Tuesday, February 13, 2018

Multi-tenant small data centers - need advice

Hi,

I am trying to redesign our data center. Currently we have 2 small data centers - let’s call them DC1 and DC2 - and we are adding a new one, DC3.

The situation is this. DC1 is located on site A and DC2 on site B. Internet access is at site A, and site B is connected to site A.

The new data center will be on site B. DC2 is a multi-tenant data center: each tenant has a dedicated public IP, and we allocate resources to each tenant such as storage, vCPU, RAM, VLANs, etc. Also, each tenant deploys their own firewall within VMware. The new DC3 will be connected to the same firewall, which is an SRX5400 in an active/passive cluster. DC3 should be isolated from DC2 but may need some access, and it is going to be a multi-tenant setup.

Currently, I created a zone for DC2 and put all the tenants in the same zone. By default, the SRX does not allow intrazone routing, so this works perfectly for me. However, I can see that the issue now is VLANs. I am limited to 4094 VLANs. By default, we provide 100 VLANs for each tenant, and we keep getting new tenants for DC2. The reason we provision VLANs for each tenant is just in case they want to extend their virtual network to the physical network. We provide VLANs for them so that the tenants’ VLANs won’t overlap.

What I have for DC3 is an EX4300 with an EFL license and the same SRX5400. I am thinking of creating a new virtual-router instance for DC3 on the SRX5400 to isolate it from DC2 completely and leaking 0.0.0.0/0 into it for Internet access. Not sure if this is a good idea, and not sure how to solve the VLAN problem.
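As an added sketch of the virtual-router idea in the post (not configuration from the post's author), here is a Junos fragment for a DC3 routing instance that receives only a default route from the main table; the instance name, interface reth1.2000, zone name untrust and the DC2 prefix 10.20.0.0/16 are constructed assumptions. Note that a leaked default route alone makes every prefix in inet.0, DC2 included, reachable from DC3, so the DC2 discard route and the absence of any DC2/DC3 zone policy are what actually enforce the isolation.

```junos
/* Assumed names: instance DC3, interface reth1.2000, zone untrust, DC2 prefix 10.20.0.0/16 */
routing-options {
    rib-groups {
        DC3-to-inet0 {
            /* copy DC3's directly connected routes into inet.0 for the return path */
            import-rib [ DC3.inet.0 inet.0 ];
        }
    }
}
routing-instances {
    DC3 {
        instance-type virtual-router;
        interface reth1.2000;
        routing-options {
            interface-routes {
                rib-group inet DC3-to-inet0;
            }
            static {
                /* constructed DC2 prefix: more specific than the default, so DC3 never forwards to DC2 */
                route 10.20.0.0/16 discard;
                /* only the default route is leaked, looked up in the main table */
                route 0.0.0.0/0 next-table inet.0;
            }
        }
    }
}
security {
    zones {
        security-zone DC3 {
            interfaces {
                reth1.2000;
            }
        }
    }
    policies {
        /* zones are global across routing instances; no DC2<->DC3 policy exists, so that traffic is denied */
        from-zone DC3 to-zone untrust {
            policy dc3-internet {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                    log {
                        session-close;
                    }
                }
            }
        }
    }
}
```

The rib-group supplies the return path so that neither table needs a next-table route pointing back at the other; tenant-to-tenant separation inside DC3 still relies on the default intrazone deny mentioned above.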
