07-08-2021 07:20 AM
What's the correct way to do multi-tenancy in SD-Access? I haven't been able to find anything about it. Is it just using separate VNs? But that doesn't seem like real multi-tenancy, as a single organisation/tenant could have multiple VNs for their macro-segmentation...
07-08-2021 07:34 AM
Madura,
Can you please describe in a little more detail the use case you wish for multi-tenancy? This term can mean different things to different people, so I want to be clear on your ask before providing an answer.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group
07-08-2021 07:46 AM
Say, completely separate organisations that will utilize a single common campus fabric, along with a common NAC. It seems this would be just assigning a VN to each organisation - tenant1_VN, tenant2_VN, etc, then using SGTs for micro-segmentation within a tenant VN? Or are there other ways to do it?
07-13-2021 02:29 PM
Hey Madura, correct, currently we have L3VNs. Network tenants could be placed in L3VNs and I have worked on SD-Access networks designed as such, one with around 90x L3VNs representing different business entities. We're developing L2VNs and some level of support for overlapping IP ranges, which was announced at Cisco Live a few months back. Some details can be found in BRKENS-2008, some information can be found here: https://www.ciscolive.com/global/on-demand-library.html?search=dolphin#/session/16106298294090015TSm. HTH, Jerome
08-03-2022 02:56 PM
Hi Scott
Yeah, this term is a little bit confusing.
Could I have multiple tenants using the same fabric?
Which means different organizations log in to DNA to manage their own logical fabric?
For example, we build a physical campus network, then create different tenants to manage their own logical fabric over the same physical network devices.
Or is it only just VNs to configure these multiple tenants?
08-04-2022 09:05 AM
@Madura Malwatte, we do not support that level of granularity of Roles Based Access Control with DNA Center at this time. If a fabric site has many tenants separated by L2 or L3 VNs, then we cannot limit someone from seeing the other VNs (or other site constructs) in that site. Currently we cannot even do that on a per-site basis, but that is being worked on.
Cheers,
Scott Hodgdon
Senior Technical Marketing Engineer
Enterprise Networking and Cloud Group