UCS - Disjoined L2 - Security

I haven't seen many documents on Disjoined L2 UCS deployment (on security). We have a UCS chassis (5108) with a few B230s on it. We want to use the same chassis for both the internal LAN and the DMZ.
Obviously the first question that comes up is security. We know that UCS in EHM doesn't act like a switch (with regard to unicasts & broadcasts), but is the design secure enough, logically and physically? Has anyone come across any security limitations with disjoined L2?
Our thinking was:
1) Isolation is done anyway on the links going from the FIs to the upstream switches: internal LAN vNICs go through a different pinned uplink than the DMZ.
2) Should we consider separate blades for the DMZ, or is running both DMZ and internal on the same blade fine (with different vSwitches)?
3) How about the links going from the 2204 FEX to the FI? I know that the vNICs are built on automatically generated port channels, but is it possible to use 2 different sets of links for internal and DMZ?
Regards
Raj

I guess it all depends on the organization's security posture. I am finding gov't institutions slow to adopt the segregation mechanisms that UCS and the Nexus products provide, mostly as a result of their lack of understanding of the technology and how it's implemented.
Some people have issues with "mixing" data in the FIs from the different zones. On the other hand, financial institutions seem to be more willing/understanding of the technology in question. But we still see clients requesting physical hardware separation in the DMZ.
The current implementation of disjointed L2 works quite well but requires some planning when configuring your vNICs. As you know, by default all VLANs are accessible on all ports. Disjointed L2 is similar to "switchport trunk allow" in the switching world.

Similar Messages

  • UCS KVM Manager Security Prompt

    Since setting our UCS Manager to use HTTPS, we get security prompts when opening the KVM manager.
    After doing some traces, it looks like the KVM manager makes the following HTTP calls:
    http://fpdownload.adobe.com/pub/swz/crossdomain.xml
    http://fpdownload.adobe.com/crossdomain.xml
    As a result, the HTTPS version of the KVM manager prompts saying there is unsecured content (the HTTP calls) on the page.
    It's not a huge deal to hit yes or no to get past it, but it seems like some lazy programming.
    Any ideas on if this will get fixed? The fpdownload.adobe.com pages are available over HTTPS, which would fix the issue.
    We are running 1.4.1j.

    OK...here's a link to the Cisco Bug Toolkit:
    http://tools.cisco.com/Support/BugToolKit/action.do?hdnAction=searchBugs
    I just opened CSCtn08512.  Might be a bit until it is viewable.  Of course, I could have missed an existing bug and it might be scrapped.
    Hope that helps!
    --Justin

  • Security with disjoined l2 networks

    Hi
    What are the security features of UCS when working in disjoined L2 networks?
    If we have the UCS connecting both to the internal segment and to another layer 2 segment in the external DMZ, is it safe?
    We have 2 blades and want to configure both the internal and DMZ VMs on ESX running on them. I see we can run VSGs with N1KVs, but without VSGs are we compromising on security?
    Regards
    Raj

    Hi Gokulakrishnan -
    Yes - the NAC Appliance is a hw/sw solution for you.
    There are a few components
    - the NAC Manager - this is where the policy is defined (also called CAM)
    - the NAC Server - this enforces the policy and is placed nearest the user (also called CAS)
    - the NAC Agent - this installs on the computers to provide posture information
    Eval Units are available through your account team.
    Please let me know if you have additional questions.
    thxs
    peter

  • UCS secure boot - should I enable?

    C220 M3 server shipped with 1.5(4d). Looking to upgrade to ucs-c220-huu-2.0.1a. This is the recommended release on cisco.com. Anyone have experience or recommendations on this? Should I use v2.0.1a and/or enable secure boot? Thanks!

    If you're talking about Secure Boot then I'm assuming you're talking about UEFI.
    If so, and you're planning on running VMware, you may want to look at 2.0(3d)1 that came out a couple of days ago. This has a fairly critical fix for an issue where the onboard LOMs won't detect and load drivers properly in VMware when the system is booted with UEFI (this will prevent you installing VMware under UEFI, but it will work under legacy BIOS). 2.0(1)a still has this bug.
    I'm running 2.0(3d)1 and it seems to be good so far.

  • CUCM security password recover on a UCS c220

    Hello, I'm trying to recover my security password on my CUCM v10,
    but there is a step saying that I have to insert a CD.
    I have a C220; where the hell will I insert this CD so I can recover it???? It's confusing, there is no disk drive on the C220!!!!
    Thanks & Best Regards,

    Yes, you will need to reboot the CUCM cluster (if you have more than one server) after changing the security password.
    Version 10 specific ref:
    http://www.cisco.com/c/en/us/td/docs/voice_ip_comm/cucm/cucos/10_0_1/CUCM_BK_C2F2626C_00_cucm-os-admin-guide-100/CUCM_BK_C2F2626C_00_cucm-os-admin-guide-100_chapter_010.html#CUCM_TK_R280FDB4_00
    You must reset each node in a cluster after you change its security password. Failure to reboot the nodes causes system service problems and problems with the Cisco Unified Communications Manager Administration windows on the subscriber nodes.
    -Terry

  • Please tell me how to connect with FCoE UCS-mini and Nexus N5k (N5K-C5548UP-B-S32)

    I have UCS 5108 Blade Server Chassis (with two B200 M3 Blade Servers inside and two FI 6324) connected to Nexus N5k switch through 4x10GE links.
    I want to configure the two aggregated FCoE channels (vFC) from the chassis to the switch.
    All instructions I've seen refer to the fact that UCS-mini must be in FC end-host mode, but UCSM version 3.0 does not support this mode. What should I do?
    I set up following the instructions www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/116248-configure-fcoe-00.html
    But, after setup I have a fault on fabric: FCoE or FC uplink is down on Vsan 500;
    And in Nexus: Vsan 500 is down (waiting for flogi)
    When I do "show interface vfc 1" from Nexus CLI I see no 'Trunk vsans (up)', but
    'Trunk vsans (initializing)             (500)'
    Unfortunately, I can't find technical notes for UCS mini (with UCSM v. 3.0), so maybe you can point me to any guides or suggestions for this?
    Thank You in advance!

    The release notes of 3.0.1e, which is for UCS-mini,
    http://www.cisco.com/c/en/us/td/docs/unified_computing/ucs/release/notes/ucs_3_0_rn.html
    says:
    Unsupported Features
    The following features are not supported in Cisco UCS Manager, Release 3.0:
    Features, defect fixes, and platforms introduced in Cisco UCS Manager, Release 2.2(2c) and newer that are not explicitly called out in New Features or Resolved Caveats sections of this document.
    Some features introduced in Cisco UCS Manager, Release 2.2(1b) and earlier releases:
    – Ethernet Switching Mode
    – FC End Host Mode
    – Private VLANs
    – Port Security
    – KVM Virtualization is not tested (although not explicitly disabled)

  • Post-provisioning workflow in UCS Director

    Hi
    I created a service request in UCS director (v4.1) to provision a VM.
    Additionally I created/added a post-provisioning workflow to that service request with the purpose of sending a custom report upon completing the provisioning process.
    The question here: how can I access the provisioned VM details from my custom workflow task's Cloupia script without asking the user to enter them manually? I am interested in getting details like the assigned IP address of the VM and its hostname at least, and then building some logic around them.
    Thanks in advance

    Hello Sandeep,
    Following are the key high points of UCSD, or where it is better than what other vendors are providing.
    1) Enable Automation & Self Service through Workflows, Triggers, & Tasks.
    2) Lifecycle Management Controls.
    3) Automated adaptive provisioning.
    4) Multi-tenant Security.
    5) Single pane of glass for continuous capacity monitoring.
    6) Chargeback.
    7) Orchestrator & workflow designer.
    8) CloudSense Analytics.
    9) Multi-hypervisor support.
    10) Multi-cloud support.
    Regards,
    Shahzad

  • Aaa ldap problem on UCS Manager

    Hi all,
    I'm working on UCS Manager Suite and I would like to configure the authentication method using the LDAP protocol (AD: Windows 2008 R2 Standard Edition).
    I followed this configuration guide:
    http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/sample_configurations/UCSM_1_4_LDAP_with_AD/b_Sample_Configuration_LDAP_with_AD.pdf
    but I obtained the message: authentication failed.
    10.164.85.2 (UCS Manager)
    10.164.85.21 (AD)
    I have some doubt regarding the "Non-Admin Bind User Account": what are the privileges that it needs?
    Attached is a Wireshark capture taken on the AD server.
    Regards.
    Dino

    Hi Brian,
    I deleted the LDAP provider profile and reconfigured a new profile with the same parameters, and now it works.
    I already used the "aaa test server" command to verify authentication and it works, BUT if I check the output of
    scope security
    scope ldap
    show server
    I obtain the same output:
    LDAP server:
        Hostname or IP address   DN to search and read                              Port  SSL  Password
        10.164.85.21             CN=ucs binduser,OU=DDUsers,DC=didata-dc,DC=local   389   No
    I expected **** under the Password column.
    Thank you for support.
    Regards.
    Dino

  • Secure Network Servers (SNS) in ISE version 1.1.4

    Hi board,
    I'm quite confused about the supported ISE versions for the new Cisco Secure Network Server 3415 and 3495.
    In nearly all documents it is stated that support for this HW will be introduced with ISE 1.2.
    For example ISE Q&A
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11637/ps11195/qa_c67-658591.html
    What else is being released with ISE 1.2*?
    A. Two new hardware platforms called the Cisco Network Secure Servers*. These new servers bring scalability improvement as they are based on the powerful Cisco UCS® C220 Rack Server platform and configured to support the Cisco Identity Services Engine* (ISE), Network Admission Control (NAC), and Access Control System (ACS) security applications. The multiuse Cisco Secure Network Servers offer many improvements over current ISE, ACS, and NAC appliances, and are the platform recommended to deploy newer versions of these applications. During ordering, customers can specify which security application they would like to have installed. See the Product Details section for more information.
    On the other hand, in the 1.1.x release notes it's stated that the HW is supported in the current 1.1.4 release:
    http://www.cisco.com/en/US/docs/security/ise/1.1.1/release_notes/ise111_rn.html#wp417581
    New Features in Cisco ISE, Release 1.1.4: Cisco ISE, Release 1.1.4 provides support for the Cisco SNS 3400 Series appliance. For details on installing and configuring the Cisco SNS 3400 Series appliance, refer to the ISE 1.1.4 Installation Guide at the following location:
    What is true now? Which HW appliance do I choose if I want to order today?
    I don't want to order the old appliances (33xx), because their EoL is already announced:
    http://www.cisco.com/en/US/prod/collateral/vpndevc/ps5712/ps11640/eol_C51-728424.html
    Thanks!

    Hi Johanne,
    Cisco ISE software is packaged with your appliance or image for installation. Cisco ISE, Release 1.2 is shipped on the following platforms. After installation, you can configure Cisco ISE with specified component personas (Administration, Policy Service, and Monitoring) or as an Inline Posture node on the platforms.
    Supported Hardware and Personas (bracketed numbers are the footnotes of the original table):
    Cisco SNS-3415-K9 (small), persona configuration: Any
    •Cisco UCS [1] C220 M3
    •Single socket Intel E5-2609 2.4-GHz CPU, 4 total cores, 4 total threads
    •16-GB RAM
    •1 x 600-GB disk
    •Embedded Software RAID 0
    •4 GE network interfaces
    Cisco SNS-3495-K9 [2] (large), persona configuration: Administration, Policy Service, Monitor
    •Cisco UCS C220 M3
    •Dual socket Intel E5-2609 2.4-GHz CPU, 8 total cores, 8 total threads
    •32-GB RAM
    •2 x 600-GB disk
    •RAID 0+1
    •4 GE network interfaces
    Cisco ISE-3315-K9 (small), persona configuration: Any
    •1x Xeon 2.66-GHz quad-core processor
    •4 GB RAM
    •2 x 250 GB SATA [3] HDD [4]
    •4x 1 GB NIC [5]
    Cisco ISE-3355-K9 (medium), persona configuration: Any
    •1x Nehalem 2.0-GHz quad-core processor
    •4 GB RAM
    •2 x 300 GB 2.5 in. SATA HDD
    •RAID [6] (disabled)
    •4x 1 GB NIC
    •Redundant AC power
    Cisco ISE-3395-K9 (large), persona configuration: Any
    •2x Nehalem 2.0-GHz quad-core processor
    •4 GB RAM
    •4 x 300 GB 2.5 in. SAS II HDD
    •RAID 1
    •4x 1 GB NIC
    •Redundant AC power
    Cisco ISE-VM-K9 (VMware), persona configuration: Stand-alone Administration, Monitoring, and Policy Service (no Inline Posture)
    •For CPU and memory recommendations, refer to the "VMware Appliance Sizing Recommendations" section in the Cisco Identity Services Engine Hardware Installation Guide, Release 1.2 [7]
    •Hard Disks (minimum allocated memory):
    – Stand-alone: 600 GB
    – Administration: 200 GB
    – Policy Service and Monitoring: 600 GB
    – Monitoring: 500 GB
    – Policy Service: 100 GB
    •NIC: 1 GB NIC interface required (You can install up to 4 NICs.)
    •Supported VMware versions include:
    – ESX 4.x
    – ESXi 4.x and 5.x
    Footnotes:
    [1] Cisco Unified Computing System (UCS)
    [2] Inline posture is a 32-bit system and is not capable of symmetric multiprocessing (SMP). Therefore, it is not available on the SNS-3495 platform.
    [3] SATA = Serial Advanced Technology Attachment
    [4] HDD = hard disk drive
    [5] NIC = network interface card
    [6] RAID = Redundant Array of Independent Disks
    [7] Memory allocation of less than 4GB is not supported for any VMware appliance configuration. In the event of a Cisco ISE behavior issue, all users will be required to change allocated memory to at least 4GB prior to opening a case with the Cisco Technical Assistance Center.
    Please check the following link for further information.
    https://supportforums.cisco.com/message/3986953#3986953

  • Problem using a group which has a space in its DN when using LDAP Group mappings in UCS 1.4

    Hey,
    We've been implementing LDAP authentication (Active Directory) using LDAP group mapping in UCS 1.4, and we've noticed that when using a group which has a DN with a space in it (such as "UCS Admins") it wouldn't authenticate the user with the appropriate role.
    Using a DN without spaces (such as "UCSAdmins") works just fine.
    I should mention that having a base DN with spaces works just fine as well; it's just the group mappings that don't work.
    I should also mention that Cisco's "Quick guide to configuring ldap for ucs 1.4" shows an example in which the group's DN doesn't include a space.
    Is there a workaround available which makes it possible to use a group which has a space in its name?
    Thanks,
    Dor

    Hey Roman,
    Thanks for your prompt reply.
    We've tried putting quotes using UCSM which is not possible at all - not for the entire entry nor for the part with spaces.
    We've also tried using CLI ("scope security/ldap/ldap-group") where you have to put quotes if you use a DN with spaces, and it still doesn't work. Furthermore, we tried adding quotes only to the part with the spaces, i.e. - CN="UCS Admins",OU=TEST,DC=TEST. It adds the entry without an error, but shows like we would use "CN=UCS Admins,OU=TEST,DC=TEST". Anyway, it doesn't work either.
    Thanks again,
    Dor

  • Adding SAN through web-security and Creating CSR for Tomcat (CUCM 10.5) to be signed by Third Party CA

    Hi Guys,
    Wondering if anyone has done this or could suggest the needful.
    We are running a CUCM 10.5 cluster and currently using a self-signed certificate for Tomcat. Now, we would like to get it signed by a third party CA.
    Just to be clear, we are doing this for Jabber clients so they do not get prompted about an invalid certificate.
    Now the issue: the CUCM is using an IP address as its hostname and for that reason we had to add the desired IP address under SAN (alternate name) through the set web-security command. We did that successfully and restarted the Tomcat service, and when we run the show web-security command, it does show the added SAN:
     altNames: 2 names
              1) UCS-CUCM-UB.domain (dNSName)
              2) 10.x.x.x (dNSName)
    But when we try to generate the new CSR, it doesn't contain the modified SAN, just the first one, i.e. only 1) UCS-CUCM-UB.domain (dNSName).
    Is there anything we missed here to get the added SAN populated in the new CSR?
    Regards
    M

    Hi Gordon,
    Thank you for your prompt response. For the recommendation, you are right, but we don't want to initiate that change for now unless there is no other option left.
    While Generating new CSR, under SAN, there is only Parent Domain field which is populated with our domain name. How should I add the IP address there ?
    Regards

  • NULL SID Security Log Event ID 4625 when attempting logon to 2008 R2 Remote Desktop Session Host

    This is a new deployment of Server 2008 R2 in a newly created 08 R2 Active Directory on a newly installed 08 R2 RDSH server.
    A new generic user is created in AD. That user can log on to the terminal server on the console just fine. But that user cannot log on via RDP. Furthermore, the domain admin credentials also cannot log on via RDP.
    When either set of credentials is used, the logon attempt is registered in the Windows Security Event Log as a denied attempt with Event ID 4625 reporting a NULL SID.
    Troubleshooting: The RDSH has already been disjoined and rejoined to the domain. Also, a curious note: there are three ways to save the user account on the RDSH server as a valid user account which has permission to log on. The one Microsoft recommends is to open Computer Management and edit the Remote Desktop Users group. When I add the accounts here and click Apply, they immediately disappear. Secondly, I can open the computer properties and go to the Remote tab. There I find the user accounts added using the previous method are enumerated but not displaying correctly. They show up with the RDSH server name and a question mark. The last way is to open the Remote Desktop Session Configuration tool, edit the properties of the RDP connection and go to the Security tab. This was the only place I could get a user to 'stick', but the logon attempts still show a NULL SID and access is denied.
    I have scoured every bit of RDS documentation I can find with no luck.
    Thanks,
    Chris

    I am also experiencing this issue.
    2008 servers, 2007 Exchange on Server 2008.
    These are fresh servers, fresh AD. Users can log onto the domain normally; RDP is not working for admin accounts, generating the same errors as posted above.
    The bigger issue is that we have a Cisco messaging service account that is generating this error on the DCs and the Exchange server as well. The service basically emails users' voicemails to their inbox. The user we've created for the Cisco service is unable to authenticate to the Exchange server, in turn generating the same errors posted above as well. We can log on to the domain with this account just fine.
    Any ideas on this? We have not tried re-adding the servers to the domain.
    Log Name:      Security
    Source:        Microsoft-Windows-Security-Auditing
    Date:          5/5/2010 9:01:13 AM
    Event ID:      4625
    Task Category: Logon
    Level:         Information
    Keywords:      Audit Failure
    User:          N/A
    Computer:      xx.corp
    Description:
    An account failed to log on.
    Subject:
        Security ID:            NULL SID
        Account Name:           -
        Account Domain:         -
        Logon ID:               0x0
    Logon Type:                 3
    Account For Which Logon Failed:
        Security ID:            NULL SID
        Account Name:           xxxx
        Account Domain:         xxxx
    Failure Information:
        Failure Reason:         Domain sid inconsistent.
        Status:                 0xc000006d
        Sub Status:             0xc000019b
    Process Information:
        Caller Process ID:      0x0
        Caller Process Name:    -
    Network Information:
        Workstation Name:       laptop
        Source Network Address: -
        Source Port:            -
    Detailed Authentication Information:
        Logon Process:          NtLmSsp
        Authentication Package: NTLM
        Transited Services:     -
        Package Name (NTLM only): -
        Key Length:             0
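    For the 4625 / NULL SID symptom discussed in this thread, an added triage script (not from the thread; the sample export is constructed, with invented accounts, hosts and SID) that parses Event Viewer text exports and separates the "Domain sid inconsistent" sub-status 0xc000019b from ordinary bad-password failures, so the two are not chased as the same problem:

```python
import re

# 0xc000019b is the sub-status the quoted event carries with the text
# "Domain sid inconsistent"; the others are common 4625 sub-statuses.
SUB_STATUS_HINTS = {
    "0xc000019b": "Domain sid inconsistent: machine/trust SID mismatch, not a bad password",
    "0xc000006a": "wrong password",
    "0xc0000064": "user name does not exist",
    "0xc0000072": "account disabled",
    "0xc0000234": "account locked out",
}
LINE_RE = re.compile(r"^(\s*)([^:]+?):\s*(.*?)\s*$")

# Constructed sample export (accounts, hosts and SID invented), shaped like the
# event quoted in the thread: one SID-inconsistency failure, one bad password.
SAMPLE_EXPORT = """Log Name:      Security
Event ID:      4625
An account failed to log on.
Subject:
    Security ID:        NULL SID
Logon Type:    3
Account For Which Logon Failed:
    Security ID:        NULL SID
    Account Name:       svc-voicemail
    Account Domain:     CORP
Failure Information:
    Failure Reason:     Domain sid inconsistent.
    Status:             0xc000006d
    Sub Status:         0xc000019b
Network Information:
    Workstation Name:   laptop
Log Name:      Security
Event ID:      4625
Account For Which Logon Failed:
    Security ID:        S-1-5-21-1000-2000-3000-1105
    Account Name:       jdoe
    Account Domain:     CORP
Failure Information:
    Status:             0xc000006d
    Sub Status:         0xc000006a
"""

def parse_event_text(text):
    """Flatten one event into a dict. An unindented 'Header:' with no value opens
    a section; indented fields are keyed 'Section/Field', so the two 'Security ID'
    lines (Subject vs. failed account) stay distinct."""
    fields, section = {}, None
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # free text such as 'An account failed to log on.'
        indent, key, value = m.groups()
        if not indent and not value:
            section = key
        elif indent and section:
            fields[f"{section}/{key}"] = value
        else:
            fields[key], section = value, None  # top-level, e.g. 'Logon Type'
    return fields

def triage(fields):
    """Return the facts a responder needs from one parsed 4625 event."""
    failed = "Account For Which Logon Failed"
    sub = fields.get("Failure Information/Sub Status", "").lower()
    flags = []
    if fields.get(f"{failed}/Security ID") == "NULL SID":
        flags.append("null_sid_target")  # the name was never resolved to a SID
    if sub == "0xc000019b":
        flags.append("domain_sid_inconsistent")
    domain = fields.get(f"{failed}/Account Domain", "")
    name = fields.get(f"{failed}/Account Name", "")
    return {"event_id": fields.get("Event ID"), "account": f"{domain}\\{name}",
            "workstation": fields.get("Network Information/Workstation Name"),
            "sub_status": sub, "hint": SUB_STATUS_HINTS.get(sub, "unmapped"),
            "flags": flags}

def triage_export(log_text):
    # Each event in a text export starts with its own 'Log Name:' line.
    chunks = re.split(r"(?m)^(?=Log Name:)", log_text)
    return [triage(parse_event_text(c)) for c in chunks if c.strip()]
```

Feed a real export through triage_export and look at the flags: a NULL SID target together with sub-status 0xc000019b points at the machine or trust relationship, so password resets on the user account will not clear it.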

  • Cisco Security Manager Appliance bundle

    I have a customer subscribed to the Security ELA, so all security related licenses and subscriptions are free. Is it possible to order this product as an appliance without the bundled licenses?

    Yes, if we do get a UCS, it will be sized to accommodate more than just CSM due to the other stuff we could load it with, although now that Cisco VMs run under Hyper-V....?  We are also getting FS (their VM is not big enough, shame) in hope that appliance/product will absorb CSM in a future release.
    Thanks,

  • How to set UCS Locales using Radius/Tacacs+ Attributes

    I know how to set a remotely authenticated/authorized user's Role using the RADIUS av-pairs with UCS.
    What RADIUS attribute/av-pair syntax is needed to set the user's Locale within UCS?
    I have tried shell:roles="role@locales" and shell:locales="locale name" with no success.

    Something else to note:
    Configuring locales for the following user roles is not valid, as these are global-system users:
    - aaa
    - admin
    - operations
    Locales can be configured only with the following user roles:
    - Network
    - Server-equipment
    - Server-profile
    - Server-security
    - Storage

  • Browser and secured server communication

    I want to know how the browser communicates with a secured server.
    Please explain in detail with an example (if possible).
    Thanks in advance

    hi
    yes, nothing is returned from the browser
    "request from the browser" means:
    whenever you type, say, www.google.co.in in your browser,
    the following type of request will go to the proxy server; after getting the request, the proxy server will check the host address, connect to the webserver, get the response and send it back to the browser.
    for the google page the request is
    GET http://www.google.co.in/ HTTP/1.1
    Host: www.google.co.in
    Accept: text/html, application/vnd.wap.xhtml+xml, application/xhtml+xml, text/css, multipart/mixed, text/vnd.wap.wml, application/vnd.wap.wmlc, application/vnd.wap.wmlscriptc, application/java-archive, application/java, application/x-java-archive, text/vnd.sun.j2me.app-descriptor, application/vnd.met.ticket, application/x-wallet-appl.user-data-provision, application/vnd.oma.drm.message, application/vnd.oma.drm.content, application/vnd.wap.mms-message, application/vnd.wap.sic, text/x-co-desc, application/vnd.oma.dd+xml, */*
    Accept-Charset: iso-8859-1, utf-8, iso-10646-ucs-2; q=0.6
    Accept-Encoding: gzip,deflate,identity;q=0.9
    Accept-Language: en
    Cookie: PREF=ID=dc8dc6e63dab6e09:TM=1156324791:LM=1156324791:S=FgovcdMV93Mm4Li7
    Cookie2: $Version="1"
    User-Agent: Nokia6630/4.06.0 Series60/2.6 Profile/MIDP-2.0 Configuration/CLDC-1.1
    x-wap-profile: "http://nds1.nds.nokia.com/uaprof/N6630r100.xml"
    in the code you have given, the value of the host is "http:" only
