Continued from Part 2. This is the last part.
Dedicated Tenant for Firewall Services, System Tenant for Inter-Tenant Traffic & Policy.
This option looks like the following:
- The switch has multiple tenants. Blue and red in this case.
- Each tenant has VLANs 10 and 20, in their own respective ranges.
- Each tenant connects to the system tenant, which is used for inter-tenant routing.
- System tenant connects to a third tenant – Services. This tenant hosts the firewall, which has onward links to Edge/Core Routers.
- All VLANs have local SVIs on switches. These switch SVIs are the gateways for all VLANs.
- Traffic received from a VLAN/subnet in each tenant is forwarded via the system router to the dedicated Services tenant that hosts the firewall (10.100.0.2).
- The firewall holds route entries for every tenant subnet. For each tenant, the next hop it uses is the switch SVI on that tenant's firewall VLAN.
- After firewall treatment, traffic is either routed externally or routed internally between VLANs.
This option applies the service insertion at the System logical router: traffic from internal VLANs arrives on the respective interfaces (i.e. interface tenant user_VLAN under the “Tenant System” stanza), where it is policy routed to the firewall interface in the Services tenant.
Because the firewall is hosted in a dedicated tenant, independent of any user tenant, and the policy is applied at the System router, this model scales well, with clear lines of demarcation and handover between the switch, the firewall and the edge.
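To make the forwarding path of this design concrete, the following Python model traces a packet from a tenant VLAN through the system router's policy route to the firewall and back to the destination tenant's SVI or out to the edge. It is an added example written for this page, not configuration or code from the original post or from any switch vendor. The article names only the firewall address 10.100.0.2; the tenant subnets, the per-tenant firewall-VLAN SVI addresses, the edge router address and the function names are constructed assumptions. The model also includes a check for the failure mode the design depends on avoiding: a tenant subnet with no route on the firewall falls through to the default route instead of returning to the switch SVI.

```python
from ipaddress import ip_address, ip_network

# Constructed sample addressing (assumption, not from the article): only the
# firewall address 10.100.0.2 comes from the design described in the post.
TENANT_VLANS = {
    "blue": {10: ip_network("10.1.10.0/24"), 20: ip_network("10.1.20.0/24")},
    "red":  {10: ip_network("10.2.10.0/24"), 20: ip_network("10.2.20.0/24")},
}
FIREWALL = ip_address("10.100.0.2")        # hosted in the Services tenant
EDGE_ROUTER = ip_address("203.0.113.1")    # assumed onward link behind the firewall
# Switch SVI on each tenant's firewall-facing VLAN; the firewall uses it as next hop
FW_VLAN_SVI = {"blue": ip_address("10.100.1.1"), "red": ip_address("10.100.2.1")}
DEFAULT = ip_network("0.0.0.0/0")


def firewall_routes(svis=FW_VLAN_SVI):
    """Build the firewall route table: one entry per tenant subnet whose tenant
    has a known FW-VLAN SVI, plus a default route towards the edge router."""
    routes = {}
    for tenant, vlans in TENANT_VLANS.items():
        for subnet in vlans.values():
            if tenant in svis:
                routes[subnet] = svis[tenant]
    routes[DEFAULT] = EDGE_ROUTER
    return routes


def locate(addr):
    """Return (tenant, vlan) that owns addr, or None when addr is external."""
    for tenant, vlans in TENANT_VLANS.items():
        for vlan, subnet in vlans.items():
            if addr in subnet:
                return tenant, vlan
    return None


def lookup(routes, dst):
    """Longest-prefix match over the firewall route table."""
    best = max((n for n in routes if dst in n), key=lambda n: n.prefixlen)
    return routes[best]


def forward(src, dst, routes=None):
    """Trace the hops a packet takes in this design: the system router policy
    routes every packet from a tenant VLAN to the firewall, and the firewall then
    routes it to the destination tenant's FW-VLAN SVI or to the edge router."""
    routes = routes if routes is not None else firewall_routes()
    src, dst = ip_address(src), ip_address(dst)
    origin = locate(src)
    if origin is None:
        raise ValueError("source address is not in any tenant VLAN")
    tenant, vlan = origin
    hops = [f"{tenant}:vlan{vlan} SVI", "system router",
            f"policy-route -> firewall {FIREWALL}"]
    next_hop = lookup(routes, dst)
    if next_hop == EDGE_ROUTER:
        # External destination, or an internal subnet the firewall has no route for
        hops.append(f"firewall -> edge router {EDGE_ROUTER}")
        return hops
    target_tenant, target_vlan = locate(dst)
    hops.append(f"firewall -> {next_hop} (FW-VLAN SVI of {target_tenant})")
    hops.append(f"{target_tenant}:vlan{target_vlan} SVI")
    return hops


def missing_return_routes(routes):
    """Tenant subnets with no specific firewall route. Traffic to them would take
    the default route to the edge instead of returning to the switch SVI."""
    return sorted(str(s) for vlans in TENANT_VLANS.values()
                  for s in vlans.values() if s not in routes)


if __name__ == "__main__":
    for hop in forward("10.1.10.5", "10.2.20.7"):
        print(hop)
    print("missing return routes:", missing_return_routes(firewall_routes()))
```

Running the block prints the blue-to-red path (tenant SVI, system router, firewall, red FW-VLAN SVI, red VLAN 20 SVI). Passing a route table that omits one tenant, as in `firewall_routes({"blue": FW_VLAN_SVI["blue"]})`, shows the same flow leaking to the edge router, which is the misconfiguration the per-tenant route entries on the firewall exist to prevent.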