Juniper Firefly Perimeter on OpenStack

Juniper recently announced the General Availability of Firefly Perimeter (also known as JunosV Firefly), a virtual firewall based on Juniper's SRX Services Gateway code. Firefly Perimeter runs as a virtual machine and delivers networking and security features similar to those of the branch SRXes, such as routing, NAT and VPN. It allows you to secure business applications and services in private and public cloud environments. As of version 12.1X46, it supports two hypervisors, namely VMware ESXi and Linux KVM. Each instance of the virtual appliance can support up to ten Gigabit Ethernet vNICs. As I already had an OpenStack lab up and running, I decided to give Firefly Perimeter a try.

Unfortunately, the current Juniper documentation doesn't include any details or installation instructions for OpenStack. Juniper actually provides two packages: one is intended for VMware installations and is distributed in OVA/OVF file format; the second is intended for KVM installations and is distributed as a .JVA file, which is merely an executable script with an embedded binary payload.

The installation script outputs a libvirt XML configuration file, which describes the VM hardware, and an image file in qcow2 format. The latter can easily be imported into OpenStack Glance, so it can be used to spin up new instances of the virtual appliance. Here's a way to extract and import the Juniper Firefly image directly from the console.

Log into an OpenStack host and load the necessary credentials:

[root@host2 eprom]# source /etc/contrail/openstackrc

Extract the Juniper Firefly Perimeter image from the .jva file:

[root@host2 eprom]# cd /var/tmp/
[root@host2 tmp]# chmod 755 junos-vsrx-12.1X46-D10.2-domestic.jva
[root@host2 tmp]# ./junos-vsrx-12.1X46-D10.2-domestic.jva -x
[root@host2 tmp]# cd junos-vsrx-12.1X46-D10.2-domestic-1387348130/

Create a new image inside Glance:

[root@host2 junos-vsrx-12.1X46-D10.2-domestic-1387348130]# glance image-create --name "Juniper Firefly Perimeter (12.1X46-D10)" --disk-format qcow2 --container-format bare --is-public True --file junos-vsrx-12.1X46-D10.2-domestic.img
| Property         | Value                                   |
| checksum         | 0624c3578c1db6bfa726b7c867bce717        |
| container_format | bare                                    |
| created_at       | 2014-01-29T14:34:22                     |
| deleted          | False                                   |
| deleted_at       | None                                    |
| disk_format      | qcow2                                   |
| id               | b6fef2d1-7b41-4d69-9a38-5d8e06d02622    |
| is_public        | True                                    |
| min_disk         | 0                                       |
| min_ram          | 0                                       |
| name             | Juniper Firefly Perimeter (12.1X46-D10) |
| owner            | e75c57bb8334465093c13164f02aa91a        |
| protected        | False                                   |
| size             | 271843328                               |
| status           | active                                  |
| updated_at       | 2014-01-29T14:34:23                     |

Verify the image has been properly loaded into Glance:

[root@host2 tmp]# glance image-list
| ID                                   | Name                                       | Disk Format | Container Format | Size      | Status |
| 2731667e-91f5-4662-9a43-40740debd6e1 | CirrOS 0.3.0                               | qcow2       | bare             | 9761280   | active |
| b6fef2d1-7b41-4d69-9a38-5d8e06d02622 | Juniper Firefly Perimeter (12.1X46-D10)    | qcow2       | bare             | 271843328 | active |
| 5ae9bc37-8fef-4cdc-a112-c952cbf7ca02 | Ubuntu Server 12.04 LTS (Precise Pangolin) | qcow2       | bare             | 255066112 | active |
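
The qcow2 format and the checksum row shown above can be checked mechanically. This is an added example, not part of the original post: it confirms that a file is a standalone qcow2 image (no backing-file reference) before upload and compares its local MD5 with the `checksum` row Glance prints. The function names and the 16-byte sample header are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity checks around a Glance import.

# Print the Value column of one Property row from a glance table on stdin.
glance_field() {
    awk -F'|' -v key="$1" '
        { k = $2; v = $3
          gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v) }
        k == key { print v; exit }'
}

# Hex string of COUNT bytes starting at OFFSET in FILE.
hex_at() {
    od -An -v -tx1 -j "$2" -N "$3" "$1" | tr -d ' \n'
}

# qcow2 header layout: bytes 0-3 are the magic "QFI\xfb"; bytes 8-15 hold the
# backing-file offset, which is zero when the image depends on no other file.
# Returns 0 = standalone qcow2, 1 = not qcow2, 2 = references a backing file.
is_standalone_qcow2() {
    [ "$(hex_at "$1" 0 4)" = "514649fb" ] || return 1
    [ "$(hex_at "$1" 8 8)" = "0000000000000000" ] || return 2
}

# Succeeds when the MD5 of FILE equals the checksum row of the table on stdin.
matches_glance_checksum() {
    local_sum=$(md5sum "$1" | awk '{ print $1 }')
    [ "$local_sum" = "$(glance_field checksum)" ]
}

# Constructed sample: a 16-byte qcow2-style header with no backing file, and a
# glance-style table row carrying its MD5 (stand-ins for the real image/output).
tmp=$(mktemp)
printf 'QFI\373\000\000\000\002\000\000\000\000\000\000\000\000' > "$tmp"
table="| checksum | $(md5sum "$tmp" | awk '{ print $1 }') |"
is_standalone_qcow2 "$tmp" && echo "header: standalone qcow2"
printf '%s\n' "$table" | matches_glance_checksum "$tmp" && echo "checksum: matches glance"
rm -f "$tmp"
```

On a real host, pipe the output of glance image-create (or glance image-show) into matches_glance_checksum together with the path to the extracted .img file. A match shows the stored image is byte-identical to the local file; it does not establish that the vendor package itself is authentic.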

Once the image has been imported into Glance, it shows up on the OpenStack dashboard as a regular image. For Firefly Perimeter to work correctly, each instance must have at least 2 vCPUs; without them, Junos cannot properly detect the virtual Ethernet interfaces. To ensure you always provision these two vCPUs, the best practice is to create a new instance flavor. To do so, log in to the OpenStack dashboard as the admin user and create a new flavor with the following parameters, which match the minimum requirements:

  • VCPUS: 2
  • RAM MB: 2048
  • Root Disk GB: 2
  • Ephemeral Disk GB: 0
  • Swap Disk: 0

You can now spin up an instance inside your project, as I quickly demonstrated in this video:

The instance flavor you created can also be used inside Juniper Contrail's service templates. These service templates can then be used to activate service chaining.

Openstack: Edit Flavor

As a standalone appliance, or as a true NFV enabler, Juniper Firefly Perimeter will certainly attract attention in the coming months. In the meantime, Juniper is among the few vendors, along with Cisco, Brocade and F5 Networks, to provide virtual appliances. What is really interesting here is the new possibilities introduced by the virtualization of network functions, including but not limited to easier upgrades using image snapshots, high-availability clustering, more flexible licensing models, and better use of spare computing resources.

About the author Nicolas Chabbey

Nicolas Chabbey is a Network Engineer certified with Cisco Systems and Juniper Networks. He began his career in 2003, and has designed, implemented and maintained networks for enterprises and service providers. When he is not behind a computer, he is riding his mountain bike across the Swiss Alps.
