Zach Gibbs, Content Developer, Juniper Networks 

vSRX and GNS3

Learning Bytes Security
Zach Gibbs Headshot
Slide of network topology with a heading of “vSRX and GNS3.” The left side shows an Internet cloud, a user and a server icon. Text says, “Internet, Untrust Zone, vSRX-1, User Zone, Server Zone, Server-1 10.10.202.100, and User 1 10.10.201.11. Right side has a bullet list that says, “Criteria for example, GNS3 is setup to use vSRX, Connect interfaces, Configure vSRX-1, Test communication, User – 1 to Server – 1, User -1 to the Internet, Local machine SSH to vSRX-1.”

Juniper Learning Bytes: How to set up vSRX with GNS3

If you’re new to working with vSRX, check out this step-by-step demo from Juniper’s Zach Gibbs on how to set up GNS3 to use with Juniper vSRX for educational purposes. 

Show more

You’ll learn

  • How to configure the GNS3 VM with the proper resources

  • How to use the vSRX GNS3 appliance template 

  • How to route user traffic and connect to the correct interfaces 

Who is this for?

Network Professionals Security Professionals

Host

Zach Gibbs Headshot
Zach Gibbs
Content Developer, Juniper Networks 

Resources

Transcript

0:00 [Music]

0:11 hello my name is zach gibbs

0:13 and i'm a content developer within

0:16 education services

0:17 inside juniper networks and today we

0:20 will be going through the

0:21 vsrx and gns3 part 1

0:24 learning byte alright so in the topology

0:28 we have a few different devices we have

0:30 vs or x1 which

0:31 is the vsrx that we'll be using with

0:33 gns3

0:35 and then we have user one that uses that

0:37 ip address and connects in on the user

0:40 zone

0:40 and then we have server one which uses

0:42 that ip address and connects and on the

0:44 servers

0:45 zone and then vsrx1 connects to the

0:47 internet on the untrust zone and so with

0:50 this

0:50 learning byte what are we doing well we

0:52 are going to be focusing on

0:53 setting up gns3 to use vsrx

0:57 and we'll do a few different things but

0:59 the major highlights are we're going to

1:01 deploy the gns3 vm

1:03 with using the free vm player and then

1:05 we'll configure the gns3 vm with the

1:07 proper resources so we can

1:09 start up a vsrx device and then we'll

1:12 use the vsrx gns3 appliance template and

1:15 what we'll do is we'll download that

1:16 from the gns3 website

1:18 and then we'll use the vsrx qcal2 image

1:22 with that template so with that being

1:23 said let's go ahead and get started

1:27 alright so here is gns3 and here is

1:30 vmware player and gns3

1:34 is starting up and it's connecting to

1:36 the local server that i have on this

1:38 laptop

1:38 and it wants us to create a new project

1:40 we'll call this bsrx

1:44 gns3 lb

1:46 we'll create that project and if we go

1:48 to our devices

1:50 you see in routers there's nothing we

1:51 got some switches

1:53 we got some end devices nothing in

1:55 security devices

1:56 and this is where vsrx is going to show

1:59 up once we put it in here

2:00 and so the first thing we want to do is

2:02 we want to get

2:03 the gns3 vm going because what happens

2:07 is

2:08 we're going to be able to deploy vsrx

2:11 inside the gns3 vm which we'll be

2:14 running

2:14 in vm player and so that means that the

2:17 gns3 vm

2:18 will be running kvm and will launch the

2:21 vsrx qca2

2:22 image which is 4kvm inside that

2:25 gns3 vm which is in vm player so we're

2:28 going to be doing some nested

2:30 deployment with the vsrx vm

2:33 so keep that in mind and since this is a

2:36 lab scenario that you'll just be using

2:37 for testing

2:38 it's not going to matter with

2:39 performance now where you will see a

2:41 problem is

2:42 with boot up times and that can take

2:43 anywhere from 15 minutes to an

2:45 hour depending on your system resources

2:47 so if we go to

2:49 edit preferences on gns3

2:52 and then we go to gns3 vm we'll see here

2:55 that there's nothing we can select

2:58 and that's because we haven't actually

3:00 fired up the vm yet

3:01 we can go the gns3 website select this

3:04 link here that will take you right to

3:06 the website where you can download it

3:08 let's go ahead and click that and my

3:11 browser opened up on my other monitor

3:12 but you can see here we can download a

3:14 zip file that contains that and i've

3:16 already done that so i'm not going to

3:17 download that again

3:18 so let's go ahead and cancel that and

3:20 then go back to vm player

3:21 and once you've downloaded that zip file

3:23 and extracted the ova file

3:25 you want to select the open a virtual

3:27 machine option in vmware player

3:30 so let's select that option and then we

3:32 want to select the gns3 vm.ova

3:35 file that would be in that zip file and

3:38 import it and that'll take just a minute

3:41 to import

3:43 all right so it is imported and it is

3:45 powered off you don't want to power it

3:46 on here or

