Install and Configure Junos Device Manager for CSDS

Use this configuration example to install and configure Junos Device Manager (JDM) for vSRX orchestration in a Connected Security Distributed Services (CSDS) topology.

Junos Device Manager (JDM) is a Linux container that orchestrates vSRX Virtual Firewalls for the services layer in a Connected Security Distributed Services (CSDS) topology. This configuration example demonstrates how to install and configure JDM for vSRX orchestration.

When you install and configure JDM, it also sets up the Junos Node Unifier (JNU) for CSDS. The same configuration for JDM also sets up JNU, provided you've not configured JNU yet. If you've already configured JNU, you can still run the commands in this example as the system ensures that the existing JNU configurations remain unchanged. If you have a single JNU controller in your topology, we've indicated the steps that you can ignore. After the installation and configuration of JDM, the configuration adds both JDM and vSRX Virtual Firewalls as JNU satellites.

Tip:
Table 1: Readability Score and Time Estimates

Reading Time: Less than an hour

Configuration Time: Less than two hours

Example Prerequisites

Table 2: Requirements for JDM

Hardware requirements

  • Intel Xeon Gold 6438N 2GHz with Ubuntu 22.04.4 LTS OS

Software requirements

  • JDM package: csds-jdm-24.4-R1.9.x86_64.deb

  • vSRX image: junos-vsrx3-x86-64-24.4.qcow2

Table 3: Requirements for JNU

Hardware requirements

  • Juniper Networks® MX304 for JNU controllers

Software requirements

  • Junos OS Release 24.4R1

  • Ensure you've installed Ubuntu OS on the baremetal host server with the specified software and hardware requirements. See JDM Components for CSDS.

  • Ensure you understand the modifications that the JDM installation is set to apply on the host server. See Understand vSRX Orchestration with JDM for CSDS.

  • Ensure your host server has a management IP address.

  • Ensure you’ve completed basic configuration of MX Series and the nodes can communicate with each other over the management network.

Before You Begin

Table 4: Resources, and Additional Information

Understand JDM for CSDS

Configure JDM to orchestrate the life cycle management of the vSRX Virtual Firewalls. Use JDM only when you plan to include vSRX Virtual Firewalls in your CSDS architecture. You require JNU to configure JDM. JDM is the satellite and uses the MX Series controller for its configuration. See Junos Device Manager for CSDS.

Know more

Learn more

Functional Overview

Table 5: Junos Device Manager Functional Overview

Ubuntu host server

Ubuntu host server is a baremetal server for hosting JDM container and vSRX Virtual Firewalls spawned by JDM. This node is not a JNU satellite.

JDM container

JDM is a Linux Container (LXC) that runs in the host to perform vSRX orchestration. The jnud process runs in JDM. JDM is a JNU satellite node.

vSRX Virtual Firewall

JDM spawns the vSRX Virtual Firewalls for CSDS services plane. The jnud process runs in the firewall. vSRX Virtual Firewall is a JNU satellite node.

JNU controller

Even though the JNU controller doesn't belong to the JDM components, you still require the JNU controller for installing and configuring JDM. The MX Series acts as the controller.

Primary verification tasks

Verify the following:

  1. JDM status from the controller.

  2. JNU nodes and their synchronization status in JNU topology.

  3. The controller lists the JDM and vSRX Virtual Firewall as the satellites.

  4. Run the satellite's operational commands from the controller.

Topology Overview

Table 6: Devices, Role, and Functionality used in this Configuration

Hostname

Role

Function

MX1

JNU controller

JNU controller serves as a CLI touchpoint for all network devices in the JNU topology.

  • re0 IP address - 10.52.136.131/8

  • re1 IP address - 10.52.136.132/8

  • master-only IP address - 10.52.131.130/8

    The master-only IP address is an additional IP address configured on the management interface of both Routing Engines (REs). This address is active only on the primary RE and moves to the new primary RE during a graceful Routing Engine switchover (GRES).

MX2

JNU controller (second controller)

This serves as the second controller for high availability.

  • re0 IP address - 10.52.136.112/8

  • re1 IP address - 10.52.136.113/8

  • master-only IP address - 10.52.136.111/8

Ubuntu host server

Baremetal server

The baremetal server hosts JDM and vSRX Virtual Firewalls. This host is not part of JNU topology.

  • IP address - 10.157.79.104/19

JDM

JNU satellite

Node in JNU topology that creates vSRX Virtual Firewall.

  • IP address - 10.157.80.182/19

    The system allocates the first IP address within the IP prefix range specified in the ip-prefix-range option to JDM.

vSRX1

JNU satellite

Node in JNU topology that you can manage using the JNU Controller.

  • IP address - 10.157.80.183/19

    The system allocates the second and subsequent IP addresses within the IP prefix range specified in the ip-prefix-range option to vSRX Virtual Firewalls.

The nodes use the fxp0 management interface for communication between the controller and the satellites.

Topology Illustration

Figure 1: JDM Topology for CSDS

Step-By-Step Controller Configuration on MX1

Ensure you meet the following prerequisites:

  • Download the following software from the Juniper Networks Support portal:

    • Search for Connected Security Distributed Services Architecture to download the CSDS CLI Install software package (csds-jdm-jdm-<release-number>.x86_64.deb).

    • vSRX Virtual Firewall KVM image (junos-vsrx3-x86-64-24.4.qcow2)

  • Enable NETCONF and SSH services.

Configure JNU controller on MX1 and install JDM on the host. Run the following steps.

Note:

For complete sample configurations on the DUT, see:

  1. Configure the controller role on all REs. Run the command on re0.
  2. Configure the controller auto-login for the jnuadmin user.
  3. Configure JNU management features on JNU controller.
    1. Enable feature-rich mode.
    2. Associate jnuadmin user for JNU management tasks.
  4. Configure the host instance ID of the Ubuntu host server.

    The system allocates the first IP address to the JDM and the subsequent IP addresses to the vSRX Virtual Firewalls, within the IP prefix range specified in the ip-prefix-range option.

  5. Configure dual RE settings if your controller has two Routing Engines.
    1. Configure commit synchronization on the REs by default, enable graceful switchover to the other RE in the event of failure of active RE, and enable non-stop routing (NSR).
    2. Configure master-only settings for re0 and re1.

      Ensure that you commit the configuration at this step.

  6. Authenticate host server from the controller.

    The first time, when prompted for the password, enter yes and the host server's password.

    Every host server and its associated JDM and vSRX Virtual Firewall instances are referred to by the option csds-instance-id. If you have multiple host servers, use a unique instance ID for each host server. The command performs the controller's one-way key exchange with the host. This allows passwordless SSH access to the host from the controller, which enables the controller to remotely run commands for managing JDM in the CSDS architecture.

  7. Install JDM on the host server.

    You'll notice that the system identifies the server profile based on Intel or AMD configuration and installs the JDM. Installing JDM for the first time on the host server prompts the system to request a reboot with the message KERNAL CMDLINE ARGUMENTS ARE MODIFIED !!! Host requires reboot Kindly confirm the reboot on host? Confirm (y/n). Type yes to reboot the host server.

  8. Initiate the creation of vSRX Virtual Firewalls on the host server.

    Wait for approximately 10 minutes for the vSRX Virtual Firewall installation. You'll notice that the command creates VNFs and restarts the CLI. Wait until you see the message Satellite has been added, Please restart the CLI session. Type yes to restart the CLI. All the Junos OS CLI sessions that you have open on your terminal display this message, but the shell prompt doesn't show it. Use the command show virtual-network-functions device-list jdm-ip-address to see the status of vnf0. You'll notice that vnf0 is running.

  9. Extract the public keys of vSRX Virtual Firewall.

    Wait for 5-6 minutes for the vSRX Virtual Firewall to synchronize with the controller. Wait until you see the message Satellite has been added, Please restart the CLI session. Type yes to restart the CLI. All the Junos OS CLI sessions that you have open on your terminal display this message, but the shell prompt doesn't show it.
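
Step 6 gives the controller passwordless SSH access to the host, so the host's authorized_keys file is worth reviewing after installation. The following Python sketch is an added example, not Juniper code: it fingerprints each key and flags entries that are not pinned with from= to the MX1 addresses in Table 6. The page does not say which host account receives the key or which source address the controller uses; the sample file contents and key comments are constructed.

```python
import base64
import hashlib
import re

KEY_TYPE = re.compile(r"^(ssh-(rsa|ed25519|dss)|ecdsa-sha2-\S+|sk-\S+@openssh\.com)$")
# Table 6 addresses for MX1 (re0, re1, master-only); assumed to be the SSH sources.
MX1_SOURCES = {"10.52.136.131", "10.52.136.132", "10.52.131.130"}

def split_fields(line):
    """Split on whitespace but keep double-quoted option values in one field."""
    return re.findall(r'(?:[^\s"]|"(?:\\.|[^"\\])*")+', line)

def audit_authorized_keys(text, expected_sources):
    """Return one finding per key: fingerprint, comment, and review issues."""
    findings = []
    for line in text.splitlines():
        fields = split_fields(line.strip())
        if not fields or fields[0].startswith("#"):
            continue
        idx = next((i for i, f in enumerate(fields) if KEY_TYPE.match(f)), None)
        if idx is None or idx > 1 or idx + 1 >= len(fields):
            continue  # not a parsable key line
        options = fields[0] if idx == 1 else ""
        digest = hashlib.sha256(base64.b64decode(fields[idx + 1])).digest()
        fingerprint = "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
        match = re.search(r'from="([^"]*)"', options)
        issues = []
        if match is None:
            issues.append("no from= restriction")
        else:
            # Exact-match only: wildcard, CIDR or negated patterns are reported.
            extra = sorted(set(match.group(1).split(",")) - set(expected_sources))
            if extra:
                issues.append("source outside expected set: " + ",".join(extra))
        findings.append({"fingerprint": fingerprint,
                         "comment": " ".join(fields[idx + 2:]),
                         "issues": issues})
    return findings

def _sample_key(seed):
    """Build a constructed (not real) ssh-ed25519 public key line."""
    blob = b"\x00\x00\x00\x0bssh-ed25519\x00\x00\x00\x20" + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode()

SAMPLE = "\n".join([  # constructed authorized_keys content
    'from="10.52.136.131,10.52.136.132" ' + _sample_key(1) + " jnuadmin@MX1",
    _sample_key(2) + " unknown@host",
    'from="192.0.2.50",no-pty ' + _sample_key(3) + " other",
])

if __name__ == "__main__":
    for finding in audit_authorized_keys(SAMPLE, MX1_SOURCES):
        print(finding["fingerprint"], finding["comment"], finding["issues"] or "ok")
```

The fingerprints use the same SHA256 format that ssh-keygen -lf prints, so they can be compared against the controller's public key.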

Step-By-Step Controller Configuration on MX2

Ensure you meet the following prerequisites:

  • Ignore the controller configuration on MX2 if you have a single controller in your JNU topology.

  • Ensure that you have configured MX1.

  • Enable NETCONF and SSH services.

Configure JNU controller on MX2 and synchronize with the other controller. Run the following steps.

Note:

For complete sample configurations on the DUT, see

  1. Configure dual RE settings if your controller has two Routing Engines.
    1. Configure commit synchronization on the REs by default, enable graceful switchover to the other RE in the event of failure of active RE, and enable non-stop routing (NSR).
    2. Configure master only settings for re0 and re1.

      Ensure that you commit the configuration.

  2. Configure JNU controller role on all REs. Run the command on re0.
  3. Configure JNU controllers synchronization.

    Ignore this step if you have a single controller in your JNU topology.

Verification

This section provides a list of show commands that you can use to verify the feature in this example. Run these commands from the controller in operational mode.

Command

Verification Task

show version device-list jdm-satellite-ip

Verify the JDM's version.

show system cpu | memory | network | storage device-list jdm-satellite-ip

Verify the infrastructure (CPU, memory, network and storage) details of JDM.

show virtual-network-functions device-list jdm-satellite-ip

Verify the virtual network function (VNF) status on JDM.

show chassis jnu satellites

Verify the satellite nodes synchronization in JNU topology.

show configuration chassis jnu-management

Verify the nodes in JNU topology.

show version device-list satellite-ip

Verify that you are able to run the satellite's (vSRX Series Virtual Firewall) operational commands from the controller.

set chassis satellite satellite-ip

Verify that you are able to configure the satellite (vSRX Series Virtual Firewall) using the configuration commands from the controller.

Verify Satellite Version

Purpose

Run the command to check the version of the satellite.

Action

From operational mode, run the command show version device-list jdm-satellite-ip on the controllers, MX1 or MX2.

Meaning

The controller displays the JDM satellite's version details.

Verify Satellite Infrastructure Details

Purpose

Run the commands to fetch CPU, memory, network and storage details of JDM.

Action

From operational mode, run the command show system network storage device-list jdm-satellite-ip on the controllers, MX1 or MX2.

Similarly, you can run the following commands on JDM:

  • show system cpu device-list jdm-satellite-ip

  • show system memory device-list jdm-satellite-ip

  • show system storage device-list jdm-satellite-ip

Meaning

The controller displays the JDM satellite's CPU, memory, network and storage details.

Verify Satellite VNF Status

Purpose

Run the command to check VNF status of the satellite. Though the device-list option shows the JDM IP address, you'll not see the output of JDM as it doesn't have VNFs.

Action

From operational mode, run the command show virtual-network-functions device-list jdm-ip-address on the controllers, MX1 or MX2.

Meaning

The controller lists the satellite's running and liveliness status. If the status of the VNF is running and liveliness is unavailable, wait until the MX controller extracts the vSRX Virtual Firewall public keys.

Verify JNU Nodes Synchronization

Purpose

Run the command to check that JDM and vSRX Virtual Firewalls are synchronized with the controller. Both the controllers, MX1 and MX2, list the satellites that you add. Satellites push their schema to the controller during the initial synchronization. Although JDM is added as a satellite, JDM doesn’t send its configuration to the controller during the initial synchronization, unlike the other satellites.

Action

From operational mode, run the show chassis jnu satellites command on the MX1 or MX2 controller to verify that the satellites are added to the controllers.

Meaning

The controller lists the satellite's name, status, model, and Junos OS version. It takes approximately 5-6 minutes for synchronization per controller per satellite.

Verify Nodes in JNU Topology

Purpose

Run the command on the controllers to know the details of nodes in JNU topology.

Action

From operational mode, run the show configuration chassis jnu-management command on the MX1 or MX2 controllers to verify the nodes in JNU topology.

Meaning

The command shows the details of the controller and the satellite nodes.

Verify the Satellite's Operational Commands from the Controller

Purpose

Run the satellite's (vSRX Virtual Firewall) operational commands on the controller.

Action

From the controller's operational mode, run the satellite's operational command show version device-list satellite-name.

Meaning

The command shows the details of the vSRX Virtual Firewall's Junos OS version. You can run the satellite's other operational commands from the controller.

Verify the Satellite's Configuration Commands from the Controller

Purpose

Run the satellite's (vSRX Virtual Firewall) configuration commands from the controller. Note that JDM is a non-configurable satellite.

Action

From the controller's configuration mode, run the satellite's configuration command set snmp description "Monitor vSRX". This SNMP description configuration serves as an example to demonstrate how to configure the satellite from the MX controller.

Perform top commit operation to commit the configuration command on the satellite.

Meaning

The configuration schema of the satellite is available in the controller. The command configures SNMP description for the satellite being managed. You can run the satellite's other configuration commands from the controller.

Appendix 1: Set Commands on All Devices

Set command output on all devices.

Set Commands on MX1

Set Commands on MX2

Appendix 2: Show Configuration Output on All Devices

Show command output on all devices.

Show Command on MX1

Show Command on MX2

Appendix 3: Commands to Delete JNU Satellites

Ensure that you know the CSDS instance ID for the vSRX Series Virtual Firewall and the JDM satellites that you plan to delete.

To delete all the satellites, first remove the vSRX Series Virtual Firewalls, followed by the JDM. You can delete an existing vSRX Series Virtual Firewall and add a new one without deleting JDM. Note that you must delete all firewalls running on the host server before you can delete the JDM.

To delete the satellites, run the following steps:

  1. Delete vSRX Series Virtual Firewall.
  2. Delete JDM.