Part 16: Security Domains in Cisco ACI

Security Domains in Cisco ACI

Security domains are the scoping mechanism for role-based access control (RBAC) on the APIC; they have nothing to do with fabric performance. A security domain is a tag attached to objects in the management information tree, most commonly tenants. A user is granted roles within one or more security domains and can then see and change only the objects tagged with those domains. In practice they are used to confine a group of users to the tenant they operate.

The ACI fabric is multi-tenant by design. Tenancy combined with properly configured security domains separates the configuration of one workload from another while still giving each team the access it needs to its own tenant, and no more.

When configuring security domains, keep in mind that a domain has no effect until it is attached to an object, normally a tenant, and until users are given roles within it. Cisco's recommendation is to create the security domain, attach it to the tenant and assign users their roles in it before the tenant is deployed, so that nobody has to be given broader rights as a stopgap.

Do not grant roles in the "all" security domain as a way of giving someone access to a particular tenant. Every object in the MIT belongs to "all", so a role granted there is fabric-wide, and every user who holds a role in "all" is affected by any change made to it. If a user needs rights outside their own security domain, give them an additional role assignment in a dedicated security domain for that case rather than widening "all".

Steps to create a security domain in the Cisco ACI APIC
Step 1: Log in to the APIC GUI and, on the menu bar, choose Admin > AAA. 

Fig 1.1- ACI APIC login Screen

Step 2: In the Navigation pane, choose Security > Security Domains. 

Step 3: In the Work pane, choose Actions > Create a Security Domain. 

Fig 1.2- Security Domains in ACI

Step 4: In the Create a Security Domain dialog box, give the security domain a name and an optional description. 

The ACI fabric ships with three security domains: "all", "common" and "mgmt". The "all" security domain contains every object in the management information tree (MIT), so a role held in it applies to the whole fabric. The "common" security domain covers the common tenant, which holds the resources shared between tenants (for example shared contracts, filters and L3Outs). The "mgmt" security domain covers the mgmt tenant, where in-band and out-of-band management access to the fabric is configured.

Additional security domains can be added as needed. The usual design is one security domain per tenant: each tenant is tagged with its own domain, and each user is then given roles in the domain of the tenant they are responsible for, which is what ties the user to that tenant. A user who administers several tenants is simply assigned to several security domains.
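The same workflow expressed against the APIC REST API, as an added example that is not part of the original post or of Cisco's documentation: it builds the managed objects behind the GUI steps above (the aaaDomain created in steps 1-4, the aaaDomainRef that tags a tenant with it, and the aaaUser whose role is scoped to that domain), and it includes a small audit that lists users holding write roles in "all", the situation the earlier caveat warns about. The class and DN names are the ACI object-model names; the APIC hostname, tenant, domain, user names and passwords are placeholders, and the sample query response is constructed so the checks run offline.

```python
import json
import ssl
import urllib.request

# Placeholders (assumptions, not values from the original page): replace with your fabric.
APIC = "https://apic.example.com"
DOMAIN_NAME = "Tenant1-Domain"
TENANT_NAME = "Tenant1"


def mo_url(dn):
    """URL of a managed object by distinguished name, e.g. uni/tn-Tenant1."""
    return f"{APIC}/api/mo/{dn}.json"


def build_security_domain(name, descr=""):
    """aaaDomain MO: what the 'Create a Security Domain' dialog posts (step 4)."""
    return {"aaaDomain": {"attributes": {"name": name, "descr": descr}}}


def build_tenant_with_domain(tenant, domain):
    """fvTenant tagged with a security domain through an aaaDomainRef child."""
    return {"fvTenant": {
        "attributes": {"name": tenant},
        "children": [{"aaaDomainRef": {"attributes": {"name": domain}}}]}}


def build_user(name, pwd, domain, role, priv="writePriv"):
    """aaaUser whose role is scoped to one security domain (not 'all')."""
    return {"aaaUser": {
        "attributes": {"name": name, "pwd": pwd, "accountStatus": "active"},
        "children": [{"aaaUserDomain": {
            "attributes": {"name": domain},
            "children": [{"aaaUserRole": {
                "attributes": {"name": role, "privType": priv}}}]}}]}}


def users_with_priv_in_domain(imdata, domain="all", priv="writePriv"):
    """Names of users holding a role with the given privilege in the given domain.

    imdata is the 'imdata' list returned by
    GET /api/node/class/aaaUser.json?rsp-subtree=full
    With the defaults it finds accounts whose write access is not confined to a tenant.
    """
    hits = set()
    for mo in imdata:
        user = mo.get("aaaUser")
        if not user:
            continue
        for child in user.get("children", []):
            ud = child.get("aaaUserDomain")
            if not ud or ud["attributes"].get("name") != domain:
                continue
            for r in ud.get("children", []):
                role = r.get("aaaUserRole")
                if role and role["attributes"].get("privType") == priv:
                    hits.add(user["attributes"]["name"])
    return sorted(hits)


def apic_login(user, pwd, ctx=None):
    """POST /api/aaaLogin.json and return headers carrying the APIC-cookie token."""
    body = json.dumps({"aaaUser": {"attributes": {"name": user, "pwd": pwd}}}).encode()
    req = urllib.request.Request(f"{APIC}/api/aaaLogin.json", data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, context=ctx) as resp:
        token = json.load(resp)["imdata"][0]["aaaLogin"]["attributes"]["token"]
    return {"Cookie": f"APIC-cookie={token}", "Content-Type": "application/json"}


def apic_post(headers, dn, payload, ctx=None):
    """POST one MO; the APIC merges it into the MIT at the given DN."""
    req = urllib.request.Request(mo_url(dn), data=json.dumps(payload).encode(),
                                 method="POST", headers=headers)
    with urllib.request.urlopen(req, context=ctx) as resp:
        return json.load(resp)


# Constructed sample of an aaaUser class query (shape only; a real response omits pwd).
SAMPLE_IMDATA = [
    build_user("admin", "", "all", "admin"),
    build_user("tenant1-ops", "", DOMAIN_NAME, "tenant-admin"),
    build_user("auditor", "", "all", "read-all", priv="readPriv"),
]

if __name__ == "__main__":
    # Order matters: create the domain, tag the tenant, then the user scoped to it.
    # The default SSL context verifies the APIC certificate; install the fabric CA
    # rather than disabling verification.
    ctx = ssl.create_default_context()
    hdrs = apic_login("admin", "change-me", ctx)
    apic_post(hdrs, f"uni/userext/domain-{DOMAIN_NAME}",
              build_security_domain(DOMAIN_NAME, "Tenant1 operators"), ctx)
    apic_post(hdrs, f"uni/tn-{TENANT_NAME}",
              build_tenant_with_domain(TENANT_NAME, DOMAIN_NAME), ctx)
    apic_post(hdrs, "uni/userext/user-tenant1-ops",
              build_user("tenant1-ops", "S3cure-Passw0rd!", DOMAIN_NAME, "tenant-admin"), ctx)
    # On a live fabric, feed the imdata of the aaaUser class query instead of the sample.
    print("write access in 'all':", users_with_priv_in_domain(SAMPLE_IMDATA))
```

The audit is worth running periodically: the only accounts that should come back with write privileges in "all" are the fabric administrators, and a tenant operator appearing there means someone took the shortcut the caveat above warns against.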