Junos OS Features Supported on vSRX

 

This section presents an overview of the Junos OS features on vSRX. It includes

SRX Series Features Supported on vSRX

vSRX inherits most of the branch SRX Series features, with the considerations shown in Table 1.

To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer here:

Feature Explorer: vSRX

Table 1: vSRX Feature Considerations

Feature

Description

Chassis cluster

Generally, on SRX Series instances, the cluster ID and node ID are written into EEPROM. For the vSRX VM, the IDs are saved in boot/loader.conf and read during initialization.

IDP

The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key.

For SRX Series IDP configuration details, see:

Understanding Intrusion Detection and Prevention for SRX Series

In J-Web, use the following steps to add or edit an IPS rule:

  1. Click Security>IDP>Policy>Add.

  2. In the Add IPS Rule window, select All instead of Any for the Direction field to list all the FTP attacks.

ISSU

ISSU is not supported on vSRX.

Transparent mode

The known behaviors for transparent mode support on vSRX are:

  • The default MAC learning table size is restricted to 16,383 entries.

  • VMware vSwitch does not support MAC learning. It also floods traffic to the secondary node. The traffic is silently dropped by the flow on the secondary node.

For information on configuring transparent mode vSRX, see:

Layer 2 Bridging and Transparent Mode Overview

UTM

The UTM feature is subscription based and must be purchased. After purchase, you can activate the UTM feature with the license key.

For SRX Series UTM configuration details, see:

Unified Threat Management Overview

For SRX Series UTM antispam configuration details, see:

Antispam Filtering Overview

SRX Series Features Not Supported on vSRX

vSRX inherits many features from the SRX Series device product line. Table 2 lists SRX Series features that are not applicable in a virtualized environment, that are not currently supported, or that have qualified support on vSRX.

