Tenants

Managing Tenants

To manage tenants, you must have either the Power User or the Site and Tenant Manager read-write role.

You can create Tenants and their policies in one of two ways:

  • Import a fully configured tenant from an APIC site.

  • Create a tenant and configure the policies in the Multi-Site Orchestrator GUI.

The following tenant policies and their associations can be configured in the Multi-Site Orchestrator GUI:

  • Application Profiles and EPGs

  • VRFs

  • Bridge Domains with subnets and stretched or site-local settings

  • Contracts and Filters

  • L3Outs

  • External EPGs

  • Physical or VMM domain association with EPGs

  • Intra-EPG isolation

  • Microsegmented EPGs

  • EPGs deployed on a port, PC, or VPC

Adding Tenants

This section describes how to add tenants using the Multi-Site Orchestrator GUI.

Before you begin

You must have a user with either the Power User or the Site Manager read-write role to create and manage tenants.

Procedure


Step 1

Log in to the Cisco ACI Multi-Site Orchestrator GUI.

Step 2

In the Main menu, select Infrastructure > Tenants.

Step 3

In the top right of the main pane, click Add Tenant.

Step 4

In the Display Name field, provide the tenant's name.

The tenant's Display Name is used throughout the Orchestrator's GUI whenever the tenant is shown. However, due to object naming requirements on the Cisco APIC, any invalid characters are removed and the resulting Internal Name is used when pushing the tenant to sites. The Internal Name that will be used when creating the tenant is displayed below the Display Name textbox.

You can change the Display Name of the tenant at any time, but the Internal Name cannot be changed after the tenant is created.

Step 5

(Optional) In the Description field, enter a description of the tenant.

Step 6

In the Associated Sites section, add the sites.

  1. Check all sites where you plan to deploy templates that use this tenant.

    Only the selected sites will be available for any templates using this tenant.

    Note

     

    If you select a site that is connected via an MPLS network, you will

  2. From the Security Domains drop-down list, choose the site's security domains.

    Security domains are created using the Cisco APIC GUI and can be assigned to various Cisco APIC policies and user accounts to control their access. For more information, see the Cisco APIC Basic Configuration Guide.

Step 7

In the Associated Users section, add Orchestrator users.

Only the selected users will be able to use this tenant when creating templates.

Step 8

(Optional) Enable the consistency checker scheduler.

You can choose to enable regular consistency checks. For more information about the consistency checker feature, see the Cisco ACI Multi-Site Troubleshooting Guide.

Step 9

Click SAVE to finish adding the tenant.


Configuring Global Contracts Across Tenants or VRFs

This use case is for a data center that provides services to EPGs in other tenants or VRFs. It provides contracts that enable all the EPGs to consume the services.

For more information, see the Shared Services with Stretched Provider EPG use case in the Cisco ACI Multi-Site Fundamentals Guide.

Before you begin

Create a schema (for every site that provides and consumes the services) with Tenants, VRFs, bridge domains, application profiles, EPGs, and other contracts.

The tenants, VRFs, BDs, and EPGs do not have to be stretched across the sites.

Procedure


Step 1

Open the provider schema.

Step 2

Create a filter (essentially an Access Control List) with the following steps:

  1. Click the + icon to add a filter.

  2. Enter the filter name.

  3. Click the + icon to add an entry.

  4. Enter the entry name.

  5. Enter the rest of the data required for the filter and click Save.

Step 3

Create a contract with the following steps:

  1. Click the + icon to add a contract.

  2. Enter the contract name.

  3. Change the contract scope to global.

    This enables the contract to be accessible to EPGs in multiple VRFs.

  4. Click the + icon to add a filter and choose the filter you created.

  5. Click Save.

Step 4

Associate the EPG that provides the services with the contract, with the following actions:

  1. Click the EPG.

  2. Click the + icon to add a contract.

  3. Choose the global contract you previously created.

  4. Set the type to provider.

  5. Click Save.

  6. Click DEPLOY TO SITES. Confirm the sites and click DEPLOY.

Step 5

Associate EPGs with the contract as consumers, with the following actions:

  1. Open each consumer schema.

  2. Click an EPG.

  3. Click the + icon to add a contract.

  4. In the Contract field, start typing the contract name. When the contract appears in the list, choose it.

  5. Set the type to consumer.

  6. Click Save.

  7. Associate the contract to any other EPGs in the schema.

  8. Click DEPLOY TO SITES.

  9. Confirm the sites and click DEPLOY.
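
A global-scope contract is the point where one tenant's EPGs become reachable from other tenants and VRFs, so it is worth reviewing which EPGs provide and consume each one. The following Python is an added example, not Cisco code or Orchestrator output: the data model, its field names, the "schema/contract" reference format, and the function name are all assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample, NOT the Orchestrator's export format; all names are hypothetical.
SCHEMAS = [
    {"name": "provider-schema", "tenant": "shared-svc",
     "filters": {"dns-only": [{"proto": "udp", "port": "53"}],
                 "any": [{"proto": "unspecified", "port": "unspecified"}]},
     "contracts": [{"name": "dns", "scope": "global", "filters": ["dns-only"]},
                   {"name": "mgmt", "scope": "global", "filters": ["any"]},
                   {"name": "web", "scope": "context", "filters": ["dns-only"]}],
     "epgs": [{"name": "dns-servers", "vrf": "svc-vrf", "contracts": [
         {"ref": "provider-schema/dns", "type": "provider"},
         {"ref": "provider-schema/mgmt", "type": "provider"}]}]},
    {"name": "consumer-schema", "tenant": "tenant-a", "filters": {}, "contracts": [],
     "epgs": [{"name": "app", "vrf": "a-vrf", "contracts": [
         {"ref": "provider-schema/dns", "type": "consumer"}]}]},
]


def audit_global_contracts(schemas):
    """List each global-scope contract with its EPGs, tenants and review flags."""
    users = defaultdict(lambda: {"provider": [], "consumer": []})
    for s in schemas:  # pass 1: index every EPG-to-contract association
        for epg in s["epgs"]:
            for rel in epg["contracts"]:
                users[rel["ref"]][rel["type"]].append((s["tenant"], epg["vrf"], epg["name"]))
    findings = []
    for s in schemas:  # pass 2: evaluate only contracts whose scope is global
        for c in s["contracts"]:
            if c["scope"] != "global":
                continue
            ref = f"{s['name']}/{c['name']}"
            u = users[ref]
            entries = [e for f in c["filters"] for e in s["filters"].get(f, [])]
            flags = []
            if not u["consumer"]:
                flags.append("global scope but no consumer EPG")
            if any(e["proto"] == "unspecified" for e in entries):
                flags.append("filter entry matches any protocol")
            findings.append({
                "contract": ref, "flags": flags, "consumers": u["consumer"],
                "tenants": sorted({t for t, _, _ in u["provider"] + u["consumer"]}),
                "providers": u["provider"]})
    return findings


if __name__ == "__main__":
    for item in audit_global_contracts(SCHEMAS):
        print(item["contract"], item["tenants"], item["flags"] or "ok")
```

In the constructed data, the dns contract spans two tenants with a narrow filter and raises no flags, while the mgmt contract is flagged twice: it is global but has no consumer, and its filter matches any protocol.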


Configuring Intra-EPG Isolation

Intra-EPG isolation is allowed between endpoints in an EPG that is operating with isolation enforced. Isolation-enforced EPGs reduce the number of EPG encapsulations required when many clients access a common service but are not allowed to communicate with each other. An EPG is isolation-enforced for all ACI network domains or none. While the ACI fabric implements isolation directly to connected endpoints, switches connected to the fabric are made aware of isolation rules according to a primary VLAN (PVLAN) tag.

If an EPG is configured with intra-EPG endpoint isolation enforced, these restrictions apply:

  • All Layer 2 endpoint communication across an isolation-enforced EPG is dropped within a bridge domain.

  • All Layer 3 endpoint communication across an isolation-enforced EPG is dropped within the same subnet.

  • Preserving QoS CoS priority settings is not supported when traffic is flowing from an EPG with isolation enforced to an EPG without isolation enforced.

  • In Multi-Site, intra-EPG isolation is not supported in AVS-VLAN mode and DVS-VXLAN mode. Setting Intra-EPG isolation to be enforced may cause the ports to go into a blocked state in these domains.

  • Intra-EPG isolation is not supported if the Bridge Domain is configured as "legacy BD mode".

Before you begin

  • Create the tenant associated with the EPGs.

  • Import the tenant policies or configure a schema containing the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs that will be subject to intra-EPG isolation.

Procedure


Step 1

Open the schema and template where the EPGs to be isolated are configured.

Step 2

Click an EPG.

Step 3

Choose Enforced, read the warning, and click OK.

Step 4

(Optional) Configure other EPGs to be isolation-enforced.

Step 5

Push the template containing the EPGs (configured for intra-EPG isolation) to the site where they will be located.

Step 6

Click the deployed site and template and click an EPG.

Step 7

Click ADD STATIC PORT.

Step 8

Choose the PATH TYPE (Port, Direct Port Channel, or Virtual Port Channel).

Step 9

Choose the LEAF.

Step 10

Choose the PATH.

Step 11

In the PORT ENCAP VLAN field, enter the VLAN number to be used for traffic for the EPG.

Step 12

In the DEPLOYMENT IMMEDIACY field, choose OnDemand or Immediate deployment.

Step 13

In the MODE field, choose Trunk.

Step 14

(Optional) Repeat the steps for other EPGs that will have isolation enforced.


What to do next

Push the changes to the site where the EPGs are located.

Configuring Microsegmented EPGs

You can use Cisco ACI Multi-Site to configure microsegmentation to create an attribute-based EPG using a network-based attribute (IP, MAC, DNS) or VM-based attributes (VM ID, VM Name, VMM domain, and so forth). This enables you to isolate VMs or physical endpoints within a single base EPG or VMs or physical endpoints in different EPGs.

Only the basic options for microsegmented (uSeg) EPGs can be configured in Cisco ACI Multi-Site. For procedures for advanced options and for use cases and detailed information about microsegmented EPGs, see the Microsegmentation with Cisco ACI chapter in the Cisco ACI Virtualization Guide.


Note


When creating an EPG, if you first create an application EPG and want to change it to a uSeg EPG, you must either assign the EPG a different name or remove the application EPG and add the uSeg EPG, with the following process:

  1. Delete the application EPG from the schema.

  2. Deploy the schema to the sites.

  3. Create the uSeg EPG.

  4. Redeploy the schema to the sites.


To configure a microsegmented EPG using Cisco ACI Multi-Site, perform the following steps:

Before you begin

  • Create the tenant associated with the EPGs that will be microsegmented.

  • Import the tenant policies or configure a schema containing the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs.

  • Create at least one application EPG in the tenant.

Procedure


Step 1

Open the schema where the EPGs are configured.

Step 2

Click an EPG.

Step 3

Click USEG EPG.

Step 4

Click ADD USEG ATTRIBUTES.

Step 5

In the DISPLAY NAME field, enter the name for the attribute.

Step 6

Choose the ATTRIBUTE TYPE; it can be one of the following:

  • IP

  • Mac

  • DNS

  • VM Name

  • VM Data Center

  • VM Hypervisor Identifier

  • VM Operating System

  • VM Tag

  • VM Identifier

  • VM VMM Domain

  • VM VNIC DN (vNIC domain name)

Step 7

Save your changes.


What to do next

Associate the USeg EPG with a domain using the Multi-Site GUI.

Associating EPGs with Domains

Before you begin

  • Create the tenant associated with the EPGs in Cisco ACI Multi-Site.

  • Create the domain profiles (VMM, L2, L3, or Fibre Channel) in APIC.

  • Import the tenant policies from Cisco APIC or configure a schema (with template) in Multi-Site that contains the tenant's VRF, bridge domain, and the Application Network Profile containing the EPGs that will be associated with a domain.

    Associate the template with a site.

Procedure


Step 1

In the Sites list, click the site and template for the site where the EPG and domain are configured, and click the EPG.

Step 2

Click ADD DOMAINS.

Step 3

In the DOMAIN ASSOCIATION TYPE field, choose the type, which can be:

  • VMM

  • Fibre Channel

  • L2 External

  • L3 External

  • Physical

Step 4

In the DOMAIN PROFILE field, choose a previously created profile or phys.

Step 5

In the DEPLOYMENT IMMEDIACY field, choose OnDemand or Immediate.

Step 6

In the RESOLUTION IMMEDIACY field, choose OnDemand, Immediate, or Pre-Provision.

Step 7

Save your changes.


What to do next

Push the template containing the changes to the site.

Displaying All the Tenants in an Aggregated View

Using the Multi-Site GUI Tenants tab, you can view the aggregated list of the tenants.

In the Tenants panel under the Tenants tab, the following fields are displayed in the GUI:

  • NAME: Name of the tenant.

  • DESCRIPTION: Description of each tenant.

  • ASSIGNED TO SITES: The number of sites that the tenant is assigned to.

  • ASSIGNED TO USERS: The number of users that the tenant is assigned to.

  • ASSIGNED TO SCHEMAS: The number of schemas that the tenant is assigned to.

  • ACTIONS: Perform actions for each tenant, for example, Edit, Delete, or configure Network Mappings for the tenant.

Based on the Tenants chart, you can determine the resource utilization of the tenants.