[AusNOG] Virtual routers that users can manage without interfering with other tenants

Hamish McGlinn hmcglinn at gmail.com
Wed Aug 26 14:35:37 EST 2015


Hi there,

Have you had a look at Juniper SRXs? The bigger Datacentre models allow
you to use "logical-systems" to multi-tenant a router. They allow you to
configure what commands the user can or can't use. So you could allow
changing the firewall/NAT/VPN entries but not anything else.

Cisco ASA also allows a similar feature through the use of firewall contexts.

Each have their pros and cons.


Cheers,

Hamish

On Wed, Aug 26, 2015 at 4:32 PM, Nathan Brookfield <
Nathan.Brookfield at simtronic.com.au> wrote:

> Ben,
>
> The best way to do this is, as you suggested, VLANs with /31 routed
> interfaces to minimize IP use out of your subnet.
>
> This means you can separate everyone and remove the chance of someone
> thinking they're smarter than they actually are :)
>
> Nathan Brookfield
> Chief Executive Officer
>
> Simtronic Technologies Pty Ltd
> http://www.simtronic.com.au
>
> On 26 Aug 2015, at 14:29, Ben Thompson <ben at benthompson.id.au> wrote:
>
> Hi all,
>
>
>
> Facing a challenge and looking for some ideas to get this right.
>
>
>
> We have some customers who we want to let use some Cisco CSR1000V routers
> (or maybe Vyatta, haven’t decided exactly which to go with yet), but I am
> struggling to work out a way to ensure a customer can log in to the device
> if they want to do things like configure NAT or VPN, but not be able to
> change their external interface settings in a way that would be able to impact
> other customers, as these would be on a common public network segment (by
> impact I mean things like using IPs we haven’t allocated to them, or rogue
> proxy ARP messages, etc.)
>
>
>
> I would like to try and do it in a scalable way, as we are thinking we may
> have to allocate each customer a VLAN instead of using a common VLAN, but
> just wanted to see if anyone had any thoughts on other ways to do this?
>
>
>
> Thanks,
>
> Ben
> _______________________________________________
> AusNOG mailing list
> AusNOG at lists.ausnog.net
> http://lists.ausnog.net/mailman/listinfo/ausnog
>

