Deploying Firefly Perimeter vSRX on VMWare ESXi 5.x Server

Whats the big deal?

So you’re probably wondering whats the big difference between VMWare Workstation and VMWare ESXi hypervisor and why would you want to run vSRX on VMWare ESXi?

Like most network engineers, they are big time geeks and typically have at least one server in their home which they “tinker” with. In most cases the server typically runs VMWare ESXi which can be used to virtualize multiple virtual machines on a server thus saving precious resources on your desktop for video games, video editing or whatever you like doing… Having your own VMWare ESXi server also minimizes the need for power and cooling as you can have a single physical server running 20-30 VM’s whereas before the days of Virtualization you’d have a nice rack full of servers and a nice electricity bill go go along with it.

This lab will use the same concepts as the previous lab where you deployed vSRX on VMWare Workstation however there are some significant differences in the way you configure the VMs.

For the purposes of this lab, we will be using a Dell 2950 Gen III with Dual Xeon E5420 CPU’s and 16GB of RAM with 4 72GB SAS 3Gbps drives in RAID5. This server has a fresh install of ESXi so we can demonstrate the configuration required to prepare your ESXi server for the Junos Workbook vSRX Lab. Before you can deploy the vSRX OVA there are several prerequisite configuration requirements that must be done first. This will be touched upon in the Pre-Configuration tab.

Before you get Started…

Please note that this lab will demonstrate the importation and configuration of Junos Workbook vSRX Lab. This lab will NOT demonstrate the installation of VMWare ESXi Hypervisor onto a server. You must have an existing ESXi Server running and accessible with a local or remote datastore with a minimum of 8GB of space, 8GB of RAM and a dual-core processor. Also an existing working knowledge of VMWare ESXi is recommended.

If you wish to build your own ESX Server you can download the free version of ESXi 5.5u2 by clicking the button below. You should note that in order to access console port of your vSRX Platform using a Network Connected serial port you’ll need an ESXi Enterprise license. This feature is also enabled on the Evaluation license.

Please note that you’ll need at least a dual-core 64bit processor with 8GB RAM minimum to run the Junos Workbook vSRX Lab.

Creating the VM Networks on vSwitch0

If you have read through the previous lab where you deploy vSRX on VMWare Workstation you’d notice that you needed to create 4 LAN Segments. These LAN Segments were used for communication between the vSRX VMs. on VMWare ESXi you need to create 4 Virtual Machine networks which you will give a name and a 802.1q tag.

To get started first log into your ESXi server and navigate to the Configuration tab and click on “Networking” found under Hardware shown below;

Now click on “Add Networking…” and the following box should pop up as depicted below;

You will be creating a new Virtual Machine network so just click next and you’ll be asked to Create a vSphere Switch or use vSwitch0. Select “Use vSwitch0” as shown below and click next;

Now you’ll be prompted to provide a Network Label for the newly created VM Network along with the VLAN ID. In this case we’re going to use the name “vSRX_LAN1” with the VLAN ID of 101 as shown below;

After clicking next you’ll be presented with a summary of your new VM Network as shown below. Verify that everything looks correct before clicking finish.

After clicking finish you will need to add three more VM Networks for vSRX_LAN2 using VLAN ID 102, vSRX_LAN3 using VLAN ID 103 and vSRX_LAN4 using VLAN ID 104. After you have completed adding all VM Networks it should look something like this;

Modify ESXi Firewall to allow VM Serial

So when we deploy the vSRX Virtual Machines we’re going to add a serial port to each vSRX which will give you the ability to access that vSRX using telnet over the network however you must enable VM Serial over Network under the ESXi firewall configuration.

To do this navigate to the Configuration tab and select Security Profile under Software as shown below;

Now click on Properties located to the right of Firewall and you’ll see the following window;

Now scroll down the list and select check the box next to “VM Serial over network” as shown below and click ok;

Now you’re ready to move onto deploying the vSRX OVA’s as all pre-configuration has been completed.

Deploying the vSRX OVA

Once you have completed all preconfiguration requirements you’re ready to deploy the OVA on ESXi. to do this you’ll click “File” then “Deploy OVF Template…” in your vSphere Client. You should be presented with the following wizard;

Navigate to the OVA file that you’ve downloaded from the Juniper website and click next. You’ll then be presented with the OVF Template Detals as shown below. You can just click next;

After clicking next you’ll be presented with a lovely End User License Agreement as depicted below. Read the EULA and click Accept then click next.

