[j-nsp] SRX firewall virtualization
damien.deville at gmail.com
Fri Oct 2 08:56:08 EDT 2015
In my opinion, Lsys has one distinct use case and one only. That use case
is when you have a requirement for multiple different groups to have
administrative control over thier own distinct security policies.
Lsys comes with a lengthy list of caveats and limitations (this is not an
all inclusive list, but here are a few items that come to mind - some of
this may have changed, my information is about a 1-2 years old)
- You're limited to 32 Lsys instances. That's unlikely to change moving
- Intra-Lsys communication can increase the session count significantly
and dramatically reduce the overall performance of the device. Each Lsys
has to keep state on the same session.
- Some HA features are not supported (NSR, NSB, ISSU)
- Multiple traffic selectors (multiple proxy ids) are not supported
- ALGs can only be configured at the root level and apply to all Lsys
- IDP DB and Policy can only be updated at the root level and applies to
- LT interfaces are required for Intra-Lsys communications.
- CoS can't be applied to an LT interface.
- You can set the bandwidth on an LT interface up to 40g (1g, 10g, 40g),
but you're limited by the speed of the back-plane (determined by the SCB or
SRE depending on your HE box)
- Trace and debug are only supported at the root level
- Commit rollback is only supported at the root level
With all that in mind, if you don't have a requirement for separation of
policy administration, I would recommend you investigate VR's and Zones as
your mechanism for vitalization on the SRX.
With VR's you would likely use Rib Groups for intra-vr communications - ,
though you could also use an LT interface (if you wanted to hamstring
On Fri, Oct 2, 2015 at 3:08 AM, james list <jameslist72 at gmail.com> wrote:
> Dear experts,
> I’d like to know your opinion about firewall virtualization inside SRX
> boxes (high-end).
> As far as I understand there are a couple of way: Logical Systems (LSys)
> and Virtual routers (VR).
> From your point of view:
> 1) Which are the main differences among Lsys and VR ?
> 2) Which are pro and cons of LSys and VR ?
> 3) If I need to put in communication two LSys in the same box which is
> the maximum throughtput I can get ? Should I use lt- interface ?
> 4) If I need to put in communication two VR in the same boz which is
> the maximum throughtput I can get ? Should I use import/export ?
> If inside the feedbacks you can provide any reference URL it will be
> juniper-nsp mailing list juniper-nsp at puck.nether.net
More information about the juniper-nsp