Domain policies in Cisco Intersight allow you to configure various parameters for UCS Fabric Interconnects, including port configuration, network control settings, and VLAN and VSAN settings. A domain policy can be assigned to any number of domain profiles to provide a configuration baseline. Domain policies in Cisco Intersight are a new feature, and native to the application. Policy-based configuration with Domain Profiles is a Cisco Intersight Essentials feature, and is supported on Cisco UCS B-Series M5 and M6 servers and Cisco UCS C-Series M5, M6, M7, and M8 servers, and Cisco UCS X-Series M6, M7, and M8 servers that are in a UCS Domain.

The Domain Policy creation wizard in Cisco Intersight has two pages:

• General—The general page allows you to select the organization and enter a name for your policy. Optionally, include a short description and tag information to help identify the policy. Tags must be in the key:value format. For example, Org:IT or Site APJ

• Policy Details—The policy details page has properties that are applicable to UCS Domain Policies.

The following list describes the domain policies that you can configure in Cisco Intersight.

• Port Policy—Configures the ports and port roles for the Fabric Interconnect. Each Fabric Interconnect has a set of ports in a fixed port module that you can configure. You can enable or disable a port or a port channel.

  The port policy is associated with a switch model. The network configuration limits also vary with the switch model.

• The maximum number of ports and port channels supported on Cisco UCS 6400, 6500, and 6600 Series Fabric Interconnects are:

  • Ethernet Uplink, Fibre Channel over Ethernet (FCoE) Uplink port channels, and Appliance port channels (combined) — 12

  • Ethernet Uplink ports per port channel — 16

  • FC uplink port channel — 4

  • FCoE Uplink ports per port channel —16

  • Ethernet Uplink and FCoE Uplink ports (combined) —31

  • Server ports—54 ports for Cisco UCS 6454, 108 ports for Cisco UCS 64108 Fabric Interconnects, and 64 ports for 6664 Fabric Interconnect.

  The maximum number of ports and port channels supported for Cisco UCS Fabric Interconnects 9108 100G are:

  • Ethernet uplink, Fibre Channel over Ethernet (FCoE) uplink, Ethernet uplink port channels, FCoE uplink port channels, and Appliance port channels (combined) —8

  • Ethernet uplink ports per port channel —8

  • FC uplink port channel —4

  • FC uplink count —8

  • FC uplink per SAN port —8

  • FCoE Uplink ports per port channel —8

  • Ethernet Uplink and FCoE uplink ports (combined) —8

• Ethernet Network Control Policy—Configures the network control settings for appliance ports, appliance port channels, or vNICS.

• Ethernet Network Group Policy—Configures the allowed VLANs and native VLAN for ethernet uplink ports, ethernet uplink port channels, appliance ports, or appliance port channels.

  Note

  When Ethernet Network Group Policies are assigned to an ethernet uplink port or ethernet uplink port channel in a Port Policy, the specified Ethernet Network Group Policies across Ethernet Network Group Policies must be either identical to or disjoint from the VLAN sets specified on other uplink interfaces Ensure that the VLANs are defined in the VLAN Policy and that Auto Allow on Uplinks is disabled.

  You can add multiple Ethernet Network Group Policies (ENGPs) on ethernet uplink port and ethernet uplink port channels in port policies. For more information, see Configuring UCS Domain Policies.

• VLAN Configuration Policy—Creates a connection to a specific external LAN.

• VSAN Configuration Policy—Partitions the Fibre Channel fabric into one or more zones. Each zone defines the set of Fibre Channel initiators and Fibre Channel targets that can communicate with each other in a VSAN.

• NTP Policy—Enables the NTP service to configure a UCS system that is managed by Cisco Intersight to synchronize the time with an NTP server. You must enable and configure the NTP service by specifying the IP/DNS address of at least one server or a maximum of four servers that function as NTP servers. When you enable the NTP service, Cisco Intersight configures the NTP details on the endpoint. For more information, see Creating an NTP policy.

• Network Connectivity Policy—Specifies the DNS Domain settings that are used to add or update the resource records on the DNS server from the endpoints, and the DNS server settings for IPv4 and IPv6 on an endpoint.

• System QoS Policy—Implements network traffic prioritization based on the importance of the connected network by assigning system classes for individual vNICs. Intersight uses Data Center Ethernet (DCE) to handle all traffic inside a Cisco UCS domain. This industry standard enhancement to Ethernet divides the bandwidth of the Ethernet pipe into eight virtual lanes. Two virtual lanes are reserved for internal system and management traffic. You can configure quality of service (QoS) for the other six virtual lanes. System classes determine how the DCE bandwidth in these six virtual lanes is allocated across the entire Cisco UCS domain.

  Each system class reserves a specific segment of the bandwidth for a specific type of traffic, which provides a level of traffic management, even in an oversubscribed system. For example, you can configure the Fibre Channel Priority system class to determine the percentage of DCE bandwidth allocated to FCoE traffic. The configuration setup validates each input on the system class to prevent duplicate or invalid entries.

  The following list describes the system classes that you can configure.

  • Platinum, Gold, Silver, and Bronze—A configurable set of system classes that you can include in the QoS policy for a service profile. Each system class manages one lane of traffic. All properties of these system classes are available for you to assign custom settings and policies.

  • Best Effort—A system class that sets the quality of service for the lane reserved for basic Ethernet traffic. Some properties of this system class are preset and cannot be modified. For example, this class has a drop policy that allows it to drop data packets if required. You cannot disable this system class.

  • Fibre Channel—A system class that sets the quality of service for the lane reserved for Fibre Channel over Ethernet traffic. Some properties of this system class are preset and cannot be modified. For example, this class has a no-drop policy that ensures it never drops data packets. You cannot disable this system class.

• Multicast Policy—Configures Internet Group Management Protocol (IGMP) snooping and IGMP querier. IGMP Snooping dynamically determines hosts in a VLAN that should be included in multicast transmissions.

  You can create, modify, and delete a multicast policy that can be associated to one or more VLANs. When a multicast policy is modified, all VLANs associated with that multicast policy are re-processed to apply the changes. By default, IGMP snooping is enabled and IGMP querier is disabled. On enabling IGMP querier, you can configure the IPv4 addresses for the local and peer IGMP snooping querier interfaces.

• Simple Network Management Protocol (SNMP) Policy—Configures the SNMP settings for sending fault and alert information by SNMP traps from the managed devices. Any existing SNMP Users or SNMP Traps configured previously on the managed devices are removed and replaced with users or traps that you configure in this policy.

• Syslog Policy—Enables to configure the local logging and remote logging (minimum severity) for an endpoint. This policy also provides configuration support to store the syslog messages in the local file and the remote syslog server.

• Switch Control Policy—Enables to configure and manage multiple network operations on the Fabric Interconnects (FI) that include:

  • Port Count Optimization—If the VLAN port count optimization is enabled, the Virtual Port (VP) groups are configured on the Fabric Interconnect (FI) and if VLAN port count optimization is disabled, the configured VP groups are removed from the FI.

  • MAC Aging Time—Allows to set the MAC aging time for the MAC address table entries. The MAC aging time specifies the time before a MAC entry expires and discards the entry from the MAC address table.

  • Link Control Global Settings—Enables configurations of message interval time in seconds and allows to reset the recovery action of an error-disabled port.

• Flow Control Policy—Enables configurations for Priority Flow Control for ports and port channels.

• Link Control Policy—Enables configurations of Link Control administrative state and configuration (normal or aggressive) mode for ports.

• Link Aggregation Policy— Enables to configure Link Aggregation properties. Link Aggregation combines multiple network connections in parallel to increase throughput and to provide redundancy.

• LDAP Policy—Specifies the LDAP configuration settings and preferences for an endpoint. The endpoints support LDAP to store and maintain directory information in a network. The LDAP policy determines configuration settings for LDAP Servers, DNS parameters including options to obtain a domain name used for the DNS SRV request, Binding methods, Search parameters, and Group Authorization preferences. Through an LDAP policy, you can also create multiple LDAP groups and add them to the LDAP server database.

