Requirements for vSRX on Nutanix

These topics provide an overview of requirements for deploying a vSRX 3.0 instance on Nutanix.

System Requirements for Nutanix

This topic provides the system requirement details.

Table 1 lists the system requirements for a vSRX 3.0 instance deployed on Nutanix.

Table 1: System Requirements for vSRX 3.0

| Component | Specification and Details |
|---|---|
| Hypervisor support | AHV 5.9 |
| Memory | 4 GB |
| Disk space | 16 GB |
| vCPUs | 2 |
| vNICs | Up to 8 |
| vNIC type | Virtio |

Interface Mapping for vSRX 3.0 on Nutanix

Table 2 shows the vSRX 3.0 and Nutanix interface names. The first network interface is used for the out-of-band management (fxp0) for vSRX 3.0.

Table 2: vSRX 3.0 and Nutanix Interface Names

| Interface Number | vSRX 3.0 Interface | Nutanix Interface |
|---|---|---|
| 1 | fxp0 | eth0 |
| 2 | ge-0/0/0 | eth1 |
| 3 | ge-0/0/1 | eth2 |
| 4 | ge-0/0/2 | eth3 |
| 5 | ge-0/0/3 | eth4 |
| 6 | ge-0/0/4 | eth5 |
| 7 | ge-0/0/5 | eth6 |
| 8 | ge-0/0/6 | eth7 |

As a best practice, we recommend putting revenue interfaces in routing instances to avoid asymmetric traffic and routing. The fxp0 interface is part of the default routing table (inet.0), so keeping revenue interfaces in that table might require two default routes: one for the fxp0 interface for external management access, and one for the revenue interfaces for traffic access. Putting the revenue interfaces in a separate routing instance avoids having two default routes in a single routing instance.

Note:

Ensure that interfaces belonging to the same security zone are in the same routing instance. See KB Article - Interface must be in the same routing instance as the other interfaces in the zone.
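The following check is an added example, not part of the Juniper documentation. It reads a set-format configuration and reports zones whose interfaces span more than one routing instance, as well as zone interfaces left in inet.0 alongside fxp0. The sample configuration, its addresses, and the routing-instance name REVENUE-VR are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample configuration (documentation address ranges; REVENUE-VR is
# a hypothetical name). ge-0/0/2.0 is left out of the instance on purpose.
SAMPLE_CONFIG = """\
set interfaces fxp0 unit 0 family inet address 192.0.2.10/24
set routing-options static route 0.0.0.0/0 next-hop 192.0.2.1
set interfaces ge-0/0/0 unit 0 family inet address 198.51.100.2/24
set interfaces ge-0/0/1 unit 0 family inet address 10.0.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.0.2.1/24
set routing-instances REVENUE-VR instance-type virtual-router
set routing-instances REVENUE-VR interface ge-0/0/0.0
set routing-instances REVENUE-VR interface ge-0/0/1.0
set routing-instances REVENUE-VR routing-options static route 0.0.0.0/0 next-hop 198.51.100.1
set security zones security-zone untrust interfaces ge-0/0/0.0
set security zones security-zone trust interfaces ge-0/0/1.0
set security zones security-zone trust interfaces ge-0/0/2.0
"""

RI_IF = re.compile(r"^set routing-instances (\S+) interface (\S+)")
ZONE_IF = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)")
DEFAULT_TABLE = "inet.0 (default)"

def audit(config: str) -> list[str]:
    """Return findings for zone interfaces that break the routing-instance guidance."""
    instance_of = {}           # interface -> routing instance name
    zones = defaultdict(set)   # zone name -> interfaces bound to it
    for line in config.splitlines():
        line = line.strip()
        if m := RI_IF.match(line):
            instance_of[m.group(2)] = m.group(1)
        elif m := ZONE_IF.match(line):
            zones[m.group(1)].add(m.group(2))
    findings = []
    for zone, ifaces in sorted(zones.items()):
        tables = {instance_of.get(i, DEFAULT_TABLE) for i in ifaces}
        if len(tables) > 1:
            findings.append(f"zone {zone}: interfaces span {sorted(tables)}")
        for i in sorted(ifaces):
            if i not in instance_of:
                findings.append(f"{i}: revenue interface shares inet.0 with fxp0")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Adding ge-0/0/2.0 to the same routing instance as the other trust interface clears both findings.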

vSRX 3.0 Default Settings on Nutanix

vSRX 3.0 requires the following basic configuration settings:

  • Interfaces must be assigned IP addresses.

  • Interfaces must be bound to zones.

  • Policies must be configured between zones to permit or deny traffic.

Table 3 lists the factory-default settings for security policies on the vSRX 3.0.

Table 3: Factory-Default Settings for Security Policies

| Source Zone | Destination Zone | Policy Action |
|---|---|---|
| trust | untrust | permit |
| trust | trust | permit |

CAUTION:

Do not use the load factory-default command on a vSRX 3.0 Nutanix instance. The factory-default configuration removes the Nutanix preconfiguration. If you must revert to factory default, ensure that you manually reconfigure Nutanix preconfiguration statements before you commit the configuration; otherwise, you will lose access to the vSRX 3.0 instance. See Configure vSRX Using the CLI for Nutanix preconfiguration details.

Best Practices for Improving vSRX 3.0 Performance

Follow these deployment practices to improve vSRX 3.0 performance:

  • Disable the source/destination check for all vSRX 3.0 interfaces.

  • Limit public key access permissions to 400 for key pairs.

  • Ensure that there are no contradictions between Nutanix security groups and your vSRX 3.0 configuration.

  • Use vSRX 3.0 NAT to protect your instances from direct Internet traffic.

Reference Requirements

Requirements for vSRX 3.0 with different types of Hypervisors are: