Try Junos OS with Juniper Networks’s vSRX virtual firewall – Simple Topology

Hi! My last post gives an overview of how to prepare for the JNCIA certification and get started with Junos OS. This post is for people who are looking to get some hands-on time with Junos OS devices.

If you do not have access to real physical Juniper devices, you can try Juniper Networks' vSRX (formerly known as Firefly Perimeter) virtual firewall.

Download and deploy the virtual appliance in VMware ESXi

You can download (evaluation download) the vSRX VMware/KVM virtual appliance here. Please refer to the vSRX documentation to learn about vSRX, its features, download/install instructions, initial configuration, etc.

In this post, I intend to introduce vSRX to those who have not heard about it (I think I am already done 🙂) and discuss how to set up a simple OSPF topology with vSRX deployed inside a VMware ESXi host.

Topology

Three vSRX VMs, with OSPF running on each vSRX.

The above screenshot is taken from Junos Space Network Management Platform’s Network Monitoring topology (Powered by OpenNMS).

Setup

Three vSRX virtual appliances have been deployed on ESXi hosts.

  1. sulaiman_fp1_10
  2. sulaiman_fp2_11
  3. sulaiman_fp3_12

I have added one extra vNIC on all the vSRXs. By default it comes with 2 vNICs. You can add up to 10 vNICs.

I used the ge-0/0/0.0 interface as the management interface on all the vSRXs, so Network Adapter 1 (the ge-0/0/0.0 interface) is assigned to a port-group on the vSphere Standard Switch that has an uplink to the physical switch.

All the initial configuration on the vSRX is done (i.e. root password, default static route, etc.). Please refer to the documentation link above if you have difficulty with the initial configuration.

VMware Standard Switch

vSphere has several types of virtual switch (Standard Switch, Distributed Switch and NSX Logical Switch).

To form an OSPF topology with three network segments, as shown in the topology above, I have used the Standard Switch: I created three vSwitches and configured one port-group in each.

You can also create a single vSwitch and configure three port-groups with different VLAN IDs.

The remaining network adapters of vSRX are assigned to appropriate port-group based on the network segments (See below).

No uplinks are required for these port-groups, as traffic between these network segments never leaves the host (hypervisor). The vSRX routes traffic between them!

  1. 10.10.10.0/24 Between sulaiman_fp1_10 (ge-0/0/1.0) and sulaiman_fp2_11 (ge-0/0/1.0)
  2. 172.16.0.0/24 Between sulaiman_fp1_10 (ge-0/0/2.0) and sulaiman_fp3_12 (ge-0/0/1.0)
  3. 172.31.0.0/24 Between sulaiman_fp2_11 (ge-0/0/2.0) and sulaiman_fp3_12 (ge-0/0/2.0)

Interface configuration snippet

sulaiman_fp1_10

root@sulaiman_fp1_10> show version 
Hostname: sulaiman_fp1_10
Model: firefly-perimeter
JUNOS Software Release [12.1X47-D20.7]
root@sulaiman_fp1_10> show configuration | display set | match "unit 0" 
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.10/20
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.10/24
set interfaces ge-0/0/2 unit 0 family inet address 172.16.0.10/24
set interfaces lo0 unit 0 family inet address 1.1.1.1/32

sulaiman_fp2_11

root@sulaiman_fp2_11> show configuration | display set | match "unit 0" 
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.11/20
set interfaces ge-0/0/1 unit 0 family inet address 10.10.10.11/24
set interfaces ge-0/0/2 unit 0 family inet address 172.31.0.11/24
set interfaces lo0 unit 0 family inet address 2.2.2.2/32

sulaiman_fp3_12

root@sulaiman_fb3_12> show configuration | display set | match "unit 0" 
set interfaces ge-0/0/0 unit 0 family inet address 10.155.80.12/20
set interfaces ge-0/0/1 unit 0 family inet address 172.16.0.12/24
set interfaces ge-0/0/2 unit 0 family inet address 172.31.0.12/24
set interfaces lo0 unit 0 family inet address 3.3.3.3/32

IMPORTANT: vSRX is a firewall, so configure security zones and allow the needed traffic between the zones. If you do not require vSRX to run in flow mode (stateful, policy-based forwarding), you can disable flow mode.

Sample configuration snippet to configure security-zones

set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services any-service
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp

The snippet above should be self-explanatory. Most of this configuration comes from the factory-default settings. Note that the management interface ge-0/0/0.0 is bound to the untrust zone and only management-related traffic is enabled on it. Pay attention to this configuration if something is not working in your environment.
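To make the zone snippet concrete, here is an added example (my own code, not from the post or from Juniper) that parses those `set security ...` lines, answers "which policy does a flow hit?" the way the SRX evaluates policies (in configuration order, first match wins, unmatched traffic falls to the default policy, which is deny unless `default-policy permit-all` is configured), and lists the host-inbound system-services each interface accepts so that broad (`any-service`) or cleartext (telnet, http) management access on the untrust-facing management interface stands out. The application names and addresses passed to `lookup()` are constructed sample values.

```python
"""Policy lookup and host-inbound audit for the zone snippet above.
Added example, not from the post or Juniper: `lookup()` mimics the SRX
first-match evaluation of policies in configuration order (unmatched
traffic falls to the default policy, deny unless `default-policy
permit-all` is set); `audit()` flags broad or cleartext management access."""
import shlex

# Constructed sample input: the zone/policy lines shown in the post.
CONFIG = """
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic protocols ospf
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services any-service
set security zones security-zone trust interfaces lo0.0 host-inbound-traffic system-services any-service
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services http
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services https
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services dhcp
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services ping
set security zones security-zone untrust interfaces ge-0/0/0.0 host-inbound-traffic system-services snmp
"""

CLEARTEXT = {"telnet", "http", "ftp"}   # logins or sessions cross the wire unencrypted

def parse_set_config(text):
    """Tokenise each `set ...` line, dropping the leading `set`."""
    return [shlex.split(l)[1:] for l in text.splitlines() if l.strip().startswith("set ")]

def build_policies(stmts):
    """Policies keyed by (from-zone, to-zone, name); dict order = configuration order."""
    policies = {}
    for t in stmts:
        if t[:3] != ["security", "policies", "from-zone"] or len(t) < 10:
            continue
        pol = policies.setdefault((t[3], t[5], t[7]), {"match": {}, "action": None})
        if t[8] == "match" and len(t) == 11:
            pol["match"].setdefault(t[9], set()).add(t[10])
        elif t[8] == "then":
            pol["action"] = t[9]
    return policies

def _covers(terms, value):
    return "any" in terms or value in terms

def lookup(policies, from_zone, to_zone, src, dst, app, default="deny"):
    """(policy name, action) of the first matching policy, or (None, default)."""
    for (fz, tz, name), pol in policies.items():
        m = pol["match"]
        if ((fz, tz) == (from_zone, to_zone)
                and _covers(m.get("source-address", ()), src)
                and _covers(m.get("destination-address", ()), dst)
                and _covers(m.get("application", ()), app)):
            return name, pol["action"]
    return None, default

def host_inbound_services(stmts):
    """(zone, interface) -> system-services the vSRX itself accepts there."""
    svc = {}
    for t in stmts:
        if (t[:3] == ["security", "zones", "security-zone"] and len(t) == 9
                and t[4] == "interfaces" and t[6:8] == ["host-inbound-traffic", "system-services"]):
            svc.setdefault((t[3], t[5]), set()).add(t[8])
    return svc

def audit(svc):
    """Sorted findings (zone, interface, service, reason)."""
    findings = []
    for (zone, iface), services in svc.items():
        for s in services:
            if s == "any-service":
                findings.append((zone, iface, s, "every system service reachable here"))
            elif s in CLEARTEXT:
                findings.append((zone, iface, s, "cleartext management protocol"))
    return sorted(findings)

if __name__ == "__main__":
    stmts = parse_set_config(CONFIG)
    pols = build_policies(stmts)
    print(lookup(pols, "untrust", "trust", "10.155.80.1", "10.10.10.10", "junos-ssh"))
    for f in audit(host_inbound_services(stmts)):
        print(*f)
```

Running it shows the untrust-to-trust flow landing on `default-deny`, and the audit lists telnet and http on ge-0/0/0.0 plus `any-service` on the three trust interfaces; the latter is convenient in a lab but is the first thing to tighten (OSPF is already allowed at zone level by the `host-inbound-traffic protocols ospf` line) before the same configuration is reused anywhere reachable from a real network.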

Configure single area OSPF

It is very straightforward!

root@sulaiman_fp1_10> show configuration | display set | match ospf 
set protocols ospf area 0.0.0.0 interface ge-0/0/0.0 passive
set protocols ospf area 0.0.0.0 interface ge-0/0/1.0
set protocols ospf area 0.0.0.0 interface ge-0/0/2.0
set protocols ospf area 0.0.0.0 interface lo0.0 passive
set security zones security-zone trust host-inbound-traffic protocols ospf

Note: ge-0/0/0.0 and the loopback interface are configured as passive OSPF interfaces (their prefixes are advertised, but no adjacency is formed on them). The loopback address becomes the router ID.

root@sulaiman_fp1_10> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.10.10.11      ge-0/0/1.0             Full      2.2.2.2          128    38
172.16.0.12      ge-0/0/2.0             Full      3.3.3.3          128    33
root@sulaiman_fp2_11> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
10.10.10.10      ge-0/0/1.0             Full      1.1.1.1          128    36
172.31.0.12      ge-0/0/2.0             Full      3.3.3.3          128    33
root@sulaiman_fb3_12> show ospf neighbor 
Address          Interface              State     ID               Pri  Dead
172.16.0.10      ge-0/0/1.0             Full      1.1.1.1          128    39
172.31.0.11      ge-0/0/2.0             Full      2.2.2.2          128    34
root@sulaiman_fb3_12> show route protocol ospf    

inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, - = Last Active, * = Both

1.1.1.1/32         *[OSPF/10] 3w0d 18:00:17, metric 1
                    > to 172.16.0.10 via ge-0/0/1.0
2.2.2.2/32         *[OSPF/10] 3w0d 18:00:07, metric 1
                    > to 172.31.0.11 via ge-0/0/2.0
10.10.10.0/24      *[OSPF/10] 3w0d 18:00:07, metric 2
                    > to 172.16.0.10 via ge-0/0/1.0
                      to 172.31.0.11 via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 3w0d 18:01:32, metric 1
                      MultiRecv

root@sulaiman_fb3_12> ping 10.10.10.11 
PING 10.10.10.11 (10.10.10.11): 56 data bytes
64 bytes from 10.10.10.11: icmp_seq=0 ttl=63 time=10.338 ms
64 bytes from 10.10.10.11: icmp_seq=1 ttl=63 time=10.426 ms
^C
--- 10.10.10.11 ping statistics ---
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max/stddev = 10.338/10.382/10.426/0.044 ms
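The `show route protocol ospf` output above can be reproduced from nothing more than the interface snippets, which is a useful sanity check when an adjacency or a route is missing. The following is an added example (my own code, not from the post or from Junos): it builds the OSPF link-state graph of the three routers from the interface addresses, runs SPF from sulaiman_fb3_12 (router ID 3.3.3.3) while keeping every equal-cost first hop, and returns the routes OSPF would install. It assumes the Junos defaults of metric 1 on a ge- interface and metric 0 on lo0 (which is why the loopbacks show up at metric 1), and that the lo0 address is used as router ID when none is configured; `ROUTERS` is constructed from the `display set` output shown earlier.

```python
"""SPF over the post's three-router topology, built from the interface
snippets above. Added example, not from the post or Junos: it reproduces
why `show route protocol ospf` on sulaiman_fb3_12 lists the two loopbacks
at metric 1 and 10.10.10.0/24 at metric 2 with two equal-cost next hops.
Assumed Junos defaults: OSPF metric 1 on ge- interfaces, 0 on lo0, and
the lo0 address used as router ID when none is configured."""
import heapq
import ipaddress

# Constructed from the `show configuration | display set | match "unit 0"` output in the post.
ROUTERS = {
    "sulaiman_fp1_10": {"ge-0/0/0.0": "10.155.80.10/20", "ge-0/0/1.0": "10.10.10.10/24",
                        "ge-0/0/2.0": "172.16.0.10/24", "lo0.0": "1.1.1.1/32"},
    "sulaiman_fp2_11": {"ge-0/0/0.0": "10.155.80.11/20", "ge-0/0/1.0": "10.10.10.11/24",
                        "ge-0/0/2.0": "172.31.0.11/24", "lo0.0": "2.2.2.2/32"},
    "sulaiman_fb3_12": {"ge-0/0/0.0": "10.155.80.12/20", "ge-0/0/1.0": "172.16.0.12/24",
                        "ge-0/0/2.0": "172.31.0.12/24", "lo0.0": "3.3.3.3/32"},
}
PASSIVE = {"ge-0/0/0.0", "lo0.0"}   # `passive` in the post's OSPF configuration

def metric(ifname):
    return 0 if ifname.startswith("lo0") else 1

def router_id(name):
    return ROUTERS[name]["lo0.0"].split("/")[0]

def prefix_of(cidr):
    return str(ipaddress.ip_interface(cidr).network)

def build_graph():
    """Nodes ('rtr', name) and ('net', prefix); router->net costs the interface
    metric, net->router costs 0 (OSPF pseudo-node model). Passive links are
    stub prefixes, returned as (router, prefix, cost)."""
    adj, stubs = {}, []
    for r, ifaces in ROUTERS.items():
        for ifname, cidr in ifaces.items():
            p = prefix_of(cidr)
            if ifname in PASSIVE:
                stubs.append((r, p, metric(ifname)))
            else:
                adj.setdefault(("rtr", r), []).append((("net", p), metric(ifname), ifname))
                adj.setdefault(("net", p), []).append((("rtr", r), 0, ifname))
    return adj, stubs

def spf(root):
    """Dijkstra from root keeping every equal-cost first hop.
    nh[node] is a set of (neighbour address, outgoing interface)."""
    adj, _ = build_graph()
    start = ("rtr", root)
    dist, nh, seq = {start: 0}, {start: set()}, 0
    heap = [(0, seq, start)]
    while heap:
        d, _, u = heapq.heappop(heap)
        if d > dist[u]:
            continue
        for v, cost, ifname in adj.get(u, []):
            nd = d + cost
            if u == start:                      # leaving the root: remember the egress port
                new_nh = {("connected", ifname)}
            elif u[0] == "net" and any(a == "connected" for a, _ in nh[u]):
                out = next(i for a, i in nh[u] if a == "connected")
                new_nh = {(ROUTERS[v[1]][ifname].split("/")[0], out)}   # neighbour's address on the segment
            else:
                new_nh = nh[u]
            if nd < dist.get(v, float("inf")):
                dist[v], nh[v] = nd, set(new_nh)
                seq += 1
                heapq.heappush(heap, (nd, seq, v))
            elif nd == dist[v]:
                nh[v] |= new_nh                 # equal cost: add the extra next hop (ECMP)
    return dist, nh

def ospf_routes(root):
    """prefix -> (metric, frozenset of next hops) as OSPF would install them;
    prefixes directly connected to root are left out (the direct route wins)."""
    _, stubs = build_graph()
    dist, nh = spf(root)
    connected = {prefix_of(c) for c in ROUTERS[root].values()}
    routes = {}
    for node, d in dist.items():
        if node[0] == "net" and node[1] not in connected:
            routes[node[1]] = (d, frozenset(nh[node]))
    for r, p, cost in stubs:
        if p in connected or ("rtr", r) not in dist:
            continue
        total, hops = dist[("rtr", r)] + cost, frozenset(nh[("rtr", r)])
        if p not in routes or total < routes[p][0]:
            routes[p] = (total, hops)
        elif total == routes[p][0]:
            routes[p] = (total, routes[p][1] | hops)
    return routes

if __name__ == "__main__":
    for prefix, (cost, hops) in sorted(ospf_routes("sulaiman_fb3_12").items()):
        print(prefix, "metric", cost, "via", sorted(hops))
```

The model leaves out the management prefix 10.155.80.0/20 on purpose: every router advertises it as a passive stub, but from fb3's point of view it is directly connected, so the direct route wins in inet.0 and no OSPF route appears, exactly as in the output above. The 224.0.0.5/32 entry is the OSPF multicast receive route, not a computed destination, so it is not modelled either.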

Configure LLDP

In the topology diagram shown above, LLDP links were discovered in addition to the OSPF links. To configure LLDP:

root@sulaiman_fp1_10> show configuration | display set | match lldp    
set protocols lldp interface ge-0/0/1.0
set protocols lldp interface ge-0/0/2.0
root@sulaiman_fp1_10> show lldp neighbors 
Local Interface    Parent Interface    Chassis Id          Port info          System Name
ge-0/0/1.0         -                   4c:96:14:3e:12:80   ge-0/0/1.0         sulaiman_fp2_11     
ge-0/0/2.0         -                   4c:96:14:78:91:80   ge-0/0/1.0         sulaiman_fb3_12
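LLDP also gives you a quick way to verify that each vNIC really landed in the intended port-group: if a network adapter is attached to the wrong vSwitch, the neighbour seen on that interface is not the one from the segment list earlier in the post. The following is an added example (my own code, not from the post or Junos) that parses the `show lldp neighbors` table above and compares it with the intended links; `EXPECTED` is built from the three segments listed in the Setup section, and the "bad" wiring case in the comments is constructed.

```python
"""Check `show lldp neighbors` output against the intended topology.
Added example, not from the post or Junos: a port-group attached to the
wrong vSwitch shows up as a 'mismatch' here instead of as a silently
missing OSPF adjacency."""
import re

# Intended links from the post's three segments: (router, interface) -> (peer, peer interface).
EXPECTED = {
    ("sulaiman_fp1_10", "ge-0/0/1.0"): ("sulaiman_fp2_11", "ge-0/0/1.0"),
    ("sulaiman_fp1_10", "ge-0/0/2.0"): ("sulaiman_fb3_12", "ge-0/0/1.0"),
    ("sulaiman_fp2_11", "ge-0/0/2.0"): ("sulaiman_fb3_12", "ge-0/0/2.0"),
}

# Sample input: the table captured on sulaiman_fp1_10 in the post.
LLDP_OUTPUT = """\
Local Interface    Parent Interface    Chassis Id          Port info          System Name
ge-0/0/1.0         -                   4c:96:14:3e:12:80   ge-0/0/1.0         sulaiman_fp2_11
ge-0/0/2.0         -                   4c:96:14:78:91:80   ge-0/0/1.0         sulaiman_fb3_12
"""

ROW = re.compile(r"^(\S+)\s+(\S+)\s+([0-9a-f:]{17})\s+(\S+)\s+(\S+)\s*$")

def parse_lldp_neighbors(text):
    """{local interface: (system name, port info)} from the Junos table (header skipped)."""
    neighbors = {}
    for line in text.splitlines()[1:]:
        m = ROW.match(line)
        if m:
            local, _parent, _chassis, port, system = m.groups()
            neighbors[local] = (system, port)
    return neighbors

def check_wiring(router, neighbors, expected=EXPECTED):
    """List of (interface, status, detail) for this router; status is 'ok',
    'mismatch', 'missing' (no neighbour seen) or 'unexpected' (neighbour on a
    port that should not face another vSRX)."""
    # Links are symmetric: collect the ones where this router is either end.
    intended = {}
    for (r, iface), (peer, peer_iface) in expected.items():
        if r == router:
            intended[iface] = (peer, peer_iface)
        elif peer == router:
            intended[peer_iface] = (r, iface)
    results = []
    for iface, want in sorted(intended.items()):
        seen = neighbors.get(iface)
        if seen is None:
            results.append((iface, "missing", f"expected {want[0]} {want[1]}"))
        elif seen == want:
            results.append((iface, "ok", f"{seen[0]} {seen[1]}"))
        else:
            results.append((iface, "mismatch", f"expected {want[0]} {want[1]}, saw {seen[0]} {seen[1]}"))
    for iface in sorted(set(neighbors) - set(intended)):
        results.append((iface, "unexpected", f"{neighbors[iface][0]} {neighbors[iface][1]}"))
    return results

if __name__ == "__main__":
    for row in check_wiring("sulaiman_fp1_10", parse_lldp_neighbors(LLDP_OUTPUT)):
        print(*row)
    # Constructed bad case: fp1's ge-0/0/2.0 ended up in the 10.10.10.0/24 port-group.
    miswired = {"ge-0/0/1.0": ("sulaiman_fp2_11", "ge-0/0/1.0"),
                "ge-0/0/2.0": ("sulaiman_fp2_11", "ge-0/0/2.0")}
    for row in check_wiring("sulaiman_fp1_10", miswired):
        print(*row)
```

Because LLDP only needs link-layer reachability, it reports the neighbour even when OSPF has not come up, which separates a vSphere wiring problem from a zone or OSPF configuration problem.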

[Image: topo_lldp_10_11]

Hope you find this post useful! Enjoy Network Virtualization!

Bonus tip: If you have prior experience with ScreenOS, you can take the web-based training “Junos as a Security Language”.

If you find any errors in the post, please contact me. I will be happy to correct it.