How to run Juniper Firefly (vSRX) on KVM -- SRX in a box setup

Juniper has released a virtual form factor SRX called Firefly Perimeter (vSRX). It provides security and networking features of the SRX Series Gateways in a virtual machine format. It can be spawned as a VM on a KVM+QEMU/VMWare hypervisor running on a X86 server.


This post will give details on how to set it up as a standalone SRX box which can be used in any of your network deployments just like a normal SRX.

Pre-requisites

1. Have an X86 server with atleast 4 GB ram, 4 GB harddisk space and two ethernet ports.
2. Install Ubuntu 14.04 on it (Centos should also work provided KVM related changes are taken care of)
3. Assumption: You have logged into the system as root user.

Get the Software

Firefly Perimeter can be download as a part of Juniper's software evaluation program and can be tried out for 60 days. You will need a Juniper account to download it here. For the purpose of this post I will be using the appliance at "Firefly KVM Appliance - FOR EVALUATION^".

Configure the Server

Firefly needs the following software to be installed in order to work properly:

• qemu-kvm
• Libvirt
• OpenvSwitch
• Virtual Machine Manager
• Bridge utils

You can install all of the above by running the command:
 

apt-get install qemu-kvm libvirt-bin bridge-utils \
                virt-manager openvswitch-switch

Firefly Perimeters requires a storage pool configured on the KVM and virtual networks defined before it could be spawned.

Creating a Storage Pool on KVM

 I am using a directory based storage pool for my example. If you want to try out other option you can check them out here.

mkdir /guest_images
chown root:root /guest_images
chmod 700 /guest_images
virsh pool-define-as guest_images dir - - - - "/guest_images"
virsh pool-build guest_images
virsh pool-autostart guest_images
virsh pool-start guest_images

Creating the virtual Networks

As shown in the figure for this deployment, I will be creating two virtual networks and assigning them to Firefly. For this purpose, we will create two XML files with the corresponding network description and then will execute virsh commands to create these networks.

dut.xml

<network>
  <name>data</name>
  <bridge name="br_data" />
  <forward mode="bridge" />
  <virtualport type='openvswitch'/>
</network>

mgmt.xml

<network>
  <name>mgmt</name>
  <bridge name="br_mgmt" />
  <forward mode="bridge" />
</network>

After creating the xml, execute the following commands:

bash# virsh
virsh# net-define mgmt.xml
virsh# net-autostart mgmt
virsh# net-start mgmt

virsh# net-define dut.xml
virsh# net-autostart dut
virsh# net-start dut

Create the bridges

We need to create two bridges: br_mgmt and br_data and add eth0 and eth1 to them as shown in the figure above. 

br_mgmt (linux bridge)

brctl addbr br_mgmt

brctl addif br_mgmt eth0

br_data (Ovs Bridge)

ovs-vsctl add-br br_data

ovs-vsct add-port br_data eth1

Now we need to move the server host ip from eth0 to br_mgmt

vi /etc/network/interfaces
auto eth0
iface eth0 inet manual

auto eth1
iface eth1 inet manual

auto br_mgmt
iface br_mgmt inet static
address xx.xx.xx.xx
netmask 255.255.xxx.0
gateway xx.xx.xx.xx
dns-nameservers xx.xx.xx.xx
#pre-up ip link set eth0 down
pre-up brctl addbr br_mgmt
pre-up brctl addif br_mgmt eth0
post-down ip link set eth0 down
post-down brctl delif br_mgmt eth0
post-down brctl delbr br_mgmt

Restart the networking service by calling /etc/init.d/networking restart

Spawn the VM

Once the storage pool and necessary virtual networks are ready, we can spawn the Firefly VM on the hypervisor using the command:

bash -x junos-vsrx-12.1X47-D10.4-domestic.jva MySRX -i 2::mgmt,data -s guest_images
virsh# start MySRX

You can also use Virtual Machine Manger to start the VM, like so:

In the next post, I will continue on this and give details on initial SRX setup and testing it out.