Thanks Damien, very good explanation.

Regards
James

2015-10-02 14:56 GMT+02:00 Damien DeVille <damien.devi...@gmail.com>:

> In my opinion, Lsys has one distinct use case and one only. That use case
> is when you have a requirement for multiple different groups to have
> administrative control over their own distinct security policies.
>
> Lsys comes with a lengthy list of caveats and limitations (this is not an
> all inclusive list, but here are a few items that come to mind - some of
> this may have changed, my information is about 1-2 years old)
>
>    - You're limited to 32 Lsys instances. That's unlikely to change
>    moving forward.
>    - Intra-Lsys communication can increase the session count
>    significantly and dramatically reduce the overall performance of the
>    device. Each Lsys has to keep state on the same session.
>    - Some HA features are not supported (NSR, NSB, ISSU)
>    - Multiple traffic selectors (multiple proxy ids) are not supported
>    - ALGs can only be configured at the root level and apply to all Lsys
>    instances.
>    - IDP DB and Policy can only be updated at the root level and apply
>    to all instances
>    - LT interfaces are required for Intra-Lsys communications.
>    - CoS can't be applied to an LT interface.
>    - You can set the bandwidth on an LT interface up to 40g (1g, 10g,
>    40g), but you're limited by the speed of the back-plane (determined by the
>    SCB or SRE depending on your HE box)
>    - Trace and debug are only supported at the root level
>    - Commit rollback is only supported at the root level
>
> With all that in mind, if you don't have a requirement for separation of
> policy administration, I would recommend you investigate VR's and Zones as
> your mechanism for virtualization on the SRX.
>
> With VR's you would likely use Rib Groups for intra-vr communications,
> though you could also use an LT interface (if you wanted to hamstring
> yourself).
>
> - Damien
>
> On Fri, Oct 2, 2015 at 3:08 AM, james list <jameslis...@gmail.com> wrote:
>
>> Dear experts,
>>
>> I’d like to know your opinion about firewall virtualization inside SRX
>> boxes (high-end).
>>
>> As far as I understand there are a couple of ways: Logical Systems (LSys)
>> and Virtual routers (VR).
>>
>> From your point of view:
>>
>> 1) Which are the main differences between Lsys and VR?
>>
>> 2) Which are the pros and cons of LSys and VR?
>>
>> 3) If I need to put in communication two LSys in the same box, which is
>> the maximum throughput I can get? Should I use lt- interface?
>>
>> 4) If I need to put in communication two VR in the same box, which is
>> the maximum throughput I can get? Should I use import/export?
>>
>> If in your feedback you can provide any reference URL, it will be
>> appreciated.
>>
>> Cheers
>>
>> James
>> _______________________________________________
>> juniper-nsp mailing list juniper-nsp@puck.nether.net
>> https://puck.nether.net/mailman/listinfo/juniper-nsp