Understand vSRX Virtual Firewall with Contrail

This section presents an overview of vSRX Virtual Firewall on Contrail.

vSRX Virtual Firewall on Juniper Networks Contrail

Juniper Networks Contrail is an open, standards-based software solution that delivers network virtualization and service automation for federated cloud networks. It provides self-service provisioning, improves network troubleshooting and diagnostics, and enables service chaining for dynamic application environments across enterprise virtual private cloud (VPC), managed Infrastructure as a Service (IaaS), and Network Functions Virtualization (NFV) use cases.

You can use Contrail with open cloud orchestration systems such as OpenStack or CloudStack to instantiate instances of vSRX Virtual Firewall in a virtual environment. Contrail with vSRX Virtual Firewall provides network services such as firewall, NAT, and load balancing to virtual networks.

Note:

vSRX Virtual Firewall on a KVM hypervisor requires you to enable hardware-based virtualization on a host OS that contains an Intel Virtualization Technology (VT) capable processor.

vSRX Virtual Firewall Scale Up Performance

Table 1 shows the vSRX Virtual Firewall scale up performance based on the number of vCPUs and vRAM applied to a vSRX Virtual Firewall VM along with the Junos OS release in which a particular vSRX Virtual Firewall software specification was introduced.

Table 1: vSRX Virtual Firewall Scale Up Performance

| vCPUs | vRAM | NICs | Release Introduced |
|---|---|---|---|
| 2 vCPUs | 4 GB | Virtio; SR-IOV (Intel X520/X540) | Junos OS Release 15.1X49-D20 |
| 5 vCPUs | 8 GB | Virtio; SR-IOV (Intel X520/X540) | Junos OS Release 15.1X49-D70 and Junos OS Release 17.3R1 |

You can scale the performance and capacity of a vSRX Virtual Firewall instance by increasing the number of vCPUs and the amount of vRAM allocated to the vSRX Virtual Firewall. The multi-core vSRX Virtual Firewall automatically selects the appropriate vCPUs and vRAM values at boot time, as well as the number of Receive Side Scaling (RSS) queues in the NIC. If the vCPU and vRAM settings allocated to a vSRX Virtual Firewall VM do not match what is currently available, the vSRX Virtual Firewall scales down to the closest supported value for the instance. For example, if a vSRX Virtual Firewall VM has 3 vCPUs and 8 GB of vRAM, vSRX Virtual Firewall boots to the smaller vCPU size, which requires a minimum of 2 vCPUs. You can scale up a vSRX Virtual Firewall instance to a higher number of vCPUs and amount of vRAM, but you cannot scale down an existing vSRX Virtual Firewall instance to a smaller setting.

Note:

The number of RSS queues typically matches the number of data plane vCPUs of a vSRX Virtual Firewall instance. For example, a vSRX Virtual Firewall with 4 data plane vCPUs should have 4 RSS queues.