Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1795
Views
10
Helpful
3
Replies

Multi-Tenancy PBR/Service Graphs

KatherineTran
Level 1
Level 1

‎03-09-2022 04:54 PM

Hello!

I have been investigating into using service graphs in our environment where multiple tenants exist. In our case we have a test , preprod and prod environment which are completely isolated.

 

Our Fortigates use VDOMs for each environment. What I'd like to do is use service graphs for each tenant and PBR certain traffic and allow the rest to be line rate and ignore firewalls! But what I can't wrap my head around or easily test right now is if it would be supported with multiple tenants on the one interface arm to the firewall.

 

We are not using VMM integration and intend to use unmanaged service graph device configuration. We want to ideally use the same physical interface and use vlan encapsulation for each tenant/VDOM to direct traffic with service graph/PBR to the right place.

 

Am I overthinking this? I could not find many multi tenant examples like this. 

 

Thanks in advance,

KT

 

 

 

1 person had this problem
Labels:
3 Replies 3

abourges
Level 1
Level 1

‎06-07-2022 12:27 AM

Hi Kathrine,

 

...we are currently looking at a very similar design and are not sure, if it's supported. Have you been successful in implementing this?

 

Thanks,

 

Andreas

0 Helpful

Marcel Zehnder
Spotlight
Spotlight

‎06-15-2022 10:57 PM

Hi KT

This will work. Per Tenant you need to define one logical L4-L7 device using the same interface(s) but a different vlan-encapsulation.

/Marcel

0 Helpful

Sergiu.Daniluk
VIP Alumni
VIP Alumni

‎06-15-2022 11:48 PM - edited ‎06-16-2022 12:37 AM

One configuration option is exactly like @Marcel Zehnder mentioned: in each tenant define the service node with different encap over the same interface.

A second valid option would be to configure the node in one tenant with multiple vlans over the same interface and then export it to the other tenants.

Both options are perfectly ok. The difference is that first one is separating completely the tenants and their service graphs, while the second one gives you an option (if required in the future) to perform inter-vrf/inter-tenant PBR.

 

EDIT: both options described here: https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-2491213.html#DesignforsharingL4L7appliances

 

Cheers,

Sergiu

0 Helpful
Customers Also Viewed These Support Documents

Review Cisco Networking for a $25 gift card

Save 25% on Day-2 Operations Add-On License