Now you’ll be asked to provide a name for the Virtual Machine that you’re deploying using the given OVA file. In this case we’re going to use vSRX_R1 as shown below;

After providing a name you’ll be asked to select the Disk Format. Please note that if you have multiple datastores you’ll be asked to select a datastore first. We’re just going to leave the default of “Thick Provisioned Lazy Zeroed” as shown below and click next;

Now you should be presented with the Network Mapping as shown below. There are no configurable options at this point so just click next.

Now you’re ready to complete the OVF Deployment. Review the deployment settings as shown below before clicking finish.

Adding the Network Adapters

Before you power on the device you add two more network adapters and configure those adapters to the correct Virtual Machine network.

Edit the settings on your newly deployed vSRX_R1 virtual machine and you should be presented with the following window;

Click on the “Add…” button and you’ll be presented with an “Add Hardware” wizard as shown below.

Select “Ethernet Adapter” and click next. At this point you’ll be ask to select the Adapter Type and Network Connection as shown below. Leave the Adapter type as e1000 and change the Network Connection to vSRX_LAN3. Because when you deploy the vSRX it will automatically have 2 Network Adapters. Adding a new one will become Network Adapter 3 which ultimately becomes Ge-0/0/2 in the vSRX VM.

After selecting the correct Network Connection and clicking next you’ll be prompted to review the options before clicking finished as shown below;

Once you have added the third adapter you will need to add another Network Adapter and assign that Network Adapter to the vSRX_LAN4 network.

You will also need to modify the first and second Network Adapters so they are attached to the correct VM Networks.

After you have successfully added the two additional Network Adapters and configured all adapters to be their correct networks your Virtual Machine settings should look something like this;

Adding the Console Serial Port

NOTICE: In order for the Remote Serial functionality to work you’ll need to use the ESXi Evaluation License or have a valid Enterprise licensed installed.

After you have all the network adapter properties configured correctly you’ll need to add one more thing. A serial port for console mgmt via telnet. This is done by clicking “Add…” under VM Settings and Serial Port from the list. After which you’ll asked for the Serial port Type as shown below;

The default is “Output to file” but for us to manage our vSRX via Console using telnet we’re going to need to select “Connect via Network” and click next.

Now you should be presented with the Network Serial Port Settings. Here you’ll need to select “Server (VM Listens for Connection)” and type in the Port URI telnet://172.16.22.16:2001 whereas 172.16.22.16 is the IP Address of YOUR VMWare ESXi Server. Shown below is an example;

After providing the correct Network Serial Port settings and clicking next you’ll be prompted to review your settings as shown below before clicking finish;

You’ll need to add the Serial Ports to the other vSRX VM’s using ports 2002 for vSRX_R2, 2003 for vSRX_R3 and 2004 for vSRX_R4.

Now you’re ready to power on the vSRX_R1 Virtual Machine.

Keep in mind that you must perform the same process to deploy vSRX_R2, vSRX_R3 and vSRX_R4 before you have a complete Junos Workbook vSRX Lab.

Once you have powered on all vSRX Virtual Machines you can then connect to with Putty or SecureCRT using telnet.

Connect to your vSRX VM via Putty

After you have deployed your vSRX VM’s and the serial port is configured correctly and you have the correct license you’ll be able to connect to the console port of the vSRX VM’s using the IP address and port number specified during the serial port wizard.

Looking back to vSRX_R1 serial port configuration we used the IP address of 172.16.22.16 and the port number of 2001. This is what we’ll use to connect to the console port of vSRX_R1 as demonstrated below;

Once you have added the configuration and clicked open you’ll be presented with a login prompt as shown below;

Connect to your vSRX VM via SecureCRT

Most engineers use a terminal Emulator called SecureCRT which is $99 bucks. Commonly companies will buy this software for their engineers to use as it provides huge benefits over Putty.

However the basic configuration to connect to the vSRX console port remains the same as shown below in a quick connect box.

Once connecting, your sessions will be placed into tabs. Putty also supports tabs with the use of a third parter session manager. SecureCRT supports tabs natively.

As with any session on SecureCRT you can save the session in the Session Manager and name it to vSRX_R1 or whatever you like.