Deploying and Testing Juniper SRX in KVM
Author: Hou Mingming  2020-06-30 08:06:45  Cloud Computing / Virtualization
A virtualized SRX supports DNS proxy, ip in ip tunnel, IPsec VPN and similar features; where the requirements are modest it can be deployed and used in a virtualized environment.
Overview
This article describes how to deploy it in kvm and tests some of its features.
Topics covered: basic configuration of openvswitch, kvm and junos.
Environment setup
Topology
Topology description
- A Linux host with kvm and openvswitch (hereafter ovs) installed
- Two SRXs deployed in kvm, each connected to ovs with 2 ports
- Two namespaces, with iperf3 used to test stability
Deploying SRX in kvm
ovs and kvm network configuration
1. Add the ovs bridge
ovs-vsctl add-br example-ovsbr0
2. Define the kvm network
Edit the xml file as follows
vim example-ovsbr0.xml

<network>
  <name>example-ovsbr0</name>
  <forward mode='bridge'/>
  <bridge name='example-ovsbr0'/>
  <virtualport type='openvswitch'/>
  <portgroup name='VLAN11'>
    <vlan>
      <tag id='11'/>
    </vlan>
  </portgroup>
  <portgroup name='VLAN12'>
    <vlan>
      <tag id='12'/>
    </vlan>
  </portgroup>
  <portgroup name='VLAN13'>
    <vlan>
      <tag id='13'/>
    </vlan>
  </portgroup>
  <portgroup name='VLAN14'>
    <vlan>
      <tag id='14'/>
    </vlan>
  </portgroup>
</network>
3. Create the kvm network
virsh net-define example-ovsbr0.xml
4. Start the network and set it to start automatically
virsh net-start example-ovsbr0
virsh net-autostart example-ovsbr0
Notes
- Change the NIC model to e1000, otherwise the SRX will not recognise the NICs
- Three NICs are needed, corresponding to the SRX ports ge-0/0/0, ge-0/0/1 and ge-0/0/2; ge-0/0/0 is not used
The command is shown below.
virt-install command
virt-install \
  --virt-type=kvm \
  --name=srx-A \
  --vcpus=2 \
  --memory=2048 \
  --network=network=example-ovsbr0,portgroup=VLAN11,model=e1000 \
  --network=network=example-ovsbr0,portgroup=VLAN11,model=e1000 \
  --network=network=example-ovsbr0,portgroup=VLAN13,model=e1000 \
  --disk path=/data/example/vmfiles/srx-A.qcow2,size=40,format=qcow2 \
  --import \
  --graphics none \
  --force

# The other one
virt-install \
  --virt-type=kvm \
  --name=srx-B \
  --vcpus=2 \
  --memory=2048 \
  --network=network=example-ovsbr0,portgroup=VLAN12,model=e1000 \
  --network=network=example-ovsbr0,portgroup=VLAN12,model=e1000 \
  --network=network=example-ovsbr0,portgroup=VLAN14,model=e1000 \
  --disk path=/data/example/vmfiles/srx-B.qcow2,size=40,format=qcow2 \
  --import \
  --graphics none \
  --force
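The network definition and the two virt-install commands above are hand-maintained copies of one another: the same bridge name, VLAN tags and NIC model appear in each. As an added example (not code from the original post), the following Python renders the libvirt network XML and both virt-install command lines from a single topology table, and refuses a NIC placed on a VLAN the bridge has no portgroup for. The bridge name, VLAN tags, VM names, disk paths and NIC-to-VLAN mapping are taken from the post; the function names are ours.

```python
import shlex
import xml.etree.ElementTree as ET

BRIDGE = "example-ovsbr0"
VLANS = [11, 12, 13, 14]

# NIC order matters: the post maps the three NICs, in order, to ge-0/0/0, ge-0/0/1
# and ge-0/0/2. srx-A sits on VLAN11 (outside) and VLAN13 (inside), srx-B on
# VLAN12 and VLAN14. Disk paths are the post's.
VMS = {
    "srx-A": {"vlans": [11, 11, 13], "disk": "/data/example/vmfiles/srx-A.qcow2"},
    "srx-B": {"vlans": [12, 12, 14], "disk": "/data/example/vmfiles/srx-B.qcow2"},
}


def network_xml(bridge, vlans):
    """Build the libvirt <network> definition: an OVS bridge with one tagged portgroup per VLAN."""
    net = ET.Element("network")
    ET.SubElement(net, "name").text = bridge
    ET.SubElement(net, "forward", mode="bridge")
    ET.SubElement(net, "bridge", name=bridge)
    ET.SubElement(net, "virtualport", type="openvswitch")
    for tag in vlans:
        pg = ET.SubElement(net, "portgroup", name=f"VLAN{tag}")
        ET.SubElement(ET.SubElement(pg, "vlan"), "tag", id=str(tag))
    if hasattr(ET, "indent"):  # pretty-print on Python 3.9+
        ET.indent(net)
    return ET.tostring(net, encoding="unicode")


def portgroup_tags(xml_text):
    """Read back {portgroup name: vlan tag} from a network definition, for checking."""
    root = ET.fromstring(xml_text)
    return {pg.get("name"): pg.find("vlan/tag").get("id") for pg in root.findall("portgroup")}


def virt_install_cmd(name, vlans, disk, bridge=BRIDGE, vcpus=2, memory=2048):
    """Return the virt-install argument list for one SRX. Every NIC uses the e1000
    model because, as the post notes, the vSRX does not recognise the default NIC."""
    args = ["virt-install", "--virt-type=kvm", f"--name={name}",
            f"--vcpus={vcpus}", f"--memory={memory}"]
    for tag in vlans:
        if tag not in VLANS:  # refuse a NIC on a VLAN the bridge has no portgroup for
            raise ValueError(f"{name}: no portgroup VLAN{tag} on {bridge}")
        args.append(f"--network=network={bridge},portgroup=VLAN{tag},model=e1000")
    args += ["--disk", f"path={disk},size=40,format=qcow2",
             "--import", "--graphics", "none"]
    return args


def render_all():
    """Network XML plus one shell-quoted virt-install line per VM."""
    xml_text = network_xml(BRIDGE, VLANS)
    cmds = {n: shlex.join(virt_install_cmd(n, v["vlans"], v["disk"])) for n, v in VMS.items()}
    return xml_text, cmds


if __name__ == "__main__":
    xml_text, cmds = render_all()
    print(xml_text)
    for line in cmds.values():
        print(line)
```

Writing the XML to example-ovsbr0.xml and running the printed lines reproduces steps 2 to 4 and the two virt-install invocations; adding a third SRX is one more entry in VMS rather than a third hand-edited command.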
srx configuration
For convenience, I have placed all of the interfaces used here in the trust zone.
srx-A
# Basic settings
set system services ssh
set routing-options static route 0.0.0.0/0 next-hop 172.19.11.254
set interfaces ge-0/0/1 unit 0 family inet address 172.19.11.100/24
set system root-authentication plain-text-password   # you will be prompted to enter the password twice
# dns proxy settings
set system services dns forwarders 114.114.114.114
set system services dns dns-proxy interface ge-0/0/1.0
set system services dns dns-proxy cache test.houm01.cn inet 99.99.99.99   # local DNS A record
# ip ip tunnel settings
set interfaces ip-0/0/0 unit 0 tunnel source 172.19.11.100
set interfaces ip-0/0/0 unit 0 tunnel destination 172.19.12.100
set interfaces ip-0/0/0 unit 0 family inet address 1.1.1.1/30
set routing-options static route 172.19.14.0/24 next-hop ip-0/0/0.0
# Interface zone settings
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ip-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
# Commit the configuration
commit
srx-B
# Basic settings
set system services ssh
set routing-options static route 0.0.0.0/0 next-hop 172.19.12.254
set interfaces ge-0/0/1 unit 0 family inet address 172.19.12.100/24
set system root-authentication plain-text-password   # you will be prompted to enter the password twice
# ip ip tunnel settings
set interfaces ip-0/0/0 unit 0 tunnel source 172.19.12.100
set interfaces ip-0/0/0 unit 0 tunnel destination 172.19.11.100
set interfaces ip-0/0/0 unit 0 family inet address 1.1.1.2/30
# the ns1 subnet behind srx-A is reached through the tunnel (srx-B's own 172.19.14.0/24 is directly connected)
set routing-options static route 172.19.13.0/24 next-hop ip-0/0/0.0
# Interface zone settings
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ip-0/0/0.0 host-inbound-traffic system-services all
set security zones security-zone trust interfaces ge-0/0/0.0 host-inbound-traffic system-services all
# Commit the configuration
commit
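The two SRX configurations differ only in addresses and in which inside subnet is routed into the tunnel, which makes copying one into the other error-prone. As an added example, not the post's own configuration, the following Python renders the set commands for both peers from one table, derives each side's tunnel destination and tunnel route from the other side's entry, and checks that the two tunnel addresses share a single /30. It assumes that the inside address each namespace uses as its default gateway sits on ge-0/0/2 (the third NIC in the post's mapping), which the post does not show; the function names are ours. The `services` parameter goes beyond the post: it lets host-inbound-traffic on the trust-zone interfaces be narrowed from `all` to, for example, ping and ssh.

```python
import ipaddress

# Peer table, addresses as in the post. "inside" is the SRX address the namespaces use
# as their default gateway; it is assumed to sit on ge-0/0/2 (third NIC in the post's
# mapping). The DNS proxy entry is only on srx-A, as in the post.
PEERS = {
    "srx-A": {"outside": "172.19.11.100/24", "gw": "172.19.11.254",
              "inside": "172.19.13.100/24", "tunnel": "1.1.1.1/30",
              "dns": {"forwarder": "114.114.114.114",
                      "cache": {"test.houm01.cn": "99.99.99.99"}}},
    "srx-B": {"outside": "172.19.12.100/24", "gw": "172.19.12.254",
              "inside": "172.19.14.100/24", "tunnel": "1.1.1.2/30"},
}


def host(cidr):
    """'172.19.11.100/24' -> '172.19.11.100'"""
    return str(ipaddress.ip_interface(cidr).ip)


def subnet(cidr):
    """'172.19.13.100/24' -> '172.19.13.0/24'"""
    return str(ipaddress.ip_interface(cidr).network)


def tunnel_consistent(peers):
    """Both tunnel addresses must share one /30 and differ, or the ip-ip link never comes up."""
    nets = {ipaddress.ip_interface(p["tunnel"]).network for p in peers.values()}
    ips = {ipaddress.ip_interface(p["tunnel"]).ip for p in peers.values()}
    return len(nets) == 1 and len(ips) == len(peers)


def render(name, peers=PEERS, services=("all",)):
    """Junos set commands for one SRX. `services` is what host-inbound-traffic allows on the
    trust-zone interfaces; the post uses "all", a narrower tuple such as ("ping", "ssh") works too."""
    me = peers[name]
    peer = next(p for n, p in peers.items() if n != name)
    lines = [
        "set system services ssh",
        "set system root-authentication plain-text-password",
        f"set interfaces ge-0/0/1 unit 0 family inet address {me['outside']}",
        f"set interfaces ge-0/0/2 unit 0 family inet address {me['inside']}",  # assumed inside port
        f"set routing-options static route 0.0.0.0/0 next-hop {me['gw']}",
        # ip-ip tunnel: my outside address to the peer's outside address
        f"set interfaces ip-0/0/0 unit 0 tunnel source {host(me['outside'])}",
        f"set interfaces ip-0/0/0 unit 0 tunnel destination {host(peer['outside'])}",
        f"set interfaces ip-0/0/0 unit 0 family inet address {me['tunnel']}",
        # the peer's inside subnet is reached through the tunnel, never my own subnet
        f"set routing-options static route {subnet(peer['inside'])} next-hop ip-0/0/0.0",
    ]
    if "dns" in me:
        lines.append(f"set system services dns forwarders {me['dns']['forwarder']}")
        lines.append("set system services dns dns-proxy interface ge-0/0/1.0")
        for fqdn, addr in me["dns"]["cache"].items():
            lines.append(f"set system services dns dns-proxy cache {fqdn} inet {addr}")
    for ifname in ("ge-0/0/1.0", "ge-0/0/2.0", "ip-0/0/0.0"):
        for svc in services:
            lines.append("set security zones security-zone trust interfaces "
                         f"{ifname} host-inbound-traffic system-services {svc}")
    lines.append("commit")
    return lines


if __name__ == "__main__":
    if not tunnel_consistent(PEERS):
        raise SystemExit("tunnel addresses are not in one /30")
    for n in PEERS:
        print(f"# {n}")
        print("\n".join(render(n)), end="\n\n")
```

Because the tunnel route is computed from the peer's inside subnet, srx-B automatically gets 172.19.13.0/24 and srx-A gets 172.19.14.0/24; the two sides cannot drift apart the way hand-copied configs do.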
namespace configuration
# Add the namespaces
ip netns add ns1
ip netns add ns2
# Add two "cables"
# The following commands create two veth pairs, veth0~veth1 and veth2~veth3
ip link add type veth
ip link add type veth
# Move one end of each pair into a namespace
ip link set veth1 netns ns1
ip link set veth3 netns ns2
# Attach the host ends to the ovs bridge on the SRX inside VLANs (assumed; this step is not shown in the original post)
ovs-vsctl add-port example-ovsbr0 veth0 tag=13
ovs-vsctl add-port example-ovsbr0 veth2 tag=14
ip link set dev veth0 up
ip link set dev veth2 up
# Configure addresses
ip netns exec ns1 ip addr add 172.19.13.200/24 dev veth1
ip netns exec ns2 ip addr add 172.19.14.200/24 dev veth3
# Bring the ports up
ip netns exec ns1 ip link set dev veth1 up
ip netns exec ns2 ip link set dev veth3 up
# Add default routes
# The next hop is the SRX inside interface
ip netns exec ns1 ip route add default via 172.19.13.100
ip netns exec ns2 ip route add default via 172.19.14.100
Feature tests
DNS resolution test
Test with the dig command from another host
dig www.baidu.com @172.19.11.100

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> www.baidu.com @172.19.11.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40389
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.			IN	A

;; ANSWER SECTION:
www.baidu.com.		1038	IN	CNAME	www.a.shifen.com.
www.a.shifen.com.	146	IN	A	163.177.151.110
www.a.shifen.com.	146	IN	A	163.177.151.109

;; AUTHORITY SECTION:
.			2276	IN	NS	j.root-servers.net.
.			2276	IN	NS	f.root-servers.net.
.			2276	IN	NS	c.root-servers.net.
.			2276	IN	NS	k.root-servers.net.
.			2276	IN	NS	l.root-servers.net.
.			2276	IN	NS	g.root-servers.net.
.			2276	IN	NS	m.root-servers.net.
.			2276	IN	NS	e.root-servers.net.
.			2276	IN	NS	d.root-servers.net.
.			2276	IN	NS	i.root-servers.net.
.			2276	IN	NS	a.root-servers.net.
.			2276	IN	NS	h.root-servers.net.
.			2276	IN	NS	b.root-servers.net.

;; Query time: 55 msec
;; SERVER: 172.19.11.100#53(172.19.11.100)
;; WHEN: Sun May 17 16:56:14 CST 2020
;; MSG SIZE  rcvd: 312

--------------------------------

dig test.houm01.cn @172.19.11.100

; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> test.houm01.cn @172.19.11.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49291
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.houm01.cn.			IN	A

;; ANSWER SECTION:
test.houm01.cn.		86400	IN	A	99.99.99.99

;; AUTHORITY SECTION:
test.houm01.cn.		86400	IN	NS	test.houm01.cn.

;; Query time: 8 msec
;; SERVER: 172.19.11.100#53(172.19.11.100)
;; WHEN: Sun May 17 16:57:01 CST 2020
;; MSG SIZE  rcvd: 73
As you can see, both the public domain name and the custom one resolve without problems.
ip in ip tunnel test
ping ns2 from ns1
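Two details in the captured output tell the answers apart: both have status NOERROR, but only the test.houm01.cn reply carries the `aa` flag, because the SRX answered it from its own dns-proxy cache entry instead of relaying the forwarder's answer. As an added example (not from the original post), the following Python parses the two captures above (the www.baidu.com one trimmed to two AUTHORITY lines) and classifies each answer as forwarded or locally served; the function names are ours.

```python
import re

# The post's two dig answers; the public one is trimmed to two AUTHORITY lines.
PUBLIC = """\
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> www.baidu.com @172.19.11.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40389
;; flags: qr rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.baidu.com.\t\t\tIN\tA

;; ANSWER SECTION:
www.baidu.com.\t\t1038\tIN\tCNAME\twww.a.shifen.com.
www.a.shifen.com.\t146\tIN\tA\t163.177.151.110
www.a.shifen.com.\t146\tIN\tA\t163.177.151.109

;; AUTHORITY SECTION:
.\t\t\t2276\tIN\tNS\tj.root-servers.net.
.\t\t\t2276\tIN\tNS\tf.root-servers.net.

;; Query time: 55 msec
;; SERVER: 172.19.11.100#53(172.19.11.100)
;; WHEN: Sun May 17 16:56:14 CST 2020
;; MSG SIZE  rcvd: 312
"""

LOCAL = """\
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-16.P2.el7_8.3 <<>> test.houm01.cn @172.19.11.100
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49291
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;test.houm01.cn.\t\t\tIN\tA

;; ANSWER SECTION:
test.houm01.cn.\t\t86400\tIN\tA\t99.99.99.99

;; AUTHORITY SECTION:
test.houm01.cn.\t\t86400\tIN\tNS\ttest.houm01.cn.

;; Query time: 8 msec
;; SERVER: 172.19.11.100#53(172.19.11.100)
;; WHEN: Sun May 17 16:57:01 CST 2020
;; MSG SIZE  rcvd: 73
"""


def parse_dig(text):
    """Pull status, header flags, answering server and the ANSWER records out of dig output."""
    status = re.search(r"status: (\w+), id: \d+", text).group(1)
    flags = re.search(r";; flags: ([^;]*);", text).group(1).split()
    server = re.search(r";; SERVER: (\S+)", text).group(1)
    answers, section = [], None
    for line in text.splitlines():
        if line.startswith(";; ") and line.endswith("SECTION:"):
            section = line[3:].split()[0]  # "ANSWER", "AUTHORITY", ...
        elif section == "ANSWER" and line and not line.startswith(";"):
            owner, ttl, _cls, rtype, rdata = line.split(None, 4)
            answers.append({"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    return {"status": status, "flags": flags, "server": server, "answers": answers}


def a_records(result):
    """Only the A records, in answer order."""
    return [r["rdata"] for r in result["answers"] if r["type"] == "A"]


def answer_source(result):
    """'local-cache' when the SRX answered authoritatively from its dns-proxy cache entry
    (aa flag set), 'forwarded' when it relayed the forwarder's answer, 'failed' otherwise."""
    if result["status"] != "NOERROR":
        return "failed"
    return "local-cache" if "aa" in result["flags"] else "forwarded"


if __name__ == "__main__":
    for name, text in (("www.baidu.com", PUBLIC), ("test.houm01.cn", LOCAL)):
        r = parse_dig(text)
        print(name, r["status"], answer_source(r), a_records(r))
```

The `aa` check is the useful one when a dns-proxy cache entry is meant to override a public name: if a query for the overridden name ever comes back without `aa`, the proxy fell through to the forwarder and the override is not in effect.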
ip netns exec ns1 ping 172.19.14.200
PING 172.19.14.200 (172.19.14.200) 56(84) bytes of data.
64 bytes from 172.19.14.200: icmp_seq=1 ttl=62 time=66.5 ms
64 bytes from 172.19.14.200: icmp_seq=2 ttl=62 time=51.7 ms
^C
--- 172.19.14.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 51.769/59.155/66.542/7.390 ms
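The replies above carry ttl=62. A Linux host sends with a starting TTL of 64 and each router on the return path decrements it by one, so 62 means the reply crossed exactly two routers, srx-B and srx-A, which is what a working tunnel path looks like; 63 or 64 would mean the reply bypassed one or both SRXs. As an added example (not from the original post), the following Python parses the ping capture and checks both the loss figure and that hop count. The 64 starting TTL is an assumption about the namespace host, and the function names are ours.

```python
import re

# The post's ping capture from ns1 to ns2, verbatim.
CAPTURE = """\
PING 172.19.14.200 (172.19.14.200) 56(84) bytes of data.
64 bytes from 172.19.14.200: icmp_seq=1 ttl=62 time=66.5 ms
64 bytes from 172.19.14.200: icmp_seq=2 ttl=62 time=51.7 ms
^C
--- 172.19.14.200 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1002ms
rtt min/avg/max/mdev = 51.769/59.155/66.542/7.390 ms
"""

REPLY = re.compile(r"icmp_seq=(\d+) ttl=(\d+) time=([\d.]+) ms")
STATS = re.compile(r"(\d+) packets transmitted, (\d+) received, (\d+)% packet loss")


def parse_ping(text, initial_ttl=64):
    """Per-reply TTL/RTT plus the summary line; a hop count is initial_ttl minus the observed TTL."""
    replies = [(int(seq), int(ttl), float(rtt)) for seq, ttl, rtt in REPLY.findall(text)]
    stats = STATS.search(text)
    if stats is None:
        raise ValueError("no ping statistics line in capture")
    sent, received, loss = (int(g) for g in stats.groups())
    return {
        "sent": sent,
        "received": received,
        "loss_pct": loss,
        # assumes the replying host started at initial_ttl (64 on Linux)
        "hops": sorted({initial_ttl - ttl for _, ttl, _ in replies}),
        "max_rtt_ms": max((rtt for _, _, rtt in replies), default=None),
    }


def tunnel_path_ok(result, expected_hops=2):
    """True when nothing was lost and every reply came back across exactly the expected routers."""
    return (result["received"] == result["sent"]
            and result["loss_pct"] == 0
            and result["hops"] == [expected_hops])


if __name__ == "__main__":
    r = parse_ping(CAPTURE)
    print(r)
    print("tunnel path ok:", tunnel_path_ok(r))
```

Feeding it a capture from a later run makes the same two checks repeatable: a non-zero loss or a hop list other than [2] is a regression worth looking at.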
Performance test
iperf test
Run the following commands to test
# Run the server side in ns1, listening
ip netns exec ns1 iperf3 -s
# Run the client in ns2 against the ns1 server address (veth1, 172.19.13.200), testing for half an hour
ip netns exec ns2 iperf3 -c 172.19.13.200 -t 1800
References
http://www.iwan.wiki/Virtual_router_instances_Juniper_vSRX,_Juniper_vMX_and_GNS3
https://kb.juniper.net/InfoCenter/index?page=content&id=KB23986