Cisco UCS Administration and RBAC (BRKCOM-2006), slide deck transcript: d2zmdbbm9feqrf.cloudfront.net/2014/usa/pdf/BRKCOM-2006.pdf
Cisco UCS Administration and RBAC
BRKCOM-2006
Jose Martinez
Technical Leader Services
@jose_at_csco
© 2014 Cisco and/or its affiliates. All rights reserved. BRKCOM-2006 Cisco Public
Agenda
• UCS Management Introduction
• SNMP and the UCS
• Smart Call Home
• XML and the UCS
• Authentication Methods
• Two Factor Authentication
• Organization & Locales
• Role-Based Access Control
Agenda
• Multi-UCS Management
• UCS in VMware Environments
• Collection & Threshold Policies
• Backups
• Conclusion
Cisco UCS Management Introduction
Cisco UCS Management Introduction
• Remote access to UCSM is available via
– HTTP (Port 80)
– HTTPS (Port 443)
– SSH (Port 22)
– Telnet (Port 23, disabled by default)
– SNMP (Port 161, disabled by default)
– CIM-XML (Port 5988, disabled by default)
• Multiple remote authentication mechanisms available
Cisco UCS Management Introduction: New Features in 2.1(2)
• Reduction of GUI JAR file size in the 2.1(2) release
– Original size 52.3 MB, new size 8.2 MB (overall 84% reduction)
• Better CIMC management added in the 2.1(2) release
– More visibility
– Ability to terminate sessions
Cisco UCS Management Introduction: New Features in 2.2(1)
• Direct KVM access via URL:
– http://<CIMC_IP_Address>
– https://<CIMC_IP_Address>
• Server admins have KVM access without having to go through UCSM
• Supported only over out-of-band (FI mgmt port)
Cisco UCS Management Introduction: New Features in 2.2(1)
• CIMC In-band Management Option
– CIMC traffic takes the same path as data traffic
– CIMC traffic is now separate from UCSM management traffic
– Supports both IPv4 and IPv6 traffic
– Only supported on M3 and newer compute blades
• A new Inband Profile is available under LAN tab > LAN Cloud > Global Policies
– Inband VLAN Group: list of VLANs available for inband communication
– Network: the default Inband VLAN used to configure Inband on servers when the user has not explicitly configured one
– IP Pool Name: pool from which the CIMC IP addresses are drawn
UCS Management Introduction: Model-Based Framework (diagram). The access paths (GUI, CLI, standards such as SNMP and IPMI, and the XML API) all operate on the Management Information Tree held by the Data Management Engine (DME), which drives the Application Gateways (AG) that talk to the Managed Endpoints. The framework is described as Available, Comprehensive, Modular, Reliable, Serviceable, Secure, Open and Module-Based.
Cisco UCS SNMP Support
Cisco UCSM SNMP Evolution
• UCSM 1.0(1) through 1.2(1) releases
– UCS Networking (NX-OS) MIBs support
• UCSM 1.3(1) release
– Reports equipment and logical faults
– CISCO-UNIFIED-COMPUTING-MIB
– Sends SNMP Traps or Informs when UCSM fault is raised or cleared
• UCSM 1.4(1) thru 2.2(1) releases
– 100% UCSM data model coverage via private MIBs
Cisco UCSM SNMP Features
• Support for SNMPv1, SNMPv2c and SNMPv3
• Cisco UCS supports read-only access to MIBs
• If using SNMPv3 the following authentication protocols are available
– HMAC-MD5-96 (MD5)
– HMAC-SHA-96 (SHA)
• If using SNMPv3 the privacy password offers a choice of DES or 128-bit AES encryption
• Starting with UCSM 2.0(2m) SNMP defaults to v3 when enabled
• Starting with UCSM 2.0(2m) non-secure SNMPv1/v2c access can be disabled while SNMP is still enabled
Cisco UCSM SNMP Fault Notification (Traps)
• UCSM supports two Traps
– cucsFaultActiveNotif – Generated whenever a fault is active and the fault state changes
– cucsFaultClearNotif – Generated whenever a fault is cleared
• Trap notifications include
– cucsFaultDescription
– cucsFaultAffectedObjectId
– cucsFaultCreationTime
– cucsFaultSeverity
– cucsFaultId
• Traps are defined in the CISCO-UNIFIED-COMPUTING-NOTIFS-MIB
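An added example of how a trap receiver can correlate the two notifications above into a table of currently active faults; it is not code from the deck or from Cisco. It works on the varbinds by the object names listed above (the numeric OIDs come from the CISCO-UNIFIED-COMPUTING-NOTIFS-MIB and are not shown), the trap stream is constructed, and the ordering of fault severities is an assumption to check against the MIB for the release in use.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed trap stream: each dict is the varbind set of one notification,
# keyed by the object names on the slide. Fault ids, DNs and text are made up.
SAMPLE_TRAPS = [
    {"trap": "cucsFaultActiveNotif", "cucsFaultId": 1001, "cucsFaultSeverity": "major",
     "cucsFaultAffectedObjectId": "sys/chassis-1/psu-2",
     "cucsFaultDescription": "Power supply 2 in chassis 1 power: off",
     "cucsFaultCreationTime": "2014-05-20T10:00:00Z"},
    # Same fault, state changed: UCSM sends cucsFaultActiveNotif again
    {"trap": "cucsFaultActiveNotif", "cucsFaultId": 1001, "cucsFaultSeverity": "critical",
     "cucsFaultAffectedObjectId": "sys/chassis-1/psu-2",
     "cucsFaultDescription": "Power supply 2 in chassis 1 power: failed",
     "cucsFaultCreationTime": "2014-05-20T10:00:00Z"},
    {"trap": "cucsFaultActiveNotif", "cucsFaultId": 1002, "cucsFaultSeverity": "warning",
     "cucsFaultAffectedObjectId": "sys/chassis-1/blade-3",
     "cucsFaultDescription": "Server 1/3 health: degraded",
     "cucsFaultCreationTime": "2014-05-20T10:05:00Z"},
    {"trap": "cucsFaultClearNotif", "cucsFaultId": 1001, "cucsFaultSeverity": "cleared",
     "cucsFaultAffectedObjectId": "sys/chassis-1/psu-2",
     "cucsFaultDescription": "Power supply 2 in chassis 1 power: ok",
     "cucsFaultCreationTime": "2014-05-20T10:00:00Z"},
    # A clear for a fault whose active notification was never received
    {"trap": "cucsFaultClearNotif", "cucsFaultId": 1003, "cucsFaultSeverity": "cleared",
     "cucsFaultAffectedObjectId": "sys/switch-A/slot-1/switch-ether/port-5",
     "cucsFaultDescription": "ether port 1/5 on fabric interconnect A oper state: up",
     "cucsFaultCreationTime": "2014-05-20T09:55:00Z"},
]

# Assumed severity order, lowest first; verify against the MIB textual convention.
SEVERITY_RANK = {s: i for i, s in enumerate(
    ["cleared", "info", "condition", "warning", "minor", "major", "critical"])}


@dataclass
class FaultTracker:
    active: Dict[int, dict] = field(default_factory=dict)
    unmatched_clears: List[int] = field(default_factory=list)

    def handle(self, trap: dict) -> None:
        fid = trap["cucsFaultId"]
        if trap["trap"] == "cucsFaultActiveNotif":
            # Keyed by fault id, so a severity change overwrites the earlier record
            self.active[fid] = {k: v for k, v in trap.items() if k != "trap"}
        elif trap["trap"] == "cucsFaultClearNotif":
            if self.active.pop(fid, None) is None:
                # Traps are unacknowledged UDP: record clears that match nothing so the
                # operator knows an active notification was missed.
                self.unmatched_clears.append(fid)
        else:
            raise ValueError(f"unknown notification type {trap['trap']!r}")

    def open_faults(self, at_least: str = "warning") -> List[dict]:
        """Active faults at or above the given severity, most severe first."""
        floor = SEVERITY_RANK[at_least]
        faults = [f for f in self.active.values()
                  if SEVERITY_RANK[f["cucsFaultSeverity"]] >= floor]
        return sorted(faults, key=lambda f: SEVERITY_RANK[f["cucsFaultSeverity"]], reverse=True)


def replay(traps: List[dict]) -> FaultTracker:
    tracker = FaultTracker()
    for trap in traps:
        tracker.handle(trap)
    return tracker


if __name__ == "__main__":
    t = replay(SAMPLE_TRAPS)
    for f in t.open_faults():
        print(f["cucsFaultSeverity"], f["cucsFaultAffectedObjectId"], f["cucsFaultDescription"])
    print("clears without a matching active fault:", t.unmatched_clears)
```

Because UCSM re-sends the active notification on every state change, the table keeps only the latest record per fault id, and a clear that matches nothing is kept as evidence of a lost trap rather than silently dropped.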
Cisco UCS SNMP MIB Files
• ftp://ftp.cisco.com/pub/mibs/supportlists/ucs/ucs-manager-supportlist.html
Cisco UCSM SNMP & Fault Suppression
• Fault Suppression Introduced in 2.1(1)
• Traps can be suppressed during specific time periods
• Suppression of transient faults for physical and logical entities
Cisco UCS Smart Call Home Support
Cisco UCS Smart Call Home
• Provides email-based notifications
• Email format can be text or XML
• Configuration dictates which faults or events generate alerts
• Alert messages can be delivered to a specific person or an email alias
• UCSM automatically executes the appropriate CLI commands and attaches their output to the message
• Some messages result in automatic Service Request creation
– http://www.cisco.com/en/US/docs/unified_computing/ucs/ts/faults/reference/TS_CallHomeFaults.html
Smart Call Home Architecture (diagram): the Intelligent Monitoring & Collection Engine on the customer side sends messages over a secure transport (HTTPS encryption and certificate-based authentication) across the Internet to Cisco, where the Diagnostics & Parsing Engine, Device Diagnostic Library and Remediation Recommendation Engine feed the Smart Call Home Portal and TAC. Outcomes include automatic SR creation and remediation recommendations, with secure authenticated access to the hosted portal for the customer.
Cisco UCS XML Support
Cisco UCSM XML API
• Programmatic interface
• Communicates over HTTP/HTTPS
• Standard Request/Response cycle
• Role Based Authentication
• Object Model Hierarchy
• Built-in Object Browser
• Published Schema
• High Availability
Copying the XML
• The UCSM GUI allows administrators to copy the XML used to create any object
• This can be helpful when developing scripts or creating applications with the XML API
Cisco UCSM Developer Network
• Downloads
– UCS Platform Emulator
– goUCS Automation Tool
– XML API, Perl and PowerShell code samples
• Documentation
– Programming & Developer Guides
– White papers
– Reference Guides
• Collaboration
– Blogs
– Videos
– Peer to peer forums
http://developer.cisco.com/web/unifiedcomputing/
UCS Case Examples for UCS XML API
• Manage Multiple UCS Systems
• Monitor and Integrate the Event Stream
• Automate Issue Remediation
• Automate Deployment
• Automate Backup
• Firmware Image Management
UCS Case Examples for UCS XML API: Cisco TAC
• Total of 29 domains
• Need an easy way to locate hardware or find particular software used
Cisco UCS Authentication Methods
Authentication Services
• During user login the UCSM
– Queries the local or remote authentication server
– Validates the user
– Checks for Roles and Locales assigned to the user
• A custom user attribute can be used to extend the schema of the remote authentication provider
– LDAP: CiscoAVPair custom attribute; ID 1.3.6.1.4.1.9.287247.1
– RADIUS: The vendor ID for the Cisco RADIUS implementation is 009, the vendor ID for the attribute is 001. Multiple roles or locales can be passed via the cisco-avpair with the following syntax: shell:roles="operations,network" shell:locales="Exec,Finance"
– TACACS+: The cisco-av-pair name is the string that provides the attribute ID for the provider. The following syntax can be used to pass multiple roles and locales: cisco-av-pair=shell:roles="operations network" shell:locales*"Engineering"
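An added example (not from the deck or from Cisco) of parsing the cisco-avpair value into roles and locales on the receiving side, in both the RADIUS (comma-separated) and TACACS+ (space-separated) forms shown above. Treating `*` as the TACACS+ optional-attribute separator follows the TACACS+ convention; the sample strings are constructed, and the fallback to a `read-only` default role in `apply_role_policy` is this example's own assumption about how a role policy default might be represented.

```python
import re
from dataclasses import dataclass, field
from typing import List, Set

# Constructed AV-pair strings in the shapes shown on the slide. RADIUS separates
# list items with commas; TACACS+ uses spaces, and an attribute the TACACS+
# server marks optional uses '*' instead of '=' between name and value.
SAMPLE_RADIUS = 'shell:roles="operations,network" shell:locales="Exec,Finance"'
SAMPLE_TACACS = 'shell:roles="operations network" shell:locales*"Engineering"'

# One shell:<key><sep><value> pair; the value is double-quoted or a bare token.
_PAIR = re.compile(
    r'shell:(?P<key>roles|locales)(?P<sep>[=*])(?:"(?P<quoted>[^"]*)"|(?P<bare>\S+))')


@dataclass
class UcsAuthorization:
    roles: List[str] = field(default_factory=list)
    locales: List[str] = field(default_factory=list)
    optional_keys: Set[str] = field(default_factory=set)  # keys sent with '*'


def parse_cisco_avpair(avpair: str) -> UcsAuthorization:
    """Extract roles and locales from a cisco-avpair value (RADIUS or TACACS+ form)."""
    auth = UcsAuthorization()
    for m in _PAIR.finditer(avpair):
        raw = m.group("quoted") if m.group("quoted") is not None else m.group("bare")
        # Accept either list separator so one parser serves both provider types
        values = [v for v in re.split(r"[,\s]+", raw) if v]
        getattr(auth, m.group("key")).extend(values)
        if m.group("sep") == "*":
            auth.optional_keys.add(m.group("key"))
    return auth


def apply_role_policy(auth: UcsAuthorization, known_roles: Set[str],
                      default_role: str = "read-only") -> List[str]:
    """This example's policy: keep only roles the UCS domain defines, and fall
    back to an assumed default role when the provider supplied none that match."""
    roles = [r for r in auth.roles if r in known_roles]
    return roles or [default_role]


if __name__ == "__main__":
    for sample in (SAMPLE_RADIUS, SAMPLE_TACACS):
        a = parse_cisco_avpair(sample)
        print(a.roles, a.locales, sorted(a.optional_keys))
```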
Cisco UCSM Multiple Authentication Model (diagram): LDAP, RADIUS and TACACS+ providers
Providers and Provider Groups
• Providers
– Servers used by UCSM to authenticate users
– A total of 16 servers per authentication method
– Defined by IP or Hostname
Providers and Provider Groups: Nested LDAP Groups
• Release 2.1(2) added support for nested LDAP groups
• Before 2.1(2), to process nested group membership the admin had to configure every group in the hierarchy
• Users would end up configuring many LDAP groups at the UCSM level and executing large, inefficient queries
• The number of groups allowed could prove insufficient
Providers and Provider Groups: Nested LDAP Groups
• Supported only for Microsoft AD
• No change when choosing Open LDAP as vendor
Providers and Provider Groups
• Provider Groups
– Providers can be separated into groups
– A single Provider can be present in more than one Provider Group
– A total of 16 Provider Groups can be defined per authentication method
– The administrator can set the order the Providers are queried
– If all Providers are unavailable or unreachable, then UCSM automatically falls back to the local authentication method using the local credentials
– Change in 2.1: changing the order requires the auth-domain to be set to local to complete without error
Authentication Domain and Realms
• Domains
– Allows UCSM to leverage multiple authentication systems
– Up to eight (8) different domains per system
– Domains are always tied to a Realm
– Provider groups can be assigned
– If no provider group is listed, then all servers within the Realm are used
• Realms
– Defines the authentication protocol for a particular Domain
– Type: Local, RADIUS, TACACS+ or LDAP
Default and Console Authentication
• Default and Console Authentication are accessed via the Native Authentication option
• Default Authentication is used when a user logs in via SSH/Telnet/GUI/XML but no domain was specified
• Console Authentication is used when a user logs in via the Console port on the FI
• Valid Realms are Local, RADIUS, TACACS+, LDAP and None
• The Role policy defines which roles to assign if the Provider did not supply roles
Login using Authentication Domain
• For SSH, Telnet or XML the username should include the domain for it to be qualified properly
– XML : <aaaLogin inName="ucs-server-mgmt\ciscolive" inPassword="Cisco12345" />
– Telnet : ucs-network-mgmt\ciscolive
– ssh ucs-network-mgmt\\[email protected]
• For GUI a list of Domains can be selected from a pull down menu
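An added example (not part of the deck or of any Cisco tool) showing how the domain-qualified name is assembled for the XML API and for the ssh command line, and how an aaaLogin response is read. The response attributes `outCookie`, `outRefreshPeriod`, `outPriv`, `outDomains`, `errorCode` and `errorDescr` are as I recall them from the UCS XML API and should be checked against the API reference; the sample responses are constructed, and the credentials are the slide's own example values.

```python
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed responses. Values are made up; attribute names follow the
# aaaLogin method as I recall it (an assumption to verify against the reference).
SAMPLE_OK = (b'<aaaLogin cookie="" response="yes" outCookie="1400000000/EXAMPLE-COOKIE" '
             b'outRefreshPeriod="600" outPriv="read-only" outDomains="ucs-server-mgmt" />')
SAMPLE_FAIL = (b'<aaaLogin cookie="" response="yes" errorCode="551" '
               b'invocationResult="unidentified-fail" errorDescr="Authentication failed" />')


def build_aaa_login(user: str, password: str, domain: Optional[str] = None) -> bytes:
    """Serialize an aaaLogin request. Prefixing the user with 'domain\\' selects the
    authentication domain. ElementTree escapes XML-special characters (&, <, ")
    in the password, which hand-built request strings frequently get wrong."""
    in_name = f"{domain}\\{user}" if domain else user
    req = ET.Element("aaaLogin", inName=in_name, inPassword=password)
    return ET.tostring(req)


def ssh_login_target(user: str, domain: str, host: str) -> str:
    """Domain-qualified user for an ssh command line: the shell consumes one
    backslash, so the command line needs two, as on the slide."""
    return f"{domain}\\\\{user}@{host}"


def parse_aaa_login_response(body: bytes) -> dict:
    """Return the session cookie and its refresh period, or raise on a failed login."""
    root = ET.fromstring(body)
    if root.tag != "aaaLogin" or root.get("response") != "yes":
        raise ValueError("not an aaaLogin response")
    if root.get("errorCode") is not None:
        raise PermissionError(f"{root.get('errorCode')}: {root.get('errorDescr', 'login failed')}")
    return {
        "cookie": root.attrib["outCookie"],
        "refresh_seconds": int(root.get("outRefreshPeriod", "0")),
        "privileges": [p for p in root.get("outPriv", "").split(",") if p],
        "domain": root.get("outDomains"),
    }


if __name__ == "__main__":
    print(build_aaa_login("ciscolive", "Cisco12345", "ucs-server-mgmt").decode())
    print("ssh", ssh_login_target("ciscolive", "ucs-network-mgmt", "fi-a.example.com"))
    print(parse_aaa_login_response(SAMPLE_OK))
```

The cookie returned by aaaLogin is a bearer credential for the rest of the session, so it belongs in memory or a protected store, not in logs or scripts.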
Troubleshooting Provider Connection
• Test command for individual server executed from NXOS CLI
F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason passwd
user has failed authentication
Invalid credentials
F340-33-16-FI-B(nxos)# test aaa server ldap 14.17.111.110 jomartin passwd
can not find the LDAP server
Troubleshooting Provider Connection
• Test command for server executed from NXOS CLI
F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason password
user has been authenticated
Attributes downloaded from remote server:
User Groups:
CN=ucsadmin,OU=CiscoUCS,DC=jlill,DC=lab
Roles:
admin
F340-31-17-FI-A-A(nxos)# test aaa server ldap 14.17.111.100 jason password
user has been authenticated
Attributes downloaded from remote server:
User Groups:
CN=ucskvm,OU=CiscoUCS,DC=jlill,DC=lab
Roles:
kvm-only
Troubleshooting Provider Connection
• Test command for Provider Group executed from NXOS CLI
F340-31-17-FI-A-A(nxos)# test aaa group jlill-dc jason password
Problem in validating the group
F340-31-17-FI-A-A(nxos)# test aaa group jlill-dc1 jason password
user has been authenticated
Attributes downloaded from remote server:
User Groups:
CN=ucsadmin,OU=CiscoUCS,DC=jlill,DC=lab
Roles:
admin
Troubleshooting Provider Connection
• Debug output executed from the NXOS CLI
– debug <radius | tacacs+ | ldap>
– debug aaa all
• Usually done with TAC assistance
• Always turn all debugs OFF after troubleshooting
– undebug all
Troubleshooting Provider Connection
• Ethanalyzer tool usage from the NXOS level
– Selecting the mgmt interface captures all traffic to/from the management port
– Cannot be used to capture the 10GE ports on the motherboard
– Captures can be saved as a pcap file to open in Wireshark
Active Directory Integration using LDAP
• Release 1.4(1) introduced the ability to configure LDAP to an Active Directory environment without the need for AD schema changes
• Pre-1.4(1) configurations need to be removed first
• The use of editors, like ADSI Edit, makes it easier to collect information and edit the CiscoAVPair attribute
• When using Active Directory as LDAP server you need to create a user account to bind to UCS. It should be given a non-expiring password.
• Caveat – In 1.4 and 2.0 UCSM releases there was no way to map LDAP group to Read-Only Role. This was resolved in 2.1 release. There is a work-around available for 1.4 and 2.0 releases.
Active Directory Integration using LDAP
• The following information is needed to configure the LDAP communication
– Hostname or IP of server. If encryption over SSL is used, then the FQDN is needed
– Bind DN. This is the distinguishedName attribute of the account.
– Base DN. This is the distinguishedName of the domain.
– Filter. This is the sAMAccountName attribute. Format is attribute=$userid
– Attribute. This is the CiscoAVPair attribute. Can be left alone if you don't want to modify the schema; instead, use LDAP Group Maps in UCSM.
– Password. This is the bind user's password
• If using SSL the port can be kept at the default of 389. The endpoints will negotiate a TLS session on port 636.
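An added example (not from the deck) of what a client does with the Filter and Hostname entries above: the login name substituted into `attribute=$userid` is escaped per RFC 4515 so a name containing `(`, `)`, `*` or `\` cannot change the shape of the filter, and an SSL-enabled provider is checked for an FQDN rather than an IP literal. The provider settings are constructed, and `validate_provider` is this example's own checklist, not a UCSM function.

```python
import ipaddress
from typing import List

# Constructed provider settings in the shape of the slide's checklist.
SAMPLE_PROVIDER = {
    "hostname": "dc1.example.com",   # FQDN, required when SSL is enabled
    "ssl": True,
    "bind_dn": "CN=ucsbind,OU=ServiceAccounts,DC=example,DC=com",
    "base_dn": "DC=example,DC=com",
    "filter": "sAMAccountName=$userid",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515): backslash,
    '*', '(', ')', NUL and non-ASCII bytes become \\xx hex escapes."""
    out = []
    for b in value.encode("utf-8"):
        if b in b"\\*()\x00" or b >= 0x80:
            out.append("\\%02x" % b)
        else:
            out.append(chr(b))
    return "".join(out)


def build_user_filter(filter_template: str, userid: str) -> str:
    """Substitute the login name into the provider's attribute=$userid template
    and wrap it in the parentheses an LDAP search requires."""
    return "(" + filter_template.replace("$userid", escape_ldap_filter_value(userid)) + ")"


def validate_provider(cfg: dict) -> List[str]:
    """Return the problems found against the checklist on the slide (example's own)."""
    problems = []
    try:
        ipaddress.ip_address(cfg["hostname"])
        is_ip_literal = True
    except ValueError:
        is_ip_literal = False
    if cfg["ssl"] and is_ip_literal:
        problems.append("SSL enabled: hostname must be the FQDN, not an IP address")
    if "$userid" not in cfg["filter"]:
        problems.append("filter must contain $userid")
    if not cfg["base_dn"]:
        problems.append("base DN is required")
    return problems


if __name__ == "__main__":
    print(build_user_filter(SAMPLE_PROVIDER["filter"], "jason"))
    print(build_user_filter(SAMPLE_PROVIDER["filter"], "jason)(objectClass=*"))
    print(validate_provider(SAMPLE_PROVIDER))
```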
Two Factor Authentication
Two Factor Authentication: Why?
• The UCS Manager originally supported only logins with username and password
• Sometimes weak passwords are selected, which can be easily cracked
• There are constant phishing attacks that trick people daily into revealing their passwords
• Users on unsecured networks can have their passwords sniffed or stolen
• Malicious viruses and spyware can capture passwords as the user enters them
• Conclusion: passwords are not enough to protect critical applications from unauthorized access
Two Factor Authentication: Introduction
• Starting in release 2.2(1) the Cisco UCS Manager supports two factor authentication
• Having a second factor for authentication prevents unauthorized users from accessing systems even in cases where the password is compromised
• The Cisco UCS Manager considers a TOKEN as the second factor
• There is an option under authentication domains that allows enabling this feature
• Only authentication domains defined with an authentication realm of RADIUS or TACACS+ are supported
Two Factor Authentication: Introduction
• Passwords are stored in the AAA server
• Users have to enter their user name, then enter a token and password combination in the password field
• Requests are sent to the token server to retrieve a vendor specific attribute
• Cisco UCS Manager expects the token server to be integrated with the AAA server so it forwards the request to the AAA server
• The password and token are validated at the same time by the AAA server
• Users need to enter the token and password sequence in the same order as it is configured in the AAA server.
Two Factor Authentication: Introduction
• This feature is currently validated with the following two vendors:
– RSA SecurID
– Symantec VIP EG
Two Factor Authentication: Configuration
• Only available for the RADIUS or TACACS+ Realms
Two Factor Authentication
• No changes to the login dialog for GUI or KVM launch manager
• The Cisco UCS Manager does not reveal any info on the two factor authentication domains
• This is the same for CLI login
Two Factor Authentication
• Authentication Domains created prior to an upgrade remain the way they were before (no two factor authentication)
• New Domains created after the upgrade will have two factor authentication if selected during creation
• If a downgrade is performed, then any Domains that are configured for two factor authentication need to be changed to not use it or deleted
• The following fault is reported during downgrades if two factor authentication domain is configured
– Error: Update failed: [Before downgrade, remove auth-domains having two-factor enabled.]
Cisco UCSM Organizations and Locales
Organizations
• Allows dividing the infrastructure into logical entities
• Extremely helpful in multi-tenancy environments
• Multiple levels of sub-organizations can be created. Up to a maximum of 5 levels under Root.
Organizations
• Resources, pools, service-profiles in one organization are not available to other organizations
• In multi-level configurations if a resource or policy is not found, then the system moves up the hierarchy looking for the same name until found. If UCSM cannot find an applicable policy or available resource in the hierarchy, then it returns an allocation error.
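An added example (not UCSM code) of the lookup the bullets describe: a policy referenced from a sub-organization is searched in that org, then in each parent up to org-root, and an allocation error is raised when nothing in the hierarchy matches, including a policy that exists only in a sibling organization. The org tree and policy names are constructed; the DN style follows UCSM's `org-root/org-<name>` convention.

```python
from typing import Dict, Iterator, List

# Constructed organization tree: org DN -> policy type -> names defined there.
POLICIES: Dict[str, Dict[str, List[str]]] = {
    "org-root": {"boot-policy": ["default", "san-boot"], "bios-policy": ["default"]},
    "org-root/org-Finance": {"boot-policy": ["san-boot"]},   # shadows the root copy
    "org-root/org-Finance/org-Dev": {},
    "org-root/org-HR": {"boot-policy": ["hr-local-boot"]},    # a sibling tree
}


class AllocationError(LookupError):
    """Raised when no org in the hierarchy defines the requested policy."""


def ancestors(org_dn: str) -> Iterator[str]:
    """Yield org_dn, then its parent, and so on up to org-root."""
    parts = org_dn.split("/")
    for depth in range(len(parts), 0, -1):
        yield "/".join(parts[:depth])


def resolve(org_dn: str, policy_type: str, name: str,
            policies: Dict[str, Dict[str, List[str]]] = POLICIES) -> str:
    """Return the DN of the org whose copy of the policy applies to org_dn.

    The nearest definition wins, so a sub-org can override a root policy of the
    same name; sibling orgs are never consulted."""
    for org in ancestors(org_dn):
        if name in policies.get(org, {}).get(policy_type, ()):
            return org
    raise AllocationError(f"{policy_type} '{name}' not found in the hierarchy above {org_dn}")


if __name__ == "__main__":
    dev = "org-root/org-Finance/org-Dev"
    print(resolve(dev, "boot-policy", "san-boot"))   # found one level up
    print(resolve(dev, "boot-policy", "default"))    # found at org-root
    try:
        resolve(dev, "boot-policy", "hr-local-boot")  # exists only under org-HR
    except AllocationError as e:
        print("allocation error:", e)
```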
Locales
• Locales work in conjunction with Organizations in a multi-tenancy environment to restrict access
• Locales tie one or multiple Organizations to a user
• More than one Locale can be assigned to a single user
• A user assigned an Organization has access to all Sub-Organizations in that hierarchy
• A UCS system can contain up to 48 locales
• Users with aaa, admin or operations privileges cannot be assigned a Locale
Locales Configuration
• Locales are created under the Admin tab in User Management > User Services
• Creating the locale is as simple as drag/drop the Organization from the list to the pane
Cisco UCSM Role-Based Access Control (RBAC)
Role-Based Access Control (RBAC)
• RBAC is a method of restricting or authorizing system access for a particular user
• Utilizes Roles and Locales
• A Role consists of one or more Privileges that will be assigned to the user
• Privileges are very granular
• There are a total of 11 default Roles (as of 2.2.1c)
• Administrators can create custom Roles by selecting specific Privileges
– Example: a custom Role for KVM-only access can be created by assigning only the Service Profile Ext Access privilege to the new Role.
• Privileges cannot be modified
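An added example (not UCSM code) modelling how Roles, Privileges and Locales combine in an authorization decision under the Locale and Role rules on the last two slides: a Role is a set of Privileges, a Locale grants an Organization and everything beneath it, and users holding aaa, admin or operations privileges cannot be given a Locale. The role table is constructed and far smaller than the real one, the privilege names are those used on the slides, and treating a user without Locales as unrestricted and `admin` as implying every privilege are this example's assumptions.

```python
from dataclasses import dataclass, field
from typing import Set

# Constructed role -> privilege table; the real default roles and full privilege
# list are in the UCSM documentation. Privilege names are as written on the slides.
ROLES = {
    "admin": {"admin"},
    "operations": {"operations"},
    "read-only": {"read-only"},
    "kvm-only": {"Service Profile Ext Access"},   # the custom role from the slide
}
# Users holding any of these privileges cannot be assigned a Locale
GLOBAL_PRIVILEGES = {"aaa", "admin", "operations"}


@dataclass
class User:
    name: str
    roles: Set[str]
    locales: Set[str] = field(default_factory=set)   # org DNs granted by Locales


def privileges(user: User) -> Set[str]:
    return set().union(*(ROLES[r] for r in user.roles))


def assign_locale(user: User, org_dn: str) -> None:
    if privileges(user) & GLOBAL_PRIVILEGES:
        raise ValueError(f"{user.name}: users with aaa/admin/operations privileges cannot be assigned a Locale")
    user.locales.add(org_dn)


def in_scope(user: User, org_dn: str) -> bool:
    """A Locale grants an Organization and all of its sub-organizations."""
    if not user.locales:
        return True   # assumption: a user without Locales is not restricted by organization
    return any(org_dn == granted or org_dn.startswith(granted + "/") for granted in user.locales)


def authorize(user: User, privilege: str, org_dn: str) -> bool:
    """Allow only when the user holds the privilege and the target org is in scope."""
    privs = privileges(user)
    has_priv = "admin" in privs or privilege in privs   # assumption: admin implies all
    return has_priv and in_scope(user, org_dn)


if __name__ == "__main__":
    kvm = User("finance-kvm", {"kvm-only"})
    assign_locale(kvm, "org-root/org-Finance")
    print(authorize(kvm, "Service Profile Ext Access", "org-root/org-Finance/org-Dev"))  # in scope
    print(authorize(kvm, "Service Profile Ext Access", "org-root/org-HR"))              # other tenant
    print(authorize(kvm, "Service Profile Config", "org-root/org-Finance"))             # lacks privilege
```

The `granted + "/"` comparison matters: a plain prefix test would let a Locale on `org-root/org-Finance` reach a sibling named `org-root/org-Finance2`.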
Role-Based Access Control (RBAC): default Roles and Network Role privileges (screenshots)
RBAC via LDAP Group Maps
• LDAP Group Maps allow an administrator to associate an Active Directory group with a UCS role
• If the organization already uses LDAP groups to define authorization policies, UCSM uses group membership information to assign the authorization policy (Roles and Locales)
• This eliminates the need to define this information for individual users in LDAP
• This also helps where customers prefer not to modify Active Directory while deploying UCS
RBAC via LDAP Group Maps
• A maximum of 28 LDAP Group Maps
• Support for nested LDAP groups expected in 2.1 Maintenance Release
LDAP Integration Workflow
• LDAP Admin
– Defines users
– Puts users into groups
• UCS Admin
– Defines Roles and Locales
– Maps Roles and Locales to LDAP groups
• Login
– User logs into UCSM
– UCSM authenticates the user with LDAP
– UCSM reads the user's group membership
– UCSM applies Roles and Locales based on the LDAP Group Map
Multi-UCS Management – UCS Central
Cisco UCS Central Overview
• External VM-based application
• Requires UCSM 2.1(1) or above
• VM available for VMware and Hyper-V hypervisors
• Allows multiple UCS systems to be managed from a single management tool
• Simplifies large scale UCS deployments
• Extension of the management paradigm
• Similar hierarchical presentation to UCSM
– Domains, Domain Groups, Sub-Domains
• Licensed per Domain (pair of Fabric Interconnects)
Cisco UCS Central Overview
• First five (5) Domains do not require a license
• 1.0 feature highlights
– Inventory
– Global ID Pools, Domain Groups and Global Administrative Policies
– Audit, Fault and Event Log Aggregation
– Firmware Upgrades, Backup
– UCS Manager and KVM Launch
• 1.1 feature highlights
– Global Service Profiles and Templates
– Global Domain Specific Identifiers
– Enhanced Inventory of UCS
– Globalization of Local Policies and Localization of Global Policies
Centralized Inventory (screenshot): global inventory of all UCS components organized by Domain; tree view of devices similar to UCSM, with Domains grouped under their Domain Groups; overall status and details; faults on selected resources with their status and details; refreshes on a customizable schedule
Centralized Usage & Availability Summary (screenshot)
Centralized Fault Summary (screenshot)
Cisco UCS Central Overview: SNMP Support with 1.1
• Supports SNMP versions v1, v2c and v3
• Supports only system MIBs. Selected tables under:
– UCD-SNMP-MIB
– HOST-RESOURCES-MIB
– IF-MIB, IP-MIB
– SNMP-FRAMEWORK-MIB
– DISMAN-EVENT-MIB
• No support for the IPv6 MIB
• Read-only access is supported; no set operation
• No support for UCS Central MIBs
• Trap generation (system load, disk usage)
Centralized Firmware Upgrade (diagram): automated, scheduled downloads from Cisco.com populate the UCS Central Firmware Library, which feeds Global Firmware Policies and Firmware Auto Install
Cisco UCS VMware Interaction
Cisco UCS Plugin for VMware vCenter
• Allows admins to view, manage and monitor various aspects of Cisco UCS physical infrastructure
• Single pane of glass for vCenter users to get both physical and virtual infrastructure information
• Latest vCenter Plugin: 0.9.4
– Support for vCenter 5.5
– List, create and manage service-profiles and service-profile templates
– Manage Host FW packages
– Reload UCS domain
– Manage BIOS Policies
• Requires VMware vSphere PowerCLI 5.1
UCSM Collection and Threshold Policies
Cisco UCSM Statistic Collection Policy
• Policy defines
– How frequently stats are to be collected (collection interval)
– How frequently stats are to be reported (reporting interval)
• Report Interval Time > Collection Interval Time
• Stats can be collected and reported for the following areas:
– Adapter
– Chassis
– Fex
– Host
– Port
– Server
Cisco UCSM Statistic Collection Policy
• Only one (1) default policy per area present which cannot be deleted
• New stats collection policies cannot be created
• Only modification of the default policy is allowed
GUI Statistics Collection Display
• Since there are several collections per report the UCSM provides a min/max/avg display for each stat
Cisco UCSM Statistic Threshold Policy
• Monitors stats about certain aspects of the system
• Generates an event if a threshold is crossed
• Minimum and Maximum thresholds can be configured
• Threshold policy does not control any hardware, just raises alarms
• Available for the following components
– Uplink Ethernet Ports
– Uplink Fibre Channel Ports
– Ethernet server ports
– Server and server components
– Chassis
– Fabric Interconnects
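An added example (not UCSM code) of the Collection and Threshold policies working together as the preceding slides describe: samples taken every collection interval are grouped into reporting windows and summarised as the min/max/avg the GUI displays, and each report is then checked against minimum and maximum thresholds that only raise events and never act on hardware. The port statistics and the interval values are constructed.

```python
from statistics import mean
from typing import List, Optional, Tuple

# Constructed samples: bytes/s received on one uplink port, one value per
# collection interval (30 s), spanning three reporting intervals (120 s).
SAMPLE_RX_BPS = [100, 120, 110, 130, 900, 950, 1000, 980, 50, 60, 55, 58]
COLLECTION_INTERVAL = 30
REPORTING_INTERVAL = 120


def samples_per_report(collection_interval: int, reporting_interval: int) -> int:
    """The reporting interval must be longer than the collection interval."""
    if reporting_interval <= collection_interval:
        raise ValueError("reporting interval must be greater than the collection interval")
    return reporting_interval // collection_interval


def build_reports(samples: List[float], collection_interval: int,
                  reporting_interval: int) -> List[dict]:
    """Summarise each reporting window with the min/max/avg of its collections."""
    n = samples_per_report(collection_interval, reporting_interval)
    reports = []
    for start in range(0, len(samples), n):
        window = samples[start:start + n]
        reports.append({"min": min(window), "max": max(window),
                        "avg": mean(window), "samples": len(window)})
    return reports


def evaluate_thresholds(report: dict, normal_min: Optional[float] = None,
                        normal_max: Optional[float] = None) -> List[Tuple[str, float]]:
    """Return threshold-crossing events for one report; the policy only alarms."""
    events = []
    if normal_max is not None and report["max"] > normal_max:
        events.append(("above-normal-max", report["max"]))
    if normal_min is not None and report["min"] < normal_min:
        events.append(("below-normal-min", report["min"]))
    return events


def run(samples: List[float] = SAMPLE_RX_BPS, normal_min: float = 75,
        normal_max: float = 800) -> List[Tuple[dict, List[Tuple[str, float]]]]:
    return [(r, evaluate_thresholds(r, normal_min, normal_max))
            for r in build_reports(samples, COLLECTION_INTERVAL, REPORTING_INTERVAL)]


if __name__ == "__main__":
    for report, events in run():
        print(report, events)
```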
Cisco UCSM Statistic Threshold Policy
• It can be configured via Policy under the Server, LAN, SAN or Admin tab
• Define Name > Define Threshold Classes > Define Threshold Definition
Cisco UCSM Statistic Threshold Policy
• Once defined, it can be added to any service-profile through the Policies tab
Cisco UCSM Backups
Backup Operation
• Allows the backup of the Domain configuration
• There are four (4) types of backup options
– Full state
– All configuration
– System configuration
– Logical configuration
• Multiple transport protocol options
– FTP
– TFTP
– SCP
– SFTP
Backup Options
• Full State
– Binary file that contains full configuration of system
– Ideal for DR situations
– Cannot be used for an import
• All Configuration
– XML file that contains all system and logical configuration of system
– Cannot be used to restore system
– Ideal to import the stored configuration settings back to the same or new UCSM
– Does not include passwords for Locally Authenticated Users
Backup Options
• System Configuration
– XML file that includes all system configurations (username, roles, locales, etc)
– Cannot be used to restore system
– Ideal to import the stored configuration settings back to the same or new UCSM
• Logical Configuration
– XML file that includes all logical configurations (Service-profile, VLAN, VSAN, etc)
– Cannot be used to restore system
– Ideal to import the stored configuration settings back to the same or new UCSM
• The All Configuration and Logical Configuration options offer the choice to Preserve Identities
– The backup file preserves all identities derived from pools, including the MAC addresses, WWPN, WWNN, and UUIDs
Backup Automation
• Backup Export Policy introduced in 2.1(1) release
In Conclusion
Takeaways
• SNMP support for a large number of MIBs, ideal for monitoring the system
• Smart Call Home expedites time to resolution through automatic SR creation
• A very powerful XML API programmatic interface assists in many tasks
• Multiple authentication methods are available
• Use of Roles and Locales allows tasks to be divided among smaller groups
• UCS Central provides a single window onto multiple UCS Domains
• Stats Collection and Threshold Policies can provide insight into traffic patterns
• Backup – if you haven't backed up your system, then that is your HOMEWORK!
Participate in the “My Favorite Speaker” Contest
• Promote your favorite speaker through Twitter and you could win $200 of Cisco Press products (@CiscoPress)
• Send a tweet and include
– Your favorite speaker’s Twitter handle <@jose_at_csco>
– Two hashtags: #CLUS #MyFavoriteSpeaker
• You can submit an entry for more than one of your “favorite” speakers
• Don’t forget to follow @CiscoLive and @CiscoPress
• View the official rules at http://bit.ly/CLUSwin
Promote Your Favorite Speaker and You Could be a Winner
Complete Your Online Session Evaluation
• Give us your feedback and you could win fabulous prizes. Winners announced daily.
• Complete your session evaluation through the Cisco Live mobile app or visit one of the interactive kiosks located throughout the convention center.
Don’t forget: Cisco Live sessions will be available for viewing on-demand after the event at CiscoLive.com/Online
Continue Your Education
• Demos in the Cisco Campus
• Walk-in Self-Paced Labs
• Table Topics
• Meet the Engineer 1:1 meetings