Creating and connecting logical systems on the Juniper MX router

The old M10 I have in my lab cannot support the tunnel services PIC due to the ancient FEB it has. With the MX router and the correct line cards you can reserve some bandwidth to make a built-in tunnel PIC to use for things like GRE/Multicast/Logical-tunnels.

This is especially handy for when you have a single box and want to create a big topology with routers connected to each other. As a quick guide I’ll show an MX5 divided and connected into two logical-systems.

There are no physical interfaces plugged into anything. The box is simply on.

First we need to configure tunnel services:

darreno> show configuration chassis
fpc 1 {
    pic 0 {
        tunnel-services {
            bandwidth 1g;
        }
    }
}

This creates the lt interface in a specific place. Check this as you’ll need to know which numbers to refer to later:

darreno> show interfaces terse | match lt
lt-1/0/10               up    up

Let’s configure two systems. I’ll attach an lt interface to each, bind those two interfaces together and give each an IP address. I’ll also create a loopback interface in each and run OSPF:

darreno> show configuration logical-systems
J1 {
    interfaces {
        lt-1/0/10 {
            unit 0 {
                encapsulation ethernet;
                peer-unit 1;
                family inet {
                    address 10.0.0.1/24;
                }
            }
        }
        lo0 {
            unit 1 {
                family inet {
                    address 1.1.1.1/32;
                }
            }
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }
}
J2 {
    interfaces {
        lt-1/0/10 {
            unit 1 {
                encapsulation ethernet;
                peer-unit 0;
                family inet {
                    address 10.0.0.2/24;
                }
            }
        }
        lo0 {
            unit 2 {
                family inet {
                    address 2.2.2.2/32;
                }
            }
        }
    }
    protocols {
        ospf {
            area 0.0.0.0 {
                interface all;
            }
        }
    }
}

To confirm I can log into one of them and check connectivity:

darreno> set cli logical-system J1
Logical system: J1

darreno:J1> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.0.0.2         lt-1/0/10.0            Full      2.2.2.2          128    37

darreno:J1> ping 2.2.2.2 rapid
PING 2.2.2.2 (2.2.2.2): 56 data bytes
!!!!!
--- 2.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 0.432/0.492/0.675/0.092 ms

There are a few things to note. Logical tunnels are point to point. Even though the encapsulation is ethernet, you cannot connect more than 2 units to the same segment. You can also configure a unit on the main routing instance which can connect to a logical system. This is not only good for certification testing, but can open up all kinds of possibilities in a real-world design.

As long as you have a tunnel-services PIC on your M/T, or a Trio MPC/MIC on your MX router you are good to go with the above.

IPSec OSPFv3 authentication between Junos logical-systems

At first it may seem like you can’t do IPSec authentication between logical systems on Junos. Take the following config on an M router:

darreno> show configuration security
ipsec {
    security-association OSPFv3-AUTH {
        mode transport;
        manual {
            direction bidirectional {
                protocol esp;
                spi 256;
                authentication {
                    algorithm hmac-sha1-96;
                    key ascii-text blah blah blah
                }
            }
        }
    }
}

darreno> show configuration protocols ospf3
area 0.0.0.0 {
    interface fe-1/0/3.12 {
        ipsec-sa OSPFv3-AUTH;
    }
    interface fe-0/0/3.112 {
        ipsec-sa OSPFv3-AUTH;
    }
}

On a logical system I don’t have access to the security stanza:

USER2:R2# set security?
No valid completions
[edit]

Therefore I cannot make a security association to attach to my OSPFv3 interfaces. However you don’t need to. The logical systems can use the SA created in the root system. I have already created the SA in the root system above and I can apply it to my OSPFv3 interfaces in the logical system:

USER2:R2> show configuration protocols ospf3
area 0.0.0.0 {
    interface fe-0/0/3.12 {
        ipsec-sa OSPFv3-AUTH;
    }
    interface fe-1/0/3.112 {
        ipsec-sa OSPFv3-AUTH;
    }
}

This commits just fine. Let’s confirm:

darreno> show ospf3 neighbor
ID               Interface              State     Pri   Dead
2.2.2.2          fe-0/0/3.112           Full      128     37
  Neighbor-address fe80::290:6900:706c:2881
2.2.2.2          fe-1/0/3.12            Full      128     37
  Neighbor-address fe80::290:6900:c6c:2803

The adjacencies are up. We can check the SA status:

darreno> show ipsec security-associations
Security association: OSPFv3-AUTH
    Direction SPI         AUX-SPI     Mode       Type     Protocol
    inbound   256         0           transport  manual   ESP
    outbound  256         0           transport  manual   ESP

So it does work, but you can only verify from the root system. If I try and check the SA status from a logical system it doesn’t work:

USER2:R2> show ipsec
               ^
syntax error, expecting 
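
What the OSPFv3-AUTH SA does to each packet, as an added Python sketch that is not from the original post or from Junos: ESP with SPI 256 and an HMAC-SHA1 tag truncated to 96 bits. It assumes, because the SA shows only an authentication block, that the payload is carried unencrypted; the key, payload and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

SPI = 256                        # "spi 256" from the SA on the page
ICV_LEN = 12                     # hmac-sha1-96: HMAC-SHA1 truncated to 96 bits
OSPF_PROTO = 89                  # IP protocol number for OSPF (ESP Next Header)
KEY = b"constructed-key-0001"    # constructed 20-byte key, not the page's key


def esp_protect(seq, payload, key=KEY, spi=SPI):
    """Build an ESP packet with no encryption and an HMAC-SHA1-96 ICV."""
    # Pad so that payload + padding + pad-length + next-header is 4-byte aligned.
    pad_len = (-(len(payload) + 2)) % 4
    padding = bytes(range(1, pad_len + 1))
    body = (struct.pack("!II", spi, seq) + payload + padding
            + bytes([pad_len, OSPF_PROTO]))
    # The ICV covers everything from the SPI through the Next Header byte.
    icv = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    return body + icv


def esp_verify(packet, key=KEY, spi=SPI):
    """Return the payload if the SPI and ICV check out, otherwise None."""
    if len(packet) < 8 + 2 + ICV_LEN:
        return None
    body, icv = packet[:-ICV_LEN], packet[-ICV_LEN:]
    pkt_spi, _seq = struct.unpack("!II", body[:8])
    if pkt_spi != spi:
        return None
    expected = hmac.new(key, body, hashlib.sha1).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):   # constant-time comparison
        return None
    pad_len, next_header = body[-2], body[-1]
    if next_header != OSPF_PROTO or pad_len > len(body) - 10:
        return None
    return body[8:len(body) - 2 - pad_len]


if __name__ == "__main__":
    hello = b"constructed OSPFv3 hello"          # constructed payload
    pkt = esp_protect(1, hello)
    print("verified payload:", esp_verify(pkt))
    print("payload readable on the wire:", hello in pkt)
    print("wrong key accepted:", esp_verify(pkt, key=b"x" * 20) is not None)
```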

Second JUNOS topology – SP Network

I bashed this up together as I wanted a topology I could easily jump on and do things. This is all running on logical systems on a single M10.

This is the logical topology:


The actual physical topology is very simple:

The switch has been configured to run dot1q trunks to the M10 and I’ve created and allowed all needed vlan tags across.

I’ve used 2 different fastethernet PICs, but there is nothing stopping you from using just one. I’ve created a separate user account for each system so that I can log in with a user directly into each logical-system. Just adjust the config for your interfaces.

This is my actual configuration itself:

set system login class J1-superuser logical-system J1
set system login class J1-superuser permissions all
set system login class J10-superuser logical-system J10
set system login class J10-superuser permissions all
set system login class J11-superuser logical-system J11
set system login class J11-superuser permissions all
set system login class J12-superuser logical-system J12
set system login class J12-superuser permissions all
set system login class J13-superuser logical-system J13
set system login class J13-superuser permissions all
set system login class J2-superuser logical-system J2
set system login class J2-superuser permissions all
set system login class J3-superuser logical-system J3
set system login class J3-superuser permissions all
set system login class J4-superuser logical-system J4
set system login class J4-superuser permissions all
set system login class J5-superuser logical-system J5
set system login class J5-superuser permissions all
set system login class J6-superuser logical-system J6
set system login class J6-superuser permissions all
set system login class J7-superuser logical-system J7
set system login class J7-superuser permissions all
set system login class J8-superuser logical-system J8
set system login class J8-superuser permissions all
set system login class J9-superuser logical-system J9
set system login class J9-superuser permissions all
set system login user USER1 uid 2000
set system login user USER1 class J1-superuser
set system login user USER1 authentication encrypted-password "$1$fEMYRcpU$ckP4LFp/joAmkQ1sLnQ1a0"
set system login user USER10 uid 2012
set system login user USER10 class J10-superuser
set system login user USER10 authentication encrypted-password "$1$LDmrPRX.$Nkk0p1Ou8h.p2FGMYLlne1"
set system login user USER11 uid 2017
set system login user USER11 class J11-superuser
set system login user USER11 authentication encrypted-password "$1$1RNXWIVL$VRfTSmnGaJIkUfHf0exW1/"
set system login user USER12 uid 2018
set system login user USER12 class J12-superuser
set system login user USER12 authentication encrypted-password "$1$.Nd48UM0$RZS1F/5Rp3DrdgN2sEGsY0"
set system login user USER13 uid 2019
set system login user USER13 class J13-superuser
set system login user USER13 authentication encrypted-password "$1$EODMZXa4$z2qvVh/p57DtJPv0NFyzx1"
set system login user USER2 uid 2003
set system login user USER2 class J2-superuser
set system login user USER2 authentication encrypted-password "$1$U/jh6hA/$pmtdTtpVmjSCiQ4khqvNa1"
set system login user USER3 uid 2009
set system login user USER3 class J3-superuser
set system login user USER3 authentication encrypted-password "$1$/T3X1azh$lZYZHo4ZVSQUQkcZYbZyg0"
set system login user USER4 uid 2010
set system login user USER4 class J4-superuser
set system login user USER4 authentication encrypted-password "$1$Gnf/qqpk$ntwqdXpCIrqb2GBf.jlHu/"
set system login user USER5 uid 2011
set system login user USER5 class J5-superuser
set system login user USER5 authentication encrypted-password "$1$V5u2xmGv$wywji87Ny6BYK5mryKPnL0"
set system login user USER6 uid 2013
set system login user USER6 class J6-superuser
set system login user USER6 authentication encrypted-password "$1$D6.zttrE$wBubykb76IPG1Pf89OCkL1"
set system login user USER7 uid 2014
set system login user USER7 class J7-superuser
set system login user USER7 authentication encrypted-password "$1$23BG/cYA$VTtS3i6TK7m/9VjU.ENJE0"
set system login user USER8 uid 2015
set system login user USER8 class J8-superuser
set system login user USER8 authentication encrypted-password "$1$c5cJZahO$mqIttBhdQdnuK6pf7RQxk0"
set system login user USER9 uid 2016
set system login user USER9 class J9-superuser
set system login user USER9 authentication encrypted-password "$1$pNo90Key$.3KVzcsuBLu9TI1ke93rh0"
set system login user darreno full-name "Darren O'Connor"
set system login user darreno uid 2002
set system login user darreno class super-user
set system login user darreno authentication encrypted-password "$1$lWD7BqVU$/51zXBjngOU3B/qQLgeLW1"
set system services ssh
set system services telnet
set system syslog user * any emergency
set system syslog file messages any notice
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set logical-systems J1 interfaces fe-0/0/0 unit 13 vlan-id 13
set logical-systems J1 interfaces fe-0/0/0 unit 13 family inet address 10.1.3.1/24
set logical-systems J1 interfaces fe-0/0/0 unit 15 vlan-id 15
set logical-systems J1 interfaces fe-0/0/0 unit 15 family inet address 10.1.8.1/24
set logical-systems J1 interfaces lo0 unit 1 family inet address 1.1.1.1/32
set logical-systems J10 interfaces fe-0/0/1 unit 56 vlan-id 56
set logical-systems J10 interfaces fe-0/0/1 unit 56 family inet address 10.56.56.10/24
set logical-systems J10 interfaces fe-1/3/0 unit 79 vlan-id 79
set logical-systems J10 interfaces fe-1/3/0 unit 79 family inet address 10.10.13.10/24
set logical-systems J10 interfaces fe-1/3/3 unit 72 vlan-id 72
set logical-systems J10 interfaces fe-1/3/3 unit 72 family inet address 10.10.12.10/24
set logical-systems J10 interfaces lo0 unit 10 family inet address 10.10.10.10/32
set logical-systems J11 interfaces fe-0/0/0 unit 51 vlan-id 51
set logical-systems J11 interfaces fe-0/0/0 unit 51 family inet address 10.8.11.11/24
set logical-systems J11 interfaces fe-0/0/1 unit 66 vlan-id 66
set logical-systems J11 interfaces fe-0/0/1 unit 66 family inet address 10.9.11.11/24
set logical-systems J11 interfaces fe-1/3/0 unit 16 vlan-id 16
set logical-systems J11 interfaces fe-1/3/0 unit 16 family inet address 10.11.12.11/24
set logical-systems J11 interfaces fe-1/3/0 unit 19 vlan-id 19
set logical-systems J11 interfaces fe-1/3/0 unit 19 family inet address 10.11.13.11/24
set logical-systems J11 interfaces lo0 unit 11 family inet address 11.11.11.11/32
set logical-systems J12 interfaces fe-0/0/0 unit 59 vlan-id 59
set logical-systems J12 interfaces fe-0/0/0 unit 59 family inet address 10.8.12.12/24
set logical-systems J12 interfaces fe-1/3/0 unit 72 vlan-id 72
set logical-systems J12 interfaces fe-1/3/0 unit 72 family inet address 10.10.12.12/24
set logical-systems J12 interfaces fe-1/3/3 unit 14 vlan-id 14
set logical-systems J12 interfaces fe-1/3/3 unit 14 family inet address 10.12.13.12/24
set logical-systems J12 interfaces fe-1/3/3 unit 16 vlan-id 16
set logical-systems J12 interfaces fe-1/3/3 unit 16 family inet address 10.11.12.12/24
set logical-systems J12 interfaces lo0 unit 12 family inet address 12.12.12.12/32
set logical-systems J13 interfaces fe-0/0/1 unit 63 vlan-id 63
set logical-systems J13 interfaces fe-0/0/1 unit 63 family inet address 10.9.13.13/24
set logical-systems J13 interfaces fe-1/3/0 unit 14 vlan-id 14
set logical-systems J13 interfaces fe-1/3/0 unit 14 family inet address 10.12.13.13/24
set logical-systems J13 interfaces fe-1/3/3 unit 19 vlan-id 19
set logical-systems J13 interfaces fe-1/3/3 unit 19 family inet address 10.11.13.13/24
set logical-systems J13 interfaces fe-1/3/3 unit 79 vlan-id 79
set logical-systems J13 interfaces fe-1/3/3 unit 79 family inet address 10.10.13.13/24
set logical-systems J13 interfaces lo0 unit 13 family inet address 13.13.13.13/32
set logical-systems J2 interfaces fe-0/0/0 unit 25 vlan-id 25
set logical-systems J2 interfaces fe-0/0/0 unit 25 family inet address 10.2.8.2/24
set logical-systems J2 interfaces lo0 unit 2 family inet address 2.2.2.2/32
set logical-systems J3 interfaces fe-0/0/1 unit 13 vlan-id 13
set logical-systems J3 interfaces fe-0/0/1 unit 13 family inet address 10.1.3.3/24
set logical-systems J3 interfaces fe-0/0/1 unit 36 vlan-id 36
set logical-systems J3 interfaces fe-0/0/1 unit 36 family inet address 10.3.9.3/24
set logical-systems J3 interfaces lo0 unit 3 family inet address 3.3.3.3/32
set logical-systems J4 interfaces fe-0/0/1 unit 46 vlan-id 46
set logical-systems J4 interfaces fe-0/0/1 unit 46 family inet address 10.4.9.4/24
set logical-systems J4 interfaces lo0 unit 4 family inet address 4.4.4.4/32
set logical-systems J5 interfaces fe-1/3/0 unit 56 vlan-id 56
set logical-systems J5 interfaces fe-1/3/0 unit 56 family inet address 10.56.56.5/24
set logical-systems J5 interfaces lo0 unit 5 family inet address 5.5.5.5/32
set logical-systems J6 interfaces fe-1/3/3 unit 56 vlan-id 56
set logical-systems J6 interfaces fe-1/3/3 unit 56 family inet address 10.56.56.6/24
set logical-systems J6 interfaces lo0 unit 6 family inet address 6.6.6.6/32
set logical-systems J7 interfaces fe-0/0/0 unit 56 vlan-id 56
set logical-systems J7 interfaces fe-0/0/0 unit 56 family inet address 10.56.56.7/24
set logical-systems J7 interfaces lo0 unit 7 family inet address 7.7.7.7/32
set logical-systems J8 interfaces fe-0/0/1 unit 15 vlan-id 15
set logical-systems J8 interfaces fe-0/0/1 unit 15 family inet address 10.1.8.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 25 vlan-id 25
set logical-systems J8 interfaces fe-0/0/1 unit 25 family inet address 10.2.8.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 51 vlan-id 51
set logical-systems J8 interfaces fe-0/0/1 unit 51 family inet address 10.8.11.8/24
set logical-systems J8 interfaces fe-0/0/1 unit 59 vlan-id 59
set logical-systems J8 interfaces fe-0/0/1 unit 59 family inet address 10.8.12.8/24
set logical-systems J8 interfaces lo0 unit 8 family inet address 8.8.8.8/32
set logical-systems J9 interfaces fe-0/0/0 unit 36 vlan-id 36
set logical-systems J9 interfaces fe-0/0/0 unit 36 family inet address 10.3.9.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 46 vlan-id 46
set logical-systems J9 interfaces fe-0/0/0 unit 46 family inet address 10.4.9.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 63 vlan-id 63
set logical-systems J9 interfaces fe-0/0/0 unit 63 family inet address 10.9.13.9/24
set logical-systems J9 interfaces fe-0/0/0 unit 66 vlan-id 66
set logical-systems J9 interfaces fe-0/0/0 unit 66 family inet address 10.9.11.9/24
set logical-systems J9 interfaces lo0 unit 9 family inet address 9.9.9.9/32
set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-1/3/0 vlan-tagging
set interfaces fe-1/3/3 vlan-tagging

First JUNOS logical topology

Following on from my last post, I wanted to put together a small lab for me to start with inside my M10. As a reminder the extremely simple topology looks like so:

The plan is to make a simple lab like so:

This should give me something to start with. I can always add more to make things a lot more complicated. Below I’ll paste my config which also includes IP addressing for the links and loopbacks:

set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set logical-systems J1 interfaces fe-0/0/0 unit 15 vlan-id 15
set logical-systems J1 interfaces fe-0/0/0 unit 15 family inet address 10.15.15.1/24
set logical-systems J1 interfaces fe-0/0/0 unit 121 vlan-id 121
set logical-systems J1 interfaces fe-0/0/0 unit 121 family inet address 10.12.12.1/24
set logical-systems J1 interfaces fe-0/0/0 unit 122 vlan-id 122
set logical-systems J1 interfaces fe-0/0/0 unit 122 family inet address 10.21.21.1/24
set logical-systems J1 interfaces lo0 unit 1 family inet address 1.1.1.1/32
set logical-systems J2 interfaces fe-0/0/1 unit 25 vlan-id 25
set logical-systems J2 interfaces fe-0/0/1 unit 25 family inet address 10.25.25.2/24
set logical-systems J2 interfaces fe-0/0/1 unit 121 vlan-id 121
set logical-systems J2 interfaces fe-0/0/1 unit 121 family inet address 10.12.12.2/24
set logical-systems J2 interfaces fe-0/0/1 unit 122 vlan-id 122
set logical-systems J2 interfaces fe-0/0/1 unit 122 family inet address 10.21.21.2/24
set logical-systems J2 interfaces lo0 unit 2 family inet address 2.2.2.2/32
set logical-systems J3 interfaces fe-0/0/0 unit 35 vlan-id 35
set logical-systems J3 interfaces fe-0/0/0 unit 35 family inet address 10.35.35.3/24
set logical-systems J3 interfaces fe-0/0/1 unit 34 vlan-id 34
set logical-systems J3 interfaces fe-0/0/1 unit 34 family inet address 10.34.34.3/24
set logical-systems J3 interfaces lo0 unit 3 family inet address 3.3.3.3/32
set logical-systems J4 interfaces fe-0/0/0 unit 34 vlan-id 34
set logical-systems J4 interfaces fe-0/0/0 unit 34 family inet address 10.34.34.4/24
set logical-systems J4 interfaces fe-0/0/1 unit 45 vlan-id 45
set logical-systems J4 interfaces fe-0/0/1 unit 45 family inet address 10.45.45.4/24
set logical-systems J4 interfaces lo0 unit 4 family inet address 4.4.4.4/32
set logical-systems J5 interfaces fe-0/0/0 unit 25 vlan-id 25
set logical-systems J5 interfaces fe-0/0/0 unit 25 family inet address 10.25.25.5/24
set logical-systems J5 interfaces fe-0/0/0 unit 45 vlan-id 45
set logical-systems J5 interfaces fe-0/0/0 unit 45 family inet address 10.45.45.5/24
set logical-systems J5 interfaces fe-0/0/1 unit 15 vlan-id 15
set logical-systems J5 interfaces fe-0/0/1 unit 15 family inet address 10.15.15.5/24
set logical-systems J5 interfaces fe-0/0/1 unit 35 vlan-id 35
set logical-systems J5 interfaces fe-0/0/1 unit 35 family inet address 10.35.35.5/24
set logical-systems J5 interfaces lo0 unit 5 family inet address 5.5.5.5/32

All tested and working so feel free to use the configuration yourself.
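
A configuration like this pairs logical systems by VLAN tag, so each tag should appear on at least two units, in one subnet, with distinct host addresses and on different physical ports. The Python check below is an added example, not the author's tooling; the sample lines are constructed and deliberately contain two faults, and the finding names are hypothetical.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed excerpt in the page's "set" style. VLAN 34 reuses one host
# address on both ends and VLAN 45 has only one endpoint.
SAMPLE_CONFIG = """\
set logical-systems J3 interfaces fe-0/0/0 unit 35 vlan-id 35
set logical-systems J3 interfaces fe-0/0/0 unit 35 family inet address 10.35.35.3/24
set logical-systems J3 interfaces fe-0/0/1 unit 34 vlan-id 34
set logical-systems J3 interfaces fe-0/0/1 unit 34 family inet address 10.34.34.4/24
set logical-systems J4 interfaces fe-0/0/0 unit 34 vlan-id 34
set logical-systems J4 interfaces fe-0/0/0 unit 34 family inet address 10.34.34.4/24
set logical-systems J4 interfaces fe-0/0/1 unit 45 vlan-id 45
set logical-systems J4 interfaces fe-0/0/1 unit 45 family inet address 10.45.45.4/24
set logical-systems J5 interfaces fe-0/0/1 unit 35 vlan-id 35
set logical-systems J5 interfaces fe-0/0/1 unit 35 family inet address 10.35.35.5/24
set logical-systems J5 interfaces lo0 unit 5 family inet address 5.5.5.5/32
"""

UNIT_RE = re.compile(
    r"^set logical-systems (\S+) interfaces (\S+) unit (\d+) "
    r"(?:vlan-id (\d+)|family inet address (\S+))$"
)


def parse_units(config):
    """Return {(lsys, port, unit): {"vlan": int, "addr": IPv4Interface}}."""
    units = defaultdict(dict)
    for line in config.splitlines():
        m = UNIT_RE.match(line.strip())
        if not m:
            continue
        lsys, port, unit, vlan, addr = m.groups()
        entry = units[(lsys, port, int(unit))]
        if vlan:
            entry["vlan"] = int(vlan)
        else:
            entry["addr"] = ipaddress.ip_interface(addr)
    return units


def check_links(config):
    """Group tagged units by VLAN and report (vlan, finding) pairs."""
    by_vlan = defaultdict(list)
    for (lsys, port, _unit), e in parse_units(config).items():
        if "vlan" in e and "addr" in e:          # lo0 has no vlan-id: skipped
            by_vlan[e["vlan"]].append((lsys, port, e["addr"]))
    problems = []
    for vlan, ends in sorted(by_vlan.items()):
        if len(ends) < 2:
            problems.append((vlan, "single-endpoint"))
            continue
        if len({a.network for _, _, a in ends}) > 1:
            problems.append((vlan, "subnet-mismatch"))
        if len({a.ip for _, _, a in ends}) < len(ends):
            problems.append((vlan, "duplicate-address"))
        # Two units of one VLAN on the same port never see each other's frames.
        if len({p for _, p, _ in ends}) < len(ends):
            problems.append((vlan, "same-physical-port"))
    return problems


if __name__ == "__main__":
    for vlan, finding in check_links(SAMPLE_CONFIG):
        print(f"vlan {vlan}: {finding}")
```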

Partition a Juniper router into logical systems

My last post explained that my CCIE is on short hold thanks to me not currently holding my passport. And so instead of just wasting time I’ve decided to learn a bit more about my Juniper devices.

A while back I showed how you can load JUNOS onto some old Nokia devices. This post and this post show how.

One of the problems in the second post was that you could only install up to JUNOS 8.4 on these boxes. Anything more and you bork the box and need to start over.

So what if you need to run a bunch of Juniper routers and don’t have 10 sitting on your desk? Well the beauty of JUNOS is that you can partition a single router into multiple logical routers. This is not simply a separate VRF, it’s a whole logical router running its own processes and everything. In fact each logical system can even be running its own VRFs as well!

So I happen to have an old M10 router sitting in my lab. I actually have 2, but only 1 is currently working. To do any proper configuration you need more than a single box of course. This M10 is running a much newer release of JUNOS – 10.4 R1.9

So let’s get started. I’ve factory-defaulted the box by doing a load factory-default then commit.

root> show version
Model: m10
JUNOS Base OS boot [10.4R1.9]
/removed/

This is my actual physical topology:


There is simply a physical Cat5 cable connecting port fe-0/0/0 to port fe-0/0/1

Below is the planned logical topology. 2 Juniper routers connected over 2 separate links.

First I’m going to set the interfaces to send tagged traffic so I can run multiple virtual links, each with a different vlan tag. Then I’ll set up the interfaces as above.

set interfaces fe-0/0/0 vlan-tagging
set interfaces fe-0/0/1 vlan-tagging
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 vlan-id 20
set logical-systems JUNIPER1 interfaces fe-0/0/0 unit 1 family inet address 10.2.2.1/24
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 vlan-id 10
set logical-systems JUNIPER1 interfaces fe-0/0/1 unit 1 family inet address 10.1.1.1/24
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 vlan-id 10
set logical-systems JUNIPER2 interfaces fe-0/0/0 unit 2 family inet address 10.1.1.2/24
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 vlan-id 20
set logical-systems JUNIPER2 interfaces fe-0/0/1 unit 2 family inet address 10.2.2.2/24

Here we have created 2 logical systems – JUNIPER1 and JUNIPER2. I’ve then assigned 2 subinterfaces to each router. Let’s have a look to see if this actually works. To log into a logical system we use the set cli logical-system [logical system name] command. Once in there we can check the interfaces and then ping across.

root> set cli logical-system JUNIPER1
Logical system: JUNIPER1

root:JUNIPER1> show interfaces terse
Interface               Admin Link Proto    Local                 Remote
fe-0/0/0
fe-0/0/0.1              up    up   inet     10.2.2.1/24
fe-0/0/1
fe-0/0/1.1              up    up   inet     10.1.1.1/24

root:JUNIPER1> ping 10.2.2.2 rapid
PING 10.2.2.2 (10.2.2.2): 56 data bytes
!!!!!
--- 10.2.2.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 1.055/1.572/3.450/0.941 ms

No problems there at all. Note that once you are inside a logical system, you can configure it as though it’s a normal box. You don’t need to mention any logical system in the config. Let’s configure OSPF on these 2 interfaces:

root:JUNIPER1> configure
Entering configuration mode

[edit]
root:JUNIPER1# edit protocols ospf area 0.0.0.0

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/0.1

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# set interface fe-0/0/1.1

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# commit
commit complete

[edit protocols ospf area 0.0.0.0]
root:JUNIPER1# exit

[edit]
root:JUNIPER1# exit
Exiting configuration mode

So now how do we get out of this logical system back into the root? Use the clear cli logical-system command. Let’s get out of JUNIPER1 and go into JUNIPER2 and configure OSPF.

root:JUNIPER1> clear cli logical-system
Cleared default logical system

root> set cli logical-system JUNIPER2
Logical system: JUNIPER2

root:JUNIPER2> configure
Entering configuration mode

[edit]
root:JUNIPER2# edit protocols ospf area 0.0.0.0

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/0.2

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# set interface fe-0/0/1.2

[edit protocols ospf area 0.0.0.0]
root:JUNIPER2# top

[edit]
root:JUNIPER2# commit
commit complete

[edit]
root:JUNIPER2# exit
Exiting configuration mode

So has it all worked?

root:JUNIPER2> show ospf neighbor
Address          Interface              State     ID               Pri  Dead
10.1.1.1         fe-0/0/0.2             Full      10.1.1.1         128    36
10.2.2.1         fe-0/0/1.2             Full      10.1.1.1         128    37

Of course it has ;)

While this works, it’s a big hassle having to log into the root system and then logging into the logical system. It also defeats the purpose of a logical system a bit as it would be ideal to give different users access to different logical systems.

Let’s create 2 users. user1 will be responsible for JUNIPER1 and user2 will be responsible for JUNIPER2. You’ll need to get back into the root system to do this.

set system login class USER1 logical-system JUNIPER1
set system login class USER1 permissions all
set system login class USER2 logical-system JUNIPER2
set system login class USER2 permissions all
set system login user user1 class USER1
set system login user user1 authentication encrypted-password "$1$2.bgMkK/$ALFH1kC1Q2s.Rgm8Uvuuh/"
set system login user user2 class USER2
set system login user user2 authentication encrypted-password "$1$aOaM2CQa$OXMUk4burCY7vFlzmLZdR0"

Let’s give this a test by logging right out and then back in:

Amnesiac (ttyd0)

login: user1
Password:

--- JUNOS 10.4R1.9 built 2010-12-04 09:20:43 UTC
user1:JUNIPER1> 

Note that if you log in this way, you can’t clear out of the logical system. As far as you are concerned this is a separate router.

user1:JUNIPER1> clear cli logical-system
error: You are not a allowed to execute this command
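
The per-user scoping shown here, and in the login classes of the SP network post above, can be checked offline from a saved set-style configuration. The following Python audit is an added example, not part of the original post: the sample lines and password hashes are constructed placeholders, and the finding names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed excerpt in the page's "set" style; hashes are placeholders.
SAMPLE_CONFIG = """\
set system login class J1-superuser logical-system J1
set system login class J1-superuser permissions all
set system login class J2-superuser logical-system J2
set system login class J2-superuser permissions all
set system login class OPS permissions all
set system login user USER1 class J1-superuser
set system login user USER1 authentication encrypted-password "$1$PLACEHOLDER$placeholderhashvalue000"
set system login user USER2 class J2-superuser
set system login user USER2 authentication encrypted-password "$6$PLACEHOLDER$placeholderhashvalue000"
set system login user ops1 class OPS
set system login user admin class super-user
set system services ssh
set system services telnet
"""

CLASS_RE = re.compile(r"^set system login class (\S+) (\S+)\s*(.*)$")
USER_RE = re.compile(r"^set system login user (\S+) (.+)$")
SERVICE_RE = re.compile(r"^set system services (\S+)")


def parse(config):
    """Collect login classes, users and enabled services from set lines."""
    classes = defaultdict(dict)    # class -> {statement: value}
    users = defaultdict(dict)      # user  -> {"class": ..., "hash": ...}
    services = set()
    for line in config.splitlines():
        line = line.strip()
        if m := CLASS_RE.match(line):
            classes[m.group(1)][m.group(2)] = m.group(3)
        elif m := USER_RE.match(line):
            entry, rest = users[m.group(1)], m.group(2)
            if rest.startswith("class "):
                entry["class"] = rest.split()[1]
            elif rest.startswith("authentication encrypted-password"):
                entry["hash"] = rest.split(None, 2)[2].strip('"')
        elif m := SERVICE_RE.match(line):
            services.add(m.group(1))
    return classes, users, services


def scope_map(config):
    """Map each user to the logical system its class confines it to."""
    classes, users, _ = parse(config)
    return {u: classes.get(i.get("class"), {}).get("logical-system", "ROOT")
            for u, i in users.items()}


def audit(config):
    """Return (subject, finding, detail) tuples for review."""
    classes, users, services = parse(config)
    findings = []
    for name in sorted(users):
        info = users[name]
        cls = info.get("class")
        # A class without a logical-system statement leaves the user in the
        # root system, where every logical system can be reached.
        if classes.get(cls, {}).get("logical-system") is None:
            findings.append((name, "root-scope",
                             f"class {cls} is not bound to a logical system"))
        if info.get("hash", "").startswith("$1$"):
            findings.append((name, "md5-crypt",
                             "password stored in MD5-crypt ($1$) format"))
    if "telnet" in services:
        findings.append(("system", "telnet", "cleartext telnet login enabled"))
    return findings


if __name__ == "__main__":
    for subject, finding, detail in audit(SAMPLE_CONFIG):
        print(f"{subject}: {finding}: {detail}")
```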

So there you have it. I now have 2 routers running inside a single physical box. Juniper says you can have up to 15 logical routers inside a box so that gives me a lot to play with. If I get the second M10 working that’ll be 30 Juniper routers at my disposal. More than enough for even the most complex topologies.