Multitenant FWs

Christopher Morrow morrowc.lists at
Mon May 2 05:35:46 UTC 2011

On Mon, May 2, 2011 at 12:20 AM, Stefan Fouant
<sfouant at> wrote:
>> -----Original Message-----
>> From: christopher.morrow at
>> [mailto:christopher.morrow at] On Behalf Of Christopher Morrow
>> one thing to keep in mind is that as near as I can tell no vendor (not
>> a singl eone) has actual hard limits configurable for each tenant
>> firewall instance. So, one can use all of the 'firewall rule'
>> resources, one can use all of the 'route memory' ... leaving other
>> instances flailing :(
> Ahem, actually ScreenOS does support just such a thing through the use of
> resource profiles - with this you can limit the amount of CPU, Sessions,
> Policies, MIPs and DIPs (used for NAT), and other user defined objects such
> as address book entries, etc. that each VSYS can avail.  This was one of the

good to know... I wonder how well it isolates.

> primary drivers behind our decision to utilize the NS-5400 for Verizon's
> NBFW (you remember that place right Chris, heh')

i do, occasionally via the twitching :)

> Stefan Fouant

More information about the NANOG mailing list