IP multi-tenancy
Dell Unity can host multiple tenants on a single system, such as for service providers. Each NAS server has its own independent configuration, which can be tailored to each tenant’s requirements. A file system can be accessed only through the NAS server it is associated with, never through any other NAS server. Dell Unity’s flexible pool-based architecture also lets you place each tenant on its own pools for separation at the drive level, if necessary.
OE version 4.1 includes support for IP multi-tenancy, which adds network isolation for tenants. This feature separates network traffic at the kernel level on the SP, so each tenant can be given dedicated network resources. Each tenant has its own dedicated network namespace including VLAN domain, routing table, firewall, interfaces, DNS and more. This also allows multiple tenants to use the same or overlapping IP network configuration, so IPs can be duplicated across tenants. This avoids network interference between tenants and enhances security. The VLAN separation can only be maintained if the routers connected to those VLANs are also separate or, if there is a common router, it has separated or partitioned routing tables that do not route across tenants’ VLANs. This feature is only available on purpose-built Dell Unity systems and is not available on Dell UnityVSA.
To leverage IP multi-tenancy, switches need to be configured for VLAN tagging. Once VLANs are configured, tenant objects must be created in the File > Tenants page. When creating a tenant, enter the following information:
After tenants are created, create NAS servers and hosts (for NFS access) and associate them with the appropriate tenant. By default, NAS servers and hosts do not have any tenant association so one must be assigned if you want to use this feature. Each NAS server or host can only be associated with a single tenant and this can only be done at creation. After creation, the tenant configuration cannot be modified in any way. This is intentionally prohibited for security purposes.
If a NAS server is created with a tenant association, its interfaces must be created on one of the VLANs that are assigned to the tenant. For example, if Tenant_Finance has VLANs 500 and 501 assigned, interfaces on any NAS servers associated with this tenant must reside on these VLANs. Each VLAN can only be associated with one tenant at a time, but the assigned VLANs for each tenant can be modified at any time. The system ensures each tenant has unique VLAN assignments to provide isolation from other tenants. It is important to note that the network infrastructure must also be configured with the appropriate VLANs to enable communication.
After IP multi-tenancy is configured, the system can be configured to use duplicate IPs across multiple tenants. This enables each tenant to use any IP schema they want, without worrying about interference with other tenants. Although multiple tenants may share the same IP address, they remain separated since they are on different VLANs. Because of this, each tenant can only access the NAS servers that are assigned to their tenant.
If a single tenant has multiple NAS servers, all NAS server interfaces must still be unique since it is within the same IP namespace. This feature only enables duplicating IP addresses with other tenants. If IP multi-tenancy is not used, all interfaces on the entire system must be unique since the default IP namespace is shared across the entire system.
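The VLAN and IP rules above can be checked against a planned layout before anything is created on the array. The following is an added example, not Dell tooling or code from this page: the `audit_plan` function, the data layout, and every tenant, NAS server, VLAN and address other than Tenant_Finance with VLANs 500 and 501 are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample plan; names, VLAN IDs and addresses are illustrative.
TENANTS = {
    "Tenant_Finance": {500, 501},
    "Tenant_HR": {600, 501},        # 501 is already assigned to Tenant_Finance
}
NAS_INTERFACES = [
    # (nas_server, tenant or None, vlan, ip)
    ("nas_fin_1", "Tenant_Finance", 500, "10.0.0.10"),
    ("nas_fin_2", "Tenant_Finance", 501, "10.0.0.10"),  # duplicate inside one tenant
    ("nas_hr_1", "Tenant_HR", 600, "10.0.0.10"),        # allowed: different tenant
    ("nas_hr_2", "Tenant_HR", 500, "10.0.0.20"),        # VLAN not assigned to HR
    ("nas_shared_1", None, 10, "192.168.1.5"),
    ("nas_shared_2", None, 20, "192.168.1.5"),          # duplicate in default namespace
]

def audit_plan(tenants, interfaces):
    """Return a sorted list of rule violations found in the plan."""
    findings = []
    # Rule 1: a VLAN may be assigned to only one tenant at a time.
    owners = defaultdict(list)
    for tenant, vlans in tenants.items():
        for vlan in vlans:
            owners[vlan].append(tenant)
    for vlan, names in owners.items():
        if len(names) > 1:
            findings.append(f"VLAN {vlan} assigned to multiple tenants: {sorted(names)}")
    seen = {}  # (namespace, ip) -> first NAS server using it
    for nas, tenant, vlan, ip in interfaces:
        # Rule 2: a tenanted NAS server's interfaces must sit on its tenant's VLANs.
        if tenant is not None and vlan not in tenants.get(tenant, set()):
            findings.append(f"{nas}: VLAN {vlan} is not assigned to {tenant}")
        # Rule 3: IPs are unique per tenant namespace; NAS servers without a
        # tenant all share the default namespace.
        key = (tenant or "<default>", ip)
        if key in seen:
            findings.append(f"{nas}: IP {ip} already used by {seen[key]} in {key[0]}")
        else:
            seen[key] = nas
    return sorted(findings)

if __name__ == "__main__":
    for line in audit_plan(TENANTS, NAS_INTERFACES):
        print(line)
```

The same address on nas_fin_1 and nas_hr_1 produces no finding because the two NAS servers belong to different tenants, while the repeat on nas_fin_2 is flagged because it falls inside one tenant's namespace.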
With IP multi-tenancy enabled, external services such as DNS, LDAP, or NIS can be dedicated or shared. If each tenant provides their own external services, each NAS server can be configured to use these dedicated servers. However, for tenants that do not provide this, their NAS servers can also be configured to use the service provider’s shared external services. This provides additional flexibility by allowing each tenant to configure external services depending on their use case.
If a NAS server is being replicated, the destination NAS server must have a matching tenant configuration. For example, you cannot replicate a non-tenanted NAS server to a tenanted NAS server. Tenants must be created on the target system using the same UUID as on the source system.
Also, note that IP multi-tenancy only supports file systems. Using NFS datastores and vVols on a NAS server with IP multi-tenancy enabled is not supported. You are prohibited from enabling the vVol protocol endpoint on a NAS server that has a tenant association. To use vVols, you must use a NAS server that does not have a tenant assigned.
On OE version 4.1, total bandwidth historical metrics are available at a tenant-level granularity. This provides the total amount of I/O requests in KB/s for the selected tenant. OE version 4.2 also adds real-time read/write bandwidth metrics at a tenant-level granularity. This displays the amount of read or write I/O requests, in KB/s, for the selected tenant.