• Certificate Management Policy— Allows you to specify the certificate details for an external certificate and attach the policy to domain profile. Cisco Intersight currently supports Root CA certificates for Fabric Interconnect in Intersight Managed Mode.

• MACSec Policy— Media Access Control Security (MACsec), an IEEE 802.1AE standard, along with the MACsec Key Agreement (MKA) protocol, provide secure communications on Ethernet links. The MKA protocol discovers MACsec peers and negotiates the keys used by MACsec, as defined in IEEE 802.1x-2010. The Advanced Encryption Standard (AES) feature enables secure storage of MACsec keys in NXOS using a master key.

  MACsec feature offers the following benefits:

  • Provides line-rate encryption capabilities.

  • Ensures data confidentiality through strong encryption at Layer 2.

  • Provides integrity checking to prevent data modification during transit.

  • Provides replay protection.

  A MACsec policy configures the cipher suite for data encryption and other related attributes.

The port policy is used for configuring the port parameters such as unified ports that carry Ethernet or Fibre Channel traffic, port roles and speed.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies and then select Create Policy.

3. Select Port, and then click Start.

4. On the General page, configure the following parameters, and then click Next:

   Property	Description
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Fabric Interconnect Model	Select any one of the following FI models: Cisco UCS 64108 Fabric Interconnect Cisco UCS 6454 Fabric Interconnect Cisco UCS 6536 Fabric Interconnect Cisco UCS Fabric Interconnects 9108 100G Cisco UCS 6664 Fabric Interconnect Note   The FI models provide different network configuration capabilities to the policy. The switch model cannot be changed once the policy is created.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Description
   Unified Ports By default, all the unconfigured ports are Ethernet ports. Use the blue slider to select a range of Fibre Channel ports. The selected Fibre Channel ports are highlighted in blue.
   Fibre Channel (FC)	Displays the port range selected for Fibre Channel. Note   Valid FC port range for Cisco UCS 6454 Fabric Interconnect: Port 1-16 Valid FC port range for Cisco UCS 64108 Fabric Interconnect: Port 1-16 Valid FC port range for Cisco UCS 6536 Fabric Interconnect: Port 33-36 Valid FC port range for Cisco UCS 9108 100G Fabric Interconnect: Port 1-2 Valid FC port range for Cisco UCS 6664 Fabric Interconnect: Port 25-40
   Ethernet	Displays the port range selected for Ethernet.

6. On the Breakout Options page, configure the breakout ports on Fibre Channel or Ethernet.

   Note

   To configure breakout port, the supported Infrastructure firmware version is 4.2(2a) or later. Ethernet Select the ports for breakout either by clicking on the valid ports within the graphic image or by selecting the port number from the table below the image Following are the breakout port range for different Cisco UCS Fabric Interconnects: Cisco UCS 64108 Fabric Interconnect, the valid breakout port range is 97—108 Cisco UCS 6454 Fabric Interconnect, the valid breakout port range is 49—54 Cisco UCS 6536 Fabric Interconnect, the valid breakout port range is 1—36 Cisco UCS 9108 100G Fabric Interconnect, the valid breakout port range is 1—8 Note   Cisco UCS 6664 Fabric Interconnect does not support breakout ports. Click Configure. A pop-up window appears. It displays the Admin speeds that can be set for the breakout ports. Ethernet breakout ports can be configured with three options: no breakout, Admin speed of 4x10G, and Admin speed of 4x25G. Select the desired speed. Note   You can configure Ethernet breakout and switch between breakout speeds without requiring an FI reboot. Click Set. Click Next to move to the Port Roles page or navigate to the Fibre Channel tab to configure the FC breakout ports. Fibre Channel Fibre Channel port is applicable only for UCS-FI-6536, UCS-FI-6664, and UCSX-S9108-100G Fabric Interconnects. Select the ports for breakout either by clicking on the valid ports within the graphic image or by selecting the port number from the table below the image. Click Configure. A pop-up window appears. It displays the Admin speeds that can be set for the breakout ports. FC breakout ports can be configured in three different Admin speed: 4x8G, 4x16G, and 4x32G. Select the desired speed. Note   Changing the FC breakout speeds does not require FI reboot. Switching from the Ethernet breakout to the FC breakout and vice versa, or from the Ethernet port to the FC breakout port and vice versa, requires an FI reboot each time. Click Set. Click Next.

