cSRX Docker Fundamentals

0:00 [Music]

0:13 welcome to the csrx docker fundamentals

0:16 learning byte i'm gordon mosley with the

0:18 education services department at juniper

0:20 networks let's get started

0:22 after completing this learning byte you

0:24 will be able to use docker to launch a

0:26 csrx instance

0:28 the csrx is a containerized version of

0:31 our srx series services gateway designed

0:34 primarily to protect container workloads

0:37 so the example use case i have

0:39 demonstrated at the bottom is i have an

0:42 application it's a containerized web

0:44 application and so i have several you

0:46 know web containers and every web

0:49 application always talks to a database

0:51 back in well since these are

0:52 containerized resources that i need to

0:54 secure i have traffic coming in from the

0:56 internet i want to protect my web

0:57 containers

0:58 when those web containers communicate

1:00 with my back-end database services i

1:01 also want to secure that track

1:03 and so this is a perfect example of

1:05 spinning up when i spin up these web

1:07 front ends and my database back ends i

1:09 can also orchestrate and instantiate

1:12 some csrx instances to protect secure

1:15 traffic from the internet reaching my

1:16 front-end web application and then the

1:18 communications going back to my database

1:20 back-end so full you know layer seven

1:23 advanced security services available in

1:25 a containerized format that i can deploy

1:27 in a couple of seconds

1:30 now to deploy a csrx instance

1:33 i used i have a windows laptop i

1:35 installed docker desktop for windows

1:37 there's a version for mac there's also a

1:39 linux version

1:40 and then i downloaded the csrx image

1:42 from the juniper support downloads

1:44 website i'll show you the image in a

1:45 minute

1:46 and then we will use docker commands to

1:48 create the necessary networks and launch

1:51 the csrx instance then once the csrxs is

1:54 launched to get all the functionality

1:56 out of it you're going to need a

1:57 software license and then you're going

1:59 to need to apply some configuration

2:03 here's the example csrx container we're

2:05 going to build we're going to launch a

2:07 use docker to launch a csrx instance and

2:09 we're going to create three docker

2:11 networks one of them will be the

2:13 management network we'll create use the

2:15 docker network create command we'll

2:17 create a management network

2:19 then i'm going to have two transit

2:20 networks i'm going to create one of them

2:22 i'm going to call the untrust network

2:24 you can call the network whatever you'd

2:26 like but we'll use docker network create

2:28 and create a untrust network

2:30 and a trust network and a management

2:33 network now on the interfaces that are

2:35 going to process transit traffic if you

2:37 want the csrx to perform nat functions

2:40 which is a common feature

2:42 when you create the docker networks you

2:44 must enable ipmasquerating so the csrx

2:47 is capable or it enables the csrx to

2:50 perform map functions we'll use the

2:52 docker run command to launch the

2:55 container and then we'll use the docker

2:57 network connect command to connect the

2:59 transit networks to the vsrx instance

3:02 and assign ip addresses to these two

3:04 transit interfaces

3:07 i have the commands we're going to use

3:09 to create or launch the csrx container

3:12 in this notepad document these are the

3:14 three networks where we use the docker

3:16 network create command we can create a

3:18 network called in this case mgmt

3:21 underscore net this is a variable you

3:23 can create the network you can name the

3:25 network however you choose you do not

3:27 have to specify a subnet to be

3:29 associated docker will automatically

3:31 generate or assign a

3:33 172.17

3:35 subnet to the first network that you

3:37 create but i wanted a little more

3:38 control so we're going to define the

3:40 actual management subnet range

3:43 these then i will create two transit

3:45 networks this would be the untrust

3:47 network and again you could name the

3:49 networks whatever you'd like

3:51 this is the subnet i want associated

3:53 with that untrust network here's my

3:54 trust network and the associated subnet

3:56 and since these are transit interfaces i

3:59 won't want to enable ip masquerading on

4:02 those interfaces and this will again

4:03 enable the csrx instance to perform nat

4:06 functions

4:08 the csrx instance requires a couple of

4:11 docker volumes for storage one to store

4:14 its configuration information you can

4:16 name we'll use the docker volume create

