Author: javirodz

    UCS B-Series Configuration using the UCS SDK and Python

    The Cisco UCS B-Series is a powerful system. I admit it has a bit of a learning curve, but in time I’ve learned to appreciate the way it works. The thing is, after a few deployments you wonder when the Cisco engineers are going to take usability into consideration. Luckily there is an SDK out there that you can get from GitHub here. If you need a refresher on GitHub, Atom and Python, check my previous post about it => GitHub and Atom. After cracking my head against Java for the ten millionth time (the UCS Manager GUI), I was able to put together a few lines of code that configure a UCS B-Series from an input file created in an Excel spreadsheet and saved as a .CSV:


    This example file is available as a gist: ucs-book.csv.

    The following example configures a UCS B-Series with 8 blades. It uses ports 3 and 4 on both Fabric Interconnects as network uplinks and bundles them into port channels 50 and 51.

    The system will have three VLANs:

    1. vMotion with id 50
    2. Management with id 51
    3. Production with id 200

    The script creates as many VLANs as you list in the ucs-book.csv file, but it will not assign them to any vNIC template by default. There is an option to omit iSCSI or FC with two boolean variables at the beginning of the script. Download it from GitHub => ucs-config

    To test all of this you could download the UCS Manager Emulator from Cisco and use Fusion to provision a new UCS B-Series. This is a basic and raw script: you would need to change the path to the .csv file, and I can’t guarantee that it will work on your system and of course I am not responsible for what happens to it. I would recommend using it in your development environment only until you become familiar with the SDK. Enjoy.

    #!python
    #import section
    import csv
    #UCS Connection Handle
    from ucsmsdk.ucshandle import UcsHandle
    #Create Organization
    from ucsmsdk.mometa.org.OrgOrg import OrgOrg
    #UUID Pool
    from ucsmsdk.mometa.uuidpool.UuidpoolPool import UuidpoolPool
    from ucsmsdk.mometa.uuidpool.UuidpoolBlock import UuidpoolBlock
    #VLAN
    from ucsmsdk.mometa.fabric.FabricVlan import FabricVlan
    #Sever Pool
    from ucsmsdk.mometa.compute.ComputePool import ComputePool
    from ucsmsdk.mometa.compute.ComputePooledSlot import ComputePooledSlot
    #Maintenance Policy
    from ucsmsdk.mometa.lsmaint.LsmaintMaintPolicy import LsmaintMaintPolicy
    #Power Policy
    from ucsmsdk.mometa.power.PowerPolicy import PowerPolicy
    #Create IP Pool
    from ucsmsdk.mometa.ippool.IppoolPool import IppoolPool
    from ucsmsdk.mometa.ippool.IppoolBlock import IppoolBlock
    #Create MAC Pool
    from ucsmsdk.mometa.macpool.MacpoolPool import MacpoolPool
    from ucsmsdk.mometa.macpool.MacpoolBlock import MacpoolBlock
    #Create Network Control Policy
    from ucsmsdk.mometa.nwctrl.NwctrlDefinition import NwctrlDefinition
    from ucsmsdk.mometa.dpsec.DpsecMac import DpsecMac
    #FC WWNN and WWPN Pools
    from ucsmsdk.mometa.fcpool.FcpoolInitiators import FcpoolInitiators
    from ucsmsdk.mometa.fcpool.FcpoolBlock import FcpoolBlock
    #Create vNIC Templates
    from ucsmsdk.mometa.vnic.VnicLanConnTempl import VnicLanConnTempl
    from ucsmsdk.mometa.vnic.VnicEtherIf import VnicEtherIf
    #Create Local Disk Conf Policy
    from ucsmsdk.mometa.storage.StorageLocalDiskConfigPolicy import StorageLocalDiskConfigPolicy
    #Create Boot Policy
    from ucsmsdk.mometa.lsboot.LsbootPolicy import LsbootPolicy
    from ucsmsdk.mometa.lsboot.LsbootVirtualMedia import LsbootVirtualMedia
    from ucsmsdk.mometa.lsboot.LsbootStorage import LsbootStorage
    from ucsmsdk.mometa.lsboot.LsbootLocalStorage import LsbootLocalStorage
    from ucsmsdk.mometa.lsboot.LsbootUsbFlashStorageImage import LsbootUsbFlashStorageImage
    #Create HBA Template
    from ucsmsdk.mometa.vnic.VnicSanConnTempl import VnicSanConnTempl
    from ucsmsdk.mometa.vnic.VnicFcIf import VnicFcIf
    #Configuring Uplink ports
    from ucsmsdk.mometa.fabric.FabricEthLanEp import FabricEthLanEp
    #Configure Port Channels
    from ucsmsdk.mometa.fabric.FabricEthLanPc import FabricEthLanPc
    from ucsmsdk.mometa.fabric.FabricEthLanPcEp import FabricEthLanPcEp
    #Create Service Profile Template
    from ucsmsdk.mometa.ls.LsServer import LsServer
    from ucsmsdk.mometa.ls.LsVConAssign import LsVConAssign
    from ucsmsdk.mometa.vnic.VnicEther import VnicEther
    from ucsmsdk.mometa.vnic.VnicFc import VnicFc
    from ucsmsdk.mometa.vnic.VnicFcIf import VnicFcIf
    from ucsmsdk.mometa.vnic.VnicFcNode import VnicFcNode
    from ucsmsdk.mometa.ls.LsRequirement import LsRequirement
    from ucsmsdk.mometa.ls.LsPower import LsPower
    from ucsmsdk.mometa.fabric.FabricVCon import FabricVCon
    
    #Are we having iSCSI to the Hosts?
    iSCSI = True
    #Are we having FC to the hosts?
    FC = False
    
    #Create the handle (emulator address; secure=False talks plain HTTP, use secure=True against a real fabric)
    handle = UcsHandle("192.168.67.148","admin","password",secure=False)
    #login into UCS manager (credentials are hard-coded here for the emulator only)
    handle.login()
    
    #reading variables from the ucs workbook (change this path to your own copy of ucs-book.csv)
    with open("/Users/javirodz/Documents/ucs-book.csv", "r") as my_file:
        my_csv_file = csv.reader(my_file)
        for row in my_csv_file:
            if row[0] == "Organization Name":
                my_Org = row[1]
                my_Full_Path_Org = "org-root/org-%s" % my_Org
            elif row[0] == "KVM Starting IP Address":
                my_kvm_pool_first = row[1]
            elif row[0] == "KVM Primary DNS IP Address":
                my_Primary_DNS = row[1]
            elif row[0] == "KVM Secondary DNS IP Address":
                my_Secondary_DNS = row[1]
            elif row[0] == "KVM Gateway":
                my_KVM_Gateway = row[1]
            elif row[0] == "KVM Ending IP Address":
                my_kvm_last_addr = row[1]
            elif row[0] == "Service Profile Template Name":
                my_SPT = row[1]
            elif row[0] == "Service Profile Name Seed":
                my_SP_Name = row[1]
            elif row[0] == "VLAN Name":
                #keep the whole row: index 0 is the header, the VLAN names start at index 1
                VLAN_Name = row
            elif row[0] == "VLAN ID":
                #same layout as VLAN_Name, so VLAN_ID[k] pairs with VLAN_Name[k]
                VLAN_ID = row
            else:
                #any row we do not recognise is ignored
                print("Bad Robot")
    
    #Create Sub Organization
    mo = OrgOrg(parent_mo_or_dn="org-root", name=my_Org, descr="Sub Organization")
    handle.add_mo(mo)
    handle.commit()
    
    #Create Production VLANs (one per column of the VLAN Name / VLAN ID rows)
    k = 1
    while k < len(VLAN_Name):
        mo = FabricVlan(parent_mo_or_dn="fabric/lan", sharing="none", name=VLAN_Name[k], id=VLAN_ID[k], mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
        handle.add_mo(mo)
        handle.commit()
        k = k+1
    
    #Create UUID Pool
    mo = UuidpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", prefix="derived", descr="UUID Pool", assignment_order="sequential", name="UUID_POOL")
    mo_1 = UuidpoolBlock(parent_mo_or_dn=mo, to="0001-000000000100", r_from="0001-000000000001")
    handle.add_mo(mo)
    handle.commit()
    
    #Create a Server Pool with the 8 blades of chassis 1
    mo = ComputePool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", name="Server_Pool", descr="Server Pool")
    mo_1 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="1", chassis_id="1")
    mo_2 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="2", chassis_id="1")
    mo_3 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="3", chassis_id="1")
    mo_4 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="4", chassis_id="1")
    mo_5 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="5", chassis_id="1")
    mo_6 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="6", chassis_id="1")
    mo_7 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="7", chassis_id="1")
    mo_8 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="8", chassis_id="1")
    handle.add_mo(mo)
    handle.commit()
    
    #Create Maintenance Policy
    mo = LsmaintMaintPolicy(parent_mo_or_dn=my_Full_Path_Org, uptime_disr="user-ack", name="User_Ack", descr="User Ack", trigger_config="on-next-boot", sched_name="", policy_owner="local")
    handle.add_mo(mo)
    handle.commit()
    
    #Create Power Policy
    mo = PowerPolicy(parent_mo_or_dn=my_Full_Path_Org, fan_speed="any", policy_owner="local", name="No_Cap", prio="no-cap", descr="No Cap")
    handle.add_mo(mo)
    handle.commit()
    
    #Create IP Pool
    mo = IppoolPool(parent_mo_or_dn=my_Full_Path_Org, is_net_bios_enabled="disabled", name="ext_mgmt", descr="KVM", policy_owner="local", ext_managed="internal", supports_dhcp="disabled", assignment_order="sequential")
    mo_1 = IppoolBlock(parent_mo_or_dn=mo, prim_dns=my_Primary_DNS, r_from=my_kvm_pool_first, def_gw=my_KVM_Gateway, sec_dns=my_Secondary_DNS, to=my_kvm_last_addr)
    handle.add_mo(mo)
    handle.commit()
    
    #Create MAC Pools
    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Management FI-A", assignment_order="sequential", name="MGMT-A")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A0:00:0F", r_from="00:25:B5:A0:00:00")
    handle.add_mo(mo)
    handle.commit()
    
    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Management FI-B", assignment_order="sequential", name="MGMT-B")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B0:00:0F", r_from="00:25:B5:B0:00:00")
    handle.add_mo(mo)
    handle.commit()
    
    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Production FI-A", assignment_order="sequential", name="VM-A")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A1:00:0F", r_from="00:25:B5:A1:00:00")
    handle.add_mo(mo)
    handle.commit()
    
    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Production FI-B", assignment_order="sequential", name="VM-B")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B1:00:0F", r_from="00:25:B5:B1:00:00")
    handle.add_mo(mo)
    handle.commit()
    
    if(iSCSI):
        mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="iSCSI FI-A", assignment_order="sequential", name="iSCSI-A")
        mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A2:00:0F", r_from="00:25:B5:A2:00:00")
        handle.add_mo(mo)
        handle.commit()
        mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="iSCSI FI-B", assignment_order="sequential", name="iSCSI-B")
        mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B3:00:0F", r_from="00:25:B5:B3:00:00")
        handle.add_mo(mo)
        handle.commit()
    #End Create MAC Pools
    
    #Create Network Control Policy
    mo = NwctrlDefinition(parent_mo_or_dn=my_Full_Path_Org, lldp_transmit="disabled", name="CDP_EN", lldp_receive="disabled", mac_register_mode="only-native-vlan", policy_owner="local", cdp="enabled", uplink_fail_action="link-down", descr="CDP Enable")
    mo_1 = DpsecMac(parent_mo_or_dn=mo, forge="allow", policy_owner="local", name="", descr="")
    handle.add_mo(mo)
    handle.commit()
    
    #FC WWNN and WWPN Pools (all three only make sense when FC is enabled)
    if(FC):
        mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWNN_Pool", policy_owner="local", descr="WWNN Pool", assignment_order="sequential", purpose="node-wwn-assignment")
        mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:00:00:25:B5:A0:00:FF", r_from="20:00:00:25:B5:A0:00:00")
        handle.add_mo(mo)
        handle.commit()

        mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWPN_Pool-A", policy_owner="local", descr="WWPN Pool FI-A", assignment_order="sequential", purpose="port-wwn-assignment")
        mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:01:00:25:B5:A0:00:0F", r_from="20:01:00:25:B5:A0:00:00")
        handle.add_mo(mo)
        handle.commit()

        mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWPN_Pool-B", policy_owner="local", descr="WWPN Pool FI-B", assignment_order="sequential", purpose="port-wwn-assignment")
        mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:01:00:25:B5:B0:00:0F", r_from="20:01:00:25:B5:B0:00:00")
        handle.add_mo(mo)
        handle.commit()
    
    #Create vNIC Templates
    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="MGMT-A", descr="Management FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="MGMT-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="Mgmt")
    mo_2 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="vMotion")
    handle.add_mo(mo)
    handle.commit()
    
    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="MGMT-B", descr="Management FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="MGMT-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="Mgmt")
    mo_2 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="vMotion")
    handle.add_mo(mo)
    handle.commit()
    
    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="VM-A", descr="Production FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="VM-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    #Depending on the VLANs that will pass to the NIC (the name must match a VLAN created from the workbook):
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="Production")
    handle.add_mo(mo)
    handle.commit()

    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="VM-B", descr="Production FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="VM-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    #Depending on the VLANs that will pass to the NIC:
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="Production")
    handle.add_mo(mo)
    handle.commit()
    
    if(iSCSI):
        #Create iSCSI-A VLAN on FI-A (ID 2550)
        mo = FabricVlan(parent_mo_or_dn="fabric/eth-estc/A", sharing="none", name="iSCSI-A", id="2550", mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
        handle.add_mo(mo)
        handle.commit()

        #Create iSCSI-B VLAN on FI-B (ID 2551)
        mo = FabricVlan(parent_mo_or_dn="fabric/eth-estc/B", sharing="none", name="iSCSI-B", id="2551", mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
        handle.add_mo(mo)
        handle.commit()

        #iSCSI vNIC templates, one per fabric, using the iSCSI MAC pools created above
        mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="iSCSI-A", descr="iSCSI FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="iSCSI-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
        mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="iSCSI-A")
        handle.add_mo(mo)
        handle.commit()

        mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="iSCSI-B", descr="iSCSI FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="iSCSI-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
        mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="iSCSI-B")
        handle.add_mo(mo)
        handle.commit()
    
    #Create Local Disk Conf Policy (any-configuration)
    mo = StorageLocalDiskConfigPolicy(parent_mo_or_dn=my_Full_Path_Org, protect_config="yes", name="Local_Disk_CP", descr="Local Disk Configuration Policy Desc", flex_flash_raid_reporting_state="enable", flex_flash_state="enable", policy_owner="local", mode="any-configuration")
    handle.add_mo(mo)
    handle.commit()
    
    #Create Boot Policy (boot from SD)
    mo = LsbootPolicy(parent_mo_or_dn=my_Full_Path_Org, name="Boot_Policy", descr="Boot Policy Desc", reboot_on_update="no", policy_owner="local", enforce_vnic_name="yes", boot_mode="legacy")
    mo_1 = LsbootVirtualMedia(parent_mo_or_dn=mo, access="read-write-drive", lun_id="0", mapping_name="", order="2")
    mo_2 = LsbootStorage(parent_mo_or_dn=mo, order="1")
    mo_2_1 = LsbootLocalStorage(parent_mo_or_dn=mo_2)
    mo_2_1_1 = LsbootUsbFlashStorageImage(parent_mo_or_dn=mo_2_1, order="1")
    handle.add_mo(mo)
    handle.commit()
    
    #Create HBA Template
    if(FC):
        mo = VnicSanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="fc-a", descr="", stats_policy_name="default", switch_id="A", pin_to_group_name="", policy_owner="local", qos_policy_name="", ident_pool_name="WWPN_Pool-A", max_data_field_size="2048")
        mo_1 = VnicFcIf(parent_mo_or_dn=mo, name="default")
        handle.add_mo(mo)
        handle.commit()

        mo = VnicSanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="fc-b", descr="", stats_policy_name="default", switch_id="B", pin_to_group_name="", policy_owner="local", qos_policy_name="", ident_pool_name="WWPN_Pool-B", max_data_field_size="2048")
        mo_1 = VnicFcIf(parent_mo_or_dn=mo, name="default")
        handle.add_mo(mo)
        handle.commit()
    
    #Configuring Uplink ports
    #FI-A Port-3
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/A", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="3")
    handle.add_mo(mo)
    handle.commit()
    #FI-A Port-4
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/A", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()
    #FI-B Port-3
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/B", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="3")
    handle.add_mo(mo)
    handle.commit()
    #FI-B Port-4
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/B", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()
    #Configure Port Channels
    #PC-50 with FI-A P3 and FI-A P4
    mo = FabricEthLanPc(parent_mo_or_dn="fabric/lan/A", name="PC-50", descr="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", admin_state="enabled", oper_speed="10gbps", port_id="50", lacp_policy_name="default")
    mo_1 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="3")
    mo_2 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()
    #PC-51 with FI-B P3 and FI-B P4
    mo = FabricEthLanPc(parent_mo_or_dn="fabric/lan/B", name="PC-51", descr="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", admin_state="enabled", oper_speed="10gbps", port_id="51", lacp_policy_name="default")
    mo_1 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="3")
    mo_2 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()
    
    #Create Service Profile Template
    if (FC and not iSCSI):
     #the template lives in the sub-organization read from the workbook
     mo = LsServer(parent_mo_or_dn=my_Full_Path_Org, vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Description", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext-mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="initial-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="default", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
     mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
     mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
     mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
     mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
     mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="fc", vnic_name="fc-a")
     mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="fc", vnic_name="fc-b")
     mo_7 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
     mo_8 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
     mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
     mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
     mo_11 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", pers_bind="disabled", order="5", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-a", name="fc-a")
     mo_11_1 = VnicFcIf(parent_mo_or_dn=mo_11, name="")
     mo_12 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", pers_bind="disabled", order="6", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-b", name="fc-b")
     mo_12_1 = VnicFcIf(parent_mo_or_dn=mo_12, name="")
     mo_13 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="WWNN_Pool", addr="pool-derived")
     mo_14 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
     mo_15 = LsPower(parent_mo_or_dn=mo, state="admin-up")
     mo_16 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
     mo_17 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
     mo_18 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
     mo_19 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
     handle.add_mo(mo)
     handle.commit()
    
    if(iSCSI and not FC):
     mo = LsServer(parent_mo_or_dn=my_Full_Path_Org, vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Desc", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext-mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="updating-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="default", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
     mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
     mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
     mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
     mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
     mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="ethernet", vnic_name="iSCSI-A")
     mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="ethernet", vnic_name="iSCSI-B")
     mo_7 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
     mo_8 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
     mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
     mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
     mo_11 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="iSCSI-A", order="5", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-A", addr="derived")
     mo_12 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="iSCSI-B", order="6", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-B", addr="derived")
     mo_13 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="node-default", addr="pool-derived")
     mo_14 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
     mo_15 = LsPower(parent_mo_or_dn=mo, state="admin-up")
     mo_16 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
     mo_17 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
     mo_18 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
     mo_19 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
     handle.add_mo(mo)
     handle.commit()
    
    if(iSCSI and FC):
     mo = LsServer(parent_mo_or_dn=my_Full_Path_Org, vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Description", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext-mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="updating-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="default", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
     mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
     mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
     mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
     mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
     mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="ethernet", vnic_name="iSCSI-A")
     mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="ethernet", vnic_name="iSCSI-B")
     mo_7 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="7", transport="fc", vnic_name="fc-a")
     mo_8 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="8", transport="fc", vnic_name="fc-b")
     mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
     mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
     mo_11 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
     mo_12 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
     mo_13 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="iSCSI-A", order="5", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-A", addr="derived")
     mo_14 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="iSCSI-B", order="6", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-B", addr="derived")
     mo_15 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", pers_bind="disabled", order="7", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-a", name="fc-a")
     mo_15_1 = VnicFcIf(parent_mo_or_dn=mo_15, name="")
     mo_16 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", pers_bind="disabled", order="8", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-b", name="fc-b")
     mo_16_1 = VnicFcIf(parent_mo_or_dn=mo_16, name="")
     mo_17 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="WWNN_Pool", addr="pool-derived")
     mo_18 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
     mo_19 = LsPower(parent_mo_or_dn=mo, state="admin-up")
     mo_20 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
     mo_21 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
     mo_22 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
     mo_23 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
     handle.add_mo(mo)
     handle.commit()
    
    # Logout after script is executed
    handle.logout()
    my_file.close()

    By the way, there is another script, “clean-ucs.py”, that undoes whatever the configuration script does, in case you need to go back and forth with it.

  • CCNA Cyber Ops – 2.0 Security Concepts

    CCNA Cyber Ops – 2.0 Security Concepts

    This is part two of a series of posts about the CCNA Cyber Ops certification; you can find the first part here. In this post we summarize the basic security concepts needed to understand and become competent with this topic.

    2.0 Security Concepts

    2.1 Describe the principles of the defense in depth strategy: Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense in depth can be divided into three areas: Physical, Technical, and Administrative.

    Physical controls are anything that physically limits or prevents access to IT systems: fences, guards, dogs, and CCTV systems, for example.

    Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, fingerprint readers, and Windows Active Directory. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.

    Administrative controls are an organization’s policies and procedures. Their purpose is to ensure that there is proper guidance available in regards to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.

    2.2 Compare and contrast these concepts

    • 2.2.a Risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.
      • Risk = Likelihood * Impact
    • 2.2.b Threat: In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm.
    • 2.2.c Vulnerability: In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
    • 2.2.d Exploit: An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause an unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

    2.3 Describe these terms

    • 2.3.a Threat actor: A threat actor, or malicious actor, is a person or entity that is responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity. Most often, the term is used to describe the individuals and groups that perform malicious acts against organizations of various types and sizes. From a threat intelligence perspective, threat actors are often categorized as unintentional or intentional and external or internal.
    • 2.3.b Run book automation (RBA): Runbook automation (RBA) is the ability to define, build, orchestrate, manage, and report on workflows that support system and network operational processes. A runbook workflow can potentially interact with all types of infrastructure elements, such as applications, databases, and hardware.
    • 2.3.c Chain of custody (evidentiary): Chain of custody (CoC), in legal contexts, refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It is essential that any item of evidence can be traced from the crime scene to the courtroom, and everywhere in between. This is known as maintaining the ‘chain of custody’ or ‘continuity of evidence’. You must be able to prove that a particular piece of evidence was at a particular place, at a particular time, and in a particular condition. This applies to the physical hardware as well as to the information retrieved from it, which is why acquired images are hashed at collection time so their integrity can be demonstrated later. If the chain of custody is broken, the forensic investigation may be fatally compromised; this is where proper management of the evidence matters.
    • 2.3.d Reverse engineering: Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance it. The practice, taken from older industries, is now frequently used on computer hardware and software. Software reverse engineering works backwards from a program’s machine code (the binary instructions executed by the processor) to a higher-level representation such as a disassembly or decompiled pseudo-source; the original source code is normally not recoverable, and in malware analysis the goal is to understand the program’s behavior rather than to rebuild it.
    • 2.3.e Sliding window anomaly detection: A traffic profile is based on connection data collected over a time span that you specify. The time span used to collect the data that builds your traffic profile is called the profiling time window (PTW). The PTW is a sliding window; that is, if your PTW is one week (the default), your traffic profile includes connection data collected over the last week. You can change the PTW to be as short as an hour or as long as several weeks. After you create a traffic profile, you can detect abnormal network traffic by evaluating new traffic against your profile, which presumably represents normal network traffic; the baseline period therefore has to be clean, or the profile learns the attacker’s traffic as normal.
    • 2.3.f PII: Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
    • 2.3.g PHI: Protected health information (PHI) under US law is any information about health status, provision of healthcare, or payment for health care that is created or collected by a “Covered Entity” (or a Business Associate of a Covered Entity), and can be linked to a specific individual.
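    A minimal version of the sliding-window idea from 2.3.e, as an added example that is not from the post or from any Cisco product: the profile is the most recent N intervals of per-interval connection counts, and a new interval is flagged when it falls more than k standard deviations from the window mean. Window length, threshold and the per-day counts are constructed for illustration.

```python
"""Sliding-window traffic anomaly detection (added example, not from the post).

The profile is the most recent `window` intervals of per-interval connection
counts; a new interval is anomalous when it deviates from the window mean by
more than `k` standard deviations. Window size, threshold and the sample
counts below are constructed for illustration.
"""
from collections import deque
from statistics import mean, pstdev


class SlidingWindowProfile:
    def __init__(self, window=7, k=3.0, min_samples=5):
        self.window = deque(maxlen=window)  # the profiling time window
        self.k = k                           # z-score threshold
        self.min_samples = min_samples       # no verdict until this many intervals are in the profile

    def observe(self, count):
        """Score one new interval against the profile, then slide the window.

        Returns (is_anomalous, z_score). Intervals seen while the profile is
        still warming up are accepted into the baseline unscored.
        """
        anomalous, z = False, 0.0
        if len(self.window) >= self.min_samples:
            mu = mean(self.window)
            # floor the deviation at 1.0 so a perfectly flat baseline neither
            # divides by zero nor flags a change of a single connection
            sigma = max(pstdev(self.window), 1.0)
            z = (count - mu) / sigma
            anomalous = abs(z) > self.k
        # Flagged intervals are kept out of the profile so that a burst of
        # anomalous traffic cannot pull the baseline towards itself.
        if not anomalous:
            self.window.append(count)
        return anomalous, z


def detect(counts, window=7, k=3.0, min_samples=5):
    """Return (index, count, z) for every anomalous interval in `counts`."""
    profile = SlidingWindowProfile(window, k, min_samples)
    alerts = []
    for i, c in enumerate(counts):
        anomalous, z = profile.observe(c)
        if anomalous:
            alerts.append((i, c, round(z, 1)))
    return alerts


# Constructed sample: daily outbound connection counts for one host. Index 8
# is a 9800-connection burst against a baseline of roughly 1200 per day.
SAMPLE_COUNTS = [1200, 1150, 1300, 1250, 1180, 1220, 1270, 1240, 9800, 1210]

if __name__ == "__main__":
    for idx, count, z in detect(SAMPLE_COUNTS):
        print(f"interval {idx}: {count} connections, z={z}")
```

    Excluding flagged intervals from the window is the design choice worth noticing: a profile that absorbs its own alerts drifts towards the anomaly and stops alerting on it.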

    2.4 Describe these security terms

    • 2.4.a Principle of least privilege: In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
    • 2.4.b Risk scoring/risk weighting: First, gather information about the threat agent involved, the attack that will be used, the vulnerability involved, and the impact of a successful exploit on the business. Then assign a score or weight to the risk; this value is used in the risk assessment.
    • 2.4.c Risk reduction: The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
    • 2.4.d Risk assessment: Risk assessment is the process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to prioritize risks and establish a most-to-least-critical importance ranking. Ranking risks in terms of their criticality or importance gives management insight into where resources may be needed to manage or mitigate the realization of high probability/high consequence risk events.

    2.5 Compare and contrast these access control models: Access control is basically identifying a person doing a specific job, authenticating them by looking at their identification, then giving that person only the key to the door or computer that they need access to and nothing more. In the world of information security, one would look at this as granting an individual permission to get onto a network via a username and password, allowing them access to files, computers, or other hardware or software the person requires, and ensuring they have the right level of permission (i.e. read only) to do their job.

    • 2.5.a Discretionary access control: this access control model is based on the owner’s discretion. The owner of a resource can give other users access rights to that resource at their discretion (file permissions on a typical Unix or Windows system are the everyday example).
    • 2.5.b Mandatory access control: In this Model, users/owners do not enjoy the privilege of deciding who can access their files. In this model, the operating system is the decision maker overriding the user’s wishes. Every Subject (users) and Object (resources) are classified and assigned a security label. The security labels of the subject and the object along with the security policy determine if the subject can access the object. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.
    • 2.5.d Nondiscretionary access control: The Role Based Access Control (RBAC) model provides access control based on the subject’s role in the organization. So, instead of assigning John permissions as a security manager, the position of security manager already has permissions assigned to it.
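    The three models side by side, as an added example that is not from the post: DAC lets the owner of a resource hand out rights, MAC compares mandatory security labels (level plus compartments) and ignores the owner’s wishes, and RBAC attaches permissions to roles rather than to people. Level names, compartments, users and roles are constructed for illustration.

```python
"""DAC, MAC and RBAC in a few dozen lines (added example, not from the post).

Level names, compartments, users and roles are constructed for illustration.
"""
from dataclasses import dataclass

LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


@dataclass(frozen=True)
class Label:
    level: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """A dominates B when A's level is at least B's and A holds every compartment of B."""
        return LEVELS[self.level] >= LEVELS[other.level] and other.compartments <= self.compartments


def mac_can_read(subject, obj):
    # "no read up": the subject's clearance must dominate the object's classification
    return subject.dominates(obj)


def mac_can_write(subject, obj):
    # "no write down": the object's classification must dominate the subject's clearance,
    # so a secret process cannot leak into a confidential file
    return obj.dominates(subject)


class DacResource:
    """Owner-controlled ACL: only the owner (or someone granted 'grant') delegates access."""

    def __init__(self, owner):
        self.owner = owner
        self.acl = {owner: {"read", "write", "grant"}}

    def grant(self, granter, grantee, perm):
        if "grant" not in self.acl.get(granter, set()):
            raise PermissionError(f"{granter} may not grant access")
        self.acl.setdefault(grantee, set()).add(perm)

    def allows(self, user, perm):
        return perm in self.acl.get(user, set())


class Rbac:
    """Permissions hang off roles; users only ever receive roles."""

    def __init__(self):
        self.role_perms = {}
        self.user_roles = {}

    def define_role(self, role, perms):
        self.role_perms[role] = set(perms)

    def assign(self, user, role):
        if role not in self.role_perms:
            raise KeyError(f"undefined role {role}")
        self.user_roles.setdefault(user, set()).add(role)

    def revoke(self, user, role):
        self.user_roles.get(user, set()).discard(role)

    def allows(self, user, perm):
        return any(perm in self.role_perms[r] for r in self.user_roles.get(user, ()))


if __name__ == "__main__":
    analyst = Label("secret", frozenset({"nato"}))
    print(mac_can_read(analyst, Label("confidential")))                      # read down is allowed
    print(mac_can_read(analyst, Label("secret", frozenset({"crypto"}))))    # missing compartment
```

    The contrast is in who decides: in DacResource the owner can widen access to anyone, in the MAC functions nobody but the label policy decides, and in Rbac changing John’s job means swapping his role rather than editing his permissions one by one.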

    2.6 Compare and contrast these terms

    • 2.6.a Network and host antivirus: A network antivirus inspects traffic at a network chokepoint (a firewall, proxy, or mail gateway) and blocks malicious content before it reaches the endpoints, so it cannot see what arrives encrypted or by other routes such as removable media. A host antivirus is software on the endpoint used to prevent, detect and remove malicious software once it has reached that system.
    • 2.6.b Agentless and agent-based protections: Agentless monitoring is deployed in one of two ways: using a remote API exposed by the platform or service being monitored, or directly analyzing the network packets flowing between service components. In either case no agent has to be deployed. Agent-based protection requires installing a software agent on the monitored endpoint. Agents carry the cost of installation, configuration (proportionate to the number of managed elements), platform support needs and dependencies, and the agents themselves need patching; in exchange they see host-level activity (processes, files, memory) that is invisible from the network.
    • 2.6.c Security Information and Event Management (SIEM) and Log Collection: SIEM provides real-time analysis of security alerts generated by network hardware and applications. In log collection, the events from the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls are saved to a location for further analysis.
    • 2.6.d Log management (LM): comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.). Log Management generally covers:
      • Log collection
      • Centralized log aggregation
      • Long-term log storage and retention
      • Log rotation
      • Log analysis (in real-time and in bulk after storage)
      • Log search and reporting.

    2.7 Describe these concepts

    • 2.7.a Asset management (ITAM): It is the set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. Assets include all elements of software and hardware that are found in the business environment.
    • 2.7.b Configuration management: It is a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. Attackers are looking for systems that have default settings that are immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why Security Configuration Management (SCM) is so important. SCM can not only identify misconfigurations that make your systems vulnerable but also identify “unusual” changes to critical files or registry keys.
    • 2.7.c Mobile device management: Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. Mobile Device Management (MDM) servers secure, monitor, manage and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers consist of a policy server that controls the use of some applications on a mobile device (for example, an e-mail application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on ACLs, SGTs, etc. To do its job, Cisco ISE queries the MDM servers for the necessary device attributes to ensure it is then able to provide network access control for those devices.
    • 2.7.d Patch management: A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Patch management is a strategy for managing patches or upgrades for software applications and technologies. A patch management plan can help a business or organization handle these changes efficiently. (Patch Management Example for Windows)
    • 2.7.e Vulnerability management: In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability management is the “cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”, especially in software and firmware. Vulnerability management is integral to computer security and network security.

    Glossary of Cyber Security terms here

    These are the remaining topics:

    • Cryptography
    • Host-Based Analysis
    • Security Monitoring
    • Attack Methods
  • CCNA Cyber Ops Certification

    CCNA Cyber Ops Certification

    From www.cisco.com:

    “The CCNA Cyber Ops certification prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.”

    You should see the chaos out there, both at the personal security level and at the enterprise level. I am surprised that hackers don’t do more damage, well maybe they do and we don’t know about it.

    My CCNA Datacenter is close to its renewal date, so I think it is a good idea to work on this certification because Cisco will renew my Datacenter when I achieve this one. There will be a couple of nice books to study for sale on Amazon, but let’s make it fun and create a study guide. You can find the blueprints for these two tests here: Understanding Cisco Cybersecurity Fundamentals (210-250) and here: Implementing Cisco Cybersecurity Operations (210-255).

    I warn you, I will not write anything for this one; I will just point to the location of the useless knowledge. Think of this page as your central command on where to find the information you need to study; in other words, I saved you the time to google it.

    1.0 Network Concepts

    1.1 Describe the function of the network layers as specified by the OSI and the TCP/IP network models.

    1.2 Describe the operation of the following

    1.2.a From Cisco: IP From Wikipedia: IP
    1.2.b From Cisco: TCP From Wikipedia: TCP
    1.2.c UDP
    1.2.d ICMP

    1.3 Describe the operation of these network services

    1.3.a From Cisco: ARP From Wikipedia: ARP
    1.3.b From Cisco: DNS From Wikipedia: DNS
    1.3.c DHCP

    1.4 Describe the basic operation of these network device types

    1.4.a From Cisco: Router From Wikipedia: Router
    1.4.b From Cisco: Switch From Wikipedia: Switch
    1.4.c Hub
    1.4.d Bridge
    1.4.e Wireless access point (WAP)
    1.4.f Wireless LAN controller (WLC)

    1.5 Describe the functions of these network security systems as deployed on the host, network, or the cloud:

    1.5.a Firewall: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
    1.5.b Cisco Intrusion Prevention System (IPS): An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations and raises alerts; an intrusion prevention system (IPS) performs the same inspection but sits inline in the traffic path, so it can drop or block the offending packets as well as alert. (Generic IPS)
    1.5.c Cisco Advanced Malware Protection (AMP): Malware, short for “malicious software,” refers to a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways. Malware can infect computers and devices in several ways and comes in a number of forms, just a few of which include viruses, worms, Trojans, spyware, or any type of malicious code that infiltrates a computer. To find more information about Cisco AMP click here. Cisco AMP is next-generation endpoint security software that prevents breaches and continuously monitors all file behavior to uncover stealthy attacks, so that advanced malware can be detected, blocked, and remediated across all endpoints.
    1.5.d Web Security Appliance (WSA): A security appliance is any form of server appliance designed to protect computer networks from unwanted traffic; the WSA is Cisco’s on-premises web proxy. Cisco Cloud Web Security (CWS) is the cloud-delivered counterpart: a web proxy that provides security and control for the distributed enterprise across one of the top attack vectors, the web. Users are protected on any device and in any location through Cisco worldwide threat intelligence and advanced threat defense capabilities.
    1.5.e Email Security Appliance (ESA): Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing. Cisco Cloud Email Security (CES)

    1.6 Describe IP subnets and communication within an IP subnet and between IP subnets

    1.7 Describe the relationship between VLANs and data visibility: When properly configured, VLAN segmentation severely hinders access to system attack surfaces. It reduces packet-sniffing capabilities and increases the effort required of a threat agent. Finally, authorized users only “see” the servers and other devices necessary to perform their daily tasks. Keep in mind that a VLAN limits what a host can see at layer 2; anything reachable through inter-VLAN routing still needs an ACL or firewall policy to restrict it. (See an example of data visibility from the security point of view here)

    1.8 Describe the operation of ACLs applied as packet filters on the interfaces of network devices: Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces. An ACL is applied to an interface in one direction (inbound or outbound), its entries are evaluated top down with the first match winning, and a packet that matches no entry hits the implicit deny at the end of the list.

    1.9 Compare and contrast deep packet inspection, packet filtering and stateful firewall operation. Deep packet inspection (DPI) provides the ability to look into the packet past the basic header information; DPI determines the contents of a particular packet and then either records that information for statistical purposes or performs an action on the packet. Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports, with no memory of previous packets. A stateful firewall tracks the operating state and characteristics of the network connections traversing it; it is configured to distinguish legitimate packets for different types of connections, and only packets matching a known active connection (or opening a new one that the policy allows) are allowed to pass.

    1.10 Compare and contrast inline traffic interrogation, taps and traffic mirroring. An inline tool passes live traffic directly through itself to process it before it is forwarded on to its final destination, so it can block traffic but also becomes a point of failure. A network TAP is a simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis, security, or general network management. Traffic mirroring (SPAN, Switch Port ANalyzer) is a software function of a switch or router that duplicates traffic from incoming or outgoing ports and forwards the copied traffic to a special SPAN, or mirror, port; unlike a TAP it competes for the switch’s resources and can drop copies when oversubscribed.

    1.11 Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic. (IEEE paper on NetFlow)

    1.12 Identify potential data loss from provided traffic profiles: an inline tool, such as an Intrusion Prevention System (IPS), can drop or even add packets in the production network. Since it is running as an inline application, a tool failure could be devastating and bring down the entire system.

    Note: Not sure if “Data Loss” means the potential problems with the monitoring or the data lost to unauthorized users. The following paragraph was taken from the Cisco Cloud Security 1.0 Design Guide, chapter “End-To-End Visibility”.

    Detecting Data Loss
    Data loss describes the loss of critical business data to unauthorized users. Data loss typically involves a data breach and back end transmission of sensitive data such as credit-card data, patient or financial information. Detecting data loss is imperative for implementing security controls for various compliance regimes such as PCI DSS and HIPAA. However, data loss incidents are unintentionally undetectable.

    Data loss incidents normally involve asymmetrical outbound flows, in which outbound flows significantly outweigh a few inbound packets. Cisco CTD can trigger data loss alarms on such conditions. NetFlow generated flows contain flow direction, so Cisco CTD can leverage NetFlow generated flows and trigger data loss alarms on asymmetrical flows. Data loss events can be viewed using the data loss pane of the Cyber Threats Dashboard, as shown in Figure 4-13.

    Figure 4-13 Detected Data Loss

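    The asymmetric-flow heuristic from the design guide, as an added example that is not from the post or from Cisco: NetFlow records are unidirectional, so the two directions of each inside-to-outside conversation are paired first, and a conversation is reported when the inside host sends far more than it receives. Network ranges, thresholds and the sample records are constructed for illustration.

```python
"""Flag asymmetric outbound conversations in NetFlow-style records.

Added example, not from the post or the Cisco design guide. Records are
unidirectional, so both directions are paired into one conversation keyed by
the inside host; a conversation is reported when it is large and heavily
outbound. Networks, thresholds and the sample export are constructed.
"""
import csv
import io
import ipaddress
from collections import defaultdict

# constructed: what counts as "inside" (RFC 1918 space)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# constructed sample export, one unidirectional flow per line (proto 6 = TCP)
SAMPLE_FLOWS = """\
src,sport,dst,dport,proto,bytes,packets
10.0.0.5,51922,203.0.113.9,443,6,850000000,620000
203.0.113.9,443,10.0.0.5,51922,6,41000,900
10.0.0.7,49300,198.51.100.3,443,6,61000,700
198.51.100.3,443,10.0.0.7,49300,6,4200000,3100
10.0.0.9,60010,10.0.0.50,445,6,300000000,210000
10.0.0.50,445,10.0.0.9,60010,6,52000,1100
"""


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def pair_flows(rows):
    """Merge unidirectional records into inside->outside conversations.

    Key: (inside ip, inside port, outside ip, outside port, proto). Traffic
    that never crosses the perimeter (inside<->inside) is ignored.
    """
    convs = defaultdict(lambda: {"out_bytes": 0, "in_bytes": 0, "out_pkts": 0, "in_pkts": 0})
    for r in rows:
        src_in, dst_in = is_internal(r["src"]), is_internal(r["dst"])
        if src_in == dst_in:
            continue
        if src_in:  # inside -> outside: outbound direction
            key = (r["src"], r["sport"], r["dst"], r["dport"], r["proto"])
            convs[key]["out_bytes"] += int(r["bytes"])
            convs[key]["out_pkts"] += int(r["packets"])
        else:       # outside -> inside: return direction
            key = (r["dst"], r["dport"], r["src"], r["sport"], r["proto"])
            convs[key]["in_bytes"] += int(r["bytes"])
            convs[key]["in_pkts"] += int(r["packets"])
    return convs


def detect_data_loss(flow_csv, min_out_bytes=100_000_000, min_ratio=20.0):
    """Return alerts for conversations that are both large and heavily outbound.

    min_out_bytes keeps small asymmetric flows (DNS, keepalives) quiet;
    min_ratio is outbound/inbound bytes. Both thresholds are constructed.
    """
    rows = csv.DictReader(io.StringIO(flow_csv))
    alerts = []
    for (inside, iport, outside, oport, proto), c in pair_flows(rows).items():
        if c["out_bytes"] < min_out_bytes:
            continue
        ratio = c["out_bytes"] / max(c["in_bytes"], 1)  # one-way flows have in_bytes 0
        if ratio >= min_ratio:
            alerts.append({"inside": inside, "outside": outside, "dport": int(oport),
                           "out_bytes": c["out_bytes"], "in_bytes": c["in_bytes"],
                           "ratio": round(ratio, 1)})
    return alerts


if __name__ == "__main__":
    for a in detect_data_loss(SAMPLE_FLOWS):
        print(a)
```

    Only the first conversation is reported: the browsing session to 198.51.100.3 is inbound-heavy, and the large transfer to 10.0.0.50 never leaves the inside networks. Legitimate backups or uploads to cloud storage look the same on the wire, so in practice the alert is joined with an allow-list of known destinations rather than acted on alone.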

    Now that we’ve covered the basics, in future posts I will write about the remaining topics:

  • What’s New: vSphere 6.5

    What’s New: vSphere 6.5

    We have an announcement from VMware about vSphere 6.5. I will check this on VMware’s Hands-on Labs (labs.hol.vmware.com) and try to synthesize it here. These labs are a sleek way to experience VMware products without the hassle of setting up everything in your personal lab.

    vCenter Server Appliance Native Protection

    This is one of the most awaited vCenter features. The previous method required manual re-configuration and/or a load balancer; the new way seems to simplify this by creating an HA cluster of vCenter Server Appliance nodes.


    Another neat improvement is the new HTML5-based vSphere Client, which removes the dependency on Flash and on having a Windows VM handy to run the vSphere C# client (in 6.5 the Flash-based Web Client is still there for the features the HTML5 client does not yet cover). I am not sure I would ever stop using it, I am an old UNIX engineer that uses df -k instead of -h.

    The VUM (VMware Update Manager) is integrated with the vCenter Server Appliance, again removing the need for an extra Windows Server. The VUM enables centralized, automated patch and version management for vSphere.

    The Content Library (check my post here) added the capability of mounting an ISO to the VM directly from the library. I will have to re-visit my Content Library post because I’ve had more requests from clients to use this feature. You could even create a new VM from a template in the Content Library. It can also be synchronized between vCenter servers over HTTP.


    Storage IO Control (SIOC) can now be configured in storage policies and applied to VMs. With this, you define IO limits, reservations, and shares that are assigned to VMs through the storage policy.


    The HTML5 Host Client is a new product designed to replace the functionality of the C# client for direct connections to a single ESXi host. You can monitor resources and review logs with it.


    And last but not least, you can register a KMIP-compliant Key Management Server (KMS) with vCenter and use it to encrypt your VMs; the keys live in the KMS, and vCenter obtains them and hands them to the ESXi hosts. I know, I know, everything involving certificates is more complicated, but lately it’s just a necessity if you don’t want to fall victim to vulture groups looking to make a quick buck encrypting your data.


  • UCS Manager – Create a VLAN

    UCS Manager – Create a VLAN

    In this post we are going to create a VLAN in UCS Manager, using the latest HTML5 version of the GUI. So let’s get started by logging into the UCS Manager URL. Once there, browse to the LAN tab; in the new GUI shown here it is the third icon on the left (counting from the top).



    Then browse to the VLANs section inside the LAN Cloud. Remember to stay under the general LAN Cloud rather than under Fabric A or Fabric B, unless you really want a VLAN that exists on one fabric only.

    Now click the Add button in the top-right pane. The Create VLANs pop-up window appears; choose a name (VLAN_704 in this case), set the VLAN ID (704 in this case), and click OK. UCS Manager reserves a block of high VLAN IDs for its own use (the exact range depends on the UCS Manager version), so an ID in that range is rejected here rather than created.


    That is all for this post. VLANs are referenced from the vNIC templates, which is what lets traffic on those VLANs flow between the blades and the network outside the UCS domain. Next time I will show you how to create policies.

  • Quick Reference to FC Zoning on MDS

    Quick Reference to FC Zoning on MDS

    This is a quick reference to the commands used to configure zoning in NX-OS. It assumes an existing setup: the switches should be initialized and at the recommended NX-OS level. Connect to the FC switch using PuTTY and configure it using the following examples. Here I am using fcalias, but device-alias (devalias) is an option too. There are a couple of differences: fcalias is VSAN-specific while device-alias is not.

    show fcalias
    show zone
    show zoneset active

    show flogi database
    show fcns database

    FCALIAS
    conf t
    fcalias name <alias name> vsan 1
    member pwwn <wwpn>
    end

    ZONE
    conf t
    zone name <zonename> vsan 1
    member fcalias <fcaliasname>
    member fcalias <fcaliasname>
    end

    ZONESET
    conf t
    zoneset name <name> vsan 1
    member <zonename>
    end

    ACTIVATE ZONESET
    conf t
    zoneset activate name <active zoneset name> vsan 1
    end

    SAVE
    copy running-config startup-config
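    An added example, not from the post: a Python generator that emits the same command sequence as the reference above from a description of the fabric, after validating it (well-formed and unique pWWNs, zone members that refer to defined aliases, and exactly one initiator per zone, i.e. single-initiator zoning). Alias names, pWWNs and the VSAN are constructed for illustration.

```python
"""Generate and sanity-check MDS zoning commands (added example, not from the post).

Emits the fcalias / zone / zoneset / activate / save sequence from a Python
description of the fabric after validating it. Alias names, pWWNs and the
VSAN below are constructed for illustration.
"""
import re


def normalize_wwpn(wwpn):
    """Accept 'xx:xx:...:xx' or 16 bare hex digits; return the lowercase colon form."""
    raw = wwpn.strip().lower().replace(":", "")
    if not re.fullmatch(r"[0-9a-f]{16}", raw):
        raise ValueError(f"malformed pWWN: {wwpn!r}")
    return ":".join(raw[i:i + 2] for i in range(0, 16, 2))


def render_zoning(vsan, aliases, zones, zoneset):
    """aliases: {alias: (pwwn, 'initiator'|'target')}; zones: {zone: [alias, ...]}.

    Returns the NX-OS CLI as a list of lines, ready to paste into a session.
    Raises ValueError before emitting anything if the description is unsound.
    """
    seen = {}
    for name, (pwwn, role) in aliases.items():
        if role not in ("initiator", "target"):
            raise ValueError(f"alias {name}: role must be initiator or target")
        norm = normalize_wwpn(pwwn)
        if norm in seen:  # the same port in two aliases usually means a copy-paste slip
            raise ValueError(f"pWWN {norm} used by both {seen[norm]} and {name}")
        seen[norm] = name
    for zname, members in zones.items():
        unknown = [m for m in members if m not in aliases]
        if unknown:
            raise ValueError(f"zone {zname}: undefined alias {unknown}")
        initiators = [m for m in members if aliases[m][1] == "initiator"]
        # single-initiator zoning: one host port plus its target port(s), never two hosts
        if len(initiators) != 1 or len(members) < 2:
            raise ValueError(f"zone {zname}: expected exactly one initiator plus target(s)")

    lines = ["conf t"]
    for name, (pwwn, _role) in aliases.items():
        lines += [f"fcalias name {name} vsan {vsan}", f"  member pwwn {normalize_wwpn(pwwn)}"]
    for zname, members in zones.items():
        lines.append(f"zone name {zname} vsan {vsan}")
        lines += [f"  member fcalias {m}" for m in members]
    lines.append(f"zoneset name {zoneset} vsan {vsan}")
    lines += [f"  member {z}" for z in zones]
    lines += [f"zoneset activate name {zoneset} vsan {vsan}", "end",
              "copy running-config startup-config"]
    return lines


# constructed fabric: one ESXi vHBA and one array port in VSAN 1
ALIASES = {
    "esx01_vhba0": ("20:00:00:25:b5:0a:00:01", "initiator"),
    "array_ctl0_p0": ("50:06:01:60:3b:a0:12:34", "target"),
}
ZONES = {"z_esx01_vhba0_array_ctl0_p0": ["esx01_vhba0", "array_ctl0_p0"]}

if __name__ == "__main__":
    print("\n".join(render_zoning(1, ALIASES, ZONES, "zs_vsan1")))
```

    Validating before printing matters because the last command activates the zoneset: a typo in a pWWN or a zone that accidentally joins two hosts goes live on the fabric the moment the paste finishes.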

  • VMworld Day 1 – PEX

    VMworld Partner Exchange 2016 is in the books. I can only say one thing: it was outstanding. The sessions were top notch, and the presenters could not have been of higher caliber. The general session and keynotes were incredible; so much new technology is coming out this week. My first stop was the EUC and NSX Technical Deep Dive session with Gabriel Maciel (@gmaciel_ca). The main idea here is that most solutions and applications (if not all) can be paired with the three main use cases for NSX.

    • Security via micro-segmentation
      • One of the main characteristics of a virtual desktop is mobility. Desktops come and go and move around. It is really an intuitive approach to have a security policy follow that desktop everywhere it goes during its whole lifecycle.
    • Edge services like load balancers and distributed routing.
    • Network Virtualization

    The last two just apply to most cases. Better performance with the Edge services and even more mobility with Network Virtualization.

    My second stop was a follow-up with a Horizon 7 Deep Dive session with Graeme Gordon. Reviewing the new features, what captured my attention was the Instant Clone capabilities; these significantly reduce the time to deploy desktops using the Instant Clone technology (vmFork). It is not the best option for every case, like when using vGPUs, but great if you hate recomposing pools.

    From there it was the PEX General Session, and there we heard the news that the Dell-EMC deal is progressing, that we can have control and freedom and that during this week we will have great news with the new announcements.


    The next stop was HCI in the Healthcare market, and there I felt better because I found out that the Windows Server 2003 problem with medical devices is everywhere. After that, I’ve been eating, drinking and breathing NSX. I just realized in these two days that resistance is futile: if we don’t start solving our clients’ problems using NSX, they will go to the cloud and NSX will catch them there anyway. I was joking earlier today about how VMware should change the name of Cloud Foundation and the Cross-Cloud service to Skynet. Watch out Pat (@PGelsinger), a Terminator may be coming this way to get you!

  • VMworld General Session

    VMworld General Session

    We are the tomorrow, people not customers. It is an intriguing way to get this general session started, nice performance. Pat informs us that Digital Transformation is the top tech buzzword. What does it mean to you? The digital transformation we are having now is all about the cloud. By 2020 the ratio of workloads on the cloud to traditional IT will be 50/50, and by 2030 the public cloud will pass the 50% mark. How do we prepare? We can say with some certainty that fewer and fewer businesses are going to be investing in their own hardware and will start using more XaaS.

    This is why the be_tomorrow is us and is now. And to support this revolution VMware is a leader in the SDDC (Software Defined Data Center) field. Pat introduces the cross-cloud architecture to provide freedom and control with the VMware Cloud Foundation.

    IBM is the first partner offering the Cloud Foundation as a service. They mentioned that they already have 500 customers using these services. The main idea of the Cloud Foundation is to make the cloud simple.

    Going back to my first post yesterday morning about my Datacenter wishes, it seems that VMware is my genie. Now switching gears to the Cross-Cloud services from VMware. It is nice to see that VMware is not pretending to run any app, on any device, on their cloud; the last part of that catch phrase really becomes any cloud.

    It is not possible to go back to our clients and tell them to stop using AWS or Azure, it is better to embrace their diversity and wrap the solution around those external services.

    We now have a layer that can move workloads between AWS, Azure, and Google. Micro-segmentation and network virtualization for the public cloud. This is huge! Any application, any device, and now for real any cloud!

    be_tomorrow together!

  • be_here

    be_here

    I am back at VMworld Las Vegas, and once again I am surrounded by the most creative group of people in my line of work. Last year we were ready for any, this year we’ll be_here. What is it that you want to be_? From the customer point of view, I want to have access to my applications from anywhere and all the time. From the engineering point of view, I want to design a system that can accomplish that in the most efficient and simple way possible. I am hearing wonderful things already, most involving NSX.

    One of the buzz phrases that I like the most this year is be_free: we want to be free to move our workloads with no borders, on-prem and off. We are getting there. What is your Datacenter wish list? I know mine is to have one logical Datacenter span across multiple physical locations seamlessly. I know that is already possible, some people are doing it. I also know that a huge number of users are not prepared for disasters, and sometimes they are not protected from even the most simple of events. I want to offer a solution that solves all the business continuity challenges in an implicit way. A turnkey solution without a thousand parts glued together by chewing gum, easy to scale both up and out, and one that can be upgraded with no downtime.

    All this is possible, and this week I will be on the lookout for this new mindset. Don’t talk to me about old iron, and like an ex-coworker of mine used to say, “don’t put lipstick on a pig”. I want to be_tomorrow.

  • Create WWNN and WWPN pools in UCS Manager

    Create WWNN and WWPN pools in UCS Manager

    This is part of a series of posts on how to initially configure your UCS B-Series system using UCS Manager. With the information in this post, you will be able to configure the vHBAs needed for FC connectivity. Check the other posts under the Cisco section in my blog. If you are using iSCSI you can skip this step of the UCS B-Series configuration.

    To start, log in to your UCS Manager, select the SAN tab and navigate to the Pools section. Right-click on WWNN and click Create WWNN Pool.

    Give it a name, select Sequential and click Next.

    Now add the value for the WWNN: first click Add, then fill in the quantity (in this case 16) and click OK and Finish.

    The WWPN pool creation process is analogous to the one just described, but change one of the digits in the WWN window (see below).

    That’s it for this post, I am trying to keep them short to keep them coming. On the next post, I will show how to create a VLAN.
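    As an added example (not part of the original post), the following Python helper works out the block of addresses UCS Manager will create for a given starting WWN and quantity, and checks that the WWNN block and the WWPN block do not overlap before you click Add. The starting values are constructed for the example.

```python
# Added example, not from the original post: compute the WWN block that the
# "Add" dialog creates for a starting WWN and a quantity, and check that the
# WWNN and WWPN blocks do not overlap (overlapping pools would hand the same
# WWN to two different roles on the fabric). Starting values are constructed.

WWN_BYTES = 8  # a WWN is 8 bytes, written as 16 hex digits separated by colons


def wwn_to_int(wwn: str) -> int:
    parts = wwn.lower().split(":")
    if len(parts) != WWN_BYTES or any(len(p) != 2 for p in parts):
        raise ValueError(f"malformed WWN: {wwn}")
    return int("".join(parts), 16)


def int_to_wwn(value: int) -> str:
    if not 0 <= value < 1 << (8 * WWN_BYTES):
        raise ValueError("WWN value out of range")
    hexstr = f"{value:0{2 * WWN_BYTES}x}"
    return ":".join(hexstr[i:i + 2] for i in range(0, len(hexstr), 2))


def pool_block(start: str, quantity: int) -> tuple:
    """Return (first, last) WWN of a sequential block of `quantity` addresses."""
    if quantity < 1:
        raise ValueError("quantity must be positive")
    first = wwn_to_int(start)
    return int_to_wwn(first), int_to_wwn(first + quantity - 1)


def blocks_overlap(a: tuple, b: tuple) -> bool:
    """True if the two (first, last) WWN blocks share at least one address."""
    a0, a1 = (wwn_to_int(w) for w in a)
    b0, b1 = (wwn_to_int(w) for w in b)
    return a0 <= b1 and b0 <= a1


# Constructed example: a 16-address WWNN block and a 16-address WWPN block that
# differ in one digit, as the post suggests.
WWNN_BLOCK = pool_block("20:00:00:25:b5:00:00:00", 16)
WWPN_BLOCK = pool_block("20:00:00:25:b5:a0:00:00", 16)
```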