Expand all | Collapse all

SD LAN - multi tenant on same EX switch?

Jump to Best Answer
  • 1.  SD LAN - multi tenant on same EX switch?

    Posted 12-08-2019 12:19
    Hi all,

    I’m a SD LAN newbie so please bare with me; I have a network with lots of EX switches and SRX’s.

    We have lots of different departments we want to put into tenants and use Contrail for a SD LAN and DC.

    I want to be in a position where I can have a user plug into a access switch; this does a .1x authentication with their certificate and the result of that .1x determines the tenant they are placed into on the switch. The switch needs to handle multi tenants.

    Would I be right in thinking this is how contrail SD lan works? So the tenant they get put into only accesses the policy we give it?

    I might be getting mixed up between tenants and VRF’s?


  • 2.  RE: SD LAN - multi tenant on same EX switch?

    Posted 12-09-2019 13:20



    I don't have a definitive answer for you but I think what you are asking is potentially possible via CSO - but not in a unified way.


    First of all: Contrail Service Orchestrator (CSO) is the SD-WAN product where Contrail Enterprise Multicloud (CEM) is for the datacenter and cloud networking. These two products have no interaction what so ever even they are named "Contrail".


    Regarding SD-WAN/CSO:


    CSO is multi-tenant where you can deploy a "Provider HUB" which can serve multiple different CSO tenants. There is also a possibility to implement an "Enterprise HUB" which is tied to a specific CSO tenant.


    Within a tenant  you can deploy branch locations with an SRX/NFX + EX switches. The switches are only Layer2-aware so all layer3 is handled by the SRX/NFX. On the SRX/NFX you can divide the device into several different departments each put into their own respective VRF (or some departments in the same VRF - your choice). These are connected to different logical interfaces down towards the switch providing the functionality I expect you are searching for.


    There should be possibilities to do 802.1x auth via templates in CSO or maybe some integration with Forescout, but I don't have any details on that part.... but if you can create the template yourself, it should be doable.


    The enterprise HUB can provide connectivity towards your datacenter for the different VRF's but you have to manually combine them with the configuration in your CEM enviroment.


    In regards to cloud connectivity, vSRX can still be used with CSO to provide a device in AWS/Azure/GCP with the different VRFs etc.


    I hope this input at least gives you answers on some of your questions. If you need more information, please do a follow up in this thread and I will try to answer the best I can.


    If you really want to know if your use case will be doable, I recommend you to reach out to your local Juniper account team.

  • 3.  RE: SD LAN - multi tenant on same EX switch?

    Posted 12-10-2019 04:55
    Thanks for the in-depth reply, really appreciate it.

    I’m looking at Juniper and Cisco at the moment; I have to say, Cisco is bounds ahead of the unified approach to these issues.

    Do you know if juniper are planning bigger moves forward in this space?

  • 4.  RE: SD LAN - multi tenant on same EX switch?
    Best Answer

    Posted 12-11-2019 12:05

    With bigger moves, do you mean a unified solution across SD-WAN/branch, enterprise datacenter and public clouds? If this is your scope I do not expect a complete solution from Juniper spanning everything in one single solution.


    I could see some tighter integrations where SD-WAN/branch is made aware of the Contrail Enterprise Multicloud overlay and underlay services for easier integration but as the products have very different focus I do not see them merge together.


    You could do your own software offering binding some of the services together as all functionality in both solutions are fully exposed via APIs. But this is not simple to do and will require a lot of effort.


    Regarding multitenancy I see Juniper as one of the leaders as many of the offerings from other vendors are very enterprise with the limitations it often gives.


    P.S. If you find the answer useful, please mark it as a solution or a least give a kudo for others to easier find threads which can help them with similar questions 🙂

  • 5.  RE: SD LAN - multi tenant on same EX switch?

    Posted 12-11-2019 12:13
    Thanks for the honest feedback - makes sense.

    What is I had simply hundreds of separate departments that I never want to speak to each other ... but wanted to give them all access to a set of shared services; could this be easily achieved in current capability? In a scalable way where I don’t need to go round setting up lots of manual VRF links etc?