Controlling where tenants can be deployed

alanjames9
Level 1

Hey Guys,

Is it possible to police a leaf to only allow defined tenants to be configured?

e.g. LEAF101 will only allow common, management, dev tenants deployed, any configuration associated with production tenants will be restricted?


Robert Burns
Cisco Employee

Yes, it's possible. It's not super straightforward, but it can be done. Unless there's some compliance need to do this, I'd avoid it. The whole point of ACI is to separate policy from networking constructs. A huge benefit of ACI is to be able to deploy multi-tenant policies anywhere in the fabric without limiting yourself - but what you ask can be done.

1. Create the security domain and include the objects necessary to perform the actions.
Navigate to Admin -> AAA -> Security -> Security Domains -> Right-click, Create Security Domain.

This domain will be an available option in the Security Domains box of the tenants and access domains. Associate the security domain with the respective tenant, physical and/or VMM domain.  In this example we'll use 'tenant_secDom' for our name.

2. Create a User account, and assign to the security domain and role

In this case we want the user to have full access to the Tenant, so we'll use the 'tenant-admin' role.

3. Assign the security domain to your user tenant.

Navigate to Tenantx-> Policy tab -> Security Domains.

Click the "+" and add your tenant_secDom security domain to the tenant.

4. Create a RBAC rule to expose the switch and physical paths to the security domain. 

Without explicit RBAC rules, the User you create will have full admin access over the tenant and child objects, but it will not have access to any of the infrastructure such as your leaf interfaces.  In this case we'll expose specific switches and interfaces to our Security Domain which will allow users associated to this security domain access to the ports, VPCs and Port Channels for purposes of static path binding.  In this example we'll be exposing Leaf with nodeID 101, and eth1/1.

4a - Create RBAC rule for Leaf(s)

Navigate to Admin -> AAA -> Security -> RBAC Rules tab -> Create RBAC Rule

DN: topology/pod-1/node-101

Domain: tenant_secDom

Allow Writes: Yes

4b - Create RBAC rule for physical paths (interfaces)

DN: topology/pod-1/paths-101/pathep-[eth1/1]

Domain: tenant_secDom

Allow Writes: Yes

**Repeat above for every interface & leaf you want to allow this tenant user to access.

It can be a tedious process to do this via the GUI, but if you're capable this can be scripted or done via the API with relative ease.

Robert
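Step 4 is the part that gets tedious by hand, since every leaf and every interface needs its own RBAC rule. The script below is an added example (not Cisco's code and not from this thread) that generates those rules for a list of leaves and ports in the security domain from the thread ('tenant_secDom', node 101, eth1/1) and can push them to an APIC in one POST. The object class and attribute names (aaaRbacRule with objectDn/domain/allowWrites under uni/userext, aaaLogin for authentication) are assumed from the APIC object model as I know it; the APIC URL, credentials and the leaf/port inventory are placeholders to replace with your own.

```python
"""
Generate APIC RBAC rules that expose selected leaves and interfaces to a
security domain (the thread's step 4, repeated for every object).

Added example, not Cisco's or the poster's code.  Assumptions: class and
attribute names (aaaRbacRule, objectDn, domain, allowWrites, aaaUserEp at
uni/userext, aaaLogin) follow the APIC object model as the author of this
example understands it; the APIC URL and credentials are placeholders.
"""
import json
import ssl
import urllib.request
from typing import Dict, List

# Constructed inventory for the example: what LEAF101 exposes to the tenant
# users.  Replace with the pod, leaves and ports the compliance scope needs.
SECURITY_DOMAIN = "tenant_secDom"
POD = 1
ALLOWED_LEAVES = [101]
ALLOWED_PORTS = ["eth1/1"]


def leaf_dn(pod: int, node: int) -> str:
    """DN of a leaf switch, e.g. topology/pod-1/node-101 (step 4a)."""
    return f"topology/pod-{pod}/node-{node}"


def path_dn(pod: int, node: int, port: str) -> str:
    """DN of a physical path (interface) on a leaf, e.g. for eth1/1 (step 4b)."""
    return f"topology/pod-{pod}/paths-{node}/pathep-[{port}]"


def rbac_rule_dn(object_dn: str) -> str:
    """Where the rule itself lives (assumed form: uni/userext/rbacrule-[<objectDn>])."""
    return f"uni/userext/rbacrule-[{object_dn}]"


def rbac_rule(object_dn: str, domain: str, allow_writes: bool = True) -> Dict:
    """One aaaRbacRule: 'members of <domain> may see/write <object_dn>'."""
    return {
        "aaaRbacRule": {
            "attributes": {
                "dn": rbac_rule_dn(object_dn),
                "objectDn": object_dn,
                "domain": domain,
                "allowWrites": "yes" if allow_writes else "no",
            }
        }
    }


def build_rules(domain: str, pod: int, leaves: List[int], ports: List[str]) -> List[Dict]:
    """Step 4 for every leaf and for every port on each of those leaves."""
    rules = []
    for node in leaves:
        rules.append(rbac_rule(leaf_dn(pod, node), domain))
        for port in ports:
            rules.append(rbac_rule(path_dn(pod, node, port), domain))
    return rules


def exposed_dns(rules: List[Dict]) -> List[str]:
    """The object DNs a rule set exposes; handy for reviewing scope before posting."""
    return [r["aaaRbacRule"]["attributes"]["objectDn"] for r in rules]


def to_payload(rules: List[Dict]) -> Dict:
    """Nest the rules under uni/userext so a single POST to /api/mo/uni.json creates them all."""
    user_ep = {"aaaUserEp": {"attributes": {}, "children": rules}}
    return {"polUni": {"attributes": {}, "children": [user_ep]}}


def post_to_apic(base_url: str, user: str, pwd: str, payload: Dict, verify_tls: bool = True) -> int:
    """Authenticate with aaaLogin (cookie jar keeps the APIC cookie), then POST the payload.

    Returns the HTTP status of the configuration POST.  Not called at import time.
    """
    ctx = ssl.create_default_context()
    if not verify_tls:  # lab fabrics with self-signed certs only
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
    opener = urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(),
    )
    headers = {"Content-Type": "application/json"}
    login = {"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}
    req = urllib.request.Request(f"{base_url}/api/aaaLogin.json",
                                 data=json.dumps(login).encode(), headers=headers, method="POST")
    opener.open(req).close()  # raises on a failed login (HTTP 401)
    req = urllib.request.Request(f"{base_url}/api/mo/uni.json",
                                 data=json.dumps(payload).encode(), headers=headers, method="POST")
    with opener.open(req) as resp:
        return resp.status


if __name__ == "__main__":
    rules = build_rules(SECURITY_DOMAIN, POD, ALLOWED_LEAVES, ALLOWED_PORTS)
    print("exposing:", exposed_dns(rules))
    print(json.dumps(to_payload(rules), indent=2))
    # post_to_apic("https://apic.example.invalid", "admin", "<password>", to_payload(rules))
```

Review the output of `exposed_dns` before posting: the rule set is exactly the list of leaf and interface DNs the tenant users will be able to bind static paths to, so anything outside the compliance scope should not appear there. Users in the security domain still have no rights on nodes or paths that have no rule, which is what keeps the production tenants off the restricted leaf.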

Thanks Robert,

This is an OT/IT compliance thing, as the environment should be on discrete switching.

Thanks again!
