Setting up your own vSRX lab

Recently, I’ve been having some fun with the vSRX. I wanted to share the lab I created so others can see how easy it is to get things going with the vSRX. The vSRX doesn’t require a lot of resources and it is a really nice way to get acquainted with both the routing and firewalling capabilities that Junos has to offer. Labbing with a vSRX allows you to quickly test and play with routing-protocols (OSPF(v3), IS-IS, BGP), stateful firewalling, NAT, IPsec or even MPLS. This guide offers an insight into how you can setup a lab and it will provide you with some basic configurations to get started yourself.

I used several x3550 hosts, running ESXi, connected to a switch (EX4200):



The lab contains two firewalls and two routers. Each vSRX runs OSPF3 to distribute prefix information for both IPv4 and IPv6:



The vSRX-01 and vSRX-02 are used for firewalling. In between the firewalls, there are the vSRX-router-01 and the vSRX-router-02. These have the flow forwarding mode set to ‘packet based’ instead of ‘flow based’ (basically turning them into routers).

On every vSRX, the first vNIC (ge-0/0/0, not in the picture) was placed into an untagged port-group and it was configured with a management IP:



All other vSRX interfaces (ge-0/0/1 and ge-0/0/2) were placed into a port-group that was tagged:



To deploy the SRX in VMware, go to File > deploy OVF Template > next > next > accept > next > name the VM > next > select cluster > select resource pool > select storage > thin provision it > next (add vNICs and networks later) and finish.

After the VM is created, edit the VM. Add two vNICs so you’ll have a total of three interfaces. Put the first vNIC in the management port-group and place the rest into the tagged port-group. Press start and wait for Junos.

When you boot the vSRX in Vmware for the first time, you can only access it via the console screen. To be able to quickly copy-paste the configuration into the vSRX, the vSRX will need to have an IP address and it needs to be configured for telnet/ssh access. To avoid too much typing, simply make 1 vSRX managable like this:

root
cli
configure
delete
set system host-name vSRX
set system root-authentication plain-text-password
playplay1
set system login user play uid 9999
set system login user play class super-user
set system login user play authentication plain-text-password
playplay1
set system services telnet
set interfaces ge-0/0/0 unit 0 family inet address 10.10.13.200/24
set security zones functional-zone management interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
commit and-quit

Power down this first vSRX and clone it 3 times. Then boot the VMs one by one and copy paste the configuration below into the vSRX:

