[j-nsp] [c-nsp] Firewalls "as-a-service" in an MPLS infrastructure...
Stefan Fouant
sfouant at shortestpathfirst.net
Fri Jul 8 09:21:10 EDT 2011
On 7/8/2011 9:15 AM, Keegan Holley wrote:
> I never said it's not possible, just that I've rarely seen it done
> correctly. Not everyone has your level of skill. Just for arguments
> sake how did you handle shared bandwidth? In other words how did you
> keep a DDOS attack on one customers's segment from using up all
> available bandwidth in some shared segment upstream from the firewall.
Oh no worries Keegan, I was just pointing out that it can in fact be done...
In my case, the way we designed it was that individual customers were
assigned to unique VLANs on the ingress interface on the Firewall. Each
VLAN was mapped to a unique customer VSYS. Upstream routers had
specific routes for each customer pointing to those unique VLANs.
Rate-limiters were applied on said upstream router for each customer
VLAN to restrict starvation of the entire pipe.
Make sense?
Stefan Fouant
JNCIE-ER #70, JNCIE-M #513, JNCI
Technical Trainer, Juniper Networks
http://www.shortestpathfirst.net
http://www.twitter.com/sfouant
More information about the juniper-nsp
mailing list