7. On the Port Roles page, configure port roles or create port channels or pin groups.

   Port Roles Select the ports that have to be configured for port roles either in the graphic image or by selecting in the table present below the graphic image.
   Selected Ports	Indicates the port number(s) selected.
   Name	The user determined port name.
   Type	The type can be Ethernet or FC. Note   FC is not applicable for Cisco UCS 6400 Series FI.
   Click Configure.
   Role	Select the port role type: The roles for an Ethernet port are: Unconfigured—Default Server—All server traffic travels through the input or output (I/O) module to server ports on the fabric interconnect. Note   For Cisco UCS 6664 Fabric Interconnect, the maximum number of server ports allowed is 64. For Cisco UCS Fabric Interconnects 9108 100G, Server role is not available for port role configuration. For Cisco UCS 6536 Fabric Interconnect, server roles are not supported on 10G breakout ports. For Cisco UCS 6454 Fabric Interconnect, the maximum number of server ports allowed is 54. For Cisco UCS 64108 Fabric Interconnect, the maximum number of server ports allowed is 108. Server port configuration is supported for discovering direct-attach Cisco UCS C-Series servers only after configuring breakout port on Ports 49-54 for Cisco UCS 6454 Fabric Interconnect and on Ports 97-108 for Cisco UCS 64108 Fabric Interconnect. Discovering chassis, blade server connected to chassis, or rack servers connected to FEX are not supported after configuring breakout port on Ports 49-54 for Cisco UCS 6454 Fabric Interconnect and on Ports 97-108 for Cisco UCS 64108 Fabric Interconnect. Ethernet Uplink—Ethernet traffic passes through the unified uplink port Note   The maximum number of combined Ethernet Uplink ports and FCoE Uplink ports allowed is 31. Appliance—Allows the Network File System to connect directly with the Fabric Interconnects, without traffic having to pass through the uplink ports. FCoE Uplink—Fibre Channel over Ethernet (FCoE) uplink ports allow both Ethernet and Fibre Channel traffic to flow on the same physical Ethernet link The roles for an FC port are: FC Uplink —FC traffic passes through the FC uplink port. To specify the role of an FC port as an FC Uplink port the VSAN scope of the port must have been created as Storage and Uplink, or as Uplink in the VSAN Configuration policy. FC Storage—FC port acts as a storage port. To specify the role of an FC port as an FC Storage port the VSAN scope of the port must have been created as Storage and Uplink, or as Storage in the VSAN Configuration policy. Moreover, the FC has to be in the switching mode. Unconfigured—Unconfigured is the default role of the port.
   Admin Speed	The administrative port speed. The options are: 1 Gbps 10 Gbps 25 Gbps 40 Gbps 100 Gbps Note   Admin Speed can be selected as Auto or Breakout speed for any role on breakout ports. For Cisco UCS 6536 Fabric Interconnect, only 25G/40G/100G connectivity is supported for server ports. For Cisco UCS Fabric Interconnects 9108 100G, 1 Gbps speed is available only for Ports 7 and 8. Note   When the 25 Gbps admin speed is selected, Enable 25 Gbps Copper Cable Negotiation is automatically enabled for any copper cable that is more than 3 meters. Enable 25 Gbps Copper Cable Negotiation: Supports only on Appliance, Ethernet Uplink, FCoE Uplink port roles. Does not support breakout ports. Supports firmware versions 4.2(1a) or higher. Supports only for the FEC configuration set to Auto.
   FEC	The forward error correction configuration on the ports of an Ethernet Channel: This setting can be one of the following: Auto (Auto-FEC) Cl91 (CL91-RS-FEC)—Supported with Appliance, Ethernet uplink, and FCoE uplinks roles at 25 Gbps and 100 Gbps Admin speed. Cl74 (CL74-FC-FEC)—Supported with Server port role and with Appliance, Ethernet uplink, and FCoE uplinks roles at 25 Gbps Admin speed rs-cons16 (CONS16-RS-FEC)—Supported with Appliance, Ethernet uplink, and FCoE uplinks roles at 25 Gbps Admin speed. rs-ieee (IEEE-RS-FEC)—Supported with Appliance, Ethernet uplink, and FCoE uplinks roles at 25 Gbps Admin speed. Off—FEC can be disabled using this option. It is supported with Admin speeds: Auto, 25 Gbps, and 100 Gbps. Note   If the latest device connector firmware version is not running on the FI, then on selecting the rs-cons16, rs-ieee, or Off option, the domain profile deployment will fail. Turning off Forward Error Correction (FEC) can lead to increased data loss, higher error rates, and potential disruptions in data transmission.
   Priority	It is the name of the System QoS Class. Select the priority of the Appliance port for routing traffic and ensuring QoS.
   Mode	Select the port mode to be set on the Appliance port. Port mode can be Trunk or Access.
   Auto-negotiation	This option is available only for Server port roles. Auto Negotiation is not supported for N9K-C93180YC-FX3 FEX when server port is connected with a 100G speed transceiver. If the port is connected to N9K-C93180YC-FX3 FEX, the Auto Negotiation option should be disabled.
   Connected Device Type and Device Number	This option is applicable for Server port roles only Select the device type and device number for each port or a set of ports. By default, this option is disabled. To enable: Select the ports and click Configure. Turn the Manual Chassis/Server Numbering button ON. A table is displayed where you can specify the Connected Device Type and Device Number for each port. Note   Auto-Fill Numbering can be enabled to edit Connected Device Type, Starting Device Number, and Ports per Device for each port according to your preferences. Click Save to see the Connected Device Type and Device Number columns in the Port Roles list view. Note   If the selected Device Number is already allocated for any other server/chassis on any other port then the next available number will be allocated to the server that is discovered. This action will not result in failure of Port policy deployment. The Port policy changes are not applicable for FEX.
   Ethernet Network Group	Select the Ethernet Network Group policies that is to be attached to the Ethernet Uplink or Ethernet Appliance port channel. The Ethernet Network Group policies specifies the Allowed VLANs, Native VLAN. Note   Ethernet Network Group policy applies to port channels with Ethernet Uplink and Appliance roles. To create Ethernet Network Groups for configuring Disjoint VLANs, ensure that the groups are completely disjoint. Partial overlap of VLANs is not allowed. You cannot apply ethernet network group policies with QinQ configuration to uplink ports. You can add multiple Ethernet Network Group Policies (ENGPs) on uplink port and uplink port channels. The maximum number of ethernet network group policies is restricted to 50 including shared policies. Note   The native VLAN must be the same across all ethernet network group policies, or must be set in only one ethernet network group policy.
   Ethernet Network Control	Select the Ethernet Network Control policy that is to be attached to the appliance port. The Ethernet Network Control policy allows you to enable or disable CDP, specify the MAC Register Mode, the action to be taken on uplink fail, the MAC security details and LLDP details. Note   Ethernet Network Control policy applies only for a port with an appliance role.
   Flow Control	Select the Flow Control policy that is to be attached to the Ethernet uplink port.
   Link Control	Select the Link Control policy that is to be attached to the Ethernet uplink or FCoE uplink port.
   MACsec Policy	Select the MACsec policy that is to be attached to the Ethernet uplink port.
   VSAN ID	The VSAN ID of an FC port as specified in the VSAN Configuration policy.
   User Label	You can assign a user label to configured ports. It can also be assigned using Set User Label action available for ports in FI Inventory view. These labels enhance device identification, network tracing, troubleshooting, and interface management. Once set, the label is stored in the NXOS as part of the port description, which includes both the port role and the custom user label. This feature allows SNMP users to access detailed port information, helping in troubleshooting. The user label must be between 1 and 128 alphanumeric characters, allowing special characters: ! # $ % & * + , ( ) [ ] { } | / . ? @ _ : ; . The same user label can be assigned to multiple ports. Only one user label can be assigned to a port at a time. A user label can be assigned to disabled ports as well. Resetting the port does not remove the user label. The label set Port action is enclosed in angular brackets <>. The label set through Port policy is appended next to the port description, followed by the label set through Port action. Port Description Format in NXOS: Description: Role: label-set-through-port-policy<label-set-through-port-action> Example: Server: Port-Role-Server-FLM19389KT8<Port-Operation-Rack-FLM19389KT8> User labels can be set, modified, and cleared without impacting other functionalities.
   Port Channels Click Create Port Channel where you can choose the role for the selected ports. FC or Ethernet ports with unconfigured role are available for port channel creation. Select the ports for configuration either by clicking on the ports within the graphic image or in the box next to the desired port within the table.
   Role	The port channel role type. The role type can be: Ethernet Uplink Port Channel FC Uplink Port Channel FCoE Uplink Port Channel Appliance Port Channel Note   The maximum number of ports allowed for: Ethernet Uplink port channel, FCoE Uplink port channel, and Appliance port channel (combined) is 12. FC uplink port channel is 4. Ethernet ports per port channel is 16. FCoE Uplink ports per port channel is 16. You cannot combine normal ports and breakout ports for any port channel. For example, Uplink port channel ID 100 with members 1/96 and 1/97/1 are not allowed. If a port with a speed of 100G in Cisco UCS 6536 Fabric Interconnect, is connected with N9K-C93180YC-FX3, then you must disable Auto Negotiation while assigning the port role. For FC uplink Port Channel, port channel with different port speed is not allowed. For example, FC uplink port channel ID 101 with member 1/33 with port speed 8Gbps and 1/34 with port speed 16Gbps are not allowed.
   Port Channel ID	Unique Identifier of the port channel, local to this switch.
   Admin Speed	The administrative port channel speed options for Ethernet Uplink Port Channel, FCoE Uplink Port Channel, and Appliance Port Channel are: 1 Gbps 10 Gbps 25 Gbps 40 Gbps 100 Gbps The administrative port channel speed options for FC Uplink and FC Uplink Port Channel are: 8 Gbps 16 Gbps 32 Gbps 64 Gbps Admin Speed can be selected as Auto or Breakout speed for Ethernet Uplink Port Channel, FCoE Uplink Port Channel, and Appliance Port Channel Role on ethernet breakout ports. Note   64 Gbps FC speed is supported only on the Cisco UCS 6664 Fabric Interconnect. The 8 Gbps FC speed has been deprecated for this model.
   FEC	The Forward Error Correction (FEC) configuration can be applied on Ethernet uplink, FCoE uplink, and Appliance port channels. FEC configured on a port-channel gets applied to the individual port members. The forward error correction configuration for the port are: Auto (AUTO-FEC) Cl91 (CL91-RS-FEC)—Supported with Supported with Appliance Port Channel, Ethernet Uplink Port Channel, and FCoE Uplinks Port Channel roles at 25 Gbps and 100 Gbps Admin speed. Cl74 (CL74-FC-FEC)—Supported with Appliance Port Channel, Ethernet Uplink Port Channel, and FCoE Uplinks Port Channel roles at 25 Gbps Admin speed. rs-cons16 (CONS16-RS-FEC)—Supported with Appliance Port Channel, Ethernet Uplink Port Channel, and FCoE Uplinks Port Channel roles at 25 Gbps Admin speed. rs-ieee (IEEE-RS-FEC)—Supported with Appliance Port Channel, Ethernet Uplink Port Channel, and FCoE Uplinks Port Channel roles at 25 Gbps Admin speed. Off—FEC can be disabled using this option. It is supported with admin speeds: Auto, 25 Gbps, and 100 Gbps. Note   Turning off Forward Error Correction (FEC) can lead to increased data loss, higher error rates, and potential disruptions in data transmission. If the latest device connector firmware version is not running on the FI, then on choosing the rs-cons16, rs-ieee, or Off option, the domain profile deployment will fail.
   Priority	Select the priority of the Appliance port channel for routing traffic and ensuring QoS.
   Mode	Select the port channel mode for the Appliance port channel. Port channel mode can be Trunk or Access.
   Ethernet Network Group	Select the Ethernet Network Group policy that is to be attached to the Ethernet Uplink or Appliance port channel. The Ethernet Network Group policy specifies the Allowed VLANs, Native VLAN. Note   Ethernet Network Group policy applies to port channels with Ethernet Uplink and Appliance roles. To create Ethernet Network Groups for configuring Disjoint VLANs, ensure that the groups are completely disjoint. Partial overlap of VLANs is not allowed.
   Ethernet Network Control	Select the Ethernet Network Control policy that is to be attached to the appliance port channel. The Ethernet Network Control policy allows you to enable or disable CDP, specify the MAC Register Mode, the action to be taken on uplink fail, the MAC security details and LLDP details. Note   Ethernet Network Control policy applies only for a port channel with an Appliance role.
   Flow Control Policy	Select the Flow Control policy that is to be attached to the Ethernet uplink port channel.
   Link Aggregation Policy	Select the Link Aggregation policy that is to be attached to the appliance port channel, FCoE uplink port channel or the Ethernet uplink port channel.
   Link Control Policy	Select the Link Control policy that is to be attached to the FCoE uplink port channel or the Ethernet uplink port channel.
   MACsec Policy	Select the MACsec policy that is to be attached to the Ethernet uplink port channel. Note   On the Cisco UCS 6664 Fabric Interconnect, only ports 49-64 support MAC Security (MACsec). The option to attach a MACsec policy is available only when you select ports 49-64.
   VSAN ID	The VSAN ID of an FC port as specified in the VSAN Configuration policy.
   Port Channel	Select the valid port channel range between 1 and 256.
   User Label	You can assign a user label to configured port channels. It can also be assigned using Set User Label action available for port channels in FI Inventory view. These labels enhance device identification, network tracing, troubleshooting, and interface management. Once set, the label is stored in the NXOS as part of the port description, which includes both the port role and the custom user label. This feature allows SNMP users to access detailed port information, helping in troubleshooting. The user label must be between 1 and 128 alphanumeric characters, allowing special characters: ! # $ % & * + , ( ) [ ] { } | / . ? @ _ : ; . The same user label can be assigned to multiple port channels. Only one user label can be assigned to a port channel at a time. A user label can be assigned to disabled port channel as well. Resetting the port channel does not remove the user label. User Label cannot be set on Fabric and Server port channels. The label set through Port action is enclosed in angular brackets <>. The label set through Port policy is appended next to the port description, followed by the label set through Port action. Port Description Format in NXOS: Description: Role: label-set-through-port-policy<label-set-through-port-action> Example: Server: Port-Role-Server-FLM19389KT8<Port-Operation-Rack-FLM19389KT8> User labels can be set, modified, and cleared without impacting other functionalities.
   Pin Groups Pin Group is used to pin Ethernet/FC traffic from a vNIC/vHBA on a server to an uplink Ethernet/FC port or port channel on the Fabric Interconnect. You can use this pinning to manage the distribution of traffic from the servers. Static pinning is not supported when FI are in Switching Mode (Ethernet and FC). To configure pinning for a server, you must include the LAN/SAN pin group in the LAN/SAN connectivity policy. Click Create Pin Group to specify the ports/port channels in the FI through which the LAN and SAN data traffic can be made to flow.
   Pin Group Type	The type of the data traffic that needs to flow to the pinned ports/port channels. The type can be LAN SAN
   Pin Group Name	The name of the Pin Group. This name will appear in LAN/SAN Connectivity policy creation page, once the Pin Group is created.
   Interface Type	The type of the interface on the Fabric Interconnect. Port Port Channels
   Port Selection	From the available table, you can select the ports and the breakout ports that should be pinned for data traffic flow. It is enabled by default.

