Set Up OpenStack Firewall as a Service Plugin for SRX/vSRX
Juniper's OpenStack Neutron Plugin 2.5 has been released recently. The 2.5 release includes support for Firewall-as-a-Service for SRX and vSRX platforms. You can download the plugin and its installation instructions from Juniper’s website. In addition to configuring Juniper’s Neutron plugin, the installation process requires that you configure various Openstack operations.
In a previous article, we showed you how the FWaaS plugin handles different OpenStack operations. In this article, we show you how to set up and configure the FWaaS plugin, and the Layer 2 (VLAN) and Layer 3 (routing) plugins. A reference topology is used to walk you through the steps required to configure Openstack and Juniper’s Neutron plugin. After the installation procedure completes, you should have a working Openstack setup enabled to use Layer 2, Layer 3, and security (firewall) with Juniper’s EX/QFX switches and SRX firewalls. In addition to the configuration aspects, before using Juniper’s Neutron plugin, you must also determine how to set up and scale this infrastructure.
Installing the plugin
Download the plugin from here and install it by entering the following commands:
Ubuntu : dpkg -i python-neutron-plugin-juniper_2.5-R1-181-1_all.deb
RHEL : rpm -ivh neutron-plugin-juniper-2.5_R1_181-1.noarch.rpm
The following diagram is used as the reference topology for this article:
Juniper’s FWaaS plugin works in conjunction with Juniper’s Layer 2 (ML2 mechanism driver) and Layer 3 neutron plugins to create the underlying network. As a result, you should configure the Layer 2 and Layer 3 plugins before you configure the FWaaS plugin.
Initial Configuration
In the reference topology, there are three switches (Switch1, Switch2, and Aggregation Switch) and one SRX device.
- At the Aggregation Switch, set all of the necessary ports to Trunk All mode.
- Similarly, you should also set Switch1: ge-0/0/2 and Switch2: ge-0/0/1 to Trunk All mode.
- Enable vlan-tagging on port ge-0/0/10 of the SRX.
Configuring the Juniper Layer 2 (ML2) plugin
You can find the configuration information for the Juniper Layer 2 plugin here.
IMPORTANT: Before beginning the installation process, please read through the instructions and install the necessary prerequisites.
Step 1: Configuring Openstack for ML2
Configure OpenStack to use the ML2 plugin with the VLAN type driver. On the OpenStack controller, open the file /etc/neutron/neutron.conf and set the core plugin as follows:
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
Step 2: Setting the Juniper ML2 Plugin as a mechanism driver
On Openstack Controller, update the ML2 configuration file /etc/neutron/plugins/ml2/ml2_conf.ini and set Juniper’s ML2 plugin as the mechanism driver:
[ml2]
type_drivers = vlan
mechanism_drivers = openvswitch,juniper
tenant_network_types = vlan
# Also define the VLAN range and the physical network alias to be used.
[ml2_type_vlan]
network_vlan_ranges = physnet1:1001:1200
Step 3: Adding switches to the topology
The Juniper plugin installs CLI commands that you can use to configure the topology. To add a device to the topology, enter the following command:
jnpr_device add -d <device_name (or) IP>
-c {switch, router, firewall}
-u <username>
-p <devicepassword>
In the reference topology, the two switches (Switch1 and Switch2) are connected to the hypervisors. Enter the following statements to add and list the switches:
Adding Switch1:
Adding Switch2:
Listing the added switches:
Step 4: Defining the NIC to the physical_network mapping for each hypervisor
In OpenStack, you generally define an alias for the physical network and its associated bridge with the following configuration in /etc/neutron/plugins/ml2/ml2_conf.ini on the Network Node and on every compute node:
[ovs]
tenant_network_type = vlan
bridge_mappings = physnet1:br-eth1
Because the bridge br-eth1 can be connected to any physical interface, you must add the link between the bridge br-eth1 and the physical interface to the topology by entering the following command:
jnpr_nic_mapping add -H <Compute hostname>
-b <physical_network alias name>
-n NIC
Adding Hypervisor1
Adding Hypervisor 2
Adding Hypervisor 5 (note that it is mapped as physnet1 -- br-eth1 -- eth2)
Adding Hypervisor 6
Adding Network Node
Listing all the Mappings
Step 5: Defining the mapping from the compute to the switch
To configure the VLANs on the switches, the ML2 plugin must know the switch port to which each hypervisor's Ethernet interface is connected. This gives the plugin an end-to-end view of the topology: physnet1 -- br-eth1 -- eth1 -- Switch-x: ge-0/0/x. You can supply this information either by enabling LLDP or by configuring it with the provided CLI. For this article, we use the provided CLI.
jnpr_switchport_mapping add -h <compute hostname>
-n NIC
-s <Switch IP/Name>
-p <Switch Port>
Mapping Hypervisor 1 to Switch 1
Mapping Hypervisor 2 to Switch 1
Mapping Hypervisor 5 to Switch 2
Mapping Hypervisor 6 to Switch 2
Mapping Network Node to Switch 2
Listing all the Mappings
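As an added example (not code from the article or from the plugin), the following Python check cross-references the three tables that the jnpr_device, jnpr_nic_mapping and jnpr_switchport_mapping commands above build, using the hosts and switches of the reference topology; the NIC names, switch port numbers and the SRX device name are placeholders. It catches the mistakes that otherwise surface only when the plugin fails to program a VLAN: a switch port mapping that names a switch never added, a NIC with no physnet mapping, a NIC with no switch port, and two hosts claiming the same switch port.

```python
# Constructed sample: device and host names follow the article's reference
# topology; the NIC names and switch port numbers are placeholders, not
# values from the page.

# jnpr_device add -d <name> -c <class> -u <user> -p <password>
DEVICES = [("Switch1", "switch"), ("Switch2", "switch"), ("SRX1", "firewall")]

# jnpr_nic_mapping add -H <host> -b <physnet alias> -n <NIC>
NIC_MAPPINGS = [
    ("Hypervisor1", "physnet1", "eth1"),
    ("Hypervisor2", "physnet1", "eth1"),
    ("Hypervisor5", "physnet1", "eth2"),  # physnet1 -- br-eth1 -- eth2
    ("Hypervisor6", "physnet1", "eth1"),
    ("NetworkNode", "physnet1", "eth1"),
]

# jnpr_switchport_mapping add -h <host> -n <NIC> -s <switch> -p <port>
SWITCHPORT_MAPPINGS = [
    ("Hypervisor1", "eth1", "Switch1", "ge-0/0/3"),
    ("Hypervisor2", "eth1", "Switch1", "ge-0/0/4"),
    ("Hypervisor5", "eth2", "Switch2", "ge-0/0/3"),
    ("Hypervisor6", "eth1", "Switch2", "ge-0/0/4"),
    ("NetworkNode", "eth1", "Switch2", "ge-0/0/5"),
]


def check_topology(devices, nic_mappings, switchport_mappings):
    """Return a list of problems; an empty list means the three tables agree."""
    problems = []
    switches = {name for name, cls in devices if cls == "switch"}
    host_nics = {(host, nic) for host, _physnet, nic in nic_mappings}
    port_owner = {}   # (switch, port) -> host that claimed it first
    mapped = set()
    for host, nic, switch, port in switchport_mappings:
        if switch not in switches:
            problems.append(f"{host}: {switch} was never added as a switch with jnpr_device")
        if (host, nic) not in host_nics:
            problems.append(f"{host}: {nic} has no jnpr_nic_mapping entry")
        owner = port_owner.setdefault((switch, port), host)
        if owner != host:
            problems.append(f"{switch} {port}: claimed by both {owner} and {host}")
        mapped.add((host, nic))
    # a NIC mapped to a physnet but to no switch port leaves the plugin unable to program VLANs
    for host, nic in sorted(host_nics - mapped):
        problems.append(f"{host}: {nic} has no jnpr_switchport_mapping entry")
    return problems
```

Run it against the output of the three list commands before moving on to the Layer 3 plugin; every entry in the returned list is a mapping to fix.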
Configuring the Neutron Layer 3 plugin
Step 1: Configuring Neutron to use Juniper’s Layer 3 service plugin
Update the Neutron configuration file /etc/neutron/neutron.conf file with the following:
service_plugins = neutron.services.juniper_l3_router.dmi.l3.JuniperL3Plugin
Step 2: Adding the router to the topology
The plugin expects the SRX device to provide both the routing and firewall services. As shown in the previous reference topology, enter the following command to add the router:
IMPORTANT: To avoid future misconfiguration issues, when you configure an SRX device as a router, you must configure it as a firewall.
Step 3: Defining the downlink port on the SRX device on which the RVI is created by the plugin
Update the plugin database with the port on the SRX device to which the Aggregation Switch is connected.
jnpr_device_port -d <SRX device name/ip>
-p <port on the SRX>
-t <port_type: Downlink>
Adding the downlink port of the SRX device to the topology
Configuring the FWaaS plugin
To access the FWaaS plugin configuration documentation, click here.
Step 1: Configuring Neutron to use Juniper’s Layer 3 and FWaaS service plugins
Update the Neutron configuration file /etc/neutron/neutron.conf with the following:
service_plugins = neutron.services.juniper_l3_router.dmi.l3.JuniperL3Plugin,neutron.services.juniper_fwaas.dmi.fwaas.JuniperFwaaS
Step 2: Adding the firewall to the topology
The plugin expects the SRX device to provide both the routing and firewall services. If you completed step 2 of the Layer 3 plugin configuration, the firewall has already been added to the topology.
Step 3: Enabling the Horizon user interface to show the Firewall panel
To display the Firewall panel under the Networks group in the Horizon user interface, open /usr/share/openstack-dashboard/openstack_dashboard/local/local_settings.py and set enable_firewall to True in the OPENSTACK_NEUTRON_NETWORK dictionary:
'enable_firewall': True,
After you have completed the Layer 2, Layer 3, and FWaaS plugin configurations, restart the following:
- Neutron server
  - Ubuntu: service neutron-server restart
  - CentOS: systemctl restart neutron-server
- Apache (restarts Horizon)
  - Ubuntu: service apache2 restart
  - CentOS: systemctl restart httpd
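Before the restart, it is worth confirming that the edits made in the steps above agree with each other. The following added pre-flight check (example code, not from the article or from Juniper) parses the neutron.conf and ml2_conf.ini settings and flags the FWaaS plugin listed without the Layer 3 plugin, a missing juniper mechanism driver, an invalid network_vlan_ranges entry, and a physical network alias that has a VLAN range but no bridge mapping; the sample file contents are constructed from the values shown in this article.

```python
import configparser
import re
# Constructed sample contents, taken from the settings shown in the article.
NEUTRON_CONF = """[DEFAULT]
core_plugin = neutron.plugins.ml2.plugin.Ml2Plugin
service_plugins = neutron.services.juniper_l3_router.dmi.l3.JuniperL3Plugin,neutron.services.juniper_fwaas.dmi.fwaas.JuniperFwaaS
"""
ML2_CONF = """[ml2]
type_drivers = vlan
mechanism_drivers = openvswitch,juniper
tenant_network_types = vlan
[ml2_type_vlan]
network_vlan_ranges = physnet1:1001:1200
[ovs]
bridge_mappings = physnet1:br-eth1
"""
L3_PLUGIN = "neutron.services.juniper_l3_router.dmi.l3.JuniperL3Plugin"
FWAAS_PLUGIN = "neutron.services.juniper_fwaas.dmi.fwaas.JuniperFwaaS"


def _csv(value):
    return [v.strip() for v in value.split(",") if v.strip()]


def check_config(neutron_text, ml2_text):
    """Return a list of problems; an empty list means the files agree with the procedure."""
    n = configparser.ConfigParser()
    n.read_string(neutron_text)
    m = configparser.ConfigParser()
    m.read_string(ml2_text)
    problems = []
    plugins = _csv(n.get("DEFAULT", "service_plugins", fallback=""))
    if FWAAS_PLUGIN in plugins and L3_PLUGIN not in plugins:
        problems.append("FWaaS service plugin listed without the Juniper L3 plugin")
    if "juniper" not in _csv(m.get("ml2", "mechanism_drivers", fallback="")):
        problems.append("juniper is missing from [ml2] mechanism_drivers")
    # network_vlan_ranges entries are alias:low:high with 1 <= low <= high <= 4094
    physnets = set()
    for entry in _csv(m.get("ml2_type_vlan", "network_vlan_ranges", fallback="")):
        mo = re.fullmatch(r"([\w-]+):(\d+):(\d+)", entry)
        if not mo or not 1 <= int(mo[2]) <= int(mo[3]) <= 4094:
            problems.append(f"bad network_vlan_ranges entry: {entry}")
        else:
            physnets.add(mo[1])
    # every physical network alias with a VLAN range needs a bridge on the nodes
    bridged = {e.partition(":")[0] for e in _csv(m.get("ovs", "bridge_mappings", fallback=""))}
    for physnet in sorted(physnets - bridged):
        problems.append(f"{physnet} has a VLAN range but no [ovs] bridge_mappings entry")
    return problems
```

To check a real deployment, pass the contents of /etc/neutron/neutron.conf and /etc/neutron/plugins/ml2/ml2_conf.ini instead of the constructed strings.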
You should now have a fully functioning installation with Juniper’s Layer 2 mechanism driver, Layer 3, and FWaaS plugins configured. For questions or more information, contact the plugin team at quantum-plugin-support@juniper.net.