Requirements for vSRX on Nutanix
These topics provide an overview of requirements for deploying a vSRX 3.0 instance on Nutanix.
System Requirements for Nutanix
This topic provides the system requirement details.
- #system-requirements-for-nutanix__d18289e30
- Interface Mapping for vSRX 3.0 on Nutanix
- vSRX 3.0 Default Settings on Nutanix
- Best Practices for Improving vSRX 3.0 Performance
Table 1 lists the system requirements for a vSRX 3.0 instance deployed on Nutanix.
Component |
Specification and Details |
|---|---|
Hypervisor support |
AHV 5.9 |
Memory |
4 GB |
Disk space |
16 GB |
vCPUs |
2 |
vNICs |
Up to 8 |
vNIC type |
Virtio |
Interface Mapping for vSRX 3.0 on Nutanix
Table 2 shows the vSRX 3.0 and Nutanix interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX 3.0.
InterfaceNumber |
vSRX 3.0 Interface |
Nutanix Interface |
|---|---|---|
1 |
fxp0 |
eth0 |
2 |
ge-0/0/0 |
eth1 |
3 |
ge-0/0/1 |
eth2 |
4 |
ge-0/0/2 |
eth3 |
5 |
ge-0/0/3 |
eth4 |
6 |
ge-0/0/4 |
eth5 |
7 |
ge-0/0/5 |
eth6 |
8 |
ge-0/0/6 |
eth7 |
We recommend putting revenue interfaces in routing instances as a best practice to avoid asymmetric traffic/routing, because fxp0 is part of the default (inet.0) table by default. With fxp0 as part of the default routing table, there might be two default routes needed: one for the fxp0 interface for external management access, and the other for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids this situation of two default routes in a single routing instance.
Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.
vSRX 3.0 Default Settings on Nutanix
vSRX 3.0 requires the following basic configuration settings:
Interfaces must be assigned IP addresses.
Interfaces must be bound to zones.
Policies must be configured between zones to permit or deny traffic.
Table 3 lists the factory-default settings for security policies on the vSRX 3.0.
Source Zone |
Destination Zone |
Policy Action |
|---|---|---|
trust |
untrust |
permit |
trust |
trust |
permit |
Do not use the load factory-default command on a
vSRX 3.0 Nutanix instance. The factory-default configuration removes
the Nutanix preconfiguration. If you must revert to factory default,
ensure that you manually reconfigure Nutanix preconfiguration statements
before you commit the configuration; otherwise, you will lose access
to the vSRX 3.0 instance. See Configure
vSRX Using the CLI for Nutanix preconfiguration details.
Best Practices for Improving vSRX 3.0 Performance
Refer the following deployment practices to improve vSRX 3.0 performance:
Disable the source/destination check for all vSRX 3.0 interfaces.
Limit public key access permissions to 400 for key pairs.
Ensure that there are no contradictions between Nutanix security groups and your vSRX 3.0 configuration.
Use vSRX 3.0 NAT to protect your instances from direct Internet traffic.
Reference Requirements
Requirements for vSRX 3.0 with different types of Hypervisors are:
Requirements for vSRX on VMware—See Requirements for vSRX on VMware
Requirements for vSRX on KVM-Based Hypervisor—See Requirements for vSRX on KVM
Requirements for vSRX with Hype-V-Based Hypervisor—See Requirements for vSRX on Microsoft Hyper-V