3:47 edit the virtual machine settings at

3:49 this point you may think to yourself

3:50 well i know

3:51 vsrx needs at least four gigabytes of

3:54 ram it's set to two gigabytes of ram

3:56 and so okay i'll go ahead and edit the

3:58 vm settings and change that right

4:00 no you don't want to do that because

4:02 gns3 will configure the vm for you

4:04 if you change it here then gns3 will

4:07 change it back and you'll be

4:08 completely confused and not to mention

4:10 it has one cpu as well

4:12 you need more than one cpu for vsrx

4:15 so let's go ahead and click cancel there

4:16 and you want to close this because gns3

4:18 will start at vm player and then try to

4:20 start the virtual machine and if you

4:21 have this open

4:22 you're going to run into some ownership

4:24 problems by doing that so let's go ahead

4:26 and close vm player

4:29 and then we go to edit preferences

4:32 gns3 vm we can see that okay we have it

4:35 enabled

4:36 that looks good and i already have it

4:38 configured the default is actually one

4:41 and i think it's uh two gigs

4:45 and i already had that configured from

4:46 before so you want to set that higher

4:49 you need at least two but this laptop

4:51 i'm using has four cores so let's go

4:53 ahead and do that

4:54 and then you might think to yourself

4:55 well let's go ahead and set it to four

4:57 gigs right and no the actual vm will

5:01 need some

5:01 ram itself and if you fire up anything

5:04 else that uses the vm it'll need more as

5:06 well

5:07 so you want to set that at a gig higher

5:09 what you actually really need

5:11 because the host vm is going to use a

5:13 gig itself

5:14 and so if we set that at five gigs we'll

5:16 be okay so we'll click

5:18 apply click ok there then let's go ahead

5:20 and close gns3 and reopen it

5:24 and it's open and connecting to the

5:27 local host for the server

5:28 and let's go ahead and cancel that and

5:30 we'll open up our project

5:32 that we created just a few minutes ago

5:34 and what it's doing right now is i'm

5:35 going to pull up the vmware player that

5:37 gns3 launched

5:39 it's starting that uh gns3

5:42 vm right now so we'll have to wait for

5:44 that to start and you'll see here in

5:45 gns3

5:46 you'll want this gns3 vm is starting

5:49 you'll see it turn green over here so

5:50 it'll give you a little status update on

5:51 what it's doing and we want to see this

5:53 turn green before we can actually use it

5:56 and so what i'll do here is this will

5:57 take a minute or so so i'm going to

5:59 pause the video

6:00 and i'll start it back up after the vm

6:02 is done booting and you'll be able to

6:03 see here on the left and

6:04 actually that booted up really quick so

6:07 forgot how quickly that did boot up

6:09 and so great it turned green as well

6:10 over here so we can see it's running we

6:12 can see the usage as well

6:13 and things look good so didn't need to

6:15 pause the video that actually starts up

6:16 really quick

6:17 and so okay great so what do we need to

6:19 do next

6:20 what we need to do is we need to open a

6:22 web browser and i've got one right here

6:24 we're going to go to the gns3 website

6:28 and then we need to go to the

6:29 marketplace up top you'll see the links

6:31 and let's go to marketplace and then

6:33 appliances

6:35 and it should be under the most popular

6:36 section pretty close to the top i'm just

6:38 going to do

6:39 oh there it is i was going to do a quick

6:40 search on the page but no need to do

6:41 that

6:42 it's right here juniper vs rex you can

6:44 see it was last updated march 21st 2020

6:47 so

6:48 that is was yesterday for me so this

6:50 gets updated pretty frequently

6:52 so we can select that and you can see

6:54 some information here you can see

6:55 required ram

6:56 is set to four gigs and remember we

6:58 needed to set the

7:00 gns3 vm to five gigs

7:03 and then it gives you some links to

7:05 where you can go download the files

7:07 and notice how it's the qcal2 files we

7:09 talked about that

7:10 and so you can use those links you'll

7:12 need to sign in to do that

7:14 and this is for vsrx2 this is for vsrx3

7:17 i highly recommend you use vsrx3

7:19 it'll run a lot better especially since

7:21 we're doing nested

7:22 uh vsrx2 already does this kind of weird

7:25 nesting thing

7:26 so you'll be doing double nesting if you

7:28 use vsrx2 so use vsx3 so you want to use

7:30 this link down here with the qcad 2 file

7:33 and so just click download

7:37 and we just save that file

7:40 and one thing to keep in mind here is

7:42 when you download this you can leave

7:43 this in the downloads folder gns3 will

7:45 look in there for that image file

7:47 so keep that in mind okay so we

7:49 downloaded that let's go ahead and go

7:50 back to gns3

7:51 and then we'll go to file import

7:54 appliance

7:57 and then we'll import that gns3

