Logical System and Virtual Routing and Forwarding Instance Overview
Starting in Policy Enforcer Release 20.1R1, you can create a tenant representing an enterprise and you can assign a Virtual Routing and Forwarding (VRF) instance to a tenant. The custom feed sends feeds to Policy Enforcer at the logical system (LSYS) and VRF instance levels on the MX Series device. The VRF instance is dedicated to handling traffic within the tenant's private network. You can route the traffic on the tenant’s private network from the VRF instance on the MX Series device at one site to the same VRF instance on another MX Series device at a different site. The MX Series device supports multiple VRF instances assigned to different tenants. Therefore, a device can be shared with multiple tenants.
In Policy Enforcer Release 20.1R1, only MX Series devices support LSYS and VRF instance. Also, only root logical system is supported. All the sites of a realm are either with tenants or without tenants.
When a tenant is created, a VRF instance is assigned to the tenant. When a site is associated with the tenant, only those devices that have the VRF instance associated with the tenant can be added to the site. When you associate a site with a realm in Juniper ATP Cloud/JATP, the tenant receives the feeds configured for the realm. The MX Series device performs policy enforcement based on tenant system and the associated Juniper ATP Cloud/JATP realm.
On an MX Series device, VRF instance based feeds such as C&C, allowlist, and blocklist are supported through custom feeds as shown in Figure 1.
If you want to use the C&C global feed from ATP Cloud/JATP, then custom feed for C&C should not be configured in Policy Enforcer.
For, example: VRFx and VRFy are associated with tenants on MX device 1. Custom feed for tenant 1 (VRFx) and custom feed for tenant 2 (VRFy) are associated to each tenant. The custom feed provides LSYS and VRF instance information. When the device requests for a feed, Policy Enforcer provides all the feed data associated with the device (global without VRF instance information) in addition to all the data for the VRF instances configured on the device that are associated with the tenants configured on Policy Enforcer.