Using Vagrant to Install Juniper Firefly Perimeter (vSRX) in VirtualBox and GNS3

In a previous post, I showed how to create a VirtualBox VM of a Juniper Firefly Perimeter.  It worked, but some of the steps were quite difficult for some users, many readers had trouble getting the interfaces to appear and connect, and converting the VM disk images was a pain.  Fortunately, I found a much simpler way to create the VM in only a few steps: Vagrant.  I had not used Vagrant before today, so there was a bit of a learning curve about what the tool does, but it turned out to be very simple for what I needed.  After installing Vagrant it was as simple as two Vagrant commands and I had my VM up and running.

Many of the steps below were taken from my previous post with a few minor modifications and the replacement of the VM creation steps.

Note: These instructions were run on the same Windows desktop as the previous post, so the paths below are Windows paths; on another OS only the directory paths should differ.

1. Create a directory to store the vagrant files.

md "d:\VirtualBox VMs\vagrant\boxes\juniper.ffp-12.1X47-D15.4"
cd "d:\VirtualBox VMs\vagrant\boxes\juniper.ffp-12.1X47-D15.4"

2. Create the Juniper Firefly Perimeter VM

vagrant init juniper/ffp-12.1X47-D15.4
vagrant up

Once it finishes downloading, booting and configuring, Vagrant prints the details of how to SSH to the vSRX.  Try it by logging in as root with the box's default password, Juniper.  Be patient: it can take a minute after the configuration finishes before the VM accepts the connection.  That password is published along with the box, so keep the VM on NAT or host-only networking and change it with 'set system root-authentication plain-text-password' before the VM touches anything but the lab.

3. Turn off the vSRX VM.

root@% cli
root> request system power-off

4. If you look in VirtualBox now, you will see a new VM with a really long strange name (Vagrant builds it from the directory name, the machine name 'default' and a timestamp).  This is your new vSRX VM.  The first thing to do is rename it to something more recognizable like juniper.ffp-12.1X47-D15.4.

Now to do some more testing, I am going to use GNS3 and add the vSRX in.

1. Start GNS3

2. Add the vSRX VM to the VirtualBox VM list in preferences.
Edit->Preferences->VirtualBox->VirtualBox VMs->New

3. Select the juniper.ffp-12.1X47-D15.4  VM from the list and click finish.

4. Choose the juniper.ffp-12.1X47-D15.4 in the VM list in the preferences and click on the Edit button

  • General settings:
    • Start VM in headless mode
  • Network:
    • Adapters: 4
    • Start at: 0
    • Type: ‘Paravirtualized Network (virt-io net)’

5. Add the juniper.ffp-12.1X47-D15.4 and four VPCS to the canvas.
vSRX e0(ge0/0/0.0) -> PC2 e0
vSRX e1(ge0/0/1.0) -> PC1 e0
vSRX e2(ge0/0/2.0) -> PC4 e0
vSRX e3(ge0/0/3.0) -> PC3 e0

[Image: vsrx-vagrant, the GNS3 topology of the vSRX and four VPCS]

6. Start the vSRX and connect to console.

7. Login and configure the interfaces. For this test, I am configuring ge-0/0/0 as the outside untrust interface (which is the config default) and the other three interfaces will be added to the trust zone.

 root@%
 root@% cli
 root> edit
 Entering configuration mode

[edit]
 root# delete interfaces ge-0/0/0 unit 0 family inet dhcp
 root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
 root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
 root# set interfaces ge-0/0/2 unit 0
 root# set interfaces ge-0/0/3 unit 0
 root# set system services web-management http interface ge-0/0/1.0
 root# set security zones security-zone trust host-inbound-traffic system-services http
 root# set security zones security-zone trust host-inbound-traffic system-services https
 root# set security zones security-zone trust host-inbound-traffic system-services ping
 root# set security zones security-zone trust host-inbound-traffic system-services ssh
 root# set security zones security-zone trust interfaces ge-0/0/1.0
 root# set security zones security-zone trust interfaces ge-0/0/2.0
 root# set security zones security-zone trust interfaces ge-0/0/3.0

8. Commit config

 root# commit

9. Configure two VPCS using their consoles

 PC1> ip 192.168.2.2 192.168.2.1 24
 PC2> ip 192.168.1.2 192.168.1.1 24

10. Test that PC1 can get out but PC2 can’t get in.

#PC1 on trust zone pinging out to PC2
PC1> ping 192.168.1.2
192.168.1.2 icmp_seq=1 ttl=63 time=0.500 ms
192.168.1.2 icmp_seq=2 ttl=63 time=0.500 ms

#PC2 on untrust zone pinging in to PC1
PC2> ping 192.168.2.2
192.168.2.2 icmp_seq=1 timeout
192.168.2.2 icmp_seq=2 timeout

So that is it for this alternative way of creating a Juniper Firefly Perimeter (vSRX) VM.  I hope it is a lot less troublesome than the previous method of converting VM images.

This post ‘Installing Juniper Firefly (vSRX) in VirtualBox using Vagrant’ first appeared on https://techandtrains.com/.


Installing Arista vEOS in VirtualBox and GNS3

Something that I have been looking for, for a while, is a nice software switch that supports not just switching but VLANs as well. Yes, there is Open vSwitch, but I was looking for something more traditional, if that’s the right way to say it. I heard about Arista’s vEOS switch a while back, but back then you could only download it if you were already an Arista customer. Recently I ran across another great post at Radovan Brezula’s blog that shows how to set up Arista’s vEOS, and that’s when I found out that I could download vEOS to try without already being an Arista customer. I swear, this guy likes playing with virtual networking as much as I do.

So below I’ll walk through my steps for setting up vEOS in VirtualBox and then putting it into GNS3 to do some basic VLAN tests.

1. Download vEOS from https://www.arista.com/en/support/software-download . You will need to create an account.
Aboot-veos-serial-2.1.0.iso
vEOS-4.14.2F.vmdk

2. Create a base vEOS VM in VirtualBox

  • General:
    • Name: base-vEOS
    • Type: Linux
    • Version: Other Linux (64bit)
  • System:
    • Memory: 1024MB
    • CPU: 1
  • Hard Drive:
    • IDE Controller
      • HD: Use downloaded vmdk
      • CD: Use downloaded iso
  • Network:
    • Enable all 4 adapters and set the ‘Adapter Type’ to ‘PCNet-FAST III’
  • Audio:
    • Off
  • Serial Ports:
    • Enable Serial Port 1
    • Port Number: COM1
    • Port Mode: Disconnected

3. Boot it up.
The boot is a little slow to start the first time; just wait a minute or so. When it finishes and you have the Login: prompt, you can log in as ‘admin’ with no password.

Now that vEOS boots in VirtualBox, let’s add it to GNS3 for testing.

4. Make two vEOS VMs for use in GNS3

  • Make sure the base-vEOS is shutdown and remove the Aboot-veos-serial-2.1.0.iso from the CD. I had issues cloning while the CD was still attached.
  • My test is going to use two switches, so I cloned (linked clone) base-vEOS two times: vEOS-1 and vEOS-2.
  • Add Aboot-veos-serial-2.1.0.iso back in to each cloned VM.

5. Add to GNS3
Add both new vEOS clones to GNS3 VirtualBox list following
GNS3->Edit->Preferences->VirtualBox->VirtualBox VMs->New

6. After adding both VMs, choose each VM one at a time in the VM list in the preferences and click on the Edit button to set the following.

  • General settings:
    • Start VM in headless mode
  • Network:
    • Adapters: 4 (Adapter0 will be used for the Management1 interface. So when you set the number of adapter you need, add one extra.)
    • Start at: 0
    • Type: ‘PCNet-FAST III’

7. Add both switches to the GNS3 canvas along with four VPCS.
Create links between them
PC1 — vEOS-1 e2
PC2 — vEOS-1 e3
PC3 — vEOS-2 e2
PC4 — vEOS-2 e3
vEOS-2 e1 — vEOS-1 e1

[Image: vEOS-GNS3, the GNS3 topology of the two vEOS switches and four VPCS]

8. Startup and configure

Now start up all the VPCS and vEOS switches.  After they start up, configure a trunk between the two switches and set the interfaces toward the VPCS to access mode.  To test VLANs, I’ll put PC1 and PC3 in one VLAN and PC2 and PC4 in another.
vEOS-1:

hostname vEOS-1
enable secret arista
username admin secret arista
!
vlan 10
exit
vlan 20
exit
!
interface Ethernet1
switchport mode trunk
switchport trunk allowed vlan 10,20
no shutdown
exit
!
interface Ethernet2
switchport mode access
switchport access vlan 10
no shutdown
exit
!
interface Ethernet3
switchport mode access
switchport access vlan 20
no shutdown
exit

vEOS-2:

hostname vEOS-2
enable secret arista
username admin secret arista
!
vlan 10
exit
vlan 20
exit
!
interface Ethernet1
switchport mode trunk
switchport trunk allowed vlan 10,20
no shutdown
exit
!
interface Ethernet2
switchport mode access
switchport access vlan 10
no shutdown
exit
!
interface Ethernet3
switchport mode access
switchport access vlan 20
no shutdown
exit

PC1:

ip 192.168.1.2 /24

PC3:

ip 192.168.1.3 /24

PC2:

ip 192.168.2.2 /24

PC4:

ip 192.168.2.3 /24

9. Test it out
PC1 ping PC3

PC1> ping 192.168.1.3
192.168.1.3 icmp_seq=1 ttl=64 time=59.008 ms
192.168.1.3 icmp_seq=2 ttl=64 time=26.003 ms
192.168.1.3 icmp_seq=3 ttl=64 time=28.504 ms
192.168.1.3 icmp_seq=4 ttl=64 time=27.003 ms
192.168.1.3 icmp_seq=5 ttl=64 time=26.504 ms

PC2 ping PC4

PC2> ping 192.168.2.3
192.168.2.3 icmp_seq=1 ttl=64 time=26.004 ms
192.168.2.3 icmp_seq=2 ttl=64 time=26.503 ms
192.168.2.3 icmp_seq=3 ttl=64 time=26.004 ms
192.168.2.3 icmp_seq=4 ttl=64 time=26.003 ms
192.168.2.3 icmp_seq=5 ttl=64 time=25.503 ms

Well, it works great and does what I need it to do for a special test I want to try out, which I hope to post within the next month.

Enjoy everyone and thanks again to Radovan Brezula.

This post ‘Installing Arista vEOS in VirtualBox and GNS3’ first appeared on https://techandtrains.com/.

Installing Juniper Firefly Perimeter (vSRX) in VirtualBox and GNS3

Note: I have a followup post about doing the same thing but using Vagrant to create the initial VM instead of doing vmdk conversions for those having issues converting the vmdk.

=============================

The following instructions are how I was able to install a Juniper Firefly Perimeter (vSRX) into VirtualBox and then into GNS3 to test it.  There are many similar articles out there; this one at Radovan Brezula’s blog was the most helpful, but these are the steps I took and I am recording them here for safe keeping.  The Firefly Perimeter, also called vSRX, is the virtual firewall of Juniper’s SRX product line of security and firewall devices.  My basic test is to set up a network where a PC on the inside (trust zone) can ping out, but a PC on the outside (untrust zone) can’t ping in.

Note: These instructions are run on my Windows 7 Desktop.  If you are running any other OS, the instructions should be similar except for the path to the binaries.

1. Get OVA file from http://www.juniper.net/support/downloads/?p=firefly#sw

2. Extract contents of OVA file using 7-zip or other extracting tool. You should see something like the following.

certchain.pem
junos-vsrx-12.1X46-D25.7-domestic.cert
junos-vsrx-12.1X46-D25.7-domestic.mf
junos-vsrx-12.1X46-D25.7-domestic.ovf
junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk

3. Convert the vmdk virtual drive to vdi so it can be used by Virtual Box.

"c:\Program Files\Oracle\VirtualBox\VBoxManage.exe" clonehd -format VDI junos-vsrx-12.1X46-D25.7-domestic-disk1.vmdk junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi

4. Create new VM in VirtualBox.  These are the settings I used and work for me.

  • General:
    • Name: base-vSRX
    • Type: Linux
    • Version: Other Linux (32bit)
  • System:
    • Memory: 1024MB
    • CPU: 2  (very important it is not 1 CPU)
    • Enable PAE/NX
    • Enable I/O APIC
  • Hard Drive: IDE Primary master
    • Use an existing virtual hard Drive file (Choose the junos-vsrx-12.1X46-D25.7-domestic-disk1.vdi you converted)
  • Network: (For each adapter you can choose NAT, Bridged, Host-only, etc.)
    • Enable all 4 adapters and set the ‘Adapter Type’ to ‘Paravirtualized Network (virt-io net)’
    • I’m going to set Adapter 1 to Host Only to test connectivity
  • Audio:
    • Off
  • Serial Ports:
    • Enable Serial Port 1
    • Port Number: COM1
    • Port Mode: Disconnected

5. Boot up the VM.

6. The default login is ‘root’ with no password.

7. Test connectivity

 Amnesiac (ttyd0)

login: root

--- JUNOS 12.1X46-D25.7 built 2014-09-06 01:40:34 UTC
 root@% ping -c 2 192.168.56.1
 PING 192.168.56.1 (192.168.56.1): 56 data bytes
 64 bytes from 192.168.56.1: icmp_seq=0 ttl=128 time=6.971 ms
 64 bytes from 192.168.56.1: icmp_seq=1 ttl=128 time=0.875 ms

--- 192.168.56.1 ping statistics ---
 2 packets transmitted, 2 packets received, 0% packet loss
 round-trip min/avg/max/stddev = 0.875/3.923/6.971/3.048 ms

This shows that I can ping from the vSRX to the Virtual Box host only device on the outside.

Now to do some more testing, I am going to use GNS3 and add the vSRX in.
1. Create a clone of the base-vSRX.  I want to keep a clean base for cloning.

  • Name: vSRX-1
  • Check the ‘Reinitialize the MAC address of all network cards’.
  • Linked Clone

2. Start GNS3

3. Add the vSRX-1 VM to the VirtualBox VM list in preferences.
Edit->Preferences->VirtualBox->VirtualBox VMs->New

4. Select the vSRX-1 VM from the list and click finish.

5. Choose the vSRX-1 in the VM list in the preferences and click on the Edit button

  • General settings:
    • Start VM in headless mode
  • Network:
    • Adapters: 4
    • Start at: 0
    • Type: ‘Paravirtualized Network (virt-io net)’

6. Add the vSRX-1 and four VPCS to the canvas.
vSRX e0(ge0/0/0.0) -> PC2 e0
vSRX e1(ge0/0/1.0) -> PC1 e0
vSRX e2(ge0/0/2.0) -> PC4 e0
vSRX e3(ge0/0/3.0) -> PC3 e0

[Image: vsrx, the GNS3 topology of vSRX-1 and four VPCS]

7. Start the vSRX and connect to console.

8. Login and configure the interfaces. For this test, I am configuring ge-0/0/0 as the outside untrust interface (which is the config default) and the other three interfaces will be added to the trust zone.

 root@%
 root@% cli
 root> edit
 Entering configuration mode

[edit]
 root# set system host-name vSRX-1
 root# set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/24
 root# set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/24
 root# set interfaces ge-0/0/2 unit 0
 root# set interfaces ge-0/0/3 unit 0
 root# set system services web-management http interface ge-0/0/1.0
 root# set security zones security-zone trust host-inbound-traffic system-services http
 root# set security zones security-zone trust host-inbound-traffic system-services https
 root# set security zones security-zone trust host-inbound-traffic system-services ping
 root# set security zones security-zone trust host-inbound-traffic system-services ssh
 root# set security zones security-zone trust interfaces ge-0/0/1.0
 root# set security zones security-zone trust interfaces ge-0/0/2.0
 root# set security zones security-zone trust interfaces ge-0/0/3.0

9. Add a new local user and set the root password.  Junos prompts for each password interactively and stores only a hash, and a fresh Firefly will refuse to commit until root-authentication is configured.

 root# set system login user admin class super-user
 root# set system login user admin authentication plain-text-password
 root# set system root-authentication plain-text-password

10. Commit config

 root# commit

11. Configure two VPCS using their consoles

 PC1> ip 192.168.2.2 192.168.2.1 24
 PC2> ip 192.168.1.2 192.168.1.1 24

12. Test that PC1 can get out but PC2 can’t get in.

#PC1 on trust zone pinging out to PC2
PC1> ping 192.168.1.2
192.168.1.2 icmp_seq=1 ttl=63 time=0.500 ms
192.168.1.2 icmp_seq=2 ttl=63 time=0.500 ms

#PC2 on untrust zone pinging in to PC1
PC2> ping 192.168.2.2
192.168.2.2 icmp_seq=1 timeout
192.168.2.2 icmp_seq=2 timeout

So my basic network works for this basic test.  When you use the vSRX in your testing, remember that this is not a plain router but a zone-based firewall: traffic is only forwarded between interfaces whose zones have a security policy permitting it.  So if you are just hooking it up as a router and can’t figure out why nothing works, remember that there are trust and untrust zones, and check which zone your interface is in.
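The pass/fail result above (and the identical one in the Vagrant post) comes from the Firefly's factory-default security policies, not from anything in the interface commands.  The following is an added example, not configuration from the original post: it re-enters those policies so the intent is explicit, logs the sessions the untrust side gets denied, and moves J-Web from plain HTTP to HTTPS on the inside interface.  It assumes the factory-default config and the trust/untrust zone names used above; the syslog file name traffic-log is my choice, and the lines starting with # are annotations for the reader rather than commands to type.

```junos
[edit]
# Root password: a fresh Firefly will not commit without root-authentication,
# and the Vagrant box's published default password should not survive the lab.
set system root-authentication plain-text-password

# trust -> untrust: permit. This is what lets PC1 reach PC2.
set security policies from-zone trust to-zone untrust policy default-permit match source-address any
set security policies from-zone trust to-zone untrust policy default-permit match destination-address any
set security policies from-zone trust to-zone untrust policy default-permit match application any
set security policies from-zone trust to-zone untrust policy default-permit then permit

# untrust -> trust: deny, and log each denied session. This is why PC2's pings
# time out; PC2's echo replies to PC1 still get in because they match the
# session PC1 opened, not a policy lookup.
set security policies from-zone untrust to-zone trust policy default-deny match source-address any
set security policies from-zone untrust to-zone trust policy default-deny match destination-address any
set security policies from-zone untrust to-zone trust policy default-deny match application any
set security policies from-zone untrust to-zone trust policy default-deny then deny
set security policies from-zone untrust to-zone trust policy default-deny then log session-init

# Send the RT_FLOW session logs to their own file so they are easy to find.
set system syslog file traffic-log any any
set system syslog file traffic-log match RT_FLOW_SESSION

# Management: J-Web over HTTPS only, and only on the inside interface.
delete system services web-management http
set system services web-management https system-generated-certificate
set system services web-management https interface ge-0/0/1.0
delete security zones security-zone trust host-inbound-traffic system-services http

commit

# Verify: which interface sits in which zone, the policies in lookup order,
# the live session table while PC1 is pinging, and the deny log while PC2 is.
run show security zones
run show security policies
run show security flow session
run show log traffic-log
```

Run the two VPCS pings again with the verification commands: PC1's ping shows up as a session with an In and an Out wing in 'show security flow session', while PC2's ping creates no session and instead leaves RT_FLOW_SESSION_DENY lines in traffic-log, naming the untrust-to-trust policy that dropped it.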

One note.  I tried to configure the other two ports for switching and create an SVI using the following configuration.
vSRX-1:

 set vlans vlan-trust vlan-id 3
 set vlans vlan-trust l3-interface vlan.0
 set interfaces vlan unit 0 family inet address 192.168.3.1/24
 set interfaces interface-range interfaces-trust member ge-0/0/2
 set interfaces interface-range interfaces-trust member ge-0/0/3
 set interfaces interface-range interfaces-trust unit 0 family ethernet-switching vlan members vlan-trust
 set security zones security-zone trust interfaces vlan.0

VPCS:

PC4> ip 192.168.3.2 192.168.3.1 24
PC3> ip 192.168.3.3 192.168.3.1 24

But I found out afterwards that the vSRX (Firefly Perimeter) platform does not yet support Ethernet switching.
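Since switching is not available on this platform, the way to get PC3 and PC4 onto the trust side is to route them: give ge-0/0/2 and ge-0/0/3 their own subnets instead of an SVI.  This is an added example rather than configuration from the original post; it assumes the configuration committed in step 10 and uses 192.168.3.0/24 and 192.168.4.0/24, which are my choice.  The delete lines clear out the switching attempt if it was left in the candidate config (Junos only warns if the statements are not there), and the # lines are annotations, not commands.

```junos
[edit]
# Undo the switching attempt if any of it is still in the candidate config.
delete vlans vlan-trust
delete interfaces vlan
delete interfaces interface-range interfaces-trust
delete security zones security-zone trust interfaces vlan.0

# One routed subnet per port; the vSRX is the gateway on each.
set interfaces ge-0/0/2 unit 0 family inet address 192.168.3.1/24
set interfaces ge-0/0/3 unit 0 family inet address 192.168.4.1/24

# Both ports stay in the trust zone (already done in step 8; harmless to repeat),
# so the zone's host-inbound-traffic (ping, ssh, https) applies to them too.
set security zones security-zone trust interfaces ge-0/0/2.0
set security zones security-zone trust interfaces ge-0/0/3.0

# Traffic between two trust-zone interfaces is intra-zone, which still needs a
# policy. The factory default already has this trust-to-trust permit; it is
# repeated here so the example does not depend on it.
set security policies from-zone trust to-zone trust policy default-permit match source-address any
set security policies from-zone trust to-zone trust policy default-permit match destination-address any
set security policies from-zone trust to-zone trust policy default-permit match application any
set security policies from-zone trust to-zone trust policy default-permit then permit

commit

# Verify: both connected routes are present and both interfaces are up.
run show route protocol direct
run show interfaces terse ge-0/0/2
run show interfaces terse ge-0/0/3
```

Then on the VPCS consoles set PC4 to 192.168.3.2 with gateway 192.168.3.1 and PC3 to 192.168.4.2 with gateway 192.168.4.1 (the same 'ip' command syntax as above).  PC3 and PC4 should ping each other through the vSRX, and PC2 on the untrust side should still time out against both of them, because the untrust-to-trust deny policy applies to the new subnets exactly as it did to 192.168.2.0/24.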

Anyway, I had fun trying this out and will keep playing with it.  Enjoy.

This post ‘Installing Juniper Firefly (vSRX) in VirtualBox’ first appeared on https://techandtrains.com/.