8. Click Save.

An Ethernet Network Group policy enables you to manage settings for VLANs on a UCS Server. These settings include defining which VLANs are allowed, designating a Native VLAN, and specifying a QinQ VLAN.

Note

When an Ethernet Network Group is assigned to a Port Policy, the specified VLAN set must be either identical to or disjoint from the VLAN sets specified on other uplink interfaces. Ensure that the VLANs are defined in the VLAN Policy and that Auto Allow on Uplinks is disabled. Ethernet Network Groups should only be used for Disjoint Layer 2 configurations and will fail if a VLAN present in the Ethernet Network Group has Auto Allow on Uplinks enabled in the VLAN Configuration Policy section.

This policy also supports VIC QinQ Tunneling. A QinQ (802.1Q-in-802.1Q) tunnel allows segregation and isolation of different VLANs within a network. To configure QinQ VLAN, you can specify the desired VLAN ID as part of the VLAN settings for the specific port, port channel, or vNIC. This enables the transmission of multiple VLANs over a single VLAN trunk.

1. Log in to Cisco Intersight with Account Administrator or Server or Domain Administrator roles.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Ethernet Network Group, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Description
   Add VLANs	From the Add VLANs drop-down list, choose one of the following three options to add VLAN IDs to the Ethernet Network Group Policy: Enter Manually From Policy From CSV File Note   The Add VLANs option is available only when the Enable QinQ (802.1Q-in-802.1Q) Tunneling on the vNIC check box is unchecked.
   Enter Manually	You can specify the allowed VLANs by providing a list of comma-separated VLAN IDs and VLAN ID ranges. For example, you can enter VLAN IDs 10, 20, and 30-40 to allow VLANs 10, 20, and a range from 30 to 40.
   From Policy	You can specify the allowed VLANs by importing the VLAN IDs from an existing VLAN policy. Note   You can create a new VLAN policy by clicking Create New on the Select Policy page and later import the VLAN IDs from it.
   From CSV File	You can specify the allowed VLANs by importing the VLAN IDs from a CSV file on your local machine.
   Native VLAN (Optional)	To configure a native VLAN, click the ellipsis (…) icon next to the desired VLAN ID and select Set Native VLAN. To remove a native VLAN, click the ellipsis (…) icon next to it and select Unset Native VLAN. Note   Setting a native VLAN is an optional configuration. You can create an Ethernet Network Group Policy without including a native VLAN. If a native VLAN is already assigned, any change may cause brief network interruptions during profile deployment.
   Show VLAN ID Ranges	Toggle the Show VLAN ID Ranges option to view all allowed VLAN ID ranges.
   Enable QinQ (802.1Q-in-802.1Q) Tunneling on the vNIC	Check this check box to enable VIC QinQ (802.1Q-in-802.1Q) Tunneling. This feature allows the configuration of QinQ Tunneling, which facilitates the encapsulation of multiple VLANs within a single VLAN. Supported VLAN IDs range from 1 to 4093, enabling effective management and segregation of network traffic.
   QinQ VLAN	From the QinQVLANs drop-down list, choose one of the following two options to add QinQ VLAN IDs to the Ethernet Network Group Policy: Enter Manually From Policy Note   The QinQ VLAN option is available only when the Enable QinQ (802.1Q-in-802.1Q) Tunneling on the vNIC check box is checked.
   Enter Manually	You can specify the allowed QinQ VLANs by providing a list of comma-separated VLAN IDs and VLAN ID ranges.
   From Policy	You can specify the allowed QinQ VLANs by importing the VLAN IDs from the VLAN polices.
   Native VLAN (Optional)	From the Native VLAN drop-down list, choose one of the following two options to add QinQ Native VLAN to the Ethernet Network Group Policy: Enter Manually From Policy Note   Setting a native VLAN is an optional configuration. You can create an Ethernet Network Group Policy without including a native VLAN.

