Network Security Configuration | Cisco Systems UCSCPCIEBTG, 57712

Configuring Network-Related Settings

Network Security Configuration

Network Security Configuration

Network Security

The CIMC uses IP blocking as network security. IP blocking prevents the connection between a server or website and certain IP addresses or ranges of addresses. IP blocking effectively bans undesired connections from those computers to a website, mail server, or other Internet servers.

IP banning is commonly used to protect against denial of service (DoS) attacks. CIMC bans IP addresses by setting up an IP blocking fail count.

Configuring Network Security

Configure network security if you want to set up an IP blocking fail count.

Before You Begin

You must log in as a user with admin privileges to configure network security.

Procedure

	Command or Action	Purpose
Step 1	Server# scope cimc	Enters the CIMC command mode.
Step 2	Server /cimc # scope network	Enters the CIMC network command mode.
Step 3	Server /cimc/network # scope	Enters the IP blocking command mode.
	ipblocking
Step 4	Server /cimc/network/ipblocking #	Enables or disables IP blocking.
	set enabled {yes no}
Step 5	Server /cimc/network/ipblocking #	Sets the number of times a user can attempt to log in
	set fail-count fail-count	unsuccessfully before the system locks that user out for
		a specified length of time.
		The number of unsuccessful login attempts must occur
		within the time frame specified in the IP Blocking Fail
		Window field.
		Enter an integer between 3 and 10.
Step 6	Server /cimc/network/ipblocking #	Sets the length of time, in seconds, in which the
	set fail-window fail-seconds	unsuccessful login attempts must occur in order for the
		user to be locked out.
		Enter an integer between 60 and 120.
Step 7	Server /cimc/network/ipblocking #	Sets the number of seconds the user remains locked out
	set penalty-time penalty-seconds	if they exceed the maximum number of login attempts
		within the specified time window.

	Cisco UCS C-Series Servers Integrated Management Controller CLI Configuration Guide, Release 1.5
80	OL-28893-01

Image 96

Cisco Systems UCSCPCIEBTG, 57712 manual Network Security Configuration, Configuring Network Security

