Lesson 11 : Cisco UCS

Unified Computing System (UCS)
• A unique architecture that integrates compute, data, network access and storage network access
• Single management portal (single pane of glass)
• Goal is simple:
  • Unify fabrics
  • Optimize virtualization
  • Remove unnecessary resources:
    • Switches
    • Adapters
    • Management modules

UCS – The Ultimate Solution
• High Availability
• Scalability
• Flexibility
• Optimized Server Virtualization

Components
• Cisco UCS Manager
• Cisco UCS Fabric Interconnect
• Cisco UCS I/O Modules
• Cisco UCS Blade Server Chassis
• Cisco UCS B-Series Blade Server
• Cisco UCS Rack Servers
• UCS Virtual Adapters
Cisco UCS Manager

Cisco UCS Fabric Interconnects
• Core component of Cisco UCS deployments
• Provides both network connectivity and management capabilities
• Components:
  • Cisco UCS 6200 / 6332 Series Fabric Interconnects (FI), Cisco UCS Mini
  • Transceivers for network and storage connectivity
  • Expansion modules
  • Cisco UCS Manager software
Cisco UCS I/O Modules (IOMs)
• Cisco UCS IOMs are also known as Cisco Fabric Extenders (FEX)
• Serve as line cards to the FI. Always used in pairs in production
• Provide interface connections to blade servers

IOM model | Uplink ports | I/O to the chassis
UCS 2408 FEX | 8 x 25-Gbps uplink ports | Up to 320 Gbps
UCS 2304 FEX | 4 x 40-Gbps QSFP+ uplink ports | Up to 320 Gbps
UCS 2208XP FEX | 8 x 10-Gbps SFP+ uplink ports | Up to 160 Gbps
UCS 2204XP FEX | 4 x 10-Gbps SFP+ uplink ports | Up to 80 Gbps
Cisco UCS Blade Server Chassis
Cisco UCS 5108 Blade Server Chassis
• Cisco UCS 5100 Series Blade Server Chassis
• 6 RU chassis
• Up to 8 half-width server blades
• Up to 4 full-width server blades
• Redundant hot-swappable power supplies
• Reduces total cost of ownership
• Supports all generations of fabric interconnects
• Requires no independent management
• Energy efficient
Cisco Virtual Interface Cards (VICs)
• Cisco UCS Virtual Interface Cards (VICs) extend the network fabric directly to both servers and virtual machines
• Provide complete programmability of the Cisco UCS I/O infrastructure
• Capable of 10G/25G/40G/100G Ethernet and FCoE
• Incorporate Cisco’s next-generation Converged Network Adapter (CNA) technology
• Support Virtual Machine Fabric Extender (VM-FEX) technology
• Cisco UCS VIC 1400:
  • Stateless and agile platform
  • Network interface virtualization

Cisco 1400 Series VICs
Cisco VIC 1440 | single-port 40-Gbps or 4x10-Gbps Ethernet/FCoE capable modular LAN On Motherboard (mLOM)
Cisco VIC 1480 | single-port 40-Gbps or 4x10-Gbps Ethernet/FCoE capable mezzanine card (mezz)
Cisco VIC 1455 | 10/25-Gbps Ethernet or FCoE (quad-port Small Form-Factor Pluggable (SFP28) half-height PCIe card)
Cisco VIC 1457 | 10/25-Gbps Ethernet or FCoE (quad-port SFP28 mLOM card)
Cisco VIC 1495 | 40/100-Gbps Ethernet or FCoE (dual-port Quad Small Form-Factor Pluggable (QSFP28) PCIe card)
Cisco VIC 1497 | 40/100-Gbps Ethernet or FCoE (dual-port QSFP28 mLOM card)
Setup using CLI
Enter the installation method (console/gui)? console
Enter the setup mode (restore from backup or initial setup) [restore/setup]? setup
You have chosen to setup a new switch. Continue? (y/n): y
Enter the password for “admin”: adminpassword
Confirm the password for “admin”: adminpassword
Do you want to create a new cluster on this switch (select ‘no’ for standalone setup or if you want this switch to be added to an existing cluster)? (yes/no) [n]: yes
Enter the switch fabric (A/B): A
Enter the system name: UCS-Demo
Mgmt0 IPv4 address: 172.16.18.3
Mgmt0 IPv4 netmask: 255.255.255.0
IPv4 address of the default gateway: 172.16.18.254
Virtual IPv4 address: 172.16.18.2
Configure the DNS Server IPv4 address? (yes/no) [n]: yes
DNS IPv4 address: 172.16.18.1
Configure the default domain name? (yes/no) [n]: yes
Default domain name: mydc.com

Setup using CLI (contd…)
Join centralized management environment (UCS Central)? (yes/no) [n]: no
Following configurations will be applied:
Switch Fabric=A
System Name=UCS-Demo
Management IP Address=172.16.18.3
Management IP Netmask=255.255.255.0
Default Gateway=172.16.18.254
Cluster Enabled=yes
Virtual Ip Address=172.16.18.2
DNS Server=172.16.18.1
Domain Name=mydc.com
Apply and save the configuration (select ‘no’ if you want to re-enter)? (yes/no): yes

Initializing another FI
Enter the installation method (console/gui)? console
Installer has detected the presence of a peer Fabric interconnect. This Fabric interconnect will be added to the cluster. Continue (y/n) ? y
Enter the admin password of the peer Fabric Interconnect: adminpassword
Peer Fabric interconnect Mgmt0 IPv4 Address: 172.16.18.4
Apply and save the configuration (select ‘no’ if you want to re-enter)? (yes/no): yes
Virtual Storage Area Networks (VSANs)
• A logical partition in a storage area network
• Cisco UCS supports ‘Named VSANs’
• Traffic on one named VSAN knows that traffic on another named VSAN exists, but cannot read or access that traffic
• The name assigned to the VSAN ID adds a layer of abstraction
• Allows you to globally update all servers associated with the service profiles that use the named VSAN
• Cisco UCS supports a maximum of 32 VSANs

Zones

Zones and Zone Sets
• Zone – Collection of ports that can communicate with each other over the SAN
• Allows partitioning of a Fibre Channel fabric into one or more zones
• Each zone defines the set of Fibre Channel initiators and Fibre Channel targets that can communicate with each other in a VSAN
• Can be used to set up access control between hosts and storage devices or user groups

Zone - Characteristics
• Members in a zone can access each other; members in different zones cannot access each other.
• Can vary in size
• Devices can belong to one or more zones
• A physical fabric can have a maximum of 8000 zones

Zone Set
• Consists of one or more zones
• Provides flexibility to activate or deactivate all zone members in a single activity
• A zone can be a member of one or more zone sets
• Only one zone set can be activated at any time
• Can be used to enforce access control within the Fibre Channel fabric

Supported Zoning
• Cisco UCS Manager-based Fibre Channel zoning
• Switch-based Fibre Channel zoning
Lesson 12 : Automation & Scripting Tools

EEM

EEM Overview
• Embedded Event Manager (EEM) is a powerful device and system management technology integrated in NX-OS
• Provides the capability to customize behavior based on network events
• Takes various events as input and enables the user to define what actions should be taken
• Major components:
  • Event – Defines the event to be monitored from another NX-OS component
  • Action – Defines the action to be taken when the event is triggered
  • EEM Policy – An event paired with one or more actions to help troubleshoot or recover from an event

EEM Events and Actions
• An event can be either a system event or a user-triggered event (e.g. a configuration change)
• Actions are defined as the workaround or notification that should be triggered when the event occurs
• Actions that can be defined:
  • Executing CLI commands (configuration and/or show commands)
  • Updating the counters
  • Logging exceptions
  • Reloading devices
  • Printing a syslog message
  • Sending an SNMP notification
  • Setting the default action policy for the system policy
  • Executing a Tcl or Python script
Demo – EEM Script

Scheduler

Scheduler
• The scheduler feature allows commands or scripts to be executed in a non-interactive mode at a defined start time and frequency
• Does not require any special license
• Useful for backing up configurations, copying files or collecting data
• Can be combined with EEM or Python on NX-OS to provide automation capabilities
• To configure the scheduler, enable it first with the feature scheduler command

Demo – Scheduler
Bash Shell

Bash Shell Overview
• Bourne-Again Shell (Bash) is a modern UNIX shell, a successor of the Bourne shell
• Provides a rich feature set and built-in capability to interact with the low-level components of the underlying operating system
• Currently available on the Nexus 9000, Nexus 3000, and Nexus 3500 series platforms
• Provides shell access to the underlying Linux operating system, which has additional capabilities that the standard NX-OS CLI does not provide
• Also allows you to install packages using the yum package manager
Demo – Bash Shell

Guest Shell

Guest Shell Overview
• Is an open-source and secure Linux environment (based on CentOS) for rapid 3rd-party software development and deployment
• Guest shell is basically a libvirt-managed LXC container under the hood
• Available only on Nexus 9000 and Nexus 3000 series switches
• Leverages the benefits of the Python and Bash execution environments and the NX-OS app hosting framework
• Enabled by default; can be explicitly destroyed

bash-4.3# virsh list
Id Name State
----------------------------------------------------
1946 vdc_1_guestshell+ running

Command | Description
guestshell enable | Installs and enables the guest shell service. When this command is enabled, users can enter the guest shell using the guestshell command.
guestshell disable | Disables the guest shell service. When the guest shell is disabled, access to it is disabled.
guestshell destroy | Deactivates and uninstalls the current guest shell. All system resources associated with the guest shell are returned to the system.
guestshell reboot | Deactivates and reactivates the current guest shell.
guestshell run command-line | Executes a program inside the guest shell, returns the output and exits the guest shell.
guestshell sync | Deactivates the current active guest shell, syncs its root file system contents to the standby RP and then reactivates the guest shell on the active RP.
guestshell upgrade | Deactivates and upgrades the current guest shell using the OVA that is embedded within the booted system image. Upon successful upgrade, the guest shell is activated again.
guestshell resize | Modifies the default or existing parameters related to the guest shell, such as CPU, memory and root file system parameters.
Guest Shell Status
Site2-SP-BGW3# show guestshell
Virtual service guestshell+ detail
State : Activated
Package information
Name : guestshell.ova
Path : /isanboot/bin/guestshell.ova
Application
Name : GuestShell
Installed version : 2.4(0.0)
Description : Cisco Systems Guest Shell
Signing
Key type : Cisco release key
Method : SHA-1
Licensing
Name : None
Version : None
Resource reservation
Disk : 250 MB
Memory : 256 MB
CPU : 1% system CPU
Demo – Guest Shell

REST API
• Representational State Transfer (REST) is an architectural style for APIs, where data and functions are considered resources
• The key abstraction of information in REST is a resource
• REST has 6 guiding constraints which must be satisfied:
  • Client-server
  • Stateless
  • Cacheable
  • Uniform interface
  • Layered system
  • Code on demand (optional)

HTTP Methods for RESTful Services
• GET – used to read or fetch a representation of a resource
• PUT – used for updating / replacing a resource
• POST – used to create a resource
• PATCH – used for updating specific sections of the resource but not the complete resource
• DELETE – used to delete a resource identified by the URI
Demo – Using REST APIs with NX-API

XML and JSON Encodings

XML Encodings
• Extensible Markup Language (XML) is one of the most common choices for data interchange in any programming language
• Is a markup language that uses tags to define elements
• Data is stored in a tree structure
• Can perform processing and formatting of documents and objects
• Bulky and slow to parse, leading to a slower data transmission rate
• Doesn’t support arrays; users have to tag each item
• Supports UTF-8 and UTF-16 encodings
• Supports complex data types such as charts, images and other non-primitive data types

JSON Encodings
• JavaScript Object Notation (JSON) is a text-based, lightweight data representation format which stores data in key-value pairs, a.k.a. map format
• Easy to understand, smaller in size and allows for faster transmission of data
• Ease of data modelling; allows for mapping directly to domain objects
• Language independent and has powerful validation and schema-related features
• Doesn’t perform any processing or computation
• Supports UTF and ASCII encodings
• Supports strings, numbers, arrays, Booleans and objects as data types
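The REST and JSON material above applied to NX-API, as an added example that is not code from the slides: it builds the JSON-RPC body that the /ins endpoint accepts once feature nxapi is on, parses a 'show vlan brief' reply including the NX-OS quirk that a single row arrives as a dict rather than a list, and renders the same rows as XML, where each item needs its own element. The TABLE_/ROW_ key names are assumed and the VLAN rows are constructed sample data.

```python
"""Build an NX-API JSON-RPC request and parse the reply, NX-OS style.

Added example, not code from the original slides. It assumes the JSON-RPC
endpoint (/ins) that `feature nxapi` turns on, HTTP Basic authentication, and
a 'show vlan brief' result shaped like NX-OS TABLE_/ROW_ JSON; the key names
are assumed and the VLAN rows are constructed sample data, not captured output.
"""
import base64
import json
import xml.etree.ElementTree as ET

NXAPI_PATH = "/ins"


def build_calls(commands, version=1):
    """One JSON-RPC 2.0 'cli' call per command, batched in a list with increasing ids."""
    return [{"jsonrpc": "2.0", "method": "cli",
             "params": {"cmd": cmd, "version": version}, "id": i + 1}
            for i, cmd in enumerate(commands)]


def build_request(commands):
    """The POST body as sent to https://<switch>/ins."""
    return json.dumps(build_calls(commands))


def auth_headers(username, password):
    """Basic auth only base64-encodes the credentials, so NX-API must run over HTTPS."""
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    return {"Content-Type": "application/json-rpc", "Authorization": f"Basic {token}"}


def rows(table):
    """NX-OS JSON quirk: a single row is returned as a dict, several rows as a list."""
    if table is None:
        return []
    return table if isinstance(table, list) else [table]


def parse_vlan_brief(reply):
    """Map VLAN id -> name from one JSON-RPC reply to 'show vlan brief'."""
    if "error" in reply:  # e.g. an invalid command: the switch returns a JSON-RPC error object
        raise RuntimeError(f"NX-API error {reply['error']['code']}: {reply['error']['message']}")
    table = reply["result"]["body"]["TABLE_vlanbriefxbrief"]["ROW_vlanbriefxbrief"]
    return {int(r["vlanshowbr-vlanid"]): r["vlanshowbr-vlanname"] for r in rows(table)}


def vlans_to_xml(vlans):
    """The same rows as XML: with no array type, every item needs its own element."""
    root = ET.Element("TABLE_vlanbriefxbrief")
    for vlan_id, name in sorted(vlans.items()):
        row = ET.SubElement(root, "ROW_vlanbriefxbrief")
        ET.SubElement(row, "vlanshowbr-vlanid").text = str(vlan_id)
        ET.SubElement(row, "vlanshowbr-vlanname").text = name
    return ET.tostring(root, encoding="unicode")


# Constructed sample replies (not captured from a switch).
SINGLE_ROW_REPLY = {"jsonrpc": "2.0", "id": 1, "result": {"body": {
    "TABLE_vlanbriefxbrief": {"ROW_vlanbriefxbrief":
        {"vlanshowbr-vlanid": "1", "vlanshowbr-vlanname": "default"}}}}}
MULTI_ROW_REPLY = {"jsonrpc": "2.0", "id": 1, "result": {"body": {
    "TABLE_vlanbriefxbrief": {"ROW_vlanbriefxbrief": [
        {"vlanshowbr-vlanid": "1", "vlanshowbr-vlanname": "default"},
        {"vlanshowbr-vlanid": "210", "vlanshowbr-vlanname": "Ansible-Added-VLAN"}]}}}}
ERROR_REPLY = {"jsonrpc": "2.0", "id": 1,
               "error": {"code": -32602, "message": "Invalid params"}}

if __name__ == "__main__":
    print(build_request(["show vlan brief"]))
    print(parse_vlan_brief(SINGLE_ROW_REPLY), parse_vlan_brief(MULTI_ROW_REPLY))
    print(vlans_to_xml(parse_vlan_brief(MULTI_ROW_REPLY)))
```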
Demo – XML and JSON Encodings

Lesson 13 : Evaluating Automation and Orchestration Technologies

Ansible

Ansible - Introduction
• Ansible is a YAML-based agentless configuration management and orchestration tool
• Can be used to deploy / configure nodes and can also be used to run commands across all nodes in the network
• Allows users to roll out updates and new features into a staged production environment
• Minimizes downtime
• Ansible workflow:
  • Define the workflow in Ansible playbooks
  • Deploy the Ansible playbooks on control stations
  • Ansible copies modules to remote hosts
  • Ansible executes modules on remote hosts to complete the workflow
Ansible Components
• Modules – Typically written in Python. Executed by the Ansible ad-hoc CLI tool or via Ansible playbooks
• Inventory files – Contain the list of hosts operated by Ansible. Have host and group mapping definitions
• Playbooks – Contain Ansible domain-specific language (DSL). Variables containing data for playbooks can be separated into YAML files
• Configuration files – Ansible-related configuration. Controls how the tool runs

Ansible CLI Tools
• ansible
• ansible-playbook
• ansible-vault
• ansible-pull
• ansible-docs
• ansible-galaxy
Steps for setting up environment
Local Machine
cd Ansible-local
git clone --recursive https://github.com/ansible/ansible.git
cd ./ansible

NX-OS
Leaf1# conf t
Leaf1(config)# feature nxapi
Leaf1(config)# end

Leaf1# show feature | in ssh|nxapi
nxapi 1 enabled
sshServer 1 enabled

Inventory file – host-file
[all:vars]
un = admin
pwd = admin

[nxos]
172.16.31.11
172.16.31.12
Test Execution
• Test Ansible execution against the inventory file

mac:my_files user$ ansible -i host-file nxos -m ping

172.16.31.11 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
172.16.31.12 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
Creating Playbook – vlan-add.yml
- name: Create VLANs across NX-OS based switches
  hosts: nxos
  connection: local
  gather_facts: no

  vars:
    # un / pwd come from [all:vars] in host-file; keep pwd in an ansible-vault
    # encrypted file rather than in clear text in the inventory
    provider:
      username: "{{ un }}"
      password: "{{ pwd }}"
      transport: nxapi
      host: "{{ inventory_hostname }}"

  tasks:
    - name: Adding VLAN using NXOS module "nxos_vlan"
      nxos_vlan:
        vlan_id: 210
        name: Ansible-Added-VLAN
        provider: "{{ provider }}"
Execute Ansible Playbook
• Execute the Ansible playbook against the inventory file

ansible-playbook -i host-file vlan-add.yml -vvvv

ansible-playbook 2.4.2.0 (detached HEAD e3a8bf02ac) last updated 2019/10/20 19:43:44 (GMT +200)
<snipped>

PLAY RECAP ************************************************************************
172.16.31.11 : ok=1 changed=1 unreachable=0 failed=0
172.16.31.12 : ok=1 changed=1 unreachable=0 failed=0
Puppet

Puppet Overview
• Puppet – An open-source cross-platform system, developed by Puppet Labs, for automating system administration tasks
• It is a declarative language for describing system configuration
• Client/Server based application
  • Server – puppetmaster
  • Client – node or puppet
• Puppet is idempotent
  • Detects the current state of the system
  • Enforces only new configuration on the system
Manifests
• Manifests are files containing Puppet’s declarative language
• Help define relationships between resources within reusable modules
• The core of the Puppet language is declaring resources
• If one resource depends on another, the relationship should be explicitly stated
• Class is a set of common configurations – resources, variables, etc.
• Modules – collection of files and directories containing Puppet manifests
• Hierarchy:
  • Module { Manifest { Classes { Resources }. . . }. . .}
On-Box Python

POAP

POAP Overview
• Power-on Auto Provisioning (POAP) provides the capability of zero-touch provisioning
• Helps with rapid deployments for repeatable configurations
• Ensures consistent software and configuration across the network
• Easy replacement of failed hardware in the network
• Removes the hassle of booting the device with the correct software, copying the correct configuration and then replacing the running configuration with it
• Gives users plug-and-play capability for any new device
Switch Bootup
Power on switch
  Abort POAP process?
    yes: Boot normally with startup configuration
    no:  Startup configuration exists?
      yes: Boot normally with startup configuration
      no:  Follow POAP process

POAP Process
1. Switch obtains a temporary IP address via DHCP
2. Switch downloads the POAP script
3. Switch executes the POAP script
4. Fetches the proper software image and configuration
5. Reloads the device with the new image and applies the final configuration
Lesson 14 : Implementing Network Security

AAA Overview
• Authentication, Authorization and Accounting (AAA) is an architectural framework for implementing security on a network device
• Authentication – provides the method for identifying users, challenge-and-response messaging and the encryption method (based on the security protocol being used)
• Authorization – refers to the method of granting specific types of privileges to an entity or a user based on the authentication. Provides the method for remote access control, per-user account list and profile, user group support, etc. This is done through remote security servers such as RADIUS and TACACS+.
• Accounting – refers to the tracking of consumption of network resources by users. Provides the method for collecting and sending security server information which is used for auditing, reporting, billing, resource analysis, etc.
AAA Accounting Support
• Network Accounting
• Connection Accounting
• EXEC Accounting
• System Accounting
• Command Accounting

Benefits of AAA
• Flexibility and access control for resources and services
• Scalability
• Standardized authentication methods
• Easy to manage users / passwords for each device in the network
• Centrally manage accounting logs

RADIUS Protocol
• RADIUS packets are sent to the server at UDP port 1812 for RADIUS authentication and UDP port 1813 for RADIUS accounting messages

Message flow between the switch (NAS) and the RADIUS server:
1. Access-Request (user / pwd)
2. Access-Accept
3. Accounting-Request (start)
4. Accounting-Response
5. Subscriber accesses the resources
6. Accounting-Request (stop)
7. Accounting-Response
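The Access-Request / Access-Accept part of the exchange above, worked through at the packet level as an added example that is not part of the original slides: the NAS builds the Access-Request sent to UDP 1812, the User-Password attribute is hidden with MD5 and the shared secret exactly as RFC 2865 specifies, and the reply is accepted only if its Response Authenticator checks out against the same secret, which is what stops a forged Access-Accept. The user name, password, secret and NAS address are constructed values.

```python
"""RADIUS Access-Request / Access-Accept handling per RFC 2865.

Added example, not code from the original slides. It builds the Access-Request a
switch sends to UDP 1812, hides the User-Password attribute with the shared secret
as RFC 2865 specifies, and verifies the Response Authenticator of the reply so an
Access-Accept forged without the secret is discarded. Every user name, password,
secret and address below is a constructed sample value.
"""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP_ADDRESS = 1, 2, 4


def hide_password(password, secret, authenticator):
    """RFC 2865 5.2: zero-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous block); the first 'previous block' is the Request Authenticator."""
    data = password.encode()
    data += b"\x00" * (-len(data) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(data), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], pad))
        out, prev = out + block, block
    return out


def reveal_password(hidden, secret, authenticator):
    """Server-side inverse of hide_password; strips the zero padding."""
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        pad = hashlib.md5(secret + prev).digest()
        block = hidden[i:i + 16]
        out, prev = out + bytes(a ^ b for a, b in zip(block, pad)), block
    return out.rstrip(b"\x00").decode(errors="replace")


def encode_attrs(attrs):
    """Attributes are TLVs: Type, Length (includes the 2-byte header), Value."""
    return b"".join(struct.pack("BB", t, len(v) + 2) + v for t, v in attrs)


def parse_attrs(data):
    """Decode TLVs, refusing a Length that is short or runs past the packet."""
    attrs = []
    while data:
        if len(data) < 2 or data[1] < 2 or data[1] > len(data):
            raise ValueError("malformed attribute")
        attrs.append((data[0], data[2:data[1]]))
        data = data[data[1]:]
    return attrs


def build_access_request(ident, username, password, secret, nas_ip):
    """NAS side; returns (packet, request_authenticator), the latter kept to check the reply."""
    authenticator = os.urandom(16)  # fresh and unpredictable for every request
    attrs = encode_attrs([
        (ATTR_USER_NAME, username.encode()),
        (ATTR_USER_PASSWORD, hide_password(password, secret, authenticator)),
        (ATTR_NAS_IP_ADDRESS, bytes(int(o) for o in nas_ip.split("."))),
    ])
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + authenticator + attrs, authenticator


def server_decode(packet, secret):
    """Server side: recover (username, password) from an Access-Request."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    attrs = dict(parse_attrs(packet[20:length]))
    return attrs[ATTR_USER_NAME].decode(), reveal_password(
        attrs[ATTR_USER_PASSWORD], secret, packet[4:20])


def response_authenticator(code, ident, attrs, request_auth, secret):
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def build_access_accept(ident, request_auth, secret, attrs=b""):
    """Server reply; the authenticator binds it to one request and to the shared secret."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    return header + response_authenticator(ACCESS_ACCEPT, ident, attrs, request_auth, secret) + attrs


def verify_response(packet, request_auth, secret):
    """NAS side: a reply is trusted only if its Response Authenticator matches, so a reply
    sent without the secret, or answering a different request, is dropped."""
    if len(packet) < 20:
        return False
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        return False
    expected = response_authenticator(code, ident, packet[20:], request_auth, secret)
    return hmac.compare_digest(expected, packet[4:20])
```

The same MD5-plus-shared-secret construction protects every RADIUS exchange, which is why the secret must be long and unique per server and why the slides' use-vrf management setting, which keeps RADIUS traffic on the management network, matters.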
TACACS+ Protocol
• TACACS+ uses TCP port 49 for authentication and accounting

Message flow between the switch (NAS) and the TACACS+ server:
1. Authentication (start) with user / pwd
2. Reply (user / pwd)?
3. Continue (user / pwd)
4. Reply (Accept / Reject)
5. Authorization (start)
6. Response
7. Accounting (start)
8. Reply (success)
9. Accounting (stop)
10. Reply (success)
AAA Server Parameters in NX-OS
• Dead Time - Specifies the interval that NX-OS waits, after declaring a RADIUS/TACACS+ server dead, before sending out a test packet to determine whether the server is alive again
• Timeout Value - Time the switch waits for a response before declaring all RADIUS/TACACS+ servers dead / unreachable
• Directed request – Allows the user to specify which RADIUS server the authentication request is sent to, by enabling the directed request option
• Retransmit - By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server
RBAC
• Role-based access control (RBAC) allows network administrators to define the rules for a role that restrict the authorization that the user has for various operations on NX-OS
• User roles contain rules that define the operations allowed for the user assigned to that role
  • Multiple rules per role
  • Multiple roles allowed per user
• Default user roles (cannot be modified):
  • network-admin – Complete RW access to the entire NX-OS device
  • network-operator or vdc-operator – Complete read access to the entire NX-OS device

RBAC Limitations
• Up to 256 users allowed on NX-OS
• Up to 256 rules per user role
• Can assign a maximum of 64 user roles to a user account
• User roles configured on the local device are preferred over those assigned to the user on the remote server: AAA roles are overridden when the same user name exists on both the local device and the remote server
• Can add up to 64 user-defined feature groups in addition to the default feature group named L3
AAA Configuration
• Configuring RADIUS servers and assigning them to a group

nexus(config)# radius-server host 10.77.13.240 key secret1
nexus(config)# radius-server host 10.77.13.254 key secret2
nexus(config)# radius-server host 10.77.13.249 key secret3

nexus(config)# aaa group server radius radius1
nexus(config-radius)# server 10.77.13.240
nexus(config-radius)# server 10.77.13.254
nexus(config-radius)# server 10.77.13.249
nexus(config-radius)# use-vrf management
AAA Configuration
• Configuring TACACS+ servers and assigning them to a group

nexus(config)# feature tacacs+
nexus(config)# tacacs-server host 10.77.13.240 key secret1
nexus(config)# tacacs-server host 10.77.13.254 key secret2
nexus(config)# tacacs-server host 10.77.13.249 key secret3

nexus(config)# aaa group server tacacs+ tacacs1
nexus(config-tacacs+)# server 10.77.13.240
nexus(config-tacacs+)# server 10.77.13.254
nexus(config-tacacs+)# use-vrf management
AAA Configuration
• Configure authentication to use a remote server (fallback to local if the server is not reachable)

! RADIUS server group
nexus(config)# aaa authentication login default group radius1

! TACACS+ server group
nexus(config)# aaa authentication login default group tacacs1

AAA Configuration
! Print expiry date for remote user login
nexus(config)# aaa authentication login password-aging

! Print authentication failure error message for local and remote user login
nexus(config)# aaa authentication login error-enable

! Configure accounting logs to be stored locally as well as on the remote server
nexus(config)# aaa accounting default group radius1

! Reverting to local accounting configuration:
nexus(config)# no aaa accounting default group radius1
Demo – RBAC - Secure Password

Demo – RBAC - Roles and Rules

ACI Contracts

Why do we need Contracts?
• End Point Group (EPG) – A group that contains multiple endpoints (VMs / bare-metal servers / etc.)
• Contracts – Provide access between EPGs
  • Are used to define relationships
• Implicit deny for EPG-to-EPG access
• All endpoints in an EPG have the same security posture
• Granular access in the fabric can be achieved natively by breaking up EPGs so that all VMs / endpoints in an EPG have the exact same security posture
Components of Contract
• Contract – Specifies the subjects, scope, description
• EPG – Specifies which contracts to consume or provide
• Filter – Specifies the “filter-entries”: Layer 4 information such as protocol and port(s)
• Subject – Specifies the filters and direction (unidirectional or bidirectional)
• Action – Action to be taken on the filtered traffic within a subject (required within a subject)
• Label - (optional) when used, labels allow for more complex definition of relationships within the policy model

Subjects
(Diagram: an External-Web Contract holding several Subjects; each Subject has a Filter (in/out, port, etc.), an Action (drop, mark, redirect, etc.) and an optional Label.)
Subjects contain: filters, actions and labels
EPG Relationship to Contract
• Contracts can be either consumed or provided:
  • Provided contract – Destination
  • Consumed contract – Source
• The EPG consuming the contract can connect to the EPG providing the contract
• We can apply the filter in the reverse direction, which reverses the consume/provide relationship

permit {filter protocol} {Consuming EPG} {Provided EPG} {dst-filter port}

Applications and Conversations
Application communication can be defined as who is allowed to talk to whom.
(Diagram: Users -> Web Farm -> App Servers -> DB Farm)
Communication between objects on the network can be thought of as one- or two-way conversations (monologue/dialogue).

The Provider Consumer Relationship
(Diagram: Users consume Web Services; the Web Farm provides Web Services and consumes App Services; the App Servers provide App Services.)
Provider-consumer relationships define application connectivity in application terms. All objects can provide, consume, or both.

Defining Provider Consumer Relationships
(Diagram: DB Farm)

Another Way of looking at EPGs
End Point | Nucleus, Vesicle, etc.
End Point Group (EPG) | Cell
Contract | Cell Membrane
EPGs can be thought of as cells with a membrane (contract) defining what gets in and out.

For Complex Relationships

First-Hop Security
First-Hop Security Features
Attack
Click to edit Master
Mitigating
title style
Capability
feature
MAC spoofing by rogue Port Security Restricts MAC addresses on a port.
Virtual Machine
IPv6 address spoofing by IPv6 Source Validate IP source on a per port/mac/vlan
an infected virtual Guard basis
machine
ND cache poisoning on IPv6 snooping Monitor ND & DHCP traffic and gleam
other virtual machines, address assignment. Feed Source &
hosts and network Destination guard with list of valid source &
devices destination address.
Rogue DHCP server DHCPv6 guard Prevents untrusted entities from acting as
DHCP servers
Rogue routers RA Guard Prevents untrusted entities from acting as
routers
RA Guard
• Defined in RFC 6105, RA Guard is a feature that allows the user of a Layer 2 switch to configure which of the switch ports face routers
• Router Advertisements received on any other port are dropped, hence never making it to the end hosts on the link
• RA Guard can perform further deep packet inspection to validate the source of the RA, the prefix list, the preference and any other information carried
• Is used to inspect router Neighbor Discovery (ND) traffic, e.g. Router Solicitations (RS), Router Advertisements (RA) and Redirects, and to drop any bogus messages
RA Guard Policy Sub-Config Options
Sub-Configuration Option | Description
device-role [host | router | monitor | switch] | Defines the role of the device attached to the port, which can be host, router, monitor or switch.
hop-limit [maximum | minimum limit] | Verifies the specified hop-count limit. If not configured, the check is bypassed.
managed-config-flag [on | off] | Verifies that the advertised managed-config flag is on or off. If not configured, this check is bypassed.
other-config-flag [on | off] | Verifies the advertised other configuration parameters
router-preference maximum [high | low | medium] | Verifies that the advertised default router preference parameter value is lower than or equal to a specified limit.
trusted-port | Specifies that the policy is being applied to trusted ports.
IPv6 Snooping
• Combination of two features: ND Snooping and DHCPv6 Snooping
• IPv6 ND Snooping – Analyzes IPv6 neighbor discovery traffic and verifies that it is harmless for nodes on the link
  • During this inspection, it gleans address bindings <IP, MAC, port> when available and stores them in a binding table
• IPv6 DHCP Snooping – Traps DHCPv6 packets between the client and the server
  • From the snooped packets, assigned addresses are learnt and stored in the binding table
• IPv6 Snooping prevents DoS attacks by limiting the number of addresses any node on a given link can claim
IPv6 Snooping Policy Sub-Config Options
• device-role [node | switch] – Specifies the role of the device attached to the port. By default, the device role is
"node". The device role (combined with the trusted-port command) has a direct influence on the preference level of
an entry learnt from the interface where this policy applies. device-role node has the inherent preference of an
access port; device-role switch has the preference of a trunk port.
• tracking [enable [reachable-lifetime value] | disable [stale-lifetime value]] – Overrides the default tracking
policy on the port where this policy applies. This is especially useful on trusted ports where one does not want to
track entries but still wants the entry to stick in the binding table to prevent stealing; in that case configure
tracking disable stale-lifetime infinite.
• trusted-port – When receiving messages on ports with this policy, limited to no verification is performed.
Nevertheless, to protect against address spoofing, messages are still analyzed so that the binding information they
carry can be used to maintain the binding table. Bindings discovered from these ports are considered more
trustworthy than bindings received from untrusted ports.
• validate source-mac – When receiving Neighbor Discovery Protocol (NDP) messages that contain a link-layer
address option, the source MAC address is checked against the link-layer address option. The packet is dropped if
they differ.
• protocol [dhcp | ndp] – Specifies which protocol should be redirected to the snooping component for analysis.
• security-level [glean | inspect | guard] – Specifies the security level enforced by the IPv6 snooping feature.
Default is guard.
• glean – learns bindings but does not drop packets.
• inspect – learns bindings and drops packets when it detects an issue.
• guard – works like inspect, but in addition drops IPv6 ND RA (Router Advertisement) and IPv6 DHCP server
packets in case of a threat.
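How these options interact is easier to see in code than in the table. The following is a constructed Python model added for this page (not Cisco software and not the real NX-OS implementation): a policy object with the knobs above, a binding table keyed by (VLAN, IPv6 address), and a process() function applied to constructed ND and DHCPv6 messages. The preference ranks (trusted > switch > node), the per-node address limit, the "guard drops RA/DHCPv6 server messages only on untrusted ports" rule and the message field names are modelling assumptions.

```python
"""Constructed model of an IPv6 snooping policy on one port (teaching code
for this page, not Cisco software). It shows how the policy knobs in the
table above combine: glean never drops, trusted-port skips verification
but still gleans, validate source-mac checks the LLA option, guard also
rejects RA/DHCPv6 server messages, and a per-node address limit bounds DoS.
Preference ranks, the address limit and the guard rule are assumptions."""
from dataclasses import dataclass


@dataclass
class SnoopingPolicy:
    device_role: str = "node"            # "node" | "switch"
    trusted_port: bool = False
    validate_source_mac: bool = False
    protocols: tuple = ("ndp", "dhcp")   # what is redirected to snooping
    security_level: str = "guard"        # "glean" | "inspect" | "guard"

    def preference(self) -> int:
        # Assumption: trusted > switch (trunk) > node (access), per the table.
        return 2 if self.trusted_port else (1 if self.device_role == "switch" else 0)


SERVER_MSGS = {"RA", "DHCP6_ADVERTISE", "DHCP6_REPLY"}


def _glean(msg):
    """(ip, mac, port) the message lets us learn, or None."""
    if msg["type"] in ("NS", "NA") and msg["src_ip"] != "::":
        return msg["src_ip"], msg["eth_src"], msg["port"]
    if msg["type"] == "DHCP6_REPLY":     # lease handed to a client elsewhere
        return msg["assigned_ip"], msg["client_mac"], msg["client_port"]
    return None


def process(msg, policy, table, max_addr_per_mac=4):
    """Apply policy to one message; table maps (vlan, ip) -> binding.
    Returns (verdict, reason) with verdict 'forward' or 'drop'."""
    proto = "dhcp" if msg["type"].startswith("DHCP6") else "ndp"
    if proto not in policy.protocols:
        return "forward", "not redirected to snooping"
    # glean never drops; trusted ports get little to no verification
    enforce = policy.security_level != "glean" and not policy.trusted_port
    verdict = "drop" if enforce else "forward"
    if enforce and policy.validate_source_mac and msg.get("lla") not in (None, msg["eth_src"]):
        return verdict, "source-mac does not match link-layer address option"
    if enforce and policy.security_level == "guard" and msg["type"] in SERVER_MSGS:
        return verdict, "RA/DHCPv6 server message on untrusted port"
    learned = _glean(msg)
    if learned is None:
        return "forward", "nothing to learn"
    ip, mac, port = learned
    key, pref = (msg["vlan"], ip), policy.preference()
    cur = table.get(key)
    if cur and (cur["mac"], cur["port"]) != (mac, port) and pref <= cur["pref"]:
        return verdict, f"{ip} already bound to {cur['mac']}"   # address theft
    owned = sum(1 for (v, i), b in table.items()
                if v == msg["vlan"] and (b["mac"], b["port"]) == (mac, port) and i != ip)
    if owned >= max_addr_per_mac:        # DoS limit: addresses one node may claim
        return verdict, "address limit reached"
    table[key] = {"mac": mac, "port": port, "pref": pref}
    return "forward", "binding learned"


def run_scenario():
    """Constructed VLAN 10 traffic: an access port with the default (guard)
    policy plus validate source-mac, and a trusted uplink facing a switch."""
    access = SnoopingPolicy(validate_source_mac=True)
    uplink = SnoopingPolicy(device_role="switch", trusted_port=True)
    table = {}
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"

    def na(mac, ip, port="Eth1/1", lla=None):
        return {"type": "NA", "vlan": 10, "port": port, "eth_src": mac,
                "lla": lla or mac, "src_ip": ip}

    msgs = [
        (access, na(a, "2001:db8::1")),                            # legitimate
        (access, na(b, "2001:db8::1", port="Eth1/2")),             # steal attempt
        (access, {"type": "RA", "vlan": 10, "port": "Eth1/2", "eth_src": b}),
        (access, na(b, "2001:db8::2", port="Eth1/2", lla=a)),      # forged LLA
        (uplink, {"type": "DHCP6_REPLY", "vlan": 10, "port": "Eth1/49",
                  "eth_src": "00:aa:bb:cc:dd:ee", "assigned_ip": "2001:db8::50",
                  "client_mac": b, "client_port": "Eth1/2"}),
    ] + [(access, na(a, f"2001:db8::a{i}")) for i in range(1, 6)]  # address flood
    return [process(m, p, table)[0] for p, m in msgs], table
```

run_scenario() returns the verdicts in order and the resulting binding table: the legitimate claim is learned, the theft attempt, the RA from a host port and the message with a forged link-layer option are dropped, the lease relayed over the trusted uplink is learned with the highest preference, and the address flood is cut off once the node owns max_addr_per_mac addresses. Switching the access policy to security_level="glean" turns every one of those drops into a forward while still refusing to overwrite the existing binding.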
Dynamic ARP Inspection
DAI Overview
• Dynamic ARP Inspection (DAI) is a security feature that helps protect
hosts and other network devices from ARP cache poisoning
• Verifies the sanity of the ARP requests and responses sent by hosts
connected to the switch
• Checks each ARP packet for a correct MAC-IP binding with respect to the
binding table created by DHCP snooping
• If the check fails, the ARP packet is dropped
[Figure: a host and a DHCP server attached to the switch, with a second host acting as man-in-the-middle (MITM) through ARP poisoning]
DAI Overview
• DAI is enabled on a per-VLAN basis
• Supports enabling src-MAC, dst-MAC and IP address validation
• The source and destination MAC addresses and the sender/target IP
addresses of ARP packets are validated against the snooping binding
entries, and the IP addresses must be valid unicast addresses
• DAI inspects ARP packets arriving on untrusted ports only; packets on
trusted ports bypass inspection, so trust only uplinks to other
DAI-enabled switches, never host-facing ports
DHCP Snooping
DHCP Snooping Overview
• Is a Layer 2 security feature
• Mitigates DoS attacks that can be engineered with DHCP messages
and helps prevent IP spoofing attacks
• Works on two levels:
• Discovery – intercepting DHCP messages and building a database of
{IP address, MAC address, Port, VLAN} entries, a.k.a. the binding table
• Enforcement – DHCP message validation, rate limiting, and conversion
of DHCP broadcasts to unicasts
DHCP Snooping Overview
• Provides the following security features
• Prevention of DoS attacks launched through DHCP messages
• DHCP message validation (server messages on untrusted ports, client
MAC vs. chaddr, releases for leases the port does not own)
• Creation of the DHCP binding table that helps validate DHCP messages
and is consumed by DAI and IP Source Guard
• Option 82 insertion / removal
• Rate limiting the number of DHCP messages on an interface
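The two slides above (DHCP snooping) and the DAI slides before them describe one pipeline: snooping validates DHCP messages and builds the binding table, and DAI checks ARP against it. The following constructed Python model, added for this page and not Cisco software, runs that pipeline over a made-up VLAN 10 exchange: a rogue DHCP server on an access port, a host releasing someone else's lease, a rate-limit trip, and then an ARP poisoning attempt against the learned binding. The rate-limit window (a plain per-port counter), the err-disable reaction, the client_port field carried on the ACK and all MAC/IP values are assumptions.

```python
"""Constructed model of DHCP snooping feeding Dynamic ARP Inspection
(teaching code written for this page, not Cisco software). Snooping
builds {IP, MAC, port, VLAN} bindings while validating DHCP messages and
rate-limiting untrusted ports; DAI then checks ARP packets on untrusted
ports against that table with src-mac, dst-mac and ip validation. The
client_port field on ACKs and the err-disable on rate-limit are assumptions."""
from collections import defaultdict
import ipaddress


class DhcpSnooping:
    def __init__(self, vlans, trusted_ports, rate_limit=15):
        self.vlans, self.trusted = set(vlans), set(trusted_ports)
        self.rate_limit = rate_limit      # DHCP packets per untrusted port per window
        self.bindings = {}                # (vlan, ip) -> {"mac", "port"}
        self.counts = defaultdict(int)
        self.err_disabled = set()

    def process(self, pkt):
        """pkt: vlan, port, eth_src, op (DISCOVER/OFFER/REQUEST/ACK/NAK/RELEASE),
        chaddr; yiaddr+client_port on ACK, ciaddr on RELEASE. Returns verdict."""
        if pkt["vlan"] not in self.vlans:
            return "forward"              # snooping not enabled on this VLAN
        port = pkt["port"]
        if port in self.err_disabled:
            return "drop"
        if port not in self.trusted:
            self.counts[port] += 1
            if self.counts[port] > self.rate_limit:      # DoS: too many DHCP msgs
                self.err_disabled.add(port)
                return "drop"
            if pkt["op"] in ("OFFER", "ACK", "NAK"):     # rogue server messages
                return "drop"
            if pkt["chaddr"] != pkt["eth_src"]:          # verify mac-address
                return "drop"
            if pkt["op"] == "RELEASE":                   # only the lease owner's port
                key = (pkt["vlan"], pkt["ciaddr"])
                if self.bindings.get(key, {}).get("port") != port:
                    return "drop"
                del self.bindings[key]
                return "forward"
        if pkt["op"] == "ACK":                            # lease granted: learn it
            self.bindings[(pkt["vlan"], pkt["yiaddr"])] = {
                "mac": pkt["chaddr"], "port": pkt["client_port"]}
        return "forward"


def dai_check(arp, bindings, trusted_ports, validate=("src-mac", "dst-mac", "ip")):
    """arp: vlan, port, eth_src, eth_dst, op ('request'|'reply'), sha, spa, tha, tpa.
    Returns (verdict, reason)."""
    if arp["port"] in trusted_ports:
        return "forward", "trusted port, not inspected"
    if "src-mac" in validate and arp["eth_src"] != arp["sha"]:
        return "drop", "src-mac: Ethernet source != ARP sender MAC"
    if "dst-mac" in validate and arp["op"] == "reply" and arp["eth_dst"] != arp["tha"]:
        return "drop", "dst-mac: Ethernet destination != ARP target MAC"
    if "ip" in validate:   # sender IP always checked, target IP only in replies
        for ip in [arp["spa"]] + ([arp["tpa"]] if arp["op"] == "reply" else []):
            if ip in ("0.0.0.0", "255.255.255.255") or ipaddress.ip_address(ip).is_multicast:
                return "drop", f"ip: invalid address {ip}"
    bind = bindings.get((arp["vlan"], arp["spa"]))
    if bind is None or bind["mac"] != arp["sha"]:
        return "drop", f"no snooping binding for {arp['spa']} -> {arp['sha']}"
    return "forward", "binding matches"


def run_scenario():
    """Constructed VLAN 10 exchange: H1 leases an address via the trusted
    uplink, H2 then plays rogue server, lease thief and ARP poisoner."""
    snoop = DhcpSnooping(vlans=[10], trusted_ports={"Eth1/49"})
    h1, h2, srv = "00:11:22:33:44:01", "00:11:22:33:44:02", "00:aa:bb:cc:dd:ee"
    dhcp = [
        {"vlan": 10, "port": "Eth1/1", "eth_src": h1, "op": "DISCOVER", "chaddr": h1},
        {"vlan": 10, "port": "Eth1/2", "eth_src": h2, "op": "OFFER", "chaddr": h1},
        {"vlan": 10, "port": "Eth1/49", "eth_src": srv, "op": "ACK", "chaddr": h1,
         "yiaddr": "10.0.10.11", "client_port": "Eth1/1"},
        {"vlan": 10, "port": "Eth1/2", "eth_src": h2, "op": "RELEASE", "chaddr": h2,
         "ciaddr": "10.0.10.11"},
    ]
    dhcp_verdicts = [snoop.process(p) for p in dhcp]
    bcast, zero = "ff:ff:ff:ff:ff:ff", "00:00:00:00:00:00"
    arp = [
        {"vlan": 10, "port": "Eth1/1", "eth_src": h1, "eth_dst": bcast, "op": "request",
         "sha": h1, "spa": "10.0.10.11", "tha": zero, "tpa": "10.0.10.1"},
        {"vlan": 10, "port": "Eth1/2", "eth_src": h2, "eth_dst": h1, "op": "reply",
         "sha": h2, "spa": "10.0.10.1", "tha": h1, "tpa": "10.0.10.11"},   # gateway spoof
        {"vlan": 10, "port": "Eth1/2", "eth_src": h2, "eth_dst": h1, "op": "reply",
         "sha": h1, "spa": "10.0.10.11", "tha": h1, "tpa": "10.0.10.11"},  # forged sender MAC
        {"vlan": 10, "port": "Eth1/1", "eth_src": h1, "eth_dst": bcast, "op": "request",
         "sha": h1, "spa": "0.0.0.0", "tha": zero, "tpa": "10.0.10.11"},    # ARP probe
    ]
    arp_verdicts = [dai_check(a, snoop.bindings, snoop.trusted)[0] for a in arp]
    return dhcp_verdicts, arp_verdicts, snoop.bindings
```

Two practical points fall out of running it. The rogue OFFER and the foreign RELEASE are dropped purely by port trust plus the binding table, which is why the uplink to the real server must be the only trusted port. And the last ARP packet, a legitimate ARP probe with a sender IP of 0.0.0.0, is dropped by the ip validation option; that is a known side effect of enabling "ip" validation on DAI, not a bug in this model.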
CoPP Policies
CoPP Overview
• Control Plane Policing (CoPP) – security feature that leverages
Nexus hardware to regulate or limit traffic destined to the supervisor CPU
• Provides a distributed policing mechanism that is synchronized
across the individual forwarding engines
• Applied as an input QoS policy to a special interface called
control-plane
• Exception logic – separates data-plane and control-plane packets
• Classification – identifies DoS attack packets
• Service policies – mark, drop or police
CoPP Policy Classification
CoPP Profiles
• When a Nexus platform boots up, NX-OS installs a default CoPP policy
named copp-system-policy
• NX-OS also comes with different profile settings for CoPP, to provide
different protection levels to the system
• Strict: Defines a BC value of 250 ms for regular classes and 1000 ms for
the important class.
• Moderate: Defines a BC value of 310 ms for regular classes and 1250
ms for the important class.
• Lenient: Defines a BC value of 375 ms for regular classes and 1500 ms
for the important class.
• Dense: Recommended when the chassis has more F2 line cards than
other I/O modules. Introduced in release 6.0(1).
CoPP Policies Pre-defined Classes
• Critical: Routing protocol packets with IP precedence value 6
• Important: Redundancy protocols such as GLBP, VRRP, and
HSRP
• Management: All management traffic, such as Telnet, SSH,
FTP, NTP, and RADIUS
• Monitoring: Ping and traceroute traffic
• Exception: ICMP unreachables and IP options
• Undesirable: All unwanted traffic
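To make the profile and class slides concrete, here is a constructed Python model added for this page (not NX-OS code): classify() sorts a packet into one of the six pre-defined classes above, each class gets a token-bucket policer whose burst is the profile's BC value converted to tokens at the committed rate, and simulate() runs the same burst of control traffic under strict, moderate and lenient so the difference in what survives is visible. The 1000 pps committed rate, the packet-based bucket, the exact protocol-to-class mapping and the rule that the undesirable class gets no tokens are assumptions.

```python
"""Constructed model of CoPP classification and per-class policing
(teaching code written for this page, not NX-OS). Class membership follows
the pre-defined classes listed above; the packet-based token bucket, the
1000 pps committed rate and 'undesirable gets no tokens' are assumptions.
The profile's BC value is applied as burst = rate x BC seconds, i.e. the
burst a class may send at the committed rate before being policed."""

PROFILES = {                 # (regular classes, important class) BC in seconds
    "strict": (0.250, 1.000),
    "moderate": (0.310, 1.250),
    "lenient": (0.375, 1.500),
}
ROUTING = {"ospf", "bgp", "eigrp", "isis", "pim"}
REDUNDANCY = {"glbp", "vrrp", "hsrp"}
MANAGEMENT = {"telnet", "ssh", "ftp", "ntp", "radius"}


def classify(pkt):
    """pkt: dict with protocol and optionally precedence, icmp_type, ip_options."""
    p = pkt["protocol"]
    if p in ROUTING and pkt.get("precedence") == 6:
        return "critical"
    if p in REDUNDANCY:
        return "important"
    if p in MANAGEMENT:
        return "management"
    if p == "traceroute" or (p == "icmp" and pkt.get("icmp_type") in
                             ("echo", "echo-reply", "time-exceeded")):
        return "monitoring"              # ping and traceroute
    if (p == "icmp" and pkt.get("icmp_type") == "unreachable") or pkt.get("ip_options"):
        return "exception"
    return "undesirable"                 # everything else is unwanted


class Policer:
    """Single-rate token bucket: rate tokens/s, bucket holds rate x bc tokens."""
    def __init__(self, rate_pps, bc_seconds):
        self.rate = rate_pps
        self.capacity = round(rate_pps * bc_seconds)
        self.tokens, self.last = self.capacity, 0.0

    def conform(self, now):
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False


def simulate(profile, packets, cir_pps=1000):
    """Classify then police (time, pkt) pairs. Returns per-class conform/drop counts."""
    regular_bc, important_bc = PROFILES[profile]
    policers, stats = {}, {}
    for now, pkt in packets:
        cls = classify(pkt)
        if cls not in policers:
            bc = important_bc if cls == "important" else regular_bc
            rate = 0 if cls == "undesirable" else cir_pps   # undesirable: always drop
            policers[cls] = Policer(rate, bc)
        s = stats.setdefault(cls, {"conform": 0, "drop": 0})
        s["conform" if policers[cls].conform(now) else "drop"] += 1
    return stats


def burst_scenario():
    """Constructed burst at t=0: 400 SSH packets, 1200 HSRP hellos, one packet
    with IP options and one unknown protocol, evaluated under each profile."""
    burst = ([(0.0, {"protocol": "ssh"})] * 400
             + [(0.0, {"protocol": "hsrp"})] * 1200
             + [(0.0, {"protocol": "tcp", "ip_options": True}),
                (0.0, {"protocol": "gre"})])
    return {name: simulate(name, burst) for name in PROFILES}
```

The numbers burst_scenario() returns show why the profile choice matters for availability rather than just for hardening: at 1000 pps the strict profile lets 250 of the 400 SSH packets through and drops 150, lenient passes 375; the 1200 HSRP hellos lose 200 under strict but survive intact under moderate and lenient because the important class gets the larger BC. A real deployment should verify with show policy-map interface control-plane that the drop counters of the classes it depends on stay at zero under normal load.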
Demo – Nexus CoPP Policies