   Note	To make the server an Isolated host or a Community host, specify the ID of an Isolated VLAN or a Community VLAN in both Allowed VLANs and Native VLAN

6. Click Create.

Ethernet Network Control policies configure the network control settings for the UCS Domain. This policy is applicable only for the Appliance Ports defined in a Port Policy and for the vNICs defined in a LAN Connectivity Policy, on an FI-Attached UCS Servers.

1. Log in to Cisco Intersight with Account Administrator or Server Administrator roles.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Ethernet Network Control, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Enable CDP	Enables the Cisco Discovery Protocol (CDP) on an interface.
   MAC Register Mode	Determines the MAC addresses to be registered with the switch. This can be: Only Native VLAN—MAC addresses are only added to the native VLAN. This option is the default, and it maximizes the port+VLAN count. All Host VLANs—MAC addresses are added to all VLANs with which they are associated. Select this option if your VLANs are configured to use trunking but are not running in Promiscuous mode.
   Action on Uplink Fail	Determines how the interface behaves if no uplink port is available when the switch is in end-host mode. Link Down—Changes the operational state of a vNIC to down when uplink connectivity is lost on the switch, and enables fabric failover for vNICs. This is the default option. Warning—Maintains server-to-server connectivity even when no uplink port is available, and disables fabric failover when uplink connectivity is lost on the switch.
   MAC Security Forge	Determines whether forged MAC addresses are allowed or denied when packets are sent from the server to the switch. This can be: Allow— All server packets are accepted by the switch, regardless of the MAC address associated with the packets. This is the default option. Deny— After the first packet has been sent to the switch, all other packets must use the same MAC address or they will be silently rejected by the switch. In effect, this option enables port security for the associated vNIC.
   LLDP	Determines whether interfaces can transmit or receive LLDP packets. To enable or disable the transmission of LLDP packets on an interface, click Enable Transmit. To enable or disable the receipt of LLDP packets on an interface, click Enable Receive.

6. Click Create.

VLAN policies create a connection to a specific external LAN. The VLAN isolates traffic to that external LAN, including broadcast traffic. You can create VLANs and Private VLANs using the VLAN policy.

Note	Ensure that each VLAN is associated with a multicast policy. You can edit the existing VLANs and associate them to a multicast policy. You cannot associate a Multicast policy to a Private VLAN.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select VLAN, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, click Add VLAN and configure the following policy details:

   Note	The maximum number of VLANs allowed per Ethernet Network Policy is 3000.

   Property	Essential Information
   Add VLANs	Click Add VLANs to add VLANs and Private VLANs
   Name/Prefix	For a single VLAN, this is the VLAN name. For a range of VLANs, this is the prefix that the system uses for each VLAN name.
   VLAN IDs	Enter the VLAN ID number or a number range between 2 and 4093. You can enter a range of IDs uisng a hyphen, and you can enter multiple IDs or ID ranges separated by commas. Examples of valid VLAN IDs or ID ranges are 50, 200, 2000-2100. You cannot use VLANs from 3915-4042, 4043-4047, 4094, and 4095 because these IDs are reserved for system use. The name that you assign to a VLAN ID adds a layer of abstraction that allows you to globally update all servers associated with service profiles that use the named VLAN.
   Auto Allow on Uplinks	Used to determine whether this VLAN will be allowed on all uplink ports and port channels in this Fabric Interconnect. Enable to allow this VLAN on uplink ports and port channels. Disable to configure disjoint VLANs.
   Multicast Policy	Click Select Policy and choose a Multicast policy that needs to be associated with VLAN. Click Create New to create a new Multicast policy that will be available to all VLANs. Note   You cannot add Multicast policy for a Private VLAN.
   Enable VLAN Sharing	Enable to create Private VLANs.
   Sharing Type	The Sharing type can be: Primary: The Primary VLAN of a Private VLAN. Secondary VLANs are mapped to Primary VLANs. Note   You must create the Primary VLAN before creating the Isolated or Community VLANs. Isolated: One of the two Sharing Types of a Secondary VLAN. Only one Isolated VLAN can be mapped to a Primary VLAN. Community: One of the Sharing Types of a Secondary VLAN. Multiple Community VLANs can be mapped to a Primary VLAN.
   Primary VLAN ID	The Primary VLAN to which a Community or Isolated VLAN is to be mapped. Note   When a Secondary VLAN is mapped to a Primary VLAN, you cannot modify or delete the Primary VLAN.

   Note	If the VLAN configuration in the domain profile is modified, the corresponding changes in the server profile will take effect only after the server profile is redeployed.

6. Click Add.

With the VSAN policy, you can create Virtual SANs (VSANs) to isolate devices physically connected to the same SAN fabric. VSANs improve security and stability in Fibre Channel fabrics and let you create several logical SANs over a common physical infrastructure.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select VSAN, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Description (Optional)	Provide a short description
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

5. On the Policy Details page, do the following:

   • Click Trunking Mode to enable or disable Fibre Channel uplink trunking.

     If you enable trunking for the named VSANs on a Fabric Interconnect, all named VSANs in the Cisco UCS domain are allowed on all Fibre Channel uplink ports on that Fabric Interconnect. If you configure Fabric Interconnects for Fibre Channel end-host mode, enabling Fibre Channel uplink trunking renders all VSANs with an ID in the range from 3840 to 4079 non-operational.

   • Click Add VSAN and configure the following policy details:

     Property	Essential Information
     Name	The user-defined name given to the VSAN configuration.
     VSAN Scope	The scope of the VSAN. Indicate if the VSAN is a storage and uplink VSAN, a storage VSAN, or an uplink VSAN VSAN Scope can be: Storage and Uplink Storage Uplink Note   If you want to create an FC Zone policy for a VSAN, then the VSAN scope must be Storage.
     VSAN ID	The unique identifier for the VSAN on the switch. The VSAN ID can be between 1 and 4093.
     FCoE VLAN ID	The unique identifier assigned to the VLAN used for Fibre Channel connections. IDs of FCOE VLANs associated with the VSAN configuration must be between 2 and 4093. VLAN IDs from 3915-4042, 4043-4047, 4094, and 4095 are reserved for system use. By default, VLAN 4048 is mapped to VSAN-1 on the switch. Attempting to use VLAN 4048 for FCoE in a VSAN Policy will result in an error. In this case, you need to explicitly configure VSAN-1 to use a different FCOE VLAN ID in the VSAN policy.

6. Click Create.

The NTP policy enables the NTP service to configure a UCS system that is managed by Cisco Intersight to synchronize the time with an NTP server. You must enable and configure the NTP service by specifying the IP/DNS address of at least one server or a maximum of four servers that function as NTP servers. When you enable the NTP service, Cisco Intersight configures the NTP details on the endpoint.

1. Log in to Cisco Intersight with Account Administrator or Server or Domain Administrator roles.

2. Choose Configure > Policies, and then select Create Policy.

3. Select NTP, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Enable NTP	Enables NTP policy configuration.
   NTP Servers	A collection of NTP Server IP addresses or hostnames.
   Time Zone	A collection of time zones from which you can select a time zone for the endpoint. This property is applicable to switches and to Cisco IMC (standalone) servers.

   When a hostname is used for NTP configuration, DNS server information must be configured in the Network Connectivity policy.

6. Click Create.

The Network Connectivity policy enables you to configure and assign IPv4 and IPv6 addresses.

Dynamic DNS

Dynamic DNS (DDNS) is used to add or update the resource records on the DNS server. When you enable the DDNS option, the DDNS service records the current hostname, Domain name, and the management IP address and updates the resource records in the DNS server.

