Dell EMC Networking + Big Switch Cloud Fabric : Firewall Service Insertion – Part 3

Continued from Part 2: The last part.

Dedicated Tenant for Firewall Services, System Tenant for Inter-Tenant Traffic & Policy.

This option looks like the following:

  • The switch has multiple tenants. Blue and red in this case.
  • Each tenant has VLANs 10 and 20, in their own respective ranges.
  • Each tenant connects to the system tenant, which is used for inter-tenant routing.
  • System tenant connects to a third tenant – Services. This tenant hosts the firewall, which has onward links to Edge/Core Routers.
  • All VLANs have local SVIs on switches. These switch SVIs are the gateways for all VLANs.
  • The traffic received from the vlan/subnet on each tenant, is forwarded via the system router, to the dedicated Services Tenant that hosts the firewall (
  • The tenant dedicated firewall will have route entries for tenant subnets. The next hop it uses will be switch SVI on FW vlan for that tenant.
  • After firewall treatment, traffic could be external routed or internal inter-VLAN routed.

SI 5


This option applies the service insertion at the System logical router – traffic from internal VLANs hits the respective interfaces (i.e. interface tenant user_VLAN under the “Tenant System” Stanza) where it is policy routed to the Firewall interface, within the Services Tenant.

As the firewall is hosted on a dedicated tenant, independent of any User tenants, and the policy is being applied at the System router – it allows this model to scale very well, with clear lines of demarcation and handover.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s