8:00 appliance and the only option we can

8:02 select here is to install the appliance

8:04 on gns3 vm

8:05 we talked about that earlier why we need

8:07 to do that because the nest in nature

8:09 and it uses kvm with that and so it's

8:11 scanning directories are

8:12 for files and this scans the downloads

8:14 directory and also the gns3

8:16 directory and anything that pops up is

8:19 ready to install

8:20 these are the different versions it

8:21 supports so great we have the 28.4 r1

8:24 vsrx 3.0 so you just go ahead and select

8:26 that click

8:27 next and it asks us if we want to

8:29 actually install this yes we do

8:31 and then it goes ahead and uploads the

8:34 qca

8:35 2 file to gns3 so it's going to take a

8:38 little bit of time to do that

8:40 and you can see here in the template

8:41 it's giving some information

8:43 it says here it'll be available in the

8:44 firewall category and that was the case

8:46 with older versions of gns3

8:49 however it's in the security category

8:52 now they've changed that the template

8:54 obviously hasn't been

8:55 updated for the vsrx appliance with that

8:58 information

8:59 but just keep that in mind and then we

9:01 have the information of

9:02 initial username as root with no

9:03 password that's important to know

9:05 because when we fire that up we'll want

9:06 to be able to log in to be able to

9:07 configure this thing and

9:09 we need to know what we need to log in

9:11 with right so

9:12 and that's just vs rex in general and so

9:15 yeah we're almost done here

9:16 and look at that it's done well it's

9:18 almost done just goes

9:19 finishing up some tasks all right so you

9:22 can see up top here it's been

9:23 successfully uploaded that's great

9:25 let's click finish and it lets us know

9:28 that it created the template

9:30 and that's going to be under security

9:31 devices here we can see it under

9:33 security devices

9:34 and now we're ready to use this in a

9:36 gns3 topology

9:38 all right so here is our topology let's

9:40 go over our devices real quick

9:43 in here we have vsrx1 and that connects

9:45 to the users

9:46 zone and we have user one at the

9:48 10.10.201

9:50 ip address and then it connects to

9:52 server one in the servers

9:54 zone and server one has an ip address of

9:58 10.10.202.100

9:59 and then vsrx1 connects into the

10:01 internet on the untrust

10:03 zone and the criteria on the right we

10:05 see that gns3 is set up to use the s or

10:08 x1

10:08 we did that in the previous learning

10:10 byte that is a part of this learning

10:12 byte series and so what we need to do is

10:14 we need to connect

10:15 interfaces we need to configure vs or x1

10:18 and then we'll test communication and so

10:20 with that let's go ahead and jump to

10:22 gns3 and get this going

10:26 all right so here is gns3 and you can

10:29 see here we have vsrx

10:31 20.4 r1 3.0 already added we did that

10:35 with the last learning byte we did that

10:38 is a part of this learning byte series

10:40 and then we have the gns3 vm running in

10:44 vmware player and again that was done in

10:46 the last learning byte of this learning

10:48 byte series

10:49 and so let's go ahead and start doing

10:52 this let's move vsrx

10:54 out to the middle and we can rename that

10:57 called vsrx-1

11:00 and then let's add some in hosts

11:03 add one we'll add a second one

11:07 let's name these we'll call this user1

11:12 call this server one and then we need to

11:16 add

11:16 an internet cloud and we'll just rename

11:21 this to

11:22 call this internet and then let's click

11:24 on the connections

11:25 button and start connecting these we

11:27 have ethernet 0 on user 1. let's connect

11:29 it to vs or x1

11:31 now we have a list of interfaces we have

11:33 fxp0 which we know

11:35 as the management interface we don't

11:37 want to connect it to that we want to be

11:38 able to route this traffic so let's go

11:39 ahead and connect it to gige00

11:43 and then same thing with server1 we'll

11:46 connect that to gigi001

11:49 and then we'll connect gigi002

11:52 to the internet now notice we have two

11:54 different interfaces here so you might

11:56 be unsure of which interface to connect

11:58 to

11:59 in this scenario we want to connect it

12:01 to ethernet 3.

12:02 i don't know what happened to ethernet 1

12:04 2 or whatever but we have ethernet and

12:06 ethernet 3.

12:08 and so we want to connect it to ethernet

12:09 3 and i'll show you the reason behind

12:11 that

12:12 so remember that there was two

12:13 interfaces here on the internet cloud

12:16 and that is actually the interfaces on

12:19 the gns3 vm

12:21 and so we jump back to the gns3 vm and

12:24 we look at the settings

12:26 of this vm we can see here we have two

12:29 network adapters

12:31 network adapter and then network adapter

12:33 2.