Contents

Americas Headquarters First Published March 04Page N T E N T S Viewing Server Properties Viewing Server Sensors Managing User Accounts Creating a vNIC Configuring Communication Services Configuring Platform Event Filters Bios Parameters by Server Model Preface AudienceConventions This preface includes the following sections Default responses to system prompts are in square brackets StringString will include the quotation marks Indicates a comment line Feature Description Where Documented New and Changed Information for this Release Feature Description Related Cisco UCS Documentation Documentation Roadmaps Other Documentation Resources System UCS Documentation Roadmap Bundle Overview Overview of the Server SoftwareThis chapter includes the following sections Cisco Integrated Management Controller Cimc FirmwareServer OS Management Interfaces Command Modes Cimc CLI Overview Command Modes Mode Name Command to Access Mode Prompt Command to Access Mode Prompt Scope role-group command from Scope power-cap command fromScope sensor command from Scope trap-destinations command Complete a Command Command HistoryCommitting, Discarding, and Viewing Pending Commands Command Output Formats Online Help for the CLI OL-28893-01 Installing the Server OS OS Installation MethodsKVM Console PXE Installation Servers Installing an OS Using a PXE Installation ServerYou can use the KVM console to install an OS on the server Command or Action Purpose Step Enters chassis command modeManaging the Server Toggling the Locator LED Managing the Server Boot Order Server Boot OrderToggling the Locator LED for a Hard Drive Server /chassis/hdd # set locateHDD Configuring the Server Boot Order Server# scope bios Resetting the Server Viewing the Actual Server Boot OrderServer /bios # show actual-boot-order Detail Server# scope chassis Enters chassis mode Server /chassis # power shutdownShutting Down the Server Server# scope chassis Managing Server Power Powering On the ServerPowering Off the Server Power Cycling the Server Command or Action PurposeServer# scope chassis Enters chassis command mode Configuring Power Policies Viewing the Power StatisticsName Description Power Capping Policy Configuring the Power Cap PolicyNon-Compliance Action Server# scope power-cap Enters the power cap command modeServer /power-cap # set Enabled yes no Configuring the Power Restore Policy Power-off power-onRestore-last-state Delay-value delay Managing the Flexible Flash Controller Cisco Flexible FlashDual Card Management in the Cisco Flexible Flash Controller Action Description Configuring the Flexible Flash Controller Properties Scenario Behavior # set read-error-count-threshold # set write-error-count-threshold# set virtual-drives-enabled list # set raid-primary-member slot1 Booting from the Flexible Flash Server /bios # set boot-overrideNone SCU HV HUU Resetting the Flexible Flash Controller Permissible index value is FlexFlash-0 Default configuration Server /chassis/flexflash # commit Configuring Bios Settings Viewing Bios StatusBios Version Version string of the running Bios Secondary slot Configuring Main Bios Settings Boot OrderFor each Bios setting, see one the following topics Attempt to use Configuring Advanced Bios Settings On, you are prompted to choose whether to reboot nowConfigure the Bios settings Server /bios/advanced # Server /bios/main # set POSTErrorPause Enabled Configuring Server Management Bios Settings Command or ActionConfigure the Bios settings Server-management Restoring Bios Defaults Restoring Bios Manufacturing Custom DefaultsServer /bios # bios-setup-default Server /bios # restore-mfg-defaults Default valuesServer # scope bios Server /bios # restore-mfg-defaults OL-28893-01 Viewing Server Properties Viewing Server PropertiesServer# show chassis detail Displays server properties Viewing Cimc Properties Viewing CPU PropertiesServer# show cimc detail Displays Cimc properties Viewing Memory Properties This example displays Dimm summary information Viewing Power Supply Properties Viewing Storage PropertiesViewing Storage Adapter Properties Show psu detail Error-counters detail Hw-config detailSettings detail Server /chassis # show storageadapter Viewing the Flexible Flash Controller Properties Server /chassis # show flexflash detailOptional Displays the available Cisco Flexible Flash controllers Viewing Physical Drive Properties Viewing Virtual Drive Properties Virtual-drive drive-number detailVirtual-drive-count detail Virtual-drive drive-number Viewing Nvidia GPU Card Information Slot number of the GPU cardServer # scope chassis Viewing PCI Adapter Properties Viewing Network Related PropertiesViewing LOM Properties Server# scope cimc Server# scope cimc Network OL-28893-01 Viewing Power Supply Sensors Viewing Server SensorsServer# scope sensor Show psu-redundancy Viewing Temperature Sensors Server /sensor # show temperature detailViewing Fan Sensors Server /sensor # show psu-redundancy This