One of the practical advantages of Juniper logical systems in a production environment is the ability to create user accounts that are scoped to specific logical systems. This means different teams or customers can be given SSH access to their own logical router without being able to see or interact with any other logical system on the same device. This video covers exactly how to set that up.
User and login-class configuration for logical systems cannot be done from within a logical system; it has to be done from the master (global) configuration. This is one of the few tasks that requires dropping back to the master instance, and the video shows why: inside a logical system only a subset of the system hierarchy is available, and login users and classes are not part of it.
The configuration involves two steps. First, create a login class with set system login class, scope it to a logical system with the logical-system statement, and give the class its permissions. In the demonstration the class is called pe1-only, is scoped to the PE1 logical system and is given all permissions. Second, create the user account, assign it to the new class and set its password with plain-text-password (Junos prompts for the password interactively and stores only the hash; the clear-text value never lands in the configuration). Note that permissions all is convenient for a demo but broad for a real tenant or team account: the logical-system statement confines where the user can act, not what they can do there, so in production give the class only the permission flags that group actually needs.
Once committed we log in as the new user and confirm the behaviour: the session drops immediately into the PE1 logical system, the prompt itself carries the logical-system name (user@router:PE1>), and there is no way to change context. The set cli logical-system command is not available to the user, clear cli logical-system is blocked as well, and show configuration shows only the PE1 configuration. The user is completely isolated to their assigned logical system.
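The two steps and the checks described above, written out as an added example rather than the video's own CLI transcript. The class name pe1-only and the logical system PE1 are the ones from the demonstration; the user names pe1-ops and pe1-viewer, the host name router and the second, read-only class pe1-readonly are assumed placeholders added here to show a narrower alternative to permissions all.

```junos
## Step 1: login class confined to the PE1 logical system.
## Enter this at the master (global) [edit] level; the system login
## hierarchy is not available inside a logical system.
set system login class pe1-only logical-system PE1
set system login class pe1-only permissions all

## Step 2: user bound to that class. plain-text-password prompts for the
## password interactively and Junos stores only the hash.
## "pe1-ops" is an assumed user name.
set system login user pe1-ops class pe1-only
set system login user pe1-ops authentication plain-text-password
commit

## Assumed tighter alternative: same confinement to PE1, but the class can
## only look at operational state and configuration, not change it.
set system login class pe1-readonly logical-system PE1
set system login class pe1-readonly permissions view
set system login class pe1-readonly permissions view-configuration
set system login user pe1-viewer class pe1-readonly
set system login user pe1-viewer authentication plain-text-password
commit

## Verification, logged in over SSH as pe1-ops (constructed session).
## The prompt already names the logical system the user is confined to.
pe1-ops@router:PE1> set cli logical-system default      ## not available to this user
pe1-ops@router:PE1> clear cli logical-system            ## blocked as well
pe1-ops@router:PE1> show configuration                  ## shows only PE1's configuration
```

For the read-only class the same three checks apply, and in addition any configure or commit attempt is refused, which is the behaviour you want for a customer who should see their virtual router but not change it. Whatever permission set you choose, test it by logging in as the new user rather than by reading the class back from the master configuration.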
This is a genuinely useful security feature for any environment using logical systems in production — whether that’s a managed service provider giving customers access to their own virtual router, or an enterprise team where different groups manage different logical systems on shared hardware.