Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Junos OS Features Supported on vSRX

 
Summary

This topic provides details of the Junos OS features supported and not supported on vSRX.

SRX Series Features Supported on vSRX

vSRX inherits most of the branch SRX Series features with the following considerations shown in Table 1.

To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: Feature Explorer: vSRX .

Table 1: vSRX Feature Considerations

Feature

Description

IDP

The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key.

For SRX Series IDP configuration details, see:

Understanding Intrusion Detection and Prevention for SRX Series

IPSec VPNs

Starting in Junos OS Release 19.3R1, vSRX supports the following authentication algorithms and encryption algorithms:

  • Authentication algorithm: hmac-sha1-96 and HMAC-SHA-256-128 authentication

  • Encryption algorithm: aes-128-cbc

Starting in Junos OS Release 20.3R1, vSRX supports 10,000 IPsec VPN tunnels.

To support the increased number of IPsec VPN tunnels, a minimum of 19 vCPUs are required. Out of the 19 vCPUs, 3 vCPUs must be dedicated to RE.

You must run the request system software add optional://junos-ike.tgz command the first time you wish to enable increased IPsec tunnel capacity. For subsequent software upgrades of the instance, the junos-ike package is upgraded automatically from the new Junos OS releases installed in the instance. If chassis cluster is enabled then run this command on both the nodes.

You can configure the number of vCPUs allocated to Junos Routing Engine using the set security forwarding-options resource-manager cpu re <value>.

Note: 64 G memory is required to support 10000 tunnels in PMI mode.

[See show security ipsec security-associations, show security ike tunnel-map, and show security ipsec tunnel-distribution.]

Table 2 lists various tunnel types and the respective number of tunnel supported.

Table 2: Tunnel Scaling on vSRX

Types of Tunnels

Number of tunnels supported

Site-Site VPN tunnels

2000

AutoVPN tunnels

10,000

IKE SA (Site-to-site)

2000

IKE SA (AutoVPN)

10,000

IKE SA (Site-to-site + AutoVPN)

10,000

IPSec SA pairs (Site-to-site)

10,000

With 2000 IKE SAs, we can have

10,000 IPSec SA.

IPSec SA pairs (AutoVPN)

10,000

Site-to-site + AutoVPN IPSec SA pairs

2000 Site-to-site 8000 AutoVPN

Site-to-site + AutoVPN tunnels

2000 Site-to-site 8000 AutoVPN

ISSU

ISSU is not supported.

Logical Systems

Starting in Junos OS Release 20.1R1, you can configure logical systems and tenant systems on vSRX and vSRX 3.0 instances.

With Junos OS, you can partition a single security device into multiple logical devices that can perform independent tasks.

Each logical system has its own discrete administrative domain, logical interfaces, routing instances, security firewall and other security features.

See Logical Systems Overview.

PowerMode IPsec

Starting in Junos OS Release 20.1R1, vSRX 3.0 instances support PowerMode IPsec that provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel AES-NI instructions. PowerMode IPsec is a small software block inside the SRX PFE (SRX Packet Forwarding Engine) that is activated when PowerMode is enabled.

Supported Features in PowerMode IPsec

  • IPsec functionality

  • Traffic selectors

  • Secure tunnel interface (st0)

  • All control plane IKE functionality

  • Auto VPN with traffic selector

  • Auto VPN with routing protocol

  • IPv6

  • Stateful Layer 4 firewall

  • High-Availability

  • NAT-T

Non-Supported Features in PowerMode IPsec

  • NAT

  • IPsec in IPsec

  • GTP/SCTP firewall

  • Application firewall/AppSecure

  • QoS

  • Nested tunnel

  • Screen

  • Multicast

  • Host traffic

Tenant Systems

Starting in Junos OS Release 20.1R1, you can configure tenant systems on vSRX and vSRX 3.0 instances.

A tenant system provides logical partitioning of the SRX device into multiple domains similar to logical systems and provides high scalability.

See Tenant Systems Overview.

Transparent mode

The known behaviors for transparent mode support on vSRX are:

  • The default MAC learning table size is restricted to 16,383 entries.

For information about configuring transparent mode for vSRX, see Layer 2 Bridging and Transparent Mode Overview.

UTM

  • The UTM feature is subscription based and must be purchased. After purchase, you can activate the UTM feature with the license key.

  • Starting in Junos OS Release 19.4R1, vSRX 3.0 instances support the Avira scan engine, which is an on-device antivirus scanning engine. See On-Device Antivirus Scan Engine.

  • For SRX Series UTM configuration details, see Unified Threat Management Overview.

  • For SRX Series UTM antispam configuration details, see Antispam Filtering Overview.

  • Advanced resource management (vSRX 3.0)—Starting in Junos OS Release 19.4R1, vSRX 3.0 manages the additional system resource requirements for UTM-and IDP-specific services by reallocating CPU cores and extra memory. These values for memory and CPU cores are not user configured. Previously, system resources such as memory and CPU cores were fixed.

    You can view the allocated CPU and memory for advance security services on vSRX 3.0 instance by using the show security forward-options resource-manager settings command. To view the flow session scaling, use the show security monitoring command.