example displays temperature sensor statistics Viewing Voltage SensorsPurpose Step Procedure Command or Action Purpose Step Viewing Current SensorsViewing Storage Sensors Status column LED Status column Current LED color, if any OL-28893-01 Managing Remote Presence Managing the Virtual KVMKVM Console Server /kvm # set enabled yes Enabling the Virtual KVMDisabling the Virtual KVM Server# scope kvm Configuring the Virtual KVM Set encrypted yesSet local-video yes Server /kvm # set max-sessions Configuring Virtual Media Set enabled yesServer# scope vmedia Configuring Network Mounted vMedia Mapping Command or Action Server # scope vmediaVolume-name remote-share Remote-file-path mount options Enters the virtual media command mode Viewing Network Mount vMedia Mapping PropertiesRemoving Network Mounted vMedia Mapping Server # scope vmedia Managing Serial over LAN Serial Over LAN Configuring Serial Over LAN Enters SoL command modeServer# scope sol Yes no Server console port. You can enter this command in any Command modeLaunching Serial Over LAN Server# connect host OL-28893-01 Configuring Local Users Managing User Accounts Configuring Active Directory Configuring the Active Directory ServerActive Directory Properties Value Role Configuring Active Directory in Cimc Server# scope ldap Configuring Active Directory Groups in Cimc Server# scope ldapServer /ldap *# set dc1 Server /ldap *# set gc1 Admin user readonly Set group-authScope role-group Viewing User Sessions Terminating a User Session Terminate Configuring Network-Related Settings Server NIC ConfigurationNIC Mode Server NICs Configuring Server NICs Server /cimc/network # set mode dedicatedNIC Redundancy Sharedlom Sharedlom10g shipping ciscocard Configuring Common Properties Redundancy noneActive-active Active-standby Configuring IPv4 Configuring the Server Vlan Optional Displays the IPv4 network settingsYou must be logged in as admin to configure the server Vlan Specifies the IP address of the secondary DNS Connecting to a Port Profile Set vlan-enabledSet vlan-priority Port profile must be defined on the switch to Displays the network settingsManagement interface, the virtual Ethernet, and the VIF on Supported adapter cards such as the Cisco UCS VIC1225 Network Security Configuration Configuring Network SecurityNetwork Security Network Time Protocol Configuration Configuring Network Time Protocol SettingsServer # scope cimc Yes Server /cimc/network/ntp* # commit Commits the transaction 10.120.33.4410.120.34.45 10.120.35.46 Managing Network Adapters Overview of the Cisco UCS C-Series Network Adapters Cisco UCS P81E Virtual Interface Card Cisco UCS VIC1225 Virtual Interface Card Configuring Network Adapter Properties Viewing Network Adapter PropertiesIndex detail Fip-mode disable enable Niv-mode disable enableConfigure-vmfex port-count Managing vHBAs Viewing vHBA Properties Host-fc-if fc0 fc1 name detailAll vHBAs Modifying vHBA Properties Error-detect-timeout msec Resource-allocation-timeout msecError-recovery # set fcp-error-recovery disable Enable Enters the interrupt command mode Set flogi-timeout msecInterrupt Interrupt-mode intx msi msix Enters the Fibre Channel port login command mode Set plogi-timeout msecPort-p-logi Server Creating a vHBA Host-fc-if name Deleting a vHBA Set channel-number numberServer /chassis/adapter # delete Server /chassis/adapter # commit VHBA Boot Table Viewing the Boot TableCreating a Boot Table Entry Show boot Deleting a Boot Table Entry Create-boot-entry wwpn lun-idServer /chassis # scope adapter Delete boot entry Take effect upon the next server resetVHBA Persistent Binding Locate the number of the entry to be deleted Set persistent-lun-binding enable Enabling Persistent BindingDisabling Persistent Binding Perbi Set persistent-lun-binding disable Rebuilding Persistent BindingScope perbi # rebuild Managing vNICs Guidelines for Managing vNICsViewing vNIC Properties Host-eth-if eth0 eth1 name detail Modifying vNIC Properties Host-eth-if eth0 eth1 nameUplink 0 Trust-host-cos disable enable Vlan-mode access trunkUplink-failover disable enable Channel-number number Uplink-failback-timeout seconds Scope interruptSet interrupt-count count Set coalescing-time usec Set tcp-segment-offload disable # set rq-count count# set rq-ring-size size Scope trans-queue Set tcp-rx-checksum-offload disable Set tcp-tx-checksum-offload disableSet tcp-large-receive-offload disable Set rss disable enable Set rss-hash-tcp-ipv6 disable Set rss-hash-ipv6-ex disable enableSet rss-hash-tcp-ipv6-ex disable Creating a vNIC Deleting a vNIC Host-eth-if name Configuring iSCSI Boot Capability RebootYou can configure a maximum of 2 iSCSI vNICs for each host This example deletes a vNIC on adapter Iscsi-boot index Dhcp-net-settings enabledDhcp-iscsi-settings enabled Eth0 eth1 name Delete iscsi-boot Managing VM FEXVirtual Machine Fabric Extender Viewing VM FEX Properties VM FEX Settings General Properties Settings Name DescriptionName