For the private interface, just enable VLAN tagging. When a guest network is 
created, CloudStack will configure the interface with the VLAN and IP.

Minimal config is:

1. Set the management interface with an IP and use this IP while adding the SRX into 
CloudStack.
2. Enable VLAN tagging on the private interface.
3. Set the CloudStack public VLAN on the SRX public interface.
4. Add rules to allow traffic from the trust to the untrust zone.
5. Set appropriate routes for the trust and untrust subnets.


By default, guest traffic from trust (guest) to untrust (public) is blocked on latest 
master. Add egress rules once the guest network is created.

Let me know if you see any issues.

Thanks,
Jayapal

On 14-May-2013, at 10:33 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:

> Hi Jayapal,
>> To add an SRX device into CloudStack, you need to preconfigure the SRX. The SRX 
>> needs 3 interfaces to be added into CloudStack:
>> 1. management interface
>> 2. private/guest network interface
>> 3. public interface
> Ok.  It confirms what I understood :)
>> 
>> Please find the config below. It is a bit old CloudStack config on SRX, but it 
>> will give you an idea.
>> You need to update the firewall filter trust/untrust.
> Which parts actually need to be there for the pre-provisioning? I guess some 
> part of that config example has been done by CloudStack... (i.e. do we need to 
> create guest VLAN interfaces on the private interface right at the 
> beginning?)  In other words, what's the minimal config needed before adding 
> the SRX to CS?
> 
> Thanks!
>> 
>> set version 10.4R6.5
>> set system time-zone Asia/Calcutta
>> set system root-authentication encrypted-password "$1$ucpHjRfH$dNkhOuzKXJxrpAtewvTu.1"
>> set system name-server 208.67.222.222
>> set system name-server 208.67.220.220
>> set system name-server 10.147.28.6
>> set system name-server 4.2.2.2
>> set system services ssh
>> set system services telnet
>> set system services xnm-clear-text
>> set system services web-management http interface vlan.0
>> set system services web-management http interface fe-0/0/0.0
>> set system services web-management https system-generated-certificate
>> set system services web-management https interface vlan.0
>> set system syslog archive size 100k
>> set system syslog archive files 3
>> set system syslog user * any emergency
>> set system syslog file messages any critical
>> set system syslog file messages authorization info
>> set system syslog file interactive-commands interactive-commands error
>> set system max-configurations-on-flash 5
>> set system max-configuration-rollbacks 5
>> set system license autoupdate url https://ae1.juniper.net/junos/key_retrieval
>> set interfaces fe-0/0/0 description "Management Interface"
>> set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
>> set interfaces fe-0/0/1 description "Private network"
>> set interfaces fe-0/0/1 vlan-tagging
>> set interfaces fe-0/0/1 unit 929 vlan-id 929
>> set interfaces fe-0/0/1 unit 929 family inet address 10.0.64.1/20
>> set interfaces fe-0/0/1 unit 1122 vlan-id 1122
>> set interfaces fe-0/0/1 unit 1122 family inet address 10.0.32.1/20
>> set interfaces fe-0/0/4 description "Public Network"
>> set interfaces fe-0/0/4 vlan-tagging
>> set interfaces fe-0/0/4 unit 52 vlan-id 52
>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
>> set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.19/24
>> set interfaces vlan unit 52 family inet
>> set routing-options static route 10.147.40.0/23 next-hop 10.147.40.1
>> set routing-options static route 10.147.40.0/23 install
>> set routing-options static route 10.146.0.0/24 next-hop 10.147.40.1
>> set routing-options static route 10.146.0.0/24 install
>> set routing-options static route 10.147.52.0/24 next-hop 10.147.52.1
>> set routing-options static route 10.147.52.0/24 install
>> set routing-options static route 10.147.39.0/24 next-hop 10.147.40.1
>> set routing-options static route 10.147.29.0/24 next-hop 10.147.40.1
>> set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
>> set routing-options static route 0.0.0.0/0 install
>> set routing-options static route 10.147.28.6/32 next-hop 10.147.52.1
>> set routing-options static route 10.147.28.6/32 install
>> set routing-options static route 10.252.248.0/24 next-hop 10.147.52.1
>> set protocols stp
>> set security nat source pool 10-147-52-113 address 10.147.52.113/32
>> set security nat source rule-set trust from zone trust
>> set security nat source rule-set trust to zone untrust
>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 match source-address 10.0.32.0/20
>> set security nat source rule-set trust rule 10-147-52-113-10-0-32-0-20 then source-nat pool 10-147-52-113
>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.116/32
>> set security nat proxy-arp interface fe-0/0/4.52 address 10.147.52.113/32
>> set security zones security-zone trust address-book address 10-0-78-206 10.0.78.206/32
>> set security zones security-zone trust address-book address 10-0-33-27 10.0.33.27/32
>> set security zones security-zone trust address-book address 10-0-35-239 10.0.35.239/32
>> set security zones security-zone trust host-inbound-traffic system-services all
>> set security zones security-zone trust interfaces fe-0/0/1.929
>> set security zones security-zone trust interfaces fe-0/0/1.1122
>> set security zones security-zone untrust host-inbound-traffic system-services ssh
>> set security zones security-zone untrust host-inbound-traffic system-services ping
>> set security zones security-zone untrust interfaces fe-0/0/4.52
>> set security zones security-zone MGMT host-inbound-traffic system-services all
>> set security zones security-zone MGMT interfaces fe-0/0/0.0
>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
>> set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
>> set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
>> set security policies from-zone trust to-zone trust policy accept-all match source-address any
>> set security policies from-zone trust to-zone trust policy accept-all match destination-address any
>> set security policies from-zone trust to-zone trust policy accept-all match application any
>> set security policies from-zone trust to-zone trust policy accept-all then permit
>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match source-address any
>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match destination-address any
>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust match application any
>> set security policies from-zone MGMT to-zone trust policy MGMT-to-trust then permit
>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match source-address any
>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match destination-address any
>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt match application any
>> set security policies from-zone MGMT to-zone MGMT policy accept-mgmt then permit
>> set firewall filter untrust term 10-147-52-116 from destination-address 10.147.52.116/32
>> set firewall filter untrust term 10-147-52-116 then count 10-147-52-116
>> set firewall filter untrust term 10-147-52-116 then accept
>> set firewall filter untrust term 10-147-52-113 from destination-address 10.147.52.113/32
>> set firewall filter untrust term 10-147-52-113 then count 10-147-52-113
>> set firewall filter untrust term 10-147-52-113 then accept
>> set firewall filter trust term 10-147-52-113 from source-address 10.0.32.0/20
>> set firewall filter trust term 10-147-52-113 then count 10-147-52-113
>> set firewall filter trust term 10-147-52-113 then accept
>> set applications application tcp-22-22 protocol tcp
>> set applications application tcp-22-22 destination-port 22
>> set vlans test vlan-id 52
>> set vlans test l3-interface vlan.52
>> 
>> Thanks,
>> Jayapal
>> 
>> On 14-May-2013, at 7:36 PM, Francois Gaudreault <fgaudrea...@cloudops.com> wrote:
>> 
>>> Hi,
>>> 
>>> I saw in the wiki there is a page for SRX configuration to integrate with 
>>> CloudStack.  However, the steps are not really clear, and the example 
>>> config link is kinda broken.  Does someone have a copy of this example 
>>> config somewhere?
>>> 
>>> Thanks!
>>> 
>>> -- 
>>> Francois Gaudreault
>>> Architecte de Solution Cloud | Cloud Solutions Architect
>>> fgaudrea...@cloudops.com
>>> 514-629-6775
>>> - - -
>>> CloudOps
>>> 420 rue Guy
>>> Montréal QC  H3J 1S6
>>> www.cloudops.com
>>> @CloudOps_
>>> 
>> 
>> 
> 
> 
> -- 
> Francois Gaudreault
> Architecte de Solution Cloud | Cloud Solutions Architect
> fgaudrea...@cloudops.com
> 514-629-6775
> - - -
> CloudOps
> 420 rue Guy
> Montréal QC  H3J 1S6
> www.cloudops.com
> @CloudOps_
> 
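The five-step minimal config Jayapal lists at the top of this thread can be checked mechanically before the SRX is handed to CloudStack. The script below is an added example, not CloudStack or Juniper code: it parses a Junos `set`-format configuration and reports which of the five steps are missing, plus a warning for the cleartext management services (`telnet`, `xnm-clear-text`) that the quoted config enables alongside `ssh`. The default interface names, the public VLAN id 52 and the zone names `trust`/`untrust` are assumptions taken from the quoted config; the "appropriate routes" check is narrowed, by assumption, to requiring a static default route. The sample config embedded in the script is a constructed, trimmed copy of the quoted one.

```python
"""Pre-flight check of a Junos 'set'-format SRX configuration against the five
minimal prerequisites Jayapal lists before adding the SRX to CloudStack.
Added example, not CloudStack or Juniper code. The default interface names,
zone names and public VLAN id are assumptions taken from the quoted config."""

# Constructed sample: a trimmed copy of the quoted config (password hash,
# name servers and most routes dropped). Not a real device.
SAMPLE_CONFIG = """
set interfaces fe-0/0/0 description "Management Interface"
set interfaces fe-0/0/0 unit 0 family inet address 10.147.40.3/23
set interfaces fe-0/0/1 description "Private network"
set interfaces fe-0/0/1 vlan-tagging
set interfaces fe-0/0/4 description "Public Network"
set interfaces fe-0/0/4 vlan-tagging
set interfaces fe-0/0/4 unit 52 vlan-id 52
set interfaces fe-0/0/4 unit 52 family inet address 10.147.52.3/24
set routing-options static route 0.0.0.0/0 next-hop 10.147.52.1
set security zones security-zone trust interfaces fe-0/0/1.929
set security zones security-zone untrust interfaces fe-0/0/4.52
set security policies from-zone trust to-zone untrust policy trust-to-untrust match source-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match destination-address any
set security policies from-zone trust to-zone untrust policy trust-to-untrust match application any
set security policies from-zone trust to-zone untrust policy trust-to-untrust then permit
set system services ssh
set system services telnet
"""


def parse_set_lines(text):
    """Return the token list of every 'set ...' statement, 'set' itself dropped."""
    return [line.split()[1:] for line in text.splitlines()
            if line.strip().startswith("set ")]


def _after(stmts, *prefix):
    """Yield the tokens following `prefix` for each statement that starts with it."""
    n = len(prefix)
    for s in stmts:
        if tuple(s[:n]) == prefix:
            yield s[n:]


def _has(stmts, *prefix):
    """True if at least one statement starts with `prefix`."""
    return any(True for _ in _after(stmts, *prefix))


def check_srx_prereqs(text, mgmt_if="fe-0/0/0", private_if="fe-0/0/1",
                      public_if="fe-0/0/4", public_vlan="52"):
    """Return (ok, problems, warnings) for the five minimal-config steps."""
    stmts = parse_set_lines(text)
    problems, warnings = [], []

    # Step 1: the management interface carries the IP that CloudStack is given.
    if not _has(stmts, "interfaces", mgmt_if, "unit", "0", "family", "inet", "address"):
        problems.append(f"step 1: no inet address on management interface {mgmt_if} unit 0")

    # Step 2: vlan-tagging on the private interface; CloudStack adds the guest
    # units (vlan-id + address) itself when a guest network is created.
    if not _has(stmts, "interfaces", private_if, "vlan-tagging"):
        problems.append(f"step 2: vlan-tagging not enabled on private interface {private_if}")

    # Step 3: a unit on the public interface tagged with the CloudStack public
    # VLAN, and an inet address on that unit.
    public_units = [rest[0] for rest in _after(stmts, "interfaces", public_if, "unit")
                    if rest[1:3] == ["vlan-id", public_vlan]]
    if not any(_has(stmts, "interfaces", public_if, "unit", u, "family", "inet", "address")
               for u in public_units):
        problems.append(f"step 3: no unit on {public_if} with vlan-id {public_vlan} and an inet address")

    # Step 4: a trust -> untrust security policy that ends in 'then permit'.
    permits = [rest[0] for rest in _after(stmts, "security", "policies", "from-zone", "trust",
                                          "to-zone", "untrust", "policy")
               if rest[1:3] == ["then", "permit"]]
    if not permits:
        problems.append("step 4: no permitting security policy from zone trust to zone untrust")

    # Step 5: the thread only says 'appropriate routes'; this check assumes at
    # least a static default route toward the untrust side is part of that.
    if not _has(stmts, "routing-options", "static", "route", "0.0.0.0/0", "next-hop"):
        problems.append("step 5: no static default route (0.0.0.0/0) configured")

    # Not one of the five steps, but worth flagging: the quoted config enables
    # cleartext management services alongside ssh.
    for svc in ("telnet", "xnm-clear-text"):
        if _has(stmts, "system", "services", svc):
            warnings.append(f"cleartext management service enabled: {svc}")

    return (not problems, problems, warnings)


if __name__ == "__main__":
    ok, problems, warnings = check_srx_prereqs(SAMPLE_CONFIG)
    print("ready to add to CloudStack" if ok else "NOT ready")
    for p in problems:
        print("  problem:", p)
    for w in warnings:
        print("  warning:", w)
```

Run it against a `show configuration | display set` dump saved to a file (pass the file contents to `check_srx_prereqs`, with the interface names and public VLAN of your own deployment as keyword arguments). It deliberately does not look for guest VLAN units on the private interface, since those are the part CloudStack configures itself once a guest network exists.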