1. Log in to Cisco Intersight with Account Administrator or Server Administrator or Domain Administrator roles.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Network Connectivity, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Description (Optional)	Provide a short description
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

5. On the Policy Details page, configure the following properties:

   Common Properties

   Property	Essential Information
   Enable Dynamic DNS	Enables Dynamic DNS. This property is not applicable to Fabric Interconnects.
   Dynamic DNS Update Domain	Specify the dynamic DNS Domain. The Domain can be either a main Domain or a sub-Domain. This property is not applicable to Fabric Interconnects.

   IPv4 Properties

   Property	Essential Information
   Obtain IPv4 DNS Server Addresses from DHCP	Whether the IPv4 addresses are obtained from Dynamic Host Configuration Protocol (DHCP) or from a specifically configured set of DNS servers. Enabled—Intersight uses DHCP Disabled—Intersight uses a configured set of IPv4 DNS servers. This property is not applicable to Fabric Interconnects.
   Preferred IPv4 DNS Server	The IP address of the primary DNS server. This property is displayed only when Obtain IPv4 DNS Server Addresses from DHCP is disabled.
   Alternate IPv4 DNS Server	The IP address of the secondary DNS server. This property is displayed only when Obtain IPv4 DNS Server Addresses from DHCP is disabled.

   Property	Essential Information
   Enable IPv6	Whether IPv6 is enabled. You can configure IPv6 properties only if this property is enabled.

   IPv6 Properties

   Property	Essential Information
   Obtain IPv6 DNS Server Addresses from DHCP	Whether the IPv6 addresses are obtained from Dynamic Host Configuration Protocol (DHCP) or from a specifically configured set of DNS servers. Enabled—Intersight uses DHCP Disabled—Intersight uses a configured set of IPv6 DNS servers. This property is not applicable to Fabric Interconnects.
   Preferred IPv6 DNS Server	The IP address of the primary DNS server. This property is displayed only when Obtain IPv6 DNS Server Addresses from DHCP is disabled.
   Alternate IPv6 DNS Server	The IP address of the secondary DNS server. This property is displayed only when Obtain IPv6 DNS Server Addresses from DHCP is disabled.

6. Click Create.

The SNMP policy configures the SNMP settings for sending fault and alert information by SNMP traps from the managed devices. This policy supports SNMP versions such as SNMPv1, SNMPv2(includes v2c), and SNMPv3. Any existing SNMP Users or SNMP Traps configured previously on the managed devices are removed and replaced with users or traps that you configure in this policy.

Using the SNMP Policy you can enable or disable SNMP, specify the access and community strings, and provide the SNMP user details that is used to retrieve data.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select SNMP, and then click Start.

4. In the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the organization.
   Name	Enter a name for your policy.
   Set Tags (optional)	Enter a tag in the key value format. For example, Org: IT or Site: APJ.
   Description (optional)	Enter a short description.

5. In the Policy Details page, configure the following parameters:

   Property	Essential Information
   Enable SNMP	Displays the state of the SNMP Policy on the endpoint. Enable this option for the endpoint to send SNMP traps to the designated host.
   Access Community String	Enter the SNMPv1, SNMPv2 community string or the SNMPv3 username. This field allows maximum of 18 characters.
   Trap Community String	Enter the SNMP community group name used for sending SNMP trap to other devices. Note   This field is applicable only for SNMPv2c trap host or destination.
   System Contact	The contact person responsible for the SNMP implementation. Enter a string up to 64 characters, such as an email address or a name and telephone number.
   System Location	The location of host on which the SNMP agent (server) runs.
   SNMP Users
   Name	Enter the SNMP username. This field must have a minimum of 1 and a maximum of 31 characters.
   Security Level	Select the security mechanism for communication between the agent and the manager that include: AuthPriv AuthNoPriv
   Auth Type	Select SHA as the authorization protocol for authenticating the user. Note   The MD5 authorization protocol is not supported.
   Auth Password	Enter the authorization password for the user.
   Auth Password Confirmation	Enter the authorization password confirmation for the user.
   Privacy Type	Select AES as the privacy protocol for the user. Note   The DES privacy type is deprecated to meet security standards.
   Privacy Password	Enter the privacy password for the user.
   Privacy Password Confirmation	Enter the privacy password confirmation for the user.
   SNMP Trap Destinations
   Enable	Enable this option to use the SNMP policy.
   SNMP Version	Select V2 or V3 as the SNMP version for the trap.
   User	Select the SNMP user for the trap. You can define maximum of 15 trap users. Note   This field is applicable only to SNMPv3.
   Trap Type	Select the trap type to receive a notification when a trap is received at the destination: Trap Inform
   Destination Address	Provide the address to which the SNMP trap information can be sent. You are allowed to define maximum of 10 trap destinations.
   Port	Enter the port number for the server to communicate with trap destination. The range is from 1 to 65535. The default is 162.

6. Click Create.

A System Quality of Service (QoS) policy assigns a system class to the outgoing traffic. This system class determines the quality of service for the outgoing traffic.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select System QoS, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Platinum Gold Silver Bronze	This option enables you to configure the associated QoS class on the fabric interconnect and assign the class to a QoS policy. Note   The Best Effort or Fibre Channel system classes are enabled by default.
   CoS	Set the class of service (CoS) by entering an integer value between 0 and 6, with 0 being the lowest priority and 6 being the highest priority. Set the value to 0 only when you require the system class to be the default system class for traffic if the QoS policy is deleted or the assigned system class is disabled.
   Weight	An integer between 1 and 10. If you enter an integer, Cisco UCS determines the percentage of network bandwidth assigned to the priority level as described in the Weight field.
   Allow Packet Drops	You can select to allow the packet drop for this system class during transmission. This field is always selected for the Best Effort class, which allows dropped packets, and always not selected for the Fibre Channel class, which never allows dropped packets.
   MTU	The maximum transmission unit (MTU) for the channel. You can enter an integer between 1500 and 9216. This value corresponds to the maximum packet size.

6. Click Create.

The Syslog policy defines the minimum severity as logging level from an endpoint. The policy also defines the target destination to store the Syslog messages, and the Hostname or the IP Address, the port information, and the communication protocol for the Remote Logging Servers.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Syslog, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Local Logging
   Minimum Severity to Report	Select the lowest severity level to report in the remote log. The severity levels are: 0 Emergency 1 Alert 2 Critical 3 Error 4 Warning 5 Notice 6 Informational 7 Debug
   Remote Logging - Syslog Server 1 and Syslog Server 2
   Enable	Select this option to enable or disable the Syslog policy.
   Hostname/IP Address	Enter the hostname or IP address of the Syslog server to store the Cisco IMC log. You can set an IPv4 or IPv6 address or a domain name as the remote system address. Note   If you have both IPv4 and IPv6 as the remote logging addresses, ensure to configure IPv4 and IPv6 in the Fabric Interconnect through the command-line interface (CLI).
   Minimum Severity To Report	Select the lowest severity level to report in the remote log. The severity levels are: 0 Emergency 1 Alert 2 Critical 3 Error 4 Warning 5 Notice 6 Informational 7 Debug

6. Click Create.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Switch Control, and then click Start.

4. In the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the organization.
   Name	Enter a name for your policy.
   Set Tags (optional)	Enter a tag in the key value format. For example, Org: IT or Site: APJ.
   Description (optional)	Enter a short description.

