Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

 
 

Understand vSRX Virtual Firewall with KVM

This section presents an overview of vSRX Virtual Firewall on KVM.

vSRX Virtual Firewall on KVM

The Linux kernel uses the kernel-based virtual machine (KVM) as a virtualization infrastructure. KVM is open source software that you can use to create multiple virtual machines (VMs) and to install security and networking appliances.

The basic components of KVM include:

  • A loadable kernel module included in the Linux kernel that provides the basic virtualization infrastructure

  • A processor-specific module

When loaded into the Linux kernel, the KVM software acts as a hypervisor. KVM supports multitenancy and allows you to run multiple vSRX Virtual Firewall VMs on the host OS. KVM manages and shares the system resources between the host OS and the multiple vSRX Virtual Firewall VMs.

Note:

vSRX Virtual Firewall requires you to enable hardware-based virtualization on a host OS that contains an Intel Virtualization Technology (VT) capable processor.

Figure 1 illustrates the basic structure of a vSRX Virtual Firewall VM on an Ubuntu server.

Figure 1: vSRX Virtual Firewall VM on UbuntuvSRX Virtual Firewall VM on Ubuntu

vSRX Virtual Firewall Scale Up Performance

Table 1 shows the vSRX Virtual Firewall scale up performance when deployed on KVM, based on the number of vCPUs and vRAM applied to a vSRX Virtual Firewall VM along with the Junos OS release in which a particular vSRX Virtual Firewall software specification was introduced.

Table 1: vSRX Virtual Firewall Scale Up Performance

vCPUs

vRAM

NICs

Release Introduced

2 vCPUs

4 GB

  • Virtio

  • SR-IOV (Intel 82599, X520/540)

Junos OS Release 15.1X49-D15 and Junos OS Release 17.3R1

5 vCPUs

8 GB

  • Virtio

  • SR-IOV (Intel 82599, X520/540)

Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1

5 vCPUs

8 GB

  • SR-IOV (Intel X710/XL710)

Junos OS Release 15.1X49-D90 and Junos OS Release 17.3R1

1 vCPU

4 GB

SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters.

Junos OS Release 21.2R1

4 vCPUs

8 GB

SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters.

Junos OS Release 21.2R1

8 vCPUs

16GB

SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters.

Junos OS Release 21.2R1

16 vCPUs

32 GB

SR-IOV on the Mellanox ConnectX-4 and ConnectX-5 family adapters.

Junos OS Release 21.2R1

You can scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX Virtual Firewall. The multi-core vSRX Virtual Firewall automatically selects the appropriate vCPUs and vRAM values at boot time, as well as the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU and vRAM settings allocated to a vSRX Virtual Firewall VM do not match what is currently available, the vSRX Virtual Firewall scales down to the closest supported value for the instance. For example, if a vSRX Virtual Firewall VM has 3 vCPUs and 8 GB of vRAM, vSRX Virtual Firewall boots to the smaller vCPU size, which requires a minimum of 2 vCPUs. You can scale up a vSRX Virtual Firewall instance to a higher number of vCPUs and amount of vRAM, but you cannot scale down an existing vSRX Virtual Firewall instance to a smaller setting.

Note:

The number of RSS queues typically matches with the number of data plane vCPUs of a vSRX Virtual Firewall instance. For example, a vSRX Virtual Firewall with 4 data plane vCPUs should have 4 RSS queues.

vSRX Virtual Firewall Session Capacity Increase

vSRX Virtual Firewall solution is optimized to increase the session numbers by increasing the memory.

With the ability to increase the session numbers by increasing the memory, you can enable vSRX Virtual Firewall to:

  • Provide highly scalable, flexible and high-performance security at strategic locations in the mobile network.

  • Deliver the performance that service providers require to scale and protect their networks.

Run the show security flow session summary | grep maximum command to view the maximum number of sessions.

Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX Virtual Firewall instance is increased based on the vRAM size used.

Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX Virtual Firewall 3.0 instance is increased based on the vRAM size used.

Note:

Maximum of 28M sessions are supported on vSRX Virtual Firewall 3.0. You can deploy vSRX Virtual Firewall 3.0 with more than 64G memory, but the maximum flow sessions can still be only 28M.

Table 2 lists the flow session capacity.

Table 2: vSRX Virtual Firewall and vSRX Virtual Firewall 3.0 Flow Session Capacity Details

vCPUs

Memory

Flow Session Capacity

2

4 GB

0.5 M

2

6 GB

1 M

2/5

8 GB

2 M

2/5

10 GB

2 M

2/5

12 GB

2.5 M

2/5

14 GB

3 M

2/5/9

16 GB

4 M

2/5/9

20 GB

6 M

2/5/9

24 GB

8 M

2/5/9

28 GB

10 M

2/5/9/17

32 GB

12 M

2/5/9/17

40 GB

16 M

2/5/9/17

48 GB

20 M

2/5/9/17

56 GB

24 M

2/5/9/17

64 GB

28 M

Change History Table

Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.

Release
Description
19.2R1
Starting in Junos OS Release 19.2R1, the number of flow sessions supported on a vSRX Virtual Firewall 3.0 instance is increased based on the vRAM size used.
18.4R1
Starting in Junos OS Release 18.4R1, the number of flow sessions supported on a vSRX Virtual Firewall instance is increased based on the vRAM size used.