[j-nsp] SRX firewall virtualization

james list jameslist72 at gmail.com
Fri Oct 2 09:12:05 EDT 2015


Thanks Damien
Very good explanation.

Regards
James

2015-10-02 14:56 GMT+02:00 Damien DeVille <damien.deville at gmail.com>:

> In my opinion, Lsys has one distinct use case and one only.  That use case
> is when you have a requirement for multiple different groups to have
> administrative control over their own distinct security policies.
>
> Lsys comes with a lengthy list of caveats and limitations (this is not an
> all inclusive list, but here are a few items that come to mind - some of
> this may have changed, my information is about a 1-2 years old)
>
>    - You're limited to 32 Lsys instances.  That's unlikely to change
>    moving forward.
>    - Intra-Lsys communication can increase the session count
>    significantly and dramatically reduce the overall performance of the
>    device.  Each Lsys has to keep state on the same session.
>    - Some HA features are not supported (NSR, NSB, ISSU)
>    - Multiple traffic selectors (multiple proxy ids) are not supported
>    - ALGs can only be configured at the root level and apply to all Lsys
>    instances.
>    - IDP DB and Policy can only be updated at the root level and applies
>    to all instances
>    - LT interfaces are required for Intra-Lsys communications.
>    - CoS can't be applied to an LT interface.
>    - You can set the bandwidth on an LT interface up to 40g (1g, 10g,
>    40g), but you're limited by the speed of the back-plane (determined by the
>    SCB or SRE depending on your HE box)
>    - Trace and debug are only supported at the root level
>    - Commit rollback is only supported at the root level
>
> With all that in mind, if you don't have a requirement for separation of
> policy administration, I would recommend you investigate VRs and Zones as
> your mechanism for virtualization on the SRX.
>
> With VRs you would likely use rib groups for intra-VR communication,
> though you could also use an LT interface (if you wanted to hamstring
> yourself).
>
> - Damien
>
> On Fri, Oct 2, 2015 at 3:08 AM, james list <jameslist72 at gmail.com> wrote:
>
>> Dear experts,
>>
>> I’d like to know your opinion about firewall virtualization inside SRX
>> boxes (high-end).
>>
>> As far as I understand there are a couple of ways: Logical Systems (LSys)
>> and Virtual Routers (VR).
>>
>> From your point of view:
>>
>> 1) What are the main differences between LSys and VR?
>>
>> 2) What are the pros and cons of LSys and VR?
>>
>> 3) If I need to put two LSys in the same box in communication, what is
>> the maximum throughput I can get? Should I use an lt- interface?
>>
>> 4) If I need to put two VRs in the same box in communication, what is
>> the maximum throughput I can get? Should I use import/export?
>>
>> If you can provide any reference URLs with your feedback, it will be
>> appreciated.
>>
>>
>>
>> Cheers
>>
>> James
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
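The VR-plus-zones design Damien recommends above, written out as an added Junos configuration example. This is not configuration from the thread or from Juniper; the instance names (VR-A, VR-B), the interface and unit numbers, the addresses, the rib-group names and the zone and policy names are all assumptions chosen for illustration. Each VR gets its own routing table and its own zone, and reachability between them comes from leaking each VR's connected routes into the other table with a rib group, so traffic between them is forwarded natively instead of being hairpinned over an lt- pair.

```junos
## Added example: two virtual routers on one SRX, separated by security
## zones, with inter-VR reachability via rib groups rather than an lt- pair.
## All names, units and addresses are assumptions, not from the thread.

interfaces {
    ge-0/0/1 {
        vlan-tagging;
        unit 100 {
            vlan-id 100;
            family inet {
                address 10.100.0.1/24;
            }
        }
        unit 200 {
            vlan-id 200;
            family inet {
                address 10.200.0.1/24;
            }
        }
    }
}

routing-options {
    rib-groups {
        ## import-rib lists the source table first, then the tables to leak into.
        LEAK-A-TO-B {
            import-rib [ VR-A.inet.0 VR-B.inet.0 ];
        }
        LEAK-B-TO-A {
            import-rib [ VR-B.inet.0 VR-A.inet.0 ];
        }
    }
}

routing-instances {
    VR-A {
        instance-type virtual-router;
        interface ge-0/0/1.100;
        routing-options {
            ## Leak VR-A's directly connected routes into VR-B.inet.0.
            interface-routes {
                rib-group inet LEAK-A-TO-B;
            }
        }
    }
    VR-B {
        instance-type virtual-router;
        interface ge-0/0/1.200;
        routing-options {
            ## Leak VR-B's directly connected routes into VR-A.inet.0.
            interface-routes {
                rib-group inet LEAK-B-TO-A;
            }
        }
    }
}

security {
    zones {
        security-zone ZONE-A {
            interfaces {
                ge-0/0/1.100;
            }
        }
        security-zone ZONE-B {
            interfaces {
                ge-0/0/1.200;
            }
        }
    }
    policies {
        ## Only the explicitly permitted direction and applications pass;
        ## everything else between the zones hits the default deny.
        from-zone ZONE-A to-zone ZONE-B {
            policy A-TO-B-WEB {
                match {
                    source-address any;
                    destination-address any;
                    application [ junos-http junos-https ];
                }
                then {
                    permit;
                }
            }
        }
    }
}
```

After commit, `show route table VR-B.inet.0` should list 10.100.0.0/24 (and VR-A.inet.0 should list 10.200.0.0/24) as leaked direct routes, and `show security flow session` for a flow from ZONE-A to ZONE-B should show one session. With an lt- pair between the two instead, the same flow would appear twice, once on each side of the lt- link, which is the session-count cost Damien describes for the Lsys/lt- approach. Rib groups live under the root `routing-options`, so this design keeps all policy administration in one place, which is exactly the trade-off: it is the right choice only when separate administrative control per tenant is not a requirement.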