12:34 the first network adapter is set to a

12:37 host only network which is a private

12:39 network we don't want to use that

12:40 that is used to route traffic for

12:43 anything internally in our topology

12:46 the second adapter you see here is set

12:49 to net

12:50 now that is that ethernet 3 adapter and

12:52 that will allow us

12:54 to get out of our local topology and

12:57 reach

12:57 hosts on the local network or host on

13:00 the internet

13:01 and it will also allow us to

13:04 go in to our topology from our local

13:07 machine here and that'll

13:08 allow us to use something like ssh and

13:11 manage it

13:12 through ssh manage the vsrx1 device

13:14 through ssh instead of using the console

13:16 to manage the

13:17 srx1 device or any other devices in our

13:19 topology for that matter

13:21 okay so with that let's go ahead and

13:22 cancel that and go back to gns3

13:24 and the first thing we want to do is we

13:26 want to start

13:27 vs or x1 and so we just right click

13:31 select start there

13:32 saw that i did that earlier and we have

13:34 a whole bunch of different options

13:37 and one thing i want to point out is now

13:38 that we've started it

13:40 it's booting right and it takes some

13:42 time to boot

13:43 and so we'll go into the console select

13:45 the console option

13:46 and that'll pop up the console and the

13:48 thing i want to point out as we're doing

13:49 this

13:50 is that this is going to take a little

13:52 bit of time in the last learning bite i

13:54 talked about

13:55 how this is a nested vm environment

13:59 the gns3 vm is a vmware running in vm

14:02 player

14:03 and then we're deploying the

14:06 vsrx qcal2 file in kvm

14:10 in the gns3 vm and so we're having a

14:13 nested vm scenario

14:14 and that means it's going to take a

14:15 little bit longer to boot and it will

14:17 take anywhere between

14:19 uh 15 minutes to an hour to

14:22 boot this vsrx device and so

14:26 this is a great time if you're doing

14:27 this to go take a break

14:30 go walk the dog do something else it

14:32 will take some time to boot

14:34 and so but once it's booted it runs fast

14:37 commits fast there's no problem so

14:40 it's just the long wait time when

14:42 booting so with that being said

14:44 i'm going to pause this video right now

14:46 and

14:47 start it back up once the vs1 has booted

14:53 alright so the vsrx

14:56 device has booted let's go ahead and log

14:59 in just root no password

15:02 and the first thing we want to check is

15:04 to make sure that

15:06 the fpc is up and running that we can

15:09 see the pic

15:10 and we don't see anything yet just show

15:12 slot zero

15:13 present that's not what we want to see

15:15 but that just means it's still booting

15:17 we can just look at the fpc we see

15:19 nothing's there and we can see

15:21 some other messages showing up it's just

15:24 still going even though we can log in

15:26 we can't actually do much with that

15:29 yet and if we do show interface test

15:32 gigi

15:32 there'll be nothing and because there's

15:35 no fpc

15:36 that is online it shows fpc xero present

15:39 but it doesn't show anything online and

15:41 we could do the show

15:43 chassis hardware command

15:46 and you can see here that it shows an

15:49 fpc

15:50 and yeah you know that's that's fine we

15:52 just got to wait a little longer for it

15:54 to finish

15:54 completely booting so i'm gonna pause

15:56 this video again

15:58 and then once it's finished completely

16:00 booting i'll start it back up

16:04 all right it's been about five minutes

16:06 let's go ahead and check that again

16:10 and much better slot zero shows online

16:12 for fpc

16:13 and then pick zero shows online as well

16:16 and we see vs or xdp

16:17 dk ge for that and we look at chassis

