Requirements for vSRX Virtual Firewall on Microsoft Hyper-V
This section presents an overview of requirements for deploying a vSRX Virtual Firewall instance on Microsoft Hyper-V.
Software Requirements
Table 1 lists the software requirements for the vSRX Virtual Firewall instance on Microsoft Hyper-V.
Only the vSRX Virtual Firewall small flavor is supported on Microsoft Hyper-V. vSRX Virtual Firewall 3.0 multi-CPU versions are supported on Microsoft Hyper-V.
Component |
Specification |
|---|---|
Hypervisor support |
|
Memory |
4 GB |
Disk space |
16 GB (IDE or SCSI drives) |
vCPUs |
2 |
Virtual network adapters |
8 Hyper-V specific network adapters |
Component |
Specification |
|---|---|
Hypervisor support |
|
Memory |
4 GB |
Disk space |
18 GB (IDE) |
vCPUs |
2 |
Virtual network adapters |
8 Hyper-V specific network adapters |
Starting in Junos OS Release 19.1R1, the vSRX Virtual Firewall 3.0 instance supports guest OS with 2 vCPUs, 4-GB virtual RAM, and a 18-GB disk space on Microsoft Hyper-V and Azure for improved performance.
Hardware Requirements
Table 3 lists the hardware specifications for the host machine that runs the vSRX Virtual Firewall VM.
Component |
Specification |
|---|---|
Host memory size |
Minimum 4 GB |
Host processor type |
x86 or x64-based multicore processor Note:
DPDK requires Intel Virtualization VT-x/VT-d support in the CPU. See About Intel Virtualization Technology. |
Gigabit (10/100/1000baseT) Ethernet adapter |
Emulates the multiport DEC 21140 10/100TX 100 MB Ethernet network adapter with one to four network connections. |
Best Practices for Improving vSRX Virtual Firewall Performance
Review the following practices to improve vSRX Virtual Firewall performance.
NUMA Nodes
The x86 server architecture consists of multiple sockets and multiple cores within a socket. Each socket also has memory that is used to store packets during I/O transfers from the NIC to the host. To efficiently read packets from memory, guest applications and associated peripherals (such as the NIC) should reside within a single socket. A penalty is associated with spanning CPU sockets for memory accesses, which might result in nondeterministic performance. For vSRX Virtual Firewall, we recommend that all vCPUs for the vSRX Virtual Firewall VM are in the same physical non-uniform memory access (NUMA) node for optimal performance.
The Packet Forwarding Engine (PFE) on the vSRX Virtual Firewall will become unresponsive if the NUMA nodes topology is configured in the hypervisor to spread the instance’s vCPUs across multiple host NUMA nodes. vSRX Virtual Firewall requires that you ensure that all vCPUs reside on the same NUMA node.
We recommend that you bind the vSRX Virtual Firewall instance with a specific NUMA node by setting NUMA node affinity. NUMA node affinity constrains the vSRX Virtual Firewall VM resource scheduling to only the specified NUMA node.
Interface Mapping for vSRX Virtual Firewall on Microsoft Hyper-V
Each network adapter defined for a vSRX Virtual Firewall is mapped to a specific interface, depending on whether the vSRX Virtual Firewall instance is a standalone VM or one of a cluster pair for high availability.
Starting in Junos OS Release 15.1X49-D100 for vSRX Virtual Firewall, support for chassis clustering to provide network node redundancy is only available on Microsoft Hyper-V Server 2016 and higher.
Note the following:
In standalone mode:
fxp0 is the out-of-band management interface.
ge-0/0/0 is the first traffic (revenue) interface.
In cluster mode:
fxp0 is the out-of-band management interface.
em0 is the cluster control link for both nodes.
Any of the traffic interfaces can be specified as the fabric links, such as ge-0/0/0 for fab0 on node 0 and ge-7/0/0 for fab1 on node 1.
Table 4 shows the interface names and mappings for a standalone vSRX Virtual Firewall VM.
Network Adapter |
Interface Name in Junos OS |
|---|---|
1 |
fxp0 |
2 |
ge-0/0/0 |
3 |
ge-0/0/1 |
4 |
ge-0/0/2 |
5 |
ge-0/0/3 |
6 |
ge-0/0/4 |
7 |
ge-0/0/5 |
8 |
ge-0/0/6 |
Table 5 shows the interface names and mappings for a pair of vSRX Virtual Firewall VMs in a cluster (node 0 and node 1).
Network Adapter |
Interface Name in Junos OS |
|---|---|
1 |
fxp0 (node 0 and 1) |
2 |
em0 (node 0 and 1) |
3 |
ge-0/0/0 (node 0)ge-7/0/0 (node 1) |
4 |
ge-0/0/1 (node 0)ge-7/0/1 (node 1) |
5 |
ge-0/0/2 (node 0)ge-7/0/2 (node 1) |
6 |
ge-0/0/3 (node 0)ge-7/0/3 (node 1) |
7 |
ge-0/0/4 (node 0)ge-7/0/4 (node 1) |
8 |
ge-0/0/5 (node 0)ge-7/0/5 (node 1) |
vSRX Virtual Firewall Default Settings on Microsoft Hyper-V
vSRX Virtual Firewall requires the following basic configuration settings:
Interfaces must be assigned IP addresses.
Interfaces must be bound to zones.
Policies must be configured between zones to permit or deny traffic.
Table 6 lists the factory-default settings for security policies on the vSRX Virtual Firewall.
Source Zone |
Destination Zone |
Policy Action |
|---|---|---|
trust |
untrust |
permit |
trust |
trust |
permit |
untrust |
trust |
deny |
Change History Table
Feature support is determined by the platform and release you are using. Use Feature Explorer to determine if a feature is supported on your platform.