[AusNOG] Virtual routers that users can manage without interfering with other tenants

Tom Storey tom at snnap.net
Thu Aug 27 07:09:18 EST 2015


That's essentially what logical systems do on Juniper, provide a
virtualised router instance into which the admin of the box can
assign interfaces (or subints) - the user does not have the ability to
configure new interfaces, just the parameters of interfaces they have
been assigned. There is a limit to the number of logical systems you
are supposed to be able to configure which is 15 for a router
platform, and potentially less on the SRX (and only the higher end
SRXs, which may also require additional licenses last I read.)

I've not yet tried to configure a logical system on a vMX router, will
have to play with that at some point.

There are some cons to using logical systems, for example you lose
some of the configuration management abilities that make JunOS really
great (i.e. the ability to rollback), but they do allow the user to
configure their own instances of routing protocols and other things in
such a way that won't interfere with anyone else on the same box. And a
user can be configured to log directly in to their own logical system
instance, so there's less chance of them fat-fingering and messing up
another logical system or the host router itself.

On 26 August 2015 at 15:41, Mark Smith <markzzzsmith at gmail.com> wrote:
> So I don't know the pricing or specs of any of the routers mentioned, but
> isn't one of the theoretical benefits of virtualization that you can run as
> many instances as you like, which also means you can also "right-size"?
>
> In other words, don't try to share a single virtual router between many
> people, give them each their own.
>
> On 26 Aug 2015 23:54, "Chris Bennett" <chris at ceegeebee.com> wrote:
>>
>> > I would like to try and do it in a scalable way, as we are thinking
>> > we may have to allocate each customer a VLAN instead of using a
>> > common VLAN, but just wanted to see if anyone had any thoughts on
>> > other ways to do this?
>>
>> Assuming you have it or can afford it, you can do private vlans with
>> the Nexus 1000V (on KVM or VMware), or VMware's vNetwork Distributed
>> Switch (VDS).
>>
>> Otherwise you could implement ACLs on virtual firewall products that
>> sit between the vNIC and vSwitch (there are a few to choose from).
>>
>> Regards,
>>
>> Chris
>> _______________________________________________
>> AusNOG mailing list
>> AusNOG at lists.ausnog.net
>> http://lists.ausnog.net/mailman/listinfo/ausnog
>
>
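
The arrangement described in the post above, sketched as Junos set-style configuration. This is an added example, not part of the original message or of Juniper's documentation; the names LS-TENANT-A, ls-tenant-a-admin and tenant-a, the interface ge-0/0/1 unit 100, the VLAN ID, the 192.0.2.0/30 addressing and the key placeholder are all constructed for illustration.

```junos
# Main router (box admin): physical interface properties stay here,
# so the tenant cannot create or re-tag interfaces.
set interfaces ge-0/0/1 vlan-tagging

# Box admin assigns one sub-interface to the tenant's logical system.
set logical-systems LS-TENANT-A interfaces ge-0/0/1 unit 100 vlan-id 100
set logical-systems LS-TENANT-A interfaces ge-0/0/1 unit 100 family inet address 192.0.2.1/30

# Login class bound to that logical system: users in this class log
# directly in to LS-TENANT-A rather than the host router.
set system login class ls-tenant-a-admin logical-system LS-TENANT-A
set system login class ls-tenant-a-admin permissions all
set system login user tenant-a class ls-tenant-a-admin
set system login user tenant-a authentication ssh-rsa "<tenant-public-key-placeholder>"

# A statement of the kind the tenant then manages themselves:
# their own OSPF instance, confined to the assigned sub-interface.
set logical-systems LS-TENANT-A protocols ospf area 0.0.0.0 interface ge-0/0/1.100
```

Review `show configuration system login` on the main router after adding tenants; any tenant class that lacks its `logical-system` statement gives its users access to the host router instead.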

