22Jul

Deploying vSRX 3.0 (19.1R1) on Openstack

vSRX is the virtual edition of Juniper’s SRX Series physical firewalls, offering the same features in a much lighter package suited to virtual and cloud environments. vSRX 3.0 is the new vSRX architecture that was introduced back in 18.4R1. Many features came with that architecture change, including a greatly improved boot time compared to the old architecture. I’m experimenting with it to demonstrate some features of Contrail, so here’s how to deploy it on Openstack environments.

Get vSRX 3.0 Image

You can download vSRX 3.0 images directly from the Juniper support website here. Make sure to download the qcow2 image file. For this post, I’ll be using 19.1R1-S1.3, but the procedure will likely be similar on all vSRX 3.0 releases. You can also obtain an evaluation license from here.

Create the Config File

When creating the instance, you should provide it with the configuration file to be applied to vSRX. You can boot the instance without a config, but then you would have to do everything manually after boot-up, which is not fun.

The configuration file must start with #junos-config, which is interpreted by cloud-init to apply the configuration during deployment. The following is a sample configuration file. The password for the contrail user is c0ntrail123:

#junos-config
system {
    login {
        user contrail {
            uid 2001;
            class super-user;
            authentication {
                encrypted-password "$6$Iy8/HCH7$lCieBO4EGSAt8P2TOIRgyL2fDkXKRJqDkiTZnWCI.VeXSdEzPi5ENBz4N6yGESnkTFmeGvTYxHqJNMCmSToN40"; ## SECRET-DATA
            }
        }
    }
    root-authentication {
        encrypted-password "$6$Iy8/HCH7$lCieBO4EGSAt8P2TOIRgyL2fDkXKRJqDkiTZnWCI.VeXSdEzPi5ENBz4N6yGESnkTFmeGvTYxHqJNMCmSToN40"; ## SECRET-DATA
    }
    services {
        ssh {
            root-login allow;
        }
        web-management {
            http {
                interface fxp0.0;
            }
        }
    }
    host-name vSRX;
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
            url https://ae1.juniper.net/junos/key_retrieval;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
        }
        security-zone untrust {
            screen untrust-screen;
        }
    }
}
interfaces {
    fxp0 {
        unit 0 {
            family inet {
                dhcp;
            }
        }
    }
}
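A pre-flight check for the user-data file before it is handed to openstack, as an added example that is not part of the original post: it verifies the #junos-config header cloud-init needs, counts password hashes that are not SHA-512 crypt, and flags the two management settings in the sample config (ssh root-login allow, web-management over plain http) that you would want to tighten in anything beyond a lab. The file path vsrx_vm.txt and the demo file contents are assumptions.

```shell
#!/bin/sh
# Pre-flight checks for the cloud-init user-data file (vsrx_vm.txt, assumed
# path) before it is handed to `openstack server create`. Added example, not
# part of the original post.

# 0 if the first line is exactly "#junos-config" (CR stripped in case the file
# was edited on Windows), else 1. cloud-init ignores the config otherwise.
junos_header_ok() {
    [ "$(head -n 1 "$1" | tr -d '\r')" = "#junos-config" ]
}

# Print how many encrypted-password values are not SHA-512 crypt ("$6$").
# Junos also accepts MD5 ("$1$") hashes, which should not be used.
weak_hash_count() {
    grep -o 'encrypted-password "[^"]*"' "$1" | grep -vc '"\$6\$' || true
}

# Warn (on stderr) about risky management settings found in the config and
# print the number of findings on stdout (0 = clean).
audit_mgmt() {
    n=0
    if grep -q 'root-login allow' "$1"; then
        echo "WARN: ssh root-login allow; prefer deny and use a named super-user" >&2
        n=$((n + 1))
    fi
    if grep -q 'http {' "$1" && ! grep -q 'https {' "$1"; then
        echo "WARN: web-management over plain http; prefer https with a certificate" >&2
        n=$((n + 1))
    fi
    echo "$n"
}

# Demo on a constructed file that mirrors the relevant parts of the sample.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
#junos-config
system {
    root-authentication {
        encrypted-password "$6$salt$hash-placeholder"; ## SECRET-DATA
    }
    services {
        ssh { root-login allow; }
        web-management { http { interface fxp0.0; } }
    }
}
EOF
junos_header_ok "$demo_file" && echo "header ok"
echo "weak hashes: $(weak_hash_count "$demo_file")"
echo "management findings: $(audit_mgmt "$demo_file")"
rm -f "$demo_file"
```

Run it against the real vsrx_vm.txt by replacing the demo file; a non-zero findings count is a prompt to review the services block, not a hard failure.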

Create the Flavor

After loading your Openstack RC file:

# openstack flavor create --ram 4096 --disk 20 --vcpus 2 vsrx_small

Create the Image

This image is sized for the minimum requirements to run vSRX. If you intend to run heavier workloads, check the official documentation for other sizing parameters.

# openstack image create vSRX3-19.1R1 --file junos-vsrx3-x86-64-19.1R1-S1.3.qcow2 --disk-format qcow2 --container-format bare --min-disk 20 --min-ram 4096

Deploy vSRX

We will pass the configuration file shown above as a text file called vsrx_vm.txt using the --user-data parameter. The rest of the command is what you would normally use.

# openstack server create --user-data vsrx_vm.txt --image vSRX3-19.1R1 --flavor vsrx_small --nic net-id=4da6a643-9bf2-47c5-9aac-f923cc7d55e5 vSRX_One

Access vSRX from any neighbour node or from the Openstack Dashboard:

[root@deployer vsrx]# openstack server list --name vSRX_One
+--------------------------------------+----------+--------+--------------------------+--------------+------------+
| ID                                   | Name     | Status | Networks                 | Image        | Flavor     |
+--------------------------------------+----------+--------+--------------------------+--------------+------------+
| 5d2fcccb-6df8-4af5-bb60-00499d81159d | vSRX_One | ACTIVE | zone_a_internal=10.1.1.7 | vSRX3-19.1R1 | vsrx_small |
+--------------------------------------+----------+--------+--------------------------+--------------+------------+

[root@centosvm ~]# ssh contrail@10.1.1.7
The authenticity of host '10.1.1.7 (10.1.1.7)' can't be established.
ECDSA key fingerprint is SHA256:EEjaLWtjxIuauDDbDWdKfxSTxDqATYceV5KYBjG+k8Y.
ECDSA key fingerprint is MD5:6a:81:f1:10:00:2a:05:ab:78:3f:96:72:c4:ca:84:69.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '10.1.1.7' (ECDSA) to the list of known hosts.
Password:
--- JUNOS 19.1R1-S1.3 Kernel 64-bit XEN JNPR-11.0-20190305.df99236_buil

contrail@vSRX> show version
Hostname: vSRX
Model: vSRX
Junos: 19.1R1-S1.3
JUNOS OS Kernel 64-bit XEN [20190305.df99236_builder_stable_11]
JUNOS OS libs [20190305.df99236_builder_stable_11]
JUNOS OS runtime [20190305.df99236_builder_stable_11]
................

That’s it. In the next post I’ll talk about establishing BGP between Contrail and this vSRX node. Stay tuned.

3 comments

  1. Mohammed Gismallah

    Hi brother

    I tried it, but it is still very slow. Maybe I did something wrong; can you support me here?

    • Hi Mohammad,

      There are many reasons why the nodes could be slow. For example, if Openstack is deployed on VMs, the resources given to the compute nodes must be adequate, and using KVM instead of QEMU emulation (via nested virtualization) should be considered.