16:20 hardware you can see fpc

16:22 0 and pixel underneath that that looks

16:25 good

16:26 and just look at the fpc we can see that

16:30 it's online

16:31 things look good there so if we do show

16:34 interface gigi

16:35 star terse we can see we have

16:38 gigi 0 through 2 up

16:41 and those are the interfaces we've

16:43 connected so perfect that's exactly what

16:45 we want to see

16:46 and so let's start configuring vs or x1

16:50 set the hostname to v srx-1

16:54 set uh root authentication

17:02 we'll need to set uh the services

17:06 ssh root login allow

17:10 that way we can log in with root with

17:13 using ssh

17:14 and then we'll need to configure

17:16 interfaces and first i want to delete

17:18 what we have for interfaces delete what

17:20 we have for security we'll be

17:21 configuring that separately

17:22 and so let's go ahead and go into

17:24 interfaces

17:25 and set gige00.0 family inet

17:30 and we're going to set the address

17:36 that puts us in the same subnet as user

17:38 one

17:44 and then same subnet as server one

17:50 then we want to set gigi to

17:55 with an iip address that is going to be

17:57 on the same network as our local network

17:59 that our device

18:00 is running on this will allow us to be

18:01 able to communicate with hosts on the

18:03 local network and host on the internet

18:05 and things like that

18:10 and then let's configure the security

18:12 zones

18:20 very set the interface for that user

18:22 security zone

18:29 and then for the servers the geeky001

18:33 and we'll set some host inbound traffic

18:35 so we can communicate

18:37 with the interface directly and then the

18:40 security zone on trust

18:43 interface is gigi002 and here we would

18:47 want to at least set

18:49 system services ssh we could say any

18:51 services this is just a lab but i'm just

18:53 going to do ssh because we will be

18:55 coming in

18:56 on this device using ssh

19:00 everything looks good there and for ti

19:03 saket time

19:06 i'm just going to set the default policy

19:08 to permit all let's go

19:10 ahead and commit that and we should be

19:12 done configuring vsrx1

19:14 and that's committed so let's go back to

19:15 gns3 topology

19:17 and we do need to start

19:20 user1 and server1

19:23 and then we go to the console for user

19:26 one and we'll configure it

19:28 so here is user one we'll configure the

19:30 ip

19:33 slash 24 then specify the gateway

19:38 then we'll specify a dns server as well

19:43 and then let's go ahead and do the same

19:44 for server one

19:49 so here is server one we'll set the ip

19:55 and subnet mask and then the gateway

20:02 and then we'll set the dns

20:06 and we should be good there so let's go

20:08 ahead and let's jump back to user1

20:11 and oh there's one other quick thing i

20:13 forgot to configure not

20:15 on srx1 so let's do that real quick

20:36 we'll configure the rule

20:43 figure any source address

20:46 and configure source net of interface

20:49 and that will allow

20:50 uh these user one and server one to be

20:53 added when

20:54 going out towards the internet or

20:57 anything on the local network

20:58 okay so let's go ahead and attempt to

21:01 ping let's say

21:02 google market type

21:08 and i did forget one other thing on vs

21:10 or x1 we need to configure the default

21:14 route

21:21 this should help all right so let's go

21:23 back to user one let's try that again

21:25 ah much better much better so we can

21:27 reach stuff on the internet perfect

21:29 now can we ping

21:34 server one

21:38 all right and let's try that again it

21:39 might have just been something like an

21:41 arp resolution issue

21:44 and great it's working now so the art

21:47 just had to resolve

21:48 things are looking good uh let's go

21:49 ahead and attempt

