Use Cisco UCS Connectivity Policies to Achieve Strict Administrative Role Delineation

What You Will Learn

As more customers deploy and expand their Cisco Unified Computing System (Cisco UCS ®) installations, they require a variety of methods for domain experts to construct and deploy service profiles. Many customers have expressed interest in dividing the responsibility and privilege for service profile construction among server, storage, and network administrators. This division would provide a more natural configuration process that is in concert with their data center's roles, responsibilities, and privileges.
Cisco UCS Manager 2.1 provides support for this clear delineation of responsibilities and privileges with LAN and SAN connectivity policies. Figure 1 contrasts (a) a simple service profile and (b) a service profile that references LAN and SAN connectivity policies. Note the clear division of server, storage and network components in the service profile, SAN connectivity policy, and LAN connectivity policy, respectively. Cisco UCS Manager 2.1 also provides a new role that can be used when configuring connectivity policies. An administrator with this role cannot configure network and storage resources; these resources are derived by referencing connectivity policies.

Figure 1. Service Profile: (a) Simple Construction and (b) Construction Using LAN and SAN Connectivity Policies

This document explains how to use LAN and SAN connectivity policies to deploy service profiles on Cisco UCS. It also discusses how connectivity policies, in conjunction with the Cisco UCS role-based access control (RBAC) system, can be used to provide a clear delineation of responsibilities and privileges for service profile configuration. Connectivity policies are introduced as part of Cisco UCS Manager Release 2.1 and are supported by all versions of Cisco UCS hardware.

Connectivity Policies

LAN connectivity policies are used to configure a service profile's network resources. These resources include virtual network interface cards (vNICs), Small Computer System Interface over IP (iSCSI) vNICs, VLANs, network identities (MAC addresses), pinning, statistics, and adapter policies. A LAN connectivity policy can be used by one or many service profiles; therefore, its network identities must be pool or hardware derived. Typically, the network administrator configures the LAN connectivity policy.
SAN connectivity policies are used to configure a service profile's storage resources. These resources include virtual host bus adapters (vHBAs), virtual SANs (vSANs), storage identities (worldwide node names [WWNNs] and worldwide port names [WWPNs]), statistics, and adapter policies. A SAN connectivity policy can be used by one or more service profiles; therefore, its storage identities must be pool or hardware derived. Typically, the storage administrator configures the SAN connectivity policy.
To derive value from a connectivity policy, the policy must be referenced by a service profile. During service profile construction, users can reference a LAN connectivity policy for network resources and a SAN connectivity policy for storage resources. After a policy is referenced, the connectivity policy's network or storage resources are configured on the service profile.

Configuration Flexibility

A connectivity policy can be referenced by one or many service profiles or service profile templates. This approach provides a powerful and flexible foundation for service profile configuration and facilitates connectivity policy reuse. It also means that changes to a connectivity policy will affect (update) all referencing service profiles. Figure 2 illustrates several service profile configurations.
a. Service profile DatabaseProf references LAN and SAN connectivity policies InternalNetLCP and SecureDataSCP.
b. Service profile VDIProfile references LAN connectivity policy InternalNetLCP.
c. Service profile template DbVMTemplate references LAN and SAN connectivity policies InternalNetLCP and SecureDataSCP.

Figure 2. Logical View of Connectivity Policies Shared by Service Profiles

Even though the server administrator references a LAN or SAN connectivity policy, the administrator can still configure the device order and boot order.

Note the clear division of network, storage, and server components in the service profile and its connectivity policies. Cisco UCS Manager 2.1 also provides a new role designed to be used in conjunction with connectivity policies.

Server Administrator Privileges

Cisco UCS provides an RBAC system that allows administrators to control access to the actions and resources in Cisco UCS. Cisco UCS Manager 2.1 introduces a new role, server-compute, which allows administrators to limit a user's role to server administration only. A server administrator with this role will have the necessary privileges to create service profiles that reference LAN and SAN connectivity policies. However, the administrator will be prohibited from configuring network and storage resources. The following example demonstrates how this role can be used with Cisco UCS locales to implement a clear delineation of responsibilities and privileges among server, storage, and network administrators.

Sample Configuration

The following sections show the use of the Cisco UCS GUI to configure a service profile that references LAN and SAN connectivity policies. Configuration includes the following steps:
1. Create users and roles.
2. Create a LAN connectivity policy.
3. Create a SAN connectivity policy.
4. Create a service profile.

Create Users and Roles

This example assumes that network and storage administrator users have already been created, and it shows how to create a new server administrator user using the new server-compute role. This example also limits the server administrator to configuration of the finance organization through creation of a Cisco UCS locale. To create a locale, launch the Create Locale wizard as illustrated in Figure 3.

Figure 3. Launch the Create Locale Wizard

You create a locale named financial and assign the finance organization to it, as shown in Figure 4. Users assigned this locale will be able to perform configuration operations in the finance organization.

Figure 4. Create a Locale That Includes the Finance Organization

Next, you launch the Create User wizard from the Admin tab, as shown in Figure 5.[1]

Figure 5. Launch the Create User Wizard

In the Create User wizard, you populate details about the new user. Choose the server-compute role and the financial locale as illustrated in Figure 6.

Figure 6. Create a User with the server-compute Role and Assign the Locale

You have created a server administrator who can configure server resources only in the financial locale. The administrator will rely on the network and storage administrators to create LAN and SAN connectivity policies to create service profiles with network and storage connectivity.

Create a LAN Connectivity Policy

Typically, the network administrator is responsible for creating LAN connectivity policies. To create a LAN connectivity policy, find the target organization (finance) on the Cisco UCS GUI's LAN tab, launch the wizard by right-clicking the LAN Connectivity Policy node, and select Create LAN Connectivity Policy, as shown in Figure 7.

Figure 7. Launch the Create LAN Connectivity Policy Wizard

The Create LAN Connectivity Policy wizard, shown in Figure 8, allows you to configure vNICs and iSCSI vNICs. Click the Add button to launch the Create vNIC wizard.

Figure 8. The Create LAN Connectivity Policy Wizard

The Create vNIC wizard, shown in Figure 9, allows you to configure the various characteristics of a vNIC, including its MAC address, maximum transmission unit (MTU), pin group, and adapter policy. You can create as many vNICs as required; however, vNICs must be configured to draw their MAC addresses from a pool or be hardware derived.[2]

Figure 9. The Create vNIC Wizard Lets You Customize a vNIC's Characteristics

To complete the construction, select the VLANs that the vNIC should use and the policies that define the vNIC. After you finish construction of the LAN connectivity policy, you can view and modify its configuration on the LAN tab, as shown in Figure 10.

Figure 10. View and Modify the LAN Connectivity Policy Configuration

Create a SAN Connectivity Policy

Typically, the storage administrator is responsible for creating the SAN connectivity policies. To create a SAN connectivity policy, find the target organization (finance) on the Cisco UCS GUI's SAN tab, launch the wizard by right-clicking the SAN Connectivity Policy node, and select Create SAN Connectivity Policy, as shown in Figure 11.

Figure 11. Launch the Create SAN Connectivity Policy Wizard

The Create SAN Connectivity Policy wizard is shown in Figure 12. It allows you to create and configure vHBAs. Click the Add button to launch the Create vHBA wizard.

Figure 12. The SAN Connectivity Policy Creation Wizard

The Create vHBA wizard (Figure 13) allows you to configure the various characteristics of a vHBA, including the identity, VSAN, maximum data field size, pin group, and adapter policy. You can create as many vHBAs as required; however, the vHBAs must be configured to draw their WWPN from a pool or be hardware derived.[3]

Figure 13. The vHBA Creation Wizard

To complete the construction, select the VSAN that the vHBA should use and the policies that define the vHBA. Note that you can create a number of different vHBAs.
After you finish construction of the SAN connectivity policy, you can view and modify its configuration on the SAN tab, as shown in Figure 14.

Figure 14. View and Modify the SAN Connectivity Policy Configuration

Create a Service Profile

The server administrator can now create a service profile using the LAN and SAN connectivity policies that were created in the previous sections. You can create a service profile by right-clicking the finance organization on the Server tab of the Cisco UCS GUI and selecting one of the Create Service Profile options. This example uses the Create Service Profile (expert) option, as shown in Figure 15.

Figure 15. Launch the Create Service Profile Wizard

The Cisco UCS GUI will guide you through the steps for service profile configuration. Note that since you logged in as a user with only the server-compute role, the service profile creation process is streamlined. The wizard will provide only configuration options related to server administration. The connectivity settings are configured by selecting a LAN and SAN connectivity policy, as illustrated in Figure 16.

Figure 16. Select LAN and SAN Connectivity Policies

The wizard will guide you through the other service profile configuration options, such as the NIC placement and server boot order and assignment. At the completion of service profile configuration, you can view and modify the service profile on the Server tab, as illustrated in Figure 17.

Figure 17. View and Modify the Service Profile
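The sections Server Administrator Privileges and Configuration Flexibility, together with the sample configuration just completed, describe three behaviours that are easy to state but worth seeing enforced: a server-compute user can create service profiles but cannot configure vNICs or vHBAs, a locale confines that user to the finance organization, and a shared connectivity policy is resolved by reference so that one change by the network administrator reaches every referencing service profile. The following Python model is an added example written for this page; it is not the Cisco UCS Manager API or any Cisco code. It replays the sample configuration with the document's names (financial, finance, InternalNetLCP, SecureDataSCP, DatabaseProf, VDIProfile, server-compute); the privilege strings, the `network` and `storage` role names, the user names, the `org-hr` organization, and all function names are constructed assumptions.

```python
"""Toy model (added here, not the UCS Manager API) of the RBAC behaviour this
document describes: roles carry privileges, locales scope a user to organizations,
and connectivity policies are shared by reference. Privilege strings are assumed."""
from dataclasses import dataclass, field

# Only the role name server-compute comes from the document; the privilege
# strings and the other two role names are constructed for this model.
PRIVILEGES = {
    "server-compute": {"ls-create"},                          # service profiles only
    "network": {"lan-policy-create", "lan-policy-config"},    # LAN connectivity policies
    "storage": {"san-policy-create", "san-policy-config"},    # SAN connectivity policies
}


@dataclass
class User:
    name: str
    roles: set
    locales: dict = field(default_factory=dict)  # locale name -> set of org DNs

    def privileges(self):
        return set().union(*(PRIVILEGES[r] for r in self.roles))

    def can_access(self, org):
        # No locale means unrestricted; otherwise org must lie inside a locale.
        return not self.locales or any(org in orgs for orgs in self.locales.values())


@dataclass
class ConnectivityPolicy:
    name: str
    org: str
    kind: str                                       # "LAN" or "SAN"
    interfaces: dict = field(default_factory=dict)  # vNIC/vHBA name -> settings


@dataclass
class ServiceProfile:
    name: str
    org: str
    lan_policy: ConnectivityPolicy = None
    san_policy: ConnectivityPolicy = None

    def resolved_vnics(self):
        # Read through the reference, so a later policy change is visible here.
        return dict(self.lan_policy.interfaces) if self.lan_policy else {}


def authorize(user, privilege, org):
    if privilege not in user.privileges():
        raise PermissionError(f"{user.name} lacks {privilege}")
    if not user.can_access(org):
        raise PermissionError(f"{user.name} has no locale covering {org}")


def create_policy(user, name, org, kind):
    authorize(user, f"{kind.lower()}-policy-create", org)
    return ConnectivityPolicy(name, org, kind)


def add_interface(user, policy, if_name, **settings):
    authorize(user, f"{policy.kind.lower()}-policy-config", policy.org)
    # A shared policy cannot carry fixed identities: MAC/WWPN must be pool or hardware derived.
    if settings.get("mac", settings.get("wwpn")) not in ("pool", "hardware"):
        raise ValueError("shared policy identities must be pool or hardware derived")
    policy.interfaces[if_name] = settings


def create_service_profile(user, name, org, lan_policy=None, san_policy=None):
    authorize(user, "ls-create", org)
    for pol in (lan_policy, san_policy):
        if pol is not None and not user.can_access(pol.org):
            raise PermissionError(f"{user.name} cannot reference a policy in {pol.org}")
    return ServiceProfile(name, org, lan_policy, san_policy)


def run_sample_configuration():
    """Replay the document's sample configuration (constructed names) and return results."""
    fin = "org-root/org-finance"
    net_admin = User("netadmin", {"network"})
    stor_admin = User("storadmin", {"storage"})
    srv_admin = User("srvadmin", {"server-compute"}, {"financial": {fin}})

    lcp = create_policy(net_admin, "InternalNetLCP", fin, "LAN")
    add_interface(net_admin, lcp, "eth0", mac="pool", vlans=["vlan100"])
    scp = create_policy(stor_admin, "SecureDataSCP", fin, "SAN")
    add_interface(stor_admin, scp, "fc0", wwpn="pool", vsan="vsan10")
    db = create_service_profile(srv_admin, "DatabaseProf", fin, lcp, scp)
    vdi = create_service_profile(srv_admin, "VDIProfile", fin, lan_policy=lcp)

    denied = []  # server-compute user must not touch network resources or other orgs
    for attempt in (lambda: add_interface(srv_admin, lcp, "eth1", mac="pool"),
                    lambda: create_service_profile(srv_admin, "HRProf", "org-root/org-hr")):
        try:
            attempt()
        except PermissionError as exc:
            denied.append(str(exc))

    # Network admin adds a vNIC once; every referencing profile sees it.
    add_interface(net_admin, lcp, "eth1", mac="pool", vlans=["vlan200"])
    return {"denied": denied, "db_vnics": sorted(db.resolved_vnics()),
            "vdi_vnics": sorted(vdi.resolved_vnics())}
```

Calling `run_sample_configuration()` returns two denial messages (the server administrator attempting to add a vNIC, and attempting to create a service profile outside the financial locale) and shows both DatabaseProf and VDIProfile resolving the vNIC the network administrator added after the profiles were created. The identity check in `add_interface` mirrors the document's rule that a shared policy's MAC addresses and WWPNs must be pool or hardware derived; the checks are split between a privilege test and a locale test so that each denial names the control that fired, which is what an auditor reviewing UCS role changes would want to see.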

Conclusion

Cisco UCS provides a comprehensive RBAC system that allows administrators to control user access to the actions and resources in Cisco UCS. Cisco UCS Manager 2.1 introduces LAN and SAN connectivity policies that allow users to strictly control the network, storage, and server administrator roles in Cisco UCS.

For More Information

Contact your local Cisco representative or visit:

• Cisco UCS: http://www.cisco.com/go/unifiedcomputing

• Cisco UCS: A Complete Reference Guide to the Cisco Data Center: http://www.amazon.com/Cisco-Unified-Computing-System-Center/dp/1587141930

• Virtualization server architecture: http://www.amazon.com/Cisco-Unified-Computing-System-Center/dp/1587141930

• Cisco Developer Network: http://developer.cisco.com/web/unifiedcomputing/home

• Cisco UCS Manager product page on Cisco.com: http://www.cisco.com/en/US/products/ps10281/index.html

• Cisco UCS Platform Emulator (UCSPE) download: http://developer.cisco.com/web/unifiedcomputing/ucsemulatordownload

• Cisco UCS Manager Advantage Video Series: http://www.cisco.com/en/US/prod/ps10265/ucs_advantage_video_library.html

• Cisco IT Solutions: http://www.cisco.com/web/about/ciscoitatwork/data_center/index.html

[1] This example creates a locally authenticated user. However, Cisco UCS provides a comprehensive set of RBAC options, including Lightweight Directory Access Protocol (LDAP) integration.
[2] This vNIC configuration process is similar to the process for vNIC configuration on a service profile. Many options are available; however, a detailed explanation of all options is beyond the scope of this document.
[3] This vHBA configuration process is similar to the process for vHBA configuration directly under a service profile. Many options are available; however, a detailed explanation of all options is beyond the scope of this document.