Juniper cSRX support#3344
Conversation
| # cSRX default is 3 (management + 2 data interfaces) | ||
| # If more interfaces are required, this must be increased. | ||
| # Setting to a higher value than required will break interfaces (no arp etc) | ||
| CSRX_PORT_NUM: 3 |
There was a problem hiding this comment.
I think this can be dynamically generated by the quirk python module?
it can count the interfaces for the node and define the var for each node?
There was a problem hiding this comment.
Oh yeah I meant to ask about that. So the quirks file would be responsible? I'll see if I can figure it out.
There was a problem hiding this comment.
I think 83e54f3 should do it.
I forced an error which resulted in this output:
┌──────────────────────────────────────────────────────────────────────────────────┐
│ CREATING configuration files │
└──────────────────────────────────────────────────────────────────────────────────┘
[ERRORS] Errors found in topology.yml
[ERROR] csrx: cSRX supports a maximum of 16 interfaces. Node fw1 has 17 interfaces.
[HINT] Set defaults.devices.csrx.warnings.csrx_port_num to False to disable this check
[FATAL] Cannot proceed beyond this point due to errors, exiting
Can the hint be disabled? This check should not ever be disabled.
There was a problem hiding this comment.
If you want to have a hard (= cannot be disabled) error, use log.error and set module to csrx (device type). See "requires_plugin" in "devices/_common.py" (that one uses module=node.device because it's a generic thing that works for any device)
|
Starting with a naive question: is this beast different enough that we need a different device (and not just vSRX with provider=clab)? |
|
Aside from feature support, there are some other annoying differences:
I found it simpler to make it a new device with a couple of new templates, and not inherit from vSRX or Junos and list the features it does support rather than adding overrides for those it doesn't. This means if a user attempts to use the ospf module for example (what documentation?), lab startup will fail immediately informing them as such instead of waiting for the module to run and fail with config syntax errors. |
| mgmt_if: fxp0 | ||
| ifindex_offset: 0 | ||
| interface_name: ge-0/0/{ifindex} | ||
| loopback_interface_name: "" # Unsupported on cSRX |
There was a problem hiding this comment.
As you're not inheriting from Junos -- if the loopback is not supported, then don't define this attribute (see asav.yml)
| netlab_show_command: [ cli, -c, 'show $@' ] | ||
| netlab_check_command: who | ||
| netlab_ready: [ ssh ] | ||
| netlab_default_shebang: '#!/config/netlab/netlab-config.sh' |
There was a problem hiding this comment.
Do we want to use this or should we just use NETCONF to configure it? Or is NETCONF not working?
There was a problem hiding this comment.
I based it on cRPD. I thought the connection/deployment methods other than shell scripts relied on Ansible which I know you're not the biggest fan of.
There was a problem hiding this comment.
I thought the connection/deployment methods other than shell scripts relied on Ansible
- Configuration deployment: YES
- Connecting to the device: NO
which I know you're not the biggest fan of.
You're right ;) However, we need Ansible anyway to deploy configurations on other Junos devices, but admittedly the script-based configuration is faster. I'm OK with either one, just don't make it too complicated just to have a bash script.
My bad. I should have checked whether we already have vSRX on clab (and we do). This is clearly not the same (or would require tons of tweaks), so a new device is absolutely warranted.
Yeah, listing everything that DOES NOT work would be totally annoying. |
|
NIce job. This looks ready-to-merge to me (any thoughts @ssasso?). Just a minor detail that I can't check myself: as you map /etc/hosts into the container, do you need to include 'junos/hosts.j2' into the initial config? |
|
and I'm not sure if it's worth noting but if you ping an ipv4 address from a cSRX device, the replies are duplicated somewhere inside the host |
If I got it right: a single ICMP reply comes to the Ethernet interface of cSRX, and then cSRX magically produces two copies of it? If that's the case, leave it to Juniper to sort it out ;)) |
|
yeah, maybe it's too echoey inside the container because of all the missing |
3 participants
Juniper cSRX was added to ContainerLab 0.75.0 https://github.com/srl-labs/containerlab/releases/tag/v0.75.0. This PR adds support for it in Netlab.
There are limited features in cSRX e.g. it does not support routing protocols or VLANs. See https://www.juniper.net/documentation/us/en/software/csrx/csrx-consolidated-deployment-guide/topics/concept/security-csrx-docker-feature-support.html and https://www.juniper.net/documentation/us/en/software/csrx/csrx-consolidated-deployment-guide/csrx-consolidated-deployment-guide.pdf.
It might not be useful to many but I had to lab a weird NAT issue today and netlab would have sped it up so why not spend 20 times longer adding support than it took to do manually?!