cisco ucs manuals


Comprehensive configuration guides can be found at the following location:

This document assumes basic knowledge of the various UCS components, including:
- UCS 6100 series Fabric Interconnects
- UCS 2100 series Fabric Extenders
- UCS 5100 series Blade Chassis
- UCS B-Series Blade Servers
- UCS Network Adapters

An elementary understanding of Local Area Network (LAN) and Storage Area Network (SAN) technologies is also assumed.

Introduction

Cisco UCS is a next-generation data center platform that:
- Unites computing, networking, storage access, and virtualization into a cohesive system
- Integrates a low-latency, lossless 10 Gb Ethernet unified network fabric with enterprise-class, x86-architecture servers

Information about UCS features and functionality can be found at.

Prerequisites

The following tasks should be completed, and all information collected, before you begin: physical installation of the UCS components, including the Blade Server Chassis and the Fabric Interconnects.

Cisco UCS Manager runs within the Fabric Interconnects. You can use any of the interfaces available within this management service to access, configure, administer, and monitor the network and server resources for each chassis connected to the Fabric Interconnects. Cisco UCS Manager includes the following interfaces for managing a Cisco UCS instance:
- Cisco UCS Manager GUI (accessible via HTTP and HTTPS)
- Cisco UCS Manager CLI (accessible via Telnet, SSH, or the console port)
- XML API

Almost all tasks can be performed in any of the interfaces, and the results of tasks performed in one interface are automatically reflected in the others. Note that Telnet and HTTP carry credentials and management data in clear text; the hardening guidance later in this document recommends SSH and HTTPS instead.

Console Connection

The console port is an RS-232 port with an RJ-45 connector. It is an asynchronous (async) serial port; any device connected to it must be capable of asynchronous transmission. The following figure shows how to connect to the console port on the Cisco UCS 6100 Fabric Interconnect.

The console port parameters on the computer terminal (or console server) attached to the console port are:
- 9600 baud
- 8 data bits
- No parity
- 1 stop bit

UCS Manager GUI

Cisco UCS Manager GUI is the Java application that provides a graphical interface to Cisco UCS Manager. You can launch it from any computer that runs a supported operating system and has HTTP or HTTPS access to the UCS 6100 series Fabric Interconnect.

Overview of Cisco UCS Manager GUI

This section provides a brief overview of the Cisco UCS Manager GUI. The most commonly used areas are the Navigation Pane and the Work Pane.

Navigation Pane

The Navigation Pane provides a centralized navigation point for all components in the Cisco UCS system. When you choose a component in the Navigation Pane, the object is displayed in the Work Pane. The Navigation Pane has six tabs: Equipment, Servers, LAN, SAN, VM, and Admin. Each tab includes these elements:
- A Filter list of values that you can use to restrict the Navigation Pane display to a certain type of object.
- An expandable navigation tree that you can use to access all of the objects on that tab.

Work Pane

The Work Pane displays details about the object selected in the Navigation Pane. It includes these elements:
- A navigation bar that displays the path from the main object of the tab in the Navigation Pane to the selected object. You can click any object in this path to display that object in the Work Pane.
- A content area that displays tabs with information related to the object selected in the Navigation Pane. The tabs shown depend on the selected object. You can use them to view information about the object, create new objects, modify object properties, and examine the chosen object.

While performing configuration steps in the UCS Manager GUI, you will find that there are often multiple ways to perform the same task.

For example, you can right-click an object in the Navigation Pane and select an action, or you may be able to select the same action from the corresponding view in the Work Pane. In many cases you can also drag and drop objects within the Navigation Pane. As you get comfortable with the UCS Manager GUI, you can choose the method that best suits your work habits. For additional information on the UCS Manager GUI, see the document entitled "Use UCS Manager GUI to Manage Cisco UCS" on CCO.

UCS Manager CLI

The UCS Manager CLI is organized into a hierarchy of command modes, which often correspond to managed objects. Managed objects represent physical and logical components within UCS, such as servers, processors, Service Profiles, and policies. The create, enter, scope, and exit commands are used to navigate the object hierarchy. More detailed information on navigating the UCS Manager CLI can be found in the Cisco UCS Manager CLI Configuration Guide, Release 1.x.

Initial Setup Steps

The first time that you access a Fabric Interconnect in a Cisco UCS instance, a setup wizard prompts you for the following information required to configure the system:
- Installation method (GUI or CLI)
- Setup mode (restore from full system backup or initial setup)
- System configuration type (standalone or cluster configuration)
- System name
- Admin password
- Management port IP address and subnet mask
- Default gateway IP address
- DNS server IP address
- Default domain name

Performing an Initial System Setup for the First Fabric Interconnect

The following procedure is used for the initial setup of the first Cisco UCS 6100 Fabric Interconnect.

1. Connect to the console port.
2. Power on the Fabric Interconnect. You will see the power-on self-test messages as the Fabric Interconnect boots. When the unconfigured system boots, it prompts you for the setup method to be used.
3. Enter console to continue the initial setup using the console CLI.
4. Enter setup to continue as an initial system setup.
5. Enter y to confirm that you want to continue the initial setup.
6. Enter the password for the admin account.
7. To confirm, re-enter the password for the admin account.
8. Enter yes to continue the initial setup for a cluster configuration.
9. Enter the Fabric Interconnect fabric (either A or B).
10. Enter the system name.
11. Enter the IP address for the management port on the Fabric Interconnect.
12. Enter the subnet mask for the management port on the Fabric Interconnect.
13. Enter the IP address for the default gateway.
14. Enter the virtual IP address.
15. Enter yes if you want to specify the IP address for the DNS server, or no if you do not.
16. (Optional) Enter the IP address for the DNS server.
17. Enter yes if you want to specify the default domain name, or no if you do not.
18. (Optional) Enter the default domain name.
19. Review the setup summary and enter yes to save and apply the settings, or enter no to go through the setup wizard again to change some of the settings. If you choose to go through the setup wizard again, it automatically provides the values you previously entered, shown in brackets. To accept a previously entered value, press the Enter key.

Performing an Initial System Setup for the Second Fabric Interconnect

The following procedure is used for the initial setup of the second Cisco UCS 6100 Fabric Interconnect.

1. Connect to the console port.
2. Power on the Fabric Interconnect. You will see the power-on self-test messages as the Fabric Interconnect boots. When the unconfigured system boots, it prompts you for the setup method to be used.
3. Enter console to continue the initial setup using the console CLI.
   Note: The Fabric Interconnect should detect the peer Fabric Interconnect in the cluster. If it does not, check the physical connections between the L1 and L2 ports, and verify that the peer Fabric Interconnect has been enabled for a cluster configuration.
4. Enter y to add the subordinate Fabric Interconnect to the cluster.
5. Enter the admin password of the peer Fabric Interconnect.
6. Enter the IP address for the management port on the subordinate Fabric Interconnect.
7. Review the setup summary and enter yes to save and apply the settings, or enter no to go through the setup wizard again to change some of the settings. If you choose to go through the setup wizard again, it automatically provides the values you previously entered, shown in brackets. To accept a previously entered value, press the Enter key.

Login to UCS Manager GUI through HTTPS

Complete the following steps to access the UCS Manager GUI through HTTPS:

1. In your web browser, type or choose the web link for Cisco UCS Manager GUI. The default web link is.
2. If a Security Alert dialog box displays, click Yes to accept the security certificate and continue. Before accepting, confirm that the certificate presented is the one installed on the Fabric Interconnect; the hardening guidance later in this document recommends replacing the self-signed certificate with one issued by a trusted certificate authority, which also removes this warning.
3. On the Cisco UCS Manager page, click Launch. You may be prompted to download or save the .JNLP file, depending on your browser configuration.
4. If a Security dialog box displays, click Yes to accept the certificate and continue. If desired, you can check the box to accept all content from Cisco.
5. In the Login dialog box, enter your User Name and Password.
6. Click Login.

Configure Network Connectivity

After launching UCS Manager for the first time, you will see the Fabric Interconnects appear in the Navigation Pane. In order to have a view into the chassis, you will need to properly configure the Server Ports. Once you have configured the Server Ports using the information in this document, the next step is configuring your VLANs and VSANs, and finally the Uplink Ports to the rest of your LAN.
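The GUI login above has a direct equivalent on the XML API, the third management interface listed earlier. The following is an added example, not code from the Cisco document: it shows the aaaLogin, configResolveClass and aaaLogout exchange, parses the reply, and treats the returned cookie as the bearer credential it is (log out when done, never log it). It assumes the standard https://<fabric-interconnect>/nuova endpoint; the replies produced by FakeUcsManager are constructed illustrations of the message shape so that the exchange runs offline, and the error codes 551 and 552 are assumed values, not captured ones.

```python
"""Cisco UCS Manager XML API login/query/logout exchange (added example, offline-capable)."""
import ssl
import urllib.request
import xml.etree.ElementTree as ET


class UcsApiError(Exception):
    """Raised when UCS Manager answers a request with an errorCode attribute."""


def _msg(tag, **attrs):
    # ET escapes attribute values, so a password containing quotes or '&' stays well-formed.
    return ET.tostring(ET.Element(tag, attrs), encoding="unicode")


def build_login(user, password):
    return _msg("aaaLogin", inName=user, inPassword=password)


def build_query(cookie, class_id):
    return _msg("configResolveClass", cookie=cookie, classId=class_id, inHierarchical="false")


def build_logout(cookie):
    return _msg("aaaLogout", inCookie=cookie)


def parse_reply(xml_text):
    root = ET.fromstring(xml_text)
    if root.get("errorCode") is not None:
        raise UcsApiError(f'{root.tag} failed: {root.get("errorCode")} {root.get("errorDescr")}')
    return root


def https_post(url, cafile=None):
    """Return post(body) -> reply for a real FI. TLS verification stays ON (pin the FI's CA
    via cafile); this is the API analogue of NOT clicking through the GUI certificate warning."""
    ctx = ssl.create_default_context(cafile=cafile)

    def post(body):
        req = urllib.request.Request(url, data=body.encode(), headers={"Content-Type": "text/xml"})
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.read().decode()
    return post


def login(post, user, password):
    reply = parse_reply(post(build_login(user, password)))
    cookie = reply.get("outCookie")
    if not cookie:
        raise UcsApiError("login reply carried no outCookie")
    return cookie


def list_dns(post, user, password, class_id="computeBlade"):
    """Log in, resolve one managed-object class, log out. Returns the dn of every object."""
    cookie = login(post, user, password)
    try:
        reply = parse_reply(post(build_query(cookie, class_id)))
        return [mo.get("dn") for mo in reply.iter() if mo.get("dn")]
    finally:
        post(build_logout(cookie))  # the cookie is a bearer credential: invalidate it


class FakeUcsManager:
    """Offline stand-in answering with CONSTRUCTED replies in the UCSM XML shape (assumption)."""

    def __init__(self, user="admin", password="Str0ng-Pass!"):
        self.creds, self.sessions, self.next_id = (user, password), set(), 1

    def __call__(self, body):
        req = ET.fromstring(body)
        if req.tag == "aaaLogin":
            if (req.get("inName"), req.get("inPassword")) != self.creds:
                return _msg("aaaLogin", cookie="", response="yes", errorCode="551",
                            invocationResult="unidentified-fail", errorDescr="Authentication failed")
            cookie = f"1290000000/00000000-0000-4000-8000-00000000000{self.next_id}"
            self.next_id += 1
            self.sessions.add(cookie)
            return _msg("aaaLogin", cookie="", response="yes", outCookie=cookie,
                        outRefreshPeriod="600", outPriv="admin", outVersion="1.4(1i)")
        cookie = req.get("cookie") or req.get("inCookie") or ""
        if cookie not in self.sessions:  # stale or logged-out cookie is rejected
            return _msg(req.tag, cookie=cookie, response="yes", errorCode="552",
                        errorDescr="Authorization required")
        if req.tag == "aaaLogout":
            self.sessions.discard(cookie)
            return _msg("aaaLogout", cookie=cookie, response="yes", outStatus="success")
        reply = ET.Element(req.tag, cookie=cookie, response="yes", classId=req.get("classId"))
        out = ET.SubElement(reply, "outConfigs")
        for dn in ("sys/chassis-1/blade-1", "sys/chassis-1/blade-2"):
            ET.SubElement(out, req.get("classId"), dn=dn, operState="ok")
        return ET.tostring(reply, encoding="unicode")


if __name__ == "__main__":
    # Offline demo; against a real system use https_post("https://<fi>/nuova", cafile="fi-ca.pem").
    fake = FakeUcsManager()
    print(list_dns(fake, "admin", "Str0ng-Pass!"))
```

The try/finally around the query guarantees the aaaLogout even when the query fails, so a session cookie is never left valid for its full refresh period after a script crash.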

The type of network connectivity that is supported depends on the adapter installed in each blade server. Table 1 describes the available adapters and their capabilities.

Server Ports

This is a mandatory step in the initial UCS configuration. The Server Ports connect to the Fabric Extender on the chassis, and the Uplink Ports connect to the upstream switch (the LAN). For more detailed information on establishing this connectivity, see the CCO TechNote entitled "Set up Connectivity between Fabric Extender and Fabric Interconnect in UCS".

LAN

It is possible to create VLANs that are unique to either Fabric Interconnect. However, for the purposes of this document, we will create a Global VLAN, which is a VLAN that resides on both Fabric Interconnects. A unique VLAN ID is required for each named VLAN. Note that VLAN IDs from 3968 to 4048 are reserved.

SAN

If you are utilizing VSANs within your Storage Area Network, you must create a VSAN in UCS Manager and later associate it with a vHBA. Like a VLAN, a VSAN can be either Global or specific to one Fabric Interconnect. VLANs and VSANs differ in that each Fibre Channel uplink from UCS to its upstream SAN switch supports only one VSAN, which is specified as a property of the Uplink FC Port. While a vNIC can carry multiple VLANs, each vHBA can carry only one VSAN, and its ID must match an ID in your core SAN.

Uplink Ports

Uplink Ethernet ports connect your Fabric Interconnects to the upstream LAN switches. Uplink Fibre Channel ports connect your Fabric Interconnects to the upstream SAN switches. The procedure to configure Uplink Ports is similar to configuring Server Ports.

Perform Initial System Validation

Once you have configured Server and Uplink ports, it is a good idea to validate that the hardware has been properly discovered and that you are running the desired version of firmware.

Validate Hardware

The Hybrid Display provides an excellent visual depiction of the components within your UCS deployment, including the connected ports. Make note of the adapter.

Validate Software

While not mandatory, it may be desirable to note the firmware versions that are running on the various components within UCS.

Pools

Stateless computing refers to the ability to move the "identity" of one server to another using Service Profiles. To take advantage of stateless computing, the addresses that would traditionally be burned into the hardware are instead assigned to each Service Profile, which functions as an abstraction layer between the hardware and the operating system. This assignment can be done on a per-Service-Profile basis or by creating a pool of addresses and letting UCS decide which address to assign. Examples of resources that can be pooled include management IP addresses, MAC addresses, WWNNs, WWPNs, and UUIDs. Additional information about pools can be found in the CCO TechNote entitled "Create Pools to Simplify Blade Management in Cisco UCS".

Management IP Address Pools

The Management IP Address pool facilitates the assignment of a management IP address to an individual blade server. The management IP address is used for Serial over LAN (SoL) or IPMI access, so these addresses belong to the management plane and reachability to them should be restricted in the same way as the UCS Manager interface itself. Note that the Management IP Address pool currently has to be on the same subnet as the management interface of UCS Manager.

WWN Pools

In a typical UCS deployment, you would create fairly large WWN pools. After a WWN is assigned to a Service Profile, which is then assigned to a blade server, you would note the WWN assignment and configure your SAN (zoning and LUN masking) accordingly.

Policies

It is important to be aware that there are various Policies that can be created and applied to Service Profiles. For detailed information about this feature, see the CCO TechNote entitled "Configure Chassis and Server Discovery Policies for Cisco UCS".

Service Profiles

The Service Profile, or logical server, is the fundamental backbone of the stateless capabilities within UCS. The Service Profile represents a logical view of a single blade server, without detailed knowledge of the underlying hardware. The profile object contains the server personality, for example the values drawn from the pools created in the previous steps. Service Profiles can be created manually, cloned from an existing Service Profile, or created in batch using a Service Profile Template. This guide focuses on the manual creation of a Service Profile. For more detailed information on Service Profiles, see the following CCO TechNotes:
- Create Multiple Service Profiles through Template
- Create Service Profile for Cisco UCS Blade

Service Profile Creation and Association

This document guides you through the creation of a single Service Profile and its association with a blade server. This process should be repeated for each blade server in the chassis.

Create a Service Profile using the Expert Wizard

While a Service Profile can exist that inherits the identity of the blade server, we focus on creating a Service Profile that overrides the server's identity, which is required for stateless computing.

Storage
- This applies to the local disks (if applicable).
- Leave the Scrub Policy unchanged.
- If applicable, choose the WWNN Pool you created in the previous step from the WWNN Pool drop-down list.
- If applicable, name your vHBAs and select the VSANs that were created in the previous step.
- Click Next.

Networking (vNIC Definition)
- Select the Expert option as shown.
- Click Add.
- Create exactly one vNIC in the profile for each port you would like to make accessible to your blade server's operating system. Use Table 1 in the Configure Network Connectivity section of this document to determine the maximum number of vNICs supported by your exact hardware configuration.

This step of the setup wizard is only applicable to the B250 full-width blade server, which has multiple mezzanine cards.

Server Boot Order
- You can choose to boot first from CD-ROM, Local Disk, or your SAN.

Server Assignment
- On the Server Assignment screen, leave Server Assignment set to Assign Later.
- Click Next.

Operational Policies
- Leave the settings on the Operational Policies page at their defaults.
- Click Finish to create the Service Profile.

Associate Service Profiles to Server Blade

Only a 1:1 mapping of Service Profiles to blade servers can exist. You cannot assign a Service Profile to more than one blade server at any given time.

DNS

Configure a DNS server that will be used to resolve hostnames to IP addresses within UCS. More detailed information on configuring DNS can be found in the CCO TechNote: Configure the DNS Server for Cisco UCS.

SNMP

UCS supports SNMP Version 2c and Version 3, but this document will guide you through configuring Version 2c. Note that an SNMPv2c community string is sent over the network in clear text and acts as a password to the agent; prefer SNMPv3 with authentication and privacy where your monitoring tools support it, and treat the community string as a credential in either case.

Syslog

More detailed information on configuring Syslog can be found in the CCO TechNote: Set up Syslog for Cisco UCS.

TACACS

Use the following procedure to configure this feature. Note that the TACACS request will be sourced from the individual IP address of each Fabric Interconnect, so both addresses must be registered with the TACACS server. For more details on configuring UCS for TACACS authentication, as well as the corresponding configuration required on the CiscoSecure ACS Server (if applicable), see the CCO TechNote entitled Setup TACACS Authentication for Cisco UCS.

RADIUS

Note that the RADIUS request will be sourced from the individual IP address of each Fabric Interconnect, so both addresses must be registered as RADIUS clients. For more details on configuring UCS for RADIUS authentication, as well as the corresponding configuration required on the CiscoSecure ACS Server (if applicable), see the CCO TechNote entitled Set up RADIUS Authentication for Cisco UCS.

Backup

The backup can be performed while the system is up and running. The backup operation only saves information from the management plane. It does not have any impact on the server or network traffic.

Backup files are of more than one type: a full state backup cannot be imported and is used only for a system restore, whereas the configuration backups are saved as .xml files that can be imported but cannot be used for a system restore. When you run a backup from the GUI, enter a name for the backup file in .xml format; the file is downloaded and saved to a location depending on your browser settings. An import can be performed while the system is up and running. If the import operation is in a disabled state, the fields are dimmed. Because a configuration backup contains the complete management-plane configuration, store it in a restricted repository, as discussed under the hardening guidance later in this document.

Operating System Installation

This step is not covered in this document, but great detail on this topic can be found in the chapter entitled "Installing an OS on a Server" within the Cisco UCS Manager GUI Configuration Guide, Release 1.x on CCO.

Cisco UCS Hardening

Structured around the three planes by which the functions of a network device are categorized, this document provides an overview of each Cisco UCS Software feature and references related documentation. Discrete software components (subsystems) are implemented as separate software processes that run in their own protected memory address spaces. This implementation enables true fault isolation and compartmentalization in the event of a security incident by preventing faults in one subsystem from negatively affecting others.

Management plane traffic is always destined to the local Cisco UCS device. Control plane traffic is always destined to the local Cisco UCS device. Data plane traffic is mainly forwarded in the fast path and is never destined to the local Cisco UCS device.

However, in cases where it does not, the feature is explained to allow administrators to evaluate whether additional attention to the feature is required. Where possible and appropriate, this document contains recommendations that, if implemented, will help secure a Cisco UCS deployment. Figure 1 shows the structure of a Cisco UCS device.

Although most of this document is devoted to the secure configuration of a Cisco UCS device, configuration alone does not completely secure a network. The operational procedures in use on the network, as well as the people who administer the network, contribute as much to security as the configuration of the underlying devices. These sections highlight specific critical areas of network operations and are not comprehensive.

Security advisories are available at. Detailed knowledge of a vulnerability is required before evaluating the threat that it can pose to a network. For assistance with this evaluation process, see Risk Triage for Security Vulnerability Announcements.

The AAA framework provides authentication of management sessions, limits users to specific, administrator-defined commands, and logs all commands entered by all users. RADIUS obfuscates only the password attribute; the rest of the exchange, including usernames and authorization attributes, crosses the network in clear text. To encrypt the LDAP authentication exchange, use the CLI option to enable SSL.

A logging strategy must leverage logging from all network devices and use prepackaged and customizable correlation capabilities. Based on the needs of the organization, this approach can range from a simple diligent review of log data to an advanced rule-based analysis.

Secure protocols should be used whenever possible. A secure protocol choice includes the use of SSH instead of Telnet so that both authentication data and management information are encrypted.

In the context of a Cisco UCS, there are configuration commit point records for each configuration change. These records can be used to determine what security changes were made and when these changes occurred. In conjunction with AAA log data, this information can assist in the security audit of network devices. The repository used to archive Cisco UCS device configurations should be secured and access should be restricted to only those roles and functions that require access. Insecure access to this information can undermine the security of the entire network.
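The rule-based analysis mentioned above is easiest to reason about with logic you can run. The following is an added example, not from the Cisco document: it applies three rules to forwarded login events (repeated authentication failures from one source inside a time window, a successful login from a source that just failed repeatedly, and any login over Telnet). The sample lines in SAMPLE_LOG are constructed to approximate a UCS Manager audit message as it would arrive on a syslog collector; they are not a capture, and LINE_RE must be adapted to the exact format your collector receives.

```python
"""Rule-based review of UCS Manager login events (added example, constructed sample data)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# CONSTRUCTED sample log lines, not captured from a real system.
SAMPLE_LOG = """\
2019 May 14 22:35:01 UTC: %UCSM-6-AUDIT: Web A: local user admin logged in from 192.0.2.10
2019 May 14 22:36:10 UTC: %UCSM-3-AUTH: Web A: authentication failed for user admin from 198.51.100.7
2019 May 14 22:36:25 UTC: %UCSM-3-AUTH: Web A: authentication failed for user admin from 198.51.100.7
2019 May 14 22:36:40 UTC: %UCSM-3-AUTH: Web A: authentication failed for user admin from 198.51.100.7
2019 May 14 22:36:55 UTC: %UCSM-3-AUTH: Web A: authentication failed for user admin from 198.51.100.7
2019 May 14 22:37:10 UTC: %UCSM-3-AUTH: Web A: authentication failed for user admin from 198.51.100.7
2019 May 14 22:37:25 UTC: %UCSM-3-AUTH: Web A: authentication failed for user admin from 198.51.100.7
2019 May 14 22:38:40 UTC: %UCSM-6-AUDIT: Web A: local user admin logged in from 198.51.100.7
2019 May 14 22:40:00 UTC: %UCSM-6-AUDIT: Telnet A: local user ops logged in from 192.0.2.20
2019 May 14 22:41:00 UTC: %UCSM-3-AUTH: SSH B: authentication failed for user root from 203.0.113.5
"""

# Assumed line layout: timestamp, facility tag, access channel, fabric (A/B), free-text message.
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} \d{2} \d{2}:\d{2}:\d{2}) UTC: %UCSM-\d-(?P<facility>\w+): "
    r"(?P<channel>\w+) (?P<fabric>[AB]): (?P<msg>.*)$"
)
OK_RE = re.compile(r"user (?P<user>\S+) logged in from (?P<src>\S+)")
FAIL_RE = re.compile(r"authentication failed for user (?P<user>\S+) from (?P<src>\S+)")


def parse(line):
    """Return a normalised event dict, or None for lines that are not login events."""
    m = LINE_RE.match(line)
    if not m:
        return None
    msg = m["msg"]
    if (e := OK_RE.search(msg)):
        kind = "ok"
    elif (e := FAIL_RE.search(msg)):
        kind = "fail"
    else:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y %b %d %H:%M:%S"),
        "channel": m["channel"], "fabric": m["fabric"],
        "kind": kind, "user": e["user"], "src": e["src"],
    }


def analyse(lines, threshold=5, window=timedelta(minutes=5)):
    """Apply the three rules; returns (rule, source, detail) tuples in log order."""
    findings = []
    recent = defaultdict(deque)  # src -> timestamps of failures still inside the window
    alerted = set()              # sources already reported as brute-force
    for ev in filter(None, map(parse, lines)):
        q = recent[ev["src"]]
        while q and ev["ts"] - q[0] > window:  # slide the window
            q.popleft()
        if ev["kind"] == "fail":
            q.append(ev["ts"])
            if len(q) >= threshold and ev["src"] not in alerted:
                alerted.add(ev["src"])
                findings.append(("brute-force", ev["src"], f"{len(q)} failures within {window}"))
            continue
        # Successful login: was it preceded by a burst of failures from the same source?
        if len(q) >= threshold:
            findings.append(("success-after-failures", ev["src"],
                             f"user {ev['user']} after {len(q)} failures"))
        # Telnet carries the password in clear text; the guide says to disable telnet-server.
        if ev["channel"].lower() == "telnet":
            findings.append(("cleartext-login", ev["src"],
                             f"user {ev['user']} via Telnet on fabric {ev['fabric']}"))
    return findings


if __name__ == "__main__":
    for rule, src, detail in analyse(SAMPLE_LOG.splitlines()):
        print(f"{rule:24} {src:16} {detail}")
```

The single root failure from 203.0.113.5 is deliberately below the threshold and produces nothing; the point of the window is that the same source is reported once, not on every subsequent failure.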

These goals include interactive management sessions using SSH, as well as statistics gathering with SNMP or NetFlow. When considering the security of a network device, it is critical that the management plane is protected. If a security incident undermines the functions of the management plane, network recovery or stabilization may not be possible. The management plane receives and sends traffic for operations of these functions. Both the management plane and control plane of a device must be secured, because operations of the control plane directly affect operations of the management plane. If one of these planes is successfully exploited, all planes can be compromised. The following list includes protocols that are used by the management plane:

When a request is received for access to a resource or device, the request is challenged for verification of the password and identity, and access can be granted, denied, or limited based on the result. A device can also have other password information present within its configuration, such as an NTP key or an SNMP community string; these must be protected like any other credential.

Ensure Password Strength Check is enabled and do not disable it. Passwords are stored securely on the Cisco UCS using password hashing. Figure 2 shows the configuration settings for locally authenticated users. Strong passwords must meet the following requirements: For example, the password must not be based on a standard dictionary word.

Cisco UCS Manager Software provides tools that allow multiple levels of permission using the concepts of tasks and user groups. User groups are defined to have access to a certain set of capabilities, such as debug commands, show commands, and configuration commands.

Different user groups have configuration access to different parts of the Cisco UCS. These requests all use the standard role-based access control (RBAC); however, the Intelligent Platform Management Interface (IPMI) user list is downloaded to each blade on startup of the CIMC and registers with the Fabric Interconnect. This user list is separate from the normal RBAC, and IPMI privileges must be assigned separately, so an RBAC review that ignores the IPMI users is incomplete.

If this information is disclosed to a malicious user, the device can become the target of an attack or be used as a source of additional attacks. Anyone with privileged access to a Cisco UCS device has the capability for full administrative control of the device. It is imperative to secure management sessions to prevent information disclosure and unauthorized access.

Most services are disabled by default in Cisco UCS Manager Software; however, these services can be enabled by issuing their respective configuration commands. Common examples of these types of connections are SMTP, SSH, and SNMP.

After the required connections have been permitted, all other traffic to the infrastructure is explicitly denied. All transit traffic that crosses the network and is not destined to infrastructure devices is explicitly permitted. The implementation of ACLs can be made easier with distinct addressing for network infrastructure devices. The iACL will be attached to a router upstream of the Cisco UCS system.

Encrypting the traffic allows a secure remote access connection to the device. If the traffic for a management session is sent over the network in plain text, an attacker could obtain sensitive information about the device and the network. Key strength options are RSA 768 to 2048 bits and DSA 1024 bits, with the ciphers 3des-cbc, aes128-cbc, aes192-cbc, aes256-cbc, aes128-ctr, aes192-ctr, aes256-ctr, arcfour128, arcfour256, arcfour, blowfish-cbc, and cast128-cbc. Of these, prefer the aes*-ctr ciphers and an RSA host key of at least 2048 bits: 768-bit RSA and 1024-bit DSA keys are below current minimums, arcfour, blowfish-cbc, cast128-cbc, and 3des-cbc are deprecated, and the CBC modes are exposed to plaintext-recovery attacks. A maximum of 32 concurrent SSHv2 sessions is supported.

Cinetd listens on a well-known port on behalf of the server program.
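The cipher list above is exactly what an SSH server advertises in its KEXINIT message during the unencrypted start of every session, so it can be audited from the network without credentials. The following is an added example, not from the Cisco document: it builds and parses an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1), flags the algorithms the preceding paragraph calls out as weak, and includes a live helper that performs only the version exchange against a real host. The sample KEXINIT is constructed from the page's own cipher list; the host-key and KEX names chosen for it are assumptions, and note that the RSA key size is not visible at this stage, only the key type.

```python
"""Audit the algorithms an SSH server offers in KEXINIT (added example)."""
import os
import socket
import struct

SSH_MSG_KEXINIT = 20
LEGACY_CIPHERS = {"3des-cbc", "arcfour", "arcfour128", "arcfour256", "blowfish-cbc", "cast128-cbc"}
WEAK_MACS = {"hmac-md5", "hmac-md5-96", "hmac-sha1-96"}
WEAK_KEX = {"diffie-hellman-group1-sha1"}
FIELDS = ("kex", "hostkey", "cipher_c2s", "cipher_s2c", "mac_c2s", "mac_s2c",
          "comp_c2s", "comp_s2c", "lang_c2s", "lang_s2c")

# The cipher list as printed in the guide (aes-128-cbc normalised to the OpenSSH name).
PAGE_CIPHERS = ("3des-cbc", "aes128-cbc", "aes192-cbc", "aes256-cbc", "aes128-ctr",
                "aes192-ctr", "aes256-ctr", "arcfour128", "arcfour256", "arcfour",
                "blowfish-cbc", "cast128-cbc")


def _namelist(names):
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex, hostkey, ciphers, macs, comp=("none",)):
    """Encode a KEXINIT payload: msg byte, 16-byte cookie, ten name-lists, bool, uint32 0."""
    lists = [kex, hostkey, ciphers, ciphers, macs, macs, comp, comp, (), ()]
    return (bytes([SSH_MSG_KEXINIT]) + os.urandom(16)
            + b"".join(_namelist(l) for l in lists) + b"\x00" + struct.pack(">I", 0))


def parse_kexinit(payload):
    """Decode a KEXINIT payload into {field: [algorithm, ...]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off, out = 1 + 16, {}
    for field in FIELDS:
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        out[field] = payload[off:off + n].decode("ascii").split(",") if n else []
        off += n
    return out


def audit(kexinit):
    """Return (field, algorithm, reason) for every offered algorithm that should be removed."""
    findings = []
    for field in ("cipher_c2s", "cipher_s2c"):
        for alg in kexinit[field]:
            if alg in LEGACY_CIPHERS:
                findings.append((field, alg, "deprecated cipher"))
            elif alg.endswith("-cbc"):
                findings.append((field, alg, "CBC mode, plaintext-recovery risk"))
    for alg in kexinit["hostkey"]:
        if alg == "ssh-dss":
            findings.append(("hostkey", alg, "DSA is limited to 1024-bit keys"))
    for field in ("mac_c2s", "mac_s2c"):
        findings += [(field, a, "weak MAC") for a in kexinit[field] if a in WEAK_MACS]
    findings += [("kex", a, "1024-bit DH group") for a in kexinit["kex"] if a in WEAK_KEX]
    return findings


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed before KEXINIT")
        buf += chunk
    return buf


def fetch_server_kexinit(host, port=22, timeout=5):
    """Live helper: do the version exchange only and return the server's KEXINIT payload."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"SSH-2.0-kexaudit_0.1\r\n")
        line = b""
        while not line.startswith(b"SSH-"):  # servers may send banner lines before the version
            line = b""
            while not line.endswith(b"\n"):
                line += _recv_exact(s, 1)
        packet_len, pad_len = struct.unpack(">IB", _recv_exact(s, 5))
        body = _recv_exact(s, packet_len - 1)
        return body[: packet_len - pad_len - 1]  # strip random padding


# Constructed sample reflecting the guide's list; host-key and KEX names are assumptions.
SAMPLE_KEXINIT = build_kexinit(
    kex=("diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"),
    hostkey=("ssh-rsa", "ssh-dss"), ciphers=PAGE_CIPHERS, macs=("hmac-md5", "hmac-sha1"))

if __name__ == "__main__":
    for field, alg, reason in audit(parse_kexinit(SAMPLE_KEXINIT)):
        print(f"{field:11} {alg:28} {reason}")
```

To audit a real Fabric Interconnect, replace SAMPLE_KEXINIT with fetch_server_kexinit("<fi-mgmt-ip>"); the helper never proceeds past KEXINIT, so no key exchange or authentication takes place.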

When a service request is received on the particular port, Cinetd notifies the server program that is associated with the service request. By default, Cinetd is not configured to listen for any services. If Telnet is enabled, issue the disable telnet-server command to disable the Telnet service on a Cisco UCS device.

Use a strong password chosen at Cisco UCS Manager installation. The system does not ship with a predefined default password. Users who are not actively administering the system should have their Account Status set to inactive. Accounts can be set to expire after a certain time using the Expire Account Timeframe configuration option; this allows the administrator to selectively expire accounts that are set up for short durations. Figure 3 shows how to expire an account on a certain date.

Multiple privileges can be assigned to a single user. Additionally, locales (UCS domains) can be assigned to users to manage different locations. There are two public key formats, OpenSSH and SECSH; both provide good security. It is suggested to limit the number of sessions to one. Use the Password Strength Check option, which is enabled by default. Strong passwords must meet the following requirements: For example, the password must not be based on a standard dictionary word.

Use SSH for maximum security when accessing the Cisco UCS device. Numerous authentication methods provide enhanced security. There is a maximum of 48 local user accounts. Furthermore, authentication grouping uses a maximum of 16 groups and a maximum of 8 providers per group. The provider authentication ordering method provides flexibility in which providers are used and which backups are in place. The default authentication ports are configurable. Additionally, roles can be customized by creating new roles and assigning privileges.

To employ a more secure method, use certificates from a trusted third-party certificate authority that affirms the identity of the Cisco UCS device, so that administrators are not trained to click through certificate warnings.