Add vSRX Virtual Firewall Interfaces

The network adapter for each interface uses SR-IOV or VMXNET 3 as the adapter type. The first network adapter is for the management interface (fxp0) and must use VMXNET 3. All additional network adapters should have the same adapter type. The three network adapters created by default use VMXNET 3.

Note:

Starting in Junos OS Release 18.4R1:

  • SR-IOV (Mellanox ConnectX-3/ConnectX-3 Pro and Mellanox ConnectX-4 EN/ConnectX-4 Lx EN) is required if you intend to scale the performance and capacity of a vSRX Virtual Firewall VM to 9 or 17 vCPUs and 16 or 32 GB vRAM.

  • The DPDK version has been upgraded from 17.02 to 17.11.2 to support the Mellanox Family Adapters.

Starting in Junos OS Release 19.4R1, DPDK version 18.11 is supported on vSRX Virtual Firewall. With this feature, the Mellanox Connect Network Interface Card (NIC) on vSRX Virtual Firewall supports OSPF Multicast and VLANs.

The network adapters are mapped sequentially to the vSRX Virtual Firewall interfaces, as shown in Requirements for vSRX on VMware.

Note:

If you have used the interface mapping workaround required for prior Junos releases, you do not need to make any changes when you upgrade to Junos Release 15.1X49-D70 for vSRX Virtual Firewall.

The following procedures describe how to add more network adapters:

Add SR-IOV Interfaces

SR-IOV interfaces must be added as PCI devices on VMware. To add an SR-IOV interface as a PCI Device, you must first select an available Virtual Function (VF) on the device.

Note:

For fresh vSRX Virtual Firewall installations with SR-IOV on VMware, you must first deploy the vSRX Virtual Firewall without adding SR-IOV interfaces or modifying the VMXNET 3 NICs. You can then power off the vSRX Virtual Firewall and add the new SR-IOV adapter.

Use the following procedure to locate available VFs and add PCI devices:

  1. To locate one or more VFs:
    1. Use SSH to log in to the ESXi server and enter the following command to view the VFs for vmnic6 (or another vNIC):

      # esxcli network sriovnic vf list -n vmnic6

      Choose one or more VF IDs that are not active, such as 3 through 6. Note that a VF assigned to a VM that is powered off is shown as inactive.

    2. Enter the lspci command to view the VF number of the chosen VF IDs. In the following example, find the entry that ends with [vmnic6], scroll down to the next entry ending in VF_3, and note the associated VF number 05:10.6. Note that the next VF_3 entry is for vmnic7.

      # lspci

  2. To add SR-IOV interfaces to the vSRX Virtual Firewall VM:
    1. Power off the vSRX Virtual Firewall VM and open the Edit Settings page. By default there are three network adapters using VMXNET 3.
    2. Add one or more PCI devices on the Virtual Hardware page. For each device, you must select an entry with an available VF number from Step 1. For example:

      05:10.6 | Intel Corporation 82599 Ethernet Controller Virtual Function

    3. Click OK and open the Edit Settings page to verify that the new network adapters are shown on the Virtual Hardware page (one VMXNET 3 network adapter and up to nine SR-IOV interfaces as PCI devices).

      To view the SR-IOV interface MAC addresses, select the VM Options tab, click Advanced in the left frame, and then click Edit Configuration. In the parameters pciPassthruN.generatedMACAddress, N indicates the PCI device number (0 through 9).

    4. Power on the vSRX Virtual Firewall VM and log in to the VM to verify that VMXNET 3 network adapter 1 is mapped to fxp0, PCI device 0 is mapped to ge-0/0/0, PCI device 1 is mapped to ge-0/0/1, and so on.

Note:

A vSRX Virtual Firewall VM with SR-IOV interfaces cannot be cloned. You must deploy a new vSRX Virtual Firewall VM and add the SR-IOV interfaces as described here.
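
The following is an added example, not part of the Juniper documentation: a Python check that derives the expected ge-0/0/N assignment from the pciPassthruN.generatedMACAddress parameters in step 2 and compares it with MAC addresses read on the vSRX Virtual Firewall, so that an interface attached to the wrong VF is caught before traffic is placed on it. The key = "value" line format, the function names, and all sample MAC addresses are assumptions constructed for illustration.

```python
import re

# Advanced-configuration lines in the form key = "value" (format assumed here);
# the key name pciPassthruN.generatedMACAddress is the one named in step 2.
PARAM = re.compile(
    r'^\s*pciPassthru(\d+)\.generatedMACAddress\s*=\s*"([0-9A-Fa-f:]{17})"\s*$')

def expected_mapping(config_text):
    """Return {junos_interface: mac}: PCI device N maps to ge-0/0/N (N = 0..9)."""
    mapping = {}
    for line in config_text.splitlines():
        m = PARAM.match(line)
        if not m:
            continue
        n = int(m.group(1))
        if not 0 <= n <= 9:
            raise ValueError(f"PCI device number {n} outside 0-9")
        mapping[f"ge-0/0/{n}"] = m.group(2).lower()
    return mapping

def audit(expected, observed):
    """Compare expected MACs with those read on the vSRX; return findings."""
    findings = []
    for ifname in sorted(expected):
        seen = observed.get(ifname)
        if seen is None:
            findings.append(f"{ifname}: missing on vSRX")
        elif seen.lower() != expected[ifname]:
            owner = next((k for k, v in expected.items() if v == seen.lower()),
                         "unknown device")
            findings.append(f"{ifname}: has MAC of {owner}")
    return findings

# Constructed sample values, not taken from a real host.
SAMPLE_CONFIG = '''
pciPassthru0.generatedMACAddress = "00:50:56:aa:00:10"
pciPassthru1.generatedMACAddress = "00:50:56:aa:00:11"
pciPassthru2.generatedMACAddress = "00:50:56:aa:00:12"
'''
SAMPLE_OBSERVED = {  # MACs the operator read on the vSRX (constructed)
    "ge-0/0/0": "00:50:56:AA:00:10",
    "ge-0/0/1": "00:50:56:aa:00:12",  # swapped with ge-0/0/2
    "ge-0/0/2": "00:50:56:aa:00:11",
}

if __name__ == "__main__":
    for finding in audit(expected_mapping(SAMPLE_CONFIG), SAMPLE_OBSERVED):
        print(finding)
```

An empty findings list means every PCI device's generated MAC address appears on the ge-0/0/N interface with the same number.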

Add VMXNET 3 Interfaces

Use the following procedure to add VMXNET 3 interfaces:

  1. Power off the vSRX Virtual Firewall VM and open the Edit Settings page on vSphere Web Client.
  2. Add network adapters on the Virtual Hardware page. For each network adapter, select Network from the New device list at the bottom of the page, expand New Network, and select VMXNET 3 as the adapter type.
  3. Click OK and open the Edit Settings page to verify that the new network adapters are shown on the Virtual Hardware page.
  4. Power on the vSRX Virtual Firewall VM and log in to the VM to verify that network adapter 1 is mapped to fxp0, network adapter 2 is mapped to ge-0/0/0, and so on. Use the show interfaces terse CLI command to verify that the fxp0 and ge-0/0/n interfaces are up.