[j-nsp] SRX firewall virtualization

Damien DeVille damien.deville at gmail.com
Fri Oct 2 08:56:08 EDT 2015

In my opinion, Lsys has one distinct use case and one only.  That use case
is when you have a requirement for multiple different groups to have
administrative control over their own distinct security policies.

Lsys comes with a lengthy list of caveats and limitations (this is not an
all inclusive list, but here are a few items that come to mind - some of
this may have changed, my information is about 1-2 years old)

   - You're limited to 32 Lsys instances.  That's unlikely to change moving
   - Intra-Lsys communication can increase the session count significantly
   and dramatically reduce the overall performance of the device.  Each Lsys
   has to keep state on the same session.
   - Some HA features are not supported (NSR, NSB, ISSU)
   - Multiple traffic selectors (multiple proxy ids) are not supported
   - ALGs can only be configured at the root level and apply to all Lsys
   - IDP DB and Policy can only be updated at the root level and applies to
   all instances
   - LT interfaces are required for Intra-Lsys communications.
   - CoS can't be applied to an LT interface.
   - You can set the bandwidth on an LT interface up to 40g (1g, 10g, 40g),
   but you're limited by the speed of the back-plane (determined by the SCB or
   SRE depending on your HE box)
   - Trace and debug are only supported at the root level
   - Commit rollback is only supported at the root level

With all that in mind, if you don't have a requirement for separation of
policy administration, I would recommend you investigate VR's and Zones as
your mechanism for virtualization on the SRX.

With VR's you would likely use Rib Groups for intra-vr communications,
though you could also use an LT interface (if you wanted to hamstring

- Damien
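The VR-plus-zones approach recommended above, as an added configuration example (constructed here, not from the original post): two virtual routers whose interface routes are leaked to each other with rib-groups, with each VR's interface in its own security zone so that inter-VR traffic is still subject to an explicit zone policy. Instance, zone, interface and address names are assumptions.

```junos
# Constructed example (not from the original post). Names are assumptions.
# Two virtual routers, VR-A and VR-B, sharing one SRX; no LT interface.
set interfaces ge-0/0/1 unit 0 family inet address 10.1.1.1/24
set interfaces ge-0/0/2 unit 0 family inet address 10.2.2.1/24

# A rib-group's first import-rib must be the table of the instance that
# applies it; the remaining tables receive copies of the same routes.
set routing-options rib-groups LEAK-A-B import-rib [ VR-A.inet.0 VR-B.inet.0 ]
set routing-options rib-groups LEAK-B-A import-rib [ VR-B.inet.0 VR-A.inet.0 ]

set routing-instances VR-A instance-type virtual-router
set routing-instances VR-A interface ge-0/0/1.0
# Leak VR-A's directly connected routes into VR-B.inet.0
set routing-instances VR-A routing-options interface-routes rib-group inet LEAK-A-B

set routing-instances VR-B instance-type virtual-router
set routing-instances VR-B interface ge-0/0/2.0
# Leak VR-B's directly connected routes into VR-A.inet.0
set routing-instances VR-B routing-options interface-routes rib-group inet LEAK-B-A

# Keep each VR's interfaces in a distinct zone. The leaked routes only make
# the forwarding path exist; the zone policy decides what may use it, and
# with no matching policy the SRX default is to drop.
set security zones security-zone ZONE-A interfaces ge-0/0/1.0
set security zones security-zone ZONE-B interfaces ge-0/0/2.0

set security policies from-zone ZONE-A to-zone ZONE-B policy a-to-b-web match source-address any
set security policies from-zone ZONE-A to-zone ZONE-B policy a-to-b-web match destination-address any
set security policies from-zone ZONE-A to-zone ZONE-B policy a-to-b-web match application junos-http
set security policies from-zone ZONE-A to-zone ZONE-B policy a-to-b-web then permit
set security policies from-zone ZONE-A to-zone ZONE-B policy a-to-b-web then log session-init

# Verification after commit:
#   show route table VR-B.inet.0        (10.1.1.0/24 should appear as Direct)
#   show security flow session           (one session per inter-VR flow, no
#                                         double session as with Lsys + LT)
```

Only the direct routes are leaked here; static or dynamically learned routes need their own rib-group reference (for example under the static or protocol stanza) before they appear in the other VR's table.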

On Fri, Oct 2, 2015 at 3:08 AM, james list <jameslist72 at gmail.com> wrote:

> Dear experts,
> I’d like to know your opinion about firewall virtualization inside SRX
> boxes (high-end).
> As far as I understand there are a couple of ways: Logical Systems (LSys)
> and Virtual routers (VR).
> From your point of view:
> 1) Which are the main differences among Lsys and VR ?
> 2) Which are pro and cons of LSys and VR ?
> 3) If I need to put in communication two LSys in the same box which is
> the maximum throughput I can get ? Should I use lt- interface ?
> 4) If I need to put in communication two VR in the same box which is
> the maximum throughput I can get ? Should I use import/export ?
> If  inside the feedbacks you can provide any reference URL it will be
> appreciated.
> Cheers
> James
> _______________________________________________
> juniper-nsp mailing list juniper-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/juniper-nsp
