The Cisco Prime NSC GUI provides a view of the Cisco VSG security policy objects. The policy objects shown in the Cisco Prime NSC GUI are not necessarily shown in the same organizational path location as they appear in the Cisco VSG CLI when you enter
For example, in the Cisco Prime NSC GUI, if the virtual data center DC1 is under the tenant and the application APP1 is under DC1, the vnsp app1-sp in the APP1 level is pointing to the policy set ps1 at the DC level.
The following figure shows the Cisco Prime NSC GUI organization structure.
Figure 1. Cisco Prime NSC Organizational Hierarchy for a Tenant, Data Center, and
custom-attribute loc "sunnyvale"
custom-attribute vnsporg "root/tenant4/dc1/app1"
The output of the running-config command shows that the policy set and its objects are resolved from the APP1 level where the security profile is defined. The actual location of the objects in the Cisco Prime NSC GUI is at the DC1 level.
rule p1/r1@root/tenant4/DC1/APP1 order 101
The policy object DNs in the Cisco VSG running-config command output are shown relative to where they are resolved from. They are not where the actual policy objects are in the Cisco Prime NSC organizational hierarchy. Security profiles are shown with the DN where the actual security profile is created on the Cisco Prime NSC organizational hierarchy.
Policy objects are resolved upwards from where the security profile is located in the Cisco Prime NSC organizational hierarchy.
In the following example, the Cisco VSG is configured with the following specifications:
The security profile (VNSP) sp1 has policy-set ps1 in which there is a policy p1 that includes a rule, r1.
The policy set ps1 is located at root in the organization tree on the Cisco Prime NSC.
The policy p1 is located at root in the organization tree on the Cisco Prime NSC.
The rule r1 is placed in the policy p1 on the Cisco Prime NSC (the Cisco Prime NSC does not allow you to create a rule object in and of itself).
The security profile sp1 is placed in tenant_d3337/dc1 on the Cisco Prime NSC.
All Cisco VSGs in the tenant_d3337 have the following running-config command output (this configuration is replicated to all Cisco VSGs in the leaf path):
custom-attribute vnsporg "root/tenant_d3337/dc1"
rule p1/r1@root/tenant_d3337/dc1 order 101
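
The following Python is an added example, not Cisco code or output from a real device: it walks upward from the org path shown in a running-config rule line to find where the policy was actually created, which is the step an auditor needs when mapping CLI output back to the Cisco Prime NSC GUI. The DEFINED inventory, the function names, the tenant_other entry and the nearest-ancestor-wins rule are assumptions of this model.

```python
import re

# Constructed inventory of where objects were created in Prime NSC:
# (kind, name, org path). sp1, ps1, p1 and their locations come from the
# example on this page; p2 under tenant_other is made up for contrast.
DEFINED = {
    ("policy-set", "ps1", "root"),
    ("policy", "p1", "root"),
    ("security-profile", "sp1", "root/tenant_d3337/dc1"),
    ("policy", "p2", "root/tenant_other"),
}

# Matches lines such as: rule p1/r1@root/tenant_d3337/dc1 order 101
RULE_RE = re.compile(
    r"^rule (?P<policy>[^/\s]+)/(?P<rule>[^@\s]+)@(?P<org>\S+) order (?P<order>\d+)$"
)

def ancestors(org):
    """Yield org, then each parent up to root (a/b/c, a/b, a)."""
    parts = org.split("/")
    for i in range(len(parts), 0, -1):
        yield "/".join(parts[:i])

def resolve(kind, name, start_org, defined=DEFINED):
    """Return the org where (kind, name) was created, searching upward only."""
    # Assumption of this model: the nearest ancestor wins on a name clash.
    for org in ancestors(start_org):
        if (kind, name, org) in defined:
            return org
    return None  # not visible from start_org

def audit_rule_line(line, defined=DEFINED):
    """Compare the DN shown in a running-config rule line with the real one."""
    m = RULE_RE.match(line.strip())
    if m is None:
        raise ValueError(f"not a rule line: {line!r}")
    shown = m["org"]
    actual = resolve("policy", m["policy"], shown, defined)
    return {
        "rule": f"{m['policy']}/{m['rule']}",
        "shown_at": shown,
        "actual_at": actual,
        "inherited": actual is not None and actual != shown,
    }

if __name__ == "__main__":
    print(audit_rule_line("rule p1/r1@root/tenant_d3337/dc1 order 101"))
```

In this model, an object whose actual_at is root is resolvable from every org beneath root, which is worth knowing before editing it.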
The policy objects above do not actually exist at the DC1 level of the organization tree on the Cisco Prime NSC but are resolved from that location in the Cisco Prime NSC