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Switching Mode
   Ethernet	Specify the Ethernet switching mode. The switching mode can be End Host or Switch. In End Host mode, the Fabric Interconnects appear to the upstream devices as end hosts with multiple links. In this mode, the switch does not run Spanning Tree Protocol and avoids loops by following a set of rules for traffic forwarding. In Switch mode, the switch runs Spanning Tree Protocol to avoid loops, and broadcast and multicast packets are handled in the conventional way.
   FC	Specify the FC switching mode. The switching mode can be End Host or Switch. End-host mode allows the Fabric Interconnect to act as an end host to the connected Fibre Channel networks, representing all servers (hosts) connected to it through vHBAs. The end-host mode is achieved by pinning (dynamically pinned or hard pinned) vHBAs to Fibre Channel uplink ports, which makes the Fibre Channel ports appear as server ports (N-ports) to the rest of the fabric. When in end-host mode, the Fabric Interconnect avoids loops by ensuring that uplink ports do not receive traffic from one another. Switch mode is the traditional Fibre Channel switching mode. Switch mode allows the Fabric Interconnect to connect directly to a storage device. Enabling Fibre Channel switch mode is useful in POD models where there is no SAN (for example, a single Cisco UCS system connected directly to storage), or where a SAN exists (with an upstream MDS).
   VLAN Port Count
   Enable VLAN Port Count Optimization	Select to enable the VLAN port count optimization. This option is disabled by default. Note   PV Count with VLAN Port Count Optimization Enabled on Cisco UCS 6400 Series and 6500 Series FI in IMM is 108000. VLAN Port Count Optimization is always enabled for Cisco UCS Fabric Interconnects 9108 100G.
   System Reserved VLANs
   Reserved VLAN Start ID	Select this option to specify the Start ID of the reserved VLAN range. By default, the Start ID is 3915. VLAN ID with Start ID + 127 cannot be used in configuring VLAN or VSAN policy. For example, if the VLAN Start ID is changed to 3912, the Reserved VLAN range is 3912-4039. The Reserved VLAN range cannot be used for user-defined VLAN or VSAN policy. Note   Before you begin: Remove any existing VLANs in the new reserved VLAN range. Ensure that there are no VLANs or FCoE VLANs in the reserved VLAN block being used in the VLAN or VSAN policy. In other words, ensure that the VLAN and VSAN policies in both Fabric Interconnect A and B do not conflict with the reserved VLAN range. If the Reserved VLAN Start ID is changed, VLANs in the old range which are not included in the new range will be available for VLAN and VSAN policies after the new switch control policy is deployed. The default reserved VLAN range is 3916–4095. This system reserved VLAN range can be changed but note that VLANs 1002-1005 are blocked for internal use and cannot be used as part of system reserved range. Note   Fabric Interconnect reboots for the changes to take effect. Reboot occurs only once even if multiple changes are made. On a device unclaim, the previously configured reserved VLAN will not be removed. On a subsequent claim, users will have to configure reserved VLAN via the Switch Control Policy if they intend to use a new range.
   Reserved VLAN End ID	The End ID of the reserved VLAN range.The system blocks 128 reserved VLANs from the specified VLAN Start ID. By default, the End ID is 4042. This ID cannot be used in configuring VLAN policy.
   MAC Address Table Aging Time
   Default	Select this option to set the default MAC address aging time to 14500 seconds for the End-Host mode.
   Custom	Select this option to allow the user to configure the MAC address aging time on the switch. For the switch model UCS-FI-6454 or higher versions, the valid time range is 120 to 918000 seconds. After the time range is defined by the user, the switch resets the defined time to its lower multiple of 5.
   Never	Select this option to disable the MAC address aging process. This option ensures the MAC entries never expire and are not discarded from the MAC address table.
   Aging Time (Seconds)	Define the MAC address aging time in seconds. This field is valid only when the Custom option is selected.
   Unidirectional Link Detection (UDLD) Global Settings
   Message Interval	Define the UDLD probe message interval (time in seconds) on ports that are in advertisement mode and are bidirectional. Note   The valid message interval time ranges between 7 and 90 Seconds.
   Recovery Action	Select Reset to recover an error-disabled port. Note   The option None is selected by default.
   Fabric port-channel vHBA
   Enable the fabric port-channel vHBA reset	A virtual host bus adapter (vHBA) logically connects a virtual machine to a virtual interface on the fabric interconnect and allows the virtual machine to send and receive traffic through that interface. This is currently accomplished by using the fibre channel modes (End Host mode/Switch mode). The port channel operations involve addition or removal of a member link between Fabric Interconnect and I/O Module (IOM). Such operations may result in a long I/O pause or connection drop from virtual machines to its targets and require a vHBA reset support. With the fabric port-channel vHBA reset set to enabled, when the Cisco UCS IOM port-channel membership changes, the Fabric Interconnect sends a Registered State Change Notification (RSCN) packet to each vHBA configured via that Cisco UCS IOM. The RSCN enables the virtual interface card (VIC) or VIC Driver to reset the Fabric port-channel vHBA and to restore the connectivity. By default, the Fabric port-channel vHBA reset is set to disabled. When disabled (default), vHBA reset is done only when all the members of a fabric port-channel are down. Note   The feature is supported on Cisco Intersight Infrastructure firmware version 4.1(3e) and above. ESX NFNIC driver version 5.0.0.37 and later or 4.0.0.87 and later process this RSCN. Linux FNIC driver version 2.0.0.85 and later process this RSCN.

6. Click Create

   .

Note

On the Policy Details page, all the existing Switch Control policies show the value of Link Control Global Settings fields as blank. These policies display the correct values on policy edit/update. When you change the switching mode of a Fabric Interconnect, the Fabric Interconnect goes for a reboot.

Configure the Priority Flow Control for each port, to enable the no-drop behavior for the CoS defined by the System QoS Policy and an Ethernet QoS policy. In Auto and On priorities, the Receive and Send link level flow control will be Off.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Flow Control, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property		Essential Information
   Priority Flow Control Mode
   Auto		Auto receives and sends the priority flow. This field is enabled by default.
   On		Enables priority control flow on the local port. Note   You cannot enable Send and Receive direction at the same time.
   Off		Enables Link Level Flow Control on the local port. Note   You can enable Send and Receive direction at the same time.
   		Send When enabled, the link level flow control is configured in the send direction.
   		Receive When enabled, the link level flow control is configured in the receive direction.

   Note	If Priority Flow Control is in Auto/On mode then the Flow Control cannot be enabled and the options are not listed. To enable Flow Control, you must set the Priority Flow Control in Off mode.

   Note	Flow Control should be enabled only on interfaces that are connected to Flow Control capable devices. The following interface types are supported: Ethernet uplink ports and port channels

6. Click Create.

This policy can be used to configure Link Aggregation properties.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Link Aggregation, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Suspend Individual
   False	Select False to continue to receive PDUs from the peer port.
   True	Select True to suspend a port that is not receiving the PDUs from the peer port.
   LACP Rate
   Normal	The port is expected to receive 1 PDU every 30 seconds. The timeout for this is 90 seconds.
   Fast	The port is expected to receive 1 PDU every 1 second from the peer port. The time out for this is 3 seconds.

   Note	Link Aggregation should be enabled only on interfaces that are connected to link aggregation capable devices. The following interface types are supported: Ethernet uplink port channel FCoE uplink port channel

6. Click Create.

This policy enables configuration of link control administrative state and configuration (normal or aggressive) mode for ports.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Link Control, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Link Control Administrative State The link control state of the port configured and managed by the administrator.
   Link Control Mode
   Normal	Detects unidirectional links caused by misconnected interfaces on fiber-optic connections.
   Aggressive	Detects unidirectional links caused by to one-way traffic on fiber-optic and twisted-pair links and by misconnected interfaces on fiber-optic links. When UDLD Administrative State is disabled, the policy cannot be set to Aggressive mode When configuring the UDLD Mode (normal or aggressive), ensure the same mode is configured on both sides of the unidirectional link.

   Note	Link Control policy should be enabled only on interfaces that are connected to link control capable devices. The following interface types are supported: Ethernet uplink ports FCoE uplink ports Ethernet uplink port channels FCoE uplink port channels

6. Click Create.

The multicast policy is used to configure Internet Group Management Protocol (IGMP) snooping and IGMP querier.

Note	Ensure that each VLAN is associated with a multicast policy. You can edit the existing VLANs and associate them to a multicast policy.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select Multicast, and then click Start.