vSRX-01:
delete
set system host-name vSRX-01
set system root-authentication encrypted-password "$1$brjswqXa$/5315/zMuQuIiUu8kQT8U/"
set system login user play uid 9999
set system login user play class super-user
set system login user play authentication encrypted-password "$1$Z/K/ZEGJ$ydYmwT99wlfVJXgy8ZBhn."
set system services ssh
set system services telnet
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces ge-0/0/0 description mgmt
set interfaces ge-0/0/0 unit 0 family inet address 10.10.13.201/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3009 description vSRX-router-01
set interfaces ge-0/0/1 unit 3009 vlan-id 3009
set interfaces ge-0/0/1 unit 3009 family inet address 192.168.50.2/30
set interfaces ge-0/0/1 unit 3009 family inet6 address 2001:db8::0/127
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 3001 description VM
set interfaces ge-0/0/2 unit 3001 vlan-id 3001
set interfaces ge-0/0/2 unit 3001 family inet address 172.16.0.1/24
set interfaces ge-0/0/2 unit 3001 family inet6 address 2001:db8:1::1/64
set interfaces lo0 unit 0 family inet address 192.168.1.1/32 primary
set interfaces lo0 unit 0 family inet6
set routing-options router-id 192.168.1.1
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/1.3009 interface-type p2p
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/2.3001 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.3009 interface-type p2p
set protocols ospf3 area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/2.3001 passive
set security forwarding-options family inet6 mode flow-based
set security zones functional-zone management interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones functional-zone management interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone wan interfaces ge-0/0/1.3009 host-inbound-traffic system-services ping
set security zones security-zone wan interfaces ge-0/0/1.3009 host-inbound-traffic protocols ospf3
set security zones security-zone wan interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone lan interfaces ge-0/0/2.3001 host-inbound-traffic system-services ping
set security zones security-zone lan interfaces ge-0/0/2.3001 host-inbound-traffic system-services dhcp
set routing-instances management instance-type virtual-router
set routing-instances management interface ge-0/0/0.0
set routing-instances management routing-options static route 0.0.0.0/0 next-hop 10.10.13.1
set applications application junos-telnet inactivity-timeout never
set applications application junos-ssh inactivity-timeout never
vSRX-02:
delete
set system host-name vSRX-02
set system root-authentication encrypted-password "$1$brjswqXa$/5315/zMuQuIiUu8kQT8U/"
set system login user play uid 9999
set system login user play class super-user
set system login user play authentication encrypted-password "$1$Z/K/ZEGJ$ydYmwT99wlfVJXgy8ZBhn."
set system services ssh
set system services telnet
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces ge-0/0/0 description mgmt
set interfaces ge-0/0/0 unit 0 family inet address 10.10.13.202/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 description vSRX-router-02
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 192.168.50.6/30
set interfaces ge-0/0/1 unit 3011 family inet6 address 2001:db8::5/127
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 3002 description VM
set interfaces ge-0/0/2 unit 3002 vlan-id 3002
set interfaces ge-0/0/2 unit 3002 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 3002 family inet6
set interfaces lo0 unit 0 family inet address 192.168.1.2/32
set interfaces lo0 unit 0 family inet6
set routing-options router-id 192.168.1.2
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/1.3011 interface-type p2p
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/2.3002 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.3011 interface-type p2p
set protocols ospf3 area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/2.3002 passive
set security forwarding-options family inet6 mode flow-based
set security policies from-zone wan to-zone wan policy 1 description allow-ping-to-loopback
set security policies from-zone wan to-zone wan policy 1 match source-address any-ipv4
set security policies from-zone wan to-zone wan policy 1 match destination-address loopback
set security policies from-zone wan to-zone wan policy 1 match application junos-ping
set security policies from-zone wan to-zone wan policy 1 then permit
set security zones functional-zone management interfaces ge-0/0/0.0 host-inbound-traffic system-services telnet
set security zones functional-zone management interfaces ge-0/0/0.0 host-inbound-traffic system-services ssh
set security zones security-zone wan address-book address loopback 192.168.1.2/32
set security zones security-zone wan interfaces ge-0/0/1.3011 host-inbound-traffic system-services ping
set security zones security-zone wan interfaces ge-0/0/1.3011 host-inbound-traffic protocols ospf3
set security zones security-zone wan interfaces lo0.0 host-inbound-traffic system-services ping
set security zones security-zone lan interfaces ge-0/0/2.3002
set routing-instances management instance-type virtual-router
set routing-instances management interface ge-0/0/0.0
set routing-instances management routing-options static route 0.0.0.0/0 next-hop 10.10.13.1
set applications application junos-telnet inactivity-timeout never
set applications application junos-ssh inactivity-timeout never
vSRX-router-01:
delete
set system host-name vSRX-router-01
set system root-authentication encrypted-password "$1$brjswqXa$/5315/zMuQuIiUu8kQT8U/"
set system login user play uid 9999
set system login user play class super-user
set system login user play authentication encrypted-password "$1$Z/K/ZEGJ$ydYmwT99wlfVJXgy8ZBhn."
set system services ssh
set system services telnet
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces ge-0/0/0 description mgmt
set interfaces ge-0/0/0 unit 0 family inet address 10.10.13.203/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3009 description vSRX-01
set interfaces ge-0/0/1 unit 3009 vlan-id 3009
set interfaces ge-0/0/1 unit 3009 family inet address 192.168.50.1/30
set interfaces ge-0/0/1 unit 3009 family inet6 address 2001:db8::1/127
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 3010 description vSRX-router-02
set interfaces ge-0/0/2 unit 3010 vlan-id 3010
set interfaces ge-0/0/2 unit 3010 family inet address 10.1.0.1/30
set interfaces ge-0/0/2 unit 3010 family inet6 address 2001:db8::2/127
set interfaces lo0 unit 0 family inet address 10.0.0.1/32
set interfaces lo0 unit 0 family inet6
set routing-options router-id 10.0.0.1
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/2.3010 interface-type p2p
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/1.3009 interface-type p2p
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/2.3010 interface-type p2p
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.3009 interface-type p2p
set protocols ospf3 area 0.0.0.0 interface lo0.0 passive
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set routing-instances management instance-type virtual-router
set routing-instances management interface ge-0/0/0.0
set routing-instances management routing-options static route 0.0.0.0/0 next-hop 10.10.13.1
vSRX-router-02:
delete
set system host-name vSRX-router-02
set system root-authentication encrypted-password "$1$brjswqXa$/5315/zMuQuIiUu8kQT8U/"
set system login user play uid 9999
set system login user play class super-user
set system login user play authentication encrypted-password "$1$Z/K/ZEGJ$ydYmwT99wlfVJXgy8ZBhn."
set system services ssh
set system services telnet
set system syslog user * any emergency
set system syslog file messages any any
set system syslog file messages authorization info
set system syslog file interactive-commands interactive-commands any
set interfaces ge-0/0/0 description mgmt
set interfaces ge-0/0/0 unit 0 family inet address 10.10.13.204/24
set interfaces ge-0/0/1 vlan-tagging
set interfaces ge-0/0/1 unit 3011 description vSRX-02
set interfaces ge-0/0/1 unit 3011 vlan-id 3011
set interfaces ge-0/0/1 unit 3011 family inet address 192.168.50.5/30
set interfaces ge-0/0/1 unit 3011 family inet6 address 2001:db8::4/127
set interfaces ge-0/0/2 vlan-tagging
set interfaces ge-0/0/2 unit 3010 description vSRX-router-01
set interfaces ge-0/0/2 unit 3010 vlan-id 3010
set interfaces ge-0/0/2 unit 3010 family inet address 10.1.0.2/30
set interfaces ge-0/0/2 unit 3010 family inet6 address 2001:db8::3/127
set interfaces ge-0/0/2 unit 3010 family inet6 address 2001:db8:2::1/64
set interfaces lo0 unit 0 family inet address 10.0.0.2/32
set interfaces lo0 unit 0 family inet6
set routing-options router-id 10.0.0.2
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/2.3010 interface-type p2p
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/1.3011 interface-type p2p
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface lo0.0 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/1.3011 interface-type p2p
set protocols ospf3 area 0.0.0.0 interface ge-0/0/2.3010 interface-type p2p
set protocols ospf3 area 0.0.0.0 interface lo0.0 passive
set security forwarding-options family inet6 mode packet-based
set security forwarding-options family mpls mode packet-based
set routing-instances management instance-type virtual-router
set routing-instances management interface ge-0/0/0.0
set routing-instances management routing-options static route 0.0.0.0/0 next-hop 10.10.13.1

