My last post explained that my CCIE is on short hold thanks to me not currently holding my passport. And so instead of just wasting time I’ve decided to learn a bit more about my Juniper devices.
One of the problems in the second post was that you could only install up to JUNOS 8.4 on these boxes. Anything more and you bork the box and need to start over.
So what if you need to run a bunch of Juniper routers and don’t have 10 sitting on your desk? Well the beauty of JUNOS is that you can partition a single router into multiple logical routers. This is not simply a separate VRF, it’s a whole logical router running it’s own processes and everything. In fact each logical system can even be running it’s own vrfs as well!
So I happen to have an old M10 router sitting in my lab. I actually have 2, but only 1 is currently working. To do any proper configuration you need more than a single box of course. This M10 is running a much newer release of JUNOS – 10.4 R1.9
So let’s get started. I’ve factory default the box by doing a load factory-default then commit
root> show version Model: m10 JUNOS Base OS boot [10.4R1.9] /removed/
This is my actual physical topology:
First I’m going to set the interfaces to send tagged traffic so I can run multiple virtual links, each with a different vlan tag. Then I’ll set up the interfaces as above
set interfaces fe-0/0/0 vlan-tagging set interfaces fe-0/0/1 vlan-tagging set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 vlan-id 20 set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 family inet address 10.2.2.1/24 set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 vlan-id 10 set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 family inet address 10.1.1.1/24 set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 vlan-id 10 set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 family inet address 10.1.1.2/24 set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 vlan-id 20 set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 family inet address 10.2.2.2/24
Here we have created 2 logical systems – JUNIPER1 and JUNIPER2. I’ve then assigned 2 subinterfaces to each router. Let’s have a look to see if this actually works. To log into a logical system we use the set cli logical-system [logical system name] command. Once in there we can check the interfaces and then ping across
root> set cli logical-system JUNIPER1 Logical system: JUNIPER1 root:JUNIPER1> show interfaces terse Interface Admin Link Proto Local Remote fe-0/0/0 fe-0/0/0.1 up up inet 10.2.2.1/24 fe-0/0/1 fe-0/0/1.1 up up inet 10.1.1.1/24 root:JUNIPER1> ping 10.2.2.2 rapid PING 10.2.2.2 (10.2.2.2): 56 data bytes !!!!! --- 10.2.2.2 ping statistics --- 5 packets transmitted, 5 packets received, 0% packet loss round-trip min/avg/max/stddev = 1.055/1.572/3.450/0.941 ms
No problems there at all. Note that once you are inside a logical system, you can configure it as though it’s a normal box. You don’t need to mention any logical system in the config. Let’s configure OSPF on these 2 interfaces:
root:JUNIPER1> configure Entering configuration mode  root:JUNIPER1# edit protocols ospf area 0.0.0.0 [edit protocols ospf area 0.0.0.0] root:JUNIPER1# set interface fe-0/0/0.1 [edit protocols ospf area 0.0.0.0] root:JUNIPER1# set interface fe-0/0/1.1 [edit protocols ospf area 0.0.0.0] root:JUNIPER1# commit commit complete [edit protocols ospf area 0.0.0.0] root:JUNIPER1# exit  root:JUNIPER1# exit Exiting configuration mode
So now how do we get out of this logical system back into the root? Use the clear cli logical-system command. Let’s get of of JUNIPER1 and go into JUNIPER2 and configure OSPF
root:JUNIPER1> clear cli logical-system Cleared default logical system root> set cli logical-system JUNIPER2 Logical system: JUNIPER2 root:JUNIPER2> configure Entering configuration mode  root:JUNIPER2# edit protocols ospf area 0.0.0.0 [edit protocols ospf area 0.0.0.0] root:JUNIPER2# set interface fe-0/0/0.2 [edit protocols ospf area 0.0.0.0] root:JUNIPER2# set interface fe-0/0/1.2 [edit protocols ospf area 0.0.0.0] root:JUNIPER2# top  root:JUNIPER2# commit commit complete  root:JUNIPER2# exit Exiting configuration mode
So has it all worked?
root:JUNIPER2> show ospf neighbor Address Interface State ID Pri Dead 10.1.1.1 fe-0/0/0.2 Full 10.1.1.1 128 36 10.2.2.1 fe-0/0/1.2 Full 10.1.1.1 128 37
Of course it has ;)
While this works, it’s a big hassle having to log into the root system and then logging into the logical system. It also defeats the purpose of a logical system a bit as it would be ideal to give different users access to different logical systems.
Let’s create 2 users. user1 will be responsible for JUNIPER1 and user2 will be responsible for JUNIPER2. You’ll need to get back into the root system to do this.
set system login class USER1 logical-system JUNIPER1 set system login class USER1 permissions all set system login class USER2 logical-system JUNIPER2 set system login class USER2 permissions all set system login user user1 class USER1 set system login user user1 authentication encrypted-password "$1$2.bgMkK/$ALFH1kC1Q2s.Rgm8Uvuuh/" set system login user user2 class USER2 set system login user user2 authentication encrypted-password "$1$aOaM2CQa$OXMUk4burCY7vFlzmLZdR0"
Let’s give this a test by logging right out and then back in:
Amnesiac (ttyd0) login: user1 Password: --- JUNOS 10.4R1.9 built 2010-12-04 09:20:43 UTC user1:JUNIPER1>
Note that if you log in this way, you can’t clear out of the logical system. As far as you are concerned this is a separate router
user1:JUNIPER1> clear cli logical-system error: You are not a allowed to execute this command
So there you have it. I now have 2 routers running inside a single physical box. Juniper says you can have up to 15 logical routers inside a box so that gives me a lot to play with. If I get the second M10 working that’ll be 30 Juniper routers at my disposal. More than enough for even the most complex topologies