
    Configuring cSRX in a Contrail Service Chain

    This section outlines the steps to install and configure the cSRX Container Firewall as a dedicated compute node in a Contrail service chain. You use Contrail to chain various Layer 2 through Layer 7 services such as firewall, NAT, and IDP through the cSRX containers.

    Before You Begin

    Before you deploy the cSRX Container Firewall as an advanced security service in the Contrail Networking cloud environment, ensure that you:

    Configuring the Docker Registry and Compute Node

    This topic describes how to configure the Docker registry on the control node and install the cSRX-Contrail software package on the compute node. The cSRX-Contrail software package automates installation of the necessary software to the control node and compute node required to use the cSRX container.

    To configure the Docker registry server and the compute node:

    1. Install and configure the Docker Engine on the control node to implement the Linux container environment. Docker installation requirements vary based on the platform and the host OS (Ubuntu, Red Hat Enterprise Linux (RHEL), or CentOS).

      See Install Docker for installation instructions on the different supported Linux host operating systems.

    2. Copy the cSRX-Contrail software package to the control node and extract it.

      [root@eng-shell6 ~/contrail_csrx]$ ls
      container-srx-contrail.tgz
      [root@eng-shell6 ~/contrail_csrx]$ pwd
      /homes/user/contrail_csrx
    3. On the control node, configure and install the cSRX-Contrail software package.

      root@ubtvm02:~/container-srx-contrail# ./configure --with-registry --registry-addr 10.208.29.2

       
      Maximum instances per node:    2
      Registry server name:          csrx-registry
      Registry server IP address:    10.208.29.2
      Registry port number:          5050
      Registry user name:            regress
      Registry password:             MaRtInI
      root@ubtvm02:~/container-srx-contrail# ./install  
      cp -rf ./etc/csrx/* /etc/csrx
      cp -f bin/csrx-configure-compute /usr/bin/
      cp -f bin/csrx-configure-control /usr/bin/
      cp -f bin/csrx-gen-cert        /usr/bin/
      cp -f bin/csrx-run-registry    /usr/bin/
      root@ubtvm02:~/container-srx-contrail# csrx-
      csrx-configure-compute  csrx-configure-control  csrx-gen-cert  csrx-run-registry
      
    4. Start the Docker registry service on the control node.

      root@ubtvm02:~/container-srx-contrail# csrx-run-registry

       
      Stop and remove existing registry ...
      ….
      Starting registry server
      ..
      root@ubtvm02:~/container-srx-contrail#  csrx-configure-control   
      Start to configure docker registry client....
      ..
      ..
      Login Succeeded
    5. Configure the cSRX compute nodes.

      Note: csrx-configure-compute enables the cSRX compute nodes to receive information from /opt/contrail/utils/fabfile/testbed/testbed.py and to configure them automatically.

      root@ubtvm02:~/container-srx-contrail# csrx-configure-compute

       
      [info][10.208.29.1]:Uploading file /etc/csrx/novadocker.patch
      [info][10.208.29.1]:Uploading file /etc/csrx/profile
      [info][10.208.29.1]:Uploading file /etc/csrx/csrx-configure-local
      [info][10.208.29.1]:Uploading file /etc/csrx/cert/csrx-registry.crt
      [info][10.208.29.1]:chmod u+x /usr/bin/csrx-configure-local
      [info][10.208.29.1]:/usr/bin/csrx-configure-local
       
      [info][10.208.29.1]:/usr/bin/csrx-configure-local
      Start to configure docker registry client....
      Updating certificates in /etc/ssl/certs... 0 added, 0 removed; done.
      Running hooks in /etc/ca-certificates/update.d....done.
      docker stop/waiting
      docker start/running, process 25081
       
      [info][10.208.29.1]:Configure registry client done.
      Now Login to csrx-registry:5050
      docker login -u regress -p MaRtInI -e xxx@juniper.net csrx-registry:5050
      WARNING: login credentials saved in /root/.dockercfg.
      Login Succeeded
      Start to configure huge page ...
      ….
      …
      Patching novadocker ...
      patching file driver.py
      /usr/bin/csrx-configure-local done!
      

    Creating an Availability Zone for the cSRX Container

    Contrail creates a separate Nova availability zone (nova/docker) for compute nodes deployed with DockerDriver. An availability zone is an aggregate of the compute nodes running Docker services, and you add the Docker compute nodes to it. The cSRX container needs such an availability zone to start the cSRX services: when you launch the cSRX, you specify the availability zone so that the container is scheduled onto a Docker compute node.

    Note: An availability zone is necessary only when your environment includes a mixture of KVM and Docker compute nodes.

    This topic outlines how to create a new availability zone for the cSRX and then add the compute node to it. An availability zone can be created with the nova command or from the OpenStack Dashboard (Horizon).

    To create an availability zone for cSRX using the nova commands:

    1. Create a host aggregate that is exposed as the availability zone using the nova aggregate-create command.

      root@ubtvm02:~# source /etc/contrail/openstackrc

      root@ubtvm02:~# nova aggregate-create aggregate-docker az-docker

      root@ubtvm02:~# ……

      root@ubtvm02:~# nova aggregate-list

       
      +----+-----------------+-------------------+
      | Id | Name            | Availability Zone |
      +----+-----------------+-------------------+
      | 1  | aggregate-docker | az-docker         |
      +----+-----------------+-------------------+
      
    2. Add a host to the host aggregate using the nova aggregate-add-host command.

      root@ubtvm02:~# nova aggregate-add-host 1 ubtvm01

       
      Aggregate 1 has been successfully updated.
      
    3. Check the availability zone with the nova aggregate-details command.

      root@ubtvm02:~# nova aggregate-details 1

       
      +----+-----------------+-------------------+-----------+-------------------------------+
      | Id | Name            | Availability Zone | Hosts     | Metadata                      |
      +----+-----------------+-------------------+-----------+-------------------------------+
      | 1  | aggreate-docker | az-docker         | 'ubtvm01' | 'availability_zone=az-docker' |
      

    To create an availability zone for cSRX using the OpenStack Dashboard (Horizon):

    1. Log in to the Dashboard.
    2. Open the System tab and click the Host Aggregates category.
    3. In the Create Host Aggregate page (see Figure 1), enter or select the following values in the Host Aggregate Information tab:
      • Name: The host aggregate name. When you create a host aggregate, you have the option of providing an availability zone name.

      • Availability Zone: The cloud provider defines the default availability zone, such as us-west.

      Figure 1: Create Host Aggregate Dialog Box

    4. Click Create Host Aggregate to create the host aggregate.
    5. Check the availability zone on the Host Aggregates screen (see Figure 2).

      Figure 2: Host Aggregates Screen


    Importing the cSRX Image

    To launch a cSRX container based on the images stored in the Openstack Image service (or Glance), you must first add the cSRX image from the Juniper Internal Docker registry. Glance provides discovery, registration, and delivery services for disk and server images. The cSRX image is automatically pulled from the Docker registry to the compute node when a cSRX instance is initially launched.

    The cSRX image is available as a cSRX Docker file from the Juniper Internal Docker registry.

    To import the cSRX image file to the Openstack Glance image service:

    1. Log in to the Juniper Internal Docker registry using the login name and password that you received as part of the sales fulfillment process when ordering cSRX.

      root@ubtvm02:~# docker login hub.juniper.net -u <username> -p <password>

    2. Pull the cSRX image from the Juniper Internal Docker registry.

      root@ubtvm02:~# docker pull hub.juniper.net/security/csrx:<version>

      For example, to pull cSRX image version 18.1R1.0:

      root@ubtvm02:~# docker pull hub.juniper.net/security/csrx:18.1R1.0

    3. Tag the cSRX source image with the name of the Docker registry on the control node and push it there. The cSRX registry is a service installed on the control node that automates the distribution of the cSRX image to the other compute nodes in the Contrail Networking cloud environment.

      root@ubtvm02:~# docker tag csrx:18.1R1.0 csrx-registry:5050/csrx:18.1R1.0

      root@ubtvm02:~# docker images

      REPOSITORY                TAG                 IMAGE ID            CREATED             SIZE
      csrx                      18.1R1.0            918aa1636f22        27 hours ago        799 MB
      csrx-registry:5050/csrx   18.1R1.0            918aa1636f22        27 hours ago        799 MB
      … …
      

      root@ubtvm02:~# docker push csrx-registry:5050/csrx:18.1R1.0

      ……
      096c5913d0b0: Pushed 
      
    4. Import the cSRX image to the Openstack Glance image service using the appropriate values for your Contrail environment and disk image.

      root@ubtvm02:~# source /etc/contrail/openstackrc

      root@ubtvm02:~# docker save csrx-registry:5050/csrx:18.1R1.0 | glance image-create --container-format=docker --disk-format=raw --name csrx-registry:5050/csrx:18.1R1.0

    5. Check the Openstack Glance image using the nova image-list command.

      root@ubtvm02:~# nova image-list

      ..
      …
      | | fd4532bc-edfe-4fe6-835f-20304f53c115 | csrx-registry:5050/csrx:18.1R1.0 | ACTIVE |    
      

      You can also check the Glance image from the Images page (see Figure 3) of the OpenStack Dashboard (Horizon).

      Figure 3: Images Screen


    Creating Virtual Networks in Contrail

    The cSRX container requires three virtual networks: one virtual network for out-of-band management sessions, and the other two virtual networks to receive and transmit in-band data traffic. You create a left, right, and management virtual network on Contrail, and then connect the cSRX to the virtual networks. You create networks and network policies at the user dashboard of Contrail, then associate policies with each network. The trusted and untrusted interfaces required by a cSRX container are connected to eth1 and eth2.

    Note: If there is already a virtual network created in your Contrail Networking cloud environment, the cSRX container can be launched and attached to the existing virtual networks. Virtual networks can be shared across different tenants.

    This topic summarizes how to create the three virtual networks required by the cSRX container: mgt-vn (eth0), west-vn (eth1), and east-vn (eth2). mgt-vn is used by the cSRX for out-of-band management, accepting management sessions and traffic; west-vn and east-vn are used by the cSRX as the two revenue ports that process in-band data traffic (the ge-0/0/0 and ge-0/0/1 interfaces).

    Figure 4 illustrates three virtual networks used by a cSRX in an East West firewall.

    Figure 4: cSRX Virtual Networks in an East West Firewall Use Case

    For the procedure on creating a virtual network in Contrail, see Creating a Virtual Network with Juniper Networks Contrail.

    Note: This procedure assumes that “left” and “right” VMs exist in your Contrail virtual network.

    To create the virtual networks required by cSRX:

    1. Before creating a virtual network, ensure that you have IP Address Management (IPAM) set up for your project. Select Configure > Networking > IP Address Management, and then click the Create button.
    2. From the Contrail GUI, select Configure > Networking > Networks to access the Configure Network page. The list of existing networks appears.
    3. Click the Create Network (+) icon. The Create Network page appears (see Figure 5).

      Figure 5: Create Network Page

    4. Enter a name for the virtual network (mgt-vn (eth0), west-vn (eth1), or east-vn (eth2)).

      Do not select a network policy yet. You create the network policy after you create the service instance and then you update this virtual network to add the policy.

    5. Expand Subnet and click + to add IPAM to this virtual network.
    6. Select the appropriate IPAM from the list.
    7. Set the CIDR and Gateway fields. Depending on the virtual network you are creating, ensure that the eth0 network address is assigned to the mgt-vn, the ge-0/0/0 network address is assigned to the “left” network, and the ge-0/0/1 network address is assigned to the “right” network.
    8. Expand Advanced Options and select appropriate options for your network.

      Note: When creating a virtual network for west-vn (eth1) and east-vn (eth2), ensure that you enable Advanced Options. This is a requirement for Layer 2 forwarding.

    9. Click Save. The new virtual network appears in the list of configured networks.
    10. Repeat this procedure for the remaining virtual networks required by the cSRX container.
    11. Verify the completed virtual networks for the cSRX container in the Networks page (see Figure 6).

      Figure 6: Completed Virtual Networks for cSRX


    Launching the cSRX Container

    Launch the cSRX container in Openstack using the nova boot CLI command. You have a series of cSRX environment variables that enable you to modify operating characteristics of the cSRX container when it is launched.

    You can modify:

    • Initial root account password to log in to the cSRX container using SSH

    • cSRX container size (small, medium, or large)

    • Packet I/O driver (polled or interrupt)

    • CPU affinity for cSRX control and data daemons

    • Address Resolution Protocol (ARP) and Neighbor Discovery Protocol (NDP) entry timeout values

    Note: Specification of an environment variable is not mandatory when launching the cSRX container; most environment variables have a default value as shown in cSRX Initiation Configuration and Environment Variables. You can launch the cSRX using the default environment variable settings.

    To launch the cSRX container:

    1. Use the nova boot command to launch the cSRX container. If you intend to log in to the cSRX container using SSH, you must specify an initial root password when launching the cSRX.

      Metadata is a set of key-value pairs that you can specify when you launch a compute instance in Openstack. For the cSRX container, the metadata is used to pass one or more environment variables when you launch the cSRX. Any environment variable supported by the cSRX container can be passed to the cSRX by including the --meta option in the nova boot command.

      cSRX Initiation Configuration and Environment Variables summarizes the list of available cSRX environment variables along with a link to the topic that outlines its usage.

      For example:

      root@csrx-ubuntu3:~/csrx# nova boot --image csrx-registry:5050/csrx:18.1R1.0 --flavor m1.small --availability-zone az-docker --nic net-id=039e73e4-6033-4851-8379-21e1cedf1a30 --nic net-id=326eb329-1e66-46b7-8438-a8f41c88bec9 --nic net-id=3e744a74-2579-455f-aea9-92e0655abec6 --meta CSRX_SIZE=middle --meta CSRX_ROOT_PASSWORD=<password> --meta CSRX_PACKET_DRIVER=interrupt --meta csrx-fw

    2. Confirm that the cSRX container is listed as a running Docker container.

      root@csrx-ubuntu3:~/csrx# nova list

      CONTAINER ID        IMAGE               COMMAND                CREATED             STATUS              PORTS              NAMES
      35e33e8aa4af        csrx                "/etc/rc.local init"   7 minutes ago       Up 7 minutes        22/tcp, 830/tcp    csrx2

    3. Confirm that the cSRX container is up and running. You should see the expected Junos OS processes, such as nsd, srxpfe, and mgd.

      root@csrx-ubuntu3:~/csrx# docker top csrx2

       
      UID                 PID                 PPID                C                   STIME               TTY                 TIME                CMD
      root                1809                1788                0                   07:51               pts/0               00:00:00            /bin/bash -e /etc/rc.local init
      root                2271                1809                0                   07:51               ?                   00:00:00            /usr/sbin/rsyslogd -M/usr/lib/rsyslog
      root                2290                1809                0                   07:51               ?                   00:00:00            /usr/sbin/sshd
      root                2308                1809                0                   07:51               ?                   00:00:00            /usr/bin/monit
      root                2314                1809                0                   07:51               ?                   00:00:00            /usr/sbin/nstraced
      root                2325                1809                0                   07:51               ?                   00:00:00            /usr/sbin/nsd
      root                2335                1809                14                  07:51               ?                   00:00:02            /usr/sbin/appidd -N
      root                2349                1809                0                   07:51               ?                   00:00:00            /usr/sbin/idpd -N
      root                2358                1809                0                   07:51               ?                   00:00:00            /usr/sbin/wmic -N
      root                2366                1809                0                   07:51               ?                   00:00:00            /usr/sbin/useridd -N
      root                2380                1809                0                   07:51               ?                   00:00:00            /usr/sbin/mgd
      root                2439                1809                96                  07:51               ?                   00:00:17            /usr/sbin/srxpfe -a -d
      root                2467                1809                0                   07:51               ?                   00:00:00            /usr/sbin/utmd -N
      root                2488                1809                0                   07:51               ?                   00:00:00            /usr/sbin/kmd
      root                2623                1809                0                   07:51               pts/0               00:00:00            /bin/bash
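The launch metadata in step 1 and the process check in step 3 can be scripted. The following helper is an added example, not code from the cSRX or Contrail documentation: csrx_meta_args validates the environment variable values this page lists (CSRX_SIZE small, medium or large; CSRX_PACKET_DRIVER polled or interrupt) and emits the --meta arguments for nova boot, taking the root password from the CSRX_ROOT_PASSWORD shell variable instead of the typed command line; csrx_check_daemons reads docker top output and confirms the expected Junos daemons (nsd, srxpfe, mgd) are present. The sample docker top output inside it is constructed, not captured from a real container.

```shell
#!/bin/sh
# Added helper, not part of the cSRX or Contrail documentation.
# csrx_meta_args: validates the cSRX environment variables described on this
#   page and emits the "--meta" pairs for nova boot. Allowed values are the
#   ones the page lists (size small|medium|large, driver polled|interrupt);
#   the root password is taken from $CSRX_ROOT_PASSWORD so it is not typed
#   into the shell history as part of the command.
# csrx_check_daemons: reads "docker top <container>" output on stdin and
#   confirms the Junos daemons the page expects (nsd, srxpfe, mgd) are running.

csrx_meta_args() {
    size=$1
    driver=$2
    case "$size" in
        small|medium|large) ;;
        *) echo "invalid CSRX_SIZE: $size" >&2; return 1 ;;
    esac
    case "$driver" in
        polled|interrupt) ;;
        *) echo "invalid CSRX_PACKET_DRIVER: $driver" >&2; return 1 ;;
    esac
    # SSH login to the container requires an initial root password (step 1).
    if [ -z "$CSRX_ROOT_PASSWORD" ]; then
        echo "CSRX_ROOT_PASSWORD is not set; SSH login would not be possible" >&2
        return 1
    fi
    echo "--meta CSRX_SIZE=$size --meta CSRX_PACKET_DRIVER=$driver" \
         "--meta CSRX_ROOT_PASSWORD=$CSRX_ROOT_PASSWORD"
}

csrx_check_daemons() {
    required="nsd srxpfe mgd"
    # Columns are UID PID PPID C STIME TTY TIME CMD; take the basename of the
    # first word of CMD on every line after the header.
    running=$(awk 'NR > 1 { n = split($8, p, "/"); print p[n] }')
    missing=""
    for d in $required; do
        echo "$running" | grep -qx "$d" || missing="$missing $d"
    done
    if [ -n "$missing" ]; then
        echo "missing cSRX daemons:$missing" >&2
        return 1
    fi
    return 0
}

# Constructed sample in the shape of the "docker top csrx2" output above;
# not captured from a real container.
sample_docker_top() {
    cat <<'EOF'
UID   PID   PPID  C  STIME  TTY    TIME      CMD
root  1809  1788  0  07:51  pts/0  00:00:00  /bin/bash -e /etc/rc.local init
root  2290  1809  0  07:51  ?      00:00:00  /usr/sbin/sshd
root  2325  1809  0  07:51  ?      00:00:00  /usr/sbin/nsd
root  2380  1809  0  07:51  ?      00:00:00  /usr/sbin/mgd
root  2439  1809  0  07:51  ?      00:00:17  /usr/sbin/srxpfe -a -d
EOF
}

# Real usage: export CSRX_ROOT_PASSWORD first, then
#   nova boot --image ... --availability-zone az-docker --nic ... \
#       $(csrx_meta_args medium interrupt) csrx-fw
#   docker top csrx2 | csrx_check_daemons
sample_docker_top | csrx_check_daemons && echo "all expected daemons present"
```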
      
      

    Creating a Service Template for the cSRX

    Creation of a service template (version 2) in Contrail is a critical step in adding the cSRX container to a service chain. The Contrail service template is used in a service instance to launch the cSRX as part of a service chain.

    To create a cSRX service template:

    1. From the Contrail GUI, select Configure > Services > Service Templates. The list of existing service templates appears.
    2. Click the Create (+) button on Service Templates. The Create Service Template page appears (see Figure 7).

      Figure 7: Create Service Template Page

    3. Add a name for the service template in the Name box.
    4. Select v2 in the Version field.
    5. Select Virtual Machine as Virtualization Type from the list.
    6. Select In-Network as Service Mode and Firewall as Service Type from the lists.
    7. Under Interface(s), click + to add three interfaces. Select Management for the first interface type, Left for the second interface type, and Right for the third interface type. You associate the left and right interfaces with the left and right virtual networks when you create the service instance. Any additional interfaces must be of type Other.
    8. Click Save to save the new service template. The cSRX service template appears on the Service Templates page.
    9. Confirm the cSRX service template settings from the Service Templates page.

    Creating and Launching the Service Instance

    You are now ready to create and launch the service instance from the Docker registry.

    To create and launch the service instance:

    1. From the Contrail GUI, configure a service instance for an in-network service template. Navigate to Configure > Services > Service Instances and then click Create on the Service Templates window. The Create Service Instance page appears (see Figure 8).

      Figure 8: Create Service Instance Page

    2. Enter a name for the cSRX service instance.

      Note: Do not use white space in the service instance name.

    3. Select the service template you created for cSRX from the Service Template list.
    4. Under Virtual Network, select the virtual network for the management, left, and right interfaces.
    5. Under Port Tuples, select the port tuples from the Tuples list. Ports for the cSRX container are created as part of the cSRX container launch in Openstack using the nova boot CLI command. With a port-tuple object, you can create ports and pass the port information when creating the service instance. The ports are linked to a port-tuple object that is a child of a service instance.
    6. Click Save to save this service instance. Contrail launches the cSRX container for this service instance.
    7. Confirm that the service instance status is Active.
    8. Check the cSRX compute node. Confirm that the cSRX image was automatically pulled from the Docker registry and that the Docker instance is running.

      Note: It might take longer for the first cSRX instance to launch because it has to pull the image from the Docker registry server.

      root@ubtvm02:~# nova image list

      REPOSITORY                           TAG             IMAGE ID            CREATED             VIRTUAL SIZE
      csrx-registry:5050/csrx              18.1R1.0        4b7fcaf7f30d        39 hours ago        551.1 MB
      ubuntu                               trusty          bec964527be1        7 weeks ago         188 MB
      csrx-registry:5000/ubuntu-14         1.0             a4c8a0f2f25f        16 months ago       589 MB

      root@ubtvm02:~# nova list

      CONTAINER ID        IMAGE                               COMMAND                CREATED          STATUS           PORTS   NAMES
      b4002acca1ac        csrx-registry:5050/csrx:18.1R1.0    "/etc/rc.local init"   11 minutes ago   Up 11 minutes            nova-85d5f949-97e7-4f46-b18f-0ddf227fe4fe

    Creating a Network Policy (Optional)

    (Optional) To create a network policy to allow traffic between virtual networks and the service instance:

    1. From the Contrail GUI, select Configure > Networking > Policies. The table of policies appears.
    2. Click + to create a new policy. The Create Policy page appears, as shown in Figure 9.

      Figure 9: Creating a Network Policy in Contrail

    3. Name the policy.
    4. Click + to create a new rule for this policy.
    5. Select the left virtual network you created from the Source list and select the right virtual network from the Destination list.
    6. Select the appropriate protocol from the Protocol list and select the source and destination ports for this policy.
    7. Select Services and select the cSRX instance you want to apply this policy to.
    8. Optionally, add more policy rules to this policy.
    9. Click Save to create this policy.

    See Creating a Network Policy—Juniper Networks Contrail for more details.

    Adding a Network Policy to a Virtual Network (Optional)

    (Optional) To add a network policy to a virtual network:

    1. From the Contrail GUI, select Configure > Networking, and select the settings icon to the right of the virtual network you want to add a network policy to, as shown in Figure 10.

      Figure 10: Networks Window Page

    2. Click Edit. The Edit Networks page appears, as shown in Figure 11.

      Figure 11: Adding a Network Policy to a Virtual Network

    3. Select the appropriate policy from the Network Policy(s) list.
    4. Click Save to save this change.
    5. Repeat this procedure for the other virtual network in this service chain.

    See Associating a Network to a Policy—Juniper Networks Contrail for more details.

    Modified: 2018-06-19