Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?


Multidepartment CPE Device Support

Support for multiple departments in a CPE device enables sites (branch, cloud spoke, and enterprise hubs) to be mapped to serve across multiple departments within a single tenant. An overlay tunnel [generic routing encapsulation (GRE) or GRE over IPsec] is used to carry traffic from all departments in a site, to another site, an enterprise hub or a provider hub,) by separating the traffic for each department through MPLS-based traffic separation.

Support for multiple departments in a single CPE device is a cost-effective approach where the cost of a device and its maintenance is shared among multiple departments in a tenant.

For more information about departments, see About the Departments Page.

A tenant administrator can perform the following tasks related to departments:

  • View all departments configured on an activated CPE device.

  • Manage and monitor all policies and dashboards for all departments in a site.

  • Create SD-WAN and security policies and monitor the dashboard at the site level or at the department level.

    Add traffic-based steering profiles and map them to SD-WAN policies for traffic management.

  • View the shared CPE device and its services and networks even though the WAN links might be shared by multiple departments.

Overlapping IP Addresses Across Departments

Starting from CSO Release 5.4.0, you can use same IP addresses across multiple departments in a network segmentation-enabled tenant. When network segmentation is enabled for a tenant, each department has its own VRFs. This allows overlapping IP addresses to be used across different departments.

When network segmentation is not enabled for a tenant, all departments in the tenant use the same VRFs. Therefore, the IP addresses used across the departments should be unique.

The following are some scenarios for using overlapping IP addresses across departments in a tenant:

  • The HR department in site Chicago and the Sales department in site Boston can have overlapping IP addresses.

  • The HR department and Sales department in site Chicago can have overlapping IP addresses.

The HR department when used in both Chicago and Boston sites cannot have overlapping IP addresses as the same VRFs are used by both the sites. In this case, the IP addresses used by the HR department in Chicago should be different from IP addresses used by the HR department in Boston.

When you use overlapping IP addresses across departments, you must configure an IP pool-based source NAT rule for Zscaler breakout.

  • When traffic from a site (spoke or enterprise hub) is breaking out to Zscaler at the site, the NAT rule should have the source as the department zones that have overlapping IP addresses and destination as untrust zone. This NAT rule should be deployed at the site where the traffic is originating.

  • When traffic from a spoke site is breaking out to the Zscaler tunnel at an enterprise hub site, the NAT rule should have source as trust zone and the destination as untrust zone. This NAT rule should be deployed at the enterprise hub.

For information about creating NAT rules, see Creating NAT Policy Rules.

  • Firewall policy intents will use VRF groups of a department in intent rules for allowing site-to-site traffic.

  • NAT rules created automatically for Internet traffic from spoke to enterprise hub (flowing from overlay to underlay) will use VRF groups to egress interface instead of trust zone.