Tenant Management

Managing Tenants Using the Multi-Site GUI


Note

To be able to manage tenants in Cisco ACI Multi-Site, the Multi-Site Site and Tenant user account with the Schema Manager role (with complete read/write privileges) must be available.


For the procedures to create a tenant in Multi-Site, see Adding Tenants in the Multi-Site GUI.

The following tenant policies and their associations can be configured in the Multi-Site GUI:

  • VRFs

  • Bridge Domains with subnets and stretched or localized settings

  • Filters and Contracts

  • Application Network Profiles with EPGs

  • External EPGs (L3extInstPs) to connect sites within a stretched tenant and VRF; the L3Outs associated with the external EPGs must still be configured in APIC

  • Associate EPGs with physical or VMM domains

  • Intra-EPG Isolation

  • Microsegmented EPGs

  • EPGs deployed on a port, PC, or VPC

Other tenant policies, including L3Outs, must be configured in the APIC GUI.

After you create a tenant in Multi-Site, there are two ways to add tenant policies:

  • Import a fully configured tenant from an APIC site.

  • Configure the tenant policies in the Multi-Site GUI.

Adding Tenants

This section describes how to add tenants using the Multi-Site Orchestrator GUI.

Before you begin

You must have a user with either Power User or Site Manager read-write role to create and manage tenants.

Procedure


Step 1

Log in to the Cisco ACI Multi-Site Orchestrator GUI.

Step 2

From the left navigation pane, select Tenants.

Step 3

In the main pane, click Add Tenant.

Step 4

In the Display Name field, provide the tenant's name.

The tenant's Display Name is used throughout the Orchestrator's GUI whenever the tenant is shown. However, due to object naming requirements on the Cisco APIC, any invalid characters are removed and the resulting Internal Name is used when pushing the tenant to sites. The Internal Name that will be used when creating the tenant is displayed below the Display Name textbox.

You can change the Display Name of the tenant at any time, but the Internal Name cannot be changed after the tenant is created.
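Because the Internal Name is what APIC sees and cannot be changed later, two Display Names that differ only in stripped characters collapse to the same fabric-side name. The following added example (not Orchestrator code) reproduces that derivation and flags such collisions before tenants are created; the allowed character set and 64-character limit are assumed from the usual APIC naming rule, not stated on this page.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, List

# Assumption (not from this page): APIC object names accept only letters,
# digits, '-', '_', '.' and ':' and are capped at 64 characters.
APIC_NAME_MAX = 64
_INVALID_CHARS = re.compile(r"[^A-Za-z0-9_.:-]")


def internal_name(display_name: str) -> str:
    """Derive the Internal Name that would be pushed to the sites by
    removing characters APIC does not accept and truncating."""
    name = _INVALID_CHARS.sub("", display_name)[:APIC_NAME_MAX]
    if not name:
        raise ValueError(f"display name {display_name!r} has no valid characters")
    return name


def find_collisions(display_names: Iterable[str]) -> Dict[str, List[str]]:
    """Group Display Names that map to the same Internal Name.

    Tenants in such a group would be indistinguishable on the fabric and,
    since the Internal Name is immutable, the clash cannot be fixed by a
    later rename in the Orchestrator GUI.
    """
    groups: Dict[str, List[str]] = defaultdict(list)
    for dn in display_names:
        groups[internal_name(dn)].append(dn)
    return {k: v for k, v in groups.items() if len(v) > 1}


if __name__ == "__main__":
    # Constructed sample names, not taken from any real deployment.
    sample = ["Prod Tenant", "Prod-Tenant", "ProdTenant", "dev/tenant", "dev tenant"]
    for dn in sample:
        print(f"{dn!r:16} -> {internal_name(dn)!r}")
    for internal, names in find_collisions(sample).items():
        print(f"collision on {internal!r}: {names}")
```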

Step 5

(Optional) In the Description field, enter a description of the tenant.

Step 6

In the Associated Sites section, add the sites.

  1. Check all sites where you plan to deploy templates that use this tenant.

    Only the selected sites will be available for any templates using this tenant.

  2. From the Security Domains drop-down list, choose the site's security domains.

    Security domains are created using the Cisco APIC GUI and can be assigned to various Cisco APIC policies and user accounts to control their access. For more information, see the Cisco APIC Basic Configuration Guide.

Step 7

In the Associated Users section, add Orchestrator users.

Only the selected users will be able to use this tenant when creating templates.

Step 8

(Optional) Enable consistency checker scheduler.

You can choose to enable regular consistency checks. For more information about the consistency checker feature, see Cisco ACI Multi-Site Troubleshooting Guide.

Step 9

Click SAVE to finish adding the tenant.


Connect Sites Through External EPGs

In Cisco ACI Multi-Site, Release 1.0(1), site L3Out connections were linked using Network Mappings. In release 1.0(2), use the following process to link the L3Outs for each site.

In this task, you configure an EXTERNAL EPG in a site-specific template for each site, to enable the sites to connect.

Before you begin

  • On each site (in Cisco APIC), create an L3Out connection, using the following guidelines:

    • The subnet in the L3extInstP must be the same for all inter-related sites (and variable length network masks are not supported).

    • The VRF for each L3Out must be the same for all sites. Changing the VRF in APIC, after the external EPGs are deployed, resets the L3Out and requires reconfiguring and redeploying the external EPG for the site.

    • When configuring L3Outs for various sites, each L3Out must be dedicated (not shared).

    • If you plan to configure GOLF in addition to Multi-Site, they both need separate L3Out policies to the IPN, but they can share a physical interface, as long as the same interface IP address is used.

  • In Cisco ACI Multi-Site, create a tenant to be stretched to the sites.

  • Create a schema and import or create the VRF, Bridge Domain, Filters and Contracts, and an Application Profile with EPGs.

  • In a shared template, deploy the tenant and policies to multiple sites.

Procedure


Step 1

In the same schema you used to deploy a stretched tenant and VRF, start a site-specific template using the following steps. If the schema already contains site-specific templates, click one of them and continue at the next step.

  1. Click + on the TEMPLATES field to start a new template.

  2. Click the edit button and enter the template name.

  3. Click + on the TENANT field to start configuring the schema, and choose the stretched tenant from the list.

  4. Click + on the SITES field and choose the site for the external EPG.

Step 2

Click + to create an EXTERNAL EPG.

Step 3

Enter the external EPG name.

Step 4

Add the contracts required for the external EPGs to communicate.

Note 

If you are associating a contract with the external EPG, as provider, choose contracts only from the tenant associated with the external EPG. Do not choose contracts from other tenants.

If you are associating the contract to the external EPG, as consumer, you can choose any available contract.

Step 5

Click the site-specific template.

Step 6

Click the external EPG.

Step 7

In the external EPG details pane, L3OUT field, choose the L3Out on the site to be used for the external EPG.

Step 8

Optional. Add a subnet for the external EPG, using the following steps:

This is the same as adding a subnet under the L3extInstP in the Cisco APIC GUI.

  1. Click + to add a SUBNET.

  2. Enter the IP address and subnet mask in the GATEWAY IP field.

  3. Click SAVE.

Step 9

Optional. Associate the L3Out with a BD, using the following steps:

  1. In the site-specific template, click a BD.

  2. In the BD details pane, click + to add an L3Out and choose the L3Out to associate.

  3. Click SAVE.

Step 10

Click DEPLOY TO SITES.

Step 11

Confirm the policies to be deployed and click DEPLOY.


What to do next

Repeat these steps for the other sites to be connected (where the tenant and VRF are stretched).

Configuring Global Contracts Across Tenants or VRFs

This use case is for a data center that provides services to EPGs in other tenants or VRFs. It provides contracts that enable all the EPGs to consume the services.

For more information, see the Shared Services with Stretched Provider EPG use case in the Cisco ACI Multi-Site Fundamentals Guide.

Before you begin

Create a schema (for every site that provides and consumes the services) with Tenants, VRFs, bridge domains, application profiles, EPGs, and other contracts.

The tenants, VRFs, BDs, and EPGs do not have to be stretched across the sites.

SUMMARY STEPS

  1. Open the provider schema.
  2. Create a filter (essentially an Access Control List).
  3. Create a contract.
  4. Associate the EPG that provides the services with the contract.
  5. Associate EPGs with the contract as consumers.

DETAILED STEPS


Step 1

Open the provider schema.

Step 2

Create a filter (essentially an Access Control List) with the following steps:

  1. Click the + icon to add a filter.

  2. Enter the filter name.

  3. Click the + icon to add an entry.

  4. Enter the entry name.

  5. Enter the rest of the data required for the filter and click Save.

Step 3

Create a contract with the following steps:

  1. Click the + icon to add a contract.

  2. Enter the contract name.

  3. Change the contract scope to global.

    This enables the contract to be accessible to EPGs in multiple VRFs.

  4. Click the + icon to add a filter and choose the filter you created.

  5. Click Save.

Step 4

Associate the EPG that provides the services with the contract, with the following actions:

  1. Click the EPG.

  2. Click the + icon to add a contract.

  3. Choose the global contract you previously created.

  4. Set the type to provider.

  5. Click Save.

  6. Click DEPLOY TO SITES. Confirm the sites and click DEPLOY.

Step 5

Associate EPGs with the contract as consumers, with the following actions:

  1. Open each consumer schema.

  2. Click an EPG.

  3. Click the + icon to add a contract.

  4. In the Contract field, start typing the contract name. When the contract appears in the list, choose it.

  5. Set the type to consumer.

  6. Click Save.

  7. Associate the contract to any other EPGs in the schema.

  8. Click DEPLOY TO SITES.

  9. Confirm the sites and click DEPLOY.
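The rules in these two procedures (identical L3extInstP subnet and L3Out VRF on every site for an external EPG, an external EPG providing only contracts from its own tenant, and global scope for a contract consumed across VRFs) are easy to violate silently across several schemas. The following added example (not Orchestrator code) checks them over a constructed, simplified model of the objects; the dataclasses and field names are assumptions and do not represent the Orchestrator's schema format or API.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, FrozenSet, List

# Constructed, simplified model of the objects in these procedures.

@dataclass(frozen=True)
class SiteL3Out:
    site: str
    vrf: str                   # VRF of the site's L3Out
    subnets: FrozenSet[str]    # subnets under the L3extInstP

@dataclass(frozen=True)
class Contract:
    name: str
    tenant: str
    scope: str                 # "context" (VRF), "tenant" or "global"

@dataclass(frozen=True)
class ContractRel:
    epg: str
    tenant: str                # tenant of the EPG holding the relationship
    vrf: str
    external: bool             # True when the EPG is an external EPG
    contract: Contract
    role: str                  # "provider" or "consumer"

def check_stretched_l3outs(l3outs: List[SiteL3Out]) -> List[str]:
    """Sites linked through external EPGs must use the same L3extInstP
    subnet and the same VRF on every site."""
    errors = []
    if len({o.subnets for o in l3outs}) > 1:
        errors.append("L3extInstP subnets differ across sites")
    if len({o.vrf for o in l3outs}) > 1:
        errors.append("L3Out VRF differs across sites")
    return errors

def check_contract_rels(rels: List[ContractRel]) -> List[str]:
    """An external EPG may only provide contracts from its own tenant, and a
    contract used by EPGs in more than one VRF must have global scope."""
    errors = []
    by_contract: Dict[Contract, List[ContractRel]] = defaultdict(list)
    for r in rels:
        if r.external and r.role == "provider" and r.contract.tenant != r.tenant:
            errors.append(f"{r.epg} provides {r.contract.name} from tenant {r.contract.tenant}")
        by_contract[r.contract].append(r)
    for c, group in by_contract.items():
        if len({r.vrf for r in group}) > 1 and c.scope != "global":
            errors.append(f"{c.name} spans several VRFs but scope is {c.scope}")
    return errors
```

Run the two checks over every schema that will be deployed before clicking DEPLOY TO SITES; an empty list means the stated rules hold for that input.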


Configuring Intra-EPG Isolation Using the Multi-Site GUI

Intra-EPG isolation prevents communication between endpoints in an EPG that is operating with isolation enforced. Isolation-enforced EPGs reduce the number of EPG encapsulations required when many clients access a common service but are not allowed to communicate with each other. An EPG is isolation enforced for all ACI network domains or none. While the ACI fabric implements isolation directly to connected endpoints, switches connected to the fabric are made aware of isolation rules according to a primary VLAN (PVLAN) tag.

If an EPG is configured with intra-EPG endpoint isolation enforced, these restrictions apply:

  • All Layer 2 endpoint communication across an isolation-enforced EPG is dropped within a bridge domain.

  • All Layer 3 endpoint communication across an isolation-enforced EPG is dropped within the same subnet.

  • Preserving QoS CoS priority settings is not supported when traffic is flowing from an EPG with isolation-enforced to an EPG without isolation enforced.

  • In Multi-Site, intra-EPG isolation is not supported in AVS-VLAN mode and DVS-VXLAN mode. Setting Intra-EPG isolation to be enforced may cause the ports to go into a blocked state in these domains.

  • Intra-EPG isolation is not supported if the Bridge Domain is configured as "legacy BD mode".

Before you begin

  • Create the tenant associated with the EPGs.

  • Import the tenant policies or configure a schema containing the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs that will be subject to intra-EPG isolation.

Procedure


Step 1

Open the schema and template where the EPGs to be isolated are configured.

Step 2

Click an EPG.

Step 3

Choose Enforced, read the warning, and click OK.

Step 4

Optional. Configure other EPGs to be isolation-enforced.

Step 5

Push the template containing the EPGs (configured for intra-EPG isolation) to the site where they will be located.

Step 6

Click the deployed site and template and click an EPG.

Step 7

Click ADD STATIC PORT.

Step 8

Choose the PATH TYPE (Port, Direct Port Channel, or Virtual Port Channel).

Step 9

Choose the LEAF.

Step 10

Choose the PATH.

Step 11

In the PORT ENCAP VLAN field, enter the VLAN number to be used for traffic for the EPG.

Step 12

On the DEPLOYMENT IMMEDIACY field, choose OnDemand or Immediate deployment.

Step 13

On the MODE field, choose Trunk.

Step 14

Optional. Repeat the steps for other EPGs that will have isolation enforced.


What to do next

Push the changes to the site where the EPGs are located.

Configuring Microsegmented EPGs Using the Multi-Site GUI

You can use Cisco ACI Multi-Site to configure Microsegmentation to create an attribute-based EPG using a network-based attribute (IP, MAC, DNS) or VM-based attributes (VM ID, VM Name, VMM domain, and so forth). This enables you to isolate VMs or physical endpoints within a single base EPG or VMs or physical endpoints in different EPGs.

Only the basic options for microsegmented (uSeg) EPGs can be configured in Cisco ACI Multi-Site. For procedures for advanced options and for use cases and detailed information about Microsegmented EPGs, see the Microsegmentation with Cisco ACI chapter in Cisco ACI Virtualization Guide, Release 3.0.


Note

When creating an EPG, if you first create an application EPG and then want to change it to a uSeg EPG, you must either give the uSeg EPG a different name or remove the application EPG and add the uSeg EPG using the following process:

  1. Delete the application EPG from the schema.

  2. Deploy the schema to the sites.

  3. Create the uSeg EPG.

  4. Redeploy the schema to the sites.


To configure a microsegmented EPG using Cisco ACI Multi-Site, perform the following steps:

Before you begin

  • Create the tenant associated with the EPGs that will be microsegmented.

  • Import the tenant policies or configure a schema containing the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs.

  • Create at least one application EPG in the tenant.

Procedure


Step 1

Open the schema where the EPGs are configured.

Step 2

Click an EPG.

Step 3

Click USEG EPG.

Step 4

Click ADD USEG ATTRIBUTES.

Step 5

On the DISPLAY NAME field, enter the name for the attribute.

Step 6

Choose the ATTRIBUTE TYPE; it can be one of the following:

  • IP

  • Mac

  • DNS

  • VM Name

  • VM Data Center

  • VM Hypervisor Identifier

  • VM Operating System

  • VM Tag

  • VM Identifier

  • VM VMM Domain

  • VM VNIC DN (vNIC domain name)

Step 7

Save your changes.


What to do next

Associate the USeg EPG with a domain using the Multi-Site GUI.

Associating EPGs with Domains Using the Multi-Site GUI

Before you begin

  • Create the tenant associated with the EPGs in Cisco ACI Multi-Site.

  • Create the domain profiles (VMM, L2, L3, or Fibre Channel) in APIC.

  • Import the tenant policies from Cisco APIC or configure a schema (with template) in Multi-Site, that contains the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs that will be associated with a domain.

    Associate the template with a site.

Procedure


Step 1

In the Sites list, click the site and template for the site where the EPG and domain are configured, and click the EPG.

Step 2

Click ADD DOMAINS.

Step 3

On the DOMAIN ASSOCIATION TYPE field, choose the type, which can be:

  • VMM

  • Fibre Channel

  • L2 External

  • L3 External

  • Physical

Step 4

On the DOMAIN PROFILE field, choose a previously created profile or phys.

Step 5

On the DEPLOYMENT IMMEDIACY field, choose OnDemand or Immediate.

Step 6

On the RESOLUTION IMMEDIACY field, choose OnDemand, Immediate, or Pre-Provision.

Step 7

Save your changes.


What to do next

Push the template containing the changes to the site.

Displaying All the Tenants in an Aggregated View

Using the Multi-Site GUI Tenants tab, you can view the aggregated list of the tenants.

In the Tenants panel under the Tenants tab, the following fields are displayed in the GUI:

  • NAME: Name of the tenant.

  • DESCRIPTION: Description of each tenant.

  • ASSIGNED TO SITES: The number of the sites that the tenant is assigned to.

  • ASSIGNED TO USERS: The number of the users that the tenant is assigned to.

  • ASSIGNED TO SCHEMAS: The number of the schemas that the tenant is assigned to.

  • ACTIONS: Perform actions for each tenant, for example, Edit, Delete, or configure Network Mappings for the tenant.

Based on the Tenants chart, you can determine the resource utilization of the tenants.