[c-nsp] [j-nsp] Firewalls "as-a-service" in an MPLS infrastructure...

Stefan Fouant sfouant at shortestpathfirst.net
Fri Jul 8 09:21:10 EDT 2011


On 7/8/2011 9:15 AM, Keegan Holley wrote:
> I never said it's not possible, just that I've rarely seen it done
> correctly.  Not everyone has your level of skill.  Just for argument's
> sake, how did you handle shared bandwidth?  In other words, how did you
> keep a DDOS attack on one customer's segment from using up all
> available bandwidth in some shared segment upstream from the firewall?

Oh no worries Keegan, I was just pointing out that it can in fact be done...

In my case, the way we designed it was that individual customers were 
assigned to unique VLANs on the ingress interface on the Firewall.  Each 
VLAN was mapped to a unique customer VSYS.  Upstream routers had 
specific routes for each customer pointing to those unique VLANs. 
Rate-limiters were applied on said upstream router for each customer 
VLAN to restrict starvation of the entire pipe.

Make sense?

Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
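An added illustration, not part of the original thread, of the upstream-router side of the design Stefan describes, in Junos configuration syntax: one per-customer VLAN subinterface on the trunk facing the firewall, a static route for that customer's prefix pointing only at that VLAN, and a policer on that subinterface so a flood aimed at one customer is discarded on the router before it can starve the shared link. The interface name, VLAN ID, addresses, prefix and the 100m rate are assumed example values, and the VSYS mapping itself lives on the firewall, which is not shown.

```junos
/* Added example: upstream router side only. The VLAN-to-VSYS mapping
   is configured on the firewall and is not part of this fragment. */
firewall {
    policer cust-a-100m {
        /* Traffic above 100 Mbps toward customer A is dropped here,
           before it reaches the shared firewall-facing trunk. */
        if-exceeding {
            bandwidth-limit 100m;
            burst-size-limit 1500k;
        }
        then discard;
    }
}
interfaces {
    ge-0/0/0 {
        description "Trunk toward firewall; one VLAN per customer VSYS";
        vlan-tagging;
        unit 101 {
            description "Customer A -> VSYS cust-a (example values)";
            vlan-id 101;
            family inet {
                /* Police the direction in which a DDoS against customer A
                   would arrive; the input direction can be policed the same
                   way if the customer's own outbound traffic must be capped. */
                policer {
                    output cust-a-100m;
                }
                address 10.255.101.1/30;
            }
        }
    }
}
routing-options {
    static {
        /* Customer A's prefix (example value) is reachable only via its own
           VLAN, so everything sent to it is subject to its own policer. */
        route 192.0.2.0/24 next-hop 10.255.101.2;
    }
}
```

Each additional customer gets its own unit, VLAN ID, policer and static route, so one customer's limit never shares a token bucket with another's.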