Hi,

Dave Weis <djw...@internetsolver.com> wrote:
> We want to provide a hosted/managed firewall service for our MPLS
> customers. Is a pair of ASA's with multiple contexts the best way to do
> this or would something else work better? I'm not concerned with the
> customers being able to make changes themselves.

No experience in actually doing this but I would say no. :)
There is no (or it is so small I have missed it) sharing of object data between contexts, and so you will find yourself spending all your time trying to keep the common parts of each context in sync.

Instead you should apply simple RPF rules (if you do not have them already) so that all the IP traffic coming from your customers does come from their own allocated address space (prevents spoofing). After you have done that, each customer can just be a raw IP range on whatever (single instance) firewall platform you wish to purchase, making manglement of the whole thing feel just like a regular LAN.

Of course things get fun if you add multicast traffic and/or asymmetric routing :)

Cheers

--
Alexander Clouter
.sigmonster says: <ahzz_> i figured 17G oughta be enough.

_______________________________________________
cisco-nsp mailing list  cisco-nsp@puck.nether.net
https://puck.nether.net/mailman/listinfo/cisco-nsp
archive at http://puck.nether.net/pipermail/cisco-nsp/
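To make the RPF suggestion above concrete, here is an added example (not part of the original thread, and not anyone's production config) that simulates a unicast reverse-path check on a customer-facing edge: a longest-prefix lookup on the source address, then strict mode (the route back to the source must point out the ingress interface) or loose mode (any non-default route back will do). The routing table, interface names and customer prefixes (RFC 5737 documentation ranges) are constructed for the example. It also shows the asymmetric-routing caveat from the post: a dual-homed customer whose packets arrive on an interface other than the one the route points at fails strict RPF but passes loose RPF.

```python
import ipaddress

# Constructed routing table for the edge box: prefix -> interface the route
# points out of. Customer assignments here are hypothetical. cust-c is
# dual-homed on cust-c1/cust-c2 but its prefix is routed via cust-c1 only,
# which is the asymmetric case the post warns about.
ROUTES = {
    "0.0.0.0/0": "uplink0",
    "192.0.2.0/24": "cust-a",
    "198.51.100.0/24": "cust-b",
    "203.0.113.0/25": "cust-b",        # second block routed to the same customer
    "203.0.113.128/25": "cust-c1",
}


def build_fib(routes):
    """Parse the textual table into (network, iface) pairs, longest prefix first,
    so a linear scan gives longest-prefix-match semantics."""
    fib = [(ipaddress.ip_network(p), iface) for p, iface in routes.items()]
    fib.sort(key=lambda e: e[0].prefixlen, reverse=True)
    return fib


def lookup(fib, addr):
    """Longest-prefix match; returns (network, iface) or None when nothing matches."""
    ip = ipaddress.ip_address(addr)
    for net, iface in fib:
        if ip in net:
            return net, iface
    return None


def rpf_check(fib, src, ingress, mode="strict", allow_default=False):
    """Reverse-path check on a packet's source address.

    strict: the best route back to src must point out the ingress interface.
    loose:  a route back to src merely has to exist, on any interface.
    The default route does not satisfy the check unless allow_default is set,
    otherwise loose mode would accept every source on a box with a default.
    Returns True when the packet should be forwarded, False when it should drop.
    """
    hit = lookup(fib, src)
    if hit is None:
        return False
    net, iface = hit
    if net.prefixlen == 0 and not allow_default:
        return False
    if mode == "loose":
        return True
    return iface == ingress


if __name__ == "__main__":
    fib = build_fib(ROUTES)
    # Constructed sample packets: (source, ingress interface, description)
    packets = [
        ("192.0.2.10", "cust-a", "cust-a using its own space"),
        ("198.51.100.7", "cust-a", "cust-a spoofing cust-b"),
        ("100.64.0.1", "cust-a", "cust-a spoofing unallocated space"),
        ("203.0.113.200", "cust-c2", "dual-homed cust-c arriving on the other link"),
    ]
    for src, ingress, what in packets:
        s = "pass" if rpf_check(fib, src, ingress) else "DROP"
        l = "pass" if rpf_check(fib, src, ingress, mode="loose") else "DROP"
        print(f"{what:45s} strict={s} loose={l}")
```

On the Cisco side the same strict check is the per-interface `ip verify unicast source reachable-via rx` (IOS) and `ip verify reverse-path interface <name>` (ASA); `reachable-via any` is the loose variant. Strict mode on each customer port is what makes "each customer is just a raw IP range" safe, but as the last sample packet shows, it has to be relaxed or avoided wherever a customer is multihomed into the same box.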