Saturday, 4 November 2023

Containerlab and Juniper VSRX3.0


Juniper Virtual SRX on Containerlab







https://containerlab.dev/manual/kinds/vr-vsrx/

The setup is a Juniper vSRX3 running in Containerlab with two Linux hosts.


root@E5450:/home/sonicepk/clab-vsrx# clab version


                           _                   _       _     

                 _        (_)                 | |     | |    

 ____ ___  ____ | |_  ____ _ ____   ____  ____| | ____| | _  

/ ___) _ \|  _ \|  _)/ _  | |  _ \ / _  )/ ___) |/ _  | || \ 

( (__| |_|| | | | |_( ( | | | | | ( (/ /| |   | ( ( | | |_) )

\____)___/|_| |_|\___)_||_|_|_| |_|\____)_|   |_|\_||_|____/ 


    version: 0.47.2

     commit: 0b3991f0

       date: 2023-10-26T10:18:52Z

     source: https://github.com/srl-labs/containerlab

 rel. notes: https://containerlab.dev/rn/0.47/#0472

root@E5450:/home/sonicepk/clab-vsrx# 


root@E5450:/home/sonicepk/clab-vsrx# docker -v

Docker version 24.0.6, build ed223bc

root@E5450:/home/sonicepk/clab-vsrx# 


root@E5450:/home/sonicepk/vrnetlab# git branch

* (HEAD detached at v0.12.0)

  master

root@E5450:/home/sonicepk/vrnetlab# 


root@E5450:/home/sonicepk/vrnetlab/vsrx# ls

docker  junos-vsrx3-x86-64-23.2R1.13.qcow2  Makefile

root@E5450:/home/sonicepk/vrnetlab/vsrx# 


root@E5450:/home/sonicepk/vrnetlab/vsrx# docker image ls | grep srx

vrnetlab/vr-vsrx                                                     23.2R1.13           dd25f7b62ffc   2 days ago      1.67GB

root@E5450:/home/sonicepk/vrnetlab/vsrx# 


root@E5450:/home/sonicepk/clab-vsrx# cat vsrx-linux.yml 

name: vsrx1

topology:

  nodes:

    srx1:

      kind: vr-vsrx

      image: vrnetlab/vr-vsrx:23.2R1.13

      startup-config: srx1.txt 

    client1:

      kind: "linux"

      image: wbitt/network-multitool:alpine-extra

      exec:

        - ip addr add 192.168.1.2/30 dev eth1

        - ip route add 192.168.2.0/30 via 192.168.1.1

    client2:

      kind: "linux"

      image: wbitt/network-multitool:alpine-extra

      exec:

        - ip addr add 192.168.2.2/30 dev eth1

        - ip route add 192.168.1.0/30 via 192.168.2.1

  links:

    - endpoints: ["srx1:eth1", "client1:eth1"]

    - endpoints: ["srx1:eth2", "client2:eth1"]

root@E5450:/home/sonicepk/clab-vsrx# 



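In my tests, the startup-config directive never worked. Containerlab did copy the contents of srx1.txt to startup-config.cfg, but they were never loaded when the lab was started. I always had to log in to the vSRX and add the commands via the Junos CLI. Note that srx1.txt sets `host-inbound-traffic system-services all` on both interfaces, which lets every system service on the vSRX be reached through them; that is convenient in an isolated lab, but anywhere else it should be narrowed to the services actually needed (for example `ssh` and `ping`).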

root@E5450:/home/sonicepk/clab-vsrx/clab-vsrx1/srx1/config# cat startup-config.cfg 


root@E5450:/home/sonicepk/clab-vsrx# cat srx1.txt 

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/30

set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/30

set security zones security-zone trust interfaces ge-0/0/0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/1 host-inbound-traffic system-services all

set system services web-management https system-generated-certificate

set security forwarding-options family mpls mode packet-based


root@E5450:/home/sonicepk/clab-vsrx# 


root@E5450:/home/sonicepk/clab-vsrx# clab inspect --all

+---+-----------------+----------+--------------------+--------------+--------------------------------------+---------+---------+----------------+----------------------+

| # |    Topo Path    | Lab Name |        Name        | Container ID |                Image                 |  Kind   |  State  |  IPv4 Address  |     IPv6 Address     |

+---+-----------------+----------+--------------------+--------------+--------------------------------------+---------+---------+----------------+----------------------+

| 1 | vsrx-alpine.yml | vsrx1    | clab-vsrx1-client1 | f06a4997ac1b | wbitt/network-multitool:alpine-extra | linux   | running | 172.20.20.4/24 | 2001:172:20:20::4/64 |

| 2 |                 |          | clab-vsrx1-client2 | c77b68244805 | wbitt/network-multitool:alpine-extra | linux   | running | 172.20.20.3/24 | 2001:172:20:20::3/64 |

| 3 |                 |          | clab-vsrx1-srx1    | 85e3251a27c1 | vrnetlab/vr-vsrx:23.2R1.13           | vr-vsrx | running | 172.20.20.2/24 | 2001:172:20:20::2/64 |

+---+-----------------+----------+--------------------+--------------+--------------------------------------+---------+---------+----------------+----------------------+

root@E5450:/home/sonicepk/clab-vsrx# 



It takes approximately 5 minutes to boot the vSRX on my old laptop (Intel i5, 8 GB of RAM). The laptop does not have enough grunt to run two instances, but one works fine.

root@E5450:/home/sonicepk/clab-vsrx# docker container ls

CONTAINER ID   IMAGE                                  COMMAND                  CREATED          STATUS                    PORTS                                        NAMES

85e3251a27c1   vrnetlab/vr-vsrx:23.2R1.13             "/launch.py --userna…"   10 minutes ago   Up 10 minutes (healthy)   22/tcp, 830/tcp, 5000/tcp, 10000-10099/tcp   clab-vsrx1-srx1

f06a4997ac1b   wbitt/network-multitool:alpine-extra   "/bin/sh /docker-ent…"   10 minutes ago   Up 10 minutes             80/tcp, 443/tcp, 1180/tcp, 11443/tcp         clab-vsrx1-client1

c77b68244805   wbitt/network-multitool:alpine-extra   "/bin/sh /docker-ent…"   10 minutes ago   Up 10 minutes             80/tcp, 443/tcp, 1180/tcp, 11443/tcp         clab-vsrx1-client2

root@E5450:/home/sonicepk/clab-vsrx#




admin> show configuration | display set 

set version 23.2R1.13

set system root-authentication encrypted-password "$6$B5eNOTgy$Ty5MUZ7GaiTlN33doSrH4dP/mPNiyprXnnglpHeL9.HYcIL5bqtcPzIPVIKAEl0ExcyoMEOvsvH5/a3NH1Nnt1"

set system login user admin uid 2000

set system login user admin class super-user

set system login user admin authentication encrypted-password "$6$TUXLlZlu$.E9gHo.sljNzZCRdgsc1aAW5vkJb2VliIoZBbvqhHTuRXqfkp8PwhjLHT6Sfhm7lm6sht7Zl5zjD7nK3dJ.SJ0"

set system services ssh

set system services netconf ssh

set system services web-management https system-generated-certificate

set system management-instance

set security forwarding-options family mpls mode packet-based

set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all

set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all

set interfaces ge-0/0/0 unit 0 family inet address 192.168.1.1/30

set interfaces ge-0/0/1 unit 0 family inet address 192.168.2.1/30

set interfaces fxp0 unit 0 family inet address 10.0.0.15/24

set routing-instances mgmt_junos routing-options static route 0.0.0.0/0 next-hop 10.0.0.2

set routing-instances mgmt_junos description management-instance


admin> 


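Traceroute from client1---eth1------ge-0/0/0---VSRX---ge-0/0/1----eth1---client2

The `show configuration` output above includes the encrypted-password hashes for root and admin. That matters little in a throwaway lab, but hashes from any device that matters should be redacted before a configuration is shared, because a published hash can be guessed against offline. No security policies appear in that configuration, so the forwarding shown below presumably relies on the packet-based mode set above rather than on stateful flow processing; in that mode the vSRX is behaving as a router, not as a firewall.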


root@E5450:/home/sonicepk/clab-vsrx# docker exec -it clab-vsrx1-client1 ash

/ # ip a show dev eth1

131: eth1@if132: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9500 qdisc noqueue state UP group default 

    link/ether aa:c1:ab:ac:1b:19 brd ff:ff:ff:ff:ff:ff link-netnsid 1

    inet 192.168.1.2/30 scope global eth1

       valid_lft forever preferred_lft forever

    inet6 fe80::a8c1:abff:feac:1b19/64 scope link 

       valid_lft forever preferred_lft forever

/ # ip route

default via 172.20.20.1 dev eth0 

172.20.20.0/24 dev eth0 proto kernel scope link src 172.20.20.4 

192.168.1.0/30 dev eth1 proto kernel scope link src 192.168.1.2 

192.168.2.0/30 via 192.168.1.1 dev eth1 

/ # traceroute 192.168.2.2

traceroute to 192.168.2.2 (192.168.2.2), 30 hops max, 46 byte packets

 1  192.168.1.1 (192.168.1.1)  0.397 ms  0.347 ms  0.290 ms

 2  192.168.2.2 (192.168.2.2)  0.263 ms  0.374 ms  0.762 ms

/ #