After a commit and-quit on every vSRX, reset all of them and check the following:

play@vSRX-01> ping source 192.168.1.1 192.168.1.2 rapid
PING 192.168.1.2 (192.168.1.2): 56 data bytes
!!!!!
--- 192.168.1.2 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max/stddev = 15.037/18.973/20.195/1.974 ms

play@vSRX-02> show security flow session destination-prefix 192.168.1.2
Session ID: 49816, Policy name: 1/4, Timeout: 2, Valid
  In: 192.168.1.1/0 --> 192.168.1.2/39187;icmp, If: ge-0/0/1.3011, Pkts: 1, Bytes: 84
  Out: 192.168.1.2/39187 --> 192.168.1.1/0;icmp, If: .local..0, Pkts: 1, Bytes: 84

This lab is nothing really groundbreaking, but it offers a nice start to get into the vSRX. It is easy to expand the lab start playing with different scenarios. A last example where I make it possible for two VM's to ping each other:

vSRX-01:
set interfaces ge-0/0/2 unit 3001 description VM
set interfaces ge-0/0/2 unit 3001 vlan-id 3001
set interfaces ge-0/0/2 unit 3001 family inet address 172.16.0.1/24
set interfaces ge-0/0/2 unit 3001 family inet6

set security zones security-zone lan address-book address lan-hosts range-address 172.16.1.2 to 172.16.1.45

set system services dhcp pool 172.16.0.0/24 address-range low 172.16.0.2
set system services dhcp pool 172.16.0.0/24 address-range high 172.16.0.45
set system services dhcp pool 172.16.0.0/24 domain-name play.play
set system services dhcp pool 172.16.0.0/24 name-server 8.8.4.4
set system services dhcp pool 172.16.0.0/24 router 172.16.0.1
set system services dhcp pool 172.16.0.0/24 default-lease-time 36000

set security zones security-zone lan interfaces ge-0/0/2.3001 host-inbound-traffic system-services dhcp
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/2.3001 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/2.3001 passive
set security zones security-zone lan interfaces ge-0/0/2.3001 host-inbound-traffic system-services ping
set security zones security-zone lan interfaces ge-0/0/2.3001 host-inbound-traffic system-services dhcp

