[j-nsp] SRX firewall virtualization
james list
jameslist72 at gmail.com
Fri Oct 2 09:12:05 EDT 2015
Thanks Damien
very good explanation.
Regards
James
2015-10-02 14:56 GMT+02:00 Damien DeVille <damien.deville at gmail.com>:
> In my opinion, Lsys has one distinct use case and one only. That use case
> is when you have a requirement for multiple different groups to have
> administrative control over their own distinct security policies.
>
> Lsys comes with a lengthy list of caveats and limitations (this is not an
> all inclusive list, but here are a few items that come to mind - some of
> this may have changed, my information is about a 1-2 years old)
>
> - You're limited to 32 Lsys instances. That's unlikely to change
> moving forward.
> - Intra-Lsys communication can increase the session count
> significantly and dramatically reduce the overall performance of the
> device. Each Lsys has to keep state on the same session.
> - Some HA features are not supported (NSR, NSB, ISSU)
> - Multiple traffic selectors (multiple proxy ids) are not supported
> - ALGs can only be configured at the root level and apply to all Lsys
> instances.
> - IDP DB and Policy can only be updated at the root level and applies
> to all instances
> - LT interfaces are required for Intra-Lsys communications.
> - CoS can't be applied to an LT interface.
> - You can set the bandwidth on an LT interface up to 40g (1g, 10g,
> 40g), but you're limited by the speed of the back-plane (determined by the
> SCB or SRE depending on your HE box)
> - Trace and debug are only supported at the root level
> - Commit rollback is only supported at the root level
>
> With all that in mind, if you don't have a requirement for separation of
> policy administration, I would recommend you investigate VR's and Zones as
> your mechanism for virtualization on the SRX.
>
> With VR's you would likely use Rib Groups for intra-vr communications,
> though you could also use an LT interface (if you wanted to hamstring
> yourself).
>
>
>
>
> - Damien
>
> On Fri, Oct 2, 2015 at 3:08 AM, james list <jameslist72 at gmail.com> wrote:
>
>> Dear experts,
>>
>> I’d like to know your opinion about firewall virtualization inside SRX
>> boxes (high-end).
>>
>>
>> As far as I understand there are a couple of way: Logical Systems (LSys)
>> and Virtual routers (VR).
>>
>>
>>
>> From your point of view:
>>
>>
>> 1) Which are the main differences among Lsys and VR ?
>>
>> 2) Which are pro and cons of LSys and VR ?
>>
>> 3) If I need to put in communication two LSys in the same box which is
>> the maximum throughput I can get ? Should I use lt- interface ?
>>
>> 4) If I need to put in communication two VR in the same box which is
>> the maximum throughput I can get ? Should I use import/export ?
>>
>>
>>
>> If inside the feedbacks you can provide any reference URL it will be
>> appreciated.
>>
>>
>>
>> Cheers
>>
>> James
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp
>
>
>
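Damien's suggestion of VRs plus zones, with rib groups for inter-VR reachability, as an added Junos configuration sketch that is not from the thread or from Juniper's documentation. The instance names, interface names, zone names and rib-group names are assumed; the point it shows is that separation between the two VRs is enforced by the zone policy, not by the routing instances themselves.

```junos
/* Two virtual routers, each owning one interface. Interface (direct) routes
   are exported through a rib group so each VR can reach the other's subnet. */
routing-instances {
    VR-A {
        instance-type virtual-router;
        interface ge-0/0/1.0;
        routing-options {
            interface-routes {
                rib-group inet RG-A-TO-B;
            }
        }
    }
    VR-B {
        instance-type virtual-router;
        interface ge-0/0/2.0;
        routing-options {
            interface-routes {
                rib-group inet RG-B-TO-A;
            }
        }
    }
}
routing-options {
    rib-groups {
        /* first import-rib is the source table, the rest receive the routes */
        RG-A-TO-B {
            import-rib [ VR-A.inet.0 VR-B.inet.0 ];
        }
        RG-B-TO-A {
            import-rib [ VR-B.inet.0 VR-A.inet.0 ];
        }
    }
}
security {
    zones {
        security-zone ZONE-A { interfaces { ge-0/0/1.0; } }
        security-zone ZONE-B { interfaces { ge-0/0/2.0; } }
    }
    /* Leaked routes only make the other VR reachable; without an explicit
       from-zone/to-zone policy the default deny still drops the traffic. */
    policies {
        from-zone ZONE-A to-zone ZONE-B {
            policy A-TO-B-HTTP {
                match { source-address any; destination-address any; application junos-http; }
                then { permit; log { session-init; session-close; } }
            }
        }
    }
}
```

Because the packet stays inside the forwarding path (no lt- interface hop), only one session is created per flow, which is the throughput advantage over the LT-interface approach mentioned in the reply.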