
Junos OS Features Supported on vSRX with Nutanix

SRX Series Features Supported on vSRX

vSRX inherits most of the branch SRX Series features with the following considerations shown in Table 1.

To determine the Junos OS features supported on vSRX, use the Juniper Networks Feature Explorer, a Web-based application that helps you to explore and compare Junos OS feature information to find the right software release and hardware platform for your network. Find Feature Explorer at: Feature Explorer: vSRX.

Table 1: vSRX Feature Considerations

| Feature | Description |
|---|---|
| Application firewall | Supported |
| Deep packet inspection | Supported |
| IDP | The IDP feature is subscription based and must be purchased. After purchase, you can activate the IDP feature with the license key. For SRX Series IDP configuration details, see: Understanding Intrusion Detection and Prevention for SRX Series. In J-Web, use the following steps to add or edit an IPS rule: (1) Click Security>IDP>Policy>Add. (2) In the Add IPS Rule window, select All instead of Any for the Direction field to list all the FTP attacks. |
| J-Web | Supported |
| Layer 3 Routed Mode | Supported |
| Layer 2 Transparent mode | Supported |
| Screens | Supported |
| Secure wire | Supported |
| GPRS | Supported |
| Transparent mode | The known behaviors for transparent mode support on vSRX are: • The default MAC learning table size is restricted to 16,383 entries. • VMware vSwitch does not support MAC learning. It also floods traffic to the secondary node. The traffic is silently dropped by the flow on the secondary node. For information on configuring transparent mode vSRX, see: Layer 2 Bridging and Transparent Mode Overview. |
| UTM | The UTM feature is subscription based and must be purchased. After purchase, you can activate the UTM feature with the license key. For SRX Series UTM configuration details, see: Unified Threat Management Overview. For SRX Series UTM antispam configuration details, see: Antispam Filtering Overview. |

SRX Series Features Not Supported on vSRX

vSRX inherits many features from the SRX Series device product line. Table 2 lists SRX Series features that are not applicable in a virtualized environment, that are not currently supported, or that have qualified support on vSRX.

Table 2: SRX Series Features Not Supported on vSRX

| SRX Series Feature | vSRX Notes |
|---|---|
| Application Layer Gateways | |
| Avaya H.323 | Not supported |
| Authentication with IC Series devices | |
| Layer 2 enforcement in UAC deployments | Not supported. Note: UAC-IDP and UAC-UTM also are not supported. |
| Chassis cluster support | |
| Chassis cluster for VirtIO driver | Not supported. Note: The link status of VirtIO interfaces is always reported as UP, so a vSRX chassis cluster cannot receive link up and link down messages from VirtIO interfaces. |
| Dual control links | Not supported |
| In-band and low-impact cluster upgrades | Not supported |
| LAG and LACP (Layer 2 and Layer 3) | Not supported |
| Layer 2 Ethernet switching | Not supported |
| Low-latency firewall | Not supported |
| SR-IOV interfaces | Not supported |
| Class of service | |
| High-priority queue on SPC | Not supported |
| Tunnels | Only GRE and IP-IP tunnels supported |
| Data plane security log messages (stream mode) | |
| TLS protocol | Not supported |
| Diagnostic tools | |
| Flow monitoring cflowd version 9 | Not supported |
| Ping Ethernet (CFM) | Not supported |
| Traceroute Ethernet (CFM) | Not supported |
| DNS proxy | |
| Dynamic DNS | Not supported |
| Ethernet link aggregation | |
| LACP in standalone or chassis cluster mode | Not supported |
| Layer 3 LAG on routed ports | Not supported |
| Static LAG in standalone or chassis cluster mode | Not supported |
| Ethernet link fault management | |
| Physical interface (encapsulations): ethernet-ccc, ethernet-tcc | Not supported |
| Physical interface (encapsulations): extended-vlan-ccc, extended-vlan-tcc | Not supported |
| Interface family: ccc, tcc | Not supported |
| Interface family: ethernet-switching | Not supported |
| Flow-based and packet-based processing | |
| End-to-end packet debugging | Not supported |
| Network processor bundling | Not supported |
| Services offloading | Not supported |
| Interfaces | |
| Aggregated Ethernet interface | Not supported |
| IEEE 802.1X dynamic VLAN assignment | Not supported |
| IEEE 802.1X MAC bypass | Not supported |
| IEEE 802.1X port-based authentication control with multisupplicant support | Not supported |
| Interleaving using MLFR | Not supported |
| PoE | Not supported |
| PPP interface | Not supported |
| PPPoE-based radio-to-router protocol | Not supported |
| PPPoE interface (Note: Starting in Junos OS Release 15.1X49-D100 and Junos OS Release 17.4R1, the vSRX supports Point-to-Point Protocol over Ethernet (PPPoE) interface.) | Not supported |
| Promiscuous mode on interfaces | Only supported if enabled on the hypervisor |
| IPsec and VPNs | |
| Acadia - Clientless VPN | Not supported |
| DVPN | Not supported |
| Hardware IPsec (bulk crypto) Cavium/RMI | Not supported |
| IPsec tunnel termination in routing instances | Supported on virtual router only |
| Multicast for AutoVPN | Not supported |
| IPv6 support | |
| DS-Lite concentrator (also called Address Family Transition Router [AFTR]) | Not supported |
| DS-Lite initiator (also called Basic Bridging Broadband [B4]) | Not supported |
| ISSU | Not supported |
| J-Web | |
| Enhanced routing configuration | Not supported |
| New Setup wizard (for new configurations) | Not supported |
| PPPoE wizard | Not supported |
| Remote VPN wizard | Not supported |
| Rescue link on dashboard | Not supported |
| UTM configuration for Kaspersky antivirus and the default Web filtering profile | Not supported |
| Log File formats for system (control plane) logs | |
| Binary format (binary) | Not supported |
| WELF | Not supported |
| Miscellaneous | |
| Hardware acceleration | Not supported |
| Logical systems | Not supported |
| Outbound SSH | Not supported |
| Remote instance access | Not supported |
| USB modem | Not supported |
| Wireless LAN | Not supported |
| MPLS | |
| circuit cross-connect (CCC) and translational cross-connect (TCC) | Not supported |
| Layer 2 VPNs for Ethernet connections | Only if promiscuous mode is enabled on the hypervisor |
| Network Address Translation | |
| Maximize persistent NAT bindings | Not supported |
| Packet capture | |
| Packet capture | Only supported on physical interfaces and tunnel interfaces, such as gr, ip, and st0. Packet capture is not supported on redundant Ethernet interfaces (reth). |
| Routing | |
| BGP extensions for IPv6 | Not supported |
| BGP Flowspec | Not supported |
| BGP route reflector | Not supported |
| Bidirectional Forwarding Detection (BFD) for BGP | Not supported |
| CRTP | Not supported |
| Switching | |
| Layer 3 Q-in-Q VLAN tagging | Not supported |
| Transparent mode | |
| UTM | Not supported |
| Unified threat management | |
| Express AV | Not supported |
| Kaspersky AV | Not supported |
| Upgrading and rebooting | |
| Autorecovery | Not supported |
| Boot instance configuration | Not supported |
| Boot instance recovery | Not supported |
| Dual-root partitioning | Not supported |
| OS rollback | Not supported |
| User interfaces | |
| NSM | Not supported |
| SRC application | Not supported |
| Junos Space Virtual Director | Not supported |