4. On the General page, configure the following parameters:

   Property	Essential Information
   Organization	Select the Organization.
   Name	Enter a name for your policy.
   Set Tags (Optional)	Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
   Description (Optional)	Provide a short description

5. On the Policy Details page, configure the following parameters:

   Property	Essential Information
   Snooping State	Determines whether IGMP snooping examines IGMP protocol messages within a VLAN to discover which interfaces are connected to hosts or other devices interested in receiving multicast traffic. This can be one of the following: Enabled—IGMP snooping is used for VLANs associated with this policy. Disabled—IGMP snooping is not used for associated VLANs.
   Querier State	Determines whether IGMP snooping querier sends out periodic IGMP queries that trigger IGMP report messages from hosts that want to receive IP multicast traffic. This can be one of the following: Enabled—Periodic IGMP queries are sent out. Disabled—No IGMP queries are sent out. This is the default option.
   Querier IP Address	The IPv4 address for the IGMP snooping querier interface. This field appears only when Querier State is enabled.
   Querier IP Address Peer	(Optional) The IPv4 address for the peer IGMP snooping querier interface. The peer IP address is assigned to FI-B. This field appears only when Querier State is enabled.

6. Click Create.

To create and configure an LDAP policy, see the Creating and LDAP Policy section in Configuring UCS Server Policies.

To create and configure a Certificate Management policy, see the Creating and LDAP Policy section in Configuring UCS Server Policies.

The MACsec feature can be used to encrypt traffic on the data uplinks for enhanced network security.

A MACsec policy describes the cipher suite to be used for encryption along with attributes related to encryption, data integrity, replay protection, and the MKA protocol.

1. Log in to Cisco Intersight with Account Administrator or Domain Administrator role.

2. Choose Configure > Policies, and then select Create Policy.

3. Select MACsec, and then click Start.

4. In the General page, configure the following parameters:

   Property	Description
   Organization	Select the organization.
   Name	Enter a name for your policy. Note   The Managed Object ID (Moid) will be added as a prefix to the policy name.
   Set Tags (optional)	Enter a tag in the key value format.
   Description (optional)	Enter a short description.

5. On the Policy Details page, configure the following parameters:

   Property	Description
   Cipher Suite	Cipher suite to be used for MACsec encryption. The default value is GCM-AES-XPN-256.
   Key Server Priority	The key server is selected by comparing key-server priority values during MACsec key agreement (MKA) message exchange between peer devices. Valid values range from 0 to 255. The lower the value, the higher the chance it will be selected as the key server. The default value is 16.
   Confidentiality Offset	The MACsec confidentiality offset specifies the number of bytes starting from the frame header. MACsec encrypts only the bytes after the offset in a frame. The default value is CONF-OFFSET-0.
   SAK Expiry Time	Time in seconds to force secure association key (SAK) rekey. Valid range is from 60 to 2592000 seconds when configured. When not configured, the SAK rekey interval is determined based on Packet Number (PN) exhaustion.
   Security Policy	The security policy specifies the level of MACsec enforcement on network traffic passing through a given interface: Should-secure allows unencrypted traffic to flow until the MACsec key agreement (MKA) session is secured. After the MKA session is secured, the policy switches to only allow encrypted traffic to flow. Must-secure imposes only MACsec encrypted traffic to flow. Traffic will be dropped, until the MKA session is not secured. The default value is Should-secure.
   Replay Window Size	Defines the size of the replay protection window. It determines the number of packets that can be received out of order without being considered replay attacks. The default value is 148809600.
   Include ICV Indicator	Configures inclusion of the optional integrity check value (ICV) indicator as part of the transmitted MACsec key agreement protocol data unit (PDU).
   EAPoL Configurations
   MAC address	MAC address to use in extensible authentication protocol over LAN (EAPoL) for MACsec key agreement (MKA) protocol data units (PDUs). EAPoL MAC address should not be equal to all-zero (0000.0000.0000). The default value is 0180.C200.0003.
   Ether Type	Ethertype to use in extensible authentication protocol over LAN (EAPoL) frames for MACsec key agreement (MKA) protocol data units (PDUs). The range is between 0x600 - 0xffff. The default value is 0x888e.
   MACsec Primary Keychain Primary keychain for managing the default set of security keys for encryption and decryption.
   Primary Keychain Name	The MACsec keychain to hold a set of MACsec keys. It is a mandatory field. Note   The Managed Object ID (Moid) will be added as a prefix to the primary keychain name.
   Click Add Key to add the primary keychain details.
   ID	It is the Connectivity Association Key Name (CKN) which is used to establish the MACSec MKA session. It must have an even number of hexadecimal characters, with a length between 2 and 64 characters. For example, “10”, “2000”, “ABCD1234”, "ABCD1233".
   Cryptographic Algorithm	The cryptographic algorithm that employs the cipher-based message authentication code (CMAC) mode of operation with advanced encryption standard (AES). The default value is AES_256_CMAC
   Secret	It is the key octet string (Connectivity Association Key (CAK)) that is used to derive Security Association Key (SAK). The SAK is then used to encrypt and decrypt data packets. The valid size and format of the octet string depend on the selected Cryptographic Algorithm and the encryption type, which is Type-6 in this case. Valid Hex String Examples: 128-bit Key (16 bytes, 32 hexadecimal characters): A1B2C3D4E5F67890AABBCCDDEEFF0011 1234567890ABCDEF1234567890ABCDEF FFEEDDCCBBAA99887766554433221100 256-bit Key (32 bytes, 64 hexadecimal characters): A1B2C3D4E5F67890AABBCCDDEEFF00112233445566778899AABBCCDDEEFF0001 1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF FFEEDDCCBBAA99887766554433221100FFEEDDCCBBAA99887766554433221100 For detailed steps on creating a secret key, see Creating a Type-6 Encrypted Key section below this table.
   Secret Confirmation	Repeat the string entered in the secret field.
   Always active	If turned on, the key becomes non-expirable. When turned off, you can provide a Start Time and an End Time.
   Timezone	The time zone used for key lifetime configurations.
   Start Time	The time of day and date when the key becomes active.
   End
   When	If set to Never, it indicates that the key remains active indefinitely after the specified start time. When this parameter is set to on this day, the End Time should be specified.
   End Time	The time of day and date when the key becomes inactive.
   Click + to add another key. A maximum of 64 keys can be added. The order can be modified using the upward and downward arrows located at the top right of the key details section.
   MACsec Fallback Keychain
   Configure Fallback Keychain	Specifies the fallback keychain to use after a MACsec session failure due to a key/key ID mismatch or a key expiration. It is an optional field. Turn on the button to add the fallback keychain and a set of keys.
   Fallback Keychain Name	Name of the fallback keychain. Note   The Managed Object ID (Moid) will be added as a prefix to the fallback keychain name.
   Click Add Key to add a key, similar to the primary set of keys.

6. Click Create.

To enable the MACsec configuration in a domain profile, follow these steps after creating the MACsec policy:

1. Apply the MACsec policy to Ethernet uplink ports and Ethernet uplink port channels during Port policy creation or modification.

2. Enable the AES encryption key configuration and set a secret key during Switch Control policy creation or modification.

3. Attach the policies to the domain profile.

4. Deploy the domain profile.

Note

Before removing the AES primary key from the Switch Control policy, ensure that all MACsec configurations are deleted from the Ethernet interfaces. Otherwise, the domain profile deployment will fail, as MACsec configurations require the AES primary key to be set in the Switch Control policy to function properly.

The MACsec state can be checked on the Fabric Interconnects by navigating to the Fabric Interconnects > specific FI > Inventory > Ports and Port Channels page. In the MACsec State column, the value will display as Secured when the MKA session is secured with MACsec, and as Down when the session is inactive.

If a MACsec session transitions to the Down state, an alarm is triggered and shown on the Alarms page.