[c-nsp] Hardware for 'managed firewall'
Alexander Clouter
alex at digriz.org.uk
Tue Sep 29 15:38:37 EDT 2009
Hi,
Dave Weis <djweis at internetsolver.com> wrote:
>
> We want to provide a hosted/managed firewall service for our MPLS
> customers. Is a pair of ASAs with multiple contexts the best way to do
> this or would something else work better? I'm not concerned with the
> customers being able to make changes themselves.
>
No experience in actually doing this but I would say no. :)
There is no (or it is so small I have missed it) sharing of object data
between contexts and so you will find yourself spending all your time
trying to keep in sync the common parts of each context.
Instead you should apply simple RPF (if you do not have them already)
rules so that all the IP traffic coming from your customer does come from
their own allocated address space (prevent spoofing).
After you have done that, each customer can just be a raw IP range on
whatever (single instance) firewall platform you wish to purchase making
manglement of the whole thing just feel like a regular LAN.
Of course things get fun if you add multicast traffic and/or asymmetric
routing :)
Cheers
--
Alexander Clouter
.sigmonster says: <ahzz_> i figured 17G oughta be enough.
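The design Alexander sketches (anti-spoofing at the customer-facing PE interface, then one shared firewall keyed on plain address ranges), as an added illustrative configuration that is not part of the original thread or any vendor documentation. The VRF name CUST-A, the sub-interface numbers, and the 192.0.2.0/24 customer allocation are constructed placeholders.

```cisco
! --- PE router (IOS): ingress anti-spoofing per customer ---
! CEF must be enabled for unicast RPF to work.
ip cef
!
! Explicit ACL fallback: accept only the customer's allocated space.
! Useful where strict uRPF cannot be used (asymmetric routing).
ip access-list extended CUST-A-ANTISPOOF
 permit ip 192.0.2.0 0.0.0.255 any
 deny   ip any any log
!
interface GigabitEthernet0/1.101
 description Customer-A CE uplink (constructed example)
 encapsulation dot1Q 101
 ip vrf forwarding CUST-A
 ip address 192.0.2.1 255.255.255.0
 ! Strict uRPF: a packet is forwarded only if the best route back to
 ! its source points out this same interface, so spoofed sources drop here.
 ! Swap "rx" for "any" (loose mode) if the return path is asymmetric.
 ip verify unicast source reachable-via rx
 ! Belt and braces: the ACL catches what uRPF cannot reason about.
 ip access-group CUST-A-ANTISPOOF in
!
! --- Shared single-instance firewall (ASA): customer = address range ---
! With spoofing blocked upstream, the source address is trustworthy enough
! to act as the customer identity, so no per-customer context is needed.
object-group network CUST-A
 network-object 192.0.2.0 255.255.255.0
!
access-list INSIDE_IN extended permit tcp object-group CUST-A any eq https
access-list INSIDE_IN extended deny ip object-group CUST-A any log
access-group INSIDE_IN in interface inside
```

Adding a second customer is then one more object-group plus its own access-list lines, with no duplicated global configuration to keep in sync between contexts.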