
[ScreenOS] How many VSYS (Virtual System), VR (Virtual Router) or Zones are available for use with existing license?


Article ID: KB11474 KB Last Updated: 15 Dec 2017 Version: 7.0
Summary:

This article discusses how to determine how many licenses are available for VSYS, VR or Zone creation.

Symptoms:

The output of the command get zone all shows how many zones exist, but this can sometimes be more than the current license limit.

  • How can I tell how many zones are available for provisioning?
  • The available count is not consistent between ScreenOS versions. Are there differences in licensing between ScreenOS versions?
  • When did this change and what is the impact?
  • I am unable to create another VSYS even though there are licenses available. What is impacting this?
Solution:

Determining the number of available license resources can sometimes cause confusion. A look at the output from an NS5200 will help to explain.

Note: The number of base licenses can vary between platforms. Please check the product specification sheet to verify for a specific platform.

A base license for an NS5200 provides for three (3) Virtual Routers (VRs) and twenty-three (23) zones. Adding a VSYS license pack also adds one VR license (x1) and two Zone licenses (x2) per VSYS. For example, adding a 50-VSYS license to the base install provides the following totals:

     Base + Lic.    = Total
VSYS:   0  +  50     =  50
VR  :   3  +  50     =  53
ZONE:  23  +  50 x 2 = 123

These numbers can be seen from the "get license" command below:

ns5200-> get license
vsys_key            : <license key>
<snip>
Vsys:               50 virtual systems
Vrouters:           53 virtual routers
Zones:              123 zones
<snip> 


So, how are these resources consumed?

VSYS:

In the example above, the VSYS license allows for 50 custom VSYS to be created. Each new VSYS will consume one license count, but it is important to note that creating a VSYS also requires an associated VR which is auto-created. If there are no available VR licenses, then you will not be able to create any more VSYS regardless of available VSYS license count.

To see the total number of VSYS created, use the "get vsys" command. The following output shows five custom VSYS created on the NS5200:

ns5200-> get vsys
Total number of vsys: 5
Name            Id  Interface           IP Address          Vlan vsd
test1            1  N/A                 N/A                  N/A
test2            2  N/A                 N/A                  N/A
test3            3  N/A                 N/A                  N/A
test4            4  N/A                 N/A                  N/A
test5            5  N/A                 N/A                  N/A

 

VR:
The get vr command will show the list of VRs in the current VSYS only. Use get vr all to see the full list of VRs across all VSYS.

ns5200-> get vr all  
* indicates default vrouter for the current vsys
A - AutoExport, R - RIP, O - OSPF, B - BGP

   ID Name            Vsys            Owner     Routes    Flags
    1 untrust-vr      Root            shared      0/max      
*   2 trust-vr        Root            shared      2/max      
    3 test1-vr        test1           system      1/max      
    4 test2-vr        test2           system      1/max      
    5 test3-vr        test3           system      1/max      
    6 test4-vr        test4           system      1/max      
    7 test5-vr        test5           system      1/max      

total 7 vrouters shown and 0 of them defined by user

The output above shows the two default VRs (namely "untrust-vr" and "trust-vr") and the auto-created VRs for each of the custom VSYS. These VRs each consume one VR license.

In summary, the VR licenses are consumed by each of the following:

  • system-default VRs ("untrust-vr", "trust-vr") - each consumes one license.
  • auto-created VRs (one per custom VSYS, e.g. "test1-vr") - each consumes one license.
  • user-defined (custom) VRs - each consumes one license.

Note: The base license provides for three VRs. Two of them are already consumed by the two default VRs, which leaves only one for a custom VR. An added VSYS license also adds VR licenses, but note that for VSYS provisioning, creating more than one custom VR will reduce the total number of VSYS available.

 

ZONE:
The get zone command will list the zones for the current VSYS only. Use get zone all to view the full list of zones on the device. The number of available zone licenses is indicated on the second line of the output, in the form "<x> are available to configure."

Note: ScreenOS 5.4.0 brought in a change in the license counting for zones. In earlier versions, some system-default zones and auto-created zones (from custom VSYS) also consumed license counts. From ScreenOS 5.4.0 and later, only custom zones consume a license count.

Compare the output below taken from an NS5200 with a 50-VSYS license and a blank config. Note the difference in available zones; with no custom zones created the later version still has the full 123 zones available (23 default + 100 from the VSYS license = 123). The earlier version already has some of the license counts consumed:

From ScreenOS 5.0.0:

ns5200-> get zone all
Total of 13 zones in system, 7 are policy configurable.
117 are available to configure.
------------------------------------------------------------------------
  Id Name               Type    Attr   VR           Default-If   vsys     
   0 Null               Null    Shared untrust-vr   hidden       Root     
   1 Untrust            Sec(L3) Shared trust-vr     null         Root     
   2 Trust              Sec(L3)        trust-vr     null         Root     
   3 DMZ                Sec(L3)        trust-vr     null         Root     
   4 Self               Func           trust-vr     self         Root     
   5 MGT                Func           trust-vr     mgt          Root     
   6 HA                 Func           trust-vr     ha1          Root     
  10 Global             Sec(L3)        trust-vr     null         Root     
  11 V1-Untrust         Sec(L2)        trust-vr     v1-untrust   Root     
  12 V1-Trust           Sec(L2)        trust-vr     v1-trust     Root     
  13 V1-DMZ             Sec(L2)        trust-vr     v1-dmz       Root     
  14 VLAN               Func           trust-vr     vlan1        Root     
  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root     
------------------------------------------------------------------------

From ScreenOS 6.0.0:

ns5200-> get zone all
Total of 14 zones in system, 8 are policy configurable.
123 are available to configure.
------------------------------------------------------------------------
  Id Name               Type    Attr    VR    Default-If   vsys     
   0 Null               Null    Shared untrust-vr   hidden       Root               
   1 Untrust            Sec(L3) Shared trust-vr     null         Root               
   2 Trust              Sec(L3)        trust-vr     null         Root               
   3 DMZ                Sec(L3)        trust-vr     null         Root               
   4 Self               Func           trust-vr     self         Root               
   5 MGT                Func           trust-vr     mgt          Root               
   6 HA                 Func           trust-vr     ha1          Root               
  10 Global             Sec(L3)        trust-vr     null         Root               
  11 V1-Untrust         Sec(L2) Shared trust-vr     v1-untrust   Root               
  12 V1-Trust           Sec(L2) Shared trust-vr     v1-trust     Root               
  13 V1-DMZ             Sec(L2) Shared trust-vr     v1-dmz       Root               
  14 VLAN               Func    Shared trust-vr     vlan1        Root               
  15 V1-Null            Sec(L2) Shared trust-vr     l2v          Root               
  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root               
------------------------------------------------------------------------

From ScreenOS 6.0.0 onward, there are 14 zones by default (with no VSYS zones configured). Of these 14, 6 are functional and the rest are policy-configurable. The maximum number of zones that can be created is 23 + (VSYS x 2). However, get zone all sometimes shows more than 23 + (VSYS x 2) zones. This is because three zones, named after the VSYS, are created automatically whenever a VSYS is created. This is by design. See the example below:

get license

Model: Advanced
Sessions: 2000064 sessions
Capacity: unlimited number of users
NSRP: ActiveActive
VPN tunnels: 25000 tunnels
Vsys: 500 virtual systems
Vrouters: 503 virtual routers
Zones: 1023 zones
VLANs: 4000 vlans


The total number of zones that a user can configure is 23 + 500 x 2 = 1023, so we are able to configure 1023 zones:

ns5400->
ns5400-> get zone all
Total of 1037 zones in system, 1031 are policy configurable.
0 are available to configure.


The output above shows 1037 zones, which is 1023 + 14 default zones. Of these, 6 are functional zones, which are not configurable, which gives the number of 1031. The following is what happens if we try to configure zone number 1024:

ns5400->
ns5400-> set zone name cust1024
Maximum security zone number reached for Root!

Failed command - set zone name cust1024
ns5400->

At this stage we can see that we have reached the maximum limit. However, the output of the command get zone all might show a much higher value. This is because of VSYS: whenever we create a VSYS, three zones named after the VSYS are created by default. This is by design:

ns5400-> set vsys newcustom
ns5400(newcustom)->
ns5400(newcustom)->
ns5400(newcustom)-> get zone
Total 3 zones created in vsys newcustom - 2 are policy configurable.
Total policy configurable zones for newcustom is 7.
------------------------------------------------------------------------
  ID Name                   Type    Attr   VR           Default-IF   VSYS
   0 Null                   Null    Shared untrust-vr   null         Root
   1 Untrust                Sec(L3) Shared trust-vr     null         Root
  11 V1-Untrust             Sec(L2) Shared trust-vr     v1-untrust   Root
  12 V1-Trust               Sec(L2) Shared trust-vr     v1-trust     Root
  13 V1-DMZ                 Sec(L2) Shared trust-vr     v1-dmz       Root
  14 VLAN                   Func    Shared trust-vr     vlan1        Root
  15 V1-Null                Sec(L2) Shared trust-vr     l2v          Root
  19 Trust-newcustom        Sec(L3)        newcustom-~  null         newcustom
  20 Untrust-Tun-newcustom  Tun            newcustom-~  null         newcustom
  21 Global-newcustom       Sec(L3)        newcustom-~  null         newcustom
------------------------------------------------------------------------
ns5400(newcustom)->
ns5400(newcustom)->
ns5400(newcustom)-> sa
ns5400(newcustom)->
ns5400(newcustom)-> exit
exit vsys newcustom
ns5400->
ns5400->
ns5400-> get zone all
Total of 1040 zones in system, 1033 are policy configurable.
0 are available to configure.


Trust-newcustom, Untrust-Tun-newcustom, and Global-newcustom are the three extra zones that were created. They do not affect the limit of 1023 zones, but the total number of zones has now increased to 1040. The total number of zones that can be created is 23 + (VSYS x 2), but the get zone all output might show more zones because of VSYS.

The output below is from the same two environments described above, but now five (5) custom VSYS have been created on each. The older version consumes one zone license count for each created VSYS, but the newer version does not:

From ScreenOS 5.0.0:

ns5200-> get zone all
Total of 28 zones in system, 17 are policy configurable.
112 are available to configure.
------------------------------------------------------------------------
  Id Name               Type    Attr    VR    Default-If   vsys     
   0 Null               Null    Shared untrust-vr   hidden       Root     
   1 Untrust            Sec(L3) Shared trust-vr     null         Root     
   2 Trust              Sec(L3)        trust-vr     null         Root     
   3 DMZ                Sec(L3)        trust-vr     null         Root     
   4 Self               Func           trust-vr     self         Root     
   5 MGT                Func           trust-vr     mgt          Root     
   6 HA                 Func           trust-vr     ha1          Root     
  10 Global             Sec(L3)        trust-vr     null         Root     
  11 V1-Untrust         Sec(L2)        trust-vr     v1-untrust   Root     
  12 V1-Trust           Sec(L2)        trust-vr     v1-trust     Root     
  13 V1-DMZ             Sec(L2)        trust-vr     v1-dmz       Root     
  14 VLAN               Func           trust-vr     vlan1        Root     
  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root      
  17 Trust-test1        Sec(L3)        test1-vr     null         test1     <---  Auto-created VSYS
  18 Untrust-Tun-test1  Tun            test1-vr     null         test1     <     zones each consume
  19 Global-test1       Sec(L3)        test1-vr     null         test1     <     one VR license.
  20 Trust-test2        Sec(L3)        test2-vr     null         test2     <
  21 Untrust-Tun-test2  Tun            test2-vr     null         test2     <
  22 Global-test2       Sec(L3)        test2-vr     null         test2     <
  23 Trust-test3        Sec(L3)        test3-vr     null         test3     <
  24 Untrust-Tun-test3  Tun            test3-vr     null         test3     <
  25 Global-test3       Sec(L3)        test3-vr     null         test3     <
  26 Trust-test4        Sec(L3)        test4-vr     null         test4     <
  27 Untrust-Tun-test4  Tun            test4-vr     null         test4     <
  28 Global-test4       Sec(L3)        test4-vr     null         test4     <
  29 Trust-test5        Sec(L3)        test5-vr     null         test5     <
  30 Untrust-Tun-test5  Tun            test5-vr     null         test5     <
  31 Global-test5       Sec(L3)        test5-vr     null         test5     <
------------------------------------------------------------------------

From ScreenOS 6.0.0:

ns5200-> get zone all
Total of 29 zones in system, 18 are policy configurable.
123 are available to configure.
------------------------------------------------------------------------
  Id Name               Type    Attr    VR    Default-If   vsys     
   0 Null               Null    Shared untrust-vr   null         Root
   1 Untrust            Sec(L3) Shared trust-vr     ethernet2/1  Root      
   2 Trust              Sec(L3)        trust-vr     ethernet2/2  Root      
   3 DMZ                Sec(L3)        trust-vr     null         Root      
   4 Self               Func           trust-vr     self         Root      
   5 MGT                Func           trust-vr     mgt          Root      
   6 HA                 Func           trust-vr     ha2          Root      
  10 Global             Sec(L3)        trust-vr     null         Root
  11 V1-Untrust         Sec(L2) Shared trust-vr     v1-untrust   Root      
  12 V1-Trust           Sec(L2) Shared trust-vr     v1-trust     Root      
  13 V1-DMZ             Sec(L2) Shared trust-vr     v1-dmz       Root      
  14 VLAN               Func    Shared trust-vr     vlan1        Root      
  15 V1-Null            Sec(L2) Shared trust-vr     l2v          Root      
  16 Untrust-Tun        Tun            trust-vr     hidden.1     Root      
  19 Trust-test1        Sec(L3)        test1-vr     null         test1     <-- Auto-created VSYS
  20 Untrust-Tun-test1  Tun            test1-vr     null         test1     <   zones no longer
  21 Global-test1       Sec(L3)        test1-vr     null         test1     <   consume VR licenses.
  22 Trust-test2        Sec(L3)        test2-vr     null         test2     <
  23 Untrust-Tun-test2  Tun            test2-vr     null         test2     <
  24 Global-test2       Sec(L3)        test2-vr     null         test2     <
  25 Trust-test3        Sec(L3)        test3-vr     null         test3     <
  26 Untrust-Tun-test3  Tun            test3-vr     null         test3     <
  27 Global-test3       Sec(L3)        test3-vr     null         test3     <
  28 Trust-test4        Sec(L3)        test4-vr     null         test4     <
  29 Untrust-Tun-test4  Tun            test4-vr     null         test4     <
  30 Global-test4       Sec(L3)        test4-vr     null         test4     <
  31 Trust-test5        Sec(L3)        test5-vr     null         test5     <
  32 Untrust-Tun-test5  Tun            test5-vr     null         test5     <
  33 Global-test5       Sec(L3)        test5-vr     null         test5     <
------------------------------------------------------------------------
 

 

In summary, here is how the VSYS, VR and Zone licenses are counted:

VSYS

  • Adding a VSYS consumes one VSYS license and one VR license.
  • In pre-ScreenOS 5.4.0 versions, adding a VSYS also consumes one Zone license.
  • If there are not enough VR or Zone licenses to support the additional resources, then you will not be permitted to create the VSYS, regardless of how many VSYS licenses are free.
  • The total number of existing VSYS can be seen with get vsys | include total.

VR

  • Adding a custom VR consumes one VR license.
  • Adding a VSYS consumes one VR license.
  • The total number of existing VRs can be seen with "get vr all | include total".

Zone

  • Adding a custom zone consumes one Zone license.
  • In pre-ScreenOS 5.4.0 versions, adding a custom VSYS consumes one Zone license.
  • The total number of existing zones can be seen with get zone all | include total, but not all zones consume a Zone license count.
  • The total number of available zone licenses can be seen with get zone all | include available.

Installed Licenses

  • The total number of installed licenses can be seen with get license output.
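
The counting rules summarised above can be checked mechanically before provisioning. The following Python sketch is an added example, not Juniper's code: it parses the get license, get vsys, get vr all and get zone all lines shown in this article and reports how many more VSYS can be created and which license pool is the limit. The name vsys_headroom, the version tuple argument and the sample strings are assumptions constructed for illustration.

```python
import re

# Constructed captures: the lines the article's "| include" filters return on the NS5200.
LICENSE = ("Vsys:               50 virtual systems\n"
           "Vrouters:           53 virtual routers\n"
           "Zones:              123 zones\n")
VSYS = "Total number of vsys: 5\n"
VR_ALL = "total 7 vrouters shown and 0 of them defined by user\n"
ZONE_ALL = "112 are available to configure.\n"
# Constructed variations, not taken from the article:
VR_ALL_CUSTOM = "total 12 vrouters shown and 5 of them defined by user\n"
ZONE_ALL_EMPTY = "0 are available to configure.\n"


def _num(pattern, text):
    """Return the first captured integer, or fail loudly if the line is missing."""
    m = re.search(pattern, text, re.MULTILINE)
    if m is None:
        raise ValueError("expected line not found: " + pattern)
    return int(m.group(1))


def vsys_headroom(license_out, vsys_out, vr_out, zone_out, version):
    """Hypothetical helper: (creatable VSYS, limiting pool, free counts per pool).

    version is the ScreenOS release as a tuple, e.g. (5, 0, 0).
    """
    free = {
        # Each new VSYS consumes one VSYS license ...
        "vsys": _num(r"^Vsys:\s+(\d+)", license_out)
                - _num(r"^Total number of vsys:\s*(\d+)", vsys_out),
        # ... and one VR license for its auto-created VR. Every VR listed by
        # "get vr all" (default, auto-created, custom) already holds one.
        "vr": _num(r"^Vrouters:\s+(\d+)", license_out)
              - _num(r"^total (\d+) vrouters shown", vr_out),
    }
    # Before ScreenOS 5.4.0 a new VSYS also consumes one Zone license.
    if version < (5, 4, 0):
        free["zone"] = _num(r"^(\d+) are available to configure", zone_out)
    limit = min(free, key=free.get)
    return max(free[limit], 0), limit, free


if __name__ == "__main__":
    cases = [("article NS5200, 5.0.0", VR_ALL, ZONE_ALL, (5, 0, 0)),
             ("five custom VRs, 6.0.0", VR_ALL_CUSTOM, ZONE_ALL, (6, 0, 0)),
             ("no zones left, 5.0.0", VR_ALL, ZONE_ALL_EMPTY, (5, 0, 0))]
    for label, vr, zone, ver in cases:
        count, limit, _ = vsys_headroom(LICENSE, VSYS, vr, zone, ver)
        print(f"{label}: {count} more VSYS, limited by {limit} licenses")
```
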

 

Modification History:
2017-12-07: Article reviewed for accuracy. No changes made. Article is correct and complete.