[j-nsp] srx advice

Chen Jiang ilovebgp4 at gmail.com
Sun Jul 24 04:17:12 EDT 2011


You can put two or more logical interfaces from one routing-instance just into
one security zone and control the flow traffic through security policy such
as "set security policies from-zone vr1 to-zone vr1 ... ".

The security zone concept is just for management purposes and has nothing to
do with the security policy implementation.

LSYS in JUNOS 11.2 is coming first to SRX HE, not SRX branch.

On Sat, Jul 23, 2011 at 1:13 AM, Farid Bouzemarene <
Farid.Bouzemarene at magirus.com> wrote:

> Just as a reminder: LSYS (ScreenOS vsys equivalent) are arriving in 11.2
> on SRX ....
>
>
>
> ----- Original Message -----
> From: Ben Dale [bdale at comlinx.com.au]
> Sent: 22.07.2011 22:11 ZE10
> To: Richard Zheng <rzheng at gmail.com>
> Cc: juniper-nsp at puck.nether.net
> Subject: Re: [j-nsp] srx advice
>
>
>
> Hi Richard,
>
> Depending on your topology you can scale this out by having a common
> "Untrust" zone for all customers (which has interfaces in the inet.0
> instance) and simply leaking routes (interface(s), default or otherwise)
> into specific customer VRs.
>
> Cheers,
>
> Ben
>
> On 22/07/2011, at 5:54 PM, Richard Zheng wrote:
>
> > Hi,
> >
> > I am trying to compare different models of SRX. The application is to set up
> > virtual firewalls for several customers. The virtual router instance should
> > do it. The maximum number of security zones seems to be the limitation of
> > SRX. For example, the SRX220 has a maximum of 24 zones and 15 virtual routers.
> > Considering one virtual router needs at least 2 zones, one trusted and one
> > untrusted, how can you get more than 12 virtual routers with 24 zones?
> >
> > Am I missing something here?
> >
> > Thanks,
> > Richard
> > _______________________________________________
> > juniper-nsp mailing list juniper-nsp at puck.nether.net
> > https://puck.nether.net/mailman/listinfo/juniper-nsp
> >
>
>



-- 
BR!



           James Chen
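
A configuration sketch of the two suggestions in this thread (a shared untrust zone in inet.0 with one zone per customer virtual router, and an intra-zone policy between two interfaces of the same VR). This is an added example, not configuration posted by anyone in the thread; all instance, zone, interface and policy names are assumptions, and interface unit/VLAN/address configuration is omitted.

```junos
# Constructed example: every name and interface below is an assumption.
# Zones used: 1 shared "untrust" + 1 per customer VR.

# Shared untrust zone; its interface stays in the default instance (inet.0).
set security zones security-zone untrust interfaces ge-0/0/0.0

# Customer A: one virtual router, one zone holding both logical interfaces.
set routing-instances CUST-A instance-type virtual-router
set routing-instances CUST-A interface ge-0/0/1.101
set routing-instances CUST-A interface ge-0/0/1.102
set security zones security-zone CUST-A interfaces ge-0/0/1.101
set security zones security-zone CUST-A interfaces ge-0/0/1.102

# Customer B: separate virtual router and zone.
set routing-instances CUST-B instance-type virtual-router
set routing-instances CUST-B interface ge-0/0/1.201
set security zones security-zone CUST-B interfaces ge-0/0/1.201

# Each VR reaches the shared untrust side with a default resolved in inet.0.
# Routes from inet.0 back toward customer prefixes are not shown here.
set routing-instances CUST-A routing-options static route 0.0.0.0/0 next-table inet.0
set routing-instances CUST-B routing-options static route 0.0.0.0/0 next-table inet.0

# Intra-zone policy: traffic between the two CUST-A interfaces is still
# evaluated by policy (from-zone and to-zone are the same zone).
set security policies from-zone CUST-A to-zone CUST-A policy a-intra-ssh match source-address any
set security policies from-zone CUST-A to-zone CUST-A policy a-intra-ssh match destination-address any
set security policies from-zone CUST-A to-zone CUST-A policy a-intra-ssh match application junos-ssh
set security policies from-zone CUST-A to-zone CUST-A policy a-intra-ssh then permit

# Outbound policies toward the shared untrust zone, one per customer.
set security policies from-zone CUST-A to-zone untrust policy a-out match source-address any
set security policies from-zone CUST-A to-zone untrust policy a-out match destination-address any
set security policies from-zone CUST-A to-zone untrust policy a-out match application any
set security policies from-zone CUST-A to-zone untrust policy a-out then permit
set security policies from-zone CUST-B to-zone untrust policy b-out match source-address any
set security policies from-zone CUST-B to-zone untrust policy b-out match destination-address any
set security policies from-zone CUST-B to-zone untrust policy b-out match application any
set security policies from-zone CUST-B to-zone untrust policy b-out then permit

# No CUST-A <-> CUST-B policy is defined, so customer-to-customer traffic
# falls through to the default policy.
set security policies default-policy deny-all
```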