Common Tenant for Shared Services


Shared service designs are always challenging: they must preserve security while allowing enough flexibility for services that are shared across different organizations, departments, and Cisco ACI tenants.

Here, "shared service" means a commonly used service, such as the Domain Name System (DNS), that is shared across multiple tenants (organizations). In Cisco ACI, a shared service is typically provided by one of the following options, depending on the network design:

  • The common tenant, where the shared service and its consumers in other tenants are in the same common VRF.
  • VRF route leaking, where the shared service and its consumers are in different VRFs.

The common tenant is a preconfigured tenant whose objects are visible to all other tenants on Cisco ACI. It provides a way to share a particular endpoint in the common tenant that offers a common service, such as DNS, with endpoints in other tenants, and it provides common Cisco ACI policy, such as a contract filter, that other tenants can reuse.

First, review how other tenants can use the policies in the common tenant. As shown in the figure, a contract configured in the common tenant can be selected from the drop-down menu as if it were part of the user tenant, so you can define a common security rule such as ICMP once in the common tenant and reuse it from any EPG in the fabric.

For this example in particular, the recommendation is therefore to define the filter in the common tenant and create a contract in each tenant that reuses that filter. This avoids having more EPGs than the two intended ones provide and consume the same contract.

Just like a contract or a filter, a VRF, a BD, and even an L3Out in the common tenant can be used by other tenants; these are typically used to provide a shared service such as DNS from the common tenant.

Before discussing how to use the common tenant to share services on Cisco ACI, it is recommended to review some VRF design considerations.

There are two main ways to use the common tenant for shared services.

  • Share the common VRF with multiple tenants
  • Share the common BD with multiple tenants

If only Layer 3 reachability to the shared service (such as DNS) in the common tenant is required, that is, the shared service and the EPGs in each tenant are in different subnets, creating a VRF in the common tenant and sharing it is sufficient, and the Layer 2 flooding domains stay local to each tenant. In this case, the shared service itself can belong to either an L3Out or a BD/EPG in the common tenant.
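The two sharing patterns above (a filter defined in the common tenant and reused by a contract in each user tenant, and a BD in a user tenant attached to a VRF in the common tenant) both rely on the same ACI mechanism: a named relation such as tnVzFilterName or tnFvCtxName is resolved in the local tenant first and then in tenant common. The following Python is an added example, not code from the page or from Cisco; it builds the APIC JSON policy objects for both patterns and models that resolution order so you can see which tenant a reference lands in. The tenant, filter, VRF, contract, BD and subnet names, and the APIC URL placeholder, are constructed assumptions.

```python
"""Build APIC JSON policy objects for common-tenant sharing and model how the
fabric resolves a named reference. Constructed example; names are assumptions."""
import json

COMMON = "common"  # the preconfigured ACI tenant
APIC_URL = "https://apic.example.invalid"  # placeholder only; nothing is posted here


def icmp_filter_in_common(name="icmp-filter"):
    """vzFilter with one ICMP entry, to be created under tenant common."""
    return {"vzFilter": {"attributes": {"name": name}, "children": [
        {"vzEntry": {"attributes": {"name": "icmp", "etherT": "ip", "prot": "icmp"}}}]}}


def shared_vrf_in_common(name="shared-vrf"):
    """fvCtx (VRF) in tenant common that user-tenant BDs will attach to."""
    return {"fvCtx": {"attributes": {"name": name}}}


def contract_reusing_filter(contract, filter_name):
    """vzBrCP in the user tenant whose subject references a filter by name only.
    tnVzFilterName is a named relation: APIC looks in the local tenant first,
    then in tenant common, so the filter does not have to exist locally."""
    return {"vzBrCP": {"attributes": {"name": contract, "scope": "context"}, "children": [
        {"vzSubj": {"attributes": {"name": "s1"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": filter_name}}}]}}]}}


def bd_using_common_vrf(bd, vrf_name, subnet):
    """fvBD in the user tenant bound by name to a VRF that lives in common,
    keeping the Layer 2 flooding domain local while sharing Layer 3."""
    return {"fvBD": {"attributes": {"name": bd}, "children": [
        {"fvRsCtx": {"attributes": {"tnFvCtxName": vrf_name}}},
        {"fvSubnet": {"attributes": {"ip": subnet, "scope": "private"}}}]}}


def tenant_payload(tenant, children):
    """Wrap objects under fvTenant; one POST of this to /api/mo/uni.json creates them."""
    return {"fvTenant": {"attributes": {"name": tenant}, "children": children}}


def index_objects(payload, tenant=None, inventory=None):
    """Walk an APIC JSON tree and record which tenant owns each named object.
    Returns {tenant: {class: {names}}}."""
    inventory = {} if inventory is None else inventory
    for cls, body in payload.items():
        attrs = body.get("attributes", {})
        if cls == "fvTenant":
            tenant = attrs["name"]
        elif tenant is not None and "name" in attrs:
            inventory.setdefault(tenant, {}).setdefault(cls, set()).add(attrs["name"])
        for child in body.get("children", []):
            index_objects(child, tenant, inventory)
    return inventory


def resolve_named_relation(inventory, tenant, cls, name):
    """Model of APIC named-relation resolution: local tenant first, then common.
    Returns the owning tenant, or None when the relation would stay unresolved
    (APIC raises a fault and the contract or BD binding is not programmed)."""
    for scope in (tenant, COMMON):
        if name in inventory.get(scope, {}).get(cls, set()):
            return scope
    return None


def build_shared_service_design(user_tenant="TenantA"):
    """Both sharing patterns: common holds the filter and VRF, the user tenant
    holds a contract that reuses the filter and a BD that uses the VRF."""
    common = tenant_payload(COMMON, [icmp_filter_in_common(), shared_vrf_in_common()])
    user = tenant_payload(user_tenant, [
        contract_reusing_filter("icmp-to-dns", "icmp-filter"),
        bd_using_common_vrf("bd-a", "shared-vrf", "10.1.1.1/24")])
    return [common, user]


if __name__ == "__main__":
    inv = {}
    for payload in build_shared_service_design():
        index_objects(payload, inventory=inv)
        print(json.dumps(payload, indent=2))
    print("icmp-filter resolves to:", resolve_named_relation(inv, "TenantA", "vzFilter", "icmp-filter"))
```

Two points worth checking in a real fabric follow directly from the resolution order the model encodes: an object with the same name created later in the user tenant silently shadows the one in common, so a reviewer should look for duplicate filter or VRF names across tenants; and because resolution falls back to common, a single contract defined in common and consumed from several tenants connects every EPG that provides it with every EPG that consumes it, which is exactly why the text recommends sharing the filter rather than the contract.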
