Understand vSRX Orchestration with JDM for CSDS

In this topic, you'll learn about using Junos Device Manager (JDM) for vSRX orchestration and how you can manage JDM with Junos Node Unifier (JNU) in Connected Security Distributed Services (CSDS) architecture.

You can orchestrate vSRX Virtual Firewalls using Junos Device Manager (JDM). Ensure that the Ubuntu baremetal host meets the necessary hardware and software requirements. See JDM Components for CSDS.

Before installing and configuring JDM, read this topic to understand and prepare your environment. You'll see details about:

  • JDM package download and JDM software installation on the host server

  • Managing JDM from the JNU controller

  • Configuring JDM for vSRX orchestration

Familiarize yourself with the JDM package, the installation process, and the changes that will occur on the Ubuntu host server as part of the installation.

JDM Installation Requirements

If your CSDS architecture services plane includes vSRX Virtual Firewall, you need JDM. We recommend that you use the JNU controller to centrally manage JDM, which acts as a JNU satellite in the JNU topology. If you already manage the SRX Series Firewall satellites in your CSDS architecture using the jnud process, you can add JDM and the vSRX Virtual Firewall as satellites to the MX Series controller. If not, you must configure JNU before configuring JDM.

Familiarize yourself with the specific JDM package for CSDS. You can download the JDM software package (e.g., csds-jdm-jdm-<release-number>.x86_64.deb) from the Juniper Networks Downloads page at https://support.juniper.net/support/downloads/. Save the package on your MX Series router that acts as the JNU controller. During JDM installation, the MX Series router copies the JDM package to the Ubuntu host for installation of the JDM LXC container that runs the JDM software.

You can install or uninstall JDM from the controller, provided that the SSH keys are exchanged between the MX Series and the Ubuntu host server.

To know about the JDM installation process, see Host Configuration Changes Post JDM Installation and JDM Installation Workflow for vSRX Orchestration. See Install and Configure Junos Device Manager for CSDS to follow the step-by-step procedure for JDM installation and configuration.

Host Configuration Changes Post JDM Installation

In this section, you'll see the modifications that the JDM software makes to the host server as part of the JDM installation. Make sure you understand these modifications before you install JDM.

OS Configuration Changes

When installing JDM, the software modifies the OS configuration on the host through the GRUB kernel command line. See Table 1 for the list of changes.

Table 1: OS Configuration Changes on Host After JDM Software Installation

  Description                                   Expected Configuration
  --------------------------------------------  ------------------------------------------------------
  CPU isolation (isolcpus)                      Reserves socket ID 0 and core ID 0 for JDM, the host
                                                server and the emulator pin
  Hugepages size                                1 G
  Hugepages count                               1 G x 16
  Input-Output Memory Management Unit (IOMMU)   intel_iommu=on on Intel server
                                                amd_iommu=on on AMD server
  IOMMU passthrough                             iommu=pt on Intel server
                                                amd_iommu=pt on AMD server
  AppArmor                                      Disabled
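As an added example (not Juniper's tooling), the following POSIX shell script checks a host's kernel command line for the Table 1 settings, so you can confirm the GRUB changes actually took effect after a reboot. The tokens isolcpus=, hugepagesz=1G, hugepages=16 and apparmor=0 are the standard Linux boot parameters assumed to correspond to those rows; the IOMMU tokens are the ones Table 1 gives.

```shell
#!/bin/sh
# Added example, not part of JDM: verify that the Ubuntu host's kernel command
# line carries the Table 1 settings after JDM installation. Assumed standard
# boot parameters: isolcpus= (CPU isolation), hugepagesz=1G, hugepages=16 and
# apparmor=0 (AppArmor disabled); the IOMMU tokens are the ones Table 1 lists.

# Prints "intel", "amd" or "unknown" based on /proc/cpuinfo.
detect_vendor() {
    if grep -qi 'GenuineIntel' /proc/cpuinfo 2>/dev/null; then echo intel
    elif grep -qi 'AuthenticAMD' /proc/cpuinfo 2>/dev/null; then echo amd
    else echo unknown
    fi
}

# Usage: check_cmdline "<kernel command line>" intel|amd
# Prints one "missing: <param>" line per absent parameter; returns 0 only when
# every expected parameter is present.
check_cmdline() {
    cmdline="$1"
    vendor="$2"
    expected="isolcpus= hugepagesz=1G hugepages=16 apparmor=0"
    case "$vendor" in
        intel) expected="$expected intel_iommu=on iommu=pt" ;;
        amd)   expected="$expected amd_iommu=on amd_iommu=pt" ;;
        *)     echo "unknown CPU vendor: $vendor" >&2; return 2 ;;
    esac
    missing=0
    for want in $expected; do
        # A parameter ending in "=" is matched as a prefix, because the isolated
        # CPU list is host specific (only core 0 of socket 0 stays unisolated).
        case "$want" in
            *=) pat=" $want" ;;
            *)  pat=" $want " ;;
        esac
        case " $cmdline " in
            *"$pat"*) ;;
            *) echo "missing: $want"; missing=$((missing + 1)) ;;
        esac
    done
    [ "$missing" -eq 0 ]
}

# Constructed sample of a correctly prepared Intel host, for offline use.
SAMPLE_CMDLINE="BOOT_IMAGE=/vmlinuz root=/dev/sda2 ro isolcpus=1-47 hugepagesz=1G hugepages=16 intel_iommu=on iommu=pt apparmor=0"
check_cmdline "$SAMPLE_CMDLINE" intel && echo "constructed sample: all Table 1 parameters present"

# On the host itself, run: sh check_jdm_host.sh --live
[ "${1:-}" = "--live" ] && check_cmdline "$(cat /proc/cmdline)" "$(detect_vendor)" && echo "live host: OK"
```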

Directory Structure

JDM software installation creates a new directory, /juniper. This directory contains all the JDM binaries, installation packages and temporary files created during installation.

Cgroups Configuration

The JDM LXC container uses control groups (cgroups) to limit its resource footprint on the host. JDM limits its primary memory to 2 GB. It changes the following controllers for the machine.slice settings:

  • Cpuset

  • Memset

Network Interfaces

JDM installation creates the required JDM network interfaces. Table 2 lists the network interfaces that exist after JDM installation, by interface type, interface name and description.

Table 2: Network Interfaces After JDM Software Installation

JDM Management Interface (jmgmt0)

  • Connects to the customer's external-facing management network.

  • Connects to the host server's physical management interface.

  • In CSDS, the JNU controller communicates with the JDM satellite over this interface.

vSRX Management Interface (fxp0)

  • Macvlan-based bridged network interface.

  • Colocated with jmgmt0 over the host server's physical management interface.

  • In CSDS, the JNU controller communicates with the vSRX satellite over this interface.

vSRX Datapath Interface (SR-IOV VFs vf-1, vf-2)

  • The service plane datapath runs over SR-IOV VFs for the firewall's inbound and outbound traffic.

  • JDM creates these interfaces over the host server's physical interfaces.

  • JDM creates two virtual functions (VFs) per vSRX Virtual Firewall, each VF over a separate physical function (PF).

  • A host with two NUMA nodes spawns two vSRX Virtual Firewalls; JDM then creates four VFs over four PFs, each PF with a separate PCIe address.

Figure 1 illustrates the internal networking in the host server.

Figure 1: Internal Networking in the Ubuntu Host Server

JDM Installation Workflow for vSRX Orchestration

The procedure below outlines the installation and configuration of JDM for vSRX orchestration:

  1. Ensure that all your nodes have a management IP address, and that you have downloaded the JDM image and the vSRX Virtual Firewall image to the MX Series JNU controller.

  2. Add the management IP address of the Ubuntu host server in the MX Series for JDM management. Every host server is referred to by a node-instance ID.

  3. Set up the MX Series as the JNU controller. If you have already set up the JNU controller, skip this step.

  4. Install JDM from the JNU controller. During installation, the system will:

    1. Create the Linux known_hosts file in JDM for both the root and jnuadmin user accounts, to store the public keys of the hosts that those users access.

    2. Set up two-way SSH keys between the MX Series and JDM for the jnuadmin user.

    3. Provision the JNU controller IP address in JDM.

    4. Assign an IP address for the JNU satellite in JDM.

    5. Launch JDM. JDM uses the management interface of the host server. During the installation of JDM, the MX Series allocates a pool of IP addresses to JDM. JDM designates the first IP address from the pool to itself. The installation process also provisions JDM with the controller and satellite IP addresses for the jnud process.

  5. Spawn vSRX Virtual Firewall instances from the JNU controller. During this process, the system will:

    1. Copy the vSRX Virtual Firewall installer image from the MX Series to JDM.

    2. Use the baseline configuration to initiate the vSRX Virtual Firewall instance in JDM.

    3. Copy the SSH keypair from JDM to the home directories of the firewall's root and jnuadmin user accounts.

    4. Send the second IP address in the IP prefix range from JDM for spawning the firewall. The system assigns IP addresses in sequence, based on the number of instances it spawns.

    5. Apply the baseline configuration, which includes the controller IP address, the controller's public SSH key, and the jnud process-specific settings. The MX controller adds its jnuadmin user's public SSH key to the firewall. This allows the JNU controller to securely manage the firewall once it has an IP address. The controller also establishes a one-way trust relationship with the firewall.

    6. Wait approximately 10 minutes for the instances to spawn. JDM spawns the instances based on the server hardware you choose for the Ubuntu host. Based on the server configuration, JDM assigns a pair of 100 or 200 GB interfaces for the firewall's SR-IOV VFs.

  6. With one-way SSH key access to the firewall granted to the jnuadmin user on the MX Series, the JNU controller retrieves the public key from the firewall and adds it to the local authorized_keys file of the MX Series. The MX Series uses the IP address of the firewall and starts the jnud process to make the firewall a satellite node.

  7. Wait approximately 10 minutes for the satellites to synchronize with the controller.

The names of all satellites are listed at the [edit chassis jnu-management] hierarchy level. The satellite schema for a particular satellite is available at the [edit chassis satellites satellite-name] hierarchy level.

For step-by-step configuration, see Install and Configure Junos Device Manager for CSDS.

JDM and vSRX Virtual Firewall Upgrade Process

Follow the sequence below to upgrade JDM and vSRX Virtual Firewall.

  1. Upgrade both the controllers including both the Routing Engines (REs). Follow the Junos OS upgrade process. See Junos® OS Software Installation and Upgrade Guide.

  2. Upgrade JDM from the controller using the following command.

  3. Upgrade the vSRX Virtual Firewalls using the following commands to copy the image, then log in over SSH to run the Junos OS installation command.


Follow the same sequence to downgrade. Ensure that you use the correct Junos OS image for the downgrade.

JDM and vSRX Virtual Firewall Deletion Process

Delete vSRX Virtual Firewall Without Deleting JDM

  1. Delete the vSRX Virtual Firewall from the controller using the following command. Note that this command doesn't delete JDM.

Delete JDM

  1. Use the following command to delete an existing JDM instance.

    CAUTION:

    Proceed with caution when using the command request csds jdm delete csds-instance-id csds-instance-id to delete a JDM instance. The command also removes any vSRX Virtual Firewall instances that the JDM has created. As a result, you must reinstall JDM and the vSRX Virtual Firewalls. Ensure that you do not manually delete JDM from the host. Doing so may cause JDM or vSRX Virtual Firewall deployments to fail due to stale known-host entries on the controller.

    To retain the vSRX Virtual Firewalls, perform only the JDM add operation to either upgrade or downgrade JDM. See JDM and vSRX Virtual Firewall Upgrade Process.