21:51 to open an ssh session to

21:54 vsrx1 now that we've set that up

21:56 correctly and one thing i do want to

21:57 point

21:58 out is that the console session is also

22:00 available

22:02 using the information seen on the right

22:04 here you can open a talent session to

22:06 192 168 178.128 with port 5000 to get to

22:10 vsrx1

22:11 and also console sessions to these other

22:13 devices if you want to use

22:15 say secure crt or something so let's go

22:19 ahead and pull

22:20 up secure crt and attempt to connect

22:23 with ssh to vsrx1 we'll go ahead and

22:26 grab

22:27 a secure crt window and start a new

22:30 connection

22:31 and that was 10.10.1.50

22:35 username of root and we could configure

22:37 a separate username

22:39 and instead of root but yeah things work

22:41 great wherever the login is root

22:43 and we could configure it using secure

22:46 crt with ssh

22:47 from our local machine

22:51 so that does bring us to the end of this

22:53 learning byte series

22:54 and in this learning byte series we

22:56 demonstrated how to set up and configure

22:58 vsrx with gns3 so as always

23:02 thanks for watching visit the juniper

23:06 education

23:06 services website to learn more about

23:09 courses

23:10 view our full range of classroom online

23:13 and e-learning courses learning paths

23:17 industry segment and technology specific

23:19 training paths

23:21 juniper networks certification program

23:24 the ultimate

23:25 demonstration of your confidence and the

23:27 training community

23:29 from forums to social media join the

23:34 discussion

23:38 you

Show more

Next in the series

Watch
4:56
A computer-generated whiteboard image showing 10 letter-sized envelops and six mailboxes below.
Explainable AI Whiteboard Technical Series: Decision Trees Learning Bytes AI & ML
SaveRemove
Watch
16:05
The still image shown is of a black background with white type from a computer programming page. It is a still from the demo showing how to configure data center EVPN-VXLAN. It shows paths and many numbers.
Configuring Data Center EVPN-VXLAN Learning Bytes Data Center
SaveRemove
Watch
13:39
The still image is from the demo and shows a black computer screen with white computer code from top to bottom of the page.
Configuring Data Center ESI LAG Learning Bytes Data Center
SaveRemove
Watch
16:23
Screenshot is from Zach Gibbs demo, showing white code on top of a black screen, as the EVPN-VXLAN verification process is taking place. Words like “input packets” and “output packets” and “VXLAN endpoint type” are shown with data. The bottom paragraph is highlighted in blue.
Seamless EVPN-VXLAN Stitching – Verification Learning Bytes Data Center
SaveRemove
Watch
7:58
A screenshot of a terminal window with code.
Automating Junos Using BASH Scripts Learning Bytes Operations
SaveRemove
Watch
8:08
Screenshot showing a command line interface connected to a Juniper VMX device. 
Passwordless Public Key-based Encrypted SSH Authentication on Junos Learning Bytes Operations
SaveRemove
Watch
14:41
Image is of a black computer screen with lines and lines of code in white.
Deploying vRR on EVE-NG Community Edition Learning Bytes Operations
SaveRemove
Watch
14:34
The still image is a screenshot of the MAC VRF configuration process on a desktop computer. It’s a black computer screen with white code from top to bottom.
Configuring MAC VRF – Isolated Tenants External Interconnect Route Leaking Learning Bytes Data Center
SaveRemove
Watch
13:41
The still image is a screenshot of the MAC VRF verification process on a desktop computer. It’s a black computer screen with white code from top to bottom. Part of the parameters have been highlighted in blue by the presenter, Zach Gibbs, Content Developer, Juniper Networks.
Verifying MAC VRF – Isolated Tenants External Interconnect Route Leaking Learning Bytes Data Center
SaveRemove