3947 Views · 10 Helpful · 4 Replies

Multiple tenants each having their own AEP but attached to same switch port

pquartz01 (Level 1)

Implementation example:

Bare metal configured with vlan interfaces 200 to 210 connected to leaf101 on port 10.

Creating two tenants "PROD" (assign vlan 200 to 205) and "DEV" (assign vlan 200 to 205)

Create a user with the tenant-admin role for each tenant so that they can create EPGs with tagged VLANs.

ACI configuration:

Create static vlan pools 200 to 205 for "PROD_vpool" and 206 to 210 for DEV_vpool

Attach vpool "PROD_vpool" to physical domain "PROD_PD" and "DEV_vpool" to "DEV_PD".

Configure interface policy group e.g. "PROD_PGR" for leaf101/port10 and attach it to aep "PROD_AEP"

It seems I can't do the same for "DEV"; when I select port 10 again for DEV_PGR, the message below is reported:

Error: "Server Error:400 - Validation failed: (Dn0) interfaces are not mutually exclusive Dn0=uni/infra/accportprof-SP_LEAF1_ifselector,"

Is this achievable with ACI?

Accepted Solution

Robert Burns (Cisco Employee)

You can't assign multiple Policy Groups (PG) to the same interfaces.

Think of your PG as how the physical interfaces need to be configured (speed, duplex, channeling etc.).

Your PG maps to your AEP, which in turn maps to the Domain(s).

For what you state above, you need a single PG, with a single AEP, attached to your two Domains.

The domains are what separate the VLAN pools/ranges between your tenants, but they tie into the same physical interface.

Robert

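Robert's chain above (one policy group, one AEP, two domains, two VLAN pools) as an added example that is not part of the original post or of any Cisco code: a Python script that builds the corresponding APIC JSON for POST /api/mo/uni.json, resolves which VLAN ranges reach leaf101 port 1/10 through the AEP, and flags the "not mutually exclusive" condition the poster hit when a second policy group selects the same port. Object names PROD_vpool, DEV_vpool, PROD_PD, DEV_PD, PROD_PGR and SP_LEAF1 come from the thread; SHARED_AEP, SP_LEAF1_nodes, the selector name port10, card 1 and DEV_LEAF1/DEV_PGR are assumptions made for the example.

```python
"""
Access-policy chain from this thread as APIC JSON (POST /api/mo/uni.json): one
interface policy group on leaf101 port 1/10 -> one AEP -> two physical domains
-> two static VLAN pools. Names from the thread: PROD_vpool, DEV_vpool, PROD_PD,
DEV_PD, PROD_PGR, SP_LEAF1. Assumed here: SHARED_AEP, SP_LEAF1_nodes, selector
name port10, card 1, and DEV_LEAF1/DEV_PGR for reproducing the rejected attempt.
"""
import copy

def mo(cls, children=None, **attrs):
    """Wrap an ACI managed object as {class: {attributes, children}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = list(children)
    return {cls: body}

def walk(node, cls):
    """Yield (attributes, children) for every MO of class `cls` in the tree."""
    for k, body in node.items():
        if k == cls:
            yield body["attributes"], body.get("children", [])
        for child in body.get("children", []):
            yield from walk(child, cls)

def targets(children, rel_cls):
    """tDn values of relation objects of class `rel_cls` among `children`."""
    return [a["tDn"] for c in children for a, _ in walk(c, rel_cls)]

def vlan_pool(name, first, last):
    # Static allocation: the EPG static path names the encap explicitly.
    blk = mo("fvnsEncapBlk", **{"from": f"vlan-{first}", "to": f"vlan-{last}"})
    return mo("fvnsVlanInstP", [blk], name=name, allocMode="static")

def phys_domain(name, pool):
    return mo("physDomP", [mo("infraRsVlanNs", tDn=f"uni/infra/vlanns-[{pool}]-static")], name=name)

def aep(name, domains):
    # One AEP, many domains: this is where both tenants' VLAN ranges meet.
    return mo("infraAttEntityP", [mo("infraRsDomP", tDn=f"uni/phys-{d}") for d in domains], name=name)

def policy_group(name, aep_name):
    return mo("infraAccPortGrp", [mo("infraRsAttEntP", tDn=f"uni/infra/attentp-{aep_name}")], name=name)

def interface_profile(name, selector, port, pg_name, card=1):
    blk = mo("infraPortBlk", name=f"blk{port}", fromCard=str(card), toCard=str(card),
             fromPort=str(port), toPort=str(port))
    base = mo("infraRsAccBaseGrp", tDn=f"uni/infra/funcprof/accportgrp-{pg_name}")
    return mo("infraAccPortP", [mo("infraHPortS", [blk, base], name=selector, type="range")], name=name)

def leaf_profile(name, leaf_id, ifprof):
    blk = mo("infraNodeBlk", name=f"blk{leaf_id}", from_=str(leaf_id), to_=str(leaf_id))
    sel = mo("infraLeafS", [blk], name=f"leaf{leaf_id}", type="range")
    return mo("infraNodeP", [sel, mo("infraRsAccPortP", tDn=f"uni/infra/accportprof-{ifprof}")], name=name)

def build_access_policy(aep_name="SHARED_AEP", ifprof="SP_LEAF1"):
    """Single PG -> single AEP -> both domains, bound to leaf101 port 1/10."""
    infra = mo("infraInfra", [
        vlan_pool("PROD_vpool", 200, 205),
        vlan_pool("DEV_vpool", 206, 210),
        aep(aep_name, ["PROD_PD", "DEV_PD"]),
        mo("infraFuncP", [policy_group("PROD_PGR", aep_name)]),
        interface_profile(ifprof, "port10", 10, "PROD_PGR"),
        leaf_profile("SP_LEAF1_nodes", 101, ifprof),
    ])
    return mo("polUni", [infra, phys_domain("PROD_PD", "PROD_vpool"), phys_domain("DEV_PD", "DEV_vpool")])

def with_conflicting_pg(payload):
    """The poster's rejected attempt: a second PG (DEV_PGR) selecting the same port."""
    out = copy.deepcopy(payload)
    out["polUni"]["children"][0]["infraInfra"]["children"].append(
        interface_profile("DEV_LEAF1", "port10", 10, "DEV_PGR"))
    return out

def port_policy_groups(payload):
    """(card, port) -> set of policy-group DNs selecting it (single leaf assumed)."""
    ports = {}
    for _, children in walk(payload, "infraHPortS"):
        pgs = set(targets(children, "infraRsAccBaseGrp"))
        for blk, _ in (b for c in children for b in walk(c, "infraPortBlk")):
            for p in range(int(blk["fromPort"]), int(blk["toPort"]) + 1):
                ports.setdefault((int(blk["fromCard"]), p), set()).update(pgs)
    return ports

def overlapping_ports(payload):
    # Ports claimed by more than one PG: what APIC rejects as "not mutually exclusive".
    return {k: v for k, v in port_policy_groups(payload).items() if len(v) > 1}

def vlans_on_port(payload, card, port):
    """Follow port -> PG -> AEP -> domains -> pools; returns {domain: (lo, hi)}."""
    by_name = {cls: {a["name"]: ch for a, ch in walk(payload, cls)} for cls in
               ("infraAccPortGrp", "infraAttEntityP", "physDomP", "fvnsVlanInstP")}
    tail = lambda dn, sep: dn.rsplit(sep, 1)[1]
    result = {}
    for pg_dn in port_policy_groups(payload).get((card, port), ()):
        for aep_dn in targets(by_name["infraAccPortGrp"][tail(pg_dn, "accportgrp-")], "infraRsAttEntP"):
            for dom_dn in targets(by_name["infraAttEntityP"][tail(aep_dn, "attentp-")], "infraRsDomP"):
                dom = tail(dom_dn, "phys-")
                for ns_dn in targets(by_name["physDomP"][dom], "infraRsVlanNs"):
                    pool = ns_dn.split("vlanns-[", 1)[1].split("]", 1)[0]
                    for blk, _ in (b for c in by_name["fvnsVlanInstP"][pool] for b in walk(c, "fvnsEncapBlk")):
                        result[dom] = (int(blk["from"][5:]), int(blk["to"][5:]))
    return result
```

The payload is posted to APIC after an aaaLogin session is established; the two check functions run offline on the dict, which is enough to see why a second policy group on port 10 is refused before the request ever reaches the fabric, and to confirm that both tenants' VLAN ranges arrive on the same port through the one AEP.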

4 Replies


Much Thanks Robert. I've progressed.

Now, after I log in as user "PROD01" (attached to tenant PROD), I am able to create an AP. Next, when I try to create an EPG, I don't see anything under Domain Profile (here I should see physical domain "PROD_PD").

Just to see how much further it goes without hurdles, I logged in as admin, created Prod_AP against tenant "PROD" and attached physical domain "PROD_PD".

Logged back in as user "PROD01" and tried to deploy a static EPG using Direct Port Channel. Even here I don't see anything against "Path".

When you create policies under the "admin" user, they are assigned to the "all" security domain by default. This means if you log in with a tenant-admin user, to which the tenant has a tenant-specific security domain assigned, you will not have access to read/use this policy.

Since you have a "shared" AEP and two tenant-specific domains, you will need to create some policies with the global admin so the tenant admin can use them.

First, the global admin would need to assign the "PROD" security domain to the "PROD_PD" physical domain.  Then the global admin would need to link the PROD_PD to the shared AEP.  Rinse & repeat for each separate Tenant account/security domain.

For the static path bindings, that will need to be done by the global admin (or a role with higher permissions than tenant-admin) since this is a physical resource object (interface) and can directly affect shared resources across the fabric.

Robert
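The security-domain steps Robert lists, as an added example that is not part of the original thread or of any Cisco code: the aaaDomain, aaaUser/aaaUserDomain/aaaUserRole and aaaDomainRef objects in APIC JSON, plus a visibility check that applies the rule he states (admin-created objects sit in the "all" security domain; a user scoped to "PROD" sees only objects tagged PROD) to show why the Domain Profile list stayed empty until the global admin tagged PROD_PD. Names PROD, PROD01, PROD_PD and DEV_PD come from the thread; the password placeholder, the "admin" user and modelling visibility as set intersection are assumptions made for the example.

```python
"""
Security-domain wiring for the tenant-admin case as APIC JSON, with a check that
mirrors the rule stated in the thread: objects created by the global admin sit
in the "all" security domain, so a user whose only security domain is "PROD"
sees just the objects carrying an aaaDomainRef "PROD". Names from the thread:
PROD, PROD01, PROD_PD, DEV_PD. Assumed here: the password placeholder, the
"admin" user, and that visibility is plain set intersection of domains.
"""

def mo(cls, children=None, **attrs):
    """Wrap an ACI managed object as {class: {attributes, children}}."""
    body = {"attributes": attrs}
    if children:
        body["children"] = list(children)
    return {cls: body}

def walk(node, cls):
    """Yield (attributes, children) for every MO of class `cls` in the tree."""
    for k, body in node.items():
        if k == cls:
            yield body["attributes"], body.get("children", [])
        for child in body.get("children", []):
            yield from walk(child, cls)

def domain_ref(sec_domain):
    # aaaDomainRef under a tenant or physical domain tags it into a security domain.
    return mo("aaaDomainRef", name=sec_domain)

def user(name, pwd, sec_domain, role):
    # aaaUserDomain scopes what the user can see; aaaUserRole grants rights inside it.
    role_mo = mo("aaaUserRole", name=role, privType="writePriv")
    scope = mo("aaaUserDomain", [role_mo], name=sec_domain)
    return mo("aaaUser", [scope], name=name, pwd=pwd, accountStatus="active")

def build_security_policy(tag_prod_pd):
    """uni payload: PROD security domain, PROD01 as tenant-admin in it, the
    tenant and both physical domains. `tag_prod_pd` is the global-admin step
    of assigning the PROD security domain to the PROD_PD physical domain."""
    userext = mo("aaaUserEp", [
        mo("aaaDomain", name="PROD"),
        user("PROD01", "changeme", "PROD", "tenant-admin"),
        user("admin", "changeme", "all", "admin"),
    ])
    prod_pd = mo("physDomP", [domain_ref("PROD")] if tag_prod_pd else None, name="PROD_PD")
    dev_pd = mo("physDomP", name="DEV_PD")
    tenant = mo("fvTenant", [domain_ref("PROD")], name="PROD")
    return mo("polUni", [userext, prod_pd, dev_pd, tenant])

def user_domains(payload, name):
    """Security domains assigned to a user."""
    for a, ch in walk(payload, "aaaUser"):
        if a["name"] == name:
            return {d["name"] for c in ch for d, _ in walk(c, "aaaUserDomain")}
    raise KeyError(name)

def object_domains(children):
    # An object with no aaaDomainRef is only in "all" (the admin-created default).
    return {a["name"] for c in children for a, _ in walk(c, "aaaDomainRef")} or {"all"}

def visible(payload, user_name, cls):
    """Names of objects of class `cls` the user can read: everything for an
    "all" user, otherwise only objects tagged with one of the user's domains."""
    mine = user_domains(payload, user_name)
    return sorted(a["name"] for a, ch in walk(payload, cls)
                  if "all" in mine or mine & object_domains(ch))
```

Run with `tag_prod_pd=False` the PROD01 user sees the PROD tenant but no physical domain at all, which is the empty Domain Profile list reported above; with the aaaDomainRef in place PROD_PD appears and DEV_PD still does not, while the "all"-scoped admin sees both.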

To sum up, only the global admin can configure a static path in this configuration example.
Is there any alternate way to implement the same setup with ACI?