set security policies from-zone wan to-zone lan policy 1 description allow-ping-all-to-dhcp-range
set security policies from-zone wan to-zone lan policy 1 match source-address any-ipv4
set security policies from-zone wan to-zone lan policy 1 match destination-address lan-hosts
set security policies from-zone wan to-zone lan policy 1 match application junos-ping
set security policies from-zone wan to-zone lan policy 1 then permit

set security policies from-zone lan to-zone wan policy 1 description allow-ping
set security policies from-zone lan to-zone wan policy 1 match source-address lan-hosts
set security policies from-zone lan to-zone wan policy 1 match destination-address any-ipv4
set security policies from-zone lan to-zone wan policy 1 match application junos-ping
set security policies from-zone lan to-zone wan policy 1 then permit
vSRX-02:
set interfaces ge-0/0/2 unit 3002 description VM
set interfaces ge-0/0/2 unit 3002 vlan-id 3002
set interfaces ge-0/0/2 unit 3002 family inet address 172.16.1.1/24
set interfaces ge-0/0/2 unit 3002 family inet6

set security zones security-zone lan address-book address lan-hosts range-address 172.16.1.2 to 172.16.1.45

set system services dhcp pool 172.16.1.0/24 address-range low 172.16.1.2
set system services dhcp pool 172.16.1.0/24 address-range high 172.16.1.45
set system services dhcp pool 172.16.1.0/24 domain-name play.play
set system services dhcp pool 172.16.1.0/24 name-server 8.8.4.4
set system services dhcp pool 172.16.1.0/24 router 172.16.1.1
set system services dhcp pool 172.16.1.0/24 default-lease-time 36000

set security zones security-zone lan interfaces ge-0/0/2.3002 host-inbound-traffic system-services dhcp
set protocols ospf3 realm ipv4-unicast area 0.0.0.0 interface ge-0/0/2.3002 passive
set protocols ospf3 area 0.0.0.0 interface ge-0/0/2.3002 passive
set security zones security-zone lan interfaces ge-0/0/2.3002 host-inbound-traffic system-services ping
set security zones security-zone lan interfaces ge-0/0/2.3002 host-inbound-traffic system-services dhcp

set security policies from-zone wan to-zone lan policy 1 description allow-ping-all-to-dhcp-range
set security policies from-zone wan to-zone lan policy 1 match source-address any-ipv4
set security policies from-zone wan to-zone lan policy 1 match destination-address lan-hosts
set security policies from-zone wan to-zone lan policy 1 match application junos-ping
set security policies from-zone wan to-zone lan policy 1 then permit

set security policies from-zone lan to-zone wan policy 1 description allow-ping
set security policies from-zone lan to-zone wan policy 1 match source-address lan-hosts
set security policies from-zone lan to-zone wan policy 1 match destination-address any-ipv4
set security policies from-zone lan to-zone wan policy 1 match application junos-ping
set security policies from-zone lan to-zone wan policy 1 then permit

After applying this configuration, I started two VMs and I put them into an untagged port-group that matched the vlan-id I used configuring the subinterfaces of the SRX. After sending some traffic from the VM located behind vSRX-01 to the VM located on vSRX-02, I was able to observe the following:



play@vSRX-02> show security flow session destination-prefix 172.16.1.10
Session ID: 4617, Policy name: 1/5, Timeout: 2, Valid
  In: 172.16.0.10/42127 --> 172.16.1.10/1;icmp, If: ge-0/0/1.3011, Pkts: 1, Bytes: 60
  Out: 172.16.1.10/1 --> 172.16.0.10/42127;icmp, If: ge-0/0/2.3002, Pkts: 1, Bytes: 60

Some verification commands I used:

show route terse
show ospf3 neighbor
show system services dhcp pool
show system services dhcp binding
show security flow session
show security flow status
show security flow session summary

I think the vSRX is more than worth your while. First of all, the vSRX runs Junos. This offers a robust and featurific platform. Besides this, the performance offered by the vSRX makes it suitable for a lot of different scenarios that do not require too much IPsec (figures came from the vSRX datasheet):



To really get into the SRX, I can recommend ‘Juniper SRX Series’ or the older 'Junos Security' from the O'Reilly Media. Other than those books, just check the Juniper website for the evaluation download here and start labbing yourself.

1-8-2015