[140104] in North American Network Operators' Group
Re: Multitenant FWs
daemon@ATHENA.MIT.EDU (Christopher Morrow)
Mon May 2 01:35:56 2011
In-Reply-To: <00c301cc0880$55526100$fff72300$@net>
Date: Mon, 2 May 2011 01:35:46 -0400
From: Christopher Morrow <morrowc.lists@gmail.com>
To: Stefan Fouant <sfouant@shortestpathfirst.net>
Cc: nanog@nanog.org
Errors-To: nanog-bounces+nanog.discuss=bloom-picayune.mit.edu@nanog.org
On Mon, May 2, 2011 at 12:20 AM, Stefan Fouant
<sfouant@shortestpathfirst.net> wrote:
>> -----Original Message-----
>> From: christopher.morrow@gmail.com
>> [mailto:christopher.morrow@gmail.com] On Behalf Of Christopher Morrow
>>
>> one thing to keep in mind is that as near as I can tell no vendor (not
>> a single one) has actual hard limits configurable for each tenant
>> firewall instance. So, one can use all of the 'firewall rule'
>> resources, one can use all of the 'route memory' ... leaving other
>> instances flailing :(
>
> Ahem, actually ScreenOS does support just such a thing through the use of
> resource profiles - with this you can limit the amount of CPU, Sessions,
> Policies, MIPs and DIPs (used for NAT), and other user defined objects such
> as address book entries, etc. that each VSYS can avail. This was one of the
good to know... I wonder how well it isolates.
> primary drivers behind our decision to utilize the NS-5400 for Verizon's
> NBFW (you remember that place right Chris, heh)
i do, occasionally via the twitching :)
> Stefan Fouant
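The isolation question raised in this exchange, as an added illustration that is not part of the thread and not ScreenOS code: a constructed toy model of a shared firewall whose session pool is consumed by one tenant, run once without per-tenant caps and once with per-VSYS resource profiles (tenant names and capacities are hypothetical).

```python
"""Toy model: noisy-neighbour exhaustion on a multitenant firewall,
with and without per-tenant (per-VSYS) resource profiles. Constructed example."""
from dataclasses import dataclass


@dataclass
class ResourceProfile:
    """Hard caps for one tenant; any request beyond them is refused."""
    sessions: int
    policies: int


class MultitenantFirewall:
    def __init__(self, total_sessions: int, total_policies: int):
        self.capacity = {"sessions": total_sessions, "policies": total_policies}
        self.used = {"sessions": 0, "policies": 0}      # global pool usage
        self.profiles: dict[str, ResourceProfile] = {}  # vsys -> caps
        self.per_vsys: dict[str, dict[str, int]] = {}   # vsys -> usage

    def set_profile(self, vsys: str, profile: ResourceProfile) -> None:
        self.profiles[vsys] = profile

    def allocate(self, vsys: str, resource: str, n: int = 1) -> bool:
        counts = self.per_vsys.setdefault(vsys, {"sessions": 0, "policies": 0})
        profile = self.profiles.get(vsys)
        # Per-tenant cap is checked first: a greedy tenant is stopped at its
        # own limit and never reaches the shared pool's ceiling.
        if profile is not None and counts[resource] + n > getattr(profile, resource):
            return False
        if self.used[resource] + n > self.capacity[resource]:
            return False  # global pool exhausted: every tenant now fails
        counts[resource] += n
        self.used[resource] += n
        return True


def noisy_neighbour(with_profiles: bool) -> dict[str, int]:
    """tenant-a tries to open 1000 sessions (e.g. it is being flooded);
    tenant-b then needs 10. Returns how many each actually obtained."""
    fw = MultitenantFirewall(total_sessions=1000, total_policies=100)
    if with_profiles:
        for vsys in ("tenant-a", "tenant-b"):
            fw.set_profile(vsys, ResourceProfile(sessions=500, policies=50))
    a_ok = sum(fw.allocate("tenant-a", "sessions") for _ in range(1000))
    b_ok = sum(fw.allocate("tenant-b", "sessions") for _ in range(10))
    return {"tenant_a": a_ok, "tenant_b": b_ok}


if __name__ == "__main__":
    print("no profiles:", noisy_neighbour(False))   # tenant-b gets 0
    print("profiles:   ", noisy_neighbour(True))    # tenant-b gets 10
```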