Cisco ACI Cookbook

How to do it...

  1. We need to create another tenant for this recipe. Repeat the previous recipes from this chapter using the following settings:
    • Name: TenantB
    • Bridge Domain Name: TenantB-BD
    • VRF Name: TenantB_VRF
    • Subnet: 10.0.1.1/24
    • Application Profile Name: TenantB_AP1
    • EPG Name: TenantB_EPG1
  2. This has created another tenant, but at the moment, the two will be unable to communicate. We need to edit the subnets we have created and set them to Shared between VRFs. Navigate to Tenants | TenantA | Networking | Bridge Domains | TenantA-BD | Subnets | 10.0.0.1/24, and tick the Shared Between VRFs checkbox. Click on SUBMIT and apply the changes. Repeat the process for the TenantB 10.0.1.1/24 subnet.
  3. We are going to create a very basic contract. TenantA will be the provider and TenantB will be the consumer. We start by selecting the Security Policies option from the left-hand side menu for TenantA.
  4. From here, we select Create Contract from the Actions dropdown.
  5. We need to give the contract a name and click on the plus sign to create a new subject of the contract.
  6. In the new window, we need to specify the subject. We assign it a name.
  7. The next step is to create a filter chain. Filter chains are where we classify our traffic (according to which attributes between layer 2 and layer 4 we decide upon). Clicking on the plus sign next to Filters gives us a list of filters that exist within the common tenant.

Clicking on the plus sign above the word Tenant will allow us to create a custom one.

  8. Click on the plus sign next to Entries to create an entry for HTTP:

Name the entry and set the EtherType to IP, the IP Protocol to tcp, and the destination port range to http.

  9. Click on UPDATE.
  10. Click on SUBMIT.
  11. Back on the Create Contract Subject window, click on UPDATE.
  12. Click on OK.
  13. Click on SUBMIT.
  14. Once we click on SUBMIT, we can see the contract listed in the security policies.
  15. The next step is to attach it to the EPG. We do this from the Contracts option under the tenant application profile: TenantA | Application profiles | TenantA_EPG1 | Contracts.
  16. We click on Actions and then on Add Provided Contract and select the contract we previously created.

We can add contract labels and subject labels.

These labels are optional and are used to increase granularity during policy enforcement.

  17. Once we hit SUBMIT, our contract is connected to our EPG.
  18. We need to do the same with TenantB, this time setting it as a consumed contract:

If you try to add the previously created contract, you will not find it in the drop-down list.

This is because the scope is set to VRF. We need the scope to be set to Global so that other tenants can see it.

  19. Return to TenantA, and navigate to Security Policies | Contracts | TenantA_Contract. Click on the Policy tab on the right-hand side.
  20. Change the scope to Global, and click on SUBMIT at the bottom right-hand corner. Click on SUBMIT CHANGES.
  21. We need to export the contract now. From TenantA | Security Policies, right-click on Contracts and select Export Contract.
  22. Set the name for the export, select the contract created earlier, and select TenantB.
  23. Click on SUBMIT.
  24. We should now be able to see the exported contract being imported into TenantB.
  25. Navigate to Contracts, right-click on it, and select Add Consumed Contract Interface.
  26. Select TenantB/TenantA_Export.
  27. Click on SUBMIT.
  28. We can now see the contract listed.
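
The procedure above widens policy across tenant boundaries in two places: the subnets marked Shared between VRFs and the contract whose scope is changed to Global. The following is an added example, not code from the book, that audits a tenant's object tree for both and lists what each global contract actually permits. The tree is constructed sample data using APIC object model class names (fvSubnet, vzFilter, vzEntry, vzBrCP, vzSubj, vzRsSubjFiltAtt); the subject, filter and entry names are hypothetical because the recipe does not name them.

```python
# Constructed sample: TenantA as an APIC-style object tree (class -> attributes/children).
# Subject, filter and entry names (http_subject, http_filter, http) are hypothetical.
TENANT_A = {"fvTenant": {"attributes": {"name": "TenantA"}, "children": [
    {"fvBD": {"attributes": {"name": "TenantA-BD"}, "children": [
        {"fvSubnet": {"attributes": {"ip": "10.0.0.1/24", "scope": "private,shared"}}}]}},
    {"vzFilter": {"attributes": {"name": "http_filter"}, "children": [
        {"vzEntry": {"attributes": {"name": "http", "etherT": "ip", "prot": "tcp",
                                    "dFromPort": "http", "dToPort": "http"}}}]}},
    {"vzBrCP": {"attributes": {"name": "TenantA_Contract", "scope": "global"}, "children": [
        {"vzSubj": {"attributes": {"name": "http_subject"}, "children": [
            {"vzRsSubjFiltAtt": {"attributes": {"tnVzFilterName": "http_filter"}}}]}}]}},
]}}


def walk(node):
    """Yield (class_name, attributes, children) for every object in the tree."""
    for cls, body in node.items():
        children = body.get("children", [])
        yield cls, body.get("attributes", {}), children
        for child in children:
            yield from walk(child)


def cross_tenant_exposure(tenant):
    """Report shared subnets and what each global-scope contract permits."""
    objs = list(walk(tenant))
    filters = {a["name"]: [c["vzEntry"]["attributes"] for c in kids if "vzEntry" in c]
               for cls, a, kids in objs if cls == "vzFilter"}
    report = {"shared_subnets": [a["ip"] for cls, a, _ in objs
                                 if cls == "fvSubnet" and "shared" in a.get("scope", "").split(",")],
              "global_contracts": {}}
    for cls, attrs, kids in objs:
        if cls != "vzBrCP" or attrs.get("scope") != "global":
            continue
        rules = []
        for sub_cls, sub_attrs, _ in (o for k in kids for o in walk(k)):
            if sub_cls != "vzRsSubjFiltAtt":
                continue
            name = sub_attrs["tnVzFilterName"]
            # A filter not defined in this tenant may live in the common tenant; flag it.
            for e in filters.get(name, [{"prot": "unresolved", "dFromPort": "?", "dToPort": "?"}]):
                rules.append(f'{name}: {e.get("prot", "unspecified")} '
                             f'{e.get("dFromPort", "unspecified")}-{e.get("dToPort", "unspecified")}')
        report["global_contracts"][attrs["name"]] = rules
    return report


if __name__ == "__main__":
    print(cross_tenant_exposure(TENANT_A))
```

An entry reported as unspecified for protocol or ports matches more traffic than the HTTP-only entry built in this recipe, so it deserves review before a contract is exported to another tenant.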