
JN0-637 Logical Systems and Tenant Systems

Logical Systems and Tenant Systems Detailed Explanation

Overview

Logical systems (LS) and tenant systems (TS) are features of Junos-based SRX devices that allow for advanced network segmentation and multi-tenancy. These tools enable a single physical SRX device to support multiple isolated virtual environments.

Core Concepts

1. Logical Systems

Logical systems are best thought of as separate virtual firewalls inside one SRX chassis rather than just virtual routers: each has its own interfaces, routing tables and routing protocols, security zones and policies, and can be handed to its own administrator. They operate independently, with separate configurations, management access, and resource limits.

Purpose
  • Logical systems partition a physical SRX device into multiple virtual devices, each functioning independently.
  • This feature is especially useful in scenarios requiring strict isolation, such as multi-department environments or service provider settings.
Features
  • Independent Configuration:
    • Each logical system has its own routing tables, policies, NAT rules, and more.
    • Changes in one logical system do not affect others.
  • Separate Management Access:
    • Each logical system can be managed independently by different administrators.
    • Provides enhanced control and delegation capabilities.
Applications
  • Multi-Department Segregation:
    • Organizations can assign a logical system to each department, ensuring complete isolation of traffic and policies.
  • Managed Service Providers (MSPs):
    • Service providers can offer customers dedicated logical systems, simulating the experience of having separate physical devices.

2. Tenant Systems

Tenant systems are a lighter-weight alternative to logical systems for multi-tenancy. Like a logical system, a tenant system has its own security configuration (zones, policies, address books, NAT) and its own administrator; unlike a logical system, it has no routing process of its own and forwards through a routing instance that the primary (root) system's routing process serves. Because a tenant consumes fewer device resources, a device typically supports more tenant systems than logical systems.

Purpose
  • Tenant systems allow different tenants (customers or internal units) to share an SRX device while maintaining isolation.
Features
  • Primary (Root) Administrator:
    • The primary logical system administrator creates tenant systems under the tenants hierarchy, binds each one to a security profile, and creates the tenant's administrator accounts.
    • Monitors each tenant's resource usage against the reserved and maximum values in its security profile.
  • Tenant Administrators:
    • A tenant administrator is a user whose login class is bound to one tenant; the account can see and configure only that tenant's hierarchy.
    • Tenants do not nest: there is no sub-tenant below a tenant.
Applications
  • Multi-Tenancy for Businesses:
    • Companies with multiple business units can share a single SRX device while maintaining independence.
  • Secure SaaS Environments:
    • SaaS providers can create isolated environments for each customer.

Configuration Details

1. Logical Systems

Logical systems require defining and assigning resources, such as interfaces, routes and a security profile that caps what the logical system may consume.

Step-by-Step Configuration
  1. Assign Interfaces to Logical Systems:

    • Interfaces are allocated to a logical system per logical unit, so the unit (and normally its address) is part of the assignment:

      set logical-systems ls1 interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
      
  2. Set Static Routes for Logical Systems:

    • Define static routes to enable traffic forwarding:

      set logical-systems ls1 routing-options static route 0.0.0.0/0 next-hop 192.168.1.1
      
  3. Access a Logical System:

    • From the root (primary) administrator's operational mode, switch the CLI into the logical system context; every later command, including configure, then applies to ls1, and clear cli logical-system returns to the root context:

      set cli logical-system ls1
      
    • In root configuration mode the same logical system can be edited in place with edit logical-systems ls1. (start shell opens a FreeBSD shell and takes no logical-system argument; it is not the way into a logical system.)

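The three steps above leave out what a user logical system needs before it will actually pass traffic and commit on an SRX: zones and a policy inside the logical system, a security profile bound to it, and an administrator account bound to it. The following is an added example, not configuration from the original page or from Juniper; interface names, addresses, zone, policy, profile and user names are assumptions chosen for illustration.

```junos
# Added example: a complete user logical system "ls1" on an SRX with one
# inside and one outside interface, a zone pair, a default route, a security
# profile and a delegated administrator. All names and addresses are assumed.

# 1. Interfaces: the logical unit is what moves into the logical system.
set logical-systems ls1 interfaces ge-0/0/1 unit 0 family inet address 192.168.1.10/24
set logical-systems ls1 interfaces ge-0/0/2 unit 0 family inet address 203.0.113.10/24

# 2. Routing: ls1 has its own routing tables, so routing-options lives here.
set logical-systems ls1 routing-options static route 0.0.0.0/0 next-hop 203.0.113.1

# 3. Zones and policy: scoped to ls1, invisible to root and to other LSs.
set logical-systems ls1 security zones security-zone ls1-trust interfaces ge-0/0/1.0
set logical-systems ls1 security zones security-zone ls1-trust host-inbound-traffic system-services ping
set logical-systems ls1 security zones security-zone ls1-untrust interfaces ge-0/0/2.0
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy allow-out match source-address any
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy allow-out match destination-address any
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy allow-out match application any
set logical-systems ls1 security policies from-zone ls1-trust to-zone ls1-untrust policy allow-out then permit

# 4. Security profile: reserved/maximum caps on the shared pools ls1 may use.
#    On SRX a user logical system must be bound to a profile or the commit fails.
set system security-profile ls1-profile policy maximum 100 reserved 50
set system security-profile ls1-profile zone maximum 8 reserved 2
set system security-profile ls1-profile flow-session maximum 20000 reserved 5000
set system security-profile ls1-profile logical-system ls1

# 5. Delegated admin: users are created under the root "system login"
#    hierarchy; the login class binds this user to ls1 and confines them to it.
set system login class ls1-admin logical-system ls1
set system login class ls1-admin permissions all
set system login user ls1admin class ls1-admin
# Set the password interactively before committing:
#   set system login user ls1admin authentication plain-text-password
```

Loaded at root and committed, this gives ls1admin a login that lands directly in ls1, where show configuration returns only the ls1 hierarchy and the security profile, not ls1's own stanza, decides how many policies, zones and sessions the tenant may create.
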
2. Tenant Systems

Tenant systems are configured under the tenants hierarchy (Junos has no tenant-system hierarchy). A tenant needs a routing instance, through which its interfaces are assigned, plus its own security zones and policies; the interface addressing itself stays at the root interfaces hierarchy.

Step-by-Step Configuration
  1. Create a Tenant System and Assign Interfaces:

    • The routing instance is mandatory; a logical interface joins the tenant by being placed in it:

      set tenants tenant1 routing-instances tenant1-vr instance-type virtual-router
      set tenants tenant1 routing-instances tenant1-vr interface ge-0/0/2.0
      
  2. Assign Zones and Policies:

    • Security objects sit under the tenant's own security hierarchy and use the same syntax as at root (the policy still needs its match terms before it will commit):

      set tenants tenant1 security zones security-zone trust interfaces ge-0/0/2.0
      set tenants tenant1 security policies from-zone trust to-zone untrust policy allow-out then permit
      
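Put together, and including the two pieces the steps above mention only in passing (the root-level interface addressing and the security profile and login class that bind resources and an administrator to the tenant), a working tenant looks like the block below. This is an added example rather than configuration from the original page or from Juniper; interface names, addresses and all object names are assumptions.

```junos
# Added example: tenant system "tenant1" on an SRX. Tenants live under the
# "tenants" hierarchy and forward through a routing instance served by the
# primary system's routing process; there is no tenant-level routing-options.
# Interface names, addresses and object names are assumed.

# 1. Routing instance: mandatory, and the only way to give the tenant interfaces.
set tenants tenant1 routing-instances tenant1-vr instance-type virtual-router
set tenants tenant1 routing-instances tenant1-vr interface ge-0/0/3.0
set tenants tenant1 routing-instances tenant1-vr interface ge-0/0/4.0
set tenants tenant1 routing-instances tenant1-vr routing-options static route 0.0.0.0/0 next-hop 198.51.100.1

# 2. Interface addressing stays at the root "interfaces" hierarchy.
set interfaces ge-0/0/3 unit 0 family inet address 10.10.0.1/24
set interfaces ge-0/0/4 unit 0 family inet address 198.51.100.10/24

# 3. Security objects (zones, address book, policies) are tenant-scoped.
set tenants tenant1 security zones security-zone t1-trust interfaces ge-0/0/3.0
set tenants tenant1 security zones security-zone t1-trust host-inbound-traffic system-services ping
set tenants tenant1 security zones security-zone t1-untrust interfaces ge-0/0/4.0
set tenants tenant1 security address-book global address t1-lan 10.10.0.0/24
set tenants tenant1 security policies from-zone t1-trust to-zone t1-untrust policy t1-out match source-address t1-lan
set tenants tenant1 security policies from-zone t1-trust to-zone t1-untrust policy t1-out match destination-address any
set tenants tenant1 security policies from-zone t1-trust to-zone t1-untrust policy t1-out match application any
set tenants tenant1 security policies from-zone t1-trust to-zone t1-untrust policy t1-out then permit

# 4. Resource limits and the delegated administrator use the same mechanisms
#    as logical systems, with the "tenant" keyword in place of "logical-system".
set system security-profile tenant1-profile policy maximum 50 reserved 20
set system security-profile tenant1-profile zone maximum 4 reserved 2
set system security-profile tenant1-profile flow-session maximum 10000 reserved 2000
set system security-profile tenant1-profile tenant tenant1
set system login class tenant1-admin tenant tenant1
set system login class tenant1-admin permissions all
set system login user t1admin class tenant1-admin
# Set the password interactively before committing:
#   set system login user t1admin authentication plain-text-password
```

The contrast with the logical-system example is the point for the exam: tenant1 has no interfaces stanza and no routing-options stanza of its own, only a routing instance, while everything security-related is fully its own.
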

Troubleshooting Logical Systems

1. Misconfigured Interfaces

If a logical system does not function as expected, the first step is to verify the interface assignments.

  • Command:

    show configuration logical-systems
    
  • What to Check:

    • Ensure interfaces are properly assigned to the logical system.
    • Verify there are no overlaps or conflicts.

2. Routing Issues

Logical systems require independent routing tables. Misconfigured routes can lead to connectivity problems.

  • Command:

    show route logical-system ls1
    
  • What to Check:

    • Validate that all required routes are present.
    • Check the next-hop IP addresses and ensure they are reachable.
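The two checks above, run from the root administrator's CLI, look like the following. This is an added example, not commands from the original page; the logical system name ls1 and interface ge-0/0/1 are assumptions.

```junos
# Added example: operational checks for logical system "ls1" from root.
# Names are assumed.

# Interface assignment. A logical unit can belong to only one system (root, an
# LS or a tenant), so every set line that defines ge-0/0/1 unit 0 should sit
# under the same "logical-systems ls1" prefix; a hit elsewhere is the overlap.
show configuration | display set | match "ge-0/0/1 unit 0"
show configuration logical-systems ls1 interfaces

# Routes: either qualify the command with the LS name ...
show route logical-system ls1
show route logical-system ls1 0.0.0.0/0

# ... or switch the CLI into ls1 and run unqualified commands, which is
# exactly what an ls1 administrator sees after login.
set cli logical-system ls1
show interfaces terse
show route
show security zones
show security policies
clear cli logical-system
```

If the static route is present but its next hop shows as unreachable, check that the next-hop subnet is on an interface unit that was actually moved into ls1; an address configured at root on the same physical port belongs to root, not to ls1.
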

Tenant System Challenges

1. Insufficient Resource Allocation

Tenant systems draw on shared device resources (security policies, zones, address-book entries, NAT rules, flow sessions, CPU) within the reserved and maximum values of the security profile the root administrator bound to the tenant. Once a tenant reaches its maximum for a resource, further configuration of that type is rejected at commit and, for flow sessions, new sessions are refused.

  • Command:

    show configuration system security-profile
    show system security-profile <resource> tenant <tenant-name>
    
  • What to Check:

    • Compare each tenant's usage against the reserved and maximum values in its profile.
    • Raise the limits (or bind the tenant to a larger profile) if necessary; the reserved values across all profiles cannot add up to more than the platform provides.

2. Administrative Privileges

A tenant administrator is a user whose login class is bound to a tenant (set system login class <class> tenant <tenant-name>); the class permissions decide what that user may do inside the tenant, and nothing outside it is visible. Ensure that administrators have the correct permissions for their operations.

  • What to Check:
    • Verify the login class bound to each tenant administrator and the permissions on that class.
    • Adjust the class permissions as needed to enable required configurations; never hand a tenant a primary (root) account to work around a missing permission.
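Checking a tenant's allocation against its usage, as an added example that is not part of the original page. The tenant, profile and routing-instance names are assumptions; the show system security-profile forms are given as they exist on SRX, with the resource type first and tenant all or a tenant name last, and are worth confirming with ? completion on your release.

```junos
# Added example: allocation versus usage for tenant "tenant1". Names assumed.

# The security profile bound to the tenant is the allocation.
show configuration system security-profile tenant1-profile
show configuration tenants tenant1

# Per-resource usage against the profile's reserved/maximum values.
show system security-profile policy tenant all
show system security-profile zone tenant tenant1
show system security-profile flow-session tenant tenant1

# The tenant's routing instance is served by the primary system's routing
# process, so its table is visible from root under its own name.
show route table tenant1-vr.inet.0

# Who may administer it: the login class carries the tenant binding.
show configuration system login class tenant1-admin
```

A tenant whose policy count sits at its maximum will fail commits of new policies with a resource error even though the configuration syntax is correct, which is the first thing to rule out when a tenant administrator reports that "commit does not work".
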

Logical Systems and Tenant Systems (Additional Content)

1. Logical Systems (LS) – Key Enhancements

Relationship with the Root System
  • In Junos OS, every device includes a default root logical system, called the primary (formerly master) logical system.

  • All user-defined logical systems (LS) are created under this root, at the logical-systems hierarchy.

  • By default, any configuration applied outside a logical-systems stanza affects only the root system.

  • To configure a specific logical system, the root administrator either enters edit logical-systems <name> in configuration mode or switches the CLI with set cli logical-system <name> before entering configuration mode; an LS administrator lands in that LS context automatically at login.

Important Note:

All logical systems exist under the root system. Configuration changes outside a logical-systems stanza affect only the root unless explicitly directed to a specific LS.

Resource Isolation Across Logical Systems

Logical systems provide separation of configuration state: no zone, policy, NAT rule, address object or route defined in one LS is visible to another. What is shared is the hardware underneath (Packet Forwarding Engine, session capacity, CPU), which is why the root administrator caps each LS with a security profile.

Examples of Fully Isolated Resource Objects:

  • Routing instances – Each LS maintains independent routing tables.

  • Firewall filters – Filters are unique and scoped per logical system.

  • Address books – Address objects are not visible across LS boundaries.

  • NAT rules – Source/destination NAT rules are independently defined.

  • Security zones and policies – Policies are not shared; each LS handles its own.

  • Administrative access – User accounts are created by the root administrator under system login, but a login class binds each user to one LS, so an LS administrator can log in to, see and configure only that LS.

Exam Tip:

You may be asked to identify which resources are isolated and which are shared. In general, physical interface properties, hardware counters and the pools that security profiles carve up (sessions, policies, zones, NAT objects, CPU) are global, while logical configuration is strictly isolated.

2. Tenant Systems (TS) – Clarifications and Relationships

Relationship Between TS and LS

Logical systems virtualize the whole security and routing stack; tenant systems virtualize the security stack only. A tenant has its own zones, policies, address books, NAT and screens and its own administrator, but its routing is done by a routing instance that the primary (root) system's routing process serves. Tenant systems are not built on top of logical systems and do not contain them: the two are sibling constructs that coexist on one device.

Key Distinction:

Logical Systems (LS) have their own routing tables, routing protocols and security configuration.
Tenant Systems (TS) have their own security configuration but rely on a routing instance in the primary system for forwarding, which makes them cheaper and lets more of them fit on one device.

Core Concepts:

  • A Tenant System is its own administrative and security domain, created by the primary (root) administrator under the tenants hierarchy.

  • Tenants provide administrative boundaries, allowing operators to delegate control without full root access: a tenant administrator is a user whose login class is bound to the tenant.

  • Each tenant must include at least one routing instance; tenant interfaces are assigned through it, while interface addressing stays at the root interfaces hierarchy.

  • Resource limits are set by a security profile bound to the tenant, exactly as for a logical system, and enforced against the device's shared pools.

Exam-Focused Clarification:

A tenant system is a standalone security domain but not a standalone routing domain: it has no routing process of its own and no inet.0 of its own, only the routing instances configured under it.
A logical system is both, which is the distinction the exam tests.

3. Operational and Configuration Command Layer Enhancements

For real-world operations and exam prep, it’s important to know the correct command structure for managing logical and tenant systems.

  • View all configured logical systems
    Command: show configuration logical-systems
    Lists every user LS defined under the root system; append | display set to see each one as set commands.

  • Enter a specific LS from operational mode
    Command: set cli logical-system <logical-system-name>
    Switches the CLI context; unqualified show commands and a subsequent configure now apply to that LS. clear cli logical-system returns to root.

  • Edit a specific LS from root configuration mode
    Command: edit logical-systems <logical-system-name>
    Moves the configuration cursor into that LS without changing the operational CLI context.

  • Query one LS without switching context
    Command: show route logical-system <name>, show security zones logical-system <name>, show security policies logical-system <name>
    Most routing and security show commands accept a logical-system qualifier.

  • View a tenant's configuration
    Command: show configuration tenants <tenant-name>
    Displays the tenant's routing instances, zones, address books and policies.

  • View a tenant's resource allocation and usage
    Command: show configuration system security-profile <profile-name>; show system security-profile <resource> tenant <tenant-name>
    The security profile is the allocation; the operational command reports usage against its reserved and maximum values.

Quick Knowledge Checks (for exam revision)

  1. Is every logical system part of a tenant system?
    → No. Logical systems and tenant systems are independent constructs that coexist on the same device; neither contains the other.

  2. Is the root system a logical system?
    → Yes. It is the primary (default) logical system under which all others are created.

  3. Can address books be shared across logical systems?
    → No. Address books are logically scoped and isolated per logical system.

  4. What's the difference between switching the CLI into an LS and editing it from root configuration mode?
    set cli logical-system <name> switches the operational context so that show commands and a subsequent configure apply to that LS; edit logical-systems <name> in root configuration mode edits the same LS in place. start shell opens an OS-level shell and has no logical-system argument.

Frequently Asked Questions

What is the purpose of logical systems on Juniper devices?

Answer:

Logical systems allow a single device to be partitioned into multiple independent virtual devices.

Explanation:

Logical systems create isolated environments within a physical device, each with its own configuration, interfaces, routing tables, and policies. This capability is useful for service providers or organizations that need to support multiple tenants on the same hardware while maintaining administrative separation.

Demand Score: 80

Exam Relevance Score: 92

How do logical systems differ from routing instances?

Answer:

Logical systems virtualize the entire device, while routing instances only separate routing tables.

Explanation:

Routing instances create multiple routing tables within the same device but still share the same system configuration and policies. Logical systems provide deeper isolation by allowing separate interface assignments, routing processes, and security configurations.

Demand Score: 79

Exam Relevance Score: 90

Why are logical systems commonly used in multi-tenant environments?

Answer:

They allow multiple organizations to operate independently on the same hardware.

Explanation:

Each tenant can manage its own configuration without affecting other tenants on the device. This isolation simplifies administration and increases security in shared infrastructure environments.

Demand Score: 75

Exam Relevance Score: 88

What is a key operational benefit of tenant systems in Juniper environments?

Answer:

Tenant systems provide administrative isolation and resource segmentation.

Explanation:

Tenant systems enable different administrative domains to operate within the same physical infrastructure while maintaining control over their configurations and policies. This capability is useful in service provider and cloud environments where multiple customers share the same network devices.

Demand Score: 72

Exam Relevance Score: 87
