nanog mailing list archives
Re: Multitenant FWs
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Mon, 2 May 2011 01:35:46 -0400
On Mon, May 2, 2011 at 12:20 AM, Stefan Fouant <sfouant () shortestpathfirst net> wrote:
> -----Original Message-----
> From: christopher.morrow () gmail com [mailto:christopher.morrow () gmail com] On Behalf Of Christopher Morrow
>
> > one thing to keep in mind is that as near as I can tell no vendor (not
> > a single one) has actual hard limits configurable for each tenant
> > firewall instance. So, one can use all of the 'firewall rule'
> > resources, one can use all of the 'route memory' ... leaving other
> > instances flailing :(
>
> Ahem, actually ScreenOS does support just such a thing through the use of
> resource profiles - with this you can limit the amount of CPU, Sessions,
> Policies, MIPs and DIPs (used for NAT), and other user defined objects such
> as address book entries, etc. that each VSYS can avail. This was one of the

good to know... I wonder how well it isolates.

> primary drivers behind our decision to utilize the NS-5400 for Verizon's
> NBFW (you remember that place right Chris, heh')

i do, occasionally via the twitching :)

> Stefan Fouant