a few thoughts about firewall virtualization...
first of all: firewall virtualization is one of the topics i just can't resist
;D
it began when i discovered the VRF capabilities in openbsd (guess since 4.7 or
so...)
the first experiments were using routing domain coupled with different vlans
but vlans are limited to 4k+
...this means a limitation if you want to put 2k+ users with multiple L2
segments onto one firewall
*hmmm*
now i just found out that isakmpd has the ability to 'tag' ipsec tunnels which
sounds pretty nice to me
just thinking of replacing the routing domain stuff with tagging, as with
tagging overlapping subnets at the customer side will not be a problem
(sessions are tagged and this should permit 'putting' the reply packet into
the correct tunnel (?))
has anybody some experience with replacing routing domain based firewall
virtualization with 'tagging'?
i need to ensure traffic isolation for each customer also with 'tagging' of
course..
thank you
/pat
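To make the tag-based isolation idea concrete, here is an added illustration of the approach being asked about; it is not the poster's configuration and has not been taken from the list thread. The customer names, peer addresses and subnets are constructed, and it assumes the hub-side subnets differ per customer (172.16.1.0/24 vs 172.16.2.0/24) so that the kernel can still select the right flow even though both customers use the same 10.0.0.0/24 behind their tunnels. The `tag` keyword is the one from ipsec.conf(5) and `tagged` the matching keyword from pf.conf(5); the default block plus one pass rule per tag is what gives the per-customer isolation, and reply packets follow the pf state created by the inbound rule rather than a separate tag check. Whether this fully replaces an rdomain-based setup for the reply-routing case is exactly the open question in the post and is not settled here.

```conf
# /etc/ipsec.conf (illustration only; addresses and names constructed)
# One ike rule per customer. 'tag' attaches a pf(4) tag to every packet
# matching the resulting flow, so pf can tell customers apart even when
# the subnets behind their tunnels overlap.

# customer A: 10.0.0.0/24 behind peer 192.0.2.10, hub side 172.16.1.0/24
ike esp from 172.16.1.0/24 to 10.0.0.0/24 peer 192.0.2.10 tag CUST_A

# customer B: also 10.0.0.0/24, behind peer 192.0.2.20, hub side 172.16.2.0/24
ike esp from 172.16.2.0/24 to 10.0.0.0/24 peer 192.0.2.20 tag CUST_B


# /etc/pf.conf (illustration only)
# Default deny: anything that is not explicitly tagged for a customer is dropped,
# which is what keeps one customer's traffic out of another's segment.
block log all

# Allow the IKE/ESP exchange with the known peers on the outside interface.
pass in on egress proto esp from { 192.0.2.10, 192.0.2.20 }
pass in on egress proto udp from { 192.0.2.10, 192.0.2.20 } to port { 500, 4500 }

# Decrypted traffic shows up on enc0 carrying the tag set by the flow.
# Each tag may only reach its own hub-side segment; the state created here
# lets the reply traffic back without a second rule.
pass in on enc0 tagged CUST_A from 10.0.0.0/24 to 172.16.1.0/24 keep state
pass in on enc0 tagged CUST_B from 10.0.0.0/24 to 172.16.2.0/24 keep state

# Traffic from the hub-side segments towards the customers, again per customer.
pass out on enc0 from 172.16.1.0/24 to 10.0.0.0/24 keep state
pass out on enc0 from 172.16.2.0/24 to 10.0.0.0/24 keep state
```

A quick check that the isolation holds is to generate traffic from one customer's tunnel towards the other customer's hub segment and confirm it shows up only as a `block log` entry on `pflog0`; with the tag rules above there is no pass rule that can match it.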