4:18 you'll name the config volume whatever

4:20 you'd like and we also need another

4:22 volume for the csrx log information so

4:25 we'll use two docker volume create

4:27 commands for that

4:28 and then we use docker run and this will

4:30 launch the container instance it'll run

4:33 in detached mode which means once you

4:35 run this command you get your prompt

4:37 back

4:38 the name of the container will be csrx01

4:41 the host name in the juno cli will

4:43 automatically be set to the same value

4:46 it runs in privileged mode

4:48 when it launches it will connect itself

4:50 the management interface on this

4:51 container instance will connect to the

4:53 management network that we defined

4:55 earlier in the process

4:57 the dash v option will attach the two

5:00 volumes the config volume and the log

5:02 volume to the container this is the only

5:05 allowed

5:06 csrx image size or container size that's

5:09 permitted it's large

5:11 now this is a nice option this csrx port

5:14 number i only need three interfaces on

5:16 this container instance i need a

5:17 management interface

5:19 and a gigi zero zero zero interface that

5:22 i want to attach to the untrust network

5:25 and a gige001 interface that i want to

5:27 attach to the trust network you can

5:30 specify up to 15 transit interfaces on

5:33 each container csrx container instance

5:36 so there's a lot there but i only need

5:38 to connect to a couple of networks here

5:40 transit wise in a management network so

5:42 that's the number of ports i want in my

5:44 container instance the root password

5:46 will automatically be set to to this

5:48 value and there will be a console that

5:50 i'll be able to connect to and and then

5:52 look around low config you know perform

5:54 operations on the container once it's

5:56 launched and once it's launched i

5:58 connect my untrust network that we

6:00 defined a little bit earlier and i also

6:02 assign an ip address to the first

6:04 container interface on that network

6:07 10.0 the first ip address is reserved by

6:10 docker for the gateway ip address to

6:12 drop traffic out of this subnet and so

6:15 the first ip address available to me to

6:17 to assign to a csrx interface is dot two

6:21 and so

6:22 the we'll connect the container to the

6:23 untrust network and we'll assign the

6:25 gigi zero zero zero interface that ip

6:27 address and then we'll also connect the

6:29 trust network to that container and

6:31 we'll assign

6:32 10.10.0.2 is the ip address for the

6:35 first interface the gigi001 interface on

6:38 that container and then we'll use the

6:40 docker exec command to connect to the

6:42 container instance and look around

6:45 so first let's make the network

6:48 let me copy this

6:50 docker network create command

6:52 and we'll go to the command prompt and

6:54 we'll begin the process

6:57 here's my command prompt i already as i

6:59 mentioned earlier downloaded the docker

7:01 image

7:02 from our support website this is the

7:04 name of the image it's about 250 megs in

7:06 size

7:08 then once i've downloaded the image you

7:10 will use the docker

7:12 load dash i command

7:15 and and the image name and this will

7:17 uncompress that downloaded image

7:19 and store it in your local docker image

7:22 repository i've already done the docker

7:25 load step it took about a minute and so

7:28 it's not very fun to watch during a

7:30 learning byte but i can run the docker

7:32 image ls command to list all of my

7:34 images

7:35 and here's the csrx image that was

7:38 uncompressed and placed in my local

7:41 docker image repository so this is the

7:43 container image that we will launch

7:46 right so first i wanted to

7:51 i lost the docker network command there

7:53 let me

7:54 copy this

7:56 we'll go back and we'll create the

7:57 management network

8:01 then i'll come back and create we copy

8:03 eclipse we copy this line

8:07 and we'll create the untrust network

8:10 prompt

8:14 let's go back and get our trust network

8:18 docker network create command

8:23 paste that back in there

8:26 so now i've created the management

8:27 network the untrust network the trust

8:30 network so those are the three networks

8:31 and the three subnets i wanted to create

8:34 now i want to go back and create the

8:35 volumes there's two commands to save

8:38 time i use the double ampersands to

8:40 combine these two docker volume create

8:42 commands together so i can just copy

8:44 this line

8:46 and paste it in

8:48 to the prompt to the command prompt and

8:50 it'll automatically run both of those

8:52 for me just to save us some time there's

