[j-nsp] SRX firewall virtualization

Youssef Bengelloun-Zahr youssef at 720.fr
Fri Oct 2 08:55:26 EDT 2015


Hello,

My comments inline.

BR.



2015-10-02 14:44 GMT+02:00 james list <jameslist72 at gmail.com>:

> Hi Youssef
> so you have been using LSYS for quite some time; is there a reason why you
> decided on that and not on VR?
>

==> I never said that, we use them both. As stated before by Chris Jones,
L-SYS is a higher level of abstraction and multitenancy that allows you to
create virtual boxes with dedicated resources, etc. You can always create as
many VRs inside an L-SYS as you need. These are two very different things.


>
> LSYS, as far as I understand, is limited to 32, right?
>

==> IIRC, I think the actual maximum is 32 L-SYS, subject to licensing of
course.


>
> What throughput do you get between LSYS?
>

==> I don't know, we never tested that. If I were to make a wild guess, I'd
say pretty high because it's purely internal forwarding using logical
interfaces. What kind of throughput are you looking for?


>
>
> As far as I can see now, the only benefit of LSYS over VR is the separate
> management... nothing more...
> Less scalability, fewer features, etc...
>

==> Not true at all. Except for some specific limitations, you keep the
exact same set of features. Resources are just split over the multiple
L-SYS, plus you get separate management.



>
> Cheers
>
> 2015-10-02 14:36 GMT+02:00 Youssef Bengelloun-Zahr <youssef at 720.fr>:
>
>> Hello,
>>
>> We've been using those in a 5600 cluster for quite some time now, no
>> major worries. As usual, you will of course run into certain limitations /
>> caveats of the technology. But hey, what did you expect?  ;-)
>>
>> The number of L-SYS supported has increased over time with newer versions of
>> Junos. Communications between L-SYS need to use lt- interfaces, and L-SYS
>> must be meshed using those in a hub-and-spoke fashion since 12.1X47.
>>
>> HTH and BR.
>>
>>
>>
>> 2015-10-02 11:22 GMT+02:00 james list <jameslist72 at gmail.com>:
>>
>>> Well, indeed, with SRX you can also associate zones + policies to the
>>> interface in the specific routing table.
>>> I guess it's something more from my point of view....
>>>
>>> And I also see some benefit compared to lsys; I understand that SRX high-end,
>>> for example, supports only a small number of lsys...
>>> isn't it?
>>>
>>>
>>>
>>> 2015-10-02 10:56 GMT+02:00 Chris Jones <ipv6freely at gmail.com>:
>>>
>>> > VR is multiple routing tables.
>>> >
>>> > Lsys is logical systems... basically one step deeper in logical
>>> > segmentation. Essentially multiple full routers in each box.
>>> >
>>> > On Fri, Oct 2, 2015 at 9:08 AM, james list <jameslist72 at gmail.com>
>>> wrote:
>>> >
>>> >> Dear experts,
>>> >>
>>> >> I'd like to know your opinion about firewall virtualization inside SRX
>>> >> boxes (high-end).
>>> >>
>>> >> As far as I understand there are a couple of ways: Logical Systems (LSys)
>>> >> and Virtual routers (VR).
>>> >>
>>> >> From your point of view:
>>> >>
>>> >> 1)      What are the main differences between LSys and VR?
>>> >>
>>> >> 2)      What are the pros and cons of LSys and VR?
>>> >>
>>> >> 3)      If I need to put two LSys in the same box in communication, what
>>> >> is the maximum throughput I can get? Should I use an lt- interface?
>>> >>
>>> >> 4)      If I need to put two VRs in the same box in communication, what
>>> >> is the maximum throughput I can get? Should I use import/export?
>>> >>
>>> >> If you can provide any reference URLs in your feedback, it would be
>>> >> appreciated.
>>> >>
>>> >>
>>> >>
>>> >> Cheers
>>> >>
>>> >> James
>>> >> _______________________________________________
>>> >> juniper-nsp mailing list juniper-nsp at puck.nether.net
>>> >> https://puck.nether.net/mailman/listinfo/juniper-nsp
>>> >
>>> >
>>> >
>>> >
>>> > --
>>> > Chris Jones
>>> > JNCIE-ENT #272
>>> > CCIE# 25655 (R&S)
>>> >
>>>
>>
>>
>>
>> --
>> Youssef BENGELLOUN-ZAHR
>>
>
>


-- 
Youssef BENGELLOUN-ZAHR
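The lt- interconnect that the reply above describes, as an added configuration example that is not taken from the thread or from any participant's setup. It joins two user logical systems with a pair of lt- units so that traffic crossing between them is inspected by each logical system's own zone policy, which is the separation the thread is about: the administrator of LSYS-A cannot open a path into LSYS-B on their own, because LSYS-B's policy has to permit it too. The names LSYS-A and LSYS-B, the lt-0/0/0 unit numbers, the 10.0.0.0/30 link, the 192.168.x.0/24 tenant prefixes and the zone names are assumptions, and it assumes each logical system already has a `trust` zone holding its tenant-facing interfaces. It also assumes a release on which two user logical systems may peer their lt- units directly; where the hub-and-spoke model via an interconnect logical system applies (as the reply notes for 12.1X47 and later), each peer-unit terminates on the interconnect logical system instead of on the other user logical system.

```junos
## Added example, not from the thread. Names, unit numbers, prefixes and
## zone names are assumptions; each LSYS is assumed to already have a
## "trust" zone with its own tenant-facing interfaces.

## LSYS-A: its end of the logical tunnel, a zone for that end, and a policy
## that only lets hosts in LSYS-A's trust zone initiate SSH towards LSYS-B.
set logical-systems LSYS-A interfaces lt-0/0/0 unit 1 encapsulation ethernet
set logical-systems LSYS-A interfaces lt-0/0/0 unit 1 peer-unit 2
set logical-systems LSYS-A interfaces lt-0/0/0 unit 1 family inet address 10.0.0.1/30
set logical-systems LSYS-A security zones security-zone to-lsys-b interfaces lt-0/0/0.1
set logical-systems LSYS-A security policies from-zone trust to-zone to-lsys-b policy allow-ssh match source-address any
set logical-systems LSYS-A security policies from-zone trust to-zone to-lsys-b policy allow-ssh match destination-address any
set logical-systems LSYS-A security policies from-zone trust to-zone to-lsys-b policy allow-ssh match application junos-ssh
set logical-systems LSYS-A security policies from-zone trust to-zone to-lsys-b policy allow-ssh then permit
## Route LSYS-B's tenant prefix (assumed 192.168.2.0/24) over the tunnel.
set logical-systems LSYS-A routing-options static route 192.168.2.0/24 next-hop 10.0.0.2

## LSYS-B: the peer unit and its own, independently administered policy.
## Whatever LSYS-A permits is irrelevant unless LSYS-B also permits it;
## everything not matched here is dropped by the default deny.
set logical-systems LSYS-B interfaces lt-0/0/0 unit 2 encapsulation ethernet
set logical-systems LSYS-B interfaces lt-0/0/0 unit 2 peer-unit 1
set logical-systems LSYS-B interfaces lt-0/0/0 unit 2 family inet address 10.0.0.2/30
set logical-systems LSYS-B security zones security-zone from-lsys-a interfaces lt-0/0/0.2
set logical-systems LSYS-B security policies from-zone from-lsys-a to-zone trust policy allow-ssh match source-address any
set logical-systems LSYS-B security policies from-zone from-lsys-a to-zone trust policy allow-ssh match destination-address any
set logical-systems LSYS-B security policies from-zone from-lsys-a to-zone trust policy allow-ssh match application junos-ssh
set logical-systems LSYS-B security policies from-zone from-lsys-a to-zone trust policy allow-ssh then permit
## Return route for LSYS-A's tenant prefix (assumed 192.168.1.0/24).
set logical-systems LSYS-B routing-options static route 192.168.1.0/24 next-hop 10.0.0.1
```

The two `peer-unit` statements are what actually tie the tunnel together: unit 1 in LSYS-A and unit 2 in LSYS-B are the two ends of one internal link, and the 10.0.0.0/30 addresses only exist so that each logical system can route across it. A VR-only design would need a single shared policy set and route leaking between tables to get the same path; with logical systems the policy on each side is written, and can be audited, by that logical system's own administrator.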