    [See show security monitoring and show security forward-options resource-manager settings.]

Some Junos OS software features require a license to activate the feature. To understand more about vSRX Licenses, see, Licenses for vSRX. Please refer to the Licensing Guide for general information about License Management. Please refer to the product Data Sheets   for further details, or contact your Juniper Account Team or Juniper Partner.

SRX Series Features Not Supported on vSRX

vSRX inherits many features from the SRX Series device product line. Table 3 lists SRX Series features that are not applicable in a virtualized environment, that are not currently supported, or that have qualified support on vSRX.

Table 3: SRX Series Features Not Supported on vSRX

SRX Series Feature

vSRX Notes

Application Layer Gateways

Avaya H.323

Not supported

Authentication with IC Series devices

Layer 2 enforcement in UAC deployments

Not supported

Note: UAC-IDP and UAC-UTM also are not supported.

Chassis cluster support

Note: Support for chassis clustering to provide network node redundancy is only available on a vSRX deployment in Contrail, VMware, KVM, and Windows Hyper-V Server 2016.

Chassis cluster for VirtIO driver

Only supported with KVM

Note: The link status of VirtIO interfaces is always reported as UP, so a vSRX chassis cluster cannot receive link up and link down messages from VirtIO interfaces.

Dual control links

Not supported

In-band and low-impact cluster upgrades

Not supported

LAG and LACP (Layer 2 and Layer 3)

Not supported

Layer 2 Ethernet switching

Not supported

Low-latency firewall

Not supported

Class of service

High-priority queue on SPC

Not supported

Tunnels

Only GRE and IP-IP tunnels supported

Note: A vSRX VM deployed on Microsoft Azure Cloud does not support GRE and multicast.

Data plane security log messages (stream mode)

TLS protocol

Not supported

Diagnostic tools

Flow monitoring cflowd version 9

Not supported

Ping Ethernet (CFM)

Not supported

Traceroute Ethernet (CFM)

Not supported

DNS proxy

Dynamic DNS

Not supported

Ethernet link aggregation

LACP in standalone or chassis cluster mode

Not supported

Layer 3 LAG on routed ports

Not supported

Static LAG in standalone or chassis cluster mode

Not supported

Ethernet link fault management

Physical interface (encapsulations)

  • ethernet-ccc

  • ethernet-tcc

  • extended-vlan-ccc

  • extended-vlan-tcc

Not supported

Interface family

  • ccc, tcc

  • ethernet-switching

Not supported

Flow-based and packet-based processing

End-to-end packet debugging

Not supported

Network processor bundling

Services offloading

Interfaces

Aggregated Ethernet interface

Not supported

IEEE 802.1X dynamic VLAN assignment

Not supported

IEEE 802.1X MAC bypass

Not supported

IEEE 802.1X port-based authentication control with multisupplicant support

Not supported

Interleaving using MLFR

Not supported

PoE

Not supported

PPP interface

Not supported

PPPoE-based radio-to-router protocol

Not supported

PPPoE interface

Note: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over Ethernet (PPPoE) interface.

Not supported

Promiscuous mode on interfaces

Only supported if enabled on the hypervisor

IPSec and VPNs

Acadia - Clientless VPN

Not supported

DVPN

Not supported

Hardware IPsec (bulk crypto) Cavium/RMI

Not supported

IPsec tunnel termination in routing instances

Supported on virtual router only

Multicast for AutoVPN

Not supported

IPv6 support

DS-Lite concentrator (also called Address Family Transition Router [AFTR])

Not supported

DS-Lite initiator (aka B4)

Not supported

J-Web

Enhanced routing configuration

Not supported

New Setup wizard (for new configurations)

Not supported

PPPoE wizard

Not supported

Remote VPN wizard

Not supported

Rescue link on dashboard

Not supported

UTM configuration for Kaspersky antivirus and the default Web filtering profile

Not supported

Log file formats for system (control plane) logs

Binary format (binary)

Not supported

WELF

Not supported

Miscellaneous

GPRS

Note: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports GPRS.

Not supported

Hardware acceleration

Not supported

Logical systems

Not supported

Outbound SSH

Not supported

Remote instance access

Not supported

USB modem

Not supported

Wireless LAN

Not supported

MPLS

Crcuit cross-connect (CCC) and translational cross-connect (TCC)

Not supported

Layer 2 VPNs for Ethernet connections

Only if promiscuous mode is enabled on the hypervisor

Network Address Translation

Maximize persistent NAT bindings

Not supported

Packet capture

Packet capture

Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet interfaces (reth).

Routing

BGP extensions for IPv6

Not supported

BGP Flowspec

Not supported

BGP route reflector

Not supported

CRTP

Not supported

Switching

Layer 3 Q-in-Q VLAN tagging

Not supported

Transparent mode

UTM

Not supported

Unified threat management

Express AV

Not supported

Kaspersky AV

Not supported

Upgrading and rebooting

Autorecovery

Not supported

Boot instance configuration

Not supported

Boot instance recovery

Not supported

Dual-root partitioning

Not supported

OS rollback

Not supported

User interfaces

NSM

Not supported

SRC application

Not supported

Junos Space Virtual Director

Only supported with VMware