vSRX

  • 1.  vSRX in EVE-NG

    Posted 11-09-2019 10:32

    Hello all. I am trying to get a simple 2-device topology in EVE-NG up and running with 2 x vSRXs (evaluation version). I am new to Junos and new to EVE.


    For some reason once I go into the CLI I don't see the ge interfaces (e.g. ge-0/0/1) until some time after. Why is this? Should these not show up immediately once the devices are booted up? I have attached a pic showing the topology.


    Eventually they do show and I am able to confirm this with show interfaces terse. I have configured IP addresses in unit 0 inet family on the relevant interfaces on both devices, but now I am unable to ping between devices. Are there any security settings I need to disable? I've included my config below. For convenience I have shown only info from one vSRX as both devices are configured the same, aside from IP addresses.


    Thanks,

    Bav


    root> show version
    Model: vSRX
    Junos: 19.2R1.8


    root> show chassis hardware
    Hardware inventory:
    Item             Version  Part number  Serial number     Description
    Chassis                                f0def23d5270      VSRX
    Midplane
    System IO
    Routing Engine                                           VSRX-S
    FPC 0                                                    FPC
      PIC 0                                                  VSRX DPDK GE
    Power Supply 0


    root> show configuration
    ## Last commit: 2019-11-09 18:05:14 UTC by root
    version 20190606.224121_builder.r1033375;
    system {
        root-authentication {
            encrypted-password "$6$fmYqXH7m$.3aCwVS/i0lD/yOyha/2eLa8dARTS/D..T/MZrOnag9qWgcpVxWiydh9ogQv.GrXp1GW2ExwHLo4tNLJ7MAGv0"; ## SECRET-DATA
        }
        services {
            ssh;
            web-management {
                http {
                    interface fxp0.0;
                }
            }
        }
        syslog {
            user * {
                any emergency;
            }
            file messages {
                any any;
                authorization info;
            }
            file interactive-commands {
                interactive-commands any;
            }
        }
        license {
            autoupdate {
                url https://ae1.juniper.net/junos/key_retrieval;
            }
        }
    }
    security {
        forwarding-options {
            family {
                inet6 {
                    mode packet-based;
                }
                mpls {
                    mode packet-based;
                }
                iso {
                    mode packet-based;
                }
            }
        }
        screen {
            ids-option untrust-screen {
                icmp {
                    ping-death;
                }
                ip {
                    source-route-option;
                    tear-drop;
                }
                tcp {
                    syn-flood {
                        alarm-threshold 1024;
                        attack-threshold 200;
                        source-threshold 1024;
                        destination-threshold 2048;
                        queue-size 2000; ## Warning: 'queue-size' is deprecated
                        timeout 20;
                    }
                    land;
                }
            }
        }
        inactive: policies {
            from-zone trust to-zone trust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
            from-zone trust to-zone untrust {
                policy default-permit {
                    match {
                        source-address any;
                        destination-address any;
                        application any;
                    }
                    then {
                        permit;
                    }
                }
            }
        }
        zones {
            security-zone trust {
                tcp-rst;
            }
            security-zone untrust {
                screen untrust-screen;
            }
        }
    }
    interfaces {
        ge-0/0/2 {
            unit 0 {
                family inet {
                    address 192.168.1.3/24;
                }
            }
        }
        fxp0 {
            unit 0;
        }
    }

    root>




  • 2.  RE: vSRX in EVE-NG

    Posted 11-09-2019 10:34

    For some reason the picture didn't attach. The topology is vSRX1 ge-0/0/1 to vSRX2 ge-0/0/2.



  • 3.  RE: vSRX in EVE-NG

    Posted 11-10-2019 11:30

    hi,

    I have very limited knowledge about EVE-NG, but I think I can pinpoint your issue 🙂


    Regarding the experience where your vSRX is booted but the ge- interfaces are missing until a bit later... that is by design with the separate control plane and forwarding plane. The control plane (routing engine) is booted first and then the forwarding plane is initiated on your vSRX. This creates the delay.


    To allow ping between your devices you should ensure that 'host-inbound-services system-services ping' is allowed in your security zone. Right now nothing is allowed inbound to your vSRX. For a lab you could go with 'all' instead of 'ping' to allow all services.


    I hope this helps getting your topology working.
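    Added example (not part of the thread, and not Juniper's or either poster's configuration): the minimal change that makes the configuration from the first post answer pings, written as set commands, with the 'all' shortcut from the reply above shown beside it. The zone name (trust), the interface (ge-0/0/2.0) and its address (192.168.1.3/24) are taken from the posted config; the peer address 192.168.1.4 and the optional ssh lines are assumptions for illustration. Two things are missing from the posted config: ge-0/0/2.0 is not a member of any zone (an SRX interface that is not in a zone passes no traffic), and the zone has no host-inbound-traffic list. Traffic addressed to the vSRX itself, including ICMP echo, is governed by host-inbound-traffic rather than by security policies, so the deactivated policies in that config are not what blocks the ping. The configuration stanza is 'host-inbound-traffic'.

```junos
# Added example, not from the original thread. Configuration mode on the
# vSRX whose link interface is ge-0/0/2.0; the peer (ge-0/0/1.0) gets the
# mirror image. Zone and interface names are from the posted config.

# 1. Make the link interface a member of a zone. Without this the SRX
#    drops everything arriving on ge-0/0/2.0, regardless of any policy.
set security zones security-zone trust interfaces ge-0/0/2.0

# 2. Permit only what the lab needs toward the box itself: ICMP echo.
set security zones security-zone trust host-inbound-traffic system-services ping

# Lab shortcut from the reply above. It works, but it also exposes ssh,
# http, telnet, netconf and the rest on every interface in the zone:
#   set security zones security-zone trust host-inbound-traffic system-services all

# 3. (Assumption, optional) Keep management on fxp0. If ssh is wanted on the
#    data interface, scope it per interface. Note that an interface-level
#    host-inbound-traffic list replaces the zone-level one for that
#    interface, so ping has to be repeated here.
#   set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ssh
#   set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping

commit

# Checks (operational mode):
#   show chassis fpc pic-status          # FPC/PIC online -> ge- interfaces exist
#   show interfaces terse ge-0/0/2       # unit 0 up, 192.168.1.3/24 present
#   show security zones trust            # ge-0/0/2.0 listed, ping in the inbound list
#   ping 192.168.1.4 count 3             # 192.168.1.4 is the assumed peer address
```

    The ping only needs to be permitted on the side that receives it; since both boxes are configured alike, applying the same lines on the peer (with ge-0/0/1.0) lets either side initiate. Security policies only come into play once a third device sits behind one of the vSRXs and traffic has to transit a zone boundary.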



  • 4.  RE: vSRX in EVE-NG

    Posted 12-08-2019 08:54

    Hi Jonas,


    Thanks for pointing me in the right direction. I've managed to get my lab going. For info this is the config I used.


    cli-admin@my-junos> ...n security zones security-zone trust | display set
    set security zones security-zone trust tcp-rst
    set security zones security-zone trust host-inbound-traffic system-services all
    set security zones security-zone trust host-inbound-traffic protocols all
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all

    cli-admin@my-junos>