Multitenant FWs

Christopher Morrow morrowc.lists at gmail.com
Mon May 2 00:35:46 CDT 2011


On Mon, May 2, 2011 at 12:20 AM, Stefan Fouant
<sfouant at shortestpathfirst.net> wrote:
>> -----Original Message-----
>> From: christopher.morrow at gmail.com
>> [mailto:christopher.morrow at gmail.com] On Behalf Of Christopher Morrow
>>
>> one thing to keep in mind is that as near as I can tell no vendor (not
>> a single one) has actual hard limits configurable for each tenant
>> firewall instance. So, one can use all of the 'firewall rule'
>> resources, one can use all of the 'route memory' ... leaving other
>> instances flailing :(
>
> Ahem, actually ScreenOS does support just such a thing through the use of
> resource profiles - with this you can limit the amount of CPU, Sessions,
> Policies, MIPs and DIPs (used for NAT), and other user defined objects such
> as address book entries, etc. that each VSYS can avail.  This was one of the

good to know... I wonder how well it isolates.

> primary drivers behind our decision to utilize the NS-5400 for Verizon's
> NBFW (you remember that place right Chris, heh)

i do, occasionally via the twitching :)

> Stefan Fouant
>
>
>



