The Cisco VNMC GUI provides a view of the Cisco VSG security policy objects. The policy objects shown in the Cisco VNMC GUI are not necessarily shown in the same organizational path location as they appear in the Cisco VSG CLI when you enter the show running-config command.
For example, in the Cisco VNMC GUI, if the virtual data center DC1 is under the tenant and the application APP1 is under DC1, the vnsp app1-sp at the APP1 level points to the policy set ps1 at the DC level.
The following figure shows the Cisco VNMC GUI organization structure.
Figure 1. Cisco VNMC Organizational Hierarchy for a Tenant, Data Center, and Application
The output of the show running-config command shows that the policy set and its objects are resolved from the APP1 level where the security profile is defined. The actual location of the objects in the Cisco VNMC GUI is at the DC1 level.
rule p1/r1@root/tenant4/DC1/APP1 order 101
The policy object DNs in the Cisco VSG show running-config command output are relative to the location from which the objects are resolved, not to where the actual policy objects are in the Cisco VNMC organizational hierarchy.
However, security profiles are shown with the DN where the actual security profile is created on the Cisco VNMC organizational hierarchy.
Policy objects are resolved upwards from where the security profile is located in the Cisco VNMC organizational hierarchy.
In the following example, the Cisco VSG is configured with the following specifications:
The security profile (VNSP) sp1 has policy-set ps1 in which there is a policy p1 that includes a rule, r1.
The policy-set ps1 is located at root in the organization tree on the Cisco VNMC.
The policy p1 is located at root in the organization tree on the Cisco VNMC.
The rule r1 is placed in the policy p1 on the Cisco VNMC (the Cisco VNMC does not allow you to create a rule object in and of itself).
The security profile sp1 is placed in tenant_d3337/dc1 on the Cisco VNMC.
All Cisco VSGs in the tenant_d3337 have the following show running-config command output (this configuration is replicated to all Cisco VSGs in the leaf path):
rule p1/r1@root/tenant_d3337/dc1 order 101
The policy objects above do not actually exist at the dc1 level of the organization tree on the Cisco VNMC but are resolved from that location in the Cisco VNMC organization tree.
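The following added example (not Cisco code, and not part of the original document) models the upward resolution described above, so that a rule DN read from show running-config can be traced back to the level where its policy is actually defined. The function names, the dictionary layout, and the rule that the nearest enclosing level wins are assumptions made for illustration.

```python
# Added illustration: a model of upward policy resolution, not Cisco VNMC/VSG code.
# Assumption: the nearest enclosing org level that defines a name wins.

def ancestors(org_path):
    """root/t/dc1 -> ['root/t/dc1', 'root/t', 'root'] (nearest level first)."""
    parts = org_path.split("/")
    return ["/".join(parts[:end]) for end in range(len(parts), 0, -1)]


def resolve(defined, kind, name, from_path):
    """Return the org level where (kind, name) is actually defined."""
    for level in ancestors(from_path):
        if (kind, name) in defined.get(level, {}):
            return level
    raise LookupError(f"{kind} {name} not resolvable from {from_path}")


def rule_report(defined, profile_path, policy_set):
    """Pair each rule DN, in the format the page shows, with its policy's real level."""
    ps_home = resolve(defined, "policy-set", policy_set, profile_path)
    rows = []
    for policy in defined[ps_home][("policy-set", policy_set)]:
        p_home = resolve(defined, "policy", policy, profile_path)
        for rule in defined[p_home][("policy", policy)]:
            rows.append({
                "shown": f"{policy}/{rule}@{profile_path}",  # DN format from the page
                "defined_at": p_home,
                "inherited": p_home != profile_path,
            })
    return rows


# Constructed model of the two cases described on the page.
ROOT_CASE = {"root": {("policy-set", "ps1"): ["p1"], ("policy", "p1"): ["r1"]}}
DC_CASE = {"root/tenant4/DC1": {("policy-set", "ps1"): ["p1"], ("policy", "p1"): ["r1"]}}

if __name__ == "__main__":
    for tree, path in ((ROOT_CASE, "root/tenant_d3337/dc1"),
                       (DC_CASE, "root/tenant4/DC1/APP1")):
        for row in rule_report(tree, path, "ps1"):
            print(f"rule {row['shown']}  defined at {row['defined_at']}")
```

A rule reported as inherited is shared with every other security profile below the level where it is defined, so editing it there changes enforcement for all of them.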