Support Support Downloads Knowledge Base Case Manager My Juniper Community

Knowledge Base

Search our Knowledge Base sites to find answers to your questions.

Ask All Knowledge Base Sites All Knowledge Base Sites JunosE Defect (KA)Knowledge BaseSecurity AdvisoriesTechnical BulletinsTechnotes Sign in to display secure content and recently viewed articles

How to use configuration groups for logical systems?

0

0

Article ID: KB9299 KB Last Updated: 19 Jun 2019Version: 4.0
Summary:
Configuration groups are used to aggregate the common attributes in Junos configuration.  The groups allow you to create smaller, more logically constructed configuration files, making it easier to configure and maintain the Junos software.  To use configuration groups on logical systems's configuration, the groups must be defined at correct hierarchy.
Symptoms:

While using groups in [logical-systems] configuration hierarchy, if the groups defined for the root system are simply applied under logical systems, the commit will be successful but those groups will not take effect.

Examples below show the problem of using configuration groups in [logical-systems] and how to solve it.  In the examples, groups are used to configure all of the OSPF neighbors to use MD5 authentication for both the root system and the logical system.
 
The problem happens when the groups defined for root system are just applied to logical system. The configuration can be committed without errors, however the command show | display inheritance displays that the groups are applied to the root system but not the logical system. Thus the configuration groups will not take effect in the logical system.
 
groups {   
    OSPF-use-MD5 {
        protocols {
            ospf {
                area <*> {
                    authentication-type md5;
                }
            }
        }
    }
}
protocols {
    ospf {
        apply-groups OSPF-use-MD5;
        area 0.0.0.0 {
            interface lo0.0;
        }
    }              
}
logical-systems {  
    LS {
        protocols {
            ospf {
                apply-groups OSPF-use-MD5;
                area 0.0.0.0 {
                    interface lo0.1;
                }
            }
        }
    }
}
 
user@router# show protocols | display inheritance
ospf {
    area 0.0.0.0 {
        ##
        ## 'md5' was inherited from group 'OSPF-use-MD5'
        ##
        authentication-type md5;
        interface lo0.0;
    }
}
 
[edit]
user@router# show logical-systems | display inheritance
LS {
    protocols {
        ospf {
            area 0.0.0.0 {
                interface lo0.1;
            }
        }
    }
}
 
Solution:
Below are correct configurations that solve the problem above.

Solution 1:  Define and apply a new group for logical system at the [logical-systems] hierarchy. 
 
groups {
    OSPF-use-MD5 {
        protocols {
            ospf {
                area <*> {
                    authentication-type md5;
                }
            }
        }
    }
    LS-OSPF-use-MD5 {
        logical-systems {
            <*> {
                protocols {
                    ospf {
                        area <*> {
                            authentication-type md5;
                        }
                    }
                }
            }
        }
    }
}
protocols {
    ospf {
        apply-groups OSPF-use-MD5;
        area 0.0.0.0 {
            interface lo0.0;
        }
    }
}
logical-systems {
    LS {
        protocols {
            ospf {
                apply-groups LS-OSPF-use-MD5;
                area 0.0.0.0 {
                    interface lo0.1;
                }
            }
        }
    }
}
 


Solution 2: Use a single group that works for both the root system and the other logical systems, while the group will be defined at both hierarchies.
 
groups {
    OSPF-use-MD5 {
        logical-systems {
            <*> {  
                protocols {
                    ospf {
                        area <*> {
                            authentication-type md5;
                        }
                    }
                }
            }
        }
        protocols {
            ospf {
                area <*> {
                    authentication-type md5;
                }
            }
        }
    }
}
protocols {        
    ospf {
        apply-groups OSPF-use-MD5;
        area 0.0.0.0 {
            interface lo0.0;
        }
    }
logical-systems {
    LS {
        protocols {
            ospf {
                apply-groups OSPF-use-MD5;
                area 0.0.0.0 {
                    interface lo0.1;
                }
            }
        }
    }
}
Modification History:
2019-06-15: update product list to include SRX Series
Comment on this article > Affected Products Browse the Knowledge Base for more articles related to these product categories. Select a category to begin.

Getting Up and Running with Junos

Getting Up and Running with Junos Security Alerts and Vulnerabilities Product Alerts and Software Release Notices Problem Report (PR) Search Tool EOL Notices and Bulletins JTAC User Guide Customer Care User Guide Pathfinder SRX High Availability Configurator SRX VPN Configurator Training Courses and Videos End User Licence Agreement Global Search