nanog mailing list archives

RE: Multitenant FWs


From: "Stefan Fouant" <sfouant () shortestpathfirst net>
Date: Mon, 2 May 2011 00:20:55 -0400

-----Original Message-----
From: christopher.morrow () gmail com
[mailto:christopher.morrow () gmail com] On Behalf Of Christopher Morrow

one thing to keep in mind is that as near as I can tell no vendor (not
a single one) has actual hard limits configurable for each tenant
firewall instance. So, one can use all of the 'firewall rule'
resources, one can use all of the 'route memory' ... leaving other
instances flailing :(

Ahem, actually ScreenOS does support just such a thing through the use of
resource profiles - with this you can limit the amount of CPU, Sessions,
Policies, MIPs and DIPs (used for NAT), and other user defined objects such
as address book entries, etc. that each VSYS can avail.  This was one of the
primary drivers behind our decision to utilize the NS-5400 for Verizon's
NBFW (you remember that place right Chris, heh')

Stefan Fouant
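The point of the exchange above is cross-tenant resource exhaustion: on a shared chassis, one virtual firewall filling the session or policy table starves the others, and a per-tenant resource profile is what contains it. The following is an added Python illustration written for this archive page; it is not ScreenOS code and does not reproduce the resource-profile syntax of any vendor. The tenant names, pool sizes and caps are constructed for the demonstration.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class ResourceProfile:
    """Per-tenant ceilings, modelled on the idea of a per-VSYS profile (illustrative)."""
    max_sessions: int
    max_policies: int


@dataclass
class Tenant:
    name: str
    profile: Optional[ResourceProfile] = None  # None: no per-tenant cap, only the global pool
    sessions: int = 0
    policies: int = 0


class SharedFirewall:
    """One chassis whose session table and policy table are shared by every tenant."""

    def __init__(self, total_sessions: int, total_policies: int) -> None:
        self.total_sessions = total_sessions
        self.total_policies = total_policies
        self.tenants: Dict[str, Tenant] = {}

    def add_tenant(self, name: str, profile: Optional[ResourceProfile] = None) -> Tenant:
        tenant = Tenant(name=name, profile=profile)
        self.tenants[name] = tenant
        return tenant

    def _used_sessions(self) -> int:
        return sum(t.sessions for t in self.tenants.values())

    def _used_policies(self) -> int:
        return sum(t.policies for t in self.tenants.values())

    def open_session(self, name: str) -> bool:
        """Admit a new session for a tenant; False when either the global pool or the tenant cap is hit."""
        tenant = self.tenants[name]
        if self._used_sessions() >= self.total_sessions:
            return False  # chassis-wide session table is full
        if tenant.profile is not None and tenant.sessions >= tenant.profile.max_sessions:
            return False  # this tenant has reached its own ceiling
        tenant.sessions += 1
        return True

    def add_policy(self, name: str) -> bool:
        """Same admission logic for firewall rules (policies)."""
        tenant = self.tenants[name]
        if self._used_policies() >= self.total_policies:
            return False
        if tenant.profile is not None and tenant.policies >= tenant.profile.max_policies:
            return False
        tenant.policies += 1
        return True


def simulate(enforce_profiles: bool) -> Dict[str, Tuple[int, int]]:
    """Run a noisy tenant against two quiet ones; return {tenant: (sessions, policies)}.

    Constructed scenario: a 1000-session / 100-policy chassis shared by three tenants.
    tenant-a (misbehaving or under attack) tries to grab far more than its share,
    then tenant-b attempts a modest, legitimate workload.
    """
    fw = SharedFirewall(total_sessions=1000, total_policies=100)
    profile = ResourceProfile(max_sessions=400, max_policies=40) if enforce_profiles else None
    for name in ("tenant-a", "tenant-b", "tenant-c"):
        fw.add_tenant(name, profile)

    for _ in range(5000):          # tenant-a hammers the session table
        fw.open_session("tenant-a")
    for _ in range(500):           # and pushes an oversized rule base
        fw.add_policy("tenant-a")

    for _ in range(300):           # tenant-b's normal workload arrives afterwards
        fw.open_session("tenant-b")
    for _ in range(30):
        fw.add_policy("tenant-b")

    return {name: (t.sessions, t.policies) for name, t in fw.tenants.items()}


if __name__ == "__main__":
    print("no per-tenant limits:", simulate(enforce_profiles=False))
    print("with resource profiles:", simulate(enforce_profiles=True))
```

Without profiles, tenant-a takes the entire session and policy pool and tenant-b is admitted nothing; with profiles, tenant-a is stopped at its 400-session / 40-policy ceiling and tenant-b's workload fits. The cap is checked per tenant on every admission rather than at provisioning time, which is what makes the isolation hold under load.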
