We have a customer on a budget who wants to implement a multi-tenant WAN edge. They currently have a multi-context firewall that will separate the tenants with a virtual firewall per tenant.
Initially, they are looking at implementing a pair of stacked Layer 2 switches at the WAN edge, connecting to two diverse ISP links for a single circuit, which I believe will be tracked by HSRP. The ISP will allocate a /24 public block, which will be divided into a number of /29 blocks for use by the tenants.
The idea is that each customer would have a VLAN on the Internet Edge switch block to segregate traffic at Layer 2. All traffic would be further isolated by an SSL tunnel, initiated from authorised endpoints over the Internet and terminated on the outside of each tenant's virtual firewall sub-interface.
Is this sufficient security, given that VRFs are not intended to be used? Or do we need to consider using ACLs on the switch to restrict traffic between the VLANs on the Internet Edge switch?
Should we assign a public IP for each tenant to both the outside sub-interface of their virtual firewall and the VLAN interface (SVI) for that tenant on the Internet Edge switch?
Do we need to allocate one /29 block specifically for transit between the Internet Edge switch and ISP router?
And should the default gateway be the ISP's routed interface, which is within the transit VLAN/subnet?
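The addressing and isolation questions above, worked through as an added example (not part of the original post): it carves the ISP /24 into /29s, reserves the first for the ISP transit VLAN and the default route, gives each tenant a VLAN plus a /29 with one address on the switch SVI and one on the firewall context's outside sub-interface, and generates an IOS-style ACL (assumed syntax) that stops tenant VLANs from reaching each other once the switch carries SVIs and is therefore routing between them. All addresses are constructed from the RFC 5737 documentation range.

```python
"""Addressing and isolation plan for a multi-tenant Internet edge (added
example). Once per-tenant SVIs live on the edge switch, the switch routes
between tenant VLANs, so the plan also emits an ACL denying tenant-to-tenant
traffic at each SVI."""
import ipaddress

ISP_BLOCK = ipaddress.ip_network("203.0.113.0/24")  # constructed (RFC 5737)

def carve(block=ISP_BLOCK, prefix=29):
    """Split the ISP block into /29s: the first is the ISP transit subnet,
    the rest are available to tenants."""
    subnets = list(block.subnets(new_prefix=prefix))
    return subnets[0], subnets[1:]

def transit_plan(transit):
    """ISP router takes the first usable address and is the switch's default
    gateway; the switch stack takes the second."""
    hosts = list(transit.hosts())
    return {"isp_router": hosts[0], "switch": hosts[1],
            "default_route": f"ip route 0.0.0.0 0.0.0.0 {hosts[0]}"}

def tenant_plan(tenants, blocks, first_vlan=101):
    """One VLAN and one /29 per tenant: first usable address on the switch SVI,
    second on the outside sub-interface of the tenant's firewall context."""
    plan = []
    for i, (name, net) in enumerate(zip(tenants, blocks)):
        hosts = list(net.hosts())
        plan.append({"tenant": name, "vlan": first_vlan + i, "subnet": net,
                     "svi": hosts[0], "fw_outside": hosts[1]})
    return plan

def inter_tenant_acl(plan, name="TENANT-ISOLATION"):
    """IOS-style extended ACL (assumed syntax, wildcard masks) that blocks
    traffic between any two tenant /29s and permits Internet-bound traffic;
    meant to be applied inbound on every tenant SVI."""
    lines = [f"ip access-list extended {name}"]
    for src in plan:
        for dst in plan:
            if src is not dst:
                s, d = src["subnet"], dst["subnet"]
                lines.append(f" deny ip {s.network_address} {s.hostmask}"
                             f" {d.network_address} {d.hostmask}")
    lines.append(" permit ip any any")
    return lines

if __name__ == "__main__":
    transit, free = carve()
    print(transit_plan(transit)["default_route"])
    print("\n".join(inter_tenant_acl(tenant_plan(["tenant-a", "tenant-b"], free))))
```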