• High Availability
• Scalability
• Flexibility
• Optimized Server Virtualization
Components
• Cisco UCS Manager
• Cisco UCS Fabric Interconnect
• Cisco UCS I/O Modules
• Cisco UCS Blade Server Chassis
• Cisco UCS B-Series Blade Server
• Cisco UCS Rack Servers
• UCS Virtual Adapters
Cisco UCS Manager
Cisco UCS Fabric Interconnects
• Core component of Cisco UCS deployments
• Provides both network connectivity and management capabilities
• Components
• Cisco UCS 6200 / 6332 Series Fabric Interconnects (FI), Cisco UCS Mini
• Transceivers for network and storage connectivity
• Expansion modules
• Cisco UCS Manager software
Cisco UCS I/O Modules (IOMs)
• Cisco UCS IOMs are also known as Cisco Fabric Extenders (FEX)
• Serve as line cards to the FI. Always used in pairs in production
• Provide interface connections to blade servers
• UCS 2408 FEX – 8 × 25-Gbps uplink ports; up to 320 Gbps of I/O to the chassis
• UCS 2304 FEX – 4 × 40-Gbps QSFP+ uplink ports; up to 320 Gbps of I/O to the chassis
• UCS 2208XP FEX – 8 × 10-Gbps SFP+ uplink ports; up to 160 Gbps of I/O to the chassis
• UCS 2204XP FEX – 4 × 10-Gbps SFP+ uplink ports; up to 80 Gbps of I/O to the chassis
Cisco UCS Blade Server Chassis
Cisco UCS 5108 Blade Server Chassis
• Cisco UCS 5100 Series Blade Server Chassis
• 6 RU chassis
• Up to 8 half-width server blades
• Up to 4 full-width server blades
• Redundant hot-swappable power supplies
• Reduces total cost of ownership
• Supports all generations of fabric interconnects
• Requires no independent management
• Energy efficient
Cisco Virtual Interface Cards (VICs)
• Cisco UCS Virtual Interface Cards (VICs) extend the network fabric directly to both servers and virtual machines
• Provide complete programmability of the Cisco UCS I/O infrastructure
• Capable of 10G/25G/40G/100G Ethernet and FCoE
• Incorporate Cisco’s next-generation Converged Network Adapter (CNA) technology
• Support Virtual Machine Fabric Extender (VM-FEX) technology
• Cisco UCS VIC 1400 –
• Stateless and agile platform
• Network interface virtualization
Cisco 1400 Series VICs
• Cisco VIC 1440 – single-port 40-Gbps or 4x10-Gbps Ethernet/FCoE capable modular LAN On Motherboard (mLOM)
• Cisco VIC 1480 – single-port 40-Gbps or 4x10-Gbps Ethernet/FCoE capable mezzanine card (mezz)
• Cisco VIC 1455 – 10/25-Gbps Ethernet or FCoE (quad-port Small Form-Factor Pluggable (SFP28) half-height PCIe card)
• Cisco VIC 1457 – 10/25-Gbps Ethernet or FCoE (quad-port Small Form-Factor Pluggable (SFP28) mLOM card)
• Cisco VIC 1495 – 40/100-Gbps Ethernet or FCoE (dual-port Quad Small Form-Factor Pluggable (QSFP28) PCIe card)
• Cisco VIC 1497 – 40/100-Gbps Ethernet or FCoE (dual-port Quad Small Form-Factor Pluggable (QSFP28) mLOM card)
Setup using CLI
Enter the installation method (console/gui)? console
Enter the setup mode (restore from backup or initial setup) [restore/setup]? setup
You have chosen to setup a new switch. Continue? (y/n): y
Enter the password for “admin”: adminpassword
Confirm the password for “admin”: adminpassword
Do you want to create a new cluster on this switch (select ‘no’ for standalone setup or if you
want this switch to be added to an existing cluster)? (yes/no) [n]: yes
Enter the switch fabric (A/B): A
Enter the system name: UCS-Demo
Mgmt0 IPv4 address: 172.16.18.3
Mgmt0 IPv4 netmask: 255.255.255.0
IPv4 address of the default gateway: 172.16.18.254
Virtual IPv4 address: 172.16.18.2
Configure the DNS Server IPv4 address? (yes/no) [n]: yes
DNS IPv4 address: 172.16.18.1
Configure the default domain name? (yes/no) [n]: yes
Default domain name: mydc.com
Setup using CLI (contd…)
Join centralized management environment (UCS Central)? (yes/no) [n]: no
Following configurations will be applied:
Switch Fabric=A
System Name=UCS-Demo
Management IP Address=172.16.18.3
Management IP Netmask=255.255.255.0
Default Gateway=172.16.18.254
Cluster Enabled=yes
Virtual Ip Address=172.16.18.2
DNS Server=172.16.18.1
Domain Name=mydc.com
Apply and save the configuration (select ‘no’ if you want to re-enter)? (yes/no): yes
Initializing another FI
Enter the installation method (console/gui)? console
Installer has detected the presence of a peer Fabric interconnect. This Fabric interconnect
will be added to the cluster. Continue (y/n) ? y
Enter the admin password of the peer Fabric Interconnect: adminpassword
Peer Fabric interconnect Mgmt0 IPv4 Address: 172.16.18.4
Apply and save the configuration (select ‘no’ if you want to re-enter)? (yes/no): yes
Virtual Storage Area Networks (VSANs)
• A logical partition in a storage area network
• Cisco UCS supports ‘Named VSANs’
• The traffic on one named VSAN knows that the traffic on another named VSAN exists, but cannot read or access that traffic
• The name assigned to the VSAN ID adds a layer of abstraction
• Allows you to globally update all servers associated with the service profiles that use the named VSAN
• Cisco UCS supports a maximum of 32 VSANs
Zones
Zones and Zone Sets
• Zone – Collection of ports that can communicate with each other over the SAN
• Allows partitioning of the Fibre Channel fabric into one or more zones
• Each zone defines the set of Fibre Channel initiators and Fibre Channel targets that can communicate with each other in a VSAN
• Can be used to set up access control between hosts and storage devices or user groups
Zone - Characteristics
• Members in a zone can access each other; members in different zones cannot access each other.
• Can vary in size
• Devices can belong to one or more zones
• A physical fabric can have a maximum of 8000 zones
Zone Set
• Consists of one or more zones
• Provides flexibility to activate or deactivate all zone members in a single activity
• A zone can be a member of one or more zone sets
• Only one zone set can be activated at any time
• Can be used to enforce access control within the Fibre Channel fabric
Supported Zoning
• Cisco UCS Manager-based Fibre Channel zoning
• Switch-based Fibre Channel zoning
EEM
EEM Overview
• Embedded Event Manager (EEM) is a powerful device and system management technology integrated in NX-OS
• Provides the capability to customize behavior based on network events
• Takes various events as input and enables the user to define what actions are taken
• Major components:
• Event – Defines the event to be monitored from another NX-OS component
• Action – Defines the action to be taken when the event is triggered
• EEM Policy – An event paired with one or more actions to help troubleshoot or recover from an event
EEM Events and Actions
• An event can either be a system event or a user-triggered event (e.g. a configuration change)
• Actions are defined as the workaround or notification that should be triggered when the event occurs
• Actions that can be defined:
• Executing CLI commands (configuration and/or show commands)
• Updating counters
• Logging exceptions
• Reloading devices
• Printing a syslog message
• Sending an SNMP notification
• Setting the default action policy for the system policy
• Executing a TCL or Python script
Scheduler
• The scheduler feature allows commands or scripts to be executed in a non-interactive mode at a defined start time and frequency
• Does not require any special license
• Useful for backing up configurations, copying files or collecting data
• Can be combined with EEM or Python on NX-OS to provide automation capabilities
• To configure the scheduler, the feature scheduler command must be enabled first
Demo – Scheduler
Bash Shell
Bash Shell Overview
• Bourne-Again Shell (Bash) is a modern UNIX shell, a successor of the Bourne shell
• Provides a rich feature set and built-in capability to interact with the low-level components of the underlying operating system
• Currently available on the Nexus 9000, Nexus 3000, and Nexus 3500 series platforms
• Provides shell access to the underlying Linux operating system, which has additional capabilities that the standard NX-OS CLI does not provide
• Also allows you to install packages using the yum package manager
Guest Shell
Guest Shell Overview
• An open source and secure Linux environment (based on CentOS) for rapid 3rd-party software development and deployment
• The guest shell is basically a libvirt-managed LXC container under the hood
• Available only on Nexus 9000 and Nexus 3000 series switches
• Leverages the benefits of the Python and Bash execution environments and the NX-OS app hosting framework
• Enabled by default; can be explicitly destroyed
bash-4.3# virsh list
Id Name State
----------------------------------------------------
1946 vdc_1_guestshell+ running
Command – Description
guestshell enable – Installs and enables the guest shell service. Once enabled, users can enter the guest shell using the guestshell command.
guestshell disable – Disables the guest shell service; access to the guest shell is disabled.
guestshell destroy – Deactivates and uninstalls the current guest shell. All system resources associated with the guest shell are returned to the system.
guestshell reboot – Deactivates and reactivates the current guest shell.
guestshell run command-line – Executes a program inside the guest shell, returns the output and exits the guest shell.
guestshell sync – Deactivates the current active guest shell, syncs its root file system contents to the standby RP and then re-activates the guest shell on the active RP.
guestshell upgrade – Deactivates and upgrades the current guest shell using the OVA embedded within the booted system image. Upon successful upgrade, the guest shell is activated again.
guestshell resize – Modifies the default or existing guest shell parameters, such as CPU, memory and root file system size.
Guest Shell Status
Site2-SP-BGW3# show guestshell
Virtual service guestshell+ detail
State : Activated
Package information
Name : guestshell.ova
Path : /isanboot/bin/guestshell.ova
Application
Name : GuestShell
Installed version : 2.4(0.0)
Description : Cisco Systems Guest Shell
Signing
Key type : Cisco release key
Method : SHA-1
Licensing
Name : None
Version : None
Resource reservation
Disk : 250 MB
Memory : 256 MB
CPU : 1% system CPU
REST API
• Representational State Transfer (REST) is an architectural style for APIs, where data and functions are considered resources
• The key abstraction of information in REST is a resource
• REST has 6 guiding constraints which must be satisfied:
• Client-server
• Stateless
• Cacheable
• Uniform interface
• Layered system
• Code on demand (optional)
HTTP Methods for RESTful Services
• GET – used to read or fetch a representation of a resource
• PUT – used for updating / replacing a resource
• POST – used to create a resource
• PATCH – used for updating specific sections of a resource but not the complete resource
• DELETE – used to delete the resource identified by the URI
Ansible
Ansible - Introduction
• Ansible is a YAML-based, agentless configuration management and orchestration tool
• Can be used to deploy and configure nodes, and can also be used to run commands across all nodes in the network
• Allows users to roll out updates and new features into a staged production environment
• Minimizes downtime
• Ansible workflow:
• Define the workflow in Ansible playbooks
• Deploy the Ansible playbooks on control stations
• Ansible copies modules to remote hosts
• Ansible executes modules on remote hosts to complete the workflow
Ansible Components
• Modules – Typically written in Python. Executed by the Ansible ad-hoc CLI tool or via Ansible playbooks
• Inventory files – Contain the list of hosts operated by Ansible. Has host and group mapping definitions
• Playbooks – Contain the Ansible domain-specific language (DSL). Variables containing data for playbooks can be separated into YAML files
• Configuration files – Ansible-related configuration. Controls how the tool runs
Ansible CLI Tools
• ansible
• ansible-playbook
• ansible-vault
• ansible-pull
• ansible-docs
• ansible-galaxy
Steps for setting up environment
Local Machine
cd Ansible-local
git clone --recursive git://github.com/ansible/ansible.git
cd ./ansible
NX-OS
Leaf1# conf t
Leaf1(config)# feature nxapi
Leaf1(config)# end
[N9ks]
172.16.31.11
172.16.31.12
Test Execution
• Test ansible execution against inventory file
---
# Play header restored so the fragment runs against the [N9ks] inventory group
- hosts: N9ks
  gather_facts: no
  vars:
    provider:
      username: "{{ un }}"
      password: "{{ pwd }}"
      transport: nxapi
      host: "{{ inventory_hostname }}"
  tasks:
    - name: Adding VLAN using NXOS module "nxos_vlan"
      nxos_vlan:
        vlan_id: 210
        name: Ansible-Added-VLAN
        provider: "{{ provider }}"
Execute Ansible Playbook
• Execute Ansible playbook against inventory file
PLAY RECAP ************************************************************************
172.16.31.11 : ok=1 changed=1 unreachable=0 failed=0
172.16.31.12 : ok=1 changed=1 unreachable=0 failed=0
Puppet
Puppet Overview
• Puppet – An open source cross-platform system, developed by Puppet Labs, for automating system administration tasks
• It is a declarative language for describing system configuration
• Client/Server based application
• Server – puppetmaster
• Client – node or puppet
• Puppet is idempotent
• Detects the current state of the system
• Enforces only new configuration on the system
Manifests
• Manifests are files containing Puppet’s declarative language
• Help define relationships between resources within reusable modules
• The core of the Puppet language is declaring resources
• If one resource depends on another, the relationship should be explicitly stated
• A class is a set of common configurations – resources, variables, etc.
• Modules – collections of files and directories containing Puppet manifests
• Hierarchy
• Module { Manifest { Classes { Resources } . . . } . . . }
On-Box Python
POAP
POAP Overview
• Power-On Auto Provisioning (POAP) provides the capability of zero-touch provisioning
• Helps with rapid deployments for repeatable configurations
• Ensures consistent software and configuration across the network
• Easy replacement of failed hardware in the network
• No hassle of booting the device with the correct software, copying the correct configuration and then replacing the running configuration with it
• Gives users plug-and-play capability for any new device
Switch Bootup
Flowchart (switch boot-up): Power on switch → Abort POAP process? (yes / no) → Startup configuration exists? (yes / no)
Lesson 14: Implementing Network Security
AAA Overview
• Authentication, Authorization and Accounting (AAA) is an architectural framework for implementing security on a network device
• Authentication – provides a method for identifying users, challenge and response messaging and an encryption method (based on the security protocol being used)
• Authorization – refers to the method of granting specific types of privileges to an entity or a user based on the authentication. Provides a method for remote access control, per-user account lists and profiles, user group support, etc. This is done through remote security servers such as RADIUS and TACACS+.
• Accounting – refers to the tracking of consumption of network resources by users. Provides a method for collecting and sending security server information which is used for auditing, reporting, billing, resource analysis, etc.
AAA Accounting Support
• Network Accounting
• Connection Accounting
• EXEC Accounting
• System Accounting
• Command Accounting
Benefits of AAA
• Flexibility and access control for resources and services
• Scalability
• Standardized authentication methods
• Easy to manage users / passwords for each device in the network
• Centrally manage accounting logs
RADIUS Protocol
• RADIUS packets are sent to the server at UDP port 1812 for RADIUS authentication and UDP port 1813 for RADIUS accounting messages
Figure (message flow between the NX-OS device and the RADIUS server): Access-Accept; Accounting-Request (start) → Accounting-Response; Accounting-Request (stop) → Accounting-Response
TACACS+ Protocol
Figure (message flow between user, NX-OS device and TACACS+ server): User / password → Authentication (start); Authorization (start) → Response; Accounting (start) → Reply (success); Accounting (stop) → Reply (success)
AAA Server Parameters in NX-OS
• Dead Time – Specifies the interval that NX-OS waits, after declaring a RADIUS/TACACS+ server dead, before sending out a test packet to determine whether the server is now alive
• Timeout Value – Time the switch waits for a response before declaring all RADIUS/TACACS+ servers dead / unreachable
• Directed request – Allows the user to specify which RADIUS server the authentication request is sent to, by enabling the directed request option
• Retransmit – By default, a switch retries transmission to a RADIUS server only once before reverting to local authentication. You can increase this number up to a maximum of five retries per server
RBAC
• Role-based access control (RBAC) allows network administrators to define the rules for a role that restrict the authorization the user has for various operations on NX-OS
• User roles contain rules that define the operations allowed for the user assigned to that role
• Multiple rules per role
• Multiple roles allowed per user
• Default user roles (cannot be modified):
• network-admin – Complete read-write access to the entire NX-OS device
• network-operator or vdc-operator – Complete read access to the entire NX-OS device
RBAC Limitations
• Up to 256 users allowed on NX-OS
• Up to 256 rules per user role
• Can assign a maximum of 64 user roles to a user account
• User roles configured on the local device take precedence over the roles assigned to the user on the remote server: AAA roles are overridden when the same user name exists on both the local and the remote server
• Can add up to 64 user-defined feature groups in addition to the default feature group named L3
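To make the rule semantics from the two RBAC slides concrete, the following is an added example in Python (not Cisco code and not an NX-OS API): roles hold numbered permit/deny rules, rules are applied from the highest number down with the first match deciding, and the 256-rules-per-role and 64-roles-per-user limits are enforced. The cumulative treatment of multiple roles (any permitting role is enough) and the rule/operation vocabulary are assumptions made for the model.

```python
from dataclasses import dataclass, field

MAX_RULES_PER_ROLE = 256   # slide: up to 256 rules per user role
MAX_ROLES_PER_USER = 64    # slide: up to 64 user roles per user account

@dataclass(frozen=True)
class Rule:
    number: int
    action: str      # "permit" or "deny"
    operation: str   # "read", "read-write", "exec" or "*" (any operation)
    target: str      # feature or command group, e.g. "interface"; "*" = any

def _op_covers(rule_op: str, wanted: str) -> bool:
    """A read-write rule also covers read; '*' covers every operation."""
    if rule_op == "*":
        return True
    if rule_op == "read-write":
        return wanted in ("read", "read-write")
    return rule_op == wanted

@dataclass
class Role:
    name: str
    builtin: bool = False                        # default roles cannot be modified
    rules: dict = field(default_factory=dict)    # rule number -> Rule

    def add_rule(self, rule: Rule) -> None:
        if self.builtin:
            raise PermissionError(f"default role {self.name} cannot be modified")
        if rule.action not in ("permit", "deny"):
            raise ValueError("action must be permit or deny")
        if rule.number not in self.rules and len(self.rules) >= MAX_RULES_PER_ROLE:
            raise ValueError(f"{self.name}: limit of {MAX_RULES_PER_ROLE} rules reached")
        self.rules[rule.number] = rule           # reusing a number replaces that rule

    def permits(self, operation: str, target: str) -> bool:
        # NX-OS applies rules in descending number order; the first match wins.
        for number in sorted(self.rules, reverse=True):
            r = self.rules[number]
            if _op_covers(r.operation, operation) and r.target in ("*", target):
                return r.action == "permit"
        return False                             # nothing matched: implicit deny

# The two unmodifiable default roles named on the slide.
NETWORK_ADMIN = Role("network-admin", builtin=True,
                     rules={1: Rule(1, "permit", "read-write", "*")})
NETWORK_OPERATOR = Role("network-operator", builtin=True,
                        rules={1: Rule(1, "permit", "read", "*")})

@dataclass
class User:
    name: str
    roles: list = field(default_factory=list)

    def assign_role(self, role: Role) -> None:
        if len(self.roles) >= MAX_ROLES_PER_USER:
            raise ValueError(f"{self.name}: limit of {MAX_ROLES_PER_USER} roles reached")
        self.roles.append(role)

    def can(self, operation: str, target: str) -> bool:
        # Assumption: roles are cumulative, so one permitting role is enough.
        return any(role.permits(operation, target) for role in self.roles)

def demo() -> dict:
    """Constructed scenario: a custom role whose higher-numbered deny wins."""
    vlan_ops = Role("vlan-ops")
    vlan_ops.add_rule(Rule(1, "permit", "read", "*"))           # read anything ...
    vlan_ops.add_rule(Rule(2, "permit", "read-write", "vlan"))  # ... edit VLANs ...
    vlan_ops.add_rule(Rule(3, "deny", "read", "aaa"))           # ... but rule 3 beats rule 1
    alice = User("alice")
    alice.assign_role(vlan_ops)
    result = {"rw vlan": alice.can("read-write", "vlan"),
              "rw interface": alice.can("read-write", "interface"),
              "read aaa": alice.can("read", "aaa")}
    alice.assign_role(NETWORK_OPERATOR)   # cumulative roles re-open read access
    result["read aaa with operator role"] = alice.can("read", "aaa")
    return result
```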
AAA Configuration
• Using a RADIUS or TACACS+ server group for the default login authentication method
! RADIUS Server
nexus(config)# aaa authentication login default group radius1
! TACACS+ Server
nexus(config)# aaa authentication login default group tacacs1
AAA Configuration
! Print expiry date for remote user login
nexus(config)# aaa authentication login password-aging
Demo – RBAC – Secure Password
Demo – RBAC – Roles and Rules
ACI Contracts
Why do we need Contracts?
• End Point Group (EPG) – A group that contains multiple endpoints (VMs / bare-metal servers / etc.)
• Contracts – Provide access between EPGs
• Are used to define relationships
• Implicit deny for EPG-to-EPG access
• All endpoints in an EPG have the same security posture
• Granular access in the fabric can be achieved natively by breaking up EPGs so that all VMs / endpoints in an EPG have the exact same security posture
Components of Contract
• Contract – Specifies the subjects, scope, description
• EPG – Specifies which contracts to consume or provide
• Filter – Specifies the “filter-entries” Layer 4 information such as protocol and port(s)
• Subject – Specifies the filters and direction (unidirectional or bidirectional)
• Action – Action to be taken on the filtered traffic within a subject (required within a subject)
• Label – (optional) when used, labels allow for a more complex definition of relationships within the policy model
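The two slides above describe the objects; the following is an added example in Python (not Cisco ACI code) that evaluates an EPG-to-EPG flow against them: EPGs provide or consume contracts, a contract holds subjects, a subject holds filter entries plus a direction and an action, and anything no contract permits falls under the implicit deny. The three-tier EPGs and ports are constructed sample data; labels, scope and the return-traffic port reversal of a real fabric are not modelled.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class FilterEntry:
    protocol: str                  # "tcp", "udp", "icmp" or "ip" (any protocol)
    dport_from: int = 0            # destination port range (whole range by default)
    dport_to: int = 65535

    def matches(self, protocol: str, dport: int) -> bool:
        if self.protocol != "ip" and self.protocol != protocol:
            return False
        return self.dport_from <= dport <= self.dport_to

@dataclass
class Subject:
    name: str
    filters: list                  # FilterEntry objects (the "filter-entries")
    action: str = "permit"         # the required action: "permit" or "deny"
    bidirectional: bool = True     # False = consumer-to-provider direction only

@dataclass
class Contract:
    name: str
    subjects: list

@dataclass
class EPG:
    name: str
    provides: set = field(default_factory=set)   # names of contracts provided
    consumes: set = field(default_factory=set)   # names of contracts consumed

class Fabric:
    def __init__(self, epgs, contracts):
        self.epgs = {e.name: e for e in epgs}
        self.contracts = {c.name: c for c in contracts}

    def permitted(self, src: str, dst: str, protocol: str, dport: int) -> bool:
        """True only if some contract relationship allows this flow."""
        if src == dst:
            return True            # endpoints of one EPG share a security posture
        s, d = self.epgs[src], self.epgs[dst]
        verdicts = []
        for c in self.contracts.values():
            c2p = c.name in s.consumes and c.name in d.provides   # consumer -> provider
            p2c = c.name in s.provides and c.name in d.consumes   # provider -> consumer
            for subj in c.subjects:
                if not (c2p or (p2c and subj.bidirectional)):
                    continue
                if any(f.matches(protocol, dport) for f in subj.filters):
                    verdicts.append(subj.action)
        if "deny" in verdicts:     # an explicit deny beats any permit
            return False
        return "permit" in verdicts   # no verdict at all = implicit deny

def three_tier() -> Fabric:
    """Constructed sample with the slide's Users / Web Farm / App Servers / DB Farm."""
    users = EPG("Users", consumes={"External-Web"})
    web = EPG("Web Farm", provides={"External-Web"}, consumes={"Web-App"})
    app = EPG("App Servers", provides={"Web-App"}, consumes={"App-DB"})
    db = EPG("DB Farm", provides={"App-DB"})
    contracts = [
        Contract("External-Web", [Subject("web", [FilterEntry("tcp", 80, 80),
                                                  FilterEntry("tcp", 443, 443)])]),
        Contract("Web-App", [Subject("api", [FilterEntry("tcp", 8080, 8080)])]),
        # only the App tier may open connections to the database port
        Contract("App-DB", [Subject("sql", [FilterEntry("tcp", 1433, 1433)],
                                    bidirectional=False)]),
    ]
    return Fabric([users, web, app, db], contracts)
```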
Subjects
Figure (External-Web contract): each Subject combines a Filter, an Action and a Label; contracts sit between Users, Web Farm, App Servers and DB Farm
Communication between objects on the network can be thought of as one- or two-way conversations (monologue/dialogue).
The Provider Consumer Relationship
Figure (provider/consumer relationship): Users → Web Farm (provides Web Services) → App Servers (provides App Services) → DB Farm
Another Way of looking at EPGs
EPGs can be thought of as cells with a membrane (contract) defining what gets in and out.
For Complex Relationships
First-Hop Security
First-Hop Security Features
Attack – Mitigating feature – Capability
MAC spoofing by rogue virtual machine – Port Security – Restricts MAC addresses on a port.
IPv6 address spoofing by an infected virtual machine – IPv6 Source Guard – Validates the IP source on a per port/MAC/VLAN basis.
ND cache poisoning on other virtual machines, hosts and network devices – IPv6 snooping – Monitors ND & DHCP traffic and gleans address assignments. Feeds Source & Destination guard with the list of valid source & destination addresses.
Rogue DHCP server – DHCPv6 guard – Prevents untrusted entities from acting as DHCP servers.
Rogue routers – RA Guard – Prevents untrusted entities from acting as routers.
RA Guard
• Defined in RFC 6105, RA Guard is a feature that allows the user of a Layer 2 switch to configure which of the switch ports face routers
• Router Advertisements received on any other port are dropped, hence never making it to the end-hosts on the link
• RA Guard can perform further deep packet inspection to validate the source of the RA, the prefix list, the preference and any other information carried
• Is used to inspect router Neighbor Discovery (ND) traffic, e.g. Router Solicitations (RS), Router Advertisements (RA) and Redirects, and to drop any bogus messages
RA Guard Policy Sub-Config Options
Sub-Configuration Option – Description
device-role [host | router | monitor | switch] – Defines the role of the device attached to the port, which can be host, router, monitor or switch.
hop-limit [maximum | minimum limit] – Verifies the specified hop-count limit. If not configured, the check is bypassed.
managed-config-flag [on | off] – Verifies that the advertised managed-config flag is on or off. If not configured, this check is bypassed.
other-config-flag [on | off] – Verifies that the advertised other-config flag is on or off.
DHCP Snooping
DHCP Snooping Overview
• A Layer-2 security feature
• Mitigates DoS attacks that can be engineered with DHCP messages and helps avoid IP spoofing attacks
• Works on two levels:
• Discovery – includes the functions of intercepting DHCP messages and building a database of {IP address, MAC address, Port, VLAN}, a.k.a. the binding table
• Enforcement – includes the functions of DHCP message validation, rate limiting, and conversion of DHCP broadcasts to unicasts.
DHCP Snooping Overview
• Provides the following security features:
• Prevention of DoS attacks through DHCP messages
• DHCP message validation
• Creation of a DHCP binding table that helps validate DHCP messages
• Option 82 insertion / removal
• Rate limiting the number of DHCP messages on an interface
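The two DHCP snooping slides above describe discovery and enforcement; the following is an added example in Python (not Cisco code) that runs both over a constructed message sequence: a binding table is learned from server ACKs on a trusted port, and on untrusted ports server messages, MAC/chaddr mismatches, RELEASE/DECLINE without a matching binding and bursts above a per-port rate limit are dropped. Port names, MACs, addresses, the 10-second-free sliding window and err-disabling on rate-limit violation are assumptions of the model; Option 82 and broadcast-to-unicast conversion are not modelled.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

SERVER_MESSAGES = {"OFFER", "ACK", "NAK"}   # legitimate only from the server side

@dataclass(frozen=True)
class DhcpMsg:
    t: float        # arrival time in seconds
    port: str       # ingress interface
    vlan: int
    src_mac: str    # Ethernet source address
    chaddr: str     # client hardware address carried inside the DHCP payload
    kind: str       # DISCOVER, OFFER, REQUEST, ACK, NAK, RELEASE or DECLINE
    ip: str = ""    # yiaddr for OFFER/ACK, ciaddr for RELEASE/DECLINE

class DhcpSnooping:
    def __init__(self, trusted, rate_limit_pps=15):
        self.trusted = set(trusted)         # ports facing the real DHCP server
        self.rate_limit = rate_limit_pps    # client messages per second per port
        self.bindings = {}                  # ip -> (mac, port, vlan): binding table
        self.pending = {}                   # client mac -> (port, vlan) awaiting ACK
        self.errdisabled = set()
        self._recent = defaultdict(deque)   # per-port arrivals in the last second

    def _over_rate(self, m: DhcpMsg) -> bool:
        q = self._recent[m.port]
        q.append(m.t)
        while q and q[0] <= m.t - 1.0:
            q.popleft()
        return len(q) > self.rate_limit

    def process(self, m: DhcpMsg) -> str:
        """Enforcement: returns 'forward' or 'drop: <reason>'."""
        if m.port in self.errdisabled:
            return "drop: port err-disabled"
        if m.port in self.trusted:
            # Discovery: learn {IP, MAC, port, VLAN} from the server's ACK
            if m.kind == "ACK" and m.chaddr in self.pending:
                port, vlan = self.pending.pop(m.chaddr)
                self.bindings[m.ip] = (m.chaddr, port, vlan)
            return "forward"
        if self._over_rate(m):
            self.errdisabled.add(m.port)
            return "drop: rate limit exceeded, port err-disabled"
        if m.kind in SERVER_MESSAGES:
            return "drop: server message on untrusted port"
        if m.src_mac != m.chaddr:
            return "drop: source MAC does not match chaddr"
        if m.kind in ("RELEASE", "DECLINE"):
            # only the lease holder, on the port it was learned on, may drop it
            if self.bindings.get(m.ip) != (m.chaddr, m.port, m.vlan):
                return "drop: no matching binding"
            del self.bindings[m.ip]
            return "forward"
        self.pending[m.chaddr] = (m.port, m.vlan)   # remember where the client sits
        return "forward"

def demo(limit: int = 3) -> dict:
    """Constructed sequence: Eth1/48 faces the server, all other ports are access ports."""
    sw = DhcpSnooping(trusted={"Eth1/48"}, rate_limit_pps=limit)
    client, server, other = "00:11:22:33:44:55", "00:50:56:aa:bb:cc", "00:aa:bb:cc:dd:ee"

    def msg(t, port, src, chaddr, kind, ip=""):
        return DhcpMsg(t, port, 10, src, chaddr, kind, ip)

    v = {}
    v["discover"] = sw.process(msg(0.0, "Eth1/1", client, client, "DISCOVER"))
    v["offer on access port"] = sw.process(msg(0.1, "Eth1/2", other, client, "OFFER", "10.0.10.99"))
    v["server ack"] = sw.process(msg(0.2, "Eth1/48", server, client, "ACK", "10.0.10.20"))
    v["release from wrong port"] = sw.process(msg(0.3, "Eth1/3", client, client, "RELEASE", "10.0.10.20"))
    v["chaddr mismatch"] = sw.process(msg(0.4, "Eth1/3", other, client, "REQUEST"))
    for i in range(limit + 2):   # limit+1 messages inside one second trips err-disable
        v[f"burst {i}"] = sw.process(msg(1.0 + i * 0.1, "Eth1/5", other, other, "DISCOVER"))
    v["bindings"] = dict(sw.bindings)
    return v
```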
CoPP Policies
CoPP Overview
• Control Plane Policing (CoPP) – security feature that leverages Nexus hardware to regulate or limit traffic destined to the CPU
• Provides a distributed policing mechanism that is synchronized across individual forwarding engines
• Applied as an input QoS policy to a special interface called control-plane
• Exception Logic – Separates data and control plane packets
• Classification – Identifies DoS attack packets
• Service Policies – Mark, drop or police
CoPP Policy Classification
CoPP Profiles
• When a Nexus platform boots up, NX-OS installs a default CoPP policy named copp-system-policy
• NX-OS also comes with different profile settings for CoPP, to provide different protection levels to the system
• Strict: Defines a BC value of 250 ms for regular classes and 1000 ms for the important class.
• Moderate: Defines a BC value of 310 ms for regular classes and 1250 ms for the important class.
• Lenient: Defines a BC value of 375 ms for regular classes and 1500 ms for the important class.
• Dense: Recommended when the chassis has more F2 line cards than other I/O modules. Introduced in release 6.0(1).
CoPP Policies Pre-defined Classes
• Critical: Routing protocol packets with IP precedence value 6
• Important: Redundancy protocols such as GLBP, VRRP, and HSRP
• Management: All management traffic, such as Telnet, SSH, FTP, NTP, and RADIUS
• Monitoring: Ping and traceroute traffic
• Exception: ICMP unreachables and IP options
• Undesirable: All unwanted traffic
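To show what the profile BC values and the pre-defined classes above mean for traffic reaching the CPU, the following is an added example in Python (not Cisco code, not the real copp-system-policy): packets are mapped onto the slide's classes, each class gets a single-rate token-bucket policer whose burst allowance is the profile's BC converted from milliseconds to bytes, and only the important class receives the larger BC. The per-class committed rates, the port and protocol tables and the burst scenario are constructed assumptions, since the slides quote no CIR figures.

```python
from dataclasses import dataclass

# Bc per profile from the slide: (regular classes, important class), in milliseconds
PROFILE_BC_MS = {"strict": (250, 1000), "moderate": (310, 1250), "lenient": (375, 1500)}

# Constructed per-class committed rates in bps; the slide quotes no CIR figures
CLASS_CIR_BPS = {"critical": 1_000_000, "important": 100_000, "management": 500_000,
                 "monitoring": 100_000, "exception": 100_000, "undesirable": 100_000}

MGMT_PORTS = {21, 22, 23, 123, 1812, 1813}          # FTP, SSH, Telnet, NTP, RADIUS
ROUTING_PROTOCOLS = {"ospf", "eigrp", "bgp", "isis"}
REDUNDANCY_PROTOCOLS = {"glbp", "vrrp", "hsrp"}

@dataclass(frozen=True)
class Pkt:
    t: float                # arrival time in seconds
    size: int               # bytes
    proto: str              # "tcp", "udp", "icmp", "ospf", "hsrp", ...
    dport: int = 0
    precedence: int = 0     # IP precedence 0-7
    icmp_type: int = -1
    ip_options: bool = False

def classify(p: Pkt) -> str:
    """Map a CPU-bound packet onto the slide's pre-defined CoPP classes."""
    if p.proto in ROUTING_PROTOCOLS and p.precedence == 6:
        return "critical"
    if p.proto in REDUNDANCY_PROTOCOLS:
        return "important"
    if p.proto in ("tcp", "udp") and p.dport in MGMT_PORTS:
        return "management"
    if p.proto == "icmp" and p.icmp_type in (0, 8):           # ping
        return "monitoring"
    if p.proto == "udp" and 33434 <= p.dport <= 33534:        # traceroute probes
        return "monitoring"
    if (p.proto == "icmp" and p.icmp_type == 3) or p.ip_options:
        return "exception"                                    # unreachables, IP options
    return "undesirable"

class TokenBucket:
    """Single-rate policer: CIR in bps, burst allowance (Bc) given in milliseconds."""
    def __init__(self, cir_bps: int, bc_ms: int):
        self.rate = cir_bps / 8.0                     # bytes per second
        self.capacity = self.rate * bc_ms / 1000.0    # Bc converted to bytes
        self.tokens = self.capacity
        self.last = 0.0

    def conform(self, t: float, size: int) -> bool:
        self.tokens = min(self.capacity, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if size <= self.tokens:
            self.tokens -= size
            return True
        return False                                  # violate: dropped before the CPU

class ControlPlane:
    """One policer per class; only the important class gets the larger Bc."""
    def __init__(self, profile: str):
        regular, important = PROFILE_BC_MS[profile]
        self.policers = {cls: TokenBucket(cir, important if cls == "important" else regular)
                         for cls, cir in CLASS_CIR_BPS.items()}

    def police(self, p: Pkt):
        cls = classify(p)
        return cls, self.policers[cls].conform(p.t, p.size)

def burst_survivors(profile: str, proto: str, count: int = 200, size: int = 1000) -> int:
    """Packets of a single burst at t=0 that still reach the CPU under a profile."""
    cp = ControlPlane(profile)
    return sum(cp.police(Pkt(0.0, size, proto))[1] for _ in range(count))
```

With equal CIRs the only difference between the undesirable and important classes is the BC, so a 200-packet burst leaves 3 undesirable packets but 12 (strict), 15 (moderate) or 18 (lenient) HSRP packets for the CPU.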