Ethernet Interrupt Settings Name Description Completion Queue Settings Name Description TCP Offload Settings Name Description Receive Side Scaling Settings Name Managing Storage Adapters Create Virtual Drive from Unused Physical DrivesStorageadapter slot Create virtual-drive Create Virtual Drive from an Existing Drive Group Carve-virtual-driveWrite policy for the new virtual drive. Enter Appropriate information at each prompt Clearing Foreign Configuration Server /chassis # scope storageadapter500 MB Clear-foreign-config Deleting a Virtual Drive# delete-virtual-drive Cancel-initialization Initializing a Virtual DriveStart-initialization # get-operation-status Set as Boot Drive Set-boot-driveModifying Attributes of a Virtual Drive Server /chassis/storageadapter # scope Making a Dedicated Hot Spare Modify-attributesPolicy You are prompted to choose a virtual drive for Making a Global Hot Spare Preparing a Drive for RemovalServer /chassis/storageadapter/physical-drive # Make-global-hot-spare Removing a Drive from Hot Spare Pools Prepare-for-removal# remove-hot-spare Enabling Auto Learn Cycles for the Battery Backup Unit Enable-auto-learnUndo Preparing a Drive for Removal Undo-prepare-for-removal Disabling Auto Learn Cycles for the Battery Backup Unit Starting a Learn Cycle for a Battery Backup UnitDisable-auto-learn You must be logged in as an admin to use this command Toggling the Locator LED for a Physical Drive Start-learn-cyclePhysical-drive # locator-led on off Backing Up and Restoring the Adapter Configuration Exporting the Adapter ConfigurationViewing Storage Controller Logs Importing the Adapter Configuration This example exports the configuration of adapter Restoring Adapter Defaults Reboot the server to apply the imported configurationAdapter-reset-defaults index PCI slot number specified by the index Installing Adapter Firmware Managing Adapter FirmwareAdapter Firmware Or two specified adapters or, if no adapter is specified Resetting the Adapter Activating Adapter FirmwareServer /chassis # activate-adapter-fw Server/chassis # adapter-reset index Resetting the adapter also resetsThis example resets the adapter in PCI slot Host Configuring Communication Services Configuring HttpServer# scope http Server /http # set http-redirect yes Configuring SSH Set timeout secondsServer# scope ssh Set ssh-port number Configuring XML API XML API for CimcEnabling XML API Server# scope xmlapi Configuring Ipmi Configuring Ipmi over LANSet enabled Ipmi Over LAN Configuring Snmp Configuring Snmp PropertiesEncryption-key key Server# scope snmp Setcommunity-access Community-str communitySettrap-community-str Server /snmp # set sys-location Configuring Snmp Trap Settings Trap-destinations numberVersion 1 2 Type trap inform Configuring SNMPv3 Users Sending a Test Snmp Trap MessageTo send a test message Specified user number V3security-name security-name V3security-level noauthnoprivAuthnopriv authpriv MD5 SHA 142 Managing Certificates Managing the Server CertificateGenerating a Certificate Signing Request Enters the certificate command mode Server# scope certificateServer /certificate # generate-csr Signing request CSR Creating a Self-Signed Certificate Managing Certificates Creating a Self-Signed Certificate Openssl genrsa -out CAkeyfilename ExampleOpenssl req -new -x509 -days numdays Echo nsCertType = server openssl.conf Uploading a Server Certificate Server /certificate # uploadNew server certificate This example uploads a new certificate to the server Begin Certificate Configuring Platform Event Filters Server# scope faultPlatform-event-enabled yes Platform Event Filters Configuring Platform Event Filters Platform-event-enabled noDisabling Platform Event Alerts None reboot power-cycle Power-offPlatform Event Filter Configuring Platform Event Trap Settings Server /fault # scope pef-destinationsEnabled yes Interpreting Platform Event Traps Platform Event Trap DescriptionsEvent Number Note Platform Event Description Test Trap 154 Event Number Note 155 156 Cimc Firmware Management Overview of Firmware Obtaining Firmware from Cisco Center box, click Unified Computing and ServersClick the Unified Computing System UCS Server Firmware link Click Accept License Agreement Installing Cimc Firmware from a Remote Server Log in to the as a user with admin privileges Activating Installed Cimc Firmware Server /cimc/firmware # activate 1 Is specified, the server activates the currentlyInactive image Installing Bios Firmware from a Remote Server Current FW Version field Server # scope bios 163 164 Viewing the Faults and Logs Summary Scope faultShow fault-entries Viewing Logs Cimc Log Viewing the Cimc Log Configuring the Cimc Log Threshold Clearing the Cimc LogServer /cimc # scope log Server /cimc/log # clear Sending the Cimc Log to a Remote Server Local-syslog-severityRemote-syslog-severity level Error Informational Debug CriticalServer-ip ip-address System Event Log Viewing the System Event