Cisco Virtual Security Gateway for Nexus 1000V Series Switch White Paper
© 2013 Cisco and/or its affiliates. All rights reserved. This document is Cisco Public Information.
Page 14 of 33
Tenant Management
One or more instances of Cisco VSG are deployed on a per-tenant basis, which allows a highly scalable
deployment across many tenants. Tenants are isolated from each other, so that no traffic can cross tenant
boundaries. A tenant can be further divided into the following levels:
● Virtual data center
● Virtual application
● Virtual tier
Each instance in a tenant tree is classified as an organization (org) level. Depending on the use case, you can
deploy a Cisco VSG at the tenant level, at the virtual data center (vDC) level, or at the virtual application (vApp)
level. Figure 11 shows how a tenant tree structure can be built in Cisco Prime Network Services Controller.
Figure 11. Cisco Prime Network Services Controller Tenant Management View
Security Policy Management
The security policy in Cisco Prime Network Services Controller uses network attributes, VMware virtual machine
attributes, and virtual machine custom attributes. You can define multiple policies for a tenant. All the policies are
published to the Cisco VSG through a security profile. These policies can be applied at any organization level
within a tenant.
A general guideline is to apply more generic policies at a higher level in the tenant hierarchy, and to apply more
specific policies closer to the organization level within a tenant, where they are more meaningful.
In Figure 12, Cisco VSG is deployed at the tenant level (Tenant A), but the policies are applied at two different
levels within the tenant. Policy P1 is applied at the data center level, so the entire data center DC 2, and all
the sublevels within DC 2, are evaluated against P1. Policy P2 is specific to App 2 only and is placed at that
organization level.
The general guideline is to place more generic policies higher in the organization structure, and to place more
specific policies closer to the organization level, where they are more meaningful.
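The scoping rule above (a policy placed at an org level applies to that level and everything beneath it) can be illustrated with a small model of the Figure 12 tree. This is an added example, not code from the white paper or from Cisco Prime Network Services Controller; the org names DC 1 and App 1 are constructed siblings, and the level names and `add_org`/`effective_policies` functions are assumptions made for the illustration.

```python
"""Constructed model of policy scoping in a tenant org tree (hypothetical;
not Cisco Prime NSC's data model). A policy attached at an org level applies
to that org and every org below it, tenant root first, then more specific."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

LEVELS = ("tenant", "vdc", "vapp", "tier")  # top-down order of org levels

@dataclass
class Org:
    name: str
    level: str
    parent: Optional["Org"] = None
    policies: List[str] = field(default_factory=list)  # policies placed at this org

    def path(self) -> List["Org"]:
        """Org chain from the tenant root down to this org."""
        chain, node = [], self
        while node is not None:
            chain.append(node)
            node = node.parent
        return chain[::-1]

def add_org(tree: Dict[str, Org], name: str, level: str, parent: Optional[str] = None) -> Org:
    """Add an org to the tree; a child must sit at a level below its parent's."""
    parent_org = tree[parent] if parent else None
    if parent_org is not None and LEVELS.index(level) <= LEVELS.index(parent_org.level):
        raise ValueError(f"{level} cannot be nested under {parent_org.level}")
    org = Org(name, level, parent_org)
    tree[name] = org
    return org

def effective_policies(tree: Dict[str, Org], org_name: str) -> List[str]:
    """Policies a VM in org_name is evaluated against, most generic (highest) first."""
    return [p for org in tree[org_name].path() for p in org.policies]

def build_figure12_tree() -> Dict[str, Org]:
    """Tenant A with DC 2 and App 2 as in Figure 12; DC 1 and App 1 are constructed siblings."""
    tree: Dict[str, Org] = {}
    add_org(tree, "Tenant A", "tenant")
    add_org(tree, "DC 1", "vdc", "Tenant A")
    add_org(tree, "DC 2", "vdc", "Tenant A")
    add_org(tree, "App 1", "vapp", "DC 2")
    add_org(tree, "App 2", "vapp", "DC 2")
    tree["DC 2"].policies.append("P1")   # P1 placed at the data center level
    tree["App 2"].policies.append("P2")  # P2 placed at the App 2 org level
    return tree
```

With this tree, a VM under App 2 is evaluated against P1 and then P2, a VM under App 1 only against P1, and a VM under DC 1 against neither.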