Server Policies
Policies in Cisco Intersight provide different configurations for UCS servers, including BIOS settings, firmware versions, disk group creation, Simple Mail Transfer Protocol (SMTP), Intelligent Platform Management Interface (IPMI) settings, and more. Once configured, a policy can be assigned to any number of servers to provide a configuration baseline. Policies in Cisco Intersight are native to the application and are not directly imported from the UCS Systems. Policy-based configuration with Server Profiles is a Cisco Intersight Essentials functionality.
The Server Policy creation wizard in Cisco Intersight has two pages:
- General—The general page allows you to select the organization and enter a name for your policy. Optionally, include a short description and tag information to help identify the policy. Tags must be in the key:value format. For example, Org: IT or Site: APJ.
- Policy Details—The policy details page has properties that are applicable to standalone UCS servers, FI-attached UCS servers, or both. You can view these properties separately for All Platforms, UCS Servers (Standalone), and UCS Servers (FI-Attached) by clicking on these options.
Server Policies can be imported as part of importing configuration details (server profiles and policies) of a Cisco C-Series Standalone server from Cisco IMC. For more information, see Importing a Server Profile.
The following list describes the server policies that you can configure in Cisco Intersight.
- Adapter Configuration Policy—Configures the Ethernet and Fibre-Channel settings for the VIC adapter.
- BIOS Policy—Automates the configuration of BIOS settings on the managed devices. You can create one or more BIOS policies which contain a specific grouping of BIOS settings. If you do not specify a BIOS policy for a server, the BIOS settings remain as they are. If a BIOS policy is specified, the values that are specified in the policy replace any previously configured values on a server (including bare metal server configuration settings). To apply the BIOS policy settings, you must reboot the server.
- Boot Order Policy—Configures the linear ordering of devices and enables you to change the boot order and boot mode. You can also add multiple devices under various device types, rearrange the boot order, and set parameters for each boot device type.
  The inventory view enables you to view the actual boot order configured on a server. The boot order displays the details that include device name, device type, configuration details such as Boot Mode (Legacy or UEFI), and Secure Boot Mode (Enabled or Disabled).
  Note: A device configured in the server profile of Boot Order Policy may not appear in the actual boot order if the server BIOS does not detect the device during server boot.
  Intersight provides a One-Time Boot (OTB) option to set a boot device that temporarily overrides the Boot Order Policy and the existing boot order. To set a One-Time Boot Device, select Power Cycle or Power On from the Servers Table view or from the Server Details page and toggle ON the Set One Time Boot Device option. This operation attempts to boot from the One Time Boot device as part of the power cycle or power on action. After the power cycle or power on, the OTB configuration is cleared so that the next reboot follows the default Boot Order.
  Note:
  - The OTB option is available for servers that have been configured with a Boot Order Policy that is associated with a server profile. For a successful OTB configuration, you must deploy a server profile with a Boot Order Policy in Intersight in advance.
  - Any out-of-band boot order change will not be reflected in the Intersight UI for OTB device configuration.
  In the case of PXE Boot configuration, importing the server policy will not create the PXE device under the boot policy if either the MAC address or both the slot and port are not present for a given PXE device under the Boot policy on the server. However, if both slot and port are present, the boot order is set to ANY for the bootable interface on the given slot on the server. For non-VIC adapters you can configure PXE Boot with the MAC address, or both the slot and port, or the slot only.
  In the case of SAN Boot device configuration in the legacy mode, provide the boot target Logical Unit Number (LUN), device slot ID, interface name, and target WWPN. For SAN Boot device configuration in the Unified Extensible Firmware Interface (UEFI) mode, provide the bootloader name, description, and path in addition to the fields listed in the legacy mode.
  In the case of iSCSI Boot, provide the target interface details, authentication mechanism, and initiator IP source.
  In the case of Non-Volatile Memory Express (NVMe) Boot, configure the NVMe drive as bootable in the UEFI mode. During the server profile deployment, this NVMe configuration setting enables selecting the BIOS in a defined order.
- Certificate Management Policy—Allows you to specify the certificate details for an external certificate and attach the policy to servers. Cisco Intersight currently supports the following certificates:
  - Root CA certificates
  - IMC certificates
- Disk Group Policy—Disk Group Policy is now a part of Storage Policy.
- Device Connector Policy—Lets you choose the Configuration from Intersight only option to control configuration changes allowed from Cisco IMC. The Configuration from Intersight only option is enabled by default. You will observe the following changes when you deploy the Device Connector policy in Intersight:
  - Validation tasks will fail:
    - If Intersight Read-only mode is enabled in the claimed device.
    - If the firmware version of the Cisco UCS Standalone C-Series Servers is lower than 4.0(1).
  - If Intersight Read-only mode is enabled, firmware upgrades will be successful only when performed from Intersight. Firmware upgrade performed locally from Cisco IMC will fail.
  - IPMI over LAN privileges will be reset to read-only level if Configuration from Intersight only is enabled through the Device Connector policy, or if the same configuration is enabled in the Device Connector in Cisco IMC.
  Attention: The Device Connector Policy will not be imported as part of the Server Profile Import.
- Ethernet Adapter Policy—Governs the host-side behavior of the adapter, including how the adapter handles traffic. For each VIC Virtual Ethernet Interface, you can configure various features such as VXLAN, NVGRE, ARFS, Interrupt settings, and TCP Offload settings.
  This policy includes the recommended default configurations for the supported server operating systems. The policy supports 16 default configurations. During the policy creation, you can select and import a default configuration.
  Note: You cannot modify the default configurations. However, the policy that has the imported default configuration can be modified.
- Ethernet Network Policy—Allows you to define whether the port carries single-VLAN (Access) or multiple-VLAN (Trunk) traffic. You can configure the Default VLAN and QinQ VLAN settings for vNICs. You can specify the VLAN to be associated with an Ethernet packet if no tag is found.
- Ethernet Network Control Policy—Configures the network control settings for the appliance ports, appliance port channels, or vNICs.
- Ethernet Network Group Policy—Configures the VLAN settings that include Native VLAN and QinQ VLAN for appliance ports, appliance port channels, or vNICs.
- Ethernet QoS Policy—Assigns a system class to the outgoing traffic for a vNIC. This system class determines the quality of service for the outgoing traffic. For certain adapters, you can also specify additional controls like burst and rate on the outgoing traffic.
- Fibre Channel Adapter Policy—Governs the host-side behavior of the adapter, including how the adapter handles traffic. You can enable FCP Error Recovery, change the default settings of Queues, and Interrupt handling for performance enhancement.
  This policy includes the recommended default configurations for the supported server operating systems. The policy supports nine default configurations. During the policy creation, you can select and import a default configuration.
  Note: You cannot modify the default configurations. However, the policy that has the imported default configuration can be modified.
- Fibre Channel Network Policy—Governs the VSAN configuration for the virtual interfaces.
- Fibre Channel QoS Policy—Assigns a system class to the outgoing traffic for a vHBA. This system class determines the quality of service for the outgoing traffic. For certain adapters, you can also specify additional controls like burst and rate on the outgoing traffic.
- IPMI over LAN Policy—Defines the protocols for interfacing with a service processor that is embedded in a server platform. The Intelligent Platform Management Interface (IPMI) enables an operating system to obtain information about the system health and control system hardware, and directs the Cisco IMC to perform the required actions. You can create an IPMI Over LAN policy to manage the IPMI messages through Cisco Intersight. You can assign these user roles to an IPMI user per session:
  - admin—IPMI users can perform all available actions. If you select this option, IPMI users with the "Administrator" user role can create admin, user, and read-only sessions on this server.
  - read-only—Can view information but cannot make any changes. IPMI users with the "Administrator", "Operator", or "User" user roles can only create read-only IPMI sessions, regardless of their other IPMI privileges.
  - user—IPMI users can perform some functions but cannot perform administrative tasks. If you select this option, IPMI users with the "Administrator" or "Operator" user role can create user and read-only sessions on this server.
  Important: The encryption key to use for IPMI communication must have an even number of hexadecimal characters and must not exceed 40 characters. You can use "00" to disable the encryption key use. If the encryption key specified is shorter than 40 characters, the IPMI commands must add zeroes to the encryption key to reach a length of 40 characters.
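The encryption key rules for the IPMI over LAN Policy (hexadecimal characters only, an even number of them, at most 40, "00" meaning the key is disabled, and shorter keys zero-padded to 40 characters) are easy to get wrong when a key is generated or audited by script. The following added example, which is not Intersight code or part of the original page, validates a candidate key against exactly those rules and returns the padded 40-character form. The function names are mine, and padding with trailing zeros is an assumption: the page only says that zeros are added.

```python
"""Validate and normalize an IPMI over LAN encryption key as the policy rules
describe it: hex characters only, an even count, no more than 40 characters,
"00" meaning 'disabled', and any shorter key padded with zeros to 40 characters
(20 bytes). Added example; not Intersight code. Trailing-zero padding is an
assumption, since the page states only that zeros are added."""

import re

MAX_HEX_CHARS = 40       # 20-byte key expressed as 40 hex characters
DISABLE_KEY = "00"       # the documented value that disables the key
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


class IpmiKeyError(ValueError):
    """Raised when a key does not satisfy the policy's formatting rules."""


def validate_ipmi_key(key: str) -> bytes:
    """Return the key as raw bytes if it is well formed, else raise IpmiKeyError."""
    key = key.strip()
    if not key:
        raise IpmiKeyError("key is empty")
    if not HEX_RE.fullmatch(key):
        raise IpmiKeyError("key contains non-hexadecimal characters")
    if len(key) % 2 != 0:
        raise IpmiKeyError(f"key has {len(key)} hex characters; the count must be even")
    if len(key) > MAX_HEX_CHARS:
        raise IpmiKeyError(f"key has {len(key)} hex characters; the maximum is {MAX_HEX_CHARS}")
    return bytes.fromhex(key)


def key_is_disabled(key: str) -> bool:
    """True when the key is the documented 'disabled' value "00"."""
    return key.strip().lower() == DISABLE_KEY


def normalize_ipmi_key(key: str) -> str:
    """Validate the key and pad it to 40 hex characters (assumed: trailing zeros)."""
    raw = validate_ipmi_key(key)
    padded = raw + b"\x00" * (MAX_HEX_CHARS // 2 - len(raw))
    return padded.hex().upper()


if __name__ == "__main__":
    # Constructed candidates: a short valid key, the disabled value, an odd-length
    # key, a non-hex key, and a key that is too long.
    for candidate in ("A1B2C3", "00", "ABC", "ZZ11", "0" * 42):
        try:
            form = normalize_ipmi_key(candidate)
            print(f"{candidate!r} -> {form}" + ("  (key disabled)" if key_is_disabled(candidate) else ""))
        except IpmiKeyError as err:
            print(f"{candidate!r} -> rejected: {err}")
```

When auditing a fleet of policies, treat a key that normalizes to all zeros the same way as the "00" value: both mean the policy is not supplying a key for IPMI sessions, which is worth surfacing as a finding alongside the read-only privilege reset described under the Device Connector Policy.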
- LAN Connectivity Policy—Determines the connections and the network communication resources between the server and the LAN on the network. You must create the Ethernet Adapter, Ethernet QoS, and Ethernet Network policies as part of the LAN connectivity policy. For IMM servers, use a MAC pool, or static MAC addresses, to assign MAC addresses to servers and to identify the vNICs that the servers use to communicate with the network. For more information about creating Network Policies, see Creating Network Policies.
- LDAP Policy—Specifies the LDAP configuration settings and preferences for an endpoint. The endpoints support LDAP to store and maintain directory information in a network. The LDAP policy determines configuration settings for LDAP Servers, DNS parameters including options to obtain a domain name used for the DNS SRV request, Binding methods, Search parameters, and Group Authorization preferences. Through an LDAP policy, you can also create multiple LDAP groups and add them to the LDAP server database.
- Local User Policy—Automates the configuration of local user preferences. You can create one or more Local User policies which contain a list of local users that need to be configured.
- Persistent Memory Policy—Persistent Memory Modules (PMem Modules) are non-volatile memory modules that bring together the low latency of memory and the persistence of storage. PMem Modules provide faster access to data and retain data across power cycles, depending on the mode. Intersight supports the configuration of Intel® Optane™ PMem Modules on the UCS M5 servers that are based on the Second Generation Intel® Xeon® Scalable processors. Intel® Optane™ PMem Modules can be used only with the Second-Generation Intel® Xeon® Scalable processors. The Persistent Memory Policy allows the configuration of Security, Goals, and Namespaces of Persistent Memory Modules:
  - Security—Used to configure the secure passphrase for all the persistent memory modules.
  - Goal—Used to configure volatile memory and regions in all the PMem Modules connected to all the sockets of the server. Intersight supports only the creation and modification of a Goal as part of the Persistent Memory policy. Some data loss occurs when a Goal is modified during the creation or modification of a Persistent Memory Policy. For information on the data loss, see the Data Loss during Persistent Memory Policy Configuration and Deployment table in Resources.
  - Namespaces—Used to partition a region mapped to a specific socket or a PMem Module on a socket. Intersight supports only the creation and deletion of Namespaces as part of the Persistent Memory Policy. Modifying a Namespace is not supported. Some data loss occurs when a Namespace is created or deleted during the creation of a Persistent Memory policy. For information on the data loss, see the Data Loss during Persistent Memory Policy Configuration and Deployment table in Resources.
  It is important to consider the memory performance guidelines and population rules of the Persistent Memory Modules before they are installed or replaced and the policy is deployed. The population guidelines for the PMem Modules can be divided into the following categories, based on the number of CPU sockets:
  - Dual CPU for UCS S3260 M5 servers
  For more information about creating a Persistent Memory policy, exceptions to the policy, and other caveats regarding the policy, see Persistent Memory Policy in Resources.
- SAN Connectivity Policy—Determines the network storage resources and the connections between the server and the SAN on the network. This policy enables you to configure vHBAs that the servers use to communicate with the Storage Area Network. You can use WWNN and WWPN address pools, or static WWNN and WWPN addresses, to add vHBAs and to configure them. You must create the Fibre Channel Adapter, Fibre Channel QoS, and Fibre Channel Network policies as part of the SAN connectivity policy. For more information about creating Network policies, see Creating Network Policies.
- SD Card Policy—Configures the Cisco FlexFlash and FlexUtil Secure Digital (SD) cards for the Cisco UCS C-Series Standalone M4 and M5 servers. This policy specifies details of virtual drives on the SD cards. You can configure the SD cards in the Operating System Only, Utility Only, or Operating System + Utility modes.
  When two cards are present in the Cisco FlexFlash controller and Operating System is chosen in the SD card policy, the configured OS partition is mirrored. If only a single card is available in the Cisco FlexFlash controller, the configured OS partition is non-RAID. The utility partitions are always set as non-RAID.
  Note:
  - This policy is currently not supported on Cisco UCS M6 servers.
  - You can enable up to two utility virtual drives on Cisco UCS M5 servers, and any number of supported utility virtual drives on Cisco UCS M4 servers.
  - Diagnostics is supported only for Cisco UCS M5 servers.
  - User Partition drives can be renamed only on Cisco UCS M4 servers.
  - FlexFlash configuration is not supported on Cisco UCS C460 M4 servers.
  - For the Operating System+Utility mode, the Cisco UCS M4 servers require two FlexFlash cards, and the Cisco UCS M5 servers require at least 1 FlexFlash + 1 FlexUtil card.
- SMTP Policy—Sets the state of the SMTP client in the managed device. You can specify the preferred settings for outgoing communication and select the fault severity level to report and the mail recipients.
- SOL Policy—Enables the input and output of the serial port of a managed system to be redirected over IP. You can create one or more Serial over LAN policies which contain a specific grouping of Serial over LAN attributes that match the needs of a server or a set of servers.
- SSH Policy—Enables an SSH client to make a secure, encrypted connection. You can create one or more SSH policies that contain a specific grouping of SSH properties for a server or a set of servers.
- Simple Network Management Protocol (SNMP) Policy—Configures the SNMP settings for sending fault and alert information by SNMP traps from the managed devices. Any existing SNMP Users or SNMP Traps configured previously on the managed devices are removed and replaced with users or traps that you configure in this policy. If you have not added any users or traps in the policy, the existing users or traps on the server are removed but not replaced.
- Storage Policy—A Storage policy allows you to create drive groups, virtual drives, configure the storage capacity of a virtual drive, and configure the M.2 RAID controllers.
- Syslog Policy—Defines the logging level (minimum severity) to report for a log file collected from an endpoint, the target destination to store the Syslog messages, and the Hostname/IP Address, port information, and communication protocol for the Remote Logging Server(s).
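The "minimum severity" in the Syslog Policy is the least severe level that is still reported, and in syslog the numeric severity runs the other way (0 is emergency, 7 is debug), which is a frequent source of mis-tuned forwarding rules. The following added example, not Intersight code and not part of the original page, shows what a remote logging server or a test harness sees: it decodes the standard syslog PRI prefix (facility * 8 + severity) from a few constructed lines and keeps only those at or above a chosen minimum severity. The function names and sample lines are mine.

```python
"""Apply a Syslog Policy style 'minimum severity' threshold to syslog lines.

Added example, not Intersight code. It decodes the standard <PRI> prefix
(PRI = facility * 8 + severity) that both BSD-style and RFC 5424 messages
carry. The sample lines below are constructed; the function names are mine."""

import re
from typing import Iterable, List, Optional, Tuple

# Standard syslog severities: the lower the number, the more severe the event.
SEVERITIES = {
    "emergency": 0, "alert": 1, "critical": 2, "error": 3,
    "warning": 4, "notice": 5, "informational": 6, "debug": 7,
}

PRI_RE = re.compile(r"^<(\d{1,3})>")
MAX_PRI = 23 * 8 + 7   # largest legal PRI: facility 23 (local7), severity 7


def parse_pri(line: str) -> Optional[Tuple[int, int]]:
    """Return (facility, severity) from the <PRI> prefix, or None if absent or invalid."""
    match = PRI_RE.match(line)
    if not match:
        return None
    pri = int(match.group(1))
    if pri > MAX_PRI:
        return None
    return pri >> 3, pri & 0x7


def filter_by_min_severity(lines: Iterable[str], minimum: str) -> List[str]:
    """Keep lines whose severity is at least as severe as `minimum`.

    A line passes when its numeric severity is <= the threshold, because a
    smaller number is more severe. Lines without a parseable PRI are kept on
    purpose: a filter should not silently drop malformed or unlabelled messages."""
    threshold = SEVERITIES[minimum.lower()]
    kept = []
    for line in lines:
        parsed = parse_pri(line)
        if parsed is None or parsed[1] <= threshold:
            kept.append(line)
    return kept


# Constructed sample messages from a hypothetical endpoint "imc-01".
SAMPLE_LINES = [
    "<34>Oct 11 22:14:15 imc-01 sshd[12]: Failed password for admin",    # auth (4), critical (2)
    "<38>Oct 11 22:14:20 imc-01 sshd[12]: Accepted password for admin",  # auth (4), informational (6)
    "<11>Oct 11 22:15:00 imc-01 kernel: raid: drive 3 failed",           # user (1), error (3)
    "<15>Oct 11 22:15:05 imc-01 app: heartbeat ok",                      # user (1), debug (7)
    "no PRI here: forwarded raw line",                                    # unlabelled, always kept
]

if __name__ == "__main__":
    for line in filter_by_min_severity(SAMPLE_LINES, "warning"):
        print(line)
```

With the minimum set to "warning", the critical and error lines and the unlabelled line are forwarded while the informational and debug lines are dropped; setting the minimum to "debug" forwards everything. Before lowering the threshold on a policy that is applied to many servers, check that the remote logging server has the capacity for the extra volume.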
- Virtual Media Policy—Enables you to install an Operating System on the server using the KVM console and virtual media, mount files to the host from a remote file share, and enable virtual media encryption. You can create one or more Virtual Media policies, which can contain virtual media mappings for different OS images, and configure up to two virtual media mappings, one for ISO files (through CDD), and the other for IMG files (through HDD).
  For more information about the various mount options for the Virtual Media volumes, see Virtual Media Mount options.
- Virtual KVM Policy—Enables a specific grouping of virtual KVM properties. This policy allows you to specify the number of allowed concurrent KVM sessions, port information, and video encryption options.
- IMC Access Policy—Enables you to manage and configure your network by mapping IP pools to the server profile. This policy allows you to configure a VLAN and associate it with an IP address through the IP pool address.
  In-Band IP address, Out-of-Band IP address, or both In-Band and Out-of-Band IP addresses can be configured using IMC Access Policy and are supported on the following:
  - Drive Security, SNMP, Syslog, and vMedia policies
  - vKVM, IPMI, SOL, and vMedia policies using vKVM client
- Power Policy—Enables the management of power for FI-attached servers and chassis. This policy allows you to set the power profiling, the power priority of the server, and the power restore state of the system. For more information, see Creating a Power Policy for Server.
- NTP Policy—Allows you to enable the NTP service on an Intersight Managed Cisco IMC (Standalone) server. The NTP service synchronizes the time with an NTP server. You must enable and configure the NTP service by specifying the IP address or DNS name of a minimum of one and a maximum of four NTP servers.
  The NTP policy also allows you to configure the timezone on the Cisco IMC (Standalone) server. When you enable the NTP service and select a Timezone, Cisco Intersight configures the NTP details and Timezone on the endpoint.
- FC Zone Policy—Allows you to set up access control between hosts and storage devices. You can create a Single Initiator Single Target, or Single Initiator Multiple Target Zone on a VSAN with the scope FC Storage, and attach the Zone policy to the SAN Connectivity policy using the vHBA.
  Note:
  - You can configure zones only when the Fabric Interconnect is in FC switching mode.
  - Configuration drift is not supported for the FC Zone policy.