Multi-Tenant with Shared L3Out

Dears,
We have a Multi-Tenant design, and I want to introduce Cisco FTD to control Inter-Tenant/External communication.

Please, I need to understand the 2 approaches below.

1- Single shared L3Out to Cisco FTD.

2- Each Tenant separate L3Out to Cisco FTD (Separate zone/sub-interface).

Cisco Employee

Hello. Because you say in your original question that you want this firewall to handle "Inter-Tenant/External communication", I interpret that as you want it to handle what we term "East-West" traffic, i.e. traffic between EPGs inside ACI, and you also want it to handle what we term "North-South" traffic, or traffic from EPGs to the outside world. With that in mind, my suggestion would be for you to investigate using PBR (Policy Based Redirect). With a design using PBR, you can have one firewall interface handle E-W and another interface on the same FW handle N-S. Or, if you prefer, you can have multiple FWs, each handling one role. I say one-interface, because I am referring to a 'one-armed' design, but you can opt for a traditional two-armed design too (especially if you are using NAT with that firewall). Or you can mix one-armed and two-armed on the same FW (different interfaces of course). There is a lot of flexibility depending on what your desired outcome is.

Anyway, have a look here for solid info on what you can do with PBR.

https://www.cisco.com/c/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/white-paper-c11-739971.html