Data Center Technologists
Showing results for 
Search instead for 
Do you mean 

Dedicated perimeter firewall for OpenStack Tenants

by Juniper Employee on ‎09-23-2016 12:24 AM


OpenStack is a cloud operating system, using which public/private/hybrid clouds can be built using commodity hardware. In order to provide higher performance and throughput various network vendors who specialize in the networking gear have utilized the plugin mechanism offered by Neutron and have moved out the L2, L3, Firewall, VPN and Load balancing services onto to their respective networking devices.


Juniper Networks provides OpenStack Neutron plugins which enable integration and orchestration of Juniper’s devices in the customer’s network. The plugins provide L2, L3 and Firewall Services. From release 2.5 onwards, the FWaaS plugin can be used to migrate the router/firewall namespaces from OpenStack network node onto a physical SRX/vSRX HA cluster, providing the tenants with enhanced performance, throughput and scalability.


Tenants may have different requirements with regards to performance and cost. Some tenants may require dedicated firewalls for better performance and compliance whereas others may prefer lower cost solution enabled by sharing network resources. There can be scenarios where a tenant requires full administrative access to his networking device so as to leverage the advanced services provided by the device. The above factors require the cloud provider to have the ability to allocate dedicated/shared network resources to the tenants.


Juniper’s Neutron plugin version 2.7 addresses this problem and enables a service provider to allocate dedicated/shared resources (physical/virtual) to his tenants. This feature opens the gates for a service provider to start creating flavors of various network offerings for his tenants.


As an example, a service provider can start creating various flavors as mentioned below:

  • Economy      :        allocate a shared SRX/vSRX for a group of tenants
  • Silver              :        allocate dedicated SRX/vSRX per tenant with default specifications
  • Gold                :        allocate high-end SRX or vSRX





As seen in the above picture, an admin can dedicate SRX/vSRX to a tenant/group of tenants. This procedure is transparent to the tenant and is done using the supplied CLI tools along with Juniper’s neutron plugin version 2.7.


Let’s take a scenario where a tenant requires a dedicated SRX Cluster. The steps required to use this feature are as follows:


  1. Install OpenStack Kilo/Liberty/Mitaka
  2. Install Juniper’s Neutron Plugin version 2.7
  3. Setup the topology using the CLI tools as per the documentation.
  4. Allocate the master SRX to the tenant using the command:

      jnpr_allocate_device add –t <tenant’s_project_id> -d <hostname/IP of the device being allocated>


  1. Define the VRRP cluster and assign it a name.

    jnpr_vrrp_pool add –d <hostname/ip of device> -p <pool name to be assigned>



As illustrated in the above example, it’s a very easy process for the system administrator to allocate SRX/vSRX devices which are in HA/non-HA mode and which are shared or exclusively given to a tenant.


This feature enables a service provider to create network flavors that can be chosen by a tenant for his deployment. It also ensures that a customer gets high availability and great performance. A customer can now be empowered with choice to choose a network security flavor based on his needs.


For any queries regarding this feature you can contact the Juniper Neutron Plugin team @



Juniper Networks Technical Books
About the Author
  • Anil Lohiya is a Principal Engineer in the Campus and Data Center Business unit in Juniper Networks. In his current role, he is leading some of the SDN and Network Virtualization initiatives.
  • I am an Engineer with expertise in Data Packet Forwarding, Software Design & Programming with major domain expertise in QoS (Quality of Services). I have worked across the domains in Data communications field. I love water and am a good swimmer too.
  • Remarkably organized stardust.
  • I have been in the networking industry for over 35 years: PBXs, SNA, Muxes, ATM, routers, switches, optical - I've seen it all. Twelve years in the US, over 25 in Europe, at companies like AT&T, IBM, Bay Networks, Nortel Networks and Dimension Data. Since 2007 I have been at Juniper, focusing on solutions and services: solving business problems via products and projects. Our market is characterized by amazing technological innovations, but technology is no use if you cannot get it to work and keep it working. That is why services are so exciting: this is where the technology moves out of the glossy brochures and into the real world! Follow me on Twitter: @JoeAtJuniper For more about me, go to my LinkedIn profile:
  • Ken Briley is Data Center TME at Juniper Networks focused on Juniper switching product lines. Prior to Juniper Networks, Ken worked at Cumulus Networks as a TME supporting the dis-aggregation movement and before that he spent 15 years at Cisco Systems working in various roles: Technical Support, Technical Marketing Engineer, Network Consulting Engineer and Product Management. Ken has an MS in Electrical Engineering and is CCIE # 9754.
  • Michael Pergament, JNCIE-SP #510, JNCIE-ENT #23, JNCIE-DC #3
  • Raj is a Sr. Cloud Technology Architect with Juniper Networks and focuses on technologies such as VMware, SDN, and OpenStack etc.
  • Rakesh Dubey is the engineering head for Campus and Data Center business unit at Juniper Networks. He has been with Juniper for past six years leading multiple switching products.
  • Sarath Chandra Mekala is a staff engineer with Juniper networks and focuses on implementing Juniper's Openstack Neutron plugins in the areas of Switching, Routing, Firewall and VPN. He is an official contributor to Openstack Neutron FWaaS v2.
  • Sriram is a Sr. Manager in the Campus and Datacenter Business Unit. He is part of the Network Director team and focuses on technologies such as VMware integration, OpenStack etc.