Junos OS Features Supported on vSRX
This topic provides details of the Junos OS features supported and not supported on vSRX.
SRX Series Features Supported on vSRX
vSRX inherits most of the branch SRX Series features with the following considerations shown in Table 1.
To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: Feature Explorer: vSRX.
Table 1: vSRX Feature Considerations
The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key.
For SRX Series IDP configuration details, see:
Starting in Junos OS Release 19.3R1, vSRX supports the following authentication algorithms and encryption algorithms:
Starting in Junos OS Release 20.3R1, vSRX supports 10,000 IPsec VPN tunnels.
To support the increased number of IPsec VPN tunnels, a minimum of 19 vCPUs is required. Of the 19 vCPUs, 3 vCPUs must be dedicated to the RE.
The first time you enable increased IPsec tunnel capacity, you must run the request system software add optional://junos-ike.tgz command. For subsequent software upgrades of the instance, the junos-ike package is upgraded automatically from the new Junos OS releases installed in the instance. If chassis cluster is enabled, run this command on both nodes.
You can configure the number of vCPUs allocated to the Junos Routing Engine using the set security forwarding-options resource-manager cpu re <value> command.
Note: 64 G memory is required to support 10000 tunnels in PMI mode.
Table 2 lists the tunnel types and the number of tunnels supported for each.
Table 2: Tunnel Scaling on vSRX
ISSU is not supported.
Starting in Junos OS Release 20.1R1, you can configure logical systems and tenant systems on vSRX and vSRX 3.0 instances.
With Junos OS, you can partition a single security device into multiple logical devices that can perform independent tasks.
Each logical system has its own discrete administrative domain, logical interfaces, routing instances, security firewall and other security features.
Starting in Junos OS Release 20.1R1, vSRX 3.0 instances support PowerMode IPsec that provides IPsec performance improvements using Vector Packet Processing (VPP) and Intel AES-NI instructions. PowerMode IPsec is a small software block inside the SRX PFE (SRX Packet Forwarding Engine) that is activated when PowerMode is enabled.
Supported Features in PowerMode IPsec
Non-Supported Features in PowerMode IPsec
Starting in Junos OS Release 20.1R1, you can configure tenant systems on vSRX and vSRX 3.0 instances.
A tenant system provides logical partitioning of the SRX device into multiple domains similar to logical systems and provides high scalability.
The known behaviors for transparent mode support on vSRX are:
For information about configuring transparent mode for vSRX, see Layer 2 Bridging and Transparent Mode Overview.
Some Junos OS software features require a license to activate the feature. To understand more about vSRX licenses, see Licenses for vSRX. Please refer to the Licensing Guide for general information about License Management.
Please refer to the product Data Sheets
SRX Series Features Not Supported on vSRX
vSRX inherits many features from the SRX Series device product line. Table 3 lists SRX Series features that are not applicable in a virtualized environment, that are not currently supported, or that have qualified support on vSRX.
Table 3: SRX Series Features Not Supported on vSRX
SRX Series Feature
|Application Layer Gateways|
|Authentication with IC Series devices|
Layer 2 enforcement in UAC deployments
Note: UAC-IDP and UAC-UTM also are not supported.
Note: Support for chassis clustering to provide network node redundancy is only available on a vSRX deployment in Contrail, VMware, KVM, and Windows Hyper-V Server 2016.
Chassis cluster for VirtIO driver
Only supported with KVM
Note: The link status of VirtIO interfaces is always reported as UP, so a vSRX chassis cluster cannot receive link up and link down messages from VirtIO interfaces.
Dual control links
In-band and low-impact cluster upgrades
LAG and LACP (Layer 2 and Layer 3)
Layer 2 Ethernet switching
|Class of service|
High-priority queue on SPC
Only GRE and IP-IP tunnels supported
Note: A vSRX VM deployed on Microsoft Azure Cloud does not support GRE and multicast.
|Data plane security log messages (stream mode)|
Flow monitoring cflowd version 9
Ping Ethernet (CFM)
Traceroute Ethernet (CFM)
|Ethernet link aggregation|
LACP in standalone or chassis cluster mode
Layer 3 LAG on routed ports
Static LAG in standalone or chassis cluster mode
|Ethernet link fault management|
Physical interface (encapsulations)
|Flow-based and packet-based processing|
End-to-end packet debugging
Network processor bundling
Aggregated Ethernet interface
IEEE 802.1X dynamic VLAN assignment
IEEE 802.1X MAC bypass
IEEE 802.1X port-based authentication control with multisupplicant support
Interleaving using MLFR
PPPoE-based radio-to-router protocol
Note: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over Ethernet (PPPoE) interface.
Promiscuous mode on interfaces
Only supported if enabled on the hypervisor
|IPSec and VPNs|
Acadia - Clientless VPN
Hardware IPsec (bulk crypto) Cavium/RMI
IPsec tunnel termination in routing instances
Supported on virtual router only
Multicast for AutoVPN
DS-Lite concentrator (also called Address Family Transition Router [AFTR])
DS-Lite initiator (aka B4)
Enhanced routing configuration
New Setup wizard (for new configurations)
Remote VPN wizard
Rescue link on dashboard
UTM configuration for Kaspersky antivirus and the default Web filtering profile
|Log file formats for system (control plane) logs|
Binary format (binary)
Note: Starting in Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1, vSRX supports GPRS.
Remote instance access
Circuit cross-connect (CCC) and translational cross-connect (TCC)
Layer 2 VPNs for Ethernet connections
Only if promiscuous mode is enabled on the hypervisor
|Network Address Translation|
Maximize persistent NAT bindings
Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet interfaces (reth).
BGP extensions for IPv6
BGP route reflector
Layer 3 Q-in-Q VLAN tagging
|Unified threat management|
|Upgrading and rebooting|
Boot instance configuration
Boot instance recovery
Junos Space Virtual Director
Only supported with VMware