Table 2: SRX Series Features Not Supported on vSRX

| Category | SRX Series Feature | vSRX Notes |
| --- | --- | --- |
| Application Layer Gateways | Avaya H.323 | Not supported |
| Authentication with IC Series Devices | Layer 2 enforcement in UAC deployments | Not supported. Note: UAC-IDP and UAC-UTM also are not supported. |
| Chassis Cluster Support | | Note: Support for chassis clustering to provide network node redundancy is only available on a vSRX deployment in Contrail, VMware, KVM, and Windows Hyper-V Server 2016. |
| Chassis Cluster Support | Chassis cluster for VirtIO driver | Only supported with KVM. Note: The link status of VirtIO interfaces is always reported as UP, so a vSRX chassis cluster cannot receive link up and link down messages from VirtIO interfaces. |
| Chassis Cluster Support | Dual control links | Not supported |
| Chassis Cluster Support | In-band and low-impact cluster upgrades | Not supported |
| Chassis Cluster Support | LAG and LACP (Layer 2 and Layer 3) | Not supported |
| Chassis Cluster Support | Layer 2 Ethernet switching | Not supported |
| Chassis Cluster Support | Low-latency firewall | Not supported |
| Chassis Cluster Support | PPPoE over redundant Ethernet interface. Note: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over a redundant Ethernet interface (PPPoE). | Not supported |
| Chassis Cluster Support | SR-IOV interfaces | Not supported (see the Known Behavior section of the vSRX Release Notes for more information about SR-IOV limitations). |
| Class of Service | High-priority queue on SPC | Not supported |
| Class of Service | Tunnels | Only GRE and IP-IP tunnels supported. Note: A vSRX VM deployed on Microsoft Azure Cloud does not support GRE and Multicast. |
| Data Plane Security Log Messages (Stream Mode) | TLS protocol | Not supported |
| Diagnostics Tools | Flow monitoring cflowd version 9. Note: Starting in Junos OS Release 15.1X49-D80, the vSRX supports J-Flow version 9 flow monitoring on a chassis cluster. | Not supported |
| Diagnostics Tools | Ping Ethernet (CFM) | Not supported |
| Diagnostics Tools | Traceroute Ethernet (CFM) | Not supported |
| DNS Proxy | Dynamic DNS | Not supported |
| Ethernet Link Aggregation | LACP in standalone or chassis cluster mode | Not supported |
| Ethernet Link Aggregation | Layer 3 LAG on routed ports | Not supported |
| Ethernet Link Aggregation | Static LAG in standalone or chassis cluster mode | Not supported |
| Ethernet Link Fault Management | Physical interface (encapsulations): ethernet-ccc, ethernet-tcc | Not supported |
| Ethernet Link Fault Management | Physical interface (encapsulations): extended-vlan-ccc, extended-vlan-tcc | Not supported |
| Ethernet Link Fault Management | Interface family: ccc, tcc | Not supported |
| Ethernet Link Fault Management | Interface family: ethernet-switching | Not supported |
| Flow-Based and Packet-Based Processing | End-to-end packet debugging | Not supported |
| Flow-Based and Packet-Based Processing | Network processor bundling | Not supported |
| Flow-Based and Packet-Based Processing | Services offloading | Not supported |
| Interfaces | Aggregated Ethernet interface | Not supported |
| Interfaces | IEEE 802.1X dynamic VLAN assignment | Not supported |
| Interfaces | IEEE 802.1X MAC bypass | Not supported |
| Interfaces | IEEE 802.1X port-based authentication control with multisupplicant support | Not supported |
| Interfaces | Interleaving using MLFR | Not supported |
| Interfaces | PoE | Not supported |
| Interfaces | PPP interface | Not supported |
| Interfaces | PPPoE-based radio-to-router protocol | Not supported |
| Interfaces | PPPoE interface. Note: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over Ethernet (PPPoE) interface. | Not supported |
| Interfaces | Promiscuous mode on interfaces | Only supported if enabled on the hypervisor |
| IP Security and VPNs | Acadia - Clientless VPN | Not supported |
| IP Security and VPNs | DVPN | Not supported |
| IP Security and VPNs | Hardware IPsec (bulk crypto) Cavium/RMI | Not supported |
| IP Security and VPNs | IPsec tunnel termination in routing instances | Supported on virtual router only |
| IP Security and VPNs | Multicast for AutoVPN | Not supported |
| IPv6 Support | DS-Lite concentrator (aka AFTR) | Not supported |
| IPv6 Support | DS-Lite initiator (aka B4) | Not supported |
| J-Web | Enhanced routing configuration | Not supported |
| J-Web | New Setup Wizard (for new configurations) | Not supported |
| J-Web | PPPoE Wizard | Not supported |
| J-Web | Remote VPN Wizard | Not supported |
| J-Web | Rescue link on dashboard | Not supported |
| J-Web | UTM configuration for Kaspersky antivirus and the default Web filtering profile | Not supported |
| Log File Formats for System (Control Plane) Logs | Binary format (binary) | Not supported |
| Log File Formats for System (Control Plane) Logs | WELF | Not supported |
| Miscellaneous | GPRS. Note: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, the vSRX supports GPRS. | Not supported |
| Miscellaneous | Hardware acceleration | Not supported |
| Miscellaneous | Logical systems | Not supported |
| Miscellaneous | Outbound SSH | Not supported |
| Miscellaneous | Remote instance access | Not supported |
| Miscellaneous | USB modem | Not supported |
| Miscellaneous | Wireless LAN | Not supported |
| MPLS | CCC and TCC | Not supported |
| MPLS | Layer 2 VPNs for Ethernet connections | Only if promiscuous mode is enabled on the hypervisor |
| Network Address Translation | Maximize persistent NAT bindings | Not supported |
| Packet Capture | Packet capture | Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet interfaces (reth). |
| Routing | BGP extensions for IPv6 | Not supported |
| Routing | BGP Flowspec | Not supported |
| Routing | BGP route reflector | Not supported |
| Routing | Bidirectional Forwarding Detection (BFD) for BGP | Not supported |
| Routing | CRTP | Not supported |
| Switching | Layer 3 Q-in-Q VLAN tagging | Not supported |
| Transparent Mode | UTM | Not supported |
| Unified Threat Management | Express AV | Not supported |
| Unified Threat Management | Kaspersky AV | Not supported |
| Upgrading and Rebooting | Autorecovery | Not supported |
| Upgrading and Rebooting | Boot instance configuration | Not supported |
| Upgrading and Rebooting | Boot instance recovery | Not supported |
| Upgrading and Rebooting | Dual-root partitioning | Not supported |
| Upgrading and Rebooting | OS rollback | Not supported |
| User Interfaces | NSM | Not supported |
| User Interfaces | SRC application | Not supported |
| User Interfaces | Junos Space Virtual Director | Only supported with VMware |