Tenant Management

Managing Tenants Using the Multi-Site GUI


Note


To be able to manage tenants in Cisco ACI Multi-Site, the Cisco APIC administrative user account (with complete read/write privileges) must be available.

For tenants to configure their own policies, you must create the tenant user accounts in APIC (with read/write privileges limited to their tenant policies). For more information about creating local site user accounts, see the User Access, Authentication, and Accounting chapter in Cisco APIC Basic Configuration Guide, Release 3.x.


For the procedures to create a tenant in Multi-Site, see Adding Tenants in the Multi-Site GUI.

The following tenant policies and their associations can be configured in the Multi-Site GUI:

  • VRFs

  • Bridge Domains with subnets and stretched or localized settings

  • Filters and Contracts

  • Application Network Profiles with EPGs

  • Associate EPGs with physical or VMM domains

  • Intra-EPG Isolation

  • Microsegmented EPGs

  • EPGs deployed on a port, PC, or VPC

  • Links between L3Outs of different tenants

Other tenant policies, including L3Outs, must be configured in the APIC GUI.

After you create a tenant in Multi-Site, there are two ways to add tenant policies:

  • Import a fully configured tenant from an APIC site.

  • Configure the tenant policies in the Multi-Site GUI.

For other tenant-related tasks, see the following topics in the Cisco ACI Multi-Site Configuration Guide:

  • Configuring Intra-EPG Isolation

  • Configuring Microsegmented EPGs

  • Associating EPGs with Domains

  • Linking Site L3Outs

  • Deploying an EPG on a Specific Port, PC, or VPC

Adding Tenants Using the Multi-Site GUI

This section describes how to add tenants using the Multi-Site GUI.

Before You Begin

To enable configuring tenants, the APIC administrative user account (with complete read/write privileges) must be available.

Before tenant administrators can configure their tenants, you must create the tenant user accounts in APIC (with read/write privileges limited to their tenant policies). For more information about creating local site user accounts, see the User Access, Authentication, and Accounting chapter in Cisco APIC Basic Configuration Guide, Release 3.x.

Procedure
    Step 1   Log in to the Multi-Site GUI and, in the Main menu, click Tenants.
    Step 2   In the Tenants List area, click ADD TENANTS.
    Step 3   In the Tenant Details pane, perform the following actions:
    1. In the DISPLAY NAME field, enter the tenant name.
    2. In the DESCRIPTION field, enter a brief description of the tenant.
    3. In the Associated Sites section, choose the sites.
    4. In the Select Security Domain(s) field, from the drop-down list, choose the security domains.
      Note

      Security domains are created using the APIC GUI and can be assigned to various APIC policies and user accounts to control their access. For more information, see the Cisco APIC Basic Configuration Guide, Release 3.x.

    5. In the Associated Users section, choose the users.
    6. Click SAVE.
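The access model that the tenant creation steps rely on (a fabric-wide administrative account, tenant accounts limited to their own tenant policies, and security domains that scope both tenants and user accounts) can be made concrete with a small authorization check. The following is an added illustration written for this page, not Cisco's AAA implementation: the User and Tenant records, the "read"/"write" actions and the rule that a scoped account must share a security domain with the tenant are assumptions that mirror the text above.

```python
"""Constructed model of tenant access scoped by security domains.

Added illustration for this page; not the APIC/Multi-Site AAA code.
Field names, roles and the evaluation order are assumptions.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class User:
    name: str
    security_domains: frozenset   # security domains the account is assigned to
    write: bool                   # read/write account (True) or read-only (False)
    fabric_admin: bool = False    # administrative account with full read/write


@dataclass(frozen=True)
class Tenant:
    name: str
    security_domains: frozenset   # "Select Security Domain(s)" chosen at creation


def authorize(user: User, tenant: Tenant, action: str) -> bool:
    """Return True if `user` may perform `action` ("read" or "write") on `tenant`."""
    if action not in ("read", "write"):
        raise ValueError(f"unknown action {action!r}")
    # The administrative account is not scoped to a security domain.
    if user.fabric_admin:
        return True
    # A tenant account must share at least one security domain with the tenant;
    # an account with no overlapping domain cannot even see the tenant.
    if not (user.security_domains & tenant.security_domains):
        return False
    # Within its domain, the account's read/write flag decides.
    return action == "read" or user.write


def visible_tenants(user: User, tenants) -> list:
    """Names of the tenants `user` is allowed to read, sorted for stable output."""
    return sorted(t.name for t in tenants if authorize(user, t, "read"))


# Constructed sample accounts and tenants (not real identities).
ADMIN = User("admin", frozenset(), write=True, fabric_admin=True)
ALICE = User("alice", frozenset({"sd-finance"}), write=True)   # finance tenant admin
BOB = User("bob", frozenset({"sd-hr"}), write=False)           # read-only HR auditor
TENANTS = [
    Tenant("finance", frozenset({"sd-finance"})),
    Tenant("hr", frozenset({"sd-hr"})),
    Tenant("shared", frozenset({"sd-finance", "sd-hr"})),
]

if __name__ == "__main__":
    for user in (ADMIN, ALICE, BOB):
        writable = [t.name for t in TENANTS if authorize(user, t, "write")]
        print(f"{user.name}: sees {visible_tenants(user, TENANTS)}, may modify {writable}")
```

The design point is that the security-domain intersection is checked before the read/write flag: a tenant account with read/write privileges still gets nothing outside its own domain, which is the "limited to their tenant policies" property the note above describes.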

Configuring Intra-EPG Isolation Using the Multi-Site GUI

With intra-EPG isolation, endpoints in an EPG that is operating with isolation enforced cannot communicate with each other. Isolation-enforced EPGs reduce the number of EPG encapsulations required when many clients access a common service but are not allowed to communicate with each other. An EPG is isolation enforced for all ACI network domains or none. While the ACI fabric implements isolation directly to connected endpoints, switches connected to the fabric are made aware of isolation rules according to a primary VLAN (PVLAN) tag.

If an EPG is configured with intra-EPG endpoint isolation enforced, these restrictions apply:

  • All Layer 2 endpoint communication across an isolation-enforced EPG is dropped within a bridge domain.

  • All Layer 3 endpoint communication across an isolation-enforced EPG is dropped within the same subnet.

  • Preserving QoS CoS priority settings is not supported when traffic is flowing from an isolation-enforced EPG to an EPG without isolation enforced.

  • In Multi-Site, intra-EPG isolation is not supported in AVS-VLAN mode and DVS-VXLAN mode. Setting intra-EPG isolation to be enforced may cause the ports to go into a blocked state in these domains.

  • Intra-EPG isolation is not supported if the bridge domain is configured as "legacy BD mode".

Before You Begin
  • Create the tenant associated with the EPGs.

  • Import the tenant policies or configure a schema containing the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs that will be subject to intra-EPG isolation.

Procedure
    Step 1   Open the schema and template where the EPGs to be isolated are configured.
    Step 2   Click an EPG.
    Step 3   Choose Enforced, read the warning, and click OK.
    Step 4   Optional. Configure other EPGs to be isolation-enforced.
    Step 5   Push the template containing the EPGs (configured for intra-EPG isolation) to the site where they will be located.
    Step 6   Click the deployed site and template, and click an EPG.
    Step 7   Click ADD STATIC PORT.
    Step 8   Choose the PATH TYPE (Port, Direct Port Channel, or Virtual Port Channel).
    Step 9   Choose the LEAF.
    Step 10   Choose the PATH.
    Step 11   In the PORT ENCAP VLAN field, enter the VLAN number to be used for traffic for the EPG.
    Step 12   In the DEPLOYMENT IMMEDIACY field, choose OnDemand or Immediate deployment.
    Step 13   In the MODE field, choose Trunk.
    Step 14   Optional. Repeat the steps for other EPGs that will have isolation enforced.

What to Do Next

Push the changes to the site where the EPGs are located.
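Two of the restrictions listed for intra-EPG isolation (no support with AVS-VLAN or DVS-VXLAN domains, where ports may go into a blocked state, and no support with a bridge domain in legacy BD mode) can be checked before a template is pushed rather than discovered afterwards as blocked ports. The following pre-push check is an added example written for this page, not Multi-Site code: the dictionary layout of the template, the `switching_mode` strings and the `legacy_mode` flag are constructed assumptions standing in for whatever representation you export from your own tooling.

```python
"""Pre-push check of isolation-enforced EPGs against the restrictions above.

Added example for this page; the template layout below is a constructed
stand-in, not the Multi-Site schema or APIC object model.
"""

# Domain switching modes the text says do not support intra-EPG isolation.
UNSUPPORTED_MODES = {"AVS-VLAN", "DVS-VXLAN"}

# Constructed sample template: two bridge domains, three domains, four EPGs.
SAMPLE_TEMPLATE = {
    "bridge_domains": {
        "bd-app": {"legacy_mode": False},
        "bd-old": {"legacy_mode": True},
    },
    "domains": {
        "vmm-avs": {"type": "VMM", "switching_mode": "AVS-VLAN"},
        "vmm-dvs": {"type": "VMM", "switching_mode": "DVS-VLAN"},
        "phys": {"type": "Physical", "switching_mode": None},
    },
    "epgs": {
        "web": {"bd": "bd-app", "isolation": "enforced", "domains": ["vmm-dvs", "phys"]},
        "db": {"bd": "bd-old", "isolation": "enforced", "domains": ["phys"]},
        "vdi": {"bd": "bd-app", "isolation": "enforced", "domains": ["vmm-avs"]},
        "mgmt": {"bd": "bd-app", "isolation": "unenforced", "domains": ["vmm-avs"]},
    },
}


def check_isolation(template: dict) -> list:
    """Return (epg_name, message) findings for every isolation-enforced EPG
    that sits on a legacy-mode bridge domain or an unsupported domain mode.
    EPGs without isolation enforced are not subject to the restrictions."""
    findings = []
    bds = template["bridge_domains"]
    doms = template["domains"]
    for name, epg in template["epgs"].items():
        if epg.get("isolation") != "enforced":
            continue
        bd_name = epg["bd"]
        if bds[bd_name].get("legacy_mode"):
            findings.append((name, f"bridge domain {bd_name} is in legacy BD mode"))
        for dom_name in epg.get("domains", []):
            mode = doms[dom_name].get("switching_mode")
            if mode in UNSUPPORTED_MODES:
                findings.append(
                    (name, f"domain {dom_name} uses {mode}; ports may go into a blocked state")
                )
    return findings


if __name__ == "__main__":
    for epg, message in check_isolation(SAMPLE_TEMPLATE):
        print(f"{epg}: {message}")
```

Run against the constructed template, `web` passes (DVS-VLAN and a physical domain are not in the unsupported set), `db` is flagged for its legacy-mode bridge domain, `vdi` is flagged for the AVS-VLAN domain, and `mgmt` is skipped because isolation is not enforced on it.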

Configuring Microsegmented EPGs Using the Multi-Site GUI

You can use Cisco ACI Multi-Site to configure Microsegmentation to create an attribute-based EPG using a network-based attribute (IP, MAC, DNS) or VM-based attributes (VM ID, VM Name, VMM domain, and so forth). This enables you to isolate VMs or physical endpoints within a single base EPG, or VMs or physical endpoints in different EPGs.

Only the basic options for microsegmented EPGs can be configured in Cisco ACI Multi-Site. For procedures for advanced options and for use cases and detailed information about microsegmented EPGs, see the Microsegmentation with Cisco ACI chapter in Cisco ACI Virtualization Guide, Release 3.0.

To configure a microsegmented EPG using Cisco ACI Multi-Site, perform the following steps:

Before You Begin
  • Create the tenant associated with the EPGs that will be microsegmented.

  • Import the tenant policies or configure a schema containing the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs.

  • Create at least one application EPG in the tenant.

Procedure
    Step 1   Open the schema where the EPGs are configured.
    Step 2   Click an EPG.
    Step 3   Click USEG EPG.
    Step 4   Click ADD USEG ATTRIBUTES.
    Step 5   In the DISPLAY NAME field, enter the name for the attribute.
    Step 6   Choose the ATTRIBUTE TYPE; it can be one of the following:
      • IP

      • Mac

      • DNS

      • VM Name

      • VM Data Center

      • VM Hypervisor Identifier

      • VM Operating System

      • VM Tag

      • VM Identifier

      • VM VMM Domain

      • VM VNIC DN (vNIC domain name)

    Step 7   Save your changes.

What to Do Next

Associate the uSeg EPG with a domain using the Multi-Site GUI.
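To show what an attribute-based EPG does with the attribute types listed above, here is an added classifier that places sample endpoints into uSeg EPGs by IP subnet, VM tag, VM operating system and VMM domain. It is an illustration written for this page, not the APIC or Multi-Site matching engine: the endpoint record layout, the "all attributes must match" rule and the "first listed uSeg EPG wins" ordering are assumptions (the fabric's own precedence rules are documented in the Virtualization Guide cited above), and the endpoints are constructed sample data.

```python
"""Attribute-based EPG classification over constructed endpoints.

Added example for this page; not the fabric's matching engine. The record
fields, match semantics and precedence order are assumptions.
"""
import fnmatch
import ipaddress

# Constructed uSeg EPGs, in precedence order: each lists (attribute type, value)
# pairs that an endpoint must all satisfy. Quarantine is listed first so a tagged
# VM is never swept into the web-servers EPG by its address alone.
USEG_EPGS = {
    "useg-quarantine": [("VM Tag", "quarantine")],
    "useg-web-servers": [("IP", "10.1.10.0/24")],
    "useg-win-vms": [("VM Operating System", "Windows*"), ("VM VMM Domain", "vmm-dvs")],
}

# Constructed endpoint inventory; "vm" is None for a physical endpoint.
ENDPOINTS = [
    {"name": "web01", "ip": "10.1.10.21", "mac": "00:50:56:aa:00:01",
     "dns": "web01.example.test",
     "vm": {"os": "Ubuntu 22.04", "tags": ["web"], "vmm_domain": "vmm-dvs"}},
    {"name": "win01", "ip": "10.1.20.5", "mac": "00:50:56:aa:00:02",
     "dns": "win01.example.test",
     "vm": {"os": "Windows Server 2019", "tags": [], "vmm_domain": "vmm-dvs"}},
    {"name": "bad01", "ip": "10.1.10.99", "mac": "00:50:56:aa:00:03",
     "dns": "bad01.example.test",
     "vm": {"os": "Ubuntu 22.04", "tags": ["quarantine"], "vmm_domain": "vmm-dvs"}},
    {"name": "srv-phys", "ip": "10.1.30.7", "mac": "3c:fd:fe:00:00:01",
     "dns": "srv-phys.example.test", "vm": None},
]


def matches(endpoint: dict, attr_type: str, value: str) -> bool:
    """Evaluate one attribute against an endpoint record."""
    vm = endpoint.get("vm") or {}
    if attr_type == "IP":
        return ipaddress.ip_address(endpoint["ip"]) in ipaddress.ip_network(value, strict=False)
    if attr_type == "Mac":
        return endpoint["mac"].lower() == value.lower()
    if attr_type == "DNS":
        return fnmatch.fnmatch(endpoint["dns"], value)
    if attr_type == "VM Name":
        return fnmatch.fnmatch(endpoint["name"], value)
    if attr_type == "VM Operating System":
        return fnmatch.fnmatch(vm.get("os", ""), value)
    if attr_type == "VM Tag":
        return value in vm.get("tags", [])
    if attr_type == "VM VMM Domain":
        return vm.get("vmm_domain") == value
    raise ValueError(f"attribute type {attr_type!r} not handled in this example")


def classify(endpoints, useg_epgs, base_epg: str = "base") -> dict:
    """Map each endpoint name to the first uSeg EPG whose attributes all match,
    or to the base EPG when no uSeg EPG claims it."""
    placement = {}
    for ep in endpoints:
        placement[ep["name"]] = base_epg
        for epg_name, attrs in useg_epgs.items():
            if all(matches(ep, attr_type, value) for attr_type, value in attrs):
                placement[ep["name"]] = epg_name
                break
    return placement


if __name__ == "__main__":
    for name, epg in classify(ENDPOINTS, USEG_EPGS).items():
        print(f"{name} -> {epg}")
```

The ordering of `USEG_EPGS` is the point worth noticing: `bad01` sits in the web servers' subnet but carries the quarantine tag, and only because the quarantine EPG is evaluated first does it land there rather than in `useg-web-servers`.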

Associating EPGs with Domains Using the Multi-Site GUI

Before You Begin
  • Create the tenant associated with the EPGs in Cisco ACI Multi-Site.

  • Create the domain profiles (VMM, L2, L3, or Fibre Channel) in APIC.

  • Import the tenant policies from Cisco APIC or configure a schema (with template) in Multi-Site that contains the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs that will be associated with a domain.

  • Associate the template with a site.

Procedure
    Step 1   In the Sites list, click the site and template for the site where the EPG and domain are configured, and click the EPG.
    Step 2   Click ADD DOMAINS.
    Step 3   In the DOMAIN ASSOCIATION TYPE field, choose the type, which can be:
      • VMM

      • Fibre Channel

      • L2 External

      • L3 External

      • Physical

    Step 4   In the DOMAIN PROFILE field, choose a previously created profile or phys.
    Step 5   In the DEPLOYMENT IMMEDIACY field, choose OnDemand or Immediate.
    Step 6   In the RESOLUTION IMMEDIACY field, choose OnDemand, Immediate, or Pre-Provision.
    Step 7   Save your changes.

What to Do Next

Push the template containing the changes to the site.

Displaying All the Tenants in an Aggregated View

Using the Multi-Site GUI Tenants tab, you can view the aggregated list of the tenants.

In the Tenants panel under the Tenants tab, the following fields are displayed in the GUI:

  • NAME: Name of the tenant.

  • DESCRIPTION: Description of each tenant.

  • ASSIGNED TO SITES: The number of sites that the tenant is assigned to.

  • ASSIGNED TO USERS: The number of users that the tenant is assigned to.

  • ASSIGNED TO SCHEMAS: The number of schemas that the tenant is assigned to.

  • ACTIONS: Perform actions for each tenant, for example, Edit, Delete, or configure Network Mappings for the tenant.

Based on the Tenants chart, you can determine the resource utilization of the tenants.