8:53 the config

8:55 and the var log volume

8:57 now once the networks and the volumes

8:59 are created we can run which means we're

9:01 going to launch

9:03 our container so we'll copy this

9:07 paste that command in

9:12 and it takes a about a second or two for

9:14 the container to launch and it's up and

9:15 running you can run a docker

9:18 container ls it's how you can see your

9:21 running containers

9:23 and here's our csr csrx01 you know

9:26 container instance here's the id here's

9:28 the image that was used to to load it

9:30 you know it's been up about seven

9:31 seconds right

9:33 and then now i need to

9:35 now that it's up and running i can

9:36 attach those two transit networks to

9:38 this csrx01 container so let's go back

9:42 to the

9:43 notepad document and i've got two

9:45 commands connected here two docker

9:47 network connect commands

9:50 join together with the double ampersand

9:52 let's just paste that in there and this

9:54 will you know connect

9:55 the csrx01 instance to the untrust

9:58 network and this will be the ip address

10:00 assigned to the first interface in that

10:02 network and the same thing with the

10:03 trust network

10:05 so let's connect it

10:08 and now i have a running instance that's

10:10 connected to networks so there's one

10:12 other command i mentioned where we'll do

10:14 the docker exec

10:18 and this command will connect us to our

10:20 running container and we'll log in as

10:22 root the password was lab 123 and the

10:25 hostname was set to csrx01 for me so now

10:28 for example if i run a show

10:31 interfaces here's my gigi00 right this

10:35 was assigned to the trust

10:38 the untrust excuse me docker network and

10:40 it's up and running i know i don't have

10:42 any configuration

10:44 i can do configure if if you'd like

10:48 load set

10:51 you know terminal

10:52 and then i have some configuration that

10:54 will work

10:56 it's in set commands in this file

10:59 it'll create a you know it'll assign the

11:01 same ip addresses to the interfaces that

11:04 the docker used it sets a a nat rule

11:07 that gnats you know from the trust zone

11:09 to the untrust zone it'll perform source

11:11 nat and destination that there's you

11:13 know some security policies

11:16 so i can copy that

11:18 come back

11:21 paste it in

11:24 use the control d and then i do a commit

11:29 and then so now my interface is well i

11:31 forgot to set system often you have to

11:33 set the root password uh set system

11:36 root authentication plain text password

11:40 set the root password you you have to

11:42 when you load a config on there set the

11:44 root password before it'll accept a

11:45 commit

11:48 okay my commit process is complete now

11:50 if i do uh

11:54 i'll put a run in front of that since

11:55 i'm in configuration mode i'll actually

11:57 see more information about the

11:59 interfaces that i have configured on the

12:00 platform here's the logical unit here's

12:02 the ip address that's been assigned to

12:04 it i should have internet

12:08 connectivity you have to type it right

12:10 every time let me let me try that ping

12:12 command again

12:20 there's my ping replies coming back

12:22 now when i'm done i can exit you know

12:25 configuration mode i use exit to get

12:27 back to my local command prompt

12:29 and i can run a docker stop

12:32 c

12:33 srx01 command and stop that container i

12:37 still have the existing volumes i still

12:39 have the networks created so then once i

12:42 launch more containers i can simply

12:43 attach them to those existing objects i

12:45 don't have to build the network every

12:47 time and create the volumes every time i

12:49 do have to attach them once the

12:51 container is running now the uh when you

12:55 stop the container it seems to take

12:56 around 10 to 11 seconds for the

12:58 container to fully shut down they spin

13:00 up really quickly a second or two the

13:02 containers up and running

13:04 it does take a few seconds for it to

13:05 successfully stop

13:07 and then that's this learning bite

13:10 so in this learning by we used docker to

13:13 launch a csrx instance thank you very

13:15 much

13:18 visit the juniper education services

13:20 website to learn more about courses

13:23 view our full range of classroom online

13:26 and e-learning courses

13:28 learning paths

13:30 industry segment and technology-specific

13:32 training paths

13:34 juniper networks certification program

13:37 the ultimate demonstration of your

13:39 competence and the training community

13:42 from forums to social media join the

13:44 discussion

13:51 you