Here are my study notes on the topic of ACI tenants.
- provide security by isolating what is defined under tenant A from tenant B.
- With tenants we can run many logical networks on the same physical network.
- provide a separation of the control and management plane, ie each tenant has its own control plane and management plane.
- There are default tenants already preconfigured on the APIC:
- management tenant
- infrastructure tenant
common tenant: here we can define common network policies and services that will be used across tenants. Some of these services could be DHCP, DNS, Active Directory, etc.
- in ACI, management of tenants can be performed on a per-tenant basis. And we can assign tenant management on a user or group basis.
- Infrastructure administrator vs tenant administrator
- Infrastructure administrator manages and controls VLAN namespaces for all tenants. He has access to all tenants.
- Tenant administrator has access only to his allowed tenant(s) and his/their ressources.
Single Tenant vs Multi-Tenant
There are various tenant design possibilities. We can design our fabric to run with a single tenant or with many. Possible criteria for a multi-tenant design, can be:
- department naming: Sales, Engineering, Tests
- location in the product lifecycle: Production, Test-Env,
- security zones: standard, DMZ,…
In a single tenant design, L2out and L3out can be placed in your tenant or in the tenant Common. But the recommendation is to place it in the tenant Common. Reason: you may want in the future to add further tenants and with the L2out and L3out already placed in the common tenant, you won’t be forced to redesign your tenants
In a multi-tenant design, if you want your tenants to communicate in the future, then you must design non-verlapping subnets in them. You can not let overlapping subnets in your tenants and want to have communication between your tenants because in this case you need a certain address translation function between both tenants, and ACI does not support NAT to this day.
Configuring a Tenant
Configuring a new tenant is easy. There you can also specify the Security Domain or leave it blank:
Maybe you’ve created a lot of tenant? we can go directly to a particular tenant using the search function. It is case sensitive though:
We can create networking components under the tenant either with individual component paths or visually with drag and drop:
Multi-Tenants vs Network Multi-Tenancy
Do not confuse ACI multi-tenant capability with network multi-tenancy. Network multi-tenancy refers to the ability to access and operate the network from different tiers/parties. And network multi-tenancy encompasses Data-plane multi-tenancy and Management multi-tenancy.