vSRX

vSRX in EVE-NG

11-09-2019 10:32 AM

Hello all. I am trying to get a simple 2-device topology in EVE-NG up and running with 2 x vSRXs (evaluation version). I am new to Junos and new to EVE.


For some reason, once I go into the CLI I don't see the ge interfaces (e.g. ge-0/0/1) until some time after. Why is this? Should these not show up immediately once the devices are booted up? I have attached a pic showing the topology.


Eventually they do show, and I am able to confirm this with show interfaces terse. I have configured IP addresses in unit 0 inet family on the relevant interfaces on both devices, but now I am unable to ping between devices. Are there any security settings I need to disable? I've included my config below. For convenience I have shown only info from one vSRX, as both devices are configured the same aside from IP addresses.


Thanks,

Bav


root> show version
Model: vSRX
Junos: 19.2R1.8


root> show chassis hardware
Hardware inventory:
Item Version Part number Serial number Description
Chassis f0def23d5270 VSRX
Midplane
System IO
Routing Engine VSRX-S
FPC 0 FPC
PIC 0 VSRX DPDK GE
Power Supply 0


root> show configuration
## Last commit: 2019-11-09 18:05:14 UTC by root
version 20190606.224121_builder.r1033375;
system {
root-authentication {
encrypted-password "$6$fmYqXH7m$.3aCwVS/i0lD/yOyha/2eLa8dARTS/D..T/MZrOn ag9qWgcpVxWiydh9ogQv.GrXp1GW2ExwHLo4tNLJ7MAGv0"; ## SECRET-DATA
}
services {
ssh;
web-management {
http {
interface fxp0.0;
}
}
}
syslog {
user * {
any emergency;
}
file messages {
any any;
authorization info;
}
file interactive-commands {
interactive-commands any;
}
}
license {
autoupdate {
url https://ae1.juniper.net/junos/key_retrieval;
}
}
}
security {
forwarding-options {
family {
inet6 {
mode packet-based;
}
mpls {
mode packet-based;
}
iso {
mode packet-based;
}
}
}
screen {
ids-option untrust-screen {
icmp {
ping-death;
}
ip {
source-route-option;
tear-drop;
}
tcp {
syn-flood {
alarm-threshold 1024;
attack-threshold 200;
source-threshold 1024;
destination-threshold 2048;
queue-size 2000; ## Warning: 'queue-size' is deprecated
timeout 20;
}
land;
}
}
}
inactive: policies {
from-zone trust to-zone trust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
from-zone trust to-zone untrust {
policy default-permit {
match {
source-address any;
destination-address any;
application any;
}
then {
permit;
}
}
}
}
zones {
security-zone trust {
tcp-rst;
}
security-zone untrust {
screen untrust-screen;
}
}
}
interfaces {
ge-0/0/2 {
unit 0 {
family inet {
address 192.168.1.3/24;
}
}
}
fxp0 {
unit 0;
}
}

root>


Re: vSRX in EVE-NG

11-09-2019 10:33 AM

For some reason the picture didn't attach. The topology is vSRX1 ge-0/0/1 to vSRX2 ge-0/0/2.


Re: vSRX in EVE-NG

11-10-2019 11:29 AM

Hi,

I have very limited knowledge about EVE-NG, but I think I can pinpoint your issue 🙂


Regarding the experience where your vSRX is booted but the ge- interfaces are missing until a bit later... that is by design, with the separate control plane and forwarding plane. The control plane (routing engine) is booted first, and then the forwarding plane is initiated on your vSRX. This creates the delay.


To allow ping between your devices you should ensure that 'host-inbound-traffic system-services ping' is allowed in your security zone. Right now nothing is allowed inbound to your vSRX. For a lab you could go with 'all' instead of 'ping' to allow all services.


I hope this helps get your topology working.


--
Best regards,

Jonas Hauge Klingenberg
Juniper Ambassador & Technology Architect, SEC DATACOM A/S (Denmark)

Re: vSRX in EVE-NG

12-08-2019 08:54 AM

Hi Jonas,


Thanks for pointing me in the right direction. I've managed to get my lab going. For info this is the config I used.


cli-admin@my-junos> ...n security zones security-zone trust | display set
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all

cli-admin@my-junos>
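As an added example (not from this thread or from Juniper), a small Python lint over 'display set' output like the one above: it parses host-inbound-traffic settings per zone and per interface, reports whether ICMP echo would be answered on a given interface, and flags everywhere 'all' is enabled, which is fine for the lab but too broad for a zone facing an untrusted network. The sample config is constructed from the thread's lines plus an assumed 'untrust' zone; the precedence rule it applies (an interface's own system-services list replaces the zone-level list when one is configured) is an assumption about Junos behaviour, not something the thread states.

```python
"""Lint Junos 'display set' security-zone output for host-inbound-traffic."""
import re
from collections import defaultdict

ZONE_RE = re.compile(
    r"^set security zones security-zone (\S+)"
    r"(?: interfaces (\S+))?"
    r" host-inbound-traffic (system-services|protocols) (\S+)$"
)

# Constructed sample: the thread's trust zone plus an assumed untrust zone.
SAMPLE_CONFIG = """
set security zones security-zone trust tcp-rst
set security zones security-zone trust host-inbound-traffic system-services all
set security zones security-zone trust host-inbound-traffic protocols all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
set security zones security-zone untrust screen untrust-screen
set security zones security-zone untrust host-inbound-traffic system-services ssh
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services ping
"""

def parse_host_inbound(config_text):
    """Map zone -> {"zone": {kind: set}, "interfaces": {ifl: {kind: set}}}."""
    zones = {}
    for line in config_text.splitlines():
        m = ZONE_RE.match(line.strip())
        if not m:
            continue  # tcp-rst, screen, address-book lines etc. are not relevant here
        zone, ifl, kind, name = m.groups()
        z = zones.setdefault(zone, {"zone": defaultdict(set), "interfaces": {}})
        scope = z["zone"] if ifl is None else z["interfaces"].setdefault(ifl, defaultdict(set))
        scope[kind].add(name)
    return zones

def ping_allowed(zones, zone, ifl):
    """True if the routing engine would answer ICMP echo arriving on ifl in zone.
    Assumption: an interface-level system-services list, when present, takes
    precedence over the zone-level list; 'all' includes ping."""
    z = zones.get(zone)
    if z is None:
        return False  # interface not in any configured zone: nothing is accepted
    ifl_scope = z["interfaces"].get(ifl)
    services = ifl_scope["system-services"] if ifl_scope and ifl_scope["system-services"] \
        else z["zone"]["system-services"]
    return bool(services & {"ping", "all"})

def lab_only_settings(zones):
    """Sorted (zone, scope, kind) tuples where 'all' is enabled; scope is 'zone' or an ifl."""
    findings = []
    for zone, z in zones.items():
        findings += [(zone, "zone", k) for k, v in z["zone"].items() if "all" in v]
        for ifl, scope in z["interfaces"].items():
            findings += [(zone, ifl, k) for k, v in scope.items() if "all" in v]
    return sorted(findings)
```

Feed it real output from 'show configuration security zones | display set' and review every tuple returned by lab_only_settings before a zone goes anywhere near untrusted traffic.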
