nanog mailing list archives

RE: Firewall Appliance Suggestions


From: "Blake T. Pfankuch" <blake () pfankuch me>
Date: Fri, 1 Jul 2011 04:35:22 +0000

Normally I would agree with you as far as separate instances; however, this will be in a situation where we pay 
ridiculous amounts for CPU and memory, so a single instance is what we are shooting for (remember those ridiculous 
requirements).  I am planning to do some further testing with Vyatta and pfSense.  Thank you all for the on-list and 
off-list responses!

-----Original Message-----
From: Sargun Dhillon [mailto:sargun () sargun me] 
Sent: Thursday, June 30, 2011 9:56 PM
To: George Bonser
Cc: Blake T. Pfankuch; NANOG (nanog () nanog org)
Subject: Re: Firewall Appliance Suggestions



----- Original Message -----
From: "George Bonser" <gbonser () seven com>
To: "Blake T. Pfankuch" <blake () pfankuch me>, "NANOG (nanog () nanog org)" 
<nanog () nanog org>
Sent: Thursday, June 30, 2011 11:30:53 AM
Subject: RE: Firewall Appliance Suggestions

Willing to pay for something if need be, but looking for something 
that can easily handle 50-100mbit of throughput.

Any Ideas?

Thanks!

Blake Pfankuch


I might also look at Vyatta.  They have appliances or you can run the 
software on your own hardware.

I would not go with Vyatta if you're doing anything complex. The random bugs I've hit with their software are 
numerous. In the right hands, it's a powerful tool. And it seems to fit your solution really well. 

If I were in your shoes, I would install two instances that would handle the "edge" of the cluster, and then an 
instance per customer (lightweight, they sell a VMware image). Then use dynamic routing to direct traffic to the 
customer (assign each customer their own ASN, and peer with their instance). So, in the worst-case scenario, the NOC monkey 
only breaks one customer's gear. 


--
Sargun Dhillon
VoIP (US): +1-925-235-1105
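The per-customer-ASN layout described above, written out as Vyatta-style `set` commands. This is an added example, not configuration from the thread or from Vyatta's documentation; the router ID, the /30 link addresses, the private ASNs (65000 for the edge, 64601/64602 for the customers) and the customer prefixes from the documentation ranges are all assumed. The point the example adds is the filter on the edge side: each customer instance is only allowed to announce its own prefixes, and a `maximum-prefix` cap backs that up, so a misconfigured customer instance cannot hijack another customer's addresses or flood the edge's table.

```text
# --- edge instance (one of the two), ASN 65000 ---
set interfaces ethernet eth1 address '10.10.1.1/30'
set interfaces ethernet eth2 address '10.10.2.1/30'

# What each customer instance may import into the edge: only its own block.
# Vyatta/Quagga prefix-lists deny anything not explicitly permitted.
set policy prefix-list cust-a-in rule 10 action 'permit'
set policy prefix-list cust-a-in rule 10 prefix '198.51.100.0/24'
set policy prefix-list cust-b-in rule 10 action 'permit'
set policy prefix-list cust-b-in rule 10 prefix '203.0.113.0/24'

set protocols bgp 65000 parameters router-id '192.0.2.1'
# Customer A's firewall instance
set protocols bgp 65000 neighbor 10.10.1.2 remote-as '64601'
set protocols bgp 65000 neighbor 10.10.1.2 prefix-list import 'cust-a-in'
set protocols bgp 65000 neighbor 10.10.1.2 maximum-prefix '5'
set protocols bgp 65000 neighbor 10.10.1.2 default-originate
# Customer B's firewall instance
set protocols bgp 65000 neighbor 10.10.2.2 remote-as '64602'
set protocols bgp 65000 neighbor 10.10.2.2 prefix-list import 'cust-b-in'
set protocols bgp 65000 neighbor 10.10.2.2 maximum-prefix '5'
set protocols bgp 65000 neighbor 10.10.2.2 default-originate

# --- customer A's instance, ASN 64601 ---
set interfaces ethernet eth0 address '10.10.1.2/30'
set interfaces ethernet eth1 address '198.51.100.1/24'
set protocols bgp 64601 parameters router-id '10.10.1.2'
set protocols bgp 64601 neighbor 10.10.1.1 remote-as '65000'
# Announce only this customer's block toward the edge; take the default from it.
set protocols bgp 64601 network '198.51.100.0/24'
```

With this in place the "NOC monkey breaks one customer" property holds on both sides of the link: a bad commit on customer A's instance withdraws or garbles only 198.51.100.0/24, and if that instance is made to announce 203.0.113.0/24 the edge drops it on import. The same pattern repeats for the second edge instance with a separate /30 per customer.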
