[AusNOG] Virtual routers that users can manage without interfering with other tenants
yaleman at ricetek.net
Thu Aug 27 09:03:39 EST 2015
Palo Alto firewalls are also perfect for this, complete virtualisation
of router/firewalls per segment and a pretty damn good orchestration
system which is cheap.
On Thu, 27 Aug 2015, at 07:09, Tom Storey wrote:
> Thats essentially what logical systems do on Juniper, provide a
> virtualised router instance in to which the admin of the box can
> assign interfaces (or subints) - the user does not have the ability to
> configure new interfaces, just the parameters of interfaces they have
> been assigned. There is a limit to the number of logical systems you
> are supposed to be able to configure which is 15 for a router
> platform, and potentially less on the SRX (and only the higher end
> SRXs, which may also require additional licenses last I read.)
> Ive not yet tried to configure a logical system on a vMX router, will
> have to play with that at some point.
> There are some cons to using logical systems, for example you lose
> some of the configuration management abilities that makes JunOS really
> great (i.e. the ability to rollback), but they do allow the user to
> configure their own instances of routing protocols and other things in
> such a way that wont interfere with anyone else on the same box. And a
> user can be configured to log directly in to their own logical system
> instance, so theres less chance of them fat fingering and messing up
> another logical system or the host router itself.
> On 26 August 2015 at 15:41, Mark Smith <markzzzsmith at gmail.com> wrote:
> > So I don't know the pricing or specs of any of the routers mentioned, but
> > isn't one of the theoretical benefits of virtualization that you can run as
> > many instances as you like, which also means you can also "right-size"?
> > In other words, don't try to share a single virtual router between many
> > people, give them each their own.
> > On 26 Aug 2015 23:54, "Chris Bennett" <chris at ceegeebee.com> wrote:
> >> > I would like to try and do it in a scalable way, as we are thinking
> >> > we may have to allocate each customer a VLAN instead of using a
> >> > common VLAN, but just wanted to see if anyone had any thoughts on
> >> > other ways to do this?
> >> Assuming you have it or can afford it, you can do private vlans with
> >> the Nexus 1000V (on KVM or VMware), or VMware's vNetwork Distributed
> >> Switch (VDS).
> >> Otherwise you could implement ACL's on virtual firewall products that
> >> sit between the vNIC and vSwitch (there are a few to choose from).
> >> Regards,
> >> Chris
> >> _______________________________________________
> >> AusNOG mailing list
> >> AusNOG at lists.ausnog.net
> >> http://lists.ausnog.net/mailman/listinfo/ausnog
> > _______________________________________________
> > AusNOG mailing list
> > AusNOG at lists.ausnog.net
> > http://lists.ausnog.net/mailman/listinfo/ausnog
> AusNOG mailing list
> AusNOG at lists.ausnog.net
More information about the AusNOG