Introduction

The Juniper firewall is a truly scalable device. On the high-end firewalls, you can divide the firewall into multiple virtual firewalls or virtual systems. A virtual system (vsys) is a logical firewall that is contained in a single physical firewall. Firewalls that support virtual systems enable you to create as many virtual systems as you are licensed for. Each virtual system can share components with other virtual systems or the root system.

Internet service providers (ISPs) or large organizations are the typical users of virtual systems. Both of these groups use virtual systems because of the need for many firewalls in a single location. For these users it would be impractical for them to have large numbers of firewalls. ISPs use the VSYS technology as a way to give customers access to their very own firewall while maintaining hundreds of virtual systems without the need for dedicated firewalls for each customer. Large organizations that require the use of many separate firewalls would benefit from the technology as well. The cost to use virtual systems is not an inexpensive proposition, but compared to maintaining many physical firewalls it can provide some cost benefits.

In this chapter, we will explore the virtual system technology and how to implement it. Together, we first look at the virtual system technology and what it provides. Next, we explore how virtual systems work. Looking deeply into how one physical device can differentiate traffic to dozens, if not hundreds, of different virtual systems. This is by...