t need to mention any logical system in the config. Let’s configure OSPF on these 2 interfaces:

root:JUNIPER1> configure
Entering configuration mode

[edit]
root:JUNIPER1# edit protocols ospf area 0.0.0.0

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/0.1

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/1.1

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# commit
commit complete

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# exit

[edit]
root:JUNIPER1# exit
Exiting configuration mode

So now how do we get out of this logical system back into the root? Use the clear cli logical-system command. Let’s get of of JUNIPER1 and go into JUNIPER2 and configure OSPF

root:JUNIPER1> clear cli logical-system
Cleared default logical system

root> set cli logical-system JUNIPER2
Logical system: JUNIPER2

root:JUNIPER2> configure
Entering configuration mode

[edit]
root:JUNIPER2# edit protocols ospf area 0.0.0.0

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/0.2

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/1.2

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# top

[edit]
root:JUNIPER2# commit
commit complete

[edit]
root:JUNIPER2# exit
Exiting configuration mode

So has it all worked?

root:JUNIPER2> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.1.1         fe-0/0/0.2             Full      10.1.1.1         128    36
10.2.2.1         fe-0/0/1.2             Full      10.1.1.1         128    37

Of course it has ;)

While this works, it’s a big hassle having to log into the root system and then logging into the logical system. It also defeats the purpose of a logical system a bit as it would be ideal to give different users access to different logical systems.

Let’s create 2 users. user1 will be responsible for JUNIPER1 and user2 will be responsible for JUNIPER2. You’ll need to get back into the root system to do this.

set system login class USER1 logical-system JUNIPER1
set system login class USER1 permissions all
set system login class USER2 logical-system JUNIPER2
set system login class USER2 permissions all
set system login user user1 class USER1
set system login user user1 authentication encrypted-password "$1$2.bgMkK/$ALFH1kC1Q2s.Rgm8Uvuuh/"
set system login user user2 class USER2
set system login user user2 authentication encrypted-password "$1$aOaM2CQa$OXMUk4burCY7vFlzmLZdR0"

Let’s give this a test by logging right out and then back in:

Amnesiac (ttyd0)

login: user1
Password:

--- JUNOS 10.4R1.9 built 2010-12-04 09:20:43 UTC
user1:JUNIPER1> 

Note that if you log in this way, you can’t clear out of the logical system. As far as you are concerned this is a separate router

user1:JUNIPER1> clear cli logical-system
error: You are not a allowed to execute this command

So there you have it. I now have 2 routers running inside a single physical box. Juniper says you can have up to 15 logical routers inside a box so that gives me a lot to play with. If I get the second M10 working that’ll be 30 Juniper routers at my disposal. More than enough for even the most complex topologies

8 thoughts on “Partition a Juniper router into logical systems”

  1. If you have a tunnel services, link services, or adaptive services PIC you can create a virtual connection between the two routers. It’ll save you all the cabling.

  2. Hi Paul.

    Indeed, I actually though it could be done without those PICs and it was going to be the basis of another blog post. However my M10 doesn’t have and even my currently deployed M7is do not have those PICs. The documentation doesn’t mention a link services PIC anywhere. All 3 PICs can be picked off ebay for various costs, so I might look into that. Do all 3 work on both the M10 and M7i chassis and is any one better than the others?

  3. Hi Darren,

    Maybe a dumb question, but how can I use a telnet client to login to the different logical-systems at the same time?

    Any help would be greatly appreciated.

  4. Hi Mohammad.

    No worries. This part of the config sorts that out:
    set system login class USER1 logical-system JUNIPER1
    set system login class USER1 permissions all

    If you login with username USER1, you go straight into logical system 1

    I have my tabbed ssh client automatically log into the same address with different usernames. That gives me a tabbed connection to each logical system and it works perfectly :)

  5. Hello Darren,
    According my job I now have a task to build some kind on math model of several Logical systems inside one Juniper router. From this point I have a question – what are the restrictions of logical systems – from your point of view – if we compare with “separate” routers?

    - certainly, if the “main” router shuts down, all log systems will be switched down.
    (But can I shut down one of logical systems, and in the same time have other log. systems working?)
    - In your example, to make it possible to use one physical port by 2 log. systems you have to cretae 2 subinterfaces on this port?
    - are there some important features, which I am not able to manage for separate log systems, and I have to manage these features only for whole router?
    - could you write 1-2 other restrictions in this way, please?

    Thank you,
    Viacheslav

  6. So am I correct in my understanding that if I do not create a user on the logical system then there is no way to gain access to that logical router except from the main router? If so, that sounds like a great security enhancement for something that might be internet-facing. It looks like from my reading of the documentation that if I do not create a loopback interface on the logical system, that it will use the filter on the main system which is also good because it means that someone can not gain access to the logical system and change the control plane filter, that would have to be done from the main router.

    George

  7. Correct.

    If you don’t create a user attached to the logical-system, you can only log into the logical system via the main routing-instance.

    In regards to the loopback filter, as soon as you apply a filter to the logical systems loopback, it ‘takes over’. If there is no filter applied, then it will use the main routing-instance filter

Leave a Reply