Category: Cisco

  • CCNA Cyber Ops – 3.0 Cryptography

    This is part three of a series of posts about the CCNA Cyber Ops certification; you can find the second part here. In this post we summarize the basic concepts of cryptography: hashes, digital signatures, and the common algorithms.

    3.1 Describe the uses of a hash algorithm

    A hash function is any function that can be used to map data of arbitrary size to data of fixed size. The values returned by a hash function are called hash values, hash codes, digests, or simply hashes.

    A cryptographic hash function is a special class of hash function that has certain properties which make it suitable for use in cryptography. It is a mathematical algorithm that maps data of arbitrary size to a bit string of a fixed size (a hash function) which is designed to also be a one-way function, that is, a function which is infeasible to invert. The only way to recreate the input data from an ideal cryptographic hash function’s output is to attempt a brute-force search of possible inputs to see if they produce a match. The input data is often called the message, and the output (the hash value or hash) is often called the message digest or simply the digest.

    3.2 Describe the uses of encryption algorithms

    Cryptographic hash functions have many information-security applications, notably in digital signatures, message authentication codes (MACs), and other forms of authentication. They can also be used as ordinary hash functions, to index data in hash tables, for fingerprinting, to detect duplicate data or uniquely identify files, and as checksums to detect accidental data corruption. Indeed, in information-security contexts, cryptographic hash values are sometimes called (digital) fingerprints, checksums, or just hash values, even though all these terms stand for more general functions with rather different properties and purposes.

    3.3 Compare and contrast symmetric and asymmetric encryption algorithms

    Symmetric-key algorithms are algorithms for cryptography that use the same cryptographic keys for encryption of plaintext and decryption of ciphertext. Public key cryptography, or asymmetric cryptography, is any cryptographic system that uses pairs of keys: public keys which may be disseminated widely, and private keys which are known only to the owner. This accomplishes two functions: authentication, which is when the public key is used to verify that a holder of the paired private key sent the message, and encryption, whereby only the holder of the paired private key can decrypt the message encrypted with the public key.

    3.4 Describe the processes of digital signature creation and verification

    A digital signature is a mathematical scheme for demonstrating the authenticity of digital messages or documents. A valid digital signature gives a recipient reason to believe that the message was created by a known sender (authentication), that the sender cannot deny having sent the message (non-repudiation), and that the message was not altered in transit (integrity).

    Digital signatures are based on public key cryptography, also known as asymmetric cryptography. Using a public key algorithm such as RSA, one can generate two keys that are mathematically linked: one private and one public. To create a digital signature, signing software (such as an email program) creates a one-way hash of the electronic data to be signed. The private key is then used to encrypt the hash. The encrypted hash — along with other information, such as the hashing algorithm — is the digital signature. The reason for encrypting the hash instead of the entire message or document is that a hash function can convert an arbitrary input into a fixed length value, which is usually much shorter. This saves time since hashing is much faster than signing.

    The value of the hash is unique to the hashed data. Any change in the data, even changing or deleting a single character, results in a different value. This attribute enables others to validate the integrity of the data by using the signer’s public key to decrypt the hash. If the decrypted hash matches a second computed hash of the same data, it proves that the data hasn’t changed since it was signed. If the two hashes don’t match, the data has either been tampered with in some way (integrity) or the signature was created with a private key that doesn’t correspond to the public key presented by the signer (authentication).
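    The hash-then-sign flow described above, as an added example that is not part of the original post: textbook RSA over two small constructed primes (labelled in the code; real keys are far larger and use a padding scheme such as PSS), a SHA-256 digest, and a verify step that fails for both cases the post names, altered data and a mismatched key.

```python
import hashlib

# Constructed toy key material: two small known primes so the maths is visible.
# This is textbook RSA for illustration only; real keys are 2048-bit or larger and
# come from a library with proper padding (PSS), never from code like this.
P, Q, E = 1000000007, 998244353, 65537


def modinv(a, m):
    """Extended Euclid: x such that (a * x) % m == 1; ValueError if no inverse exists."""
    r0, r1, t0, t1 = a, m, 1, 0
    while r1:
        q = r0 // r1
        r0, r1 = r1, r0 - q * r1
        t0, t1 = t1, t0 - q * t1
    if r0 != 1:
        raise ValueError("no modular inverse")
    return t0 % m


def generate_keypair(p=P, q=Q, e=E):
    """Return (public, private) as ((e, n), (d, n)): the two mathematically linked keys."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (modinv(e, phi), n)


def digest_as_int(message, algorithm):
    """Hash the message (the post's 'one-way hash of the data to be signed') as an integer."""
    return int.from_bytes(hashlib.new(algorithm, message).digest(), "big")


def sign(message, private_key, algorithm="sha256"):
    """Hash, then transform the digest with the private key. The digest is reduced mod n
    only because the toy modulus is smaller than a SHA-256 output."""
    d, n = private_key
    h = digest_as_int(message, algorithm) % n
    # The signature travels with the name of the hash algorithm, as the post describes.
    return {"alg": algorithm, "sig": pow(h, d, n)}


def verify(message, signature, public_key):
    """Recover the digest with the public key and compare with a freshly computed hash.
    False covers both failure modes in the post: altered data, or a signature made with
    a private key that does not match this public key."""
    e, n = public_key
    try:
        recovered = pow(signature["sig"], e, n)
        expected = digest_as_int(message, signature["alg"]) % n
    except (KeyError, TypeError, ValueError):   # malformed signature or unknown hash name
        return False
    return recovered == expected
```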

    3.5 Describe the operation of a PKI

    A public key infrastructure (PKI) is a set of roles, policies, and procedures needed to create, manage, distribute, use, store, and revoke digital certificates and manage public-key encryption.

    In the following video the concept of digital signatures is explained in a simple way:

    3.6 Describe the security impact of these commonly used hash algorithms

    • 3.6.a MD5: The MD5 algorithm is a widely used hash function producing a 128-bit hash value. Although MD5 was initially designed to be used as a cryptographic hash function, it has been found to suffer from extensive vulnerabilities. It can still be used as a checksum to verify data integrity, but only against unintentional corruption.
    • 3.6.b SHA-1: Secure Hash Algorithm 1 is a cryptographic hash function designed by the United States National Security Agency and is a U.S. Federal Information Processing Standard published by the United States NIST. SHA-1 produces a 160-bit (20-byte) hash value known as a message digest. A SHA-1 hash value is typically rendered as a hexadecimal number, 40 digits long. SHA-1 is no longer considered secure against well-funded opponents.
    • 3.6.c SHA-2: Secure Hash Algorithm 2 is a set of cryptographic hash functions designed by the National Security Agency (NSA). SHA-2 includes significant changes from its predecessor, SHA-1. The SHA-2 family consists of six hash functions with digests (hash values) that are 224, 256, 384 or 512 bits: SHA-224, SHA-256, SHA-384, SHA-512, SHA-512/224, SHA-512/256.
      • 3.6.c.1 SHA-256
      • 3.6.c.2 SHA-512
    • 3.6.d SHA-3

    3.7 Describe the security impact of these commonly used encryption algorithms and secure communications protocols

    • 3.7.a DES: Data Encryption Standard is a symmetric-key algorithm for the encryption of electronic data. Although now considered insecure, it was highly influential in the advancement of modern cryptography.
    • 3.7.b 3DES: Triple DES, officially the Triple Data Encryption Algorithm (TDEA or Triple DEA), is a symmetric-key block cipher, which applies the Data Encryption Standard (DES) cipher algorithm three times to each data block.
    • 3.7.c AES: The Advanced Encryption Standard, also known by its original name Rijndael, is a specification for the encryption of electronic data established by the U.S. National Institute of Standards and Technology (NIST) in 2001. AES is based on a design principle known as a substitution-permutation network, a combination of both substitution and permutation, and is fast in both software and hardware. Unlike its predecessor DES, AES does not use a Feistel network. AES is a variant of Rijndael which has a fixed block size of 128 bits, and a key size of 128, 192, or 256 bits. By contrast, the Rijndael specification per se is specified with block and key sizes that may be any multiple of 32 bits, both with a minimum of 128 and a maximum of 256 bits.
    • 3.7.d AES256-CTR: AES256 is a symmetric encryption algorithm that has become ubiquitous, due to the acceptance of the algorithm by the U.S. and Canadian governments as a standard for encrypting data in transit and data at rest. Because of the length of the key (256 bits) and the number of rounds (14), it takes a murderously long time for an attacker to recover the key by brute force.

    Block cipher modes of operation (ECB, CBC, OFB, CTR and CFB): In cryptography, a mode of operation is an algorithm that uses a block cipher to provide an information service such as confidentiality or authenticity. The cipher itself only transforms one fixed-size block; the mode defines how a message longer than one block is processed, which is why the same cipher (AES) behaves very differently under ECB than under CTR.

    • 3.7.e RSA: RSA is one of the first practical public-key cryptosystems and is widely used for secure data transmission. In such a cryptosystem, the encryption key is public and differs from the decryption key which is kept secret. In RSA, this asymmetry is based on the practical difficulty of factoring the product of two large prime numbers, the factoring problem. RSA is made of the initial letters of the surnames of Ron Rivest, Adi Shamir, and Leonard Adleman, who first publicly described the algorithm in 1977.
    • 3.7.f DSA: The Digital Signature Algorithm (DSA) is a Federal Information Processing Standard for digital signatures. It was proposed by the National Institute of Standards and Technology (NIST) in August 1991 for use in their Digital Signature Standard (DSS) and adopted as FIPS 186 in 1993.
    • 3.7.g SSH: Secure Shell (SSH) is a cryptographic network protocol for operating network services securely over an unsecured network. The best known example application is for remote login to computer systems by users.
    • 3.7.h SSL/TLS: Transport Layer Security (TLS) and its predecessor, Secure Sockets Layer (SSL), both frequently referred to as “SSL”, are cryptographic protocols that provide communications security over a computer network.
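    The modes listed above, as an added example that is not part of the original post: ECB, CBC and CTR implemented over a constructed toy Feistel block cipher (8-byte blocks built from SHA-256, labelled in the code, standing in for AES so the block is small enough to see the effect), with a helper that counts the repeated ciphertext blocks ECB is known to leak.

```python
import hashlib

BLOCK = 8   # 64-bit toy block so repeats are easy to see; AES uses 128-bit blocks


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _round_fn(key, rnd, half):
    """Keyed round function built from SHA-256. It only needs to be one-way; the
    Feistel structure makes the whole block transform invertible anyway."""
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:4]


def toy_block_encrypt(key, block, rounds=8):
    """Constructed 8-round Feistel cipher on one 8-byte block (NOT AES, NOT secure)."""
    left, right = block[:4], block[4:]
    for rnd in range(rounds):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left


def toy_block_decrypt(key, block, rounds=8):
    """The same rounds in reverse order undo the transform."""
    left, right = block[:4], block[4:]
    for rnd in reversed(range(rounds)):
        left, right = right, _xor(left, _round_fn(key, rnd, right))
    return right + left


def pad(data):
    n = BLOCK - len(data) % BLOCK          # PKCS#7-style padding to a whole block
    return data + bytes([n]) * n


def unpad(data):
    n = data[-1] if data else 0
    if not 1 <= n <= BLOCK or data[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return data[:-n]


def blocks(data):
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]


def ecb_encrypt(key, plaintext):
    """ECB: every block independently, so equal plaintext blocks give equal ciphertext."""
    return b"".join(toy_block_encrypt(key, b) for b in blocks(pad(plaintext)))


def ecb_decrypt(key, ciphertext):
    return unpad(b"".join(toy_block_decrypt(key, b) for b in blocks(ciphertext)))


def cbc_encrypt(key, iv, plaintext):
    """CBC: each block is XORed with the previous ciphertext block (the IV first)."""
    out, prev = [], iv
    for b in blocks(pad(plaintext)):
        prev = toy_block_encrypt(key, _xor(b, prev))
        out.append(prev)
    return b"".join(out)


def cbc_decrypt(key, iv, ciphertext):
    out, prev = [], iv
    for b in blocks(ciphertext):
        out.append(_xor(toy_block_decrypt(key, b), prev))
        prev = b
    return unpad(b"".join(out))


def ctr_crypt(key, nonce, data):
    """CTR: encrypt nonce||counter to make a keystream; no padding, and the same
    call both encrypts and decrypts. The nonce must never repeat under one key,
    because two messages under one keystream leak the XOR of their plaintexts."""
    out = []
    for i, b in enumerate(blocks(data)):
        keystream = toy_block_encrypt(key, nonce[:4] + i.to_bytes(4, "big"))
        out.append(_xor(b, keystream[:len(b)]))
    return b"".join(out)


def repeated_blocks(ciphertext):
    """How many ciphertext blocks duplicate an earlier one: the pattern leak ECB is known for."""
    bs = blocks(ciphertext)
    return len(bs) - len(set(bs))
```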

    3.8 Describe how the success or failure of a cryptographic exchange impacts security investigation

    The key exchange problem is how to exchange whatever keys or other information are needed so that no one else can obtain a copy. Historically, this required trusted couriers, diplomatic bags, or some other secure channel. With the advent of public key / private key cipher algorithms (i.e., asymmetric ciphers), the encrypting key (the public key of a pair) could be made public, since (at least for high quality algorithms) no one without the decrypting key (the private key of that pair) could decrypt the message.

    In terms of a “security investigation” let’s first take the case of a failed exchange between the authorized parties. If the exchange fails, the concepts of authentication, non-repudiation, and integrity are affected. Then an investigation can’t take place and also the systems are left vulnerable. If the exchange is successful, then there is no problem, but that makes me think that this question could be referring to the attack itself. If the attack is protected and the exchange between the system and the attacker is successful, then the investigation is going to be really hard because the investigator will have limited access to the facts of the attack, like where it comes from or the actual code of the virus, if that were the case.

    3.9 Describe these items in regards to SSL/TLS

    • 3.9.a Cipher suite: a cipher suite is a concept used in the Transport Layer Security (TLS) / Secure Sockets Layer (SSL) network protocol. Before TLS version 1.3, a cipher suite is a named combination of authentication, encryption, message authentication code (MAC) and key exchange algorithms used to negotiate the security settings. The format of cipher suites changed in TLS 1.3. In the current TLS 1.3 draft document, cipher suites are only used to negotiate the encryption and HMAC algorithms. When a TLS connection is established, a handshake, defined by the TLS Handshake Protocol, takes place. Within this handshake, a client hello (ClientHello) and a server hello (ServerHello) message are exchanged. First, the client sends a list of the cipher suites that it supports, in order of preference. Then the server replies with the cipher suite that it has selected from the client’s list. To test which TLS ciphers a server supports, an SSL/TLS scanner may be used.
    • 3.9.b X.509 certificates: In cryptography, X.509 is an important standard for a public key infrastructure (PKI) to manage digital certificates and public-key encryption and a key part of the Transport Layer Security protocol used to secure both web and email communication. An ITU-T standard, X.509 specifies formats for public key certificates, certificate revocation lists, attribute certificates, and a certification path validation algorithm.
    • 3.9.c Key exchange: Key exchange (also known as “key establishment”) is any method in cryptography by which cryptographic keys are exchanged between two parties, allowing the use of a cryptographic algorithm.
    • 3.9.d Protocol version: TLS 1.0, TLS 1.1, TLS 1.2, TLS 1.3.
    • 3.9.e PKCS: stands for “Public Key Cryptography Standards”. These are a group of public-key cryptography standards devised and published by RSA Security Inc, starting in the early 1990s. The company published the standards to promote the use of the cryptography techniques to which they had patents, such as the RSA algorithm, the Schnorr signature algorithm, and several others.

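    The cipher-suite structure from 3.9.a, as an added example that is not part of the original post: a parser that splits an IANA-style suite name into its key exchange, authentication, bulk cipher and hash components (TLS 1.3 names have no key exchange or authentication part, as the post notes), an assessment that flags components a defender should not see negotiated, and a selection routine that mirrors the server picking from the client's ordered list. The weakness categories are the author's editorial choice, not a standard list.

```python
# Added example, not from the original post: parse and assess TLS cipher suite names.


def parse_cipher_suite(name):
    """Split an IANA-style suite name into its components.

    Pre-1.3 names follow TLS_<kex>_<auth>_WITH_<cipher>_<hash>; a bare TLS_<alg>_WITH_...
    (e.g. TLS_RSA_WITH_...) means one algorithm does both key exchange and authentication.
    TLS 1.3 names (TLS_AES_256_GCM_SHA384) have no _WITH_ part because key exchange and
    authentication are negotiated separately from the suite.
    """
    if not name.startswith("TLS_"):
        raise ValueError("not a TLS cipher suite name: %r" % name)
    body = name[len("TLS_"):]
    suite = {"name": name, "export": False}
    if "_WITH_" not in body:
        cipher_hash = body
        suite.update(version="1.3", kex=None, auth=None)
    else:
        kex_auth, cipher_hash = body.split("_WITH_", 1)
        parts = kex_auth.split("_")
        if "EXPORT" in parts:                 # 40/56-bit export-grade variants
            suite["export"] = True
            parts = [p for p in parts if p != "EXPORT"]
        kex = parts[0]
        auth = "_".join(parts[1:]) or kex     # TLS_RSA_WITH_...: RSA does both roles
        suite.update(version="<=1.2", kex=kex, auth=auth)
    cipher, _, hash_name = cipher_hash.rpartition("_")
    # For AEAD suites (GCM, POLY1305) the trailing hash is the PRF, not a separate MAC.
    suite.update(cipher=cipher, mac=hash_name)
    return suite


def assess(name):
    """Return the list of weaknesses in a suite; an empty list means nothing was flagged."""
    s = parse_cipher_suite(name)
    issues = []
    if s["export"]:
        issues.append("export-grade key length")
    if s["auth"] == "anon":
        issues.append("anonymous key exchange: no server authentication")
    elif s["kex"] in ("RSA", "DH", "ECDH"):
        issues.append("no forward secrecy (static key exchange)")
    if s["cipher"].startswith("NULL"):
        issues.append("no encryption")
    elif s["cipher"].startswith(("RC4", "RC2", "DES_", "3DES", "IDEA")):
        issues.append("broken or deprecated cipher: " + s["cipher"])
    if s["mac"] == "MD5":
        issues.append("MD5 MAC")
    elif s["mac"] == "SHA":
        issues.append("SHA-1 MAC (legacy)")
    return issues


def select_suite(client_preference, server_supported):
    """Mirror the handshake: the first suite in the client's order that the server
    supports and that passes assess(); None means the server should refuse."""
    supported = set(server_supported)
    for name in client_preference:
        if name in supported and not assess(name):
            return name
    return None
```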
  • UCS B-Series Configuration using the UCS SDK and Python

    The Cisco UCS B-Series is a powerful system. I admit that it has a bit of a learning curve to it, but in time I’ve learned to appreciate the way it works. The thing is that after a few deployments you wonder, when are the Cisco engineers going to take usability into consideration? Well, luckily there is an SDK out there that you can get from GitHub here. If you need a refresher on GitHub, Atom and Python, check my previous post about it => GitHub and Atom. After cracking my head with Java for the ten-millionth time (UCS Manager GUI), I was able to put together a couple of lines of code to configure a UCS B-Series, using an input file created from an Excel spreadsheet and saved as a .CSV:

    This example file is available as a gist: ucs-book.csv.

    The following example configures a UCS B-Series with 8 blades. It uses ports 3 and 4 on both Fabric Interconnects as network uplinks and creates port channels 50 and 51 with them.

    The system will have three VLANs:

    1. vMotion with id 50
    2. Management with id 51
    3. Production with id 200

    The script can take as many VLANs as you want from the ucs-book.csv file and it will create them, but it will not allocate them to any vNIC template by default. At this point, there is an option to omit the iSCSI or the FC configuration with two boolean variables at the beginning of the script. Download it from GitHub => ucs-config

    To test all of this you could download the UCS Manager Emulator from Cisco and use Fusion to provision a new UCS B-Series. This is a basic, raw script: you would need to change the path to the .csv file, and I can’t guarantee that it will work on your system; of course I am not responsible for what happens to it. I would recommend using it in your development environment only until you become familiar with the SDK. Enjoy.
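    The script reads the workbook with a chain of if/elif tests and pushes whatever it finds straight into the fabric. As an added example (not the author's ucs-config script or the ucs-book.csv gist), here is a loader for the same row layout that validates the input before anything is committed: every required row present, KVM addresses parseable and in order, VLAN name and ID rows the same length, IDs within 1..4094, no duplicates. The name character set and the 32-character limit are a conservative choice for this example, not UCS Manager's exact rule, and the sample workbook is constructed.

```python
import csv
import io
import ipaddress
import re

# Constructed sample in the ucs-book.csv layout the post describes (one setting per row,
# VLAN rows carrying one value per column, trailing commas as Excel exports them).
SAMPLE_WORKBOOK = """\
Organization Name,Test_Org
KVM Starting IP Address,192.168.67.10
KVM Ending IP Address,192.168.67.20
KVM Gateway,192.168.67.1
KVM Primary DNS IP Address,192.168.67.2
KVM Secondary DNS IP Address,192.168.67.3
Service Profile Template Name,ESX_SPT
Service Profile Name Seed,ESX
VLAN Name,vMotion,Management,Production,
VLAN ID,50,51,200,
"""

IP_KEYS = (
    "KVM Starting IP Address", "KVM Ending IP Address", "KVM Gateway",
    "KVM Primary DNS IP Address", "KVM Secondary DNS IP Address",
)
NAME_KEYS = ("Organization Name", "Service Profile Template Name", "Service Profile Name Seed")
REQUIRED = set(IP_KEYS) | set(NAME_KEYS)
# Hypothetical conservative charset/length for names that end up in a DN such as
# org-root/org-<name>; not UCS Manager's exact validation rule.
NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")


def load_workbook(text):
    """Parse workbook text and validate it; raise ValueError before anything touches UCS."""
    settings, vlan_rows = {}, {}
    for row in csv.reader(io.StringIO(text)):
        cells = [c.strip() for c in row]
        if not cells or not cells[0]:
            continue                                   # blank line exported by Excel
        key, values = cells[0], [c for c in cells[1:] if c]
        if key in ("VLAN Name", "VLAN ID"):
            vlan_rows[key] = values
        elif key in REQUIRED:
            if len(values) != 1:
                raise ValueError("%s needs exactly one value" % key)
            settings[key] = values[0]
        else:
            raise ValueError("unknown row: %r" % key)   # the original printed "Bad Robot"

    missing = sorted(REQUIRED - set(settings))
    if missing:
        raise ValueError("missing rows: %s" % ", ".join(missing))
    for key in NAME_KEYS:
        if not NAME_RE.match(settings[key]):
            raise ValueError("%s has characters unsafe for a UCS name: %r" % (key, settings[key]))

    addrs = {k: ipaddress.ip_address(settings[k]) for k in IP_KEYS}   # ValueError on garbage
    if len({a.version for a in addrs.values()}) != 1:
        raise ValueError("KVM addresses mix IPv4 and IPv6")
    first, last = addrs["KVM Starting IP Address"], addrs["KVM Ending IP Address"]
    if first > last:
        raise ValueError("KVM pool start is after its end")

    names, ids = vlan_rows.get("VLAN Name", []), vlan_rows.get("VLAN ID", [])
    if len(names) != len(ids):
        raise ValueError("VLAN Name row has %d entries but VLAN ID row has %d" % (len(names), len(ids)))
    vlans = []
    for name, vid in zip(names, ids):
        if not NAME_RE.match(name):
            raise ValueError("bad VLAN name %r" % name)
        if not vid.isdigit() or not 1 <= int(vid) <= 4094:
            raise ValueError("VLAN ID %r is not in 1..4094" % vid)
        vlans.append((name, int(vid)))
    if len({n for n, _ in vlans}) != len(vlans) or len({i for _, i in vlans}) != len(vlans):
        raise ValueError("duplicate VLAN name or ID")

    settings["vlans"] = vlans
    settings["org_dn"] = "org-root/org-%s" % settings["Organization Name"]
    settings["kvm_pool_size"] = int(last) - int(first) + 1
    return settings


def workbook_error(text):
    """Return the validation message for a workbook, or None when it is acceptable."""
    try:
        load_workbook(text)
    except ValueError as exc:
        return str(exc)
    return None
```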

    # import section
    import csv
    # UCS connection handle
    from ucsmsdk.ucshandle import UcsHandle
    # Create Organization
    from ucsmsdk.mometa.org.OrgOrg import OrgOrg
    # UUID Pool
    from ucsmsdk.mometa.uuidpool.UuidpoolPool import UuidpoolPool
    from ucsmsdk.mometa.uuidpool.UuidpoolBlock import UuidpoolBlock
    # VLAN
    from ucsmsdk.mometa.fabric.FabricVlan import FabricVlan
    # Server Pool
    from ucsmsdk.mometa.compute.ComputePool import ComputePool
    from ucsmsdk.mometa.compute.ComputePooledSlot import ComputePooledSlot
    # Maintenance Policy
    from ucsmsdk.mometa.lsmaint.LsmaintMaintPolicy import LsmaintMaintPolicy
    # Power Policy
    from ucsmsdk.mometa.power.PowerPolicy import PowerPolicy
    # Create IP Pool
    from ucsmsdk.mometa.ippool.IppoolPool import IppoolPool
    from ucsmsdk.mometa.ippool.IppoolBlock import IppoolBlock
    # Create MAC Pool
    from ucsmsdk.mometa.macpool.MacpoolPool import MacpoolPool
    from ucsmsdk.mometa.macpool.MacpoolBlock import MacpoolBlock
    # Create Network Control Policy
    from ucsmsdk.mometa.nwctrl.NwctrlDefinition import NwctrlDefinition
    from ucsmsdk.mometa.dpsec.DpsecMac import DpsecMac
    # FC WWNN and WWPN Pools
    from ucsmsdk.mometa.fcpool.FcpoolInitiators import FcpoolInitiators
    from ucsmsdk.mometa.fcpool.FcpoolBlock import FcpoolBlock
    # Create vNIC Templates
    from ucsmsdk.mometa.vnic.VnicLanConnTempl import VnicLanConnTempl
    from ucsmsdk.mometa.vnic.VnicEtherIf import VnicEtherIf
    # Create Local Disk Conf Policy
    from ucsmsdk.mometa.storage.StorageLocalDiskConfigPolicy import StorageLocalDiskConfigPolicy
    # Create Boot Policy
    from ucsmsdk.mometa.lsboot.LsbootPolicy import LsbootPolicy
    from ucsmsdk.mometa.lsboot.LsbootVirtualMedia import LsbootVirtualMedia
    from ucsmsdk.mometa.lsboot.LsbootStorage import LsbootStorage
    from ucsmsdk.mometa.lsboot.LsbootLocalStorage import LsbootLocalStorage
    from ucsmsdk.mometa.lsboot.LsbootUsbFlashStorageImage import LsbootUsbFlashStorageImage
    # Create HBA Template
    from ucsmsdk.mometa.vnic.VnicSanConnTempl import VnicSanConnTempl
    from ucsmsdk.mometa.vnic.VnicFcIf import VnicFcIf
    # Configuring Uplink ports
    from ucsmsdk.mometa.fabric.FabricEthLanEp import FabricEthLanEp
    # Configure Port Channels
    from ucsmsdk.mometa.fabric.FabricEthLanPc import FabricEthLanPc
    from ucsmsdk.mometa.fabric.FabricEthLanPcEp import FabricEthLanPcEp
    # Create Service Profile Template
    from ucsmsdk.mometa.ls.LsServer import LsServer
    from ucsmsdk.mometa.ls.LsVConAssign import LsVConAssign
    from ucsmsdk.mometa.vnic.VnicEther import VnicEther
    from ucsmsdk.mometa.vnic.VnicFc import VnicFc
    from ucsmsdk.mometa.vnic.VnicFcNode import VnicFcNode
    from ucsmsdk.mometa.ls.LsRequirement import LsRequirement
    from ucsmsdk.mometa.ls.LsPower import LsPower
    from ucsmsdk.mometa.fabric.FabricVCon import FabricVCon

    # Are we having iSCSI to the hosts?
    iSCSI = True
    # Are we having FC to the hosts?
    FC = False

    # Create the handle.
    # Note: the credentials are hard-coded and secure=False talks to UCS Manager over plain
    # HTTP, so the password crosses the wire in clear; fine for the emulator, not for production.
    handle = UcsHandle("192.168.67.148", "admin", "password", secure=False)
    # login into UCS manager
    handle.login()

    # reading variables from the ucs workbook (one setting per row; the VLAN rows hold
    # one value per column, so the whole row is kept and walked from index 1)
    with open("/Users/javirodz/Documents/ucs-book.csv", "r") as my_file:
        my_csv_file = csv.reader(my_file)
        for row in my_csv_file:
            if not row:
                continue
            if row[0] == "Organization Name":
                my_Org = row[1]
                my_Full_Path_Org = "org-root/org-%s" % my_Org
            elif row[0] == "KVM Starting IP Address":
                my_kvm_pool_first = row[1]
            elif row[0] == "KVM Primary DNS IP Address":
                my_Primary_DNS = row[1]
            elif row[0] == "KVM Secondary DNS IP Address":
                my_Secondary_DNS = row[1]
            elif row[0] == "KVM Gateway":
                my_KVM_Gateway = row[1]
            elif row[0] == "KVM Ending IP Address":
                my_kvm_last_addr = row[1]
            elif row[0] == "Service Profile Template Name":
                my_SPT = row[1]
            elif row[0] == "Service Profile Name Seed":
                my_SP_Name = row[1]
            elif row[0] == "VLAN Name":
                VLAN_Name = row
            elif row[0] == "VLAN ID":
                VLAN_ID = row
            else:
                print("Bad Robot")

    # Create Sub Organization
    mo = OrgOrg(parent_mo_or_dn="org-root", name=my_Org, descr="Sub Organization")
    handle.add_mo(mo)
    handle.commit()

    # Create Production VLANs (one per column of the VLAN Name / VLAN ID rows)
    k = 1
    while k < len(VLAN_Name):
        mo = FabricVlan(parent_mo_or_dn="fabric/lan", sharing="none", name=VLAN_Name[k], id=VLAN_ID[k], mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
        handle.add_mo(mo)
        handle.commit()
        k = k + 1

    # Create UUID Pool
    mo = UuidpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", prefix="derived", descr="UUID Pool", assignment_order="sequential", name="UUID_POOL")
    mo_1 = UuidpoolBlock(parent_mo_or_dn=mo, to="0001-000000000100", r_from="0001-000000000001")
    handle.add_mo(mo)
    handle.commit()

    # Create a Server Pool (all 8 blade slots of chassis 1)
    mo = ComputePool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", name="Server_Pool", descr="Server Pool")
    mo_1 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="1", chassis_id="1")
    mo_2 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="2", chassis_id="1")
    mo_3 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="3", chassis_id="1")
    mo_4 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="4", chassis_id="1")
    mo_5 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="5", chassis_id="1")
    # slot 6 was missing from the original listing although the text describes 8 blades
    mo_6 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="6", chassis_id="1")
    mo_7 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="7", chassis_id="1")
    mo_8 = ComputePooledSlot(parent_mo_or_dn=mo, slot_id="8", chassis_id="1")
    handle.add_mo(mo)
    handle.commit()

    # Create Maintenance Policy
    mo = LsmaintMaintPolicy(parent_mo_or_dn=my_Full_Path_Org, uptime_disr="user-ack", name="User_Ack", descr="User Ack", trigger_config="on-next-boot", sched_name="", policy_owner="local")
    handle.add_mo(mo)
    handle.commit()

    # Create Power Policy
    mo = PowerPolicy(parent_mo_or_dn=my_Full_Path_Org, fan_speed="any", policy_owner="local", name="No_Cap", prio="no-cap", descr="No Cap")
    handle.add_mo(mo)
    handle.commit()

    # Create IP Pool (KVM addresses)
    mo = IppoolPool(parent_mo_or_dn=my_Full_Path_Org, is_net_bios_enabled="disabled", name="ext_mgmt", descr="KVM", policy_owner="local", ext_managed="internal", supports_dhcp="disabled", assignment_order="sequential")
    mo_1 = IppoolBlock(parent_mo_or_dn=mo, prim_dns=my_Primary_DNS, r_from=my_kvm_pool_first, def_gw=my_KVM_Gateway, sec_dns=my_Secondary_DNS, to=my_kvm_last_addr)
    handle.add_mo(mo)
    handle.commit()

    # Create MAC Pools
    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Management FI-A", assignment_order="sequential", name="MGMT-A")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A0:00:0F", r_from="00:25:B5:A0:00:00")
    handle.add_mo(mo)
    handle.commit()

    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Management FI-B", assignment_order="sequential", name="MGMT-B")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B0:00:0F", r_from="00:25:B5:B0:00:00")
    handle.add_mo(mo)
    handle.commit()

    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Production FI-A", assignment_order="sequential", name="VM-A")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A1:00:0F", r_from="00:25:B5:A1:00:00")
    handle.add_mo(mo)
    handle.commit()

    mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="Production FI-B", assignment_order="sequential", name="VM-B")
    mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B1:00:0F", r_from="00:25:B5:B1:00:00")
    handle.add_mo(mo)
    handle.commit()

    if iSCSI:
        mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="iSCSI FI-A", assignment_order="sequential", name="iSCSI-A")
        mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:A2:00:0F", r_from="00:25:B5:A2:00:00")
        handle.add_mo(mo)
        handle.commit()
        mo = MacpoolPool(parent_mo_or_dn=my_Full_Path_Org, policy_owner="local", descr="iSCSI FI-B", assignment_order="sequential", name="iSCSI-B")
        mo_1 = MacpoolBlock(parent_mo_or_dn=mo, to="00:25:B5:B3:00:0F", r_from="00:25:B5:B3:00:00")
        handle.add_mo(mo)
        handle.commit()
    # End Create MAC Pools

    # Create Network Control Policy
    mo = NwctrlDefinition(parent_mo_or_dn=my_Full_Path_Org, lldp_transmit="disabled", name="CDP_EN", lldp_receive="disabled", mac_register_mode="only-native-vlan", policy_owner="local", cdp="enabled", uplink_fail_action="link-down", descr="CDP Enable")
    mo_1 = DpsecMac(parent_mo_or_dn=mo, forge="allow", policy_owner="local", name="", descr="")
    handle.add_mo(mo)
    handle.commit()

    # FC WWNN and WWPN Pools
    if FC:
        mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWNN_Pool", policy_owner="local", descr="WWNN Pool", assignment_order="sequential", purpose="node-wwn-assignment")
        mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:00:00:25:B5:A0:00:FF", r_from="20:00:00:25:B5:A0:00:00")
        handle.add_mo(mo)
        handle.commit()

        mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWPN_Pool-A", policy_owner="local", descr="WWPN Pool FI-A", assignment_order="sequential", purpose="port-wwn-assignment")
        mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:01:00:25:B5:A0:00:0F", r_from="20:01:00:25:B5:A0:00:00")
        handle.add_mo(mo)
        handle.commit()

        mo = FcpoolInitiators(parent_mo_or_dn=my_Full_Path_Org, name="WWPN_Pool-B", policy_owner="local", descr="WWPN Pool FI-B", assignment_order="sequential", purpose="port-wwn-assignment")
        mo_1 = FcpoolBlock(parent_mo_or_dn=mo, to="20:01:00:25:B5:B0:00:0F", r_from="20:01:00:25:B5:B0:00:00")
        handle.add_mo(mo)
        handle.commit()

    # Create vNIC Templates
    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="MGMT-A", descr="Management FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="MGMT-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="Mgmt")
    mo_2 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="vMotion")
    handle.add_mo(mo)
    handle.commit()

    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="MGMT-B", descr="Management FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="MGMT-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="Mgmt")
    mo_2 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="vMotion")
    handle.add_mo(mo)
    handle.commit()

    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="VM-A", descr="Production FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="VM-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    # Depending on the VLANs that will pass to the NIC (the VLAN name must match one created above):
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="Production")
    handle.add_mo(mo)
    handle.commit()

    mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="VM-B", descr="Production FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="VM-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
    # Depending on the VLANs that will pass to the NIC:
    mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="no", name="Production")
    handle.add_mo(mo)
    handle.commit()

    if iSCSI:
        # Create iSCSI-A VLAN on FI-A (ID 2550)
        mo = FabricVlan(parent_mo_or_dn="fabric/eth-estc/A", sharing="none", name="iSCSI-A", id="2550", mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
        handle.add_mo(mo)
        handle.commit()

        # Create iSCSI-B VLAN on FI-B (ID 2551)
        mo = FabricVlan(parent_mo_or_dn="fabric/eth-estc/B", sharing="none", name="iSCSI-B", id="2551", mcast_policy_name="", policy_owner="local", default_net="no", pub_nw_name="", compression_type="included")
        handle.add_mo(mo)
        handle.commit()

        mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="iSCSI-A", descr="iSCSI FI-A", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="iSCSI-A", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
        mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="iSCSI-A")
        handle.add_mo(mo)
        handle.commit()

        mo = VnicLanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="iSCSI-B", descr="iSCSI FI-B", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", mtu="1500", policy_owner="local", qos_policy_name="", ident_pool_name="iSCSI-B", cdn_source="vnic-name", nw_ctrl_policy_name="CDP_EN")
        mo_1 = VnicEtherIf(parent_mo_or_dn=mo, default_net="yes", name="iSCSI-B")
        handle.add_mo(mo)
        handle.commit()

    # Create Local Disk Conf Policy (any-configuration)
    mo = StorageLocalDiskConfigPolicy(parent_mo_or_dn=my_Full_Path_Org, protect_config="yes", name="Local_Disk_CP", descr="Local Disk Configuration Policy Desc", flex_flash_raid_reporting_state="enable", flex_flash_state="enable", policy_owner="local", mode="any-configuration")
    handle.add_mo(mo)
    handle.commit()

    # Create Boot Policy (boot from SD)
    mo = LsbootPolicy(parent_mo_or_dn=my_Full_Path_Org, name="Boot_Policy", descr="Boot Policy Desc", reboot_on_update="no", policy_owner="local", enforce_vnic_name="yes", boot_mode="legacy")
    mo_1 = LsbootVirtualMedia(parent_mo_or_dn=mo, access="read-write-drive", lun_id="0", mapping_name="", order="2")
    mo_2 = LsbootStorage(parent_mo_or_dn=mo, order="1")
    mo_2_1 = LsbootLocalStorage(parent_mo_or_dn=mo_2)
    mo_2_1_1 = LsbootUsbFlashStorageImage(parent_mo_or_dn=mo_2_1, order="1")
    handle.add_mo(mo)
    handle.commit()

    # Create HBA Template
    if FC:
        mo = VnicSanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="fc-a", descr="", stats_policy_name="default", switch_id="A", pin_to_group_name="", policy_owner="local", qos_policy_name="", ident_pool_name="WWPN_Pool-A", max_data_field_size="2048")
        mo_1 = VnicFcIf(parent_mo_or_dn=mo, name="default")
        handle.add_mo(mo)
        handle.commit()

        mo = VnicSanConnTempl(parent_mo_or_dn=my_Full_Path_Org, templ_type="updating-template", name="fc-b", descr="", stats_policy_name="default", switch_id="B", pin_to_group_name="", policy_owner="local", qos_policy_name="", ident_pool_name="WWPN_Pool-B", max_data_field_size="2048")
        mo_1 = VnicFcIf(parent_mo_or_dn=mo, name="default")
        handle.add_mo(mo)
        handle.commit()

    # Configuring Uplink ports
    # FI-A Port-3
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/A", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="3")
    handle.add_mo(mo)
    handle.commit()
    # FI-A Port-4
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/A", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()
    # FI-B Port-3
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/B", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="3")
    handle.add_mo(mo)
    handle.commit()
    # FI-B Port-4
    mo = FabricEthLanEp(parent_mo_or_dn="fabric/lan/B", eth_link_profile_name="default", name="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", usr_lbl="", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()
    # Configure Port Channels
    # PC-50 with FI-A P3 and FI-A P4
    mo = FabricEthLanPc(parent_mo_or_dn="fabric/lan/A", name="PC-50", descr="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", admin_state="enabled", oper_speed="10gbps", port_id="50", lacp_policy_name="default")
    mo_1 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="3")
    mo_2 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()
    # PC-51 with FI-B P3 and FI-B P4
    mo = FabricEthLanPc(parent_mo_or_dn="fabric/lan/B", name="PC-51", descr="", flow_ctrl_policy="default", admin_speed="10gbps", auto_negotiate="yes", admin_state="enabled", oper_speed="10gbps", port_id="51", lacp_policy_name="default")
    mo_1 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="3")
    mo_2 = FabricEthLanPcEp(parent_mo_or_dn=mo, eth_link_profile_name="default", name="", auto_negotiate="yes", slot_id="1", admin_state="enabled", port_id="4")
    handle.add_mo(mo)
    handle.commit()

    # Create Service Profile Template
    # Note: ext_ip_pool_name="ext-mgmt" refers to the org-root default KVM pool, not the
    # "ext_mgmt" pool created above in the sub-organization.
    if FC and not iSCSI:
        # The original hard-coded "org-root/org-Test_Org" here; the sub-org DN from the workbook is used instead.
        mo = LsServer(parent_mo_or_dn=my_Full_Path_Org, vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Description", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext-mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="initial-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="default", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
        mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
        mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
     mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
     mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
     mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="fc", vnic_name="fc-a")
     mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="fc", vnic_name="fc-b")
     mo_7 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
     mo_8 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
     mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
     mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
     mo_11 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", pers_bind="disabled", order="5", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-a", name="fc-a")
     mo_11_1 = VnicFcIf(parent_mo_or_dn=mo_11, name="")
     mo_12 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", pers_bind="disabled", order="6", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-b", name="fc-b")
     mo_12_1 = VnicFcIf(parent_mo_or_dn=mo_12, name="")
     mo_13 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="WWNN_Pool", addr="pool-derived")
     mo_14 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
     mo_15 = LsPower(parent_mo_or_dn=mo, state="admin-up")
     mo_16 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
     mo_17 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
     mo_18 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
     mo_19 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
     handle.add_mo(mo)
     handle.commit()
    
    if(iSCSI and not FC):
     mo = LsServer(parent_mo_or_dn="org-root/org-Test_Org", vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Desc", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext-mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="updating-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="default", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
     mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
     mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
     mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
     mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
     mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="ethernet", vnic_name="iSCSI-A")
     mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="ethernet", vnic_name="iSCSI-B")
     mo_7 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
     mo_8 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
     mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
     mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
     mo_11 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="iSCSI-A", order="5", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-A", addr="derived")
     mo_12 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="iSCSI-B", order="6", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-B", addr="derived")
     mo_13 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="node-default", addr="pool-derived")
     mo_14 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
     mo_15 = LsPower(parent_mo_or_dn=mo, state="admin-up")
     mo_16 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
     mo_17 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
     mo_18 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
     mo_19 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
     handle.add_mo(mo)
     handle.commit()
    
    if(iSCSI and FC):
     mo = LsServer(parent_mo_or_dn="org-root/org-Test_Org", vmedia_policy_name="", ext_ip_state="none", bios_profile_name="", mgmt_fw_policy_name="", agent_policy_name="", mgmt_access_policy_name="", dynamic_con_policy_name="", kvm_mgmt_policy_name="", sol_policy_name="", uuid="0", descr="SPT Description", stats_policy_name="default", policy_owner="local", ext_ip_pool_name="ext-mgmt", boot_policy_name="Boot_Policy", usr_lbl="", host_fw_policy_name="", vcon_profile_name="", ident_pool_name="UUID_POOL", src_templ_name="", type="updating-template", local_disk_policy_name="Local_Disk_CP", scrub_policy_name="", power_policy_name="default", maint_policy_name="User_Ack", name=my_SPT, resolve_remote="yes")
     mo_1 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="1", transport="ethernet", vnic_name="MGMT-A")
     mo_2 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="2", transport="ethernet", vnic_name="MGMT-B")
     mo_3 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="3", transport="ethernet", vnic_name="VM-A")
     mo_4 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="4", transport="ethernet", vnic_name="VM-B")
     mo_5 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="5", transport="ethernet", vnic_name="iSCSI-A")
     mo_6 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="6", transport="ethernet", vnic_name="iSCSI-B")
     mo_7 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="7", transport="fc", vnic_name="fc-a")
     mo_8 = LsVConAssign(parent_mo_or_dn=mo, admin_vcon="any", admin_host_port="ANY", order="8", transport="fc", vnic_name="fc-b")
     mo_9 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="MGMT-A", order="1", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-A", addr="derived")
     mo_10 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="MGMT-B", order="2", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="MGMT-B", addr="derived")
     mo_11 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="VM-A", order="3", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-A", addr="derived")
     mo_12 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="VM-B", order="4", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="VM-B", addr="derived")
     mo_13 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", name="iSCSI-A", order="5", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-A", addr="derived")
     mo_14 = VnicEther(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", nw_ctrl_policy_name="", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", name="iSCSI-B", order="6", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", mtu="1500", nw_templ_name="iSCSI-B", addr="derived")
     mo_15 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="A", pin_to_group_name="", pers_bind="disabled", order="7", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-a", name="fc-a")
     mo_15_1 = VnicFcIf(parent_mo_or_dn=mo_15, name="")
     mo_16 = VnicFc(parent_mo_or_dn=mo, cdn_prop_in_sync="yes", addr="derived", admin_host_port="ANY", admin_vcon="any", stats_policy_name="default", admin_cdn_name="", switch_id="B", pin_to_group_name="", pers_bind="disabled", order="8", pers_bind_clear="no", qos_policy_name="", adaptor_profile_name="VMWare", ident_pool_name="", cdn_source="vnic-name", max_data_field_size="2048", nw_templ_name="fc-b", name="fc-b")
     mo_16_1 = VnicFcIf(parent_mo_or_dn=mo_16, name="")
     mo_17 = VnicFcNode(parent_mo_or_dn=mo, ident_pool_name="WWNN_Pool", addr="pool-derived")
     mo_18 = LsRequirement(parent_mo_or_dn=mo, restrict_migration="no", name="Server_Pool", qualifier="")
     mo_19 = LsPower(parent_mo_or_dn=mo, state="admin-up")
     mo_20 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="1", inst_type="auto")
     mo_21 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="2", inst_type="auto")
     mo_22 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="3", inst_type="auto")
     mo_23 = FabricVCon(parent_mo_or_dn=mo, placement="physical", fabric="NONE", share="shared", select="all", transport="ethernet,fc", id="4", inst_type="auto")
     handle.add_mo(mo)
     handle.commit()
    
    # Logout after script is executed
    handle.logout()
    my_file.close()

    By the way, there is another script, “clean-ucs.py”, that undoes whatever the configuration script does, in case you need to go back and forth with it.

  • CCNA Cyber Ops – 2.0 Security Concepts

    CCNA Cyber Ops – 2.0 Security Concepts

    This is part two of a series of posts about the CCNA Cyber Ops certification, you can find the first part here. Essentially in this post, we summarize the basic security concepts needed to understand and become competent with this topic.

    2.0 Security Concepts

    2.1 Describe the principles of the defense in depth strategy: Defense in depth is the coordinated use of multiple security countermeasures to protect the integrity of the information assets in an enterprise. The strategy is based on the military principle that it is more difficult for an enemy to defeat a complex and multi-layered defense system than to penetrate a single barrier. Defense in depth can be divided into three areas: Physical, Technical, and Administrative.

    Physical controls are anything that physically limits or prevents access to IT systems; examples are fences, guards, dogs, and CCTV systems.

    Technical controls are hardware or software whose purpose is to protect systems and resources. Examples of technical controls would be disk encryption, fingerprint readers, and Windows Active Directory. Hardware technical controls differ from physical controls in that they prevent access to the contents of a system, but not the physical systems themselves.

    Administrative controls are an organization’s policies and procedures. Their purpose is to ensure that there is proper guidance available in regards to security and that regulations are met. They include things such as hiring practices, data handling procedures, and security requirements.

    2.2 Compare and contrast these concepts

    • 2.2.a Risk: the potential that a given threat will exploit vulnerabilities of an asset or group of assets and thereby cause harm to the organization. It is measured in terms of a combination of the probability of occurrence of an event and its consequence.
      • Risk = Likelihood * Impact
    • 2.2.b Threat: In computer security, a threat is a possible danger that might exploit a vulnerability to breach security and therefore cause possible harm.
    • 2.2.c Vulnerability: In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. A vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw.
    • 2.2.d Exploit: An exploit is a piece of software, a chunk of data, or a sequence of commands that takes advantage of a bug or vulnerability in order to cause an unintended or unanticipated behavior to occur on computer software, hardware, or something electronic (usually computerized). Such behavior frequently includes things like gaining control of a computer system, allowing privilege escalation, or a denial-of-service (DoS or related DDoS) attack.

    2.3 Describe these terms

    • 2.3.a Threat actor: A threat actor, or malicious actor, is a person or entity that is responsible for an event or incident that impacts, or has the potential to impact, the safety or security of another entity. Most often, the term is used to describe the individuals and groups that perform malicious acts against organizations of various types and sizes. From a threat intelligence perspective, threat actors are often categorized as unintentional or intentional and external or internal.
    • 2.3.b Run book automation (RBA): Runbook automation (RBA) is the ability to define, build, orchestrate, manage, and report on workflows that support system and network operational processes. A runbook workflow can potentially interact with all types of infrastructure elements, such as applications, databases, and hardware.
    • 2.3.c Chain of custody (evidentiary): Chain of custody (CoC), in legal contexts, refers to the chronological documentation or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical or electronic evidence. It is essential that any item of evidence can be traced from the crime scene to the courtroom, and everywhere in between. This is known as maintaining the ‘chain of custody’ or ‘continuity of evidence’. You must be able to prove that a particular piece of evidence was at a particular place, at a particular time and in a particular condition. This applies to the physical hardware as well as the information retrieved from that hardware. If the chain of custody is broken, the forensic investigation may be fatally compromised, which is why proper management of the evidence matters.
    • 2.3.d Reverse engineering: Reverse engineering is taking apart an object to see how it works in order to duplicate or enhance the object. The practice, taken from older industries, is now frequently used in computer hardware and software. Software reverse engineering involves disassembling or decompiling a program’s machine code (the binary instructions the processor executes) back into a human-readable form: assembly, or an approximation of high-level source. The original source is not recovered; names, comments and structure that the compiler discarded have to be reconstructed by the analyst.
    • 2.3.e Sliding window anomaly detection: A traffic profile is based on connection data collected over a time span that you specify; that time span is called the profiling time window (PTW). The PTW is a sliding window: if your PTW is one week (the default), your traffic profile includes connection data collected over the last week, and the window keeps moving forward as new data arrives. You can change the PTW to be as short as an hour or as long as several weeks. After you create a traffic profile, you can detect abnormal network traffic by evaluating new traffic against your profile, which presumably represents normal network traffic.
    • 2.3.f PII: Personally identifiable information (PII), or sensitive personal information (SPI), as used in information security and privacy laws, is information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context.
    • 2.3.g PHI: Protected health information (PHI) under US law is any information about health status, provision of healthcare, or payment for health care that is created or collected by a “Covered Entity” (or a Business Associate of a Covered Entity), and can be linked to a specific individual. 
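    The chain-of-custody idea in 2.3.c comes down to two checks a verifier can actually run: the evidence bytes still hash to the value recorded at acquisition, and every hand-off was released by the previous receiver. The following is an added example, not code from the original post; the item names, custodians and the “disk image” bytes are constructed for illustration.

```python
"""Added example (not from the original post): a chain-of-custody record
for one piece of digital evidence. Every hand-off logs who released it, who
received it, where, when, and the SHA-256 of the evidence as received, so a
verifier can later show the bytes were unchanged and the custodians form an
unbroken chain."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    """Fingerprint of the evidence; any altered byte changes the digest."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    timestamp: str        # ISO 8601, UTC
    released_by: str
    received_by: str
    location: str
    sha256: str           # computed from the bytes actually handed over


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str                       # digest recorded at imaging/seizure
    log: List[CustodyEntry] = field(default_factory=list)

    def transfer(self, data: bytes, released_by: str, received_by: str,
                 location: str, when: Optional[datetime] = None) -> CustodyEntry:
        """Record a hand-off; the hash is recomputed, never copied forward."""
        when = when or datetime.now(timezone.utc)
        entry = CustodyEntry(when.isoformat(), released_by, received_by,
                             location, sha256_hex(data))
        self.log.append(entry)
        return entry

    def verify(self) -> List[str]:
        """Return the list of breaks in the chain; an empty list means intact."""
        problems: List[str] = []
        for i, entry in enumerate(self.log):
            if entry.sha256 != self.acquisition_hash:
                problems.append(f"entry {i}: hash mismatch on hand-off "
                                f"{entry.released_by} -> {entry.received_by}")
            if i > 0:
                prev = self.log[i - 1]
                if entry.released_by != prev.received_by:
                    problems.append(f"entry {i}: custody gap, {entry.released_by} "
                                    f"was not the last recorded custodian")
                if datetime.fromisoformat(entry.timestamp) < datetime.fromisoformat(prev.timestamp):
                    problems.append(f"entry {i}: timestamp earlier than previous hand-off")
        return problems


def demo() -> tuple:
    """Constructed walk-through: an intact chain, then the same item after a
    tampered copy and a skipped custodian. Returns (intact_problems, broken_problems)."""
    image = b"constructed stand-in for a disk image"       # sample data, not real evidence
    item = EvidenceItem("EV-001", "laptop disk image", sha256_hex(image))
    t0 = datetime(2017, 5, 1, 9, 0, tzinfo=timezone.utc)
    item.transfer(image, "field agent", "evidence clerk", "evidence room", t0)
    item.transfer(image, "evidence clerk", "forensic examiner", "lab", t0.replace(hour=10))
    intact = item.verify()

    tampered = image + b"\x00"                               # one extra byte
    item.transfer(tampered, "records manager", "prosecutor", "courthouse", t0.replace(hour=11))
    broken = item.verify()
    return intact, broken
```

    The point of recomputing the digest at each hand-off, rather than copying the previous entry, is that the log then records what was actually received; a copied hash would prove nothing. In practice the log itself is also signed or stored write-once, which this example leaves out.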
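    To make the sliding window in 2.3.e concrete: the window holds the most recent N per-interval counts (the PTW), each new count is compared with the mean and spread of that window, and the window then moves forward. The code below is an added example and not from the original post or any Cisco product; the hourly connection counts are constructed, and the 3-sigma rule, the minimum spread floor and the choice not to let flagged samples into the baseline are design choices of this example.

```python
"""Added example (not from the original post): a sliding-window traffic
profile. The deque holds the last `window_size` per-interval connection
counts (the profiling time window); each new count is compared with the
mean and standard deviation of that window and flagged if it deviates too
far, otherwise it slides into the window so the baseline follows normal
traffic."""
from __future__ import annotations

import statistics
from collections import deque
from typing import List, Tuple


class SlidingWindowProfile:
    def __init__(self, window_size: int, threshold_sigmas: float = 3.0, min_samples: int = 5):
        self.window = deque(maxlen=window_size)   # oldest sample falls out automatically
        self.threshold_sigmas = threshold_sigmas
        self.min_samples = min_samples            # do not judge until the profile has data

    def baseline(self) -> Tuple[float, float]:
        mean = statistics.fmean(self.window)
        stdev = statistics.pstdev(self.window) if len(self.window) > 1 else 0.0
        return mean, stdev

    def observe(self, count: int) -> bool:
        """Return True if `count` is anomalous relative to the current window.
        Design choice here: anomalous samples are not added to the window, so a
        burst does not drag the baseline up and mask the samples that follow."""
        anomalous = False
        if len(self.window) >= self.min_samples:
            mean, stdev = self.baseline()
            # floor the spread so a perfectly flat baseline is not hypersensitive
            spread = max(stdev, 0.05 * mean, 1.0)
            anomalous = abs(count - mean) > self.threshold_sigmas * spread
        if not anomalous:
            self.window.append(count)
        return anomalous


def detect(counts: List[int], window_size: int = 24) -> List[int]:
    """Indices of anomalous samples in a series of per-hour connection counts.
    window_size=24 is a one-day PTW of hourly samples; 168 would be one week."""
    profile = SlidingWindowProfile(window_size)
    return [i for i, c in enumerate(counts) if profile.observe(c)]


# Constructed sample: 48 hourly counts around 100 connections/hour,
# with a spike at hour 30 and a near-outage at hour 40.
SAMPLE_COUNTS = [100, 104, 97, 101, 99, 103, 98, 102, 100, 96, 105, 99,
                 101, 98, 103, 100, 97, 102, 99, 104, 101, 98, 100, 103,
                 99, 102, 100, 97, 101, 104, 900, 100, 98, 103, 101, 99,
                 102, 100, 97, 101, 5, 99, 103, 100, 98, 102, 101, 99]
```

    Calling `detect(SAMPLE_COUNTS)` flags hours 30 and 40 only. Both directions are treated as anomalous because a sudden drop in connections (a host going quiet, a sensor losing its feed) is as worth a look as a spike.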

    2.4 Describe these security terms

    • 2.4.a Principle of least privilege: In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user, or a program, depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.
    • 2.4.b Risk scoring/risk weighting: First, gather information about the threat agent involved, the attack that will be used, the vulnerability involved, and the impact of a successful exploit on the business. Then, assign a score or weight to the risk, this value will be used in the risk assessment.
    • 2.4.c Risk reduction: The application of one or more measures to reduce the likelihood of an unwanted occurrence and/or lessen its consequences.
    • 2.4.d Risk assessment: is the process of assessing the probabilities and consequences of risk events if they are realized. The results of this assessment are then used to prioritize risks to establish a most-to-least-critical importance ranking. Ranking risks in terms of their criticality or importance provides insights to the project’s management on where resources may be needed to manage or mitigate the realization of high probability/high consequence risk events.

    2.5 Compare and contrast these access control models: Access control is basically identifying a person doing a specific job, authenticating them by looking at their identification, then giving that person only the key to the door or computer that they need access to and nothing more. In the world of information security, one would look at this as granting an individual permission to get onto a network via a username and password, allowing them access to files, computers, or other hardware or software the person requires, and ensuring they have the right level of permission (i.e. read only) to do their job.

    • 2.5.a Discretionary access control: this access control model is based on a user’s discretion. The owner of the resource can give access rights to that resource to other users based on his discretion.
    • 2.5.b Mandatory access control: In this Model, users/owners do not enjoy the privilege of deciding who can access their files. In this model, the operating system is the decision maker overriding the user’s wishes. Every Subject (users) and Object (resources) are classified and assigned a security label. The security labels of the subject and the object along with the security policy determine if the subject can access the object. The rules for how subjects access objects are made by the security officer, configured by the administrator, enforced by the operating system, and supported by security technologies.
    • 2.5.c Nondiscretionary access control: The Role Based Access Control (RBAC) model provides access control based on the subject’s role in the organization. So, instead of assigning John permissions as a security manager, the position of security manager already has permissions assigned to it, and John is given that role.
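    The three models in 2.5 differ in who makes the decision, and that shows up cleanly in code. The following is an added example (not from the original post): a DAC object whose owner edits its ACL, a MAC check where the system’s labels and a fixed policy decide regardless of owner, and an RBAC check where permissions hang off roles. The label names, the roles and the use of the Bell-LaPadula “no read up / no write down” rules as the MAC policy are assumptions of this example.

```python
"""Added example (not from the original post): the three access control
decisions side by side. DAC: the object's owner maintains its ACL. MAC: the
system assigns labels and enforces a fixed policy (here Bell-LaPadula: read
only at or below your clearance, write only at or above it). RBAC:
permissions attach to roles and users are given roles."""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Dict, Set

# Assumed label lattice for the MAC example
LEVELS = {"unclassified": 0, "confidential": 1, "secret": 2, "top-secret": 3}


# ---- DAC: the owner decides ---------------------------------------------
@dataclass
class DacObject:
    owner: str
    acl: Dict[str, Set[str]] = field(default_factory=dict)   # user -> {"read", "write"}

    def grant(self, by: str, to: str, perm: str) -> None:
        """Only the owner may change the ACL; anyone else is refused."""
        if by != self.owner:
            raise PermissionError(f"{by} is not the owner")
        self.acl.setdefault(to, set()).add(perm)

    def allows(self, user: str, perm: str) -> bool:
        return user == self.owner or perm in self.acl.get(user, set())


# ---- MAC: system labels, policy enforced over the owner's wishes ----------
def mac_allows(subject_clearance: str, object_label: str, perm: str) -> bool:
    s, o = LEVELS[subject_clearance], LEVELS[object_label]
    if perm == "read":
        return s >= o      # no read up
    if perm == "write":
        return s <= o      # no write down: cannot copy data to a lower label
    return False


# ---- RBAC: permissions belong to roles, users hold roles -----------------
ROLE_PERMS = {
    "security-manager": {"read:alerts", "write:alerts", "read:policy", "write:policy"},
    "analyst": {"read:alerts", "write:alerts"},
    "auditor": {"read:alerts", "read:policy"},
}


def rbac_allows(user_roles: Set[str], perm: str) -> bool:
    return any(perm in ROLE_PERMS.get(role, set()) for role in user_roles)


def demo() -> Dict[str, bool]:
    """Constructed decisions for the same subjects under each model."""
    report = DacObject(owner="alice")
    report.grant("alice", "bob", "read")
    try:
        report.grant("bob", "carol", "read")       # bob may read, but does not own it
        bob_can_grant = True
    except PermissionError:
        bob_can_grant = False
    return {
        "dac_bob_read": report.allows("bob", "read"),
        "dac_bob_write": report.allows("bob", "write"),
        "dac_bob_can_grant": bob_can_grant,
        "mac_secret_reads_confidential": mac_allows("secret", "confidential", "read"),
        "mac_secret_reads_top_secret": mac_allows("secret", "top-secret", "read"),
        "mac_secret_writes_confidential": mac_allows("secret", "confidential", "write"),
        "rbac_analyst_writes_policy": rbac_allows({"analyst"}, "write:policy"),
        "rbac_john_as_security_manager": rbac_allows({"security-manager"}, "write:policy"),
    }
```

    The contrast to notice: under DAC Bob can read but cannot pass that right on, under MAC a secret-cleared subject is refused a write to a confidential object even though it could read it, and under RBAC giving John the security-manager role is the whole authorization change.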

    2.6 Compare and contrast these terms

    • 2.6.a Network and host antivirus: A network antivirus inspects traffic at a network chokepoint (a gateway, proxy or mail relay, for example) and blocks known malware before it reaches the endpoints behind it. A host antivirus is software installed on the endpoint itself to prevent, detect and remove malicious software once it has reached the system.
    • 2.6.b Agentless and agent-based protections: Agentless monitoring is deployed in one of two ways: using a remote API exposed by the platform or service being monitored, or directly analyzing network packets flowing between service components. In either case, no special deployment of agents is required. In agent-based protection, the monitored endpoint requires an installation of the software agent. Monitoring with agents has the cost of installation, configuration (proportionate to the number of managed elements), platform support needs and dependencies. You also need to worry about patching the agents themselves.
    • 2.6.c Security Information and Event Management (SIEM) and Log Collection: SIEM provides real-time analysis of security alerts generated by network hardware and applications. In log collection, the events from the assets on the network, such as servers, switches, routers, storage arrays, operating systems, and firewalls are saved to a location for further analysis.
    • 2.6.d Log management (LM): comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, event-logs, etc.). Log Management generally covers:
      • Log collection
      • Centralized log aggregation
      • Long-term log storage and retention
      • Log rotation
      • Log analysis (in real-time and in bulk after storage)
      • Log search and reporting.
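    The difference between log collection (2.6.c) and what a SIEM adds is easiest to see on actual lines: collection parses and stores the events; the SIEM evaluates a rule across them. Below is an added example, not code from the original post: the sshd log lines are constructed (RFC 5737 test addresses, an ISO timestamp in place of the usual syslog date), and the rule, five or more failures from one source within two minutes followed by an accepted login from that source, is an assumption chosen for the example.

```python
"""Added example (not from the original post): log collection versus
SIEM-style correlation on the same data. collect() parses each line into a
normalised event; correlate() runs a rule across events: >= threshold failed
SSH logins from one source inside a time window followed by a success from
that source, for any user."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

# Constructed sample in OpenSSH's auth-log format (ISO timestamp added for parsing)
SAMPLE_LOGS = """\
2017-05-01T10:00:01 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51022 ssh2
2017-05-01T10:00:03 bastion sshd[2201]: Failed password for root from 203.0.113.7 port 51023 ssh2
2017-05-01T10:00:05 bastion sshd[2201]: Failed password for admin from 203.0.113.7 port 51024 ssh2
2017-05-01T10:00:06 bastion sshd[2201]: Failed password for oracle from 203.0.113.7 port 51025 ssh2
2017-05-01T10:00:09 bastion sshd[2201]: Failed password for deploy from 203.0.113.7 port 51026 ssh2
2017-05-01T10:00:12 bastion sshd[2201]: Accepted password for deploy from 203.0.113.7 port 51027 ssh2
2017-05-01T10:02:40 bastion sshd[2300]: Failed password for jsmith from 198.51.100.4 port 40110 ssh2
2017-05-01T10:02:55 bastion sshd[2300]: Accepted publickey for jsmith from 198.51.100.4 port 40111 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def collect(raw: str) -> List[Dict]:
    """Log collection: parse each line into a normalised event and keep it."""
    events = []
    for line in raw.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue            # a real collector would store unparsed lines raw and count them
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def correlate(events: List[Dict], threshold: int = 5,
              window: timedelta = timedelta(minutes=2)) -> List[Dict]:
    """SIEM-style rule: >= threshold failures from one source within `window`,
    then an Accepted login from that same source. One alert per source."""
    failures = defaultdict(list)        # src -> timestamps of failures still inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        recent = failures[ev["src"]]
        while recent and ev["ts"] - recent[0] > window:
            recent.pop(0)               # slide the window forward
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
        elif len(recent) >= threshold:
            alerts.append({"rule": "brute-force-then-success", "src": ev["src"],
                           "user": ev["user"], "failures": len(recent),
                           "at": ev["ts"].isoformat()})
            recent.clear()
    return alerts
```

    On the sample, `correlate(collect(SAMPLE_LOGS))` produces one alert for 203.0.113.7 (five failures across four usernames, then a successful login as deploy) and nothing for 198.51.100.4, whose single typo followed by a key-based login is normal. Neither event on its own is alert-worthy; the value of the SIEM is the state it keeps between them.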

    2.7 Describe these concepts

    • 2.7.a Asset management (ITAM): It is the set of business practices that join financial, contractual and inventory functions to support life cycle management and strategic decision making for the IT environment. Assets include all elements of software and hardware that are found in the business environment.
    • 2.7.b Configuration management: It is a systems engineering process for establishing and maintaining consistency of a product’s performance, functional, and physical attributes with its requirements, design, and operational information throughout its life. Attackers are looking for systems that have default settings that are immediately vulnerable. Once an attacker exploits a system, they start making changes. These two reasons are why Security Configuration Management (SCM) is so important. SCM can not only identify misconfigurations that make your systems vulnerable but also identify “unusual” changes to critical files or registry keys.
    • 2.7.c Mobile device management: Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. Mobile Device Management (MDM) servers secure, monitor, manage and support mobile devices deployed across mobile operators, service providers, and enterprises. MDM servers consist of a policy server that controls the use of some applications on a mobile device (for example, an e-mail application) in the deployed environment. However, the network is the only entity that can provide granular access to endpoints based on ACLs, SGTs, etc. To do its job, Cisco ISE queries the MDM servers for the necessary device attributes to ensure it is then able to provide network access control for those devices.
    • 2.7.d Patch management: A patch is a piece of software designed to update a computer program or its supporting data, to fix or improve it. This includes fixing security vulnerabilities and other bugs, with such patches usually called bugfixes or bug fixes, and improving the usability or performance. Patch management is a strategy for managing patches or upgrades for software applications and technologies. A patch management plan can help a business or organization handle these changes efficiently. (Patch Management Example for Windows)
    • 2.7.e Vulnerability management: In computer security, a vulnerability is a weakness which allows an attacker to reduce a system’s information assurance. Vulnerability management is the “cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities”, especially in software and firmware. Vulnerability management is integral to computer security and network security.

    Glossary of Cyber Security terms here

    These are the remaining topics:

    • Cryptography
    • Host-Based Analysis
    • Security Monitoring
    • Attack Methods
  • CCNA Cyber Ops Certification

    CCNA Cyber Ops Certification

    From www.cisco.com:

    “The CCNA Cyber Ops certification prepares candidates to begin a career working with associate-level cybersecurity analysts within security operations centers.”

    You should see the chaos out there, both at the personal security level and at the enterprise level. I am surprised that hackers don’t do more damage; well, maybe they do and we don’t know about it.

    My CCNA Datacenter is close to the renewal date, so I think it is a good idea to work on this certification because Cisco will renew my Datacenter while achieving this one. There will be a couple of nice books to study for sale on Amazon, but let’s make it fun and create a study guide. You can find the blueprints for these two tests here: Understanding Cisco Cybersecurity Fundamentals (210-250) and here: Implementing Cisco Cybersecurity Operations (210-255).

    I warn you: I will not write anything for this one; I will just point to the location of the useless knowledge. Think of this page as your central command on where to find the information you need to study; in other words, I saved you the time to google it.

    1.0 Network Concepts

    1.1 Describe the function of the network layers as specified by the OSI and the TCP/IP network models.

    1.2 Describe the operation of the following

    1.2.a From Cisco: IP From Wikipedia: IP
    1.2.b From Cisco: TCP From Wikipedia: TCP
    1.2.c UDP
    1.2.d ICMP

    1.3 Describe the operation of these network services

    1.3.a From Cisco: ARP From Wikipedia: ARP
    1.3.b From Cisco: DNS From Wikipedia: DNS
    1.3.c DHCP

    1.4 Describe the basic operation of these network device types

    1.4.a From Cisco: Router From Wikipedia: Router
    1.4.b From Cisco: Switch From Wikipedia: Switch
    1.4.c Hub
    1.4.d Bridge
    1.4.e Wireless access point (WAP)
    1.4.f Wireless LAN controller (WLC)

    1.5 Describe the functions of these network security systems as deployed on the host, network, or the cloud:

    1.5.a Firewall: A firewall is a network security device that monitors incoming and outgoing network traffic and decides whether to allow or block specific traffic based on a defined set of security rules.
    1.5.b Cisco Intrusion Prevention System (IPS): An intrusion detection system (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations. (Generic IPS)
    1.5.c Cisco Advanced Malware Protection (AMP): Malware, short for “malicious software,” refers to a type of computer program designed to infect a legitimate user’s computer and inflict harm on it in multiple ways. Malware can infect computers and devices in several ways and comes in a number of forms, just a few of which include viruses, worms, Trojans, spyware, or any type of malicious code that infiltrates a computer. To find more information about Cisco AMP click here. Cisco AMP is next-generation endpoint security software that prevents breaches and continuously monitors all file behavior to uncover stealthy attacks. It detects, blocks, and remediates advanced malware across all endpoints.
    1.5.d Web Security Appliance (WSA): A security appliance is any form of server appliance that is designed to protect computer networks from unwanted traffic. Cisco Cloud Web Security (CWS): As a cloud-delivered web proxy, our Cloud Web Security product provides security and control for the distributed enterprise across one of the top attack vectors: the web. Users are protected on any device and in any location through Cisco worldwide threat intelligence and advanced threat defense capabilities.
    1.5.e Email Security Appliance (ESA): Cisco Email Security protects against ransomware, business email compromise, spoofing, and phishing. Cisco Cloud Email Security (CES)

    1.6 Describe IP subnets and communication within an IP subnet and between IP subnets

    1.7 Describe the relationship between VLANs and data visibility: When properly configured, VLAN segmentation severely hinders access to system attack surfaces. It reduces packet-sniffing capabilities and increases threat agent effort. Finally, authorized users only “see” the servers and other devices necessary to perform their daily tasks. (See an example of data visibility from the security point of view here)

    1.8 Describe the operation of ACLs applied as packet filters on the interfaces of network devices: Access lists filter network traffic by controlling whether routed packets are forwarded or blocked at the router’s interfaces.

    1.9 Compare and contrast deep packet inspection, packet filtering, and stateful firewall operation. Deep packet inspection (DPI) provides the ability to look into the packet past the basic header information; DPI intelligently determines the contents of a particular packet, and then either records that information for statistical purposes or performs an action on the packet. Packet filtering is a firewall technique used to control network access by monitoring outgoing and incoming packets and allowing them to pass or halt based on the source and destination Internet Protocol (IP) addresses, protocols and ports. A stateful firewall tracks the operating state and characteristics of network connections traversing it; the firewall is configured to distinguish legitimate packets for different types of connections, and only packets matching a known active connection are allowed to pass the firewall.

    1.10 Compare and contrast inline traffic interrogation, taps, and traffic mirroring. An inline tool passes live traffic directly through a tool to process the live traffic before it is forwarded on to its final destination. A network TAP is a simple device that connects directly to the cabling infrastructure to split or copy packets for use in analysis, security, or general network management. Traffic mirroring (SPAN, Switch Port ANalyzer) is a software function of a switch or router that duplicates traffic from incoming or outgoing ports and forwards the copied traffic to a special SPAN, or sometimes called mirror, port.

    1.11 Compare and contrast the characteristics of data obtained from taps or traffic mirroring and NetFlow in the analysis of network traffic. (IEEE paper on NetFlow)

    1.12 Identify potential data loss from provided traffic profiles: an inline tool, such as an Intrusion Prevention System (IPS), can drop or even add packets into the production network. Since it is running as an inline application, a tool failure could be devastating and bring down the entire system.

    Note: Not sure if “Data Loss” means the potential problems with the monitoring or the data lost to unauthorized users. The following paragraph was taken from the Cisco Cloud Security 1.0, Design Guide => Chapter: End-To-End Visibility

    Detecting Data Loss
    Data loss describes the loss of critical business data to unauthorized users. Data loss typically involves a data breach and back end transmission of sensitive data such as credit-card data, patient or financial information. Detecting data loss is imperative for implementing security controls for various compliance regimes such as PCI DSS and HIPAA. However, data loss incidents are unintentionally undetectable.

    Data loss incidents normally involve asymmetrical outbound flows, in which outbound flows significantly outweigh a few inbound packets. Cisco CTD can trigger data loss alarms on such conditions. NetFlow generated flows contain flow direction, so Cisco CTD can leverage NetFlow generated flows and trigger data loss alarms on asymmetrical flows. Data loss events can be viewed using the data loss pane of the Cyber Threats Dashboard, as shown in Figure 4-13.

    Figure 4-13 Detected Data Loss

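    As an added example (not from the Cisco design guide, and not how Cisco CTD is implemented), here is the asymmetric-flow idea from the paragraph above in code: unidirectional NetFlow-style records are paired into conversations and any conversation whose outbound bytes dwarf the inbound bytes is flagged. The record layout, the sample records, the ratio threshold and the byte floor are all assumptions.

```python
from dataclasses import dataclass
from collections import defaultdict

# Constructed NetFlow-style records (not real captures). Each record is one
# unidirectional flow: direction is "out" (internal -> external) or "in".
@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    direction: str   # "out" or "in"
    octets: int

SAMPLE_FLOWS = [
    # normal web browsing: small request out, large response in
    Flow("10.1.1.20", "203.0.113.10", "out", 6_000),
    Flow("203.0.113.10", "10.1.1.20", "in", 420_000),
    # suspicious: large upload out, only ACK-sized traffic back
    Flow("10.1.1.55", "198.51.100.7", "out", 12_500_000),
    Flow("198.51.100.7", "10.1.1.55", "in", 720),
    # one-sided outbound with no reply at all
    Flow("10.1.1.60", "198.51.100.9", "out", 3_000_000),
]

def pair_flows(flows):
    """Group unidirectional flows into conversations keyed on
    (internal host, external peer), summing bytes per direction."""
    conv = defaultdict(lambda: {"out": 0, "in": 0})
    for f in flows:
        key = (f.src, f.dst) if f.direction == "out" else (f.dst, f.src)
        conv[key][f.direction] += f.octets
    return conv

def detect_data_loss(flows, ratio=100.0, min_out_bytes=1_000_000):
    """Return (internal, external, out_bytes, in_bytes) for conversations
    where outbound bytes exceed inbound bytes by `ratio` and also clear a
    byte floor. The floor keeps tiny one-off flows (DNS, keepalives) from
    alarming; ratio and floor are assumed tuning values, not CTD defaults."""
    alarms = []
    for (internal, external), c in pair_flows(flows).items():
        if c["out"] < min_out_bytes:
            continue
        # max(in, 1) avoids division by zero when nothing came back at all
        if c["out"] / max(c["in"], 1) >= ratio:
            alarms.append((internal, external, c["out"], c["in"]))
    return sorted(alarms)

if __name__ == "__main__":
    for internal, external, out_b, in_b in detect_data_loss(SAMPLE_FLOWS):
        print(f"data loss alarm: {internal} -> {external} out={out_b} in={in_b}")
```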

    Now that we’ve covered the basics, in future posts I will write about the remaining topics:

  • UCS Manager – Create a VLAN

    UCS Manager – Create a VLAN

    In this post, we are going to create a VLAN in the UCS Manager, but we are going to use the latest HTML5 version. So let’s get started by logging into the UCS Manager URL. Once there, browse to the LAN tab; in the case of the new GUI shown here, it is the third icon on the left (counting from the top).


    Then browse to the VLANs section inside the LAN cloud. Remember to stay in the general LAN cloud rather than inside Fabric A or B.

    Now click the Add button in the top-right pane. The Create VLANs pop-up window appears; choose a name (VLAN_704 in this case) and set the VLAN ID (704 in this case). Click OK.


    That is all for this post, the VLANs are used within the vNIC templates to pass the network communication from outside the UCS environment. Next time I will show you how to create Policies.

  • Quick Reference to FC Zoning on MDS

    Quick Reference to FC Zoning on MDS

    This is a quick reference to the commands used to configure zoning in NX-OS. It assumes an existing setup: the switches should be initialized and at the recommended NX-OS level. Connect to the FC switch using PuTTY and configure it using the following examples. Here I am using fcalias, but device alias (devalias) is an option too. There are a couple of differences; fcalias is VSAN-specific while device aliases are not.

    show fcalias
    show zone
    show zoneset active

    show flogi database
    show fcns database

    FCALIAS
    conf t
    fcalias name <alias name> vsan 1
    member pwwn <wwpn>
    end

    ZONE
    conf t
    zone name <zonename> vsan 1
    member fcalias <fcaliasname>
    member fcalias <fcaliasname>
    end

    ZONESET
    conf t
    zoneset name <name> vsan 1
    member <zonename>
    end

    ACTIVATE ZONESET
    conf t
    zoneset activate name <active zoneset name> vsan 1
    end

    SAVE
    copy running-config startup-config
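    The command sequence above, generated from an inventory of aliases and zones as an added example (this is my illustration, not a Cisco tool): it checks pWWN format, catches a pWWN reused across two aliases and a zone that names an undefined alias, then renders the fcalias, zone, zoneset, activate and save steps in that order. The alias names, zone names and pWWNs are constructed for the example.

```python
import re

# Hypothetical inventory, constructed for this example (not real WWPNs).
# Each alias maps to one pWWN; each zone lists the aliases it contains.
VSAN = 1
ALIASES = {
    "esx01_hba0": "20:00:00:25:b5:aa:00:01",
    "esx02_hba0": "20:00:00:25:b5:aa:00:02",
    "array_ctlA_p1": "56:c9:ce:90:12:34:56:01",
}
ZONES = {
    "z_esx01_arrayA": ["esx01_hba0", "array_ctlA_p1"],
    "z_esx02_arrayA": ["esx02_hba0", "array_ctlA_p1"],
}

# A pWWN is 8 colon-separated bytes in hex
PWWN_RE = re.compile(r"^([0-9a-f]{2}:){7}[0-9a-f]{2}$")

def validate(aliases, zones):
    """Reject malformed pWWNs, one pWWN behind two aliases, zones that
    reference an alias that was never defined, and zones with fewer than
    two members (nothing could talk to anything)."""
    seen = {}
    for name, pwwn in aliases.items():
        pwwn = pwwn.lower()
        if not PWWN_RE.match(pwwn):
            raise ValueError(f"alias {name}: malformed pWWN {pwwn}")
        if pwwn in seen:
            raise ValueError(f"pWWN {pwwn} used by both {seen[pwwn]} and {name}")
        seen[pwwn] = name
    for zname, members in zones.items():
        missing = [m for m in members if m not in aliases]
        if missing:
            raise ValueError(f"zone {zname} references undefined alias(es): {missing}")
        if len(members) < 2:
            raise ValueError(f"zone {zname} needs at least two members")

def render_config(aliases, zones, zoneset, vsan=VSAN):
    """Emit the fcalias / zone / zoneset / activate / save sequence from
    the post, one config-mode session per step, as a single string."""
    validate(aliases, zones)
    lines = []
    for name, pwwn in aliases.items():
        lines += ["conf t", f"fcalias name {name} vsan {vsan}",
                  f"member pwwn {pwwn.lower()}", "end"]
    for zname, members in zones.items():
        lines += ["conf t", f"zone name {zname} vsan {vsan}"]
        lines += [f"member fcalias {m}" for m in members]
        lines.append("end")
    lines += ["conf t", f"zoneset name {zoneset} vsan {vsan}"]
    lines += [f"member {z}" for z in zones]
    lines += ["end", "conf t", f"zoneset activate name {zoneset} vsan {vsan}",
              "end", "copy running-config startup-config"]
    return "\n".join(lines)

if __name__ == "__main__":
    print(render_config(ALIASES, ZONES, "zs_vsan1"))
```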

  • Create WWNN and WWPN pools in UCS Manager

    Create WWNN and WWPN pools in UCS Manager

    This is part of a series of posts on how to initially configure your UCS B-Series system using UCS Manager. With the information in this post, you will be able to configure the vHBAs needed for FC connectivity. Check the other posts under the Cisco section in my blog. If you are using iSCSI you can skip this step of the UCS B-Series configuration.

    To start, log in to your UCS Manager, select the SAN tab and navigate to the Pools section. Right-click on WWNN and click Create WWNN Pool.


    Give it a name, select Sequential and click Next.


    Now add the value for the WWNN: first click Add, then fill in the quantity (in this case 16) and click OK and Finish.

    The WWPN pool creation process is analogous to the one just described, but change one of the digits in the WWN window (see below).


    That’s it for this post, I am trying to keep them short to keep them coming. On the next post, I will show how to create a VLAN.


  • UCS B-Series Start to Finish – Part 3

    UCS B-Series Start to Finish – Part 3

    Now that we have our system up to date with the latest software, we can start configuring the different templates, pools, and policies. The UCS is a stateless system, meaning that you will be able to abstract all the usual properties (UUID, MAC Address, etc…) into a Service Profile and apply those to any compatible hardware.

    • Create a Sub-Organization: this step is recommended for multitenant implementations, and it doesn’t hurt to make it part of the standard installation procedure. Right-click on Sub-Organization to open the Create Organization window.


    • Create the UUID Pool: select the Servers tab, select Pools from the drop-down menu, expand Sub-Organizations and expand the new Sub-Organization (in this case Sub-Org-01). Select UUID Suffix Pools and click Add.


    • Type in a name and select Sequential, then click Next


    • Click Add to define the value


    • Change one digit to make it unique and add a decent size so you can configure it once and forget about it. Then click Finish and click OK in the resulting pop-up window.


    • Create an IP address pool: this pool will be used to connect to the KVM for console access. First, navigate to the LAN tab and select Pools from the drop-down menu, then under the Sub-Organization (Sub-Org-01 in this case) right-click and select Create IP Pool.


    • Give it a name, select Sequential and click Next.


    • Click Add to define the IP address block.


    • Set up the IP address block information. You can create as many blocks as you want and you can always add more later; I usually configure one for each blade at the very beginning and forget about it.


    • As a final step, click Next and then click Finish (assuming you won’t use IPv6).


    • Create a Server Pool: from the Servers tab, navigate to the Sub-Organization and with a right-click select Create Server Pool. Once there type in a name for the pool and click Next.


    • Select the blades and servers from the left pane and add them to the Pooled Servers pane, and click Finish.


    • Create the MAC Address Pools: We could use the default pool, or we can get very creative with this, especially if you are using VMware or any other host with multiple vNICs. The trick here is to identify the FI, chassis, site, etc. The MAC address is going to be of the format 00:25:B5:00:00:00: the first part (00:25:B5) is the Organizationally Unique Identifier (OUI) and the second part (00:00:00) is the Device ID, and the second part is the one that we customize.

    It is with the second part that we get creative. Use it to identify the site and FI; I go even further, and if the deployment is small I also identify the vSwitch. For example, 00:25:B5:1A:00:00 could be Site 1, FI A, vSwitch 0, with the last three places reserved for sequential values. Check the following image with a few MAC pools.


    In the previous image, you can see separate sets for management, vMotion, iSCSI, and VM traffic. You don’t have to do it exactly as I have it there; maybe you want to use the same vSwitch for management and vMotion, in which case you could designate one place as the vmk# for example. The next slideshow has the MAC pool creation process.
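    The site/FI/vSwitch encoding described above, worked through in code as an added example (my illustration, not part of the post or of UCS Manager): it builds the first address of a pool from the scheme, decodes an address back into its fields, and checks a pool plan for two prefixes that collide or a pool size that does not fit in the three sequential places. The pool plan is constructed for the example and is not the author’s actual set of pools.

```python
import re

OUI = "00:25:B5"      # OUI used by the UCS pools in the post
SEQ_SPACE = 0x1000    # three hex places (12 bits) left for sequential values

def pool_start(site, fi, vswitch):
    """First MAC of a pool laid out as 00:25:B5:<site><fi>:<vswitch>0:00.
    site and vswitch are one hex digit each (0-15); fi is 'A' or 'B'.
    The post's example: site 1, FI A, vSwitch 0 -> 00:25:B5:1A:00:00."""
    if not 0 <= site <= 15 or not 0 <= vswitch <= 15:
        raise ValueError("site and vswitch must each fit in one hex digit")
    fi = fi.upper()
    if fi not in ("A", "B"):
        raise ValueError("fi must be 'A' or 'B'")
    return f"{OUI}:{site:X}{fi}:{vswitch:X}0:00"

_SCHEME = re.compile(
    r"00:25:B5:([0-9A-F])([AB]):([0-9A-F])([0-9A-F]):([0-9A-F]{2})")

def decode(mac):
    """Inverse of pool_start: return (site, fi, vswitch, sequence) for a
    MAC in this scheme, or raise if the address is outside the scheme."""
    m = _SCHEME.fullmatch(mac.upper())
    if not m:
        raise ValueError(f"{mac} does not follow the site/FI/vSwitch scheme")
    site, fi, vsw, hi, lo = m.groups()
    return int(site, 16), fi, int(vsw, 16), int(hi + lo, 16)

def check_pools(pools):
    """pools: list of (name, site, fi, vswitch, size). Return a list of
    problem strings: a pool whose size spills past the 4096 sequential
    addresses under its prefix, or two pools that share one prefix."""
    problems = []
    starts = {}
    for name, site, fi, vsw, size in pools:
        start = pool_start(site, fi, vsw)
        if size > SEQ_SPACE:
            problems.append(
                f"{name}: size {size} exceeds {SEQ_SPACE} addresses under {start}")
        if start in starts:
            problems.append(f"{name}: same prefix {start} as {starts[start]}")
        starts.setdefault(start, name)
    return problems

# Constructed pool plan in the spirit of the post (management, vMotion,
# iSCSI and VM traffic per FI), with two deliberate mistakes at the end.
PLAN = [
    ("mgmt-A",    1, "A", 0, 256),
    ("mgmt-B",    1, "B", 0, 256),
    ("vmotion-A", 1, "A", 1, 256),
    ("iscsi-A",   1, "A", 2, 256),
    ("vm-A-dup",  1, "A", 2, 4096),   # reuses the iscsi-A prefix
    ("vm-B-big",  1, "B", 3, 5000),   # more addresses than three places hold
]

if __name__ == "__main__":
    for name, site, fi, vsw, size in PLAN:
        print(f"{name:10} starts at {pool_start(site, fi, vsw)} size {size}")
    for p in check_pools(PLAN):
        print("problem:", p)
```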


    I am going to submit this post the way I have it up to this point and then release the next steps, including:

    • Create WWNN and WWPN pools (if you are using FC).
    • Create VLANs.
    • Create Policies.
    • Create vNIC and vHBA templates.
    • Create a Service Profile Template.
    • Deploy Service Profiles from the Service Profile Template.
    • Configure special cases like Layer-2 disjoint networks.

  • Data Migration Using Nimble Replication

    Data Migration Using Nimble Replication

    As part of the service portfolio at ABS Technology, we offer Data Center migrations. There are multiple technologies to achieve the data replication necessary in a migration. There are two main levels: host-level replication and array-level replication. With host replication, the granularity is a single operating system instance, which can be physical or virtual. You can use technologies like the vSphere Replication Appliance, RecoverPoint for VMs, Veeam, Zerto, or Double-Take. All of these differ, and the choice of one over the other will depend on a number of factors like RPO/RTO, budget, standardization policy, etc.

    When it comes to array replication, you will have as many flavors as array vendors, but the two types are asynchronous and synchronous; again, the selection of technology will depend on the requirements.

    In this post, I will summarize what is needed for a migration from one Data Center to another of an environment using a UCS B-Series, a Nimble Storage Array, and vSphere.

    In the Nimble storage array, the replication can be done over the data subnet or the management subnet. If the array has a free NIC, you can configure it for data but use it only for replication. This last case is the one I will be documenting here.

    The first step is to configure the subnet in the Nimble Storage. I will use the network 10.10.10.0/24 as an example, with a discovery IP of 10.10.10.50 and an IP address of 10.10.10.51. The discovery IP will not be used because we will only use this subnet for replication purposes.

    Figure 1. From the Administration main menu, select Network Configuration.


    Figure 2. Click on Active Settings


    Figure 3. Click the Subnets tab and then click the Edit button.


    Figure 4. Then click the Add button.


    Figure 5. Click Done to finish.


    As a final step, you can save the new configuration in the active settings by clicking the Update button, or save it as a draft to be applied later by selecting the Save as Draft button.

    The next step is to configure the replication partner. You will need the Nimble group name of each storage array, the hostname or IP address, and a password to use as a shared secret.

    In the next four images, we will navigate through the process of setting up the replication partner. First, log in to the Nimble array and from the menu select Manage->Protection->Replication Partners.

    Figure 6. From the menu select Manage->Protection->Replication Partners.


    Figure 7. Click on the New Replication Partner button.


    Figure 8. Input the information; in our case, select the newly created network from the drop-down menu as the Replication Network (see Figure 5 above).


    Figure 9. Create an optional QoS policy and click Finish.


    In the following slideshow, I configure the Volume Collection. The Volume Collection contains all the volumes that will replicate at the same time. At the end, you can see the way I would monitor the replication.


    Now that everything is replicating, wait for it to be synchronized and it’s time to migrate. There can be multiple ways to do this: you could clone a replica and choose the VMs you want to migrate, or you could “Handover” the complete volume collection.

    Option one: Create clone of the replica.

    In this case, the prerequisite is to stop I/O on the source VM, Datastore, or Volume Collection. Do this to have a crash-consistent copy of the source. After you stop the I/O, wait for the last replica to happen; now, in the destination array, clone the volume replica snapshot and put it online. Then configure the cloned volume for host access. If you are satisfied with your VM, I would suggest a storage vMotion of that VM to another datastore not involved in the replication, and then remove the clone, just to keep things clean.

    Option two: Handover the Volume Collection.


    Before you click on that Handover button, make sure you shut down your VMs and unmount the Datastores (don’t delete them!). In the case of a migration to a new set of hosts without replication back, remove the old hosts’ access to the volumes and rescan to remove dead paths.


  • Netbackup Appliance Protection Override

    Netbackup Appliance Protection Override

    Back in 1999, we hired a guy from Veritas to install our first Netbackup software, version 3.5 it was (I think). Little did I know that it would be 2016 and I would still be working with this. It outlived other things that looked more promising at that time.

    I wanted to create this quick post about how to gain root access to a Netbackup appliance because it changed a little bit from version 2.6 to version 2.7. See my input in red.

    login as: admin
    admin@<ip>'s password: <password>
    Last login: Wed May  4 09:52:28 2016 from <my mac>
    
    Appliance  Manage master and media appliances.
    Exit       Log out and exit from the current shell.
    Manage     Manage NetBackup appliance.
    Monitor    Monitor NetBackup appliance activities.
    Network    Network Administration.
    Reports    Examine the running and historical state of the host.
    Settings   Change NetBackup appliance settings.
    Shell      Shell operations.
    Support    NetBackup Support.
    
    <NBU-Appliance-Hostname>.Main_Menu> Support
    Entering NetBackup support view...
    
    Checkpoint      Appliance Checkpoint Management.
    DataCollect     Gather device logs.
    Disk            Gather disk information.
    Errors          Display NetBackup errors.
    Exit            Log out and exit from the current shell.
    FactoryReset    Reset this system to factory install image
    InfraServices   Show/control infrastructure services.
    iostat          Execute the iostat command.
    IPMI            Remote management port configuration.
    KillRemoteCall  Terminate running or hung remote calls on peer compute nodes.
    Logs            Set level, share, unshare, view, and upload debug logs.
    Maintenance     Launch maintenance shell.
    Messages        Display the messages file.
    NBDNA           Network traces with NBDNA tool (Select Create or Remove).
    Nbperfchk       Execute the disk IO or network bandwidth check.
    NBSU            Manage NetBackup support data files (Select Create or Remove).
    Processes       Show/control NetBackup and Admin Console processes.
    Reboot          Reboot the system.
    RecoverStorage  View or delete directories backed up during appliance re-image.
    Return          Return to the previous menu.
    Service         Service management.
    Shell           Shell operations.
    Show            Display information.
    Shutdown        Power off the system.
    Storage         Storage data and configuration
    Test            Test the current status of various appliance components.
    
    <NBU-Appliance-Hostname>.Support> Maintenance
    <!-- Maintenance Mode --!>
    maintenance's password: <password>
    (this script was for 2.6)
    maintenance-!> /opt/Symantec/scspagent/IPS/sisipsoverride.sh
    bash: /opt/Symantec/scspagent/IPS/sisipsoverride.sh: No such file or directory
    (this is the right script for 2.7)
    maintenance-!> /opt/Symantec/sdcssagent/IPS/sisipsoverride.sh
    Symantec Data Center Security Server Policy Override
    
        Agent Version: 6.5.0 (build 355)
       Current Policy: NetBackup Appliance Prevention Policy, r38
    Policy Prevention: Enabled
      Policy Override: Allowed
       Override State: Not overridden
    
    To override the policy and disable protection, enter your login password.
    Password: <password>
    
    Choose the type of override that you wish to perform:
     1. Override Prevention except for Self-Protection
     2. Override Prevention Completely
    Choice? [1] 2
    
    Choose the amount of time after which to automatically re-enable:
     1. 15 minutes
     2. 30 minutes
     3. 1 hour
     4. 2 hours
     5. 4 hours
     6. 8 hours
    Choice? [1] 4
    
    Enter a comment. Press Enter to continue.
    <comment or just Press Enter>
    Please wait while the policy is being overridden.
    .................
    
    The policy was successfully overridden.
    maintenance-!> elevate
    <NBU-Appliance-Hostname>:/home/maintenance #