LogServer# scope sel Enters the system event log command mode Clearing the System Event LogServer# scope sel 172 Server Utilities Exporting Technical Support DataServer /cimc # scope tech-support Remote-ip ip-address Remote-password password Remote-protocol protocolRemote-username name Rebooting the Cimc Clearing the Bios CmosServer# scope bios Enters the bios command mode Provide the generated report file to Cisco TAC Recovering from a Corrupted Bios Scope biosRecover Resetting the Cimc to Factory Defaults This example shows how to recover from a corrupted BiosPower cycle or reset the server Exporting and Importing the Cimc Configuration Exporting and Importing the Cimc ConfigurationExporting the Cimc Configuration Server /cimc # scope import-export Importing a Cimc Configuration Server# scope cimc Enters the Cimc command modeServer /cimc/import-export # Generating Non maskable Interrupts to the Host 181 182 Bios Parameters by Server Model Main Bios Parameters for C22 and C24 ServersC22 and C24 Servers TPM Support Advanced Bios Parameters for C22 and C24 Servers Processor Configuration Parameters NameNumber of Enabled Cores Execute Disable Intel VT Intel VT-dIntel VT-d Coherency Support Intel VT-d ATS Support CPU Performance Hardware PrefetcherAdjacent Cache Line Prefetcher Direct Cache Access Support DCU Streamer PrefetchDCU IP Prefetcher Power Technology Processor Power State C6 Processor Power State C1 EnhancedIntel Turbo Boost Technology Frequency Floor Override State Coordination Energy Performance Memory Configuration Parameters Name Description Select Memory RASDram Clock Throttling Low Voltage DDR Mode Dram Refresh rateChannel Interleaving Rank Interleaving Patrol Scrub Demand ScrubAltitude QPI Configuration Parameters Name Description USB Configuration Parameters Name DescriptionOnboard Storage Parameters Name All USB Devices USB Port RearUSB Port Front USB Port Internal PCI Configuration Parameters Name Description Mmio Above 4GBAspm Support VGA Priority Console Redirection Terminal TypeBits per second Flow Control Putty KeyPad All Onboard LOM Ports LOM Port n OptionROMAll PCIe Slots OptionROM PCIe Slot n OptionROM Server Management Bios Parameters for C22 and C24 Servers FRB-2 TimerOS Watchdog Timer PCIe Slot n Link Speed OS Watchdog Timer Timeout OS Watchdog Timer Policy Boot Order Rules Main Bios Parameters for C220 and C240 Servers Advanced Bios Parameters for C220 and C240 ServersC220 and C240 Servers 204 Disabled -The processor does not support ATS Enabled -The processor uses VT-d ATS as required 206 207 Power consumption but may reduce system performance 209 210 211 212 213 214 USB Port SD Card Memory Mapped I/O Above 4GB4GB or greater address space Enables console redirection on COM port 0 during Post Enables console redirection on COM port 1 during PostOffboard -Priority is given to the Pcie Graphics adapter Introduced by a hidden terminal problem. This can be one None -No flow control is usedAllows you to change the action of the PuTTY function keys 218 Server Management Bios Parameters for C220 and C240 Servers PCIe Mezzanine OptionROMIf it hangs during POST. This can be one of the following Watchdog timer expires 5 minutes after the OS System removes that device type from the boot order Main Bios Parameters for C260 Servers Advanced Bios Parameters for C260 ServersProcessor Configuration Parameters Name Description C260 Servers Enhanced Intel Speedstep Technology Whether the processor uses Enhanced Intel SpeedStepIntel Hyper-Threading Technology Which allows multithreaded software applications to execute Intel Virtualization Technology Intel VT for Directed IOIntel VT-d Interrupt Remapping Direct Cache Access Processor C3 Report Processor C6 Report Package C State LimitCPU C State Numa Optimized Sparing Mode Mirroring ModeSparing Mirroring Serial Port Configuration Parameters Name Description Serial a EnableUSB Configuration Parameters Name Patrol Scrub Interval Onboard NIC n ROM PCIe OptionROMsPCIe Slot n ROM Onboard Gbit LOM Onboard 10Gbit LOM SriovIOH Resource Allocation Server Management Bios Parameters for C260 Servers Assert NMI on SerrAssert NMI on Perr OS Boot Watchdog Timer Timeout Baud Rate OS Boot Watchdog Policy OS Boot Watchdog TimerLegacy OS Redirection Main Bios Parameters for C420 Servers Advanced Bios Parameters for C420 ServersC420 Servers 236 237 238 239 240 241 242 243 244 245 Not detected by the Bios and operating system Enabled -Enables the SD card drives 247 Can be one of the following Allows you to change the action of the PuTTY function keys 250 Server Management Bios Parameters for C420 Servers 252 Main Bios Parameters for C460 Servers Advanced Bios Parameters for C460 ServersC460 Servers 254 255 Intel VT-d PassThrough DMA 257 258 259 260 261 262 Server Management Bios Parameters for C460 Servers 264 265 266 D E Installing from remote server 159 obtaining from Cisco Dedicated LDAP, See Active Directory local users IN-4 Yaml IN-6