Cisco CloudCenter Solution: Multitenancy White Paper


White Paper
Cisco Public

© 2016 Cisco and/or its affiliates. All rights reserved.

Contents

Executive Summary
Multitenancy Overview
Powerful Isolation
Flexible Sharing
Parent-Child Partial Isolation
Initial Setup Considerations
Tenant Administrator Functions
Authenticating Users within Tenants
Model 1: Single Tenant
Model 2: Peer Tenant
Model 3: Multiple Tenants with Subtenants
Comparison of Deployment Models
Conclusion
For More Information

Executive Summary

The Cisco CloudCenter hybrid cloud management platform securely provisions infrastructure resources and deploys application components and data across more than 19 data center, private cloud, and public cloud environments.

It offers exceptional multitenant management capabilities that deliver complete isolation for peer tenants, partial isolation for parent-child tenants, and flexible sharing options for users within a tenant.

With an enterprise-class multitenant solution, IT can avoid the need to deploy multiple management tools for multiple tenants. At the same time, IT can simplify and reduce its service delivery footprint and can gain central governance capabilities that cross the boundaries of applications, clouds, and users.

The Cisco CloudCenter solution delivers multitenant capabilities that are powerful enough for many cloud service providers that deliver hybrid cloud services to fully isolated customers. Yet the solution is also simple enough for enterprise IT to configure a variety of deployment models to meet the isolation and sharing needs of any organization, simple or complex.

This document presents three basic multitenant models and describes tenant administrator functions. It also provides some basic deployment considerations.

Multitenancy Overview

The Cisco CloudCenter solution is a hybrid cloud management platform purposely built to manage multiple applications deployed in multiple clouds for multiple groups of users.

It supports a wide range of uses for enterprise IT organizations, including simple application migration, DevOps and continuous-delivery automation across various cloud environments, and dynamic capacity augmentation within or between clouds. It is the foundation for a comprehensive hybrid IT-as-a-service (ITaaS) strategy.

Enterprise IT customers can easily use multitenant capabilities to implement powerful isolation when needed. But the Cisco CloudCenter solution also provides easy-to-configure detailed control over the sharing that occurs among users and groups within a tenant and between tenants and subtenants.

To support the complexity and broad range of hybrid-cloud use cases, the Cisco CloudCenter solution offers several multitenant deployment models that give IT architects and administrators a range of options, from simple to complex, for configuring and controlling both isolation and sharing within or between groups of users (Figure 1).

A flexible mix of isolation and sharing allows IT to balance user agility with administrative visibility and control.

Figure 1. Cisco CloudCenter Tenant Isolation, Partial Isolation, and Sharing
[Figure: peer tenants, each containing users and groups; isolation between peer tenants, sharing within a tenant]

Powerful Isolation

With the Cisco CloudCenter solution, each tenant can be fully isolated from other peer tenants. In this way, two completely independent business units can use a single Cisco CloudCenter instance while being completely isolated from each other.

Many cloud service providers already rely on Cisco CloudCenter as the backbone of their multicloud service delivery systems, offering shared services to multiple completely isolated customers who are tenants in a single Cisco CloudCenter deployment.

From a technical perspective, an enterprise IT organization needs to enable tenancy only if the organization has more than one authentication source. But from a business perspective, a company may want to enable tenancy for many reasons:

• Multiple independent business units have independent IT departments.
• A common central IT organization delivers some common services to multiple IT subdepartments that also have autonomous service delivery portfolios.
• Some groups require a custom user interface with a unique brand or logo.
• Responsibilities need to be segregated to meet regulatory requirements.
• Strictly isolated tenancy is needed to help ensure the highest level of information security.

This powerful multitenancy capability allows multiple business groups to securely use one installation of Cisco CloudCenter to reduce costs and increase operational efficiency, while implementing various degrees of isolation or sharing.

Other cloud management solutions require a separate installation for each tenant. Separate installations increase rollout and maintenance costs, reduce IT’s ability to centrally deliver services, and restrict central governance and control capabilities.

Flexible Sharing

The Cisco CloudCenter solution facilitates sharing within each tenant. Powerful features for sharing application profiles, application services, and deployment environments multiply the speed and agility benefits of an application-defined management solution.

Examples of information that can be shared within a tenant include:

• Cloud accounts
• Deployment environments
• Application profiles
• Application services
• Application marketplace
• Artifact repositories
• Tags and rules
• Policies

User groups provide a powerful sharing feature. Each user can belong to one or more groups, and different user groups, such as development, testing, and production, can be supported by a single tenant. Users within a tenant can share application profiles, images, and services to provide a transparent and automated systems development lifecycle (SDLC). However, as part of specific groups, users can access only specific cloud accounts, controlled by use plans or bundles and different chargeback or showback mechanisms. They also may be limited in their capability to promote a deployment from the test environment to the staging and production environments.

In addition, roles can be assigned to both users and user groups. A role is a named collection of global privileges or permissions related to Cisco CloudCenter functions. Roles can be used to govern the functions that a user can perform (for example, the capability to create application profiles or add a cloud account) and support an effective scheme for the segregation of duties.

In addition to user roles, the Cisco CloudCenter solution provides detailed access control lists (ACLs) and sharing permissions to objects within Cisco CloudCenter. Sharing permissions include the capability to view a specific deployment environment, share a specific application profile with other users or user groups, and so on.

Parent-Child Partial Isolation

In addition to strict isolation between peer tenants and flexible sharing within each tenant, Cisco CloudCenter offers an option for partial isolation between parent and child tenants.

In some cases, a central IT organization offers shared services, delivered either on the premises or through a cloud service provider, that are consumed by various business units that are otherwise independent. For otherwise-independent IT departments, the central IT organization may want to enforce OS image standards, require the use of specific artifact repositories, or have a common rules-based governance framework. In addition, IT may offer shared services that are funded by a collection of business units. Those business units may also have IT organizations that deliver other IT or cloud services that are separately funded. Partial isolation that is controlled through the tenant parent-child relationship enables these scenarios.

Parent-child sharing is limited to:

• Cloud accounts
• Application services
• Artifact repositories
• Tags and rules
• Policies

By enforcing the separation of various tenants and offering one platform and shared governance for applications, clouds, and users, parent-child partial isolation reduces costs and optimizes efficiency.

Figure 2. Cisco CloudCenter Tenancy Model
[Figure: a root tenant, peer tenants beneath it, and subtenants beneath peer tenants]

Initial Setup Considerations

When the Cisco CloudCenter solution is first installed, it is set up with one root tenant and with one root tenant administrator who acts as the overall platform administrator. The root administrator is responsible for setting up clouds, configuring initial cloud accounts, creating users, and (optionally) creating additional tenants.

With the hosted delivery software-as-a-service (SaaS) model, Cisco is the root tenant and serves the role of root administrator. In this model, Cisco creates additional tenants for each customer who uses the SaaS version of the Cisco CloudCenter solution. This model is also used by cloud service providers who use a single Cisco CloudCenter installation to deliver shared services to fully isolated customers.

For dedicated Cisco CloudCenter installations, customers designate a root administrator. As shown in Figure 2, the root administrator can add multiple layers of tenants to meet the isolation and sharing requirements of an organization.

The root tenant can optionally create one or more peer tenants. Peer tenants might be customer organizations or business units that require tenant-level isolation and their own user interface customization, cloud management, user management, application marketplace, governance models, and so on.

Each tenant is assigned a tenant administrator who has access to all global permissions and privileges at the tenant level. At this level, tenant administrators can create users and user groups, and they can create subtenant organizations as isolated tenants. Subtenants can add their own subtenants. There is no limit to the number of subtenant hierarchies that can be created.

Tenant Administrator Functions

A root administrator can create tenant organizations and assign a tenant administrator for each one. When creating a tenant, the root administrator can:

• Label the tenant user interface with a tenant logo
• Change the tenant user interface look and feel (colors and fonts)
• Enable all or a subset of parent tenant clouds for the tenant

The root administrator controls the following global permissions for each tenant organization and tenant administrator:

• The root administrator can allow the tenant administrator to add tenant-specific orchestrators. If this permission is not granted, tenant organizations can access clouds only through orchestrators that are set up by the platform administrator.
• The root administrator can allow tenant administrators to set up their own cloud accounts. If this permission is not granted, tenants can use only the cloud accounts that are set up and shared by the root administrator.
• The root administrator can allow the tenant administrator to create and maintain a private application marketplace.
• The root administrator can set permissions for publishing application profiles to the platform public marketplace.

Tenants are treated as independent “customer” organizations, and tenant administrators have complete independence in managing their users and user groups. Each tenant administrator can perform the following user management functions:

• Create, deactivate, or delete a user.
• Change a user password.
• Create and assign groups.
• Create and assign roles.

Authenticating Users within Tenants

An important aspect of a multitenant setup is user authentication. Authentication is configured and managed at the tenant level. Each tenant can use its own authentication scheme.

Cisco CloudCenter supports Security Assertion Markup Language 2.0 (SAML 2.0)–based integration with an existing user directory such as Lightweight Directory Access Protocol (LDAP) or Microsoft Active Directory. The solution also supports indirect Active Directory authentication using single sign-on (SSO) access between Cisco CloudCenter as a service provider and a customer’s identity provider (IDP) such as Active Directory Federation Services (ADFS).

Activation profiles offer a fast and easy way to add new users. Activation profiles are predefined mappings of Cisco CloudCenter groups, roles, and cloud settings to Cisco CloudCenter role-based access control (RBAC) settings. Mappings can be created based on properties that are associated with users in an LDAP or Active Directory server. When a directory is imported into Cisco CloudCenter, the appropriate activation profile is used to activate that user in Cisco CloudCenter.

Model 1: Single Tenant

In the single-tenant deployment model, the root tenant is the only tenant for all users and groups. This model is appropriate for a centralized organization that doesn’t need isolation between users and user groups.

In this model, shown in Figure 3, all users who log in to the system come from one SAML SSO authentication source. These users can be mapped to zero, one, or many groups.

Figure 3. Single Tenant with Sharing between Users and Groups
[Figure: root tenant with a tenant admin and co-admin; users User1 to User4 mapped to the groups Dev, Test, and IT Admins]

The main benefit of deploying Cisco CloudCenter with the single-tenant model is that all users and objects can be managed collectively. Role-based access, object-level sharing, and control across the tenant provide the following capabilities:

• RBAC
-- Set access for users for specific applications.
-- Apply roles to any user or group.
-- Enforce least-restrictive aggregated permissions.
• Object-level sharing and permission control within the tenant
-- Set access for users to perform actions such as deploying applications to specific clouds.
-- Create and share deployment environments with specific users. (A deployment environment is a specific cloud, cloud region, and cloud account combination.)
-- Make all services available to users to model application profiles in the topology modeler.
-- Share code repositories when deploying application profiles.
-- Share application profiles with other users.
-- Allow users to publish applications to their tenant private marketplaces.

The disadvantage of the single-tenant model is that administrators have access to every user, cloud, and governance policy. This access may not be appropriate in larger organizations that have multiple IT teams with resources that they pay for and manage independently.

Figure 4. No Sharing between Independent Peer Tenants
[Figure: root tenant with a platform admin, users, and groups; BU1 tenant and BU2 tenant, each with a tenant admin, co-admin, users, and groups, with no sharing between them]

Model 2: Peer Tenant

In the peer-tenant deployment model, the root tenant’s only role is administering the platform. Individual tenant administrators are fully responsible for configuring and supporting their own tenant environment and delivering IT services.

This model is appropriate for an enterprise IT organization that:

• Has a decentralized IT structure and wants to gain cost and operational efficiencies by using one platform to manage applications, clouds, and users
• Doesn’t need sharing between tenants that each independently manage their own service portfolio, or has a compelling reason to prohibit sharing between tenants for reasons such as regulatory compliance

In this model, shown in Figure 4, all users who log in to the system authenticate against different SAML SSO sources. These users can be mapped to zero, one, or many groups within their tenants.

The main benefit of deploying a Cisco CloudCenter solution with multiple peer tenants is that one platform can be used for managing applications, clouds, and users, but each tenant can be managed independently as a completely separate entity. RBAC and object-level sharing are restricted to users within each tenant and provide the following capabilities:

• RBAC
-- Limit user access to specific application profiles within the tenant.
-- Apply unique roles to any user or group within the tenant.
-- Enforce least-restrictive aggregated permissions.
• Object-level sharing and permission control
-- No object-level sharing or permissions between tenants are allowed.

Model 3: Multiple Tenants with Subtenants

The multiple tenants with subtenants deployment model provides a mix of the benefits of the other two models. With this model, the root tenant can either just administer the platform or administer shared services.

This model supports a shared-service approach in which one central IT group may offer shared services to other subtenants. Those subtenants also have the flexibility to offer additional IT services to their respective organizations. But because the subtenants are peers, they are otherwise isolated.

In this model, shown in Figure 5, all users who log in to the system authenticate against different SAML SSO sources. These users can be mapped to zero, one, or many groups within their own tenants or subtenants.

The main benefit of deploying Cisco CloudCenter using the multiple tenants with subtenants model is that each tenant can be managed independently, but still share both centrally managed cloud accounts and rolled-up cost reporting from all tenants lower in the hierarchy.

For example, a banking conglomerate may have multiple divisions that follow enterprise architecture standards and consume shared IT services, but within the investment banking tenant, sell-side and buy-side resources, applications, and users are strictly segregated and isolated in subtenant organizations.

In this model, RBAC and object-level sharing and control are blends of the functions of the other two models and provide the following capabilities:

• RBAC
-- Set access for users to access specific applications within the tenant.
-- Apply roles to any user or group within the tenant.
-- Enforce least-restrictive aggregated permissions.
• Object-level sharing and permission control
-- Share common code repositories for modeling applications.
-- Create and share cloud accounts with users of a tenant and subtenants.
-- Make services available to users of both a tenant and subtenants to model applications in the topology modeler.

Figure 5. Limited Sharing Between Business Unit and Department Tenants
[Figure: root tenant with a platform admin, users, and groups; BU1 tenant with a tenant admin, co-admin, users, and groups; Dept1 tenant and Dept2 tenant beneath BU1, each with a tenant admin, co-admin, users, and groups]
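The three sharing regimes this paper describes (full isolation between peer tenants, parent-to-child sharing limited to the object kinds listed under Parent-Child Partial Isolation, and ACL-based sharing among users and groups within one tenant), together with the least-restrictive aggregation of role permissions that each model lists under RBAC, can be captured as a small authorization policy. The Python below is an added example written for this page, not Cisco CloudCenter code; the tenant, user, group and role names and the privilege strings are constructed for illustration, and treating a parent's decision to share an object down to its subtenants as a per-object flag is an assumption.

```python
"""Toy policy model of the tenancy rules described in this white paper.
Added illustration, not Cisco CloudCenter code. Tenant, user, group and role
names and the privilege strings are constructed for the example."""
from dataclasses import dataclass
from typing import Optional

# Object kinds the paper lists as shareable from a parent tenant to its subtenants.
PARENT_CHILD_SHAREABLE = frozenset({
    "cloud_account", "application_service", "artifact_repository",
    "tags_and_rules", "policy",
})

# Object kinds the paper lists as shareable among users and groups within one tenant.
WITHIN_TENANT_SHAREABLE = PARENT_CHILD_SHAREABLE | frozenset({
    "deployment_environment", "application_profile", "application_marketplace",
})


@dataclass
class Tenant:
    name: str
    parent: Optional["Tenant"] = None

    def ancestors(self) -> list["Tenant"]:
        """Parent, grandparent, ... up to the root tenant."""
        chain, current = [], self.parent
        while current is not None:
            chain.append(current)
            current = current.parent
        return chain


@dataclass
class User:
    name: str
    tenant: Tenant
    groups: frozenset = frozenset()
    roles: frozenset = frozenset()


@dataclass
class SharedObject:
    kind: str
    owner: Tenant
    # Principals (user or group names) granted object-level sharing: the paper's ACLs.
    acl: frozenset = frozenset()
    # Assumption: the parent's choice to share an object down to its subtenants is
    # modelled as a per-object flag (cf. "enable all or a subset of parent tenant clouds").
    shared_with_children: bool = False


def can_access(user: User, obj: SharedObject) -> bool:
    """Visibility of obj for user under the paper's three sharing regimes."""
    if obj.owner is user.tenant:
        # Within a tenant: shareable kinds only, and only to principals on the ACL.
        principals = {user.name} | set(user.groups)
        return obj.kind in WITHIN_TENANT_SHAREABLE and bool(principals & obj.acl)
    if obj.owner in user.tenant.ancestors():
        # Parent-to-child partial isolation: the limited kinds, and only if shared down.
        return obj.kind in PARENT_CHILD_SHAREABLE and obj.shared_with_children
    # Peer tenants are fully isolated; the paper describes no child-to-parent sharing.
    return False


# Constructed role catalogue and group-to-role assignments (names are assumptions).
ROLE_PRIVILEGES = {
    "profile_author": frozenset({"create_application_profile"}),
    "cloud_admin": frozenset({"add_cloud_account"}),
    "deployer": frozenset({"deploy_application"}),
}
GROUP_ROLES = {"Dev": frozenset({"profile_author"}), "Test": frozenset()}


def effective_privileges(user: User, group_roles: dict) -> frozenset:
    """Least-restrictive aggregation: the union of the user's own roles and the
    roles of every group the user belongs to, resolved to privileges."""
    roles = set(user.roles)
    for group in user.groups:
        roles |= group_roles.get(group, frozenset())
    return frozenset().union(*(ROLE_PRIVILEGES.get(r, frozenset()) for r in roles))


def build_scenario():
    """Hierarchy in the spirit of Figure 5: root -> BU1 -> Dept1, root -> BU2."""
    root = Tenant("root")
    bu1 = Tenant("BU1", parent=root)
    bu2 = Tenant("BU2", parent=root)
    dept1 = Tenant("Dept1", parent=bu1)
    objects = {
        "shared_cloud": SharedObject("cloud_account", root, shared_with_children=True),
        # Flagged for children, but application profiles are not a parent-child kind.
        "bu1_profile": SharedObject("application_profile", bu1,
                                    acl=frozenset({"Dev"}), shared_with_children=True),
        "bu1_repo": SharedObject("artifact_repository", bu1, shared_with_children=True),
    }
    users = {
        "dev": User("dev", bu1, groups=frozenset({"Dev"}), roles=frozenset({"deployer"})),
        "tester": User("tester", bu1, groups=frozenset({"Test"})),
        "dept_user": User("dept_user", dept1),
        "bu2_user": User("bu2_user", bu2),
    }
    return users, objects


if __name__ == "__main__":
    users, objects = build_scenario()
    for uname, user in users.items():
        visible = sorted(k for k, o in objects.items() if can_access(user, o))
        print(f"{uname:>9} ({user.tenant.name}): sees {visible}, "
              f"privileges {sorted(effective_privileges(user, GROUP_ROLES))}")
```

Running the scenario shows the three regimes side by side: the root-owned cloud account is visible in every subtenant, BU1's artifact repository reaches Dept1 but never BU2, and BU1's application profile stays inside BU1 (visible to the Dev group only) even though it was flagged for children, because application profiles are not among the parent-child shareable kinds; per Table 1 they move between tenants only through CLI import and export or the public marketplace.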

Comparison of Deployment Models

Table 1 provides a comparison of the three Cisco CloudCenter multitenancy deployment models.

Table 1. Comparison of Multitenancy Deployment Models

| Feature | Single Tenant | Multiple Tenants | Multiple Tenants with Subtenants |
|---|---|---|---|
| Sample use cases | Centralized IT; one organization | Decentralized IT; each IT department manages its own resources | Centralized IT delivers shared services; each IT department offers additional services |
| Separated SSO | No | Yes | Yes |
| Separated groups | No | Yes | Yes |
| RBAC | Across tenant | Within tenant | Within tenant |
| Sharing | Within tenant | Within tenant; none between peer tenants | Within tenant; parent-to-child sharing; none between peer tenants |
| Application profile sharing | Yes | Only with command-line interface (CLI) import and export or through public marketplace | Only with CLI import and export or through public marketplace |
| Advantages | All objects and users in one tenant | Users, applications, cloud accounts, and so on are completely separate | Shared service delivery with additional tenant autonomy; can easily share cloud accounts and applications |
| Disadvantages | Administrators cannot independently manage the infrastructure or cloud accounts they own | Cannot share with other tenants | Cannot share with peer tenants; can share only with child tenants |

Conclusion

With Cisco CloudCenter, IT can simplify and centralize an IT service delivery strategy while giving various tenant organizations flexibility to add their own services. The solution provides powerful isolation when needed, but also provides easy-to-configure control over the sharing within and between tenants and subtenants.

For More Information

www.cisco.com/go/cloudcenter

Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks. Third-party trademarks mentioned are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (1110R) C11-737223-00 05/16

