Configuring Server Policies

Server Policies

Policies in Cisco Intersight provide different configurations for UCS servers, including BIOS settings, firmware versions, disk group creation, Simple Mail Transfer Protocol (SMTP), Intelligent Platform Management Interface (IPMI) settings, and more. Once configured, a policy can be assigned to any number of servers to provide a configuration baseline. Policies in Cisco Intersight are native to the application and are not directly imported from the UCS Systems. Policy-based configuration with Server Profiles is a Cisco Intersight Essentials license tier functionality.

Certain server configurations applied through policies are automatically cleared and reset to default settings in Intersight Managed Mode servers. This occurs under the following conditions: when policies are detached and the profile is re-deployed, when a server is unassigned from a profile, during first-time discovery, decommissioning, or during recommissioning of a server. For more information, see Clearing and Resetting Server Configurations.

To launch the Policies Table View, choose Configure > Policies.

The Server Policy creation wizard in Cisco Intersight has two pages:

  • General—The general page allows you to select the organization and enter a name for your policy. Optionally, include a short description and tag information to help identify the policy. Tags must be in the key:value format. For example, Org: IT or Site: APJ.

  • Policy Details—The policy details page has properties that are applicable to standalone UCS servers, FI-attached UCS servers, or both. You can view these properties separately for All Platforms, UCS Servers (Standalone), and UCS Servers (FI-Attached) by clicking on these options.

Server Policies can be imported as part of importing configuration details (server profiles and policies) of a Cisco C-Series Standalone server from Cisco IMC. For more information, see Importing a Server Profile.

The following list describes the server policies that you can configure in Cisco Intersight.

  • Adapter Configuration Policy—Configures the Ethernet and Fibre-Channel settings for the VIC adapter.

  • BIOS Policy—Automates the configuration of BIOS settings on the managed devices. You can create one or more BIOS policies which contain a specific grouping of BIOS settings. If you do not specify a BIOS policy for a server, the BIOS settings remain as they are. If a BIOS policy is specified, the values that are specified in the policy replace any previously configured values on a server (including bare metal server configuration settings). To apply the BIOS policy settings, you must reboot the server.

    To simplify creating a BIOS policy, you can use a pre-defined Cisco Provided BIOS Configuration. These configurations are ready to use without requiring any modifications. For more information, see Creating a BIOS Policy.


    Note


    If you are using a Cisco Provided Configuration in a policy, you can still modify the configurations while you create the policy. However, you cannot modify the default Cisco Provided Configurations.


  • Boot Order Policy—Allows you to configure the boot mode and your preferred boot device(s). You can specify the order in which the server attempts to boot from the configured devices. The supported boot devices are listed in the Policy Details.

    The inventory view enables you to view the actual boot order configured on a server. The boot order displays the details that include device name, device type, configuration details such as Boot Mode (Legacy or UEFI), and Secure Boot Mode (Enabled or Disabled).


    Note


    A device configured in the server profile of Boot Order Policy may not appear in the actual boot order, if the server BIOS does not detect the device during server boot.


    Intersight provides a One-Time Boot (OTB) option to set a boot device that temporarily overrides the Boot Order Policy and the existing boot order. To set a One-Time Boot Device, select Power Cycle or Power On from the Servers Table view or from the Server Details page and toggle ON the Set One Time Boot Device Option. This operation attempts to boot from the One Time Boot device as part of the power cycle or power on action. After power cycle or power on, OTB configuration will be cleared to enable the next reboot to follow the default Boot Order.


    Note


    • The OTB option is available for servers that have been configured with a Boot Order Policy that is associated with a server profile. For a successful OTB configuration, you must deploy a server profile with a Boot Order Policy in Intersight in advance.

    • Any out-of-band boot order change is not reflected on the Intersight UI for OTB device configuration.


    In the case of PXE Boot configuration, importing the server policy will not create the PXE device under boot policy if either the MAC address or both the slot and port are not present for a given PXE device under the Boot policy on the server. However, if both slot and port are present, boot order is set to ANY for the bootable interface on a given slot on the server. For non-VIC adapters you can configure PXE Boot with the MAC address, or both the slot and port, or slot only.

    In the case of SAN Boot device configuration in the legacy mode, provide the boot target Logical Unit Number (LUN), device slot ID, interface name, and target WWPN. For SAN Boot device configuration in the Unified Extensible Firmware Interface (UEFI) mode, provide the bootloader name, description, and path in addition to the fields listed in the legacy mode.

    In the case of iSCSI Boot, provide the target interface details, authentication mechanism, and initiator IP source. You can configure iSCSI boot using either IPv4 or IPv6.

    In the case of Non-Volatile Memory Express (NVMe) Boot, configure the NVMe drive as bootable in the UEFI mode. During the server profile deployment, this NVMe configuration setting enables selecting the BIOS in a defined order.

  • Certificate Management Policy—Allows you to specify the certificate details for an external certificate and attach the policy to servers. Cisco Intersight currently supports the following certificates:

    • Root CA certificates

    • IMC certificates

  • Disk Group Policy—Disk Group Policy is now a part of Storage Policy.

  • Device Connector Policy—Lets you choose the Configuration from Intersight only option to control configuration changes allowed from Cisco IMC. The Configuration from Intersight only option is enabled by default. You will observe the following changes when you deploy the Device Connector policy in Intersight:

    • Validation tasks will fail:

      • If Intersight Read-only mode is enabled in the claimed device.

      • If the firmware version of the Cisco UCS Standalone C-Series Servers is lower than 4.0(1).

    • If Intersight Read-only mode is enabled, firmware upgrades will be successful only when performed from Intersight. Firmware upgrade performed locally from Cisco IMC will fail.

    • IPMI over LAN privileges will be reset to read-only level if Configuration from Intersight only is enabled through the Device Connector policy, or if the same configuration is enabled in the Device Connector in Cisco IMC.


      Attention


      The Device Connector Policy will not be imported as part of the Server Profile Import.


  • Ethernet Adapter Policy—Governs the host-side behavior of the adapter, including how the adapter handles traffic. For each VIC Virtual Ethernet Interface, you can configure various features such as VXLAN, NVGRE, ARFS, Interrupt settings, and TCP Offload settings.

    To simplify creating an Ethernet Adapter policy, you can use a pre-defined Cisco Provided Ethernet Adapter Configuration. These configurations are ready to use without requiring any modifications. For more information, see Creating an Ethernet Adapter Policy.


    Note


    If you are using a Cisco Provided Configuration in a policy, you can still modify the configurations while you create the policy. However, you cannot modify the default Cisco Provided Configurations.


  • Ethernet Network Policy—Allows you to define the port to carry single VLAN (Access) or multiple VLANs (Trunk) traffic. You can configure the Default VLAN and QinQ VLAN settings for vNICs. You can specify the VLAN to be associated with an Ethernet packet if no tag is found.

  • Ethernet Network Control Policy—Configures the network control settings for the appliance ports, appliance port channels, or vNICs.

  • Ethernet Network Group Policy—Configures the allowed VLAN and native VLAN for the appliance ports, appliance port channels, or vNICs. You can add multiple Ethernet Network Group Policies (ENGPs) on vNICs for LAN Connectivity Policy or vNIC templates. For more information, see Creating a LAN Connectivity Policy.

  • Ethernet QoS Policy—Assigns a system class to the outgoing traffic for a vNIC. This system class determines the quality of service for the outgoing traffic. For certain adapters, you can also specify additional controls like burst and rate on the outgoing traffic.

  • Fibre Channel Adapter Policy—Governs the host-side behavior of the adapter, including how the adapter handles traffic. You can enable FCP Error Recovery, change the default settings of Queues, and Interrupt handling for performance enhancement.

    To simplify creating a Fibre Channel Adapter policy, you can use a pre-defined Cisco Provided Fibre Channel Adapter Configuration. These configurations are ready to use without requiring any modifications. For more information, see Creating a Fibre Channel Adapter Policy.


    Note


    If you are using a Cisco Provided Configuration in a policy, you can still modify the configurations while you create the policy. However, you cannot modify the default Cisco Provided Configurations.


  • Fibre Channel Network Policy—Governs the VSAN configuration for the virtual interfaces.

  • Fibre Channel QoS Policy—Assigns a system class to the outgoing traffic for a vHBA. This system class determines the quality of service for the outgoing traffic. For certain adapters, you can also specify additional controls like burst and rate on the outgoing traffic.

  • IPMI over LAN Policy—Defines the protocols for interfacing with a service processor that is embedded in a server platform. The Intelligent Platform Management Interface (IPMI) enables an operating system to obtain information about the system health and control system hardware and directs the Cisco IMC to perform the required actions. You can create an IPMI Over LAN policy to manage the IPMI messages through Cisco Intersight. You can assign these user roles to an IPMI user per session:

    • admin—IPMI users can perform all available actions. If you select this option, IPMI users with the "Administrator" user role can create admin, user, and read-only sessions on this server.

    • read-only—Can view information but cannot make any changes. IPMI users with the "Administrator", "Operator", or "User" user roles can only create read-only IPMI sessions, regardless of their other IPMI privileges.

    • user—IPMI users can perform some functions but cannot perform administrative tasks. If you select this option, IPMI users with the "Administrator" or "Operator" user role can create user and read-only sessions on this server.


    Important


    Specify the encryption key to use for IPMI communication. The key must have an even number of hexadecimal characters and must not exceed 40 characters. You can use "00" to disable the encryption key use. If the encryption key specified is less than 40 characters, then the IPMI commands must add zeroes to the encryption key to achieve a length of 40 characters.


  • LAN Connectivity Policy—Determines the connections and the network communication resources between the server and the LAN on the network. You must create the Ethernet Adapter, Ethernet QoS, and Ethernet Network policies as part of the LAN connectivity policy. For IMM servers, use a MAC pool, or static MAC addresses, to assign MAC addresses to servers and to identify the vNICs that the servers use to communicate with the network. For more information about creating Network Policies, see Creating Network Policies.

  • LDAP Policy—Specifies the LDAP configuration settings and preferences for an endpoint. The endpoints support LDAP to store and maintain directory information in a network. The LDAP policy determines configuration settings for LDAP Servers, DNS parameters including options to obtain a domain name used for the DNS SRV request, Binding methods, Search parameters, and Group Authorization preferences. Through an LDAP policy, you can also create multiple LDAP groups and add them to the LDAP server database.

  • Local User Policy—Automates the configuration of local user preferences. You can create one or more Local User policies which contain a list of local users that need to be configured.

  • Persistent Memory Policy—Persistent Memory Modules (PMem Modules) are non-volatile memory modules that bring together the low latency of memory and the persistence of storage. PMem Modules provide faster access to data and retain data across power cycles, based on the mode. Intersight supports the configuration of Intel® Optane™ PMem Modules on the UCS M5 servers that are based on the Second Generation Intel® Xeon® Scalable processors. Intel® Optane™ PMem Modules can be used only with the Second-Generation Intel® Xeon® Scalable processors. The Persistent Memory Policy allows the configuration of Security, Goals, and Namespaces of Persistent Memory Modules:

    • Security—Used to configure the secure passphrase for all the persistent memory modules.

    • Goal—Used to configure volatile memory and regions in all the PMem Modules connected to all the sockets of the server. Intersight supports only the creation and modification of a Goal as part of the Persistent Memory policy. Some data loss occurs when a Goal is modified during the creation or modification of a Persistent Memory Policy.

    • Namespaces—Used to partition a region mapped to a specific socket or a PMem Module on a socket. Intersight supports only the creation and deletion of Namespaces as part of the Persistent Memory Policy. Modifying a Namespace is not supported. Some data loss occurs when a Namespace is created or deleted during the creation of a Persistent Memory policy.

      It is important to consider the memory performance guidelines and population rules of the Persistent Memory Modules before they are installed or replaced, and the policy is deployed. The population guidelines for the PMem Modules can be divided into the following categories, based on the number of CPU sockets:

      For more information about creating a Persistent Memory policy, exceptions to the policy, and other caveats regarding the policy, see Persistent Memory Policy.

  • SAN Connectivity Policy—Determines the network storage resources and the connections between the server and the SAN on the network. This policy enables you to configure vHBAs that the servers use to communicate with the Storage Area Network. You can use WWNN and WWPN address pools, or static WWNN and WWPN addresses to add vHBAs and to configure them. You must create the Fibre Channel Adapter, Fibre Channel QoS, and Fibre Channel Network policies as part of the SAN connectivity policy. For more information about creating Network policies, see Creating Network Policies.

  • SD Card Policy—Configures the Cisco FlexFlash and FlexUtil Secure Digital (SD) cards for the Cisco UCS C-Series Standalone M4 and M5 servers. This policy specifies details of virtual drives on the SD cards. You can configure the SD cards in the Operating System Only, Utility Only, or Operating System + Utility modes.

    When two cards are present in the Cisco FlexFlash controller and Operating System is chosen in the SD card policy, the configured OS partition is mirrored. If only a single card is available in the Cisco FlexFlash controller, the configured OS partition is non-RAID. The utility partitions are always set as non-RAID.

    Note


    1. This policy is currently not supported on Cisco UCS M6 servers.

    2. You can enable up to two utility virtual drives on Cisco UCS M5 servers, and any number of supported utility virtual drives on Cisco UCS M4 servers.

    3. Diagnostics is supported only for Cisco UCS M5 servers.

    4. User Partition drives can be renamed only on Cisco UCS M4 servers.

    5. FlexFlash configuration is not supported on Cisco UCS C460 M4 servers.

    6. For the Operating System+Utility mode, the Cisco UCS M4 servers require two FlexFlash cards, and the Cisco UCS M5 servers require at least 1 FlexFlash + 1 FlexUtil card.


  • SMTP Policy—Sets the state of the SMTP client in the managed device. You can specify the preferred settings for outgoing communication and select the fault severity level to report and the mail recipients.

  • SOL Policy—Enables the input and output of the serial port of a managed system to be redirected over IP. You can create one or more Serial over LAN policies which contain a specific grouping of Serial over LAN attributes that match the needs of a server or a set of servers.

  • SSH Policy—Enables an SSH client to make a secure, encrypted connection. You can create one or more SSH policies that contain a specific grouping of SSH properties for a server or a set of servers.

  • Simple Network Management Protocol (SNMP) Policy—Configures the SNMP settings for sending fault and alert information by SNMP traps from the managed devices. Any existing SNMP Users or SNMP Traps configured previously on the managed devices are removed and replaced with users or traps that you configure in this policy. If you have not added any users or traps in the policy, the existing users or traps on the server are removed but not replaced.

  • Storage Policy—A Storage policy allows you to create drive groups, virtual drives, configure the storage capacity of a virtual drive, and configure the M.2 RAID controllers.

  • Syslog Policy—Defines the logging level (minimum severity) to report for a log file collected from an endpoint, the target destination to store the Syslog messages, and the Hostname/IP Address, port information, and communication protocol for the Remote Logging Server(s).

  • Virtual Media Policy—Enables you to install an Operating System on the server using the KVM console and virtual media, mount files to the host from a remote file share, and enable virtual media encryption. You can create one or more Virtual Media policies, which can contain virtual media mappings for different OS images, and configure up to two virtual media mappings, one for ISO files (through CDD), and the other for IMG files (through HDD).

    For more information about the various mount options for the Virtual Media volumes, see Virtual Media Mount options.

  • Virtual KVM Policy—Enables specific grouping of virtual KVM properties. This policy allows you to specify the number of allowed concurrent KVM sessions, port information, and video encryption options.

  • IMC Access Policy—Enables you to manage and configure your network through mapping of IP pools to the server profile. This policy allows you to configure a VLAN and associate it with an IP address through the IP pool address.

    In-Band IP address, Out-of-Band IP address, or both In-Band and Out-of-Band IP addresses can be configured using IMC Access Policy and are supported on the following:

    • Drive Security, SNMP, Syslog, and vMedia policies

    • vKVM, IPMI, SOL, and vMedia policies using vKVM client


    Note


    When both In-Band and Out-of-Band IP addresses are configured, In-Band IP address is the default preference. For more information, see Creating IMC Access Policy section.


  • Power Policy—Enables the management of power for FI-attached servers and chassis. This policy allows you to set the power profiling, the power priority of the server, and the power restore state of the system. For more information, see Creating a Power Policy for Server.

  • NTP Policy—Allows you to enable the NTP service on an Intersight Managed Cisco IMC (Standalone) server. The NTP service synchronizes the time with an NTP server. You must enable and configure the NTP service by specifying the IP address or DNS of a minimum of one to a maximum of four NTP servers.

    NTP policy also allows you to configure the timezone on Cisco IMC (Standalone) server. When you enable the NTP service and select Timezone, Cisco Intersight configures the NTP details and Timezone on the endpoint.

  • FC Zone Policy—Allows you to set up access control between hosts and storage devices. You can create a Single Initiator Single Target, or Single Initiator Multiple Target Zone on a VSAN with the scope FC Storage, and attach the Zone policy to the SAN Connectivity policy using the vHBA.


    Note


    • You can configure zones only when the Fabric Interconnect is in FC switching mode.

    • Configuration drift is not supported for the FC Zone policy.
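The key rules stated under IPMI over LAN Policy above (even number of hexadecimal characters, at most 40, "00" disables key use, shorter keys are zero-padded to 40) can be checked before a policy is deployed. The following is an added example, not Cisco code; the policy names and keys are constructed, and it assumes the zeroes are appended at the end of the key, which the page does not specify. It also shows that two different policy values can pad to the same effective key.

```python
import re
from collections import defaultdict

KEY_LEN = 40  # full key length in hexadecimal characters, from the policy note
HEX_RE = re.compile(r"[0-9A-Fa-f]+")


def check_ipmi_key(key):
    """Return the rule violations for a policy key value (empty list = valid)."""
    if not key:
        return ["key is empty"]
    problems = []
    if not HEX_RE.fullmatch(key):
        problems.append("contains non-hexadecimal characters")
    if len(key) % 2:
        problems.append("odd number of characters")
    if len(key) > KEY_LEN:
        problems.append("longer than 40 characters")
    return problems


def effective_key(key):
    """Return the 40-character key an IPMI client has to supply.

    Assumption: the zeroes are appended; the page does not say which end.
    """
    problems = check_ipmi_key(key)
    if problems:
        raise ValueError("; ".join(problems))
    return key.upper().ljust(KEY_LEN, "0")


def review_keys(policies):
    """Classify each {policy name: key} entry and group equivalent keys."""
    status, by_effective = {}, defaultdict(list)
    for name, key in policies.items():
        problems = check_ipmi_key(key)
        if problems:
            status[name] = "invalid: " + "; ".join(problems)
            continue
        padded = effective_key(key)
        if set(padded) == {"0"}:
            # "00" disables key use; under the padding assumption any
            # all-zero value pads to that same key.
            status[name] = "encryption key disabled"
        elif len(key) < KEY_LEN:
            status[name] = "valid, clients must pad %d zeroes" % (KEY_LEN - len(key))
        else:
            status[name] = "valid"
        by_effective[padded].append(name)
    shared = sorted(sorted(n) for n in by_effective.values() if len(n) > 1)
    return status, shared


# Constructed sample policies (names and keys are made up for this example).
SAMPLE = {
    "ipmi-lab": "00",
    "ipmi-prod-a": "A1B2C3D4",
    "ipmi-prod-b": "a1b2c3d400",
    "ipmi-full": "0123456789ABCDEF0123456789ABCDEF01234567",
    "ipmi-typo": "A1B2C",
    "ipmi-long": "AB" * 21,
}

if __name__ == "__main__":
    status, shared = review_keys(SAMPLE)
    for name in sorted(status):
        print(f"{name}: {status[name]}")
    print("same effective key:", shared)
```
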


Clearing and Resetting Server Configurations

Cisco Intersight automatically clears and resets endpoint configurations associated with certain server policies in Intersight Managed Mode. This functionality reverts endpoint configurations to their default settings, ensuring reliable and consistent configuration management. It prevents issues caused by residual configurations during various server lifecycle events. Intersight resets server configurations in the following scenarios:

  • During the first-time discovery of a server.

  • During the recommissioning of a server.

  • When a server is unassigned from a profile.

  • When policies are detached from a deployed profile and the profile is re-deployed on a server.


Note


  • When a profile is deployed or undeployed, a workflow is triggered to clear the current configuration and apply default configuration. You can track the progress of the workflow in the Requests tab.

  • The status of the profiles with detached policies that have not been re-deployed is shown as Inconsistent with pending changes on the Server Profile Details View. This status clears during the next profile deployment, when the configurations of the detached policies reset.


The configuration reset causes the following changes to the server configurations:

  • BIOS Policy—All the tokens are reset to platform-default. For more information on the platform-defaults, see Cisco UCS Server BIOS Token.

  • Boot Order Policy—Boot devices are removed. Boot mode is set to UEFI and Secure boot is disabled. Server boots to UEFI shell on restart.

  • Certificate Management Policy—When a server is unassigned from a server profile, the Root CA certificates and IMC certificates are deleted. However, during the first-time discovery or recommissioning of the server, the certificates are not deleted.

  • IMC Access Policy—In-Band and Out-Of-Band settings are cleared.

  • IPMI over LAN Policy—IPMI over LAN is disabled, and the Encryption Key is set to 0.

  • LAN Connectivity Policy—vNICs are removed.

  • Local User Policy—The admin account is assigned a random, undisclosed password, effectively disabling it. You can deploy the Server Profile to set the admin account password. All other user accounts are deleted.

  • Memory Policy—DIMM blocklisting is disabled.

  • Power Policy—Power profiling is enabled, Power Priority is set to Low, and Power Restore is set to Always Off.

  • SAN Connectivity Policy—vHBAs are removed.

  • Serial Over LAN Policy—Serial over LAN is disabled and the Baud Rate is set to 115200.

  • SNMP Policy—SNMP is disabled, the Port is set to 161, and all SNMP users and traps are deleted.

  • Syslog Policy—Minimum Severity to Report is set to Debug in Local Logging, and the remote logging servers are removed.

  • Thermal Policy—FanControlMode is set to Acoustic mode.

  • Virtual KVM Policy—Virtual KVM is enabled and Remote Port is set to 2068.

  • Virtual Media Policy—Virtual Media is enabled, and the Virtual Media mounts are removed.

  • UUID—The UUID address is cleared.

  • Asset Tag—Is cleared.

  • User Label—Is cleared.

The following server policy configurations will not be impacted or modified by this functionality:

  • Firmware Policy

  • Drive Security Policy

  • SD Card Policy

  • Storage Policy

  • Scrub Policy
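Several of the reset values listed above are security-relevant: Secure Boot disabled, remote logging servers removed, Virtual KVM and Virtual Media enabled. The following added example (not Cisco code) flags a server whose settings match the documented reset defaults and lists where it deviates from an organization baseline. The dotted setting names, the baseline, and both sample snapshots are constructed for illustration and are not Intersight API fields.

```python
# Values Intersight applies on a configuration reset, taken from the list
# above. The dotted key names are hypothetical, not Intersight API fields.
RESET_DEFAULTS = {
    "boot.mode": "UEFI",
    "boot.secure_boot": False,
    "boot.devices": [],
    "ipmi.enabled": False,
    "sol.enabled": False,
    "sol.baud_rate": 115200,
    "snmp.enabled": False,
    "snmp.port": 161,
    "syslog.local_min_severity": "Debug",
    "syslog.remote_servers": [],
    "vkvm.enabled": True,
    "vkvm.remote_port": 2068,
    "vmedia.enabled": True,
    "vmedia.mounts": [],
}

# Constructed organization baseline for this example (not a Cisco recommendation).
BASELINE_EQUALS = {
    "boot.secure_boot": True,
    "vmedia.enabled": False,
    "syslog.local_min_severity": "Warning",
}
BASELINE_NONEMPTY = ("boot.devices", "syslog.remote_servers")


def reset_matches(snapshot):
    """Return the settings whose value equals the documented reset default."""
    return sorted(k for k, v in RESET_DEFAULTS.items()
                  if k in snapshot and snapshot[k] == v)


def looks_reset(snapshot, threshold=0.9):
    """True when nearly all observed settings sit at their reset default."""
    known = [k for k in RESET_DEFAULTS if k in snapshot]
    if not known:
        return False
    return len(reset_matches(snapshot)) / len(known) >= threshold


def audit(snapshot):
    """List baseline deviations; mark those that equal the reset default."""
    findings = []

    def add(key, expected, actual):
        at_default = key in RESET_DEFAULTS and actual == RESET_DEFAULTS[key]
        findings.append({"setting": key, "expected": expected,
                         "actual": actual, "reset_default": at_default})

    for key, expected in BASELINE_EQUALS.items():
        if snapshot.get(key) != expected:
            add(key, expected, snapshot.get(key))
    for key in BASELINE_NONEMPTY:
        if not snapshot.get(key):
            add(key, "non-empty", snapshot.get(key))
    return findings


# Constructed snapshots: one server unassigned from its profile, one deployed.
UNASSIGNED_SERVER = dict(RESET_DEFAULTS)
DEPLOYED_SERVER = dict(RESET_DEFAULTS, **{
    "boot.secure_boot": True,
    "boot.devices": ["M.2 RAID"],
    "snmp.enabled": True,
    "syslog.local_min_severity": "Warning",
    "syslog.remote_servers": ["192.0.2.10"],
    "vmedia.enabled": False,
})

if __name__ == "__main__":
    for name, snap in (("unassigned", UNASSIGNED_SERVER), ("deployed", DEPLOYED_SERVER)):
        print(name, "looks reset:", looks_reset(snap))
        for f in audit(snap):
            print("  ", f)
```
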

Creating a Policy

In Cisco Intersight, you can create a UCS Server or UCS Domain policy by using the policy wizard. To create and configure a new policy, do the following:

Procedure


  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select UCS Server > <A UCS server policy>.

  4. Click Start to begin configuring the policy.

  5. On the General page, enter the Name of the policy. Optionally, enter a Description and Set Tags.

  6. On the Policy Details page, configure policy properties.

    Some policy properties may be applicable to specific target platforms—Standalone UCS servers, FI-attached UCS servers, or both. You can view these properties separately for All Platforms, UCS Servers (Standalone), and UCS Servers (FI-Attached) by clicking on these options. The properties that are applicable only to Standalone servers or FI-Attached servers are indicated by an icon alongside the property.

  7. Click Create.


Supported UCS Server Policies

The following table provides a list of UCS server policies and the managed devices on which they are supported. All the server policies listed in this table are available with a Cisco Intersight Essentials license tier.

The Supported Servers columns of the table, in order, are:

  • Cisco UCS C-Series, Standalone: M4, M5, M6, M7, M8

  • Cisco UCS C-Series, IMM: M5, M6, M7, M8

  • Cisco UCS B-Series, IMM: M5, M6

  • Cisco UCS X-Series, IMM: M6, M7, M8

Each line below gives a UCS Server Policy followed by the entries of its row in column order. Cells that are empty in the table are not listed.

Adapter Configuration Policy: Yes, Yes, Yes, Yes, Yes
BIOS Token Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Boot Order Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Certificate Management Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Device Connector Policy: Yes, Yes, Yes, Yes, Yes
Drive Security Policy: No, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Ethernet Adapter Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Ethernet Network Control Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Ethernet Network Group Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Ethernet Network Policy: Yes, Yes, Yes, Yes, Yes
Ethernet QoS Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
FC Zone Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Fibre Channel Adapter Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Fibre Channel Network Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Fibre Channel QoS Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Firmware Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
IMC Access Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
IPMI Over LAN Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
iSCSI Adapter Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
iSCSI Boot Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
iSCSI Static Target Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
LAN Connectivity Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
LDAP Policy: Yes, Yes, Yes, Yes, Yes
Local User Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Memory Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Network Connectivity Policy: Yes, Yes, Yes, Yes, Yes
NTP Policy: Yes, Yes, Yes, Yes, Yes
Persistent Memory Policy: Yes, Yes, No, No
Power Policy: Partially supported *1, Partially supported *1, Partially supported *1, Partially supported *3, Partially supported *1, Partially supported *1, Partially supported *1, Partially supported *3, Yes, Yes, Yes, Yes, Yes
SAN Connectivity Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Scrub Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
SD Card Policy: Yes, Yes, Yes, Yes
Serial Over LAN (SoL) Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
SMTP Policy: Yes, Yes, Yes, Yes, Yes
SNMP Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
SSH Policy: Yes, Yes, Yes, Yes, Yes
Storage Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Syslog Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Thermal Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, *2, *2, *2, *2, *2
Virtual KVM Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Virtual Media Policy: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Server Pool Qualification Policy: Yes *4, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes

*1 Only Power Restore capability is supported.

*2 For Cisco UCS B-Series and X-Series servers, assign a Thermal Policy at the Chassis Profile level.

*3 Power Restore and Processor Package Power Limit (PPL) properties are supported.

*4 Server PID qualifier is not supported for C-Series M4 Standalone server.

Creating a Certificate Management Policy

The Certificate Management policy allows you to specify the certificate details for an external certificate and attach the policy to a server profile or to a domain profile. Cisco Intersight currently supports the following certificates:

  • Root CA certificates: A Root CA certificate is necessary for HTTPS boot authentication for a server or for secure LDAP authentication to the Device Console of a Fabric Interconnect. You can deploy a maximum of 10 Root CA certificates using the Certificate Management Policy for a server, and a maximum of five Root CA certificates for a domain. For a successful boot or a secure LDAP authentication, at least one valid and unexpired Root CA certificate is required.


    Note


    • In Intersight Managed Mode servers, removing a server profile will delete the Root CA certificates from the CIMC.

      However, for C-Series servers in Standalone mode, the Root CA certificates are not automatically removed. You must manually delete them from CIMC or perform a factory reset on the server. Additionally, when you export the profile of a C-Series server in Standalone mode, the certificate management policy will not be included.

    • The deployed domain profile should be attached to an LDAP policy for device console authentication using an LDAP server.

    • The deployed domain profile should be attached to an LDAP policy and a Certificate Management policy if authentication is to be done through a secure channel.


  • IMC certificates: An IMC certificate is used to set up the HTTPS server certificate for Intersight Managed Mode servers to enable trusted KVM connections. This option is available only for Intersight Managed Mode servers.

    The table below lists the certificates supported on different platforms:

    Supported Certificate | Standalone Server | IMM Server | UCS Domain
    Root Certificate      | Yes               | Yes        | Yes
    IMC Certificate       | No                | Yes        | No

  1. Log in to Cisco Intersight with the Account Administrator, Server Administrator, or Domain Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Certificate Management, and then click Start.

  4. On the General page, configure the following parameters:

    Property               | Description
    Organization           | Select the Organization.
    Name                   | Enter a name for your policy.
    Set Tags (Optional)    | Enter a tag in the key:value format. For example, Org: IT or Site: APJ.
    Description (Optional) | Enter a short description.

  5. On the Policy Details page, navigate to the required tab (UCS Server (Standalone) or UCS Server (FI-Attached)), add the certificate that you want to provide, and configure the following parameters:

    Property

    Description

    Root CA

    • Certificate Name—Enter the name of the certificate.

    • Certificate—Enter the certificate details. For a domain, get the certificate details from the LDAP Server admin.

    IMC

    • Certificate—Enter the certificate details.

    • Private Key—Enter the private key details for the certificate.

    Note: This option is available only for Intersight Managed Mode servers.

  6. Click Create.

When downgrading the firmware, you must unconfigure the Certificate Management policy from the profile by removing the policies and then redeploying the profile.

To know about the supported infrastructure firmware versions for the Certificate Management policy, see Supported Systems.

Creating an Adapter Configuration Policy

An Adapter Configuration Policy configures the Ethernet and Fibre-Channel settings for the Virtual Interface Card (VIC) adapter.


Note


This policy, if attached to a server profile that is assigned to an Intersight Managed Fabric Attached server, will be ignored.


  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Adapter Configuration, and then click Start.

  4. On the General page, configure the following parameters:

    | Property | Essential Information |
    |---|---|
    | Organization | Select the Organization. |
    | Name | Enter a name for your policy. |
    | Description (Optional) | Provide a short description. |
    | Set Tags (Optional) | Enter a tag in the key:value format. For example, Org: IT or Site: APJ. |

  5. On the Policy Details page, click Add VIC Adapter Configuration and configure the following parameters:

    Property

    Essential Information

    Add VIC Adapter Configuration

    PCI Slot

    The PCI slot in which the adapter is installed.

    The range is from 1 to 15 and MLOM.

    LLDP

    The LLDP protocol status on the adapter interface.

    If checked, then Link Layer Discovery Protocol (LLDP) enables all the Data Center Bridging Capability Exchange protocol (DCBX) functionality, which includes FCoE and priority-based flow control.

    Note

     

    LLDP is available only on some UCS C-Series servers.

    We recommend that you do not disable the LLDP option, as doing so disables all the DCBX functionality.

    FIP

    The FIP protocol status on the adapter interface.

    If checked, then FCoE Initialization Protocol (FIP) mode is enabled. FIP mode ensures that the adapter is compatible with current FCoE standards.

    Note

     

    We recommend that you use the FIP option only when explicitly directed to do so by a technical support representative.

    Port Channel

    The port channel status on the adapter interface.

    When Port Channel is enabled, two vNICs and two vHBAs are available for use on the adapter card. When disabled, four vNICs and four vHBAs are available for use on the adapter card. Disabling port channel reboots the server.

    Note

     

    Port Channel is supported only for Cisco VIC 1455/1457 adapters.

    Enable Physical NIC Mode

    When Physical NIC Mode is enabled, uplink ports of the VIC are set to pass-through mode.

    Note

     
    • Enabling Physical NIC Mode reboots the server.

    • Physical NIC Mode supports UCS VIC 1400 Series and VIC 15000 Series adapters.

    • The default VLAN option is disabled (greyed out) for ACCESS or TRUNK mode when using a physical NIC.

    • The minimum supported VIC firmware version for physical NIC mode is 5.3(5.14).

    • This feature is not supported for Cisco Intersight Managed FI Attached servers.

    • Only default vNICs will be added if the Physical NIC mode is enabled.

    After the Physical NIC Mode switch, vNIC configurations will be lost and new default vNICs will be created.

    Click Ok.

    In Trunk Mode:

    In addition to configuring the Cisco VIC adapter policy, you can set up a sub-interface on a bare metal Linux host with a specific VLAN to ensure packets are correctly VLAN tagged. Similarly, a virtual switch can be created on an ESXi Hypervisor and added to a virtual machine. It is recommended to collaborate with the Host OS vendor for these configurations.

    DCE Interface

    The Forward Error Correction (FEC) mode setting for the DCE interfaces of the adapter.

    Note

     

    FEC mode setting is supported only for Cisco VIC 14xx adapters. FEC mode 'cl74' is unsupported for Cisco VIC 1495/1497. This setting will be ignored for unsupported adapters and for unavailable DCE interfaces.

  6. Click Add.

  7. Click Create.

Creating a LAN Connectivity Policy

A LAN Connectivity Policy determines the connections and the network communication resources between the server and the LAN on the network. You can specify MAC address pools, or static MAC addresses, to assign MAC addresses to servers and to identify the vNICs that the servers use to communicate with the network.

Prerequisites

Choose the following sub-policies or pool as per your requirement to create the LAN Connectivity policy:

  • Ethernet Network Policy—Specify if the port should carry single VLAN (Access) or multiple VLANs (Trunk) traffic. You can specify the VLAN to be associated with an Ethernet packet if no tag is found.

  • Ethernet QoS Policy—Configure the maximum size for a Fibre Channel frame payload that the virtual interface supports, limit the data rate on the virtual interface, associate a Class of Service to the traffic on the virtual interface.

  • Ethernet Adapter Policy—Configure features like Virtual Extensible LAN (VXLAN), Network Virtualization using Generic Routing Encapsulation (NVGRE), Accelerated Receive Flow Steering (ARFS), EtherChannel Pinning, Interrupt settings, RoCE, and TCP Offload settings to govern the host side behavior of the adapter.

  • IQN Pool—You can configure the Prefix and Suffix for the IQN block, the first suffix number in the block, and the number of identifiers the block can hold.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select LAN Connectivity, and then click Start.

  4. On the General page, enter the following information:

    • Name of your policy.

    • Target Platform for which the policy is applicable. This can be Standalone servers or FI Attached servers.

      A LAN Connectivity Policy created for Standalone servers cannot be deployed on FI Attached servers. Similarly, a LAN Connectivity Policy created for FI Attached servers cannot be deployed on Standalone servers.

    • Description to help identify the policy.

    • Set Tags for the policy. Tags must be in the key:value format. For example, Org: IT or Site: APJ.

  5. On the Policy Details page, configure the following:

    • For an FI-attached server, turn the Enable Azure Stack Host QoS button ON, to successfully deploy the Azure Stack QoS capability on the adapter with RDMA enabled.

      Enabled—Enabling AzureStack-Host QoS on an adapter allows the user to carve out traffic classes for RDMA traffic and ensure a desired portion of the bandwidth is allocated to it.

      Disabled—Disables the Azure Stack Host QoS feature on the adapter.

    • Specify whether no IQN, an IQN pool, or a unique IQN identifier is to be associated with the policy by selecting None, Pool, or Static.

      • None—If you select this option, you do not have to specify any IQN details.

      • Pool—If you select this option, select the IQN pool that you want to associate with the LAN Connectivity policy.

      • Static—If you select this option, enter a static IQN for use as initiator identifiers by iSCSI vNICs in a Fabric Interconnect domain.

    • Select the placement option for each vNIC—Manual or Auto

      • Manual vNIC Placement—If you select this option, you must manually specify the placement for each vNIC. You can also use the Graphic vNICs Editor to create and specify the placement for each vNIC manually by adding vNICs and slots, and defining the connection between them.


        Note


        • For manual placement, PCI Link is not supported on UCS VIC 1400 Series adapters.

        • If a LAN Connectivity Policy has both Simple and Advanced placements, ensure the number provided in PCI Order is appropriate to prevent Server Profile deployment failure.


      • Auto vNIC Placement—If you select this option, vNIC placement will be done automatically during profile deployment. This option is available only for Cisco Intersight Managed FI Attached servers.


        Note


        • Cisco UCS VIC 1300 Series adapters auto-upgrade is supported on B-Series server with Cisco Server firmware version 4.2(2e) and above.

        • Discovery of a C-Series server will not get triggered if the server with Cisco UCS VIC 1300 Series adapters has a Cisco Server firmware version lower than 4.2(2g). Upgrade the Cisco Server firmware to 4.2(2g) to enable server discovery.


  6. To set up a vNIC without using a template, click Add vNIC and configure the following parameters:

    Property

    Essential Information

    Add vNIC

    Ensure that you configure eth0 and eth1 interfaces for each VIC adapter you configure. You can add additional vNICs depending on your network requirements.

    Name

    vNIC name.

    Pin Group Name

    Name of the pin group that contains the specific port/port channels. All traffic from the vNIC is pinned to the specified uplink Ethernet ports or port channels.

    Note

     

    The pin group can be defined while creating a Port policy.

    If you do not assign a pin group to a vNIC, an uplink Ethernet port or port channel for traffic is chosen from that server interface dynamically. This choice is not permanent. A different uplink Ethernet port or port channel may be used for traffic from that server interface after an interface flap or a server reboot.

    MAC Address Pool

    Click Select Pool and choose a MAC address pool for MAC address assignment.

    Static

    Click Static and enter a static MAC address for MAC address assignment. This option is available only for Cisco Intersight Managed FI Attached servers.

    Placement

    Placement Settings for the virtual interface.

    Simple

    When you select Simple Placement, the Slot ID and PCI Link are determined automatically by the system. vNICs are deployed on the first VIC. The slot ID determines the first VIC. Slot ID numbering begins with MLOM, and thereafter it keeps incrementing by 1, starting from 1. The PCI link is always set to 0.

    Switch ID

    Refers to the Fabric Interconnect that carries the vNIC traffic.

    PCI Order

    The order in which the virtual interface is brought up. The order assigned to an interface should be unique and in sequence starting with "0" for all the Ethernet and Fibre-Channel interfaces on each PCI link on a VIC adapter. The maximum value of PCI order is limited by the number of virtual interfaces (Ethernet and Fibre-Channel) on each PCI link on a VIC adapter.

    Note

     

    You cannot change the PCI order of two vNICs without deleting and recreating the vNICs.

    Advanced

    Automatic Slot ID Assignment

    When enabled, slot ID is determined automatically by the system.

    Slot ID

    When automatic slot ID assignment is disabled, the slot ID needs to be entered manually.

    Supported values are (1-15) and MLOM.

    PCI link

    The PCI link used as transport for the virtual interface.

    PCI Link is only applicable for select Cisco UCS VIC 1300 Series models (UCSC-PCIE-C40Q-03, UCSB-MLOM-40G-03, UCSB-VIC-M83-8P) that support two PCI links. The value, if specified, for any other VIC model will be ignored.

    Note

     

    The host device order can get impacted when using both the PCI links and while adding or removing vNICs.

    Automatic PCI link Assignment

    When enabled, PCI link is determined automatically by the system.

    Note

     
    • If Automatic assignment is enabled for both Slot ID and PCI link, then the behavior is same as Simple placement. All the vNICs are placed on the same PCI link (link 0).

    • If Automatic Slot ID assignment is disabled but automatic PCI link assignment is enabled, then you need to provide the slot ID and the vNIC will be placed on PCI link 0.

    Load Balanced

    When Automatic PCI link assignment is disabled and Load Balanced is enabled, the system uniformly distributes the interfaces across the PCI Links.

    • If automatic PCI link assignment is disabled and automatic Slot ID is enabled, you need to specify the PCI order to load balance the vNICs.

    • If both automatic PCI link assignment and automatic Slot ID are disabled, you need to specify the slot and the PCI order to load balance the vNICs.

    Note

     

    You cannot change the PCI link mode of two vNICs from Load Balanced mode to Custom mode without deleting and recreating the vNICs.

    Custom

    • If automatic PCI link assignment is disabled and automatic Slot ID is enabled, you need to provide the value of the PCI order, PCI link, and Switch ID.

    • If both automatic PCI link assignment and automatic Slot ID assignment are disabled, you need to provide the values of the Slot ID, PCI order and the PCI link.

    Note

     

    You cannot change the PCI link mode of two vNICs from Custom mode to Load Balanced mode without deleting and recreating the vNICs.

    Consistent Device Naming (CDN)

    Consistent Device Naming configuration for the virtual NIC.

    Source

    Whether the source of the CDN name is the name of the vNIC instance or a user-defined name.

    Failover

    Enabling failover ensures that traffic automatically fails over from one uplink to another in case of an uplink failure.

    Ethernet Network Policy

    Select or create an Ethernet Network policy.

    Note

     

    This sub-policy is applicable only for the LAN Connectivity Policy on Standalone servers.

    Ethernet Network Group Policy

    Select or create one or more Ethernet Network Group policies. You can add multiple Ethernet Network Group Policies (ENGPs) on vNICs. The maximum number of Ethernet Network Group policies is restricted to 50, including shared policies.

    Note

     
    • This sub-policy is applicable only for the LAN Connectivity Policy on FI-attached servers.

    • You can associate only one Ethernet Network Group policy with a vNIC if QinQ is configured.

    • The native VLAN must be the same across all ethernet network group policies, or must be set in only one ethernet network group policy.

    Ethernet Network Control Policy

    Select or create an Ethernet Network Control policy.

    Note

     

    This sub-policy is applicable only for the LAN Connectivity Policy on FI-attached servers.

    Ethernet QoS Policy

    Select or create an Ethernet QoS policy.

    Ethernet Adapter Policy

    Select or create an Ethernet Adapter policy.

    iSCSI Boot Policy

    Select or create an iSCSI Boot policy.

    Note

     

    This sub-policy is applicable only for the LAN Connectivity Policy on FI-attached servers.

    Connection: Disabled/usNIC/VMQ/SR-IOV

    Disabled

    Does not configure a connection policy.

    usNIC

    User Space NIC Settings that enable low-latency and higher throughput by bypassing the kernel layer when sending/receiving packets.

    Number of usNICs

    Number of usNIC interfaces to be created.

    usNIC Adapter Policy

    Select the Ethernet Adapter policy to be associated with the usNICs.

    Class of Service

    Class of service to be used for traffic on the usNIC.

    VMQ

    Virtual Machine Queue Settings for the virtual interface that allow efficient transfer of network traffic to the guest operating system.

    Enable Virtual Machine Multi-Queue

    Enables Virtual Machine Multi-Queue (VMMQ) option on the virtual interface. VMMQ allows configuration of multiple I/O queues for a single VM and thus distributes traffic across multiple CPU cores in a VM.

    Number of Interrupts

    The number of interrupt resources to be allocated. Recommended value is the number of CPU threads or logical processors available in the server.

    Number of Virtual Machine Queues

    The number of hardware Virtual Machine Queues to be allocated. The number of VMQs per adapter must be one more than the maximum number of VM NICs.

    Note

     

    The value should be at least 2 to enable EtherChannel pinning.

    Number of Sub vNICs

    Number of Sub vNICs to be created for Multi Queue.

    Note

     

    This property displays only when Enable Virtual Machine Multi-Queue is enabled.

    VMMQ Adapter Policy

    Select an Ethernet Adapter policy to be associated with the Sub vNICs. The Transmit Queue and Receive Queue resource value of VMMQ adapter policy should be greater than or equal to the configured number of sub vNICs.

    Note

     

    This property displays only when Enable Virtual Machine Multi-Queue is enabled.

    SR-IOV

    Single Root Input/Output Virtualization (SR-IOV) allows multiple VMs running a variety of Linux guest operating systems to share a single PCIe network adapter within a host server. SR-IOV allows a VM to move data directly to and from the vNIC, bypassing the hypervisor for increased network throughput and lower server CPU overhead.

    Number of VFs

    Number of VFs to create. Enter a value between 1 and 64. Default value is 64.

    Receive Queue Count Per VF

    Number of Receive Queue resources to configure for each VF. Enter a value between 1 and 8. Default value is 4.

    Transmit Queue Count Per VF

    Number of Transmit Queue resources to configure for each VF. Enter a value between 1 and 8. Default value is 1.

    Completion Queue Count Per VF

    Number of Completion Queue resources to configure for each VF. Enter a value between 1 and 16. Default value is 5.

    Interrupt Count Per VF

    Number of interrupts to configure for each VF. Enter a value between 1 and 16. Default value is 8.

  7. To derive vNIC for FI-attached servers using a vNIC template, choose vNIC from Template from the Add drop-down list. For more information on creating vNIC templates, see Creating vNIC or vHBA Templates.


    Note


    • When deriving a vNIC from a template, the vNIC configuration is auto-populated from the template configuration. You can edit or delete parameters, which are enabled for configuration override through the vNIC template. For parameters that are not enabled for override, you can only view the configurations using the Eye icon.

    • The parameters that have been overridden are indicated using an Overridden label. In the case of override-enabled parameters, the changes applied in the template are not reflected in the derived vNIC.

    • In the derived vNIC instance, you can modify only those parameters that are not included in the template.

    • If you attempt to derive a vNIC from a template while profile deployment is in progress, the task will be retried until the profile deployment is completed. You can find these details in the Requests tab.


  8. Click Create.
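The placement, Ethernet Network Group and SR-IOV rules from the property table above can be checked before a profile is deployed. The following Python is an added example, not Cisco code; the dict layout, key names and the `lint_lan_connectivity` function are assumptions for illustration and do not mirror the Intersight API.

```python
"""Pre-deployment lint for a LAN Connectivity policy held as plain dicts.

Key names are hypothetical (chosen for this example); the rules are the ones
stated in the vNIC property table of this section.
"""
from collections import defaultdict

VALID_SLOTS = {"MLOM"} | {str(n) for n in range(1, 16)}  # Slot ID: 1-15 and MLOM
MAX_ENGP = 50                                            # per vNIC, shared included
SRIOV_RANGES = {                                         # SR-IOV rows of the table
    "vfs": (1, 64),
    "rx_queues_per_vf": (1, 8),
    "tx_queues_per_vf": (1, 8),
    "completion_queues_per_vf": (1, 16),
    "interrupts_per_vf": (1, 16),
}


def lint_lan_connectivity(policy, vhbas=()):
    """Return findings for one policy; an empty list means no rule was broken.

    vhbas: Fibre-Channel interfaces, passed in because PCI order is shared by
    Ethernet and Fibre-Channel interfaces on the same PCI link.
    """
    findings = []
    fi_attached = policy["target_platform"] == "FIAttached"
    orders = defaultdict(list)   # (slot, pci_link) -> [pci_order, ...]
    names = defaultdict(set)     # slot -> vNIC names

    for vnic in policy["vnics"]:
        name, slot = vnic["name"], str(vnic.get("slot_id", "MLOM"))
        if slot not in VALID_SLOTS:
            findings.append(f"{name}: slot ID {slot} is not 1-15 or MLOM")
        orders[(slot, vnic.get("pci_link", 0))].append(vnic["pci_order"])
        names[slot].add(name)

        if vnic.get("static_mac") and not fi_attached:
            findings.append(f"{name}: static MAC needs an FI-attached target")

        groups = vnic.get("eth_network_groups", [])
        if groups and not fi_attached:
            findings.append(f"{name}: Ethernet Network Group policy needs an FI-attached target")
        if len(groups) > MAX_ENGP:
            findings.append(f"{name}: {len(groups)} group policies, limit is {MAX_ENGP}")
        if len(groups) > 1 and any(g.get("qinq") for g in groups):
            findings.append(f"{name}: QinQ allows only one Ethernet Network Group policy")
        # Native VLAN: identical everywhere it is set, or set in one policy only.
        native = {g["native_vlan"] for g in groups if g.get("native_vlan") is not None}
        if len(native) > 1:
            findings.append(f"{name}: native VLAN differs across group policies: {sorted(native)}")

        for key, (low, high) in SRIOV_RANGES.items():
            value = vnic.get("sriov", {}).get(key)
            if value is not None and not low <= value <= high:
                findings.append(f"{name}: SR-IOV {key}={value} outside {low}-{high}")

    for vhba in vhbas:
        link = (str(vhba.get("slot_id", "MLOM")), vhba.get("pci_link", 0))
        orders[link].append(vhba["pci_order"])

    # PCI order must be unique and in sequence from 0 on each PCI link.
    for (slot, link), used in sorted(orders.items()):
        if sorted(used) != list(range(len(used))):
            findings.append(f"slot {slot} link {link}: PCI order {sorted(used)} "
                            "is not unique and sequential from 0")
    # eth0 and eth1 are expected on every configured VIC adapter.
    for slot, present in sorted(names.items()):
        missing = {"eth0", "eth1"} - present
        if missing:
            findings.append(f"slot {slot}: missing {', '.join(sorted(missing))}")
    return findings


# Constructed sample: an FI-attached policy with four deliberate mistakes.
SAMPLE_POLICY = {
    "target_platform": "FIAttached",
    "vnics": [
        {"name": "eth0", "slot_id": "MLOM", "pci_order": 0,
         "eth_network_groups": [{"native_vlan": 10}, {"native_vlan": 20}]},
        {"name": "eth1", "slot_id": "MLOM", "pci_order": 2,
         "eth_network_groups": [{"qinq": True}, {}]},
        {"name": "eth2", "slot_id": "MLOM", "pci_order": 2,
         "sriov": {"vfs": 128, "rx_queues_per_vf": 4}},
    ],
}
SAMPLE_VHBAS = [{"name": "fc0", "slot_id": "MLOM", "pci_order": 1}]

if __name__ == "__main__":
    for finding in lint_lan_connectivity(SAMPLE_POLICY, SAMPLE_VHBAS):
        print(finding)
```
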

Configuration Feature Matrix for Supported Adapters in IMM

The following table shows the features supported by various adapters in Intersight Managed Mode.

| Feature | Cisco UCS 1300 Series Adapter | Cisco UCS 1400/14000 Series Adapter | Cisco UCS 15000 Series Adapter |
|---|---|---|---|
| usNIC | Yes | Yes | Yes |
| VMQ | Yes | Yes | Yes |
| VMMQ | No | Yes | Yes |
| SR-IOV | No | Yes | Yes |
| NetQueue | Yes | Yes | Yes |
| RoCEv1 | Yes | No | No |
| RoCEv2 | No | Yes | Yes |
| Geneve Offload | No | Yes | Yes |
| AzureQoS | No | Yes | Yes |
| RSS | Yes | Yes | Yes |
| RSSv2 | No | No | Yes |
| NVGRE | Yes | Yes | Yes |
| ARFS | Yes | Yes | Yes |
| VIC QinQ Tunneling | No | Yes | Yes |
| VXLAN | Yes | Yes | Yes |
| Advanced Filter | Yes | Yes | Yes |
| Interrupt Scaling/Group Interrupt | Yes | Yes | Yes |
| Host Port Configuration | Yes | No | No |
| vHBA Type | Yes | Yes | Yes |
| 16K Ring Size | No | No | Yes |
| Precision Time Protocol | No | No | Yes |
| FC MQ | Yes | Yes | Yes |
| FC NVMe | Yes | Yes | Yes |
| ENS | No | Yes | Yes |
| EtherChannel Pinning | No | Yes | Yes |

Creating an Ethernet Adapter Policy

An Ethernet adapter policy governs the host-side behavior of the adapter, including how the adapter handles traffic. For each VIC Virtual Ethernet Interface, you can configure various features like Virtual Extensible LAN (VXLAN), Network Virtualization using Generic Routing Encapsulation (NVGRE), Accelerated Receive Flow Steering (ARFS), Interrupt settings, and TCP Offload settings.

The Ethernet Adapter policy includes the recommended settings for the virtual Ethernet interface for each supported server operating system. Operating systems are sensitive to the settings in these policies. In general, storage vendors require non-default adapter settings. You can find the details of these required settings on the support list provided by those vendors.

GENEVE Offload

Cisco Intersight supports Generic Network Virtualization Encapsulation (GENEVE) Offload on the ESXi platform, which allows essentially any information to be encoded in a packet and passed between tunnel endpoints. GENEVE provides the overlay capability to create isolated, multi-tenant broadcast domains across data center fabrics on 1400 Series adapters. Using the GENEVE protocol allows you to create logical networks that span physical network boundaries.

GENEVE offload is present in all Ethernet adapter policies and is disabled by default. It is the recommended setting if using VMware ESXi GENEVE.

For more information on how to implement GENEVE offload end-to-end configuration, see Cisco UCS Manager Network Management documentation.

Cisco recommends configuring the following values in the Ethernet adapter policy when GENEVE offload is enabled:

  • Transmit Queues: 1

  • TX Ring Size: 4096

  • Receive Queues: 8

  • RX Ring Size: 4096

  • Completion Queues: 16

  • Interrupts: 32

The following features are not supported when GENEVE offload is enabled on any interface:

  • Azure Stack QoS

  • RoCEv2 - you cannot have GENEVE enabled on one vNIC and RoCEv2 enabled on another.

  • Advanced Filters

  • VIC QinQ Tunneling

Support for usNIC and VIC QinQ Tunneling features on interfaces:


Note


  • usNIC or VMQ is not compatible with GENEVE Offload on the same interface; this restriction applies only to 1400 Series adapters.

  • usNIC or VMQ is compatible with GENEVE Offload on different interfaces for 1400 Series adapters.

  • usNIC and VMQ are compatible with GENEVE Offload on both the same and different interfaces for 15000 Series adapters.



Note


On switching from GENEVE offload feature to Azure Stack QoS feature or vice versa, please do the following:
  1. Disable the current feature

  2. Reboot the server

  3. Enable the required feature


Other limitations with GENEVE offload include:

  • External outer IPv6 is NOT supported with GENEVE offload.

  • GENEVE offload is supported with ESX 7.0 (NSX-T 3.0) and ESX 6.7U3(NSX-T 2.5).

  • GENEVE offload is supported only with Cisco UCS VIC 1400/14000 and 15000 Series adapters. It is not supported on Cisco UCS VIC 1300 Series adapters or Cisco UCS VIC 1200 Series adapters.

  • Cisco UCS VIC 1400/14000 and 15000 Series adapters.

  • Minimum server firmware version for UCS C-Series Standalone: 4.1(2a)

  • Minimum adapter firmware version: 5.1(2f)

  • Cisco recommends that you remove the GENEVE offload configuration before downgrading to any non-supported release.

For details on the supported features matrix with GENEVE offload, refer to the tables below.

Table 1. GENEVE Offload Supported Features Matrix for 1400 Series Adapters

| | KVM VM-FEX | VXLAN | NVGRE | RoCEv2 | usNIC | Netflow | Advanced Filters | VMQ/VMMQ/NetQueue | ARFS | Azure QoS |
|---|---|---|---|---|---|---|---|---|---|---|
| GENEVE offload enabled on the interface vnic1 and feature is enabled on vnic1 | No | Yes | Yes | No | No | No | No | No | No | No |
| GENEVE offload enabled on the interface vnic1 and feature is enabled on vnic2 | Yes | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | No |

Table 2. GENEVE Offload Supported Features Matrix for 15000 Series Adapters

| | VXLAN | NVGRE | RoCEv2 | usNIC | Netflow | Advanced Filters | VMQ/VMMQ/NetQueue | ARFS | Quad port per adapter | Physical NIC node per adapter |
|---|---|---|---|---|---|---|---|---|---|---|
| GENEVE offload enabled on the same interface (vnic1) and feature is enabled on vnic1 | Yes | Yes | No | Yes | Yes | Yes | Yes | No | Yes | Yes |
| GENEVE offload enabled on different interface (vnic1) and feature is enabled on vnic2 | Yes | Yes | No | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
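The GENEVE offload limitations and matrices above can be applied to a planned adapter layout before deployment. This Python is an added example, not Cisco code; the dict layout, feature labels and the `check_geneve` function are assumptions for illustration and are not Intersight API fields.

```python
"""Check vNIC feature combinations against the GENEVE offload rules above.

Data model is hypothetical: each adapter lists its vNICs, each vNIC carries a
set of enabled feature labels and its queue settings.
"""
GENEVE_SERIES = {"1400", "14000", "15000"}   # 1300 and 1200 Series: unsupported
# Unsupported when GENEVE offload is enabled on any interface of the adapter.
ANY_VNIC_CONFLICTS = {"rocev2", "qinq"}
# "No" cells of the same-interface rows in Tables 1 and 2 ("vmq" stands for
# the VMQ/VMMQ/NetQueue column). The page has no matrix for the 14000 Series,
# so no same-interface check is made for it. Advanced Filters is checked only
# for the 1400 Series same-interface case, where the list and Table 1 agree.
SAME_VNIC_CONFLICTS = {
    "1400": {"kvm_vm_fex", "usnic", "netflow", "advanced_filter", "vmq", "arfs"},
    "15000": {"arfs"},
}
# Values Cisco recommends in the Ethernet adapter policy with GENEVE offload.
RECOMMENDED = {"tx_queues": 1, "tx_ring_size": 4096, "rx_queues": 8,
               "rx_ring_size": 4096, "completion_queues": 16, "interrupts": 32}


def check_geneve(adapter):
    """Return a list of (severity, message) tuples for one VIC adapter."""
    findings = []
    vnics = adapter["vnics"]
    geneve = [v for v in vnics if "geneve" in v["features"]]
    if not geneve:
        return findings                      # nothing to check without GENEVE
    series = adapter["series"]
    if series not in GENEVE_SERIES:
        return [("error", f"VIC {series} Series does not support GENEVE offload")]
    on = ", ".join(v["name"] for v in geneve)

    if adapter.get("azure_stack_qos"):
        findings.append(("error", "Azure Stack QoS cannot be combined with GENEVE "
                                  "offload; disable one, reboot, then enable the other"))
    for vnic in vnics:
        for feature in sorted(ANY_VNIC_CONFLICTS & vnic["features"]):
            findings.append(("error", f"{vnic['name']}: {feature} cannot coexist "
                                      f"with GENEVE offload on {on}"))
    for vnic in geneve:
        blocked = SAME_VNIC_CONFLICTS.get(series, set()) & vnic["features"]
        for feature in sorted(blocked):
            findings.append(("error", f"{vnic['name']}: {feature} is not supported on "
                                      f"the same interface as GENEVE offload ({series} Series)"))
        for key, want in RECOMMENDED.items():
            have = vnic.get("queues", {}).get(key)
            if have != want:
                findings.append(("warning", f"{vnic['name']}: {key}={have}, "
                                            f"Cisco recommends {want}"))
    return findings


# Constructed sample: a 1400 Series adapter with two conflicts and one
# queue value that differs from the recommendation.
SAMPLE_ADAPTER = {
    "series": "1400",
    "azure_stack_qos": False,
    "vnics": [
        {"name": "vnic1", "features": {"geneve", "vmq"},
         "queues": {"tx_queues": 1, "tx_ring_size": 4096, "rx_queues": 4,
                    "rx_ring_size": 4096, "completion_queues": 16, "interrupts": 32}},
        {"name": "vnic2", "features": {"rocev2", "usnic"}, "queues": {}},
    ],
}

if __name__ == "__main__":
    for severity, message in check_geneve(SAMPLE_ADAPTER):
        print(f"{severity}: {message}")
```
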

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Ethernet Adapter, and then click Start.

  4. On the General page, configure the following parameters:

    | Property | Essential Information |
    |---|---|
    | Organization | Select the organization. |
    | Name | Enter a name for your policy. |
    | Set Tags | Enter a tag in the key:value format. For example, Org: IT or Site: APJ. |
    | Description (optional) | Enter a short description. |
    | Cisco Provided Ethernet Adapter Configuration | |
    | Select Cisco Provided Configuration (Optional) | Click Select Cisco Provided Configuration, search, and choose from the available pre-defined configurations. Note: After you choose a configuration, the policy is updated with the pre-defined values from the chosen configuration. You can modify the values in the Details page or skip Step 6 and proceed to create the policy using these pre-defined values. |

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable Virtual Extensible LAN

    Enables the Virtual Extensible LAN protocol on the virtual Ethernet interface.

    Enable Network Virtualization using Generic Routing Encapsulation

    Enables Network Virtualization using Generic Routing Encapsulation on the virtual Ethernet interface.

    Note

     

    The Transmit checksum offload and TSO must be enabled for the NVGRE offloading to be effective.

    Enable Accelerated Receive Flow Steering

    Enables Accelerated Receive Flow Steering (ARFS) on the virtual Ethernet interface. ARFS is hardware-assisted receive flow steering that can increase CPU data cache hit rate by steering kernel level processing of packets to the CPU where the application thread consuming the packet is running.

    Enable Precision Time Protocol

    Enables Precision Time Protocol (PTP), a protocol that synchronizes clocks on a network with high precision. PTP can be enabled on only one vNIC at a time on the VIC adapter.

    Enable Advanced Filter

    Enables advanced filtering on the virtual Ethernet interface.

    Enable Interrupt Scaling

    Enables Interrupt Scaling of resources on the virtual Ethernet interface.

    Enable Geneve Offload

    Enables GENEVE overlay hardware offloads.

    Enable EtherChannel Pinning

    Enables EtherChannel pinning which pins the Tx queues on a vNIC to the physical adapter ports within the port channel to which the vNIC belongs.

    Note

     
    • Ensure that the number of transmit queues (Tx) configured in a vNIC is greater than 1 (minimum of 2). This setting is only applicable to a vNIC in port channel mode. It is recommended to use an even number of transmit queues.

    • In the case of ESX, the number of transmit queues on a vNIC is derived from the VMQ connection policy. Therefore, the VMQ connection policy must have more than one VMQ configured.

    RoCE Settings

    Intersight supports RDMA over Converged Ethernet (RoCE) for Microsoft SMB Direct. It sends additional configuration information to the adapter while creating or modifying an Ethernet adapter policy.

    Enable RDMA over converged Ethernet

    Enables RDMA over Converged Ethernet (RoCE) on the virtual Ethernet interface.

    RoCE allows direct memory access over an Ethernet network. RoCE is a link layer protocol, and hence, it allows communication between any two hosts in the same Ethernet broadcast domain. RoCE delivers superior performance compared to traditional network socket implementations because of lower latency, lower CPU utilization, and higher utilization of network bandwidth.

    Queue Pairs

    The number of queue pairs per adapter.

    Enter an integer between 0 and 8192. It is recommended that this number be an integer power of 2.

    Note

     

    This property is displayed only when Enable RDMA over converged Ethernet is enabled.

    Memory Regions

    The number of memory regions per adapter.

    Enter an integer between 0 and 524288. It is recommended that this number be an integer power of 2.

    Note

     

    This property is displayed only when Enable RDMA over converged Ethernet is enabled.

    Resource Groups

    The number of resource groups per adapter. It is recommended that this number be an integer power of 2 greater than or equal to the number of CPU cores on the system for optimum performance.

    Enter an integer between 0 and 128.

    Note

     

    This property is displayed only when Enable RDMA over converged Ethernet is enabled.

    Version

    Version of the RDMA protocol.

    Version 1 is a link layer protocol. It allows communication between any two hosts in the same Ethernet broadcast domain.

    Note

     

    This property is displayed only when Enable RDMA over converged Ethernet is enabled.

    Interrupt Settings

    Interrupts

    Enter the number of interrupt resources to allocate. Typically this value is equal to the number of completion queue resources.

    Enter an integer between 1 and 1024.

    Interrupt Mode

    Select the preferred driver interrupt mode:

    • MSIx—Message Signaled Interrupts (MSI) with the optional extension. This is the recommended option.

    • MSI—Message Signaled Interrupts (MSI) only

    • INTx—PCI INTx interrupts

    Interrupt Timer, us

    The time to wait between interrupts or the idle period that must be encountered before an interrupt is sent. To turn off interrupt coalescing, enter 0 (zero) in this field.

    Enter an integer between 0 and 65535.

    Interrupt Coalescing Type

    Select the Interrupt Coalescing Type:

    • Min - The system waits for the time specified in the Coalescing Time field before sending another interrupt event.

    • Idle - The system does not send an interrupt until there is a period of no activity lasting at least the time specified in the Coalescing Time field.

    Receive

    Receive Queue resource settings.

    Receive Queue Count

    The number of queue resources to allocate.

    Enter an integer between 1 and 1000.

    Receive Ring Size

    The number of descriptors in each queue.

    Enter an integer between 64 and 4096.

    Transmit

    Transmit Queue resource settings

    Transmit Queue Count

    The number of queue resources to allocate.

    Enter an integer between 1 and 1000.

    Note

     

    The value should be at least 2 to enable EtherChannel pinning.

    Transmit Ring Size

    The number of descriptors in each queue.

    Enter an integer between 64 and 4096.

    Completion

    Completion Queue resources settings

    Completion Queue Count

    The number of completion queue resources to allocate. In general, the number of completion queue resources to allocate is equal to the number of transmit queue resources plus the number of receive queue resources.

    Enter an integer between 1 and 2000.

    Completion Ring Size

    The number of descriptors in each queue.

    Enter an integer between 1 and 256.

    Note

     

    This property is displayed only when Enable RDMA over converged Ethernet is enabled.

    Uplink Failback Timeout (seconds)

    Uplink Failback Timeout in seconds when uplink failover is enabled for a vNIC. After a vNIC has started using its secondary interface, this setting controls how long the primary interface must be available before the system resumes using the primary interface for the vNIC.

    Enter an integer between 0 and 600.

    TCP Offload

    The TCP offload settings decide whether to offload the TCP related network functions from the CPU to the network hardware or not. These options help reduce the CPU overhead and increase the network throughput.

    Enable Tx Checksum Offload

    Enables the CPU to send all packets to the hardware so that the checksum can be calculated.

    Enable Rx Checksum Offload

    Enables the CPU to send all packet checksums to the hardware for validation.

    Enable Large Send Offload

    Enables the CPU to send large packets to the hardware for segmentation.

    Enable Large Receive Offload

    Enables the segmented packets to be reassembled in hardware before they are sent to the CPU.

    Receive Side Scaling: Receive Side Scaling (RSS)/Receive Side Scaling Version 2 (RSSv2) supports multiple cores to process the incoming data traffic.

    RSSv2 is supported on Windows 2019 OS and later versions, and it requires the Windows NENIC driver. With an RSS-enabled Windows NENIC driver and a Cisco UCS VIC adapter, you can configure multiple hardware receive queues on the Physical Function (PF). With VMMQ enabled on the VIC, you can configure multiple hardware receive queues per Virtual Machine (VM).

    Before using the RSSv2 functionality, ensure the NENIC driver supports RSSv2. In general, a NENIC driver supports 4 queues. With RSSv2, the NENIC driver has no upper limit on the number of hardware queues for PF or VM.

    Enable Receive Side Scaling

    Enables receive side scaling and allows the incoming traffic to be spread across multiple CPU cores. This property supports both RSS and RSSv2.

    By default, RSS is enabled. RSSv2 is compatible with RSS. Whether this property applies RSS or RSSv2 depends on which of the two the NENIC driver supports.

    Note

     

    RSSv2 is supported on the following:

    • Cisco UCS VIC 15000 Series adapters

    • Cisco UCS M6, M7, and M8 servers

    Enable IPv4 Hash

    Enables the IPv4 address for traffic distribution.

    Enable IPv6 Extension Hash

    Enables the IPv6 extensions for traffic distribution.

    Enable IPv6 Hash

    Enables the IPv6 address for traffic distribution.

    Enable TCP and IPv4 Hash

    Enables both the IPv4 address and TCP port number for traffic distribution.

    Enable TCP and IPv6 Extensions Hash

    Enables both the IPv6 extensions and TCP port number for traffic distribution.

    Enable TCP and IPv6 Hash

    Enables both the IPv6 address and TCP port number for traffic distribution.

    Enable UDP and IPv4 Hash

    Enables both the IPv4 address and UDP port number for traffic distribution.

    Enable UDP and IPv6 Hash

    Enables both the IPv6 address and UDP port number for traffic distribution.

  6. Click Create.

Configuring an Ethernet Adapter Policy to Support RSS and Multiple Transmit Queues on VMware ESXi

This configuration enables Receive Side Scaling (RSS) and multiple transmit (Tx) queues for improved network performance in VMware ESXi 8.0 U3 and later, using an Ethernet Adapter Policy in Cisco Intersight.

Before you begin

  • Cisco Intersight: Supported from Cisco Intersight Release 6.0(1.0) onwards.

  • VMware ESXi: Version 8.0 U3 or later

  • nenic driver on ESXi: Minimum required nenic driver version is 2.0.17.0-1OEM.800.1.0.20613240 (for ESXi 8.0U3).

  • Hardware: Supported on Cisco UCS 1400 and 15000 series adapters.

Procedure


Step 1

Create an Ethernet adapter policy. Use the following parameters when creating the Ethernet adapter policy.

In the Resources area, set the following options:

  • Transmit Queues = n (up to 16)

  • Receive Queues = n (up to 16)

  • Completion Queues = # of Transmit Queues + # of Receive Queues

  • Interrupts = (# of Completion Queues + 2) rounded up to the nearest power of 2

In the Options area, set the following options:

  • Receive Side Scaling (RSS)—Enabled

  • VMQ Connection Policy—Disabled

    Note

     

    When VMQ is disabled, RSS engines handle the queue distribution, which may result in the Rx netqueue count appearing as 1 in ESXi command outputs. If VMQ is enabled, the Rx queue count will reflect the VMQ queues, and RSS engines may not be reported as active. Hence, to support RSS with multiple transmit queues, VMQ must be disabled and RSS must be enabled.

    For more information, see Creating an Ethernet Adapter Policy.

Step 2

Install the appropriate drivers according to the Supported Hardware.

For more information, see the Cisco Intersight Virtual Appliance and Intersight Assist Getting Started Guide.

Step 3

Reboot the server.
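
The resource arithmetic in Step 1 can be checked before a policy is deployed. The following Python code is an added example, not Cisco code: it derives Completion Queues and Interrupts from the queue counts and audits a policy against the RSS and VMQ requirement. The dictionary keys, function names, and sample policy are hypothetical and are not Intersight API fields.

```python
from dataclasses import dataclass
from typing import Dict, List

# Limits quoted from the policy tables and the ESXi procedure on this page.
ESXI_RSS_MAX_QUEUES = 16            # Transmit/Receive Queues = n (up to 16)
COMPLETION_QUEUE_RANGE = (1, 2000)  # Completion Queue Count field range
INTERRUPTS_RANGE = (1, 1024)        # Interrupts field range


@dataclass(frozen=True)
class AdapterResources:
    """Hypothetical container for the four Resources values."""
    transmit_queues: int
    receive_queues: int
    completion_queues: int
    interrupts: int


def next_power_of_two(n: int) -> int:
    """Smallest power of two that is >= n (n itself if it already is one)."""
    if n < 1:
        raise ValueError("n must be positive")
    return 1 << (n - 1).bit_length()


def derive_resources(tx: int, rx: int) -> AdapterResources:
    """Apply the Step 1 rules to a chosen Tx/Rx queue count."""
    for label, value in (("Transmit Queues", tx), ("Receive Queues", rx)):
        if not 1 <= value <= ESXI_RSS_MAX_QUEUES:
            raise ValueError(
                f"{label} must be 1..{ESXI_RSS_MAX_QUEUES}, got {value}")
    completion = tx + rx                              # Tx + Rx
    interrupts = next_power_of_two(completion + 2)    # (CQ + 2) rounded up
    return AdapterResources(tx, rx, completion, interrupts)


def audit_policy(policy: Dict[str, object]) -> List[str]:
    """Return a list of findings; an empty list means the policy matches."""
    try:
        want = derive_resources(int(policy["transmit_queues"]),
                                int(policy["receive_queues"]))
    except ValueError as exc:
        return [str(exc)]

    findings = []
    if policy["completion_queues"] != want.completion_queues:
        findings.append(
            f"Completion Queues is {policy['completion_queues']}, "
            f"expected {want.completion_queues} (Tx + Rx)")
    if policy["interrupts"] != want.interrupts:
        findings.append(
            f"Interrupts is {policy['interrupts']}, "
            f"expected {want.interrupts} ((CQ + 2) rounded up to a power of 2)")
    for key, (lo, hi) in (("completion_queues", COMPLETION_QUEUE_RANGE),
                          ("interrupts", INTERRUPTS_RANGE)):
        if not lo <= int(policy[key]) <= hi:
            findings.append(f"{key} is outside the field range {lo}..{hi}")
    if not policy.get("rss_enabled", False):
        findings.append("Receive Side Scaling must be enabled")
    if policy.get("vmq_enabled", False):
        findings.append("VMQ Connection Policy must be disabled")
    return findings


# Constructed sample: a policy copied from a VMQ setup without recalculating.
SAMPLE_POLICY = {
    "transmit_queues": 8,
    "receive_queues": 8,
    "completion_queues": 9,
    "interrupts": 11,
    "rss_enabled": True,
    "vmq_enabled": True,
}

if __name__ == "__main__":
    print(derive_resources(8, 8))
    for finding in audit_policy(SAMPLE_POLICY):
        print("FINDING:", finding)
```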


Creating an Ethernet QoS Policy

An Ethernet Quality of Service (QoS) policy assigns a system class to the outgoing traffic for a vNIC. This system class determines the quality of service for the outgoing traffic. For certain adapters, you can also specify additional controls like burst and rate on the outgoing traffic.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Ethernet QoS, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    MTU, Bytes

    The Maximum Transmission Unit (MTU) or packet size that the virtual interface accepts.

    The valid range is between 1500 and 9000. The default value is 1500.

    Rate Limit, Mbps

    The value in Mbps (0-100000) to use for limiting the data rate on the virtual interface. Setting this to zero will turn rate limiting off.

    Class of Service

    The Class of Service to be associated to the traffic on the virtual interface.

    The valid range is between 0 and 6. The default value is 3.

    Note

     

    This property is supported only on Standalone servers.

    Burst

    The burst traffic allowed on the vNIC in bytes.

    The valid range is between 1024 and 1000000. The default value is 10240.

    Note

     

    This property is supported only on FI-attached servers.

    Priority

    Select the priority that matches the System QoS defined in the domain profile. The options are:

    • Best-effort

    • Fibre Channel (FC)

    • Platinum

    • Gold

    • Silver

    • Bronze

    Note

     
    • The Best-effort system class is enabled by default.

    • This property is supported only on FI-attached servers.

    Enable Trust Host CoS

    Select to enable the usage of the Class of Service to be associated to the traffic on the virtual interface.

  6. Click Create.

Creating an Ethernet Network Policy

An Ethernet Network policy sets the rules for how the port handles network traffic. This policy determines whether the port can carry single-VLAN (Access) or multiple-VLAN (Trunk) traffic.

This policy also supports VIC QinQ Tunneling. A QinQ (802.1Qin802.1Q) tunnel allows segregation and isolation of different VLANs within a network. To configure QinQ VLAN, you can specify the desired VLAN ID as part of the VLAN settings for the specific port, port channel, or vNIC. This enables the transmission of multiple VLANs over a single VLAN trunk.


Important


This policy is supported only on C-Series Standalone servers.

An Ethernet Network policy determines if the port can carry single VLAN (Access) or multiple VLANs (Trunk) traffic. You can specify the VLAN to be associated with an Ethernet packet if no tag is found.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Ethernet Network, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    VLAN Mode

    Assign traffic flow to the VLAN to determine if the port can carry single VLAN (Access) or multiple VLANs (Trunk) traffic.

    • Access Mode—Traffic is received and sent in native formats with no VLAN tagging. Anything arriving on an access port is assumed to belong to the VLAN assigned to the port.

      You can configure a port in access mode and specify the VLAN to carry the traffic for that interface. If you do not configure the VLAN for a port in access mode, or an access port, the interface carries the traffic for the default VLAN, which is VLAN 1. You can change the access port membership in a VLAN by configuring the VLAN. You must create the VLAN before you can assign it as an access VLAN for an access port. If you change the access VLAN on an access port to a VLAN that is not yet created, the UCS Manager shuts down that access port.

      If an access port receives a packet with an 802.1Q tag in the header other than the access VLAN value, that port drops the packet without learning its MAC source address. If you assign an access VLAN that is also a primary VLAN for a private VLAN, all access ports with that access VLAN receive all the broadcast traffic for the primary VLAN in the private VLAN mode.

    • Trunk Mode—Trunk ports allow multiple VLANs to transport between switches over that trunk link. A trunk port can carry untagged packets simultaneously with the 802.1Q tagged packets. When you assign a default port VLAN ID to the trunk port, all untagged traffic travels on the default port VLAN ID for the trunk port, and all untagged traffic is assumed to belong to this VLAN. This VLAN is referred to as the native VLAN ID for a trunk port. The native VLAN ID is the VLAN that carries untagged traffic on trunk ports.

      The trunk port sends an egressing packet with a VLAN that is equal to the default port VLAN ID as untagged; all the other egressing packets are tagged by the trunk port. If you do not configure a native VLAN ID, the trunk port uses the default VLAN.

    This property is applicable only to Standalone servers, and not to FI Attached servers. For FI Attached mode, VLAN Mode is configured as Trunk.

    Access Mode

    Enable QinQ Tunneling

    Slide to enable VIC QinQ (802.1Qin802.1Q) Tunneling.

    Default VLAN

    Refers to the VLAN ID assigned to the traffic on the virtual interface by default. The range for the Default VLAN ID is from 0 to 4094.

    QinQ VLAN

    This property enables the configuration of QinQ Tunneling, which facilitates the encapsulation of multiple VLANs within a single VLAN. The supported VLAN ID range is from 2 to 4093, allowing you to effectively manage and segregate the network traffic.

    Note

     

    This property is displayed only when Enable QinQ Tunneling slider is enabled.

    Trunk Mode

    Enable QinQ Tunneling

    Slide to enable VIC QinQ (802.1Qin802.1Q) Tunneling.

    Default VLAN

    Refers to the VLAN ID assigned to the traffic on the virtual interface by default. The range for the Default VLAN ID is from 0 to 4094.

    QinQ VLAN

    This property enables the configuration of QinQ Tunneling, which facilitates the encapsulation of multiple VLANs within a single VLAN. The supported VLAN ID range is from 2 to 4093, allowing you to effectively manage and segregate the network traffic.

    Note

     

    This property is displayed only when Enable QinQ Tunneling slider is enabled.

  6. Click Create.

Creating an Ethernet Network Group Policy

An Ethernet Network Group policy enables you to manage settings for VLANs on a UCS Server. These settings include defining which VLANs are allowed, designating a Native VLAN, and specifying a QinQ VLAN.


Note


When an Ethernet Network Group is assigned to a Port Policy, the specified VLAN set must be either identical to or disjoint from the VLAN sets specified on other uplink interfaces. Ensure that the VLANs are defined in the VLAN Policy and that Auto Allow on Uplinks is disabled.

Ethernet Network Groups should only be used for Disjoint Layer 2 configurations and will fail if a VLAN present in the Ethernet Network Group has Auto Allow on Uplinks enabled in the VLAN Configuration Policy section.


This policy also supports VIC QinQ Tunneling. A QinQ (802.1Q-in-802.1Q) tunnel allows segregation and isolation of different VLANs within a network. To configure QinQ VLAN, you can specify the desired VLAN ID as part of the VLAN settings for the specific port, port channel, or vNIC. This enables the transmission of multiple VLANs over a single VLAN trunk.

  1. Log in to Cisco Intersight with the Account Administrator, Server Administrator, or Domain Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Ethernet Network Group, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Description

    Add VLANs

    From the Add VLANs drop-down list, choose one of the following three options to add VLAN IDs to the Ethernet Network Group Policy:

    • Enter Manually

    • From Policy

    • From CSV File

    Note

     

    The Add VLANs option is available only when the Enable QinQ (802.1Q-in-802.1Q) Tunneling on the vNIC check box is unchecked.

    Enter Manually

    You can specify the allowed VLANs by providing a list of comma-separated VLAN IDs and VLAN ID ranges.

    For example, you can enter VLAN IDs 10, 20, and 30-40 to allow VLANs 10, 20, and a range from 30 to 40.

    From Policy

    You can specify the allowed VLANs by importing the VLAN IDs from an existing VLAN policy.

    Note

     

    You can create a new VLAN policy by clicking Create New on the Select Policy page and later import the VLAN IDs from it.

    From CSV File

    You can specify the allowed VLANs by importing the VLAN IDs from a CSV file on your local machine.

    Native VLAN (Optional)

    To configure a native VLAN, click the ellipsis icon next to the desired VLAN ID and select Set Native VLAN. To remove a native VLAN, click the ellipsis icon next to it and select Unset Native VLAN.

    Note

     
    • Setting a native VLAN is an optional configuration. You can create an Ethernet Network Group Policy without including a native VLAN.

    • If a native VLAN is already assigned, any change may cause brief network interruptions during profile deployment.

    Show VLAN ID Ranges

    Toggle the Show VLAN ID Ranges option to view all allowed VLAN ID ranges.

    Enable QinQ (802.1Q-in-802.1Q) Tunneling on the vNIC

    Check this check box to enable VIC QinQ (802.1Q-in-802.1Q) Tunneling. This feature allows the configuration of QinQ Tunneling, which facilitates the encapsulation of multiple VLANs within a single VLAN. Supported VLAN IDs range from 1 to 4093, enabling effective management and segregation of network traffic.

    QinQ VLAN

    From the QinQVLANs drop-down list, choose one of the following two options to add QinQ VLAN IDs to the Ethernet Network Group Policy:

    • Enter Manually

    • From Policy

    Note

     

    The QinQ VLAN option is available only when the Enable QinQ (802.1Q-in-802.1Q) Tunneling on the vNIC check box is checked.

    Enter Manually

    You can specify the allowed QinQ VLANs by providing a list of comma-separated VLAN IDs and VLAN ID ranges.

    From Policy

    You can specify the allowed QinQ VLANs by importing the VLAN IDs from the VLAN policies.

    Native VLAN (Optional)

    From the Native VLAN drop-down list, choose one of the following two options to add QinQ Native VLAN to the Ethernet Network Group Policy:

    • Enter Manually

    • From Policy

    Note

     

    Setting a native VLAN is an optional configuration. You can create an Ethernet Network Group Policy without including a native VLAN.


    Note


    To make the server an Isolated host or a Community host, specify the ID of an Isolated VLAN or a Community VLAN in both Allowed VLANs and Native VLAN.


  6. Click Create.
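
The Enter Manually list format ("10, 20, 30-40") and the rule that VLAN sets on different uplink interfaces must be either identical or disjoint can both be checked offline before the policy is attached. The following Python code is an added example, not Cisco code: the function names, uplink names, and sample groups are hypothetical, and the 1 to 4094 bound is the general 802.1Q usable range taken as an assumption, since this page does not state the accepted range for allowed VLANs.

```python
import itertools
import re
from typing import Dict, FrozenSet, Iterable, List

# One entry of the comma-separated list: a single ID or an "a-b" range.
_ENTRY = re.compile(r"(\d+)(?:\s*-\s*(\d+))?", re.ASCII)


def parse_vlan_list(text: str, lo: int = 1, hi: int = 4094) -> FrozenSet[int]:
    """Parse "10, 20, 30-40" into a set of VLAN IDs.

    lo/hi are an assumption (802.1Q usable IDs), not a limit from the page.
    """
    vlans = set()
    for raw in text.split(","):
        entry = raw.strip()
        match = _ENTRY.fullmatch(entry)
        if match is None:
            raise ValueError(f"not a VLAN ID or range: {entry!r}")
        start = int(match.group(1))
        end = int(match.group(2)) if match.group(2) else start
        if start > end:
            raise ValueError(f"range is reversed: {entry!r}")
        if start < lo or end > hi:
            raise ValueError(f"{entry!r} is outside {lo}..{hi}")
        vlans.update(range(start, end + 1))
    return frozenset(vlans)


def to_ranges(vlans: Iterable[int]) -> str:
    """Collapse a set of IDs back into the compact "10,20,30-40" form."""
    ids = sorted(vlans)
    parts = []
    i = 0
    while i < len(ids):
        j = i
        while j + 1 < len(ids) and ids[j + 1] == ids[j] + 1:
            j += 1
        parts.append(str(ids[i]) if i == j else f"{ids[i]}-{ids[j]}")
        i = j + 1
    return ",".join(parts)


def check_uplink_groups(groups: Dict[str, str]) -> List[str]:
    """Report every pair of groups that is neither identical nor disjoint."""
    parsed = {name: parse_vlan_list(text) for name, text in groups.items()}
    findings = []
    for (a, va), (b, vb) in itertools.combinations(parsed.items(), 2):
        overlap = va & vb
        if overlap and va != vb:
            findings.append(
                f"{a} and {b} partially overlap on VLANs {to_ranges(overlap)}")
    return findings


# Constructed sample: uplink-d shares 35-40 with uplink-a and uplink-b only.
SAMPLE_GROUPS = {
    "uplink-a": "10, 20, 30-40",
    "uplink-b": "10,20,30-40",
    "uplink-c": "100-110",
    "uplink-d": "35-45",
}

if __name__ == "__main__":
    for finding in check_uplink_groups(SAMPLE_GROUPS):
        print("FINDING:", finding)
```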

Creating an Ethernet Network Control Policy

Ethernet Network Control policies configure the network control settings for the UCS Domain. This policy is applicable only for the Appliance Ports defined in a Port Policy and for the vNICs defined in a LAN Connectivity Policy, on FI-Attached UCS Servers.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator roles.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Ethernet Network Control, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable CDP

    Enables the Cisco Discovery Protocol (CDP) on an interface.

    MAC Register Mode

    Determines the MAC addresses to be registered with the switch. This can be:

    • Only Native VLAN—MAC addresses are only added to the native VLAN. This option is the default, and it maximizes the port+VLAN count.

    • All Host VLANs—MAC addresses are added to all VLANs with which they are associated. Select this option if your VLANs are configured to use trunking but are not running in Promiscuous mode.

    Action on Uplink Fail

    Determines how the interface behaves if no uplink port is available when the switch is in end-host mode.

    • Link Down—Changes the operational state of a vNIC to down when uplink connectivity is lost on the switch, and enables fabric failover for vNICs. This is the default option.

    • Warning—Maintains server-to-server connectivity even when no uplink port is available, and disables fabric failover when uplink connectivity is lost on the switch.

    MAC Security

    Forge

    Determines whether forged MAC addresses are allowed or denied when packets are sent from the server to the switch. This can be:

    • Allow— All server packets are accepted by the switch, regardless of the MAC address associated with the packets. This is the default option.

    • Deny— After the first packet has been sent to the switch, all other packets must use the same MAC address or they will be silently rejected by the switch. In effect, this option enables port security for the associated vNIC.

    LLDP

    Determines whether interfaces can transmit or receive LLDP packets.

    • To enable or disable the transmission of LLDP packets on an interface, click Enable Transmit.

    • To enable or disable the receipt of LLDP packets on an interface, click Enable Receive.

  6. Click Create.

Creating a SAN Connectivity Policy

A Storage Area Network (SAN) connectivity policy determines the network storage resources and the connections between the server and the storage device on the network. This policy enables you to specify WWPN address pools, or a static WWPN address to add a vHBA. Similarly, you can specify a WWNN pool, or a static WWNN address to configure vHBAs that the servers use to communicate with the SAN.

Prerequisites

The following sub-policies are required to create the SAN Connectivity policy:

  • Fibre Channel Network Policy—Configure the VSAN ID on the virtual interfaces.

  • Fibre Channel QoS Policy—Limit the data rate on the virtual interface, configure the maximum Fibre Channel frame payload size, in bytes, that the virtual interface supports, and associate a Class of Service with the traffic on the virtual interface.

  • Fibre Channel Adapter Policy—Govern the host side behavior of the adapter. You can enable FCP Error Recovery, change the default settings of Queues, and change Interrupt handling for performance enhancement.

  • Fibre Channel Zone Policy—Specify direct access storage path configurations in the FC Zone policy, to set up access control between hosts and storage devices. You can create a Single Initiator Single Target, or Single Initiator Multiple Target zone on a VSAN with FC Storage scope.

  • WWNN Pool—A World Wide Name (WWN) pool that contains only WW node names for use by the Fibre Channel vHBAs in a Cisco UCS Domain. You can also assign a static WWNN to a Fibre Channel vHBA in a Cisco UCS Domain.

  • WWPN Pool—A World Wide Name (WWN) pool that contains only WW port names for use by the Fibre Channel vHBAs in a Cisco UCS Domain. You can also assign a static WWPN to a Fibre Channel vHBA in a Cisco UCS Domain.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select SAN Connectivity, and then click Start.

  4. On the General page, enter the following information:

    • Name of your policy.

    • Target Platform for which the policy is applicable. This can be Standalone servers or FI Attached servers.

      A SAN Connectivity Policy created for Standalone servers cannot be deployed on FI Attached servers. Similarly, a SAN Connectivity Policy created for FI Attached servers cannot be deployed on Standalone servers.

    • Set Tags for the policy. Tags must be in the key:value format. For example, Org: IT or Site: APJ.

    • Description to help identify the policy.

  5. On the Policy Details page, configure the following:

    • Select the placement option—Manual or Auto

      • Manual vHBAs Placement—If you select this option, you must manually specify the PCI slot and PCI order for each vHBA. You can also use the Graphic vHBAs Editor to create and specify the placement for each vHBA manually by adding vHBAs and slots, and defining the connection between them.


        Note


        • For manual placement, PCI Link is not supported on UCS VIC 1400 Series adapters

        • If a SAN Connectivity Policy has both Simple and Advanced placements, ensure the number provided in PCI Order is appropriate to prevent Server Profile deployment failure.


      • Auto vHBAs Placement—If you select this option, vHBA placement will be done automatically during profile deployment. This option is available only for Cisco Intersight Managed FI Attached servers.

    • Create or select a WWNN Address Pool, or select Static and enter a WWNN address. The Static option is available only for Cisco Intersight Managed FI Attached servers.

  6. To set up a vHBA without using a template, click Add vHBA and configure the following parameters:

    Property

    Essential Information

    Add vHBA

    Name

    Name of the virtual Fibre Channel interface.

    vHBA Type

    Type of vHBA configuration for SAN Connectivity Policy.

    • fc-initiator—The type of Fibre Channel zoning to be configured for the vHBA is of the initiator type.

    • fc-target—The type of Fibre Channel zoning to be configured for the vHBA is of the target type.

    • fc-nvme-initiator—The vHBA type is initiator and applies the NVMe interface to Fibre Channel.

    • fc-nvme-target—The vHBA type is target and applies the NVMe interface to Fibre Channel.

      The NVM Express (NVMe) interface allows host software to communicate with a non-volatile memory subsystem. It is optimized for Enterprise non-volatile storage, which is typically attached as a register level interface to the PCI Express (PCIe) interface.

    Note

     
    • This configuration is supported only on Cisco VIC 1400 series and higher series of adapters.

    • 1300 series adapters support only fc-initiator, and fc-nvme-initiator.

    • Prior to connection, association with adapter should be fine.

    • After connection with adapter, check vhba_type in the vnic.cfg file.

      For fc-nvme-initiator type, vhba_type should read the name.

      For fc-initiator type, vhba_type should not be present.

    Pin Group Name

    Name of the pin group that contains the specific port/port channels. All traffic from the vHBA is pinned to the specified FC/FCoE uplink ports or port channels.

    Note

     

    The pin group can be defined while creating a Port policy.

    If you do not assign a pin group to a vHBA, an FC/FCoE uplink port or port channel for traffic is chosen from that server interface dynamically. This choice is not permanent. A different FC/FCoE uplink port or port channel may be used for traffic from that server interface after an interface flap or a server reboot.

    WWPN Address Pool

    Click Select Pool and choose a WWPN address pool.

    Static

    Click Static and enter a static WWPN address. This option is available only for Cisco Intersight Managed FI Attached servers.

    Placement

    Placement Settings for the virtual interface.

    Simple

    When you select Simple Placement, the Slot ID and PCI Link are determined automatically by the system. vHBAs are deployed on the first VIC. The slot ID determines the first VIC. Slot ID numbering begins with MLOM, and thereafter it keeps incrementing by 1, starting from 1. The PCI link is always set to 0.

    Switch ID

    Refers to the Fabric Interconnect that carries the vHBA traffic.

    PCI Order

    The order in which the virtual interface is brought up. The order assigned to an interface should be unique and in sequence starting with "0" for all the Ethernet and Fibre-Channel interfaces on each PCI link on a VIC adapter. The maximum value of PCI order is limited by the number of virtual interfaces (Ethernet and Fibre-Channel) on each PCI link on a VIC adapter.

    Note

     

    You cannot change the PCI order of two vHBAs without deleting and recreating the vHBAs.

    Advanced

    Automatic Slot ID Assignment

    When enabled, slot ID is determined automatically by the system.

    Slot ID

    When automatic slot ID assignment is disabled, the slot ID needs to be entered manually.

    Supported values are (1-15) and MLOM.

    PCI link

    The PCI link used as transport for the virtual interface.

    PCI Link is only applicable for select Cisco UCS VIC 1300 Series models (UCSC-PCIE-C40Q-03, UCSB-MLOM-40G-03, UCSB-VIC-M83-8P) that support two PCI links. The value, if specified, for any other VIC model will be ignored.

    Note

     

    The host device order can get impacted when using both the PCI links.

    Automatic PCI link Assignment

    When enabled, PCI link is determined automatically by the system.

    Note

     
    • If Automatic assignment is enabled for both Slot ID and PCI link, then the behavior is the same as Simple placement. All the vHBAs are placed on the same PCI link (link 0).

    • If Automatic Slot ID assignment is disabled but automatic PCI link assignment is enabled, then you need to provide the slot ID and the vHBA will be placed on PCI link 0.

    Load Balanced

    When Automatic PCI link assignment is disabled and Load Balanced is enabled, the system uniformly distributes the interfaces across the PCI Links.

    • If automatic PCI link assignment is disabled and automatic Slot ID is enabled, you can specify the PCI order to load balance the vHBAs.

    • If both automatic PCI link assignment and automatic Slot ID are disabled, you can specify the slot and the PCI order to load balance the vHBAs.

    Note

     

    You cannot change the PCI link mode of two vHBAs from Load Balanced mode to Custom mode without deleting and recreating the vHBAs.

    Custom

    • If automatic PCI link assignment is disabled and automatic Slot ID is enabled, you need to provide the value of the PCI order, PCI link, and Switch ID.

    • If both automatic PCI link assignment and automatic Slot ID assignment are disabled, you need to provide the values of the Slot ID, PCI order, and the PCI link.

    Note

     

    You cannot change the PCI link mode of two vHBAs from Custom mode to Load Balanced mode without deleting and recreating the vHBAs.

    Persistent LUN Bindings

    Enable Persistent LUN Bindings

    Enables retention of LUN ID associations in memory until they are manually cleared.

    Fibre Channel Network

    Select or create a Fibre Channel Network policy.

    Fibre Channel QoS

    Select or create a Fibre Channel QoS policy.

    Fibre Channel Adapter

    Select or create a Fibre Channel Adapter policy.

    FC Zone

    Select or create the FC Zone policy to be attached.

  7. To derive vHBA for FI-attached servers using a vHBA template, choose vHBA from Template from the Add drop-down list. For more information on creating vHBA templates, see Creating vNIC or vHBA Templates.


    Note


    • When deriving a vHBA from a template, the vHBA configuration is auto-populated from the template configuration. You can edit or delete parameters, which are enabled for configuration override through the vHBA template. For parameters that are not enabled for override, you can only view the configurations using the Eye icon.

    • The parameters that have been overridden are indicated using an Overridden label. In the case of override-enabled parameters, the changes applied in the template are not reflected in the derived vHBA.

    • Only parameters that are not included in the template can be modified in the derived vHBA instance.

    • If you attempt to derive a vHBA from a template while profile deployment is in progress, the task will be retried until the profile deployment is completed. You can find these details in the Requests tab.


  8. Click Create.

Creating a Fibre Channel Adapter Policy

A Fibre Channel adapter policy governs the host-side behavior of the adapter, including how the adapter handles traffic. You can enable FCP Error Recovery, change the default settings of Queues, and Interrupt handling for performance enhancement.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Fibre Channel Adapter, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

    Cisco Provided Fibre Channel Adapter Configuration

    Select Cisco Provided Configuration (Optional)

    Click Select Cisco Provided Configuration, search, and choose from the available pre-defined configurations.

    Note

     

    After you choose a configuration, the policy is updated with the pre-defined values from the chosen configuration. You can modify the values in the Details page or skip Step 6 and proceed to create the policy using these pre-defined values.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Error Recovery

    FCP Error Recovery

    Enables the use of FCP Sequence Level Error Recovery protocol (FC-TAPE) on the virtual interface.

    Port Down Timeout, ms

    The number of milliseconds a remote Fibre Channel port should be offline before informing the SCSI upper layer that the port is unavailable.

    Enter an integer between 0 and 240000.

    I/O Retry Timeout, Seconds

    The number of seconds the adapter waits before aborting the pending command and resending the same I/O request.

    Enter an integer between 1 and 59.

    Link Down Timeout, ms

    The number of milliseconds the uplink port should be offline before it informs the system that the uplink port is down and fabric connectivity has been lost.

    Enter an integer between 0 and 240000.

    Port Down IO Retry, ms

    The number of times an IO request to a port is returned because the port is busy before the system decides the port is unavailable.

    Enter an integer between 0 and 255.

    Error Detection

    Error Detection Timeout

    Error Detection Timeout, also referred to as EDTOV, is the number of milliseconds to wait before the system assumes that an error has occurred.

    Enter an integer between 1000 and 10000.

    Resource Allocation

    Resource Allocation Timeout

    The number of milliseconds to wait before the system assumes that a resource cannot be properly allocated.

    Enter an integer between 5000 and 100000.

    Flogi

    Flogi Retries

    The number of times that the system tries to log in to the fabric after the first failure.

    Flogi Timeout, ms

    The number of milliseconds that the system waits before it tries to log in again.

    Enter an integer between 1000 and 255000.

    Plogi

    Plogi Retries

    The number of times that the system tries to log into a port after the first failure.

    Enter an integer between 0 and 255.

    Plogi Timeout, ms

    The number of milliseconds that the system waits before it tries to log in again.

    Enter an integer between 1000 and 255000.

    Interrupt

    Mode

    Select the preferred driver interrupt mode:

    • MSIx—Message Signaled Interrupts (MSI) with the optional extension. This is the recommended option.

    • MSI—Message Signaled Interrupts (MSI) only

    • INTx—PCI INTx interrupts

    IO Throttle

    I/O Throttle Count

    The number of I/O operations that can be pending in the vHBA at one time.

    Enter an integer between 1 and 1024.

    LUN

    Maximum LUNs Per Target

    The maximum number of LUNs that the driver will export. This is usually an operating system platform limitation.

    Enter an integer between 1 and 1024.

    For fc-initiator vHBA type, enter an integer between 1 and 4096.

    Note

     

    The fc-initiator vHBA maximum LUN configuration requires the minimum server firmware version 4.2(3d). For more information on the supported firmware for adapters, see Supported Hardware.

    LUN Queue Depth

    The number of commands that the HBA can send and receive in a single transmission per LUN.

    Enter an integer between 1 and 254.

    Receive

    Receive Ring Size

    The number of descriptors in each queue.

    Enter an integer between 64 and 2048.

    Transmit

    Transmit Ring Size

    The number of descriptors in each queue.

    Enter an integer between 64 and 2048.

    SCSI I/O

    SCSI I/O Queues

    The number of SCSI I/O queue resources the system should allocate.

    Enter an integer between 1 and 245.

    SCSI I/O Ring Size

    The number of descriptors in each SCSI I/O queue.

    Enter an integer between 64 and 512.

  6. Click Create.

Creating a Fibre Channel Network Policy

A Fibre Channel Network policy governs the Virtual Storage Area Network (VSAN) configuration for the virtual interfaces.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Fibre Channel Network, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Default VLAN

    Default VLAN of the virtual interface in Standalone Rack server. Setting the value to 0 is equivalent to None and will not associate any default VLAN to the traffic on the virtual interface. Valid values are 0 to 4094.

    VSAN ID

    Default VSAN ID of the virtual interface. Setting the ID to 0 will not associate any default VSAN to the traffic on the virtual interface.

  6. Click Create.

Creating a Fibre Channel QoS Policy

The Fibre Channel QoS policy assigns a system class to the outgoing traffic for a vHBA. This system class determines the quality of service for the outgoing traffic. For certain adapters, you can also specify additional controls like burst and rate on the outgoing traffic.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Fibre Channel QoS, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Rate Limit, Mbps

    Used for limiting the data rate on the virtual interface.

    The valid range is between 0 and 100000. The default value is Zero.

    Maximum Data Field Size, Bytes

    The maximum size of the Fibre Channel frame payload bytes that the virtual interface supports.

    The valid range is between 256 and 2112. The default value is 2112.

    Class of Service

    The Class of Service to be associated to the traffic on the virtual interface.

    The valid range is between 0 and 6. The default value is 3.

    Note

     
    • FCoE traffic has a reserved QoS system class that should not be used by any other type of traffic. If any other type of traffic has a CoS value that is used by FCoE, the value is remarked to 0.

    • This property is supported only on Standalone servers.

    Burst

    The burst traffic allowed on the vNIC in bytes.

    The valid range is between 1024 and 1000000. The default value is 1024.

    Note

     

    This property is supported only on FI-attached servers.

    Priority

    The priority matching the System QoS defined in the domain profile. The Fibre Channel (FC) is enabled by default.

    Note

     

    This property is supported only on FI-attached servers.

  6. Click Create.

Create FC Zone Policy

This policy allows you to set up access control between hosts and storage devices.

Note the following points when creating the FC Zone policy:

  • Deploying a storage VSAN using a domain profile, for the first time, clears all the unmanaged zones from the Fabric Interconnect.

  • SAN boot targets with a storage VSAN have a zone entry in the Fabric Interconnect.

  • A one-time SAN boot with a storage VSAN has a zone entry in the Fabric Interconnect.

  • Editing the FC Zone policy causes the server profile status to be changed to Pending Changes.

  • When the Fabric Interconnect is rebooted, there is a replay of zones in the configuration.

  • Detection of configuration drift is not supported for FC Zone policy.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select FC Zone, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    FC Target Zoning Type

    Type of FC Zoning. FC Zoning can be of type:

    • Single Initiator Single Target

    • Single Initiator Multiple Target

    • None

      Note

       

      If you select FC Zoning Type as None, you cannot add targets or view the table of added FC Zone sets.

    Add Target

    Click to add target details of the FC Zone policy.

    Name

    Name of the FC Zone policy.

    WWPN

    WWPN that is a member of the FC Zone.

    Switch ID

    Unique identifier of the Fabric object. The Switch ID can be A or B.

    VSAN ID

    Unique identifier of the VSAN on which the FC Zone is to be created. Valid values for the VSAN ID are 1 to 4093.

    Note

     

    The VSAN ID scope should be Storage in the VSAN policy specified for the domain.

  6. Click Create.
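
How the two zoning types in the table above turn a target list into zones, as an added example that is not Cisco's code. It assumes the usual meaning of the types (Single Initiator Single Target gives one zone per initiator and target pair; Single Initiator Multiple Target gives one zone per initiator holding all of its targets on that fabric and VSAN), a WWPN written as eight colon-separated hex bytes, and a hypothetical dict schema with constructed WWPNs.

```python
import re
from collections import defaultdict
from itertools import combinations

# Assumption: WWPNs are written as eight colon-separated hex bytes.
WWPN_RE = re.compile(r"[0-9a-f]{2}(?::[0-9a-f]{2}){7}")


def check_target(target):
    """Return the problems found in one 'Add Target' row (hypothetical schema)."""
    name = target.get("name", "<unnamed>")
    problems = []
    if not WWPN_RE.fullmatch(str(target.get("wwpn", "")).lower()):
        problems.append(f"{name}: WWPN must be 8 colon-separated hex bytes")
    if target.get("switch_id") not in ("A", "B"):
        problems.append(f"{name}: Switch ID must be A or B")
    vsan = target.get("vsan_id")
    if not isinstance(vsan, int) or not 1 <= vsan <= 4093:
        problems.append(f"{name}: VSAN ID must be 1 to 4093")
    return problems


def build_zones(initiators, zoning_type, targets):
    """Expand a policy into zones.

    initiators: {"A": wwpn, "B": wwpn}, the vHBA WWPN on each fabric.
    zoning_type: "SIST", "SIMT" or "None".
    Returns a list of {"switch_id", "vsan_id", "members"} dicts.
    """
    if zoning_type == "None":
        if targets:
            raise ValueError("zoning type None does not accept targets")
        return []
    if zoning_type not in ("SIST", "SIMT"):
        raise ValueError(f"unknown zoning type {zoning_type!r}")
    problems = [p for t in targets for p in check_target(t)]
    if problems:
        raise ValueError("; ".join(problems))

    # Targets can only be zoned with the initiator on the same fabric and VSAN.
    groups = defaultdict(list)
    for t in targets:
        wwpn = t["wwpn"].lower()
        if wwpn not in groups[(t["switch_id"], t["vsan_id"])]:
            groups[(t["switch_id"], t["vsan_id"])].append(wwpn)

    zones = []
    for (switch_id, vsan_id), wwpns in sorted(groups.items()):
        initiator = initiators[switch_id].lower()
        if zoning_type == "SIST":
            member_sets = [[initiator, w] for w in wwpns]   # one zone per pair
        else:
            member_sets = [[initiator, *wwpns]]             # one zone per initiator
        for members in member_sets:
            zones.append({"switch_id": switch_id, "vsan_id": vsan_id,
                          "members": members})
    return zones


def visible_pairs(zones):
    """Every pair of WWPNs that share a zone and can therefore see each other."""
    pairs = set()
    for zone in zones:
        pairs.update(frozenset(p) for p in combinations(zone["members"], 2))
    return pairs


# Constructed sample data, not taken from any real fabric.
INITIATORS = {"A": "20:00:00:00:00:00:0A:01", "B": "20:00:00:00:00:00:0B:01"}
TARGETS = [
    {"name": "ctl0", "wwpn": "50:00:00:00:00:00:00:01", "switch_id": "A", "vsan_id": 100},
    {"name": "ctl1", "wwpn": "50:00:00:00:00:00:00:02", "switch_id": "A", "vsan_id": 100},
    {"name": "ctl2", "wwpn": "50:00:00:00:00:00:00:03", "switch_id": "B", "vsan_id": 200},
]

if __name__ == "__main__":
    for kind in ("SIST", "SIMT"):
        zones = build_zones(INITIATORS, kind, TARGETS)
        print(kind, len(zones), "zones")
        for zone in zones:
            print("  ", zone["switch_id"], zone["vsan_id"], zone["members"])
```

Both types give the initiator the same reach, but with Single Initiator Multiple Target the targets on one fabric and VSAN also share a zone with each other, which `visible_pairs` makes explicit.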

Creating a Firmware Policy

This policy allows you to compare the firmware present on your systems against the firmware baseline. The Firmware policy also enables you to bring the firmware of your systems in line with the desired version, which drives compliance.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Firmware, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Advanced Mode

    Enable Advanced Mode to exclude components during firmware upgrade.

    Exclude Drives

    Enable Advanced Mode and select the Exclude Drives checkbox to exclude drives from the firmware upgrade.

    Exclude Storage Controllers

    Enable Advanced Mode and select the Exclude Storage Controllers checkbox to exclude storage controllers from the firmware upgrade.

    Server Model

    Select the server family for the firmware upgrade. Click + to add more server models.

    Firmware Version

    Select the bundle version to which the server is to be upgraded.

  6. Click Create.

Creating a BIOS Policy

A BIOS policy automates the configuration of BIOS settings on servers. You can create one or more BIOS policies that contain a specific grouping of BIOS settings, matching the needs of a server or a set of servers. If you do not specify a BIOS policy for a server, the BIOS settings default to the set of values for a brand-new bare-metal server or to a set of values previously configured using Cisco IMC. If a BIOS policy is specified, its values replace any previously configured values on the server.

Not all BIOS tokens are applicable to all servers. If unsupported tokens are pushed to a server, those tokens are ignored.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select BIOS, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Enter a short description.

    Cisco Provided BIOS Configuration

    Select Cisco Provided Configuration (optional)

    Click Select Cisco Provided Configuration to search and choose one of the pre-defined BIOS configuration settings.

    Note

     

    After you choose a configuration, the policy is updated with the pre-defined values from the chosen configuration. You can modify the values in the Details page or skip Step 6 and proceed to create the policy using these pre-defined values.

  5. On the Policy Details page, configure the following BIOS policy options. For more information, see Cisco UCS Server BIOS Tokens in Intersight Managed Mode.

  6. Click Create.

Creating a Boot Order Policy

The Boot Order policy allows you to configure the boot mode and your preferred boot device(s). You can specify the order in which the server attempts to boot from the configured devices. The supported boot devices are listed in the Policy Details.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Boot Order, and then select Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Configured Boot Mode

    The type of boot mode that is enabled. This can be one of the following:

    • Legacy—Uses the Master Boot Record (MBR) partitioning scheme.

      Select Legacy if the system is not UEFI-enabled.

    • UEFI—Uses the GUID Partition Table (GPT).

      Select Unified Extensible Firmware Interface (UEFI) if the system is UEFI-enabled.

    Note

     

    Legacy boot is not supported for iSCSI IPv6. Additionally, the legacy boot mode is not supported on Cisco UCS M6 and later servers.

    Enable Secure Boot Mode

    This option is available only when UEFI Boot Mode is enabled.

    Secure boot mode enforces that a device boots using the software that is trusted by the Original Equipment Manufacturer (OEM).

    Add Boot Device

    Select to add and configure a boot device. The configuration options vary with boot device types. You can change the boot order using the Up and down arrows for each boot device type.

    The selected boot device is enabled by default. To disable it, toggle the switch button.

    The supported boot devices and their configuration options for UCS standalone and FI-attached servers are listed below:
    • FlexMMC Boot

      Note

       
      • FlexMMC boot is supported only with UEFI Boot Mode for C-series standalone servers.

      • Secure Boot option is supported for FlexMMC.

      For more information on the firmware requirements for FlexMMC Boot, see Firmware Requirements for FlexMMC Boot Option.

      Configuration options:

      • Device Name—Name of the boot device.

      • Sub-Type—The sub-type for the selected device:

        • None

        • FlexMMC Mapped DVD

        • FlexMMC Mapped HDD

    • HTTP Boot

      Note

       

      HTTP/HTTPS boot is supported only with UEFI Boot Mode for both IMM servers and C-series standalone servers.

      To use HTTP Boot, you must configure a vNIC with its name or MAC address and add both HTTP Boot and PXE Boot to the boot policy. Adding PXE Boot to the boot policy enables PXE Boot on the same vNIC, which is a prerequisite for HTTP Boot to work.

      For more information on the firmware requirements for HTTP Boot, see Firmware Requirements for HTTP Boot Option.

      Configuration options:

      • Device Name—Name of the boot device.

      • IP Type—The IP address family type to use during the HTTP boot process.

      • IP Config Type—The IP config type to use during the HTTP Boot process.

        • DHCP

          • [Optional] URI—The boot resource location in URI format.

            Note

             

            If you do not enter a URI, ensure that DHCP is configured with client extensions.

          • Interface Name (Only for UCS Server (FI-Attached))—The name of the underlying vNIC that will be used by the HTTP boot device. You can select a vNIC that was configured using the LAN Connectivity Policy. For more information, see the LAN Connectivity Policy section.

        • Static

          When IP Config Type is Static and IP Type is IPv4:

          • DNS IP—The IP address of DNS server.

          • Gateway IP—The IP address of default gateway.

          • Static IP—IPv4 or IPv6 static Internet Protocol address.

          • Network Mask—Network mask of the IPv4 address.

          • URI—The boot resource location in URI format.

          • Interface Name—The name of the underlying vNIC that will be used by the HTTP boot device. You can select a vNIC that was configured using the LAN Connectivity Policy.

          When IP Config Type is Static and IP Type is IPv6:

          • DNS IP—The IP address of DNS server.

          • Gateway IP—The IP address of default gateway.

          • Static IP—IPv4 or IPv6 static Internet Protocol address.

          • Prefix Length—A prefix length which masks the IP address and divides the IP address into network address and host address.

          • URI—The boot resource location in URI format.

          • Interface Name—The name of the underlying vNIC that will be used by the HTTP boot device. You can select a vNIC that was configured using the LAN Connectivity Policy.

      • Protocol—The protocol used for HTTP Boot.

        To use the HTTPS protocol, you must have a valid Root CA Certificate for authentication. You can deploy Root CA certificates using the Certificate Management Policy. For more information, see the Creating a Certificate Management Policy section.

        Note

         

        Certificate Management Policy does not support addition, deletion, and modification of a single certificate. If even one of the certificates is added, deleted, or modified in the policy, the Server Profile must be redeployed, or a Server Action must be performed, for the certificate changes to take effect.

      • Interface Source (Only for C-series standalone servers)—Lists the supported Interface Source for HTTP device.

        • Interface Name (Only for VIC Adapters)

          • Slot—The slot ID of the adapter on which the underlying virtual ethernet interface is present.

          • Interface Name—The name of the underlying virtual ethernet interface used by the HTTP boot device.

        • Port (Only for VIC Adapters)

          • Slot—The slot ID of the adapter on which the underlying virtual ethernet interface is present.

          • Port—The Port ID of the adapter on which the underlying virtual ethernet interface is present. If no port is specified, the default value is -1. Supported values are 0 to 255.

        • MAC Address

          • Slot—The slot ID of the adapter on which the underlying virtual ethernet interface is present.

          • MAC—The MAC address of the underlying virtual ethernet interface used by the HTTP boot device.

    • iSCSI Boot

      Note

       
      • iSCSI boot with IPv6 is supported for Cisco UCS X-Series, Cisco UCS C-Series servers (M6 and later), and Cisco UCS B-Series M6 servers in Intersight Managed Mode.

      • iSCSI boot (both IPv4 and IPv6) is currently not supported for Intersight Standalone Mode servers.

      For more information on the firmware requirements for iSCSI Boot, see Firmware Requirements for iSCSI Boot Option.

      • Device Name—Name of the boot device.

      • Slot—The slot id of the boot device.

      • Interface Name (Only for FI-attached servers)—The name of the underlying virtual ethernet interface attached to iSCSI boot device.

      • Port—The port id of the boot device.

      • Bootloader Name—Name of the bootloader image.

      • Bootloader Description—Description of the bootloader.

      • Bootloader Path—Path to the bootloader image.

      Note

       

      For IPv6 iSCSI boot, only the UEFI mode is supported.

    • Local CDD

      • Device Name—Name of the boot device.

    • Local Disk

      Note

       
      This device allows the host to use the virtual drive as a bootable device.
      • Device Name—Name of the boot device.

      • Slot—The slot id of the boot device.

      • Bootloader Name—Name of the bootloader image.

      • Bootloader Description—Description of the bootloader.

      • Bootloader Path—Path to the bootloader image.

    • NVMe

      • Device Name—Name of the boot device.

      • Bootloader Name—Name of the bootloader image.

      • Bootloader Description—Description of the bootloader.

      • Bootloader Path—Path to the bootloader image.

      Note

       

      The NVMe device can be configured only on UEFI mode.

    • PCH Storage

      • Device Name—Name of the boot device.

      • LUN—The Logical Unit Number (LUN) of the boot device (0-255).

      • Bootloader Name—Name of the bootloader image.

      • Bootloader Description—Description of the bootloader.

      • Bootloader Path—Path to the bootloader image.

      Note

       

      Only UEFI boot mode is supported with software RAID configuration.

    • PXE Boot

      • Device Name—Name of the boot device.

      • IP Type—The IP address family type to use during the PXE boot process.

      • Slot—The slot ID of the adapter on which the virtual ethernet interface is present.

      • Interface Name/Port/MAC Address—The name or address of the underlying virtual ethernet interface used by the PXE boot device.

    • SAN Boot

      • Device Name—Name of the boot device.

      • LUN—The Logical Unit Number (LUN) of the boot device (0-255).

      • Slot—The slot id of the boot device. This field is applicable only for Standalone servers.

      • Interface Name—The name of the underlying vHBA interface.

      • Target WWPN—The WWPN address of the underlying Fibre Channel interface.

      • Bootloader Name—The name of the bootloader image. This field is available only in UEFI Mode.

      • Bootloader Description—The details of the bootloader image. This field is available only in UEFI Mode.

      • Bootloader Path—The path of the bootloader image. This field is available only in UEFI Mode.

    • SD Card

      • Device Name—Name of the boot device.

      • LUN—The Logical Unit Number (LUN) of the boot device (0-255).

      • Sub-Type— The sub-type for the selected device:

        • None

        • FlexUtil

        • FlexFlash

        • SDCard

    • UEFI Shell

      • Device Name—Name of the boot device.

    • USB

      • Device Name—Name of the boot device.

      • Sub-Type— The sub-type for the selected device:

        • CD

        • FDD

        • HDD

    • Virtual Media

      • Device Name—Name of the boot device.

      • Sub-Type— The sub-type for the selected device:

        • None

          Note

           
          This option is not supported on UCS FI-attached servers.
        • CIMC Mapped DVD

        • CIMC Mapped HDD

        • KVM Mapped DVD

        • KVM Mapped HDD

        • KVM Mapped FDD

    Note

     
    The device name of the boot devices can be any string that adheres to the following constraints. It should start and end with an alphanumeric character. It can have underscores and hyphens. It cannot be more than 30 characters.
  6. Click Create.
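
A pre-deployment check for the cross-field rules stated in the Boot Order table above (Secure Boot and UEFI, UEFI-only devices, HTTP Boot needing PXE Boot on the same vNIC, HTTPS needing a Root CA certificate, LUN range, device name format), as an added example that is not Cisco's code. The policy dictionary, its key names, the `root_ca_deployed` flag and the finding codes are hypothetical, and both sample policies are constructed.

```python
import re

# Device name rule from the note above: alphanumeric first and last character,
# underscores and hyphens allowed in between, at most 30 characters.
NAME_RE = re.compile(r"[A-Za-z0-9](?:[A-Za-z0-9_-]{0,28}[A-Za-z0-9])?")
UEFI_ONLY = {"FlexMMC Boot", "HTTP Boot", "NVMe"}
LUN_0_255 = {"PCH Storage", "SAN Boot", "SD Card"}


def lint_boot_policy(policy):
    """Return (code, device name, message) findings; an empty list means clean."""
    findings = []
    mode = policy.get("boot_mode")
    devices = policy.get("devices", [])
    pxe_ifaces = {d.get("interface") for d in devices if d.get("type") == "PXE Boot"}

    if policy.get("secure_boot") and mode != "UEFI":
        findings.append(("SECURE_BOOT_NEEDS_UEFI", None,
                         "Secure Boot is available only when UEFI boot mode is enabled"))

    for dev in devices:
        name, kind = dev.get("name", ""), dev.get("type")
        if not NAME_RE.fullmatch(name):
            findings.append(("BAD_DEVICE_NAME", name,
                             "name must start and end alphanumeric, max 30 characters"))
        ipv6_iscsi = kind == "iSCSI Boot" and dev.get("ip_type") == "IPv6"
        if mode != "UEFI" and (kind in UEFI_ONLY or ipv6_iscsi):
            findings.append(("UEFI_ONLY_DEVICE", name,
                             f"{kind} is not supported in {mode} boot mode"))
        if kind in LUN_0_255 and not 0 <= dev.get("lun", 0) <= 255:
            findings.append(("LUN_OUT_OF_RANGE", name, "LUN must be 0 to 255"))
        if kind == "HTTP Boot":
            iface = dev.get("interface")
            if iface is None or iface not in pxe_ifaces:
                findings.append(("HTTP_NEEDS_PXE", name,
                                 "add a PXE Boot device on the same vNIC"))
            if dev.get("protocol") == "HTTPS" and not policy.get("root_ca_deployed"):
                findings.append(("HTTPS_NEEDS_ROOT_CA", name,
                                 "deploy a Root CA via a Certificate Management policy"))
            if dev.get("ip_config") == "DHCP" and not dev.get("uri"):
                findings.append(("DHCP_URI_EMPTY", name,
                                 "no URI set: DHCP must supply it via client extensions"))
    return findings


# Constructed sample policies.
BAD_POLICY = {
    "boot_mode": "Legacy", "secure_boot": True, "root_ca_deployed": False,
    "devices": [
        {"type": "HTTP Boot", "name": "http-install", "protocol": "HTTPS",
         "ip_config": "DHCP", "uri": "", "interface": "eth0"},
        {"type": "NVMe", "name": "-nvme0"},
        {"type": "SAN Boot", "name": "san-primary", "lun": 300},
        {"type": "iSCSI Boot", "name": "iscsi6", "ip_type": "IPv6"},
    ],
}
GOOD_POLICY = {
    "boot_mode": "UEFI", "secure_boot": True, "root_ca_deployed": True,
    "devices": [
        {"type": "PXE Boot", "name": "pxe-eth0", "ip_type": "IPv4", "interface": "eth0"},
        {"type": "HTTP Boot", "name": "https-install", "protocol": "HTTPS",
         "ip_config": "DHCP", "uri": "https://boot.example.test/image.efi",
         "interface": "eth0"},
        {"type": "Local Disk", "name": "local_disk-1"},
    ],
}

if __name__ == "__main__":
    for code, device, message in lint_boot_policy(BAD_POLICY):
        print(f"{code:24} {device or '-':14} {message}")
```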

Configuring an iSCSI Boot Policy

iSCSI boot support allows you to boot the Operating System on Intersight Managed Mode blade and FI-Attached rack servers on a LUN across a Storage Area Network. The remote disk, known as the target, is accessed using TCP/IP and iSCSI boot firmware.

Prerequisites

The following are required to configure the iSCSI boot device:

  • iSCSI Static Target Policy—When you select Static as the mode for configuring the iSCSI boot policy, you can use the iSCSI Static Target policy to specify the primary target details. You can also specify the details of a secondary target, if required.

  • iSCSI Adapter Policy—Using this policy you can specify the TCP and DHCP Connection Timeout and the LUN Busy Retry Count.

  • Creating an IQN Pool—Using this policy you can specify the TCP and DHCP Connection Timeout and the retry count when the logical unit number of the boot device is busy.

  • iSCSI support (both IPv4 and IPv6) is not applicable for Intersight Standalone Mode servers.

  • iSCSI capability is applicable for boot operations only.

  • IPv4 and IPv6 are both supported on different iSCSI boot-enabled interfaces for the same service profile.

  • Service Location Protocol (SLP) and Internet Storage Name Service (iSNS) are not supported.

  • Appliance port is not supported for iSCSI IPv6.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Navigate to Configure > Policies, and then select Create Policy.

  3. Select iSCSI Boot, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    IP Protocol

    Choose between IPv4 or IPv6.

    Target Interface

    Target interface can be Auto or Static.

    Note

     
    Auto option is applicable for IPv4 only.

    DHCP Vendor ID/IQN

    If you select Auto for the target interface, specify the Initiator name, or the DHCP vendor ID. The vendor ID can be up to 32 alphanumeric characters.

    Note

     

    DHCP Option 43 and DHCP Option 17 are currently not supported for iSCSI IPv6.

    Static

    If the target interface is Static, specify the following parameters.

    Primary iSCSI Static Target

    Select the Primary Target policy. iSCSI target is the remote disk in the storage area network from which the operating system is initialized. This policy specifies the Target Name, the IP Address of the target, the Port, and the LUN ID.

    Secondary iSCSI Static Target

    Select the Secondary Target policy. Secondary Target is optional.

    iSCSI Adapter

    Select the Adapter Policy for the iSCSI boot device. The Adapter Policy specifies the TCP and DHCP Timeouts, and the Retry Count if the LUN ID is busy.

    Authentication

    You can select CHAP or Mutual CHAP as the authentication method and specify the parameters. If you have selected CHAP, specify the CHAP authentication parameters for iSCSI Target. Mutual CHAP is a two-way CHAP mechanism and is more secure.

    CHAP

    For CHAP authentication, enter:

    • Username: The user Id of the Initiator/Target Interface. Enter between 1 and 128 characters, spaces, or special characters.

    • Password: Password of Initiator or Target Interface. Enter between 12 and 16 characters, including special characters except spaces, tabs, line breaks.

    • Password Confirmation: Re-enter the password that you entered. Both the password and password confirmation have to match.

    Mutual CHAP

    Mutual CHAP is a two-way CHAP mechanism. For Mutual CHAP authentication, enter:

    • Username: The user Id of the Initiator or Target Interface. Enter between 1 and 128 characters, spaces, or special characters.

    • Password: Password of Initiator or Target Interface. Enter between 12 and 16 characters, including special characters except spaces, tabs, line breaks.

    • Password Confirmation: Re-enter the password that you entered. Both the password and password confirmation have to match.

    Initiator IP Source

    Select the method that determines the Initiator IP Source. The methods to determine the Initiator IP Source are:

    • Pool: You can select an IP pool

    • Auto: The IP is automatically determined

    • Static: You can specify a static IP address as the Initiator IP.

      When IP Config Type is Static and IP Type is IPv4:

      • IPv4 Address: Enter the Static IPv4 address provided for iSCSI Initiator.

      • Subnet Mask: Enter the 32-bit number that masks an IP address and divides the IP address into network address and host address.

      • Default Gateway: Enter the IP address of the default IPv4 gateway.

      • Primary DNS: Enter the IPv4 address of the primary Domain Name System server.

      • Secondary DNS: Enter the IPv4 address of the secondary Domain Name System server.

      When IP Config Type is Static and IP Type is IPv6:

      • IPv6 Address: Enter the Static IPv6 address provided for iSCSI Initiator.

      • Prefix: A prefix which masks the IP address and divides the IP address into network address and host address.

      • Gateway: The gateway associated with the IPv6 addresses in the block.

      • Primary DNS: Enter the IPv6 address of the primary Domain Name System server.

      • Secondary DNS: Enter the IPv6 address of the secondary Domain Name System server.

  6. Click Create.

Creating an iSCSI Adapter Policy

The iSCSI Adapter policy allows you to configure values for TCP Connection Timeout, DHCP Timeout, and the Retry Count if the specified LUN ID is busy.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select iSCSI Adapter, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    TCP Connection Timeout

    The number of seconds to wait until Cisco UCS assumes that the initial login has failed and the iSCSI adapter is unavailable.

    Enter an integer between 0 and 255. By default, it is 15 seconds.

    DHCP Timeout

    The number of seconds to wait before the initiator assumes that the DHCP server is unavailable.

    Enter an integer between 60 and 300 (default: 60 seconds).

    LUN Busy Retry Count

    The number of times to retry the connection in case of a failure during iSCSI LUN discovery.

    Enter an integer between 0 and 60. By default, it is 15 seconds.

    If the iSCSI target is unreachable, the server profile workflow activation may fail. To resolve this, reduce the retry count to a lower value, which can help the workflow complete successfully. Set the LUN Busy Retry Count to 1 to reduce retries and help the server profile workflow activate successfully.

  6. Click Create.

Creating an iSCSI Static Target Policy

The iSCSI Static Target policy allows you to specify the name, IP address, port, and logical unit number of the primary target for iSCSI boot. You can optionally specify these details for a secondary target as well.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select iSCSI Static Target, and then select Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Target Name

    Enter the name of the target.

    Port

    Enter the port number of the target.

    Enter an integer between 1 and 65535. The default is 3260.

    LUN ID

    Enter the ID of the boot logical unit number.

    Note

     

    Currently, the supported boot LUN ID for iSCSI (both IPv4 and IPv6) is limited to values less than or equal to 255.

    IP Protocol

    Choose between IPv4 or IPv6.

    IP Address

    Enter the IPv6 or IPv4 address of the iSCSI target.

    Note

     

    In a LAN Connectivity Policy, you can configure one iSCSI boot vNIC with IPv4 and another with IPv6. However, combining an IPv4 initiator with an IPv6 target, or vice versa, is not supported.

  6. Click Create.

Creating a Device Connector Policy

Device Connector Policy lets you choose the Configuration from Intersight only option to control configuration changes allowed from Cisco IMC. The Configuration from Intersight only option is enabled by default. You will observe the following changes when you deploy the Device Connector policy in Intersight:

  • Validation tasks will fail:

    • If Intersight Read-only mode is enabled in the claimed device.

    • If the firmware version of the Cisco UCS Standalone C-Series Servers is lower than 4.0(1).

  • If Intersight Read-only mode is enabled, firmware upgrades will be successful only when performed from Intersight. Firmware upgrade performed locally from Cisco IMC will fail.

  • IPMI over LAN privileges will be reset to read-only level if Configuration from Intersight only is enabled through the Device Connector policy, or if the same configuration is enabled in the Device Connector in Cisco IMC.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Device Connector, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. In the Policy Details page, enable or disable Configuration from Intersight only. This option is enabled by default.

  6. Click Create.

Creating a Scrub Policy

Scrub Policy allows you to partially delete data on local drives and reset BIOS settings when a server profile is unassigned from a server. This feature helps repurpose a server for a different workload within an organization. See also, Firmware Requirements for Scrub Policy.


Note


Scrub Policy is supported only on servers in Intersight Managed Mode.


While unassigning a server profile, Scrub policy, if configured, is initiated as a new workflow after the Undeploy Server Profile workflow is complete. You can view the workflow details from the Requests tab.

The Scrub workflow does not initiate if:

  • The Fabric Interconnect (FI) cache has insufficient space. The undeploy workflow will fail. You can clear the FI cache to resolve the issue. For more information, see Problem: Scrub or Secure Erase is unsuccessful.

  • A firmware upgrade is in progress. You can retry the unassign operation after the upgrade operation is complete.

  • The Private Virtual Appliance (PVA) does not have the necessary firmware bundle. To resolve this issue, ensure that the firmware bundle is uploaded to the PVA.

To create a Scrub Policy:

Procedure

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Scrub, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, specify whether this scrub policy has to be applied on local drives and/or BIOS settings of a server:

    • [Optional] Disk: When enabled, deletes the data on local drives. If disabled, retains all data on local drives.

    • [Optional] BIOS: When enabled, resets BIOS settings to the factory defaults. If disabled, retains the existing BIOS settings on the server.

Time Taken for Scrub Operation on Various Platforms

The following table provides the estimated time required to complete the Scrub operation on various platforms. The actual time taken may vary based on your environment and configuration. The table provides reference data for some of the tested drives; however, the Scrub policy is applicable to all drives.


Note


These timelines assume that the firmware bundle is cached in the Fabric Interconnect cache.


Platform Model | Time Taken (mm:ss) | Tested Drives
Cisco UCS X-Series M7 servers | 24:21 | UCS-SD960GM2NK9D, UCS-SD800GK3X-EP, UCS-SD480G6I1X-EV, UCS-SD960G6I1X-EV, UCS-SD19TM1X-EV, UCS-NVMEG4-M960, UCS-NVMEG4-M1920
Cisco UCS X-Series M6 servers | 31:13 | UCS-SD19TM1X-EV, UCS-SD120GM1X-EV, UCS-SD480GBM3X-EP, UCS-SD120GM1X-EV, UCS-SD960GK1X-EV, UCS-SD480G6I1X-EV, UCS-SD960G6I1X-EV
Cisco UCS B-Series M6 servers | 31:18 | UCS-SD480GBI6-EP, UCS-SD19TM6NK9, UCSB-NVMEM6-W800, UCS-SD120GM6-EV, UCS-SD240GM6-EV
Cisco UCS B-Series M5 servers | 36:25 | UCS-HD300G10K12G, UCS-HD600G10K12G, UCS-HD12TB10K12G, UCS-HD600G15K12G, UCS-HD900G15K12G
Cisco UCS C-Series M7 servers | 35:39 | UCS-HD300G10KJ4, UCS-HD600G10KJ4, UCS-HD12TB10KJ4, UCS-HD18TB10KJ4, UCS-NVMEG4-M960, UCS-NVMEG4-M1920
Cisco UCS C-Series M6 servers | 37:02 | UCS-HD300G15K12N, UCS-HD600G15K12N, UCS-HD900G15K12N, UCS-HD12TB10K12N, UCS-HD300G10K12N, UCS-HD600G10K12N, UCS-SD800GK3X-EP
Cisco UCS C-Series M5 servers | 29:43 | UCS-HD300G15K12N, UCS-HD600G15K12N, UCS-HD900G15K12N, UCS-HD12TB10K12N, UCS-HD300G10K12N, UCS-HD600G10K12N, UCS-SD800GK3X-EP

Creating a Drive Security Policy

Drive Security Policy enables you to configure security keys either locally or remotely using a KMIP server.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Drive Security, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Enter a description for your policy.

  5. Do one of the following on the Policy Details page:

    • To configure a manual key locally:

      1. Under Drive Security Configuration Type, click Manual Key, and then do one of the following:

        • If you are configuring the security key for the first time, in the New Security Key Passphrase field, enter a new alphanumeric passphrase for the security key. The passphrase should be 8 to 32 characters long and should include at least one uppercase letter, one lowercase letter, one number, and one special character.


          Caution


          To avoid losing the manual security key passphrase and ensure its recovery, it is recommended to save the key externally.


        • If security is already enabled with a manual key and you want to reset the key:

          1. In the New Security Key Passphrase field, enter an alphanumeric passphrase. The passphrase should be 8 to 32 characters long and should include at least one uppercase letter, one lowercase letter, one number, and one special character.


            Caution


            To avoid losing the manual security key passphrase and ensure its recovery, it is recommended to save the key externally.


          2. Select the Drive Security is Already Enabled with a Manual Key checkbox, and then enter the existing key in the Current Security Key Passphrase field.


            Note


            The key entered in the Current Security Key Passphrase field is not validated immediately. The validation happens only while you deploy the profile. If there is a key mismatch, the policy deployment will fail.


    • To configure a KMIP server for remotely managing the key:

      1. Under Drive Security Configuration Type, click Remote Key Management.

      2. Configure the following parameters:

        Property

        Essential Information

        Hostname/IP Address

        Enter the IP address of the KMIP server that you want to use.

        Port

        Enter the port number for the KMIP server. The default port is 5696.

        Timeout

        Enter the maximum time allowed for the KMIP client to connect.

        The recommended timeout interval is up to 65 seconds.

      3. To configure a fallback KMIP server, add the details of an additional KMIP server under the Secondary KMIP Server.

      4. In the Server Public Root CA Certificate field, paste the root certificate copied from the KMIP server.

      5. If your KMIP server supports authentication, click the Enable Authentication option for additional security and enter your username and password.


        Note


        You can use authentication only if the KMIP server supports it.


  6. Click Create.

The newly created policy is displayed in the table view on the Policy Details page.

See also, Secure Self-Encrypting Drives.

Creating a Disk Group Policy

The Disk Group policy defines how a disk group (a group of physical disks that are used for creating virtual drives) is created and configured, and specifies the RAID level to be used for the disk group. With this policy, you can select the physical disks that have to be part of a disk group. When a Disk Group policy is associated with multiple virtual drives in a Storage policy, the virtual drives share the same disk group space.


Note


This policy is not applicable for virtual drives for a Cisco Boot Optimized M.2 RAID Controller.


  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Disk Group, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Virtual Drive Configuration

    RAID Level

    Set the Redundant Array of Inexpensive Disks (RAID) level to ensure availability and redundancy of data, and I/O performance.

    The supported RAID levels for the disk group are:

    • RAID0—Data is striped across all disks in the array, providing fast throughput. There is no data redundancy, and all data is lost if any disk fails.

    • RAID1—Data is written to two disks, providing complete data redundancy if one disk fails. The maximum array size is equal to the available space on the smaller of the two drives.

    • RAID5—Data is striped across all disks in the array. Part of the capacity of each disk stores parity information that can be used to reconstruct data if a disk fails. RAID 5 provides good data throughput for applications with high read request rates.

    • RAID6—Data is striped across all disks in the array and two sets of parity data are used to provide protection against failure of up to two physical disks. In each row of data blocks, two sets of parity data are stored.

    • RAID10—This RAID uses mirrored pairs of disks to provide complete data redundancy and high throughput rates through block-level striping. RAID 10 is mirroring without parity and block-level striping. A minimum of four disks are required for RAID 10.

    • RAID50—Data is striped across multiple striped parity disk sets to provide high throughput and multiple disk failure tolerance.

    • RAID60—Data is striped across multiple striped dual parity disk sets to provide high throughput and greater disk failure tolerance.

    Local Disk Configuration - Disk Group (Span 0)

    Drive Number

    Specify the drive number for the disk group associated with the RAID controller.

    Dedicated Hot Spares

    Dedicated Hot Spares

    Select Enable to use a hot spare drive in the case of disk failure in the disk group.

    Drive Number

    Specify the identified drive number to act as a dedicated hot spare for the disk group.

    Set Disks in JBOD state to Unconfigured good

    Select to allow users to convert any disks in the JBOD state to Unconfigured Good disks so that they can be used in the RAID group.


    Attention


    All virtual drives in a disk group should be managed by using the same disk group policy.


  6. Click Create.

Creating an IMC Access Policy

The IMC Access policy allows you to configure your network and associate an IP address from an IP Pool with a server. An In-Band IP address, an Out-Of-Band IP address, or both can be configured using the IMC Access policy, and these addresses are supported on Drive Security, SNMP, Syslog, and vMedia policies.


Note


  • The Out-of-Band IP address support for SNMP policy is available only for the Fabric Interconnects running on Infrastructure Firmware 4.3(2.230129) or later versions.

  • The Out-of-Band IP address support for SNMP policy is not available for servers in Cisco UCS X-Series Direct system.

  • Disjoint Layer 2 rules apply to the Inband VLANs configured on the blades within the same chassis. You can configure multiple Inband VLANs for blades within the same chassis, provided the VLANs belong to the same Disjoint Group and are allowed on the same uplink.

  • When both In-Band and Out-of-Band IP addresses are configured, In-Band IP address is the default preference.


  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select IMC Access, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    In-Band Configuration

    Enable to make the server management services available through the uplink port.

    VLAN ID

    Enter the VLAN ID to be used for server access over the inband network. The field value can be between 4 and 4093.

    IPv4 address configuration

    Select to determine the type of network for this policy.

    Note

     
    You can select only IPv4 address configuration or both IPv4 and IPv6 configurations.

    IPv6 address Configuration

    Select to determine the type of network for this policy.

    Note

     
    You can select only IPv6 address configuration or both IPv4 and IPv6 configurations.

    IP Pool

    Select IP Pool

    Click to view the list of IP Pools available and select an IP pool for In-Band configuration.

    Note

     

    Ensure that the default gateway specified in the IP Pool used for IMC Access Policy has connectivity to Cisco IMC. For more information, see the Creating an IP Pool section.

    Out-Of-Band Configuration

    Enable to make the server management services available through the management port.

    IP Pool

    Select IP Pool

    Click to view the list of IP Pools available and select an IP pool for the Out-Of-Band configuration.

    Note

     
    • Only IPv4 addresses are supported for Out-Of-Band configuration.

    • Cisco IMC Out-of-Band IPs must be on the same subnet as the Fabric Interconnects (FIs) management IPs.

Creating an IPMI Over LAN Policy

The IPMI over LAN policy defines the protocols for interfacing with a service processor that is embedded in a server platform. The Intelligent Platform Management Interface (IPMI) enables an operating system to obtain information about the system health and control system hardware and directs the Cisco IMC to perform the required actions. You can create an IPMI Over LAN policy to manage the IPMI messages through Cisco Intersight.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select IPMI Over LAN, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable IPMI Over LAN

    The state of the IPMI Over LAN service on the endpoint.

    Privilege Level

    You can assign these privileges to the IPMI sessions on the server:

    • admin—You can create admin, user, and read-only sessions on servers with the "Administrator" user role.

    • read-only—You can only create read-only IPMI sessions on servers with the "Read-only" user role.

    • user—You can create user and read-only sessions, but not admin sessions on servers with the "User" role.

    Note

     
    • This configuration is supported only on Cisco UCS C-Series Standalone and C-Series Intersight Managed Mode Servers.

    • The value of the Privilege field must match exactly the role assigned to the user attempting to log in. For example, if this field is set to read-only and a user with the admin role attempts to log in through IPMI, that login attempt will fail.

    Encryption Key

    The encryption key to use for IPMI communication. The key must have an even number of hexadecimal characters and must not exceed 40 characters. You can use "00" to disable the encryption key use. If the encryption key specified is less than 40 characters, then the IPMI commands must add zeroes to the encryption key to achieve a length of 40 characters.

    Note

     

    This encryption key configuration is supported only on Cisco UCS C-Series Standalone and C-Series Intersight Managed Mode servers. To support this configuration on Intersight Managed Mode servers, a minimum firmware version 4.2(3a) is required.

  6. Click Create.
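
The Encryption Key rules above can be checked before a policy is created. The following is an added example, not Cisco code: the function names are hypothetical, and it assumes the padding zeroes are appended after the configured characters, which the text above does not specify.

```python
import re

KEY_HEX_CHARS = 40  # full key length stated in the Encryption Key description


def normalize_ipmi_key(key):
    """Validate a key against the documented rules and pad it to 40 hex characters."""
    key = key.strip()
    if not re.fullmatch(r"[0-9A-Fa-f]+", key):
        raise ValueError("key must consist of hexadecimal characters only")
    if len(key) % 2:
        raise ValueError("key must have an even number of characters")
    if len(key) > KEY_HEX_CHARS:
        raise ValueError("key must not exceed 40 characters")
    # Assumption: zeroes are added on the right of the configured characters.
    return key.lower().ljust(KEY_HEX_CHARS, "0")


def audit_ipmi_key(key):
    """Return findings for one configured key; an empty list means nothing to report."""
    try:
        padded = normalize_ipmi_key(key)
    except ValueError as err:
        return [f"invalid: {err}"]
    findings = []
    if set(padded) == {"0"}:
        # "00" disables encryption key use; any all-zero key pads to the same value.
        findings.append("encryption key use is disabled (all-zero key)")
    elif len(key.strip()) < KEY_HEX_CHARS:
        # Each hex character carries 4 bits; padding zeroes add nothing secret.
        bits = 4 * len(key.strip())
        findings.append(f"short key: {bits} of 160 key bits are configured, the rest are padding zeroes")
    return findings


# Constructed sample values, not taken from any real system.
SAMPLE_KEYS = ["00", "1A2B3C4D", "abc", "0123456789abcdef0123456789abcdef01234567"]

if __name__ == "__main__":
    for sample in SAMPLE_KEYS:
        print(sample, "->", audit_ipmi_key(sample) or "ok")
```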

Creating an LDAP Policy

Lightweight Directory Access Protocol (LDAP) stores and maintains directory information in a network. When LDAP is enabled, user authentication and role authorization are performed by the LDAP server for user accounts not found in the local user database. You can enable and configure LDAP servers and LDAP groups.

The table below lists the platforms that support LDAP policy:

Policy | Standalone Server | IMM Server | UCS Domain
LDAP Policy | Yes | No | Yes

  1. Log in to Cisco Intersight with the Account Administrator, Server Administrator, or Domain Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select LDAP, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Description

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format.

    Description (Optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Description

    Enable LDAP

    The state of the LDAP service on the endpoint.

    Ensure that the switch is turned on to proceed.

    Base Settings

    Base DN

    Base Distinguished Name. This field describes where to load users and groups from.

    It must be in the dc=domain,dc=com format for Active Directory servers.

    Domain

    The IPv4 domain that all users must be in.

    This field is required unless you specify at least one Global Catalog server address.

    Note

     

    This option is not applicable for UCS Domain.

    Timeout

    The number of seconds that Intersight waits until the LDAP search operation times out.

    If the search operation times out, Intersight tries to connect to the next server listed on this tab, if one is available.

    This value can range from 30 to 180 seconds. If set between 0 and 29, the value defaults to 30 seconds.

    Note

     
    The value you specify for this field could impact the overall time.

    Enable Encryption

    If enabled, the server encrypts all information it sends to the LDAP server.

    LDAP uses STARTTLS, which allows encrypted communication using port 389. If this option is checked, do not change the port to 636; leave it at 389. Cisco UCS negotiates a TLS session on port 636 for SSL, but the initial connection starts unencrypted on 389. The default port for the LDAP server is 389, and the default port for secure LDAP server authentication is 636.

    Binding Parameters

    Bind Method

    It can be one of the following:

    Anonymous—requires NULL username and password. If this option is selected and the LDAP server is configured for Anonymous logins, then the user can gain access.

    Configured Credentials—requires a known set of credentials to be specified for the initial bind process. If the initial bind process succeeds, then the distinguished name (DN) of the user name is queried and re-used for the re-binding process. If the re-binding process fails, then the user is denied access.

    Note

     

    For UCS Domain, only Configured Credentials method is applicable.

    Login Credentials—requires the user credentials. If the bind process fails, the user is denied access. By default, the Login Credentials option is selected.

    Bind DN

    The distinguished name (DN) of the user. This field is editable only if you have selected Configured Credentials option as the binding method.

    Bind Password

    The password of the user. This field is editable only if you have selected Configured Credentials option as the binding method.

    Search Parameters

    Filter

    This field must match the configured attribute in the schema on the LDAP server.

    For example, sAMAccountName=$userid.

    Group Attribute

    This field must match the configured attribute in the schema on the LDAP server.

    For example, memberOf.

    Attribute

    An LDAP attribute that contains the role and locale information for the user. This property is always a name-value pair. The system queries the user record for the value that matches this attribute name.

    The LDAP attribute can use an existing LDAP attribute that is mapped to the Cisco IMC user roles and locales, or can modify the schema such that a new LDAP attribute can be created. For example, CiscoAvPair or memberOf as reference.

    Note

     
    If you do not specify this property, the user cannot log in. Although the object is located on the LDAP server, it should be an exact match of the attribute that is specified in this field.

    Group Authorization

    Group Authorization

    If enabled, user authentication is also done on the group level for LDAP users that are not found in the local user database.

    Nested Group Search Depth

    Parameter to search for an LDAP group nested within another defined group in an LDAP group map. The parameter defines the depth of a nested group search.

    The maximum supported depth is 128.

    Configure LDAP Servers

    Enable DNS

    If enabled, you can use DNS to configure access to the LDAP servers.

    Note

     

    This option is not applicable for UCS Domain.

    Source

    Specifies how to obtain the domain name used for the DNS SRV request. It can be one of the following:

    • Extracted—specifies using the domain name extracted from the login ID.

    • Configured—specifies using the configured-search domain.

    • Configured-Extracted—specifies using the domain name extracted from the login ID than the configured-search domain.

    Note

     

    This option is not applicable for UCS Domain.

    Server

    The IP address or host name of the LDAP server.

    Port

    The LDAP server port number. The default port number is 389.

    Vendor

    LDAP server vendor type used for authentication. This can be one of the following:

    • OpenLDAP

    • Microsoft Active Directory (MSAD)

    Note

     

    This option is applicable only for UCS Domain.

    User Search Precedence

    The order of search between the local user database and LDAP user database. This can be one of the following:

    • Local User Database (Default setting)

    • LDAP User Database

    Add New LDAP Group

    Name

    The name of the group in the LDAP server database that is authorized to access the server.

    Group DN

    The LDAP group DN in the LDAP server database. It is mandatory for UCS Domain.

    For example: CN=Administrators,CN=Builtin,DC=LdapTestServer,DC=COM

    Domain

    The LDAP server domain the group must reside in.

    Note

     

    This option is not applicable for UCS Domain.

    Role

    The role assigned to all users in this LDAP server group. This can be one of the following:

    • read-only—A user with this role can view information but cannot make any changes.

    • user—A user with this role can perform the following tasks:

      • View all information

      • Manage the power control options such as power on, power cycle, and power off

      • Launch the KVM console and virtual media

      • Clear all logs

      • Toggle the locator LED

      • Set time zone

      • Ping

    • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

    Note

     

    Currently, only the admin role is available as the endpoint role for UCS domain, and it is assigned to every user by default.

  6. Click Create.


Note


  • The maximum number of LDAP servers that can be configured is 16.

  • The maximum number of LDAP groups that can be added is 160.

  • When downgrading the firmware, the user must unconfigure the LDAP policy from the profile by removing the policies and then redeploying.


To know about the supported infrastructure firmware versions for the LDAP policy, see Supported Systems.
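
Several LDAP settings above interact or have limits that are easy to miss in the wizard: the 636 port with encryption enabled, the timeout floor, Anonymous bind, and the server and group maximums. The following is an added example, not Cisco code, that lints a policy written as a Python dict before it is entered. The dict keys and the function name are hypothetical and do not correspond to any Intersight API schema.

```python
import re

# Base DN made only of dc= components, the dc=domain,dc=com form described above.
BASE_DN_RE = re.compile(r"dc=[^,=]+(,dc=[^,=]+)*", re.IGNORECASE)


def lint_ldap_policy(policy):
    """Return (field, message) findings for an LDAP policy described as a dict."""
    findings = []

    def add(field, message):
        findings.append((field, message))

    if not BASE_DN_RE.fullmatch(policy.get("base_dn", "").replace(" ", "")):
        add("base_dn", "not in dc=domain,dc=com form (required for Active Directory)")

    timeout = policy.get("timeout", 0)
    if 0 <= timeout <= 29:
        add("timeout", "values 0 to 29 are replaced by the 30-second default")
    elif not 30 <= timeout <= 180:
        add("timeout", "outside the 30 to 180 second range")

    encrypted = policy.get("enable_encryption", False)
    if not encrypted:
        add("enable_encryption", "information sent to the LDAP server is not encrypted")

    servers = policy.get("servers", [])
    if len(servers) > 16:
        add("servers", "more than the maximum of 16 LDAP servers")
    for entry in servers:
        # With Enable Encryption set, STARTTLS is used and the port stays 389.
        if encrypted and entry.get("port", 389) == 636:
            add("servers", f"{entry['server']}: encryption is enabled, leave the port at 389")

    if policy.get("bind_method") == "Anonymous":
        add("bind_method", "grants access when the LDAP server allows anonymous logins")

    if not policy.get("attribute"):
        add("attribute", "not set, so users cannot log in")

    if policy.get("nested_group_search_depth", 0) > 128:
        add("nested_group_search_depth", "exceeds the maximum supported depth of 128")

    if len(policy.get("groups", [])) > 160:
        add("groups", "more than the maximum of 160 LDAP groups")

    return findings


# Constructed sample policy; host name and values are illustrative only.
SAMPLE_POLICY = {
    "base_dn": "dc=example,dc=com",
    "timeout": 10,
    "enable_encryption": True,
    "bind_method": "Anonymous",
    "attribute": "CiscoAvPair",
    "nested_group_search_depth": 128,
    "servers": [{"server": "ldap1.example.com", "port": 636}],
    "groups": [{"name": "ucs-admins", "role": "admin"}],
}

if __name__ == "__main__":
    for field, message in lint_ldap_policy(SAMPLE_POLICY):
        print(f"{field}: {message}")
```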

Creating a Local User Policy

The Local User policy automates the configuration of local user preferences. You can create one or more Local User policies which contain a list of local users that need to be configured.


Note


By default, IPMI support is enabled for all users.


  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Local User, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Password Properties

    Password properties apply only to Rack servers and not to Blade Servers.

    Enforce Strong Password

    Enables strong password policy.

    Change Password

    Enables changing the existing password.

    Enable Password Expiry

    Enables password expiry on the endpoint.

    Note

     

    Password expiry, once set by the admin, applies to all users that are subsequently created. The Password Expiry Duration must be greater than the Notification Period and the Grace Period. Otherwise, you will see a User Password Expiry Policy configuration error.

    Password Expiry Duration

    The time period that you can set for the existing password to expire (from the time you set a new password or modify an existing one). The range is between 1 and 3650 days.

    Notification Period

    The period before the password expires during which the user is notified. Enter a value between 0 and 15 days. Entering 0 disables this field.

    Grace Period

    The period after expiry during which the existing password can still be used. Enter a value between 0 and 5 days. Entering 0 disables this field.

    Password History

    The number of occurrences when a password was entered. When this is enabled, you cannot repeat a password. Enter a value between 0 and 5. Entering 0 disables this field.

    Always Send User Password

    When enabled, the user password is always sent to the endpoint device. When not enabled, the user password is sent to the endpoint device for new users and when the password is changed for existing users.

    Add New User

    Enable

    Enables the user account on the endpoint.

    New User

    Enables new user configuration.

    Username

    The username for the user.

    Enter between 1 and 16 characters.

    Role

    The role associated with the user on the endpoint.

    • read-only—A user with this role can view information but cannot make any changes.

    • user—The user role type is supported only in racks. A user with this role can perform the following tasks:

      • View all information

      • Manage the power control options such as power on, power cycle, and power off

      • Launch the KVM console and virtual media

      • Clear all logs

      • Ping

    • admin—A user with this role can perform all actions available through the GUI, CLI, and IPMI.

    Password

    The password for this user name. When you move the mouse over the help icon beside the field, the following guidelines to set the password are displayed:

    • The password must have a minimum of 8 and a maximum of 20 characters. This is an Intersight platform limitation.

    • The password must not contain the User Name.

    • The password must contain characters from three of the following four categories:

      • English uppercase characters (A through Z).

      • English lowercase characters (a through z).

      • Base 10 digits (0 through 9).

      • Non-alphabetic characters (!, @, #, $, %, ^, &, *, -, _, , =, '').

    These rules are meant to define a strong password for the user, for security reasons. However, if you want to set a password of your choice ignoring these guidelines, click the Disable Strong Password button on the Local Users tab. While setting a password when the strong password option is disabled, you can use between 1 and 20 characters.

    Note

     

    You can change the password of a Local User policy by editing the policy. However, the Change Password option is disabled once the policy is deployed.

    Password Confirmation

    The password repeated for confirmation purposes.

  6. Click Create.
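
The password guidelines above can be checked before a Local User policy is created. The following Python is an added example, not Cisco code: the function names and the dictionary layout are hypothetical, the special-character set holds only the characters legible in the list above, and the username comparison is assumed to be case-insensitive.

```python
import string

ROLES = {"read-only", "user", "admin"}

# Assumption: only the special characters that are legible in the list above.
SPECIALS = set("!@#$%^&*-_=")


def password_problems(username, password, strong=True):
    """Return the guidelines a password violates (empty list means acceptable)."""
    if not strong:
        # Strong password disabled: only the 1-20 character limit applies.
        return [] if 1 <= len(password) <= 20 else ["length must be 1-20 characters"]

    problems = []
    if not 8 <= len(password) <= 20:
        problems.append("length must be 8-20 characters")
    # Assumption: compare case-insensitively, the stricter reading of the rule.
    if username and username.lower() in password.lower():
        problems.append("password contains the username")
    categories = (
        any(c in string.ascii_uppercase for c in password),
        any(c in string.ascii_lowercase for c in password),
        any(c in string.digits for c in password),
        any(c in SPECIALS for c in password),
    )
    if sum(categories) < 3:
        problems.append("needs characters from three of the four categories")
    return problems


def local_user_problems(user, strong=True):
    """Validate one hypothetical local-user entry: username, role and password."""
    problems = []
    if not 1 <= len(user["username"]) <= 16:
        problems.append("username must be 1-16 characters")
    if user["role"] not in ROLES:
        problems.append("role must be read-only, user or admin")
    return problems + password_problems(user["username"], user["password"], strong)


if __name__ == "__main__":
    # Constructed sample entries, not real accounts.
    for entry in (
        {"username": "opsuser", "role": "admin", "password": "OpsUser#2024"},
        {"username": "auditor", "role": "read-only", "password": "Tr1angle"},
    ):
        print(entry["username"], local_user_problems(entry) or "ok")
```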

Creating an NTP Policy

The NTP policy enables the NTP service to configure a UCS system that is managed by Cisco Intersight to synchronize the time with an NTP server. You must enable and configure the NTP service by specifying the IP/DNS address of at least one server or a maximum of four servers that function as NTP servers. When you enable the NTP service, Cisco Intersight configures the NTP details on the endpoint.

  1. Log in to Cisco Intersight with Account Administrator or Server or Domain Administrator roles.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select NTP, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable NTP

    Enables NTP policy configuration.

    NTP Servers

    A collection of NTP Server IP addresses or hostnames.

    Time Zone

    A collection of time zones from which you can select a time zone for the endpoint.

    This property is applicable to switches and to Cisco IMC (standalone) servers.

    When a hostname is used for NTP configuration, DNS server information must be configured in the Network Connectivity policy.

  6. Click Create.

Creating an SD Card Policy

The SD Card policy in Cisco Intersight configures the Cisco FlexFlash and FlexUtil Secure Digital (SD) cards for the Cisco UCS C-Series Standalone M4, M5 servers, and Cisco UCS C-Series M5 servers in a Cisco Intersight-Managed Fabric Interconnect Domain. This policy specifies details of virtual drives on the SD cards. You can configure the SD cards in the Operating System Only, Utility Only, or Operating System + Utility modes.

When two cards are present in the Cisco FlexFlash controller and Operating System is chosen in the SD card policy, the configured OS partition is mirrored. If only a single card is available in the Cisco FlexFlash controller, the configured OS partition is non-RAID. The utility partitions are always set as non-RAID.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select SD Card, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Operating System Only

    Operating System

    Enables the Operating System partition.

    Operating System Partition Name

    The name for the Operating System partition.

    Utility Only

    Diagnostics

    Enables the Operating System health diagnostics utility.

    Drivers

    Enables virtual driver utility.

    Host Upgrade Utility

    Enables Host Upgrade Utility (HUU).

    Server Configuration Utility

    Enables Server Configuration Utility (SCU).

    User Partition

    Enables user partition.

    User Partition Name

    The user partition name.

    Operating System + Utility

    Diagnostics

    Enables the operating system health diagnostics utility.

    Drivers

    Enables virtual driver utility.

    Host Upgrade Utility

    Enables Host Upgrade Utility (HUU).

    Server Configuration Utility

    Enables Server Configuration Utility (SCU).

    User Partition

    Enables user partition.

    User Partition Name

    The user partition name.

    Operating System Partition

    Enables the Operating System partition.

    Operating System Partition Name

    The name for the Operating System partition.

  6. Click Create.

Exceptions

  • SD Card Policy is not supported on M6 servers.

  • SD Card Policy is not imported with a Server Profile when the SD Cards are not present in the server.

  • Diagnostics is applicable for M5 Series only.

  • For the Operating System+Utility mode the M5 servers require at least 1 FlexFlash + 1 FlexUtil card.

Create a Serial Over LAN Policy

The Serial Over LAN policy enables the input and output of the serial port of a managed system to be redirected over IP. You can create one or more Serial over LAN policies which contain a specific grouping of Serial over LAN attributes that match the needs of a server or a set of servers.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Serial Over LAN, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable Serial Over LAN

    The state of Serial Over LAN service on the endpoint.

    COM Port

    The serial port through which the system routes Serial Over LAN communication.

    • com0—SoL communication is routed through COM port 0, an externally accessible serial port that supports either a physical RJ45 connection to an external device or a virtual SoL connection to a network device.

      If you select this option, the system enables SoL and disables the RJ45 connection, which means that the server can no longer support an external serial device.

    • com1—SoL communication is routed through COM port 1, an internal port accessible only through SoL.

      If you select this option, you can use SoL on COM port 1 and the physical RJ45 connection on COM port 0.

    Note

     
    • This is applicable to Cisco UCS C-Series Standalone servers only.

    • Serial Port is available only on some Cisco UCS C-Series servers. If it is unavailable, the server uses COM port 0 by default. Changing the Com Port setting disconnects any existing SoL sessions.

    Baud Rate

    The Baud Rate used for Serial Over LAN communication. The rate can be:

    • 9600 bps

    • 19.2 kbps

    • 38.4 kbps

    • 57.6 kbps

    • 115.2 kbps

    Note

     
    • The baud rate must match the baud rate configured in the server serial console.

    • The baud rate for Cisco UCS X-Series Direct is 115.2 kbps.

    SSH Port

    The SSH port used to access Serial Over LAN directly. Enables bypassing Cisco IMC shell to provide direct access to Serial Over LAN.

    The valid range is 1024 to 65535. The default value is 2400.

    Note

     
    • This is applicable to Cisco UCS C-Series Standalone servers only.

    • Changing the SSH Port setting disconnects any existing SSH sessions.

  6. Click Create.

Create SSH Policy

The SSH policy enables an SSH client to make a secure, encrypted connection. You can create one or more SSH policies that contain a specific grouping of SSH properties for a server or a set of servers.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select SSH, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable SSH Policy

    Enables SSH.

    SSH Port

    The port used for secure shell access.

    SSH Timeout (seconds)

    The number of seconds to wait before the system considers an SSH request to have timed out.

    Enter an integer between 60 and 10,800. The default is 1,800 seconds.

  6. Click Create.

Creating a Virtual KVM Policy

The KVM console is an interface that emulates a direct keyboard, video, and mouse (KVM) connection to the server. It allows you to control the server from a remote location and to map physical locations to virtual drives that can be accessed by the server during this KVM session.

The Virtual KVM policy enables specific grouping of virtual KVM properties. This policy lets you specify the number of allowed concurrent KVM sessions, port information, and video encryption options.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Virtual KVM, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable Virtual KVM

    The state of the vKVM service on the endpoint.

    Max Sessions

    The maximum number of concurrent KVM sessions allowed.

    Remote Port

    The port for remote KVM communication. The port range is from 1024 to 49151. The default is 2068.

    Enable Video Encryption

    Enables encryption on all video information sent through KVM. The Video Encryption is enabled by default.

    Note

     

    For firmware versions 4.2(1a) or higher, this encryption parameter is deprecated, and disabling the encryption results in a validation failure during the server profile deployment.

    Enable Local Server Video

    Enables KVM session displays on any monitor attached to the server.

    Note

     

    This is applicable to Cisco UCS C-Series Standalone servers only.

    Allow Tunneled vKVM

    Enable to allow tunneled vKVM on the endpoint.

    Note

     

    Applies only to Device Connectors that support Tunneled vKVM.

  6. Click Create.

Exceptions

  • The virtual media viewer is accessed through the KVM. If you disable the KVM console, Cisco IMC also disables access to all virtual media devices attached to the host.

  • After a KVM vMedia session is mapped, if you change the KVM management policy, it will result in a loss of the vMedia session. You must re-map the KVM vMedia session again.

Creating a Virtual Media Policy

The Virtual Media policy enables you to install an operating system on the server using the KVM console and virtual media, mount files to the host from a remote file share, and enable virtual media encryption. You can create one or more virtual media policies, which could contain virtual media mappings for different OS images, and configure up to two virtual media mappings, one for ISO files through CDD and the other for IMG files through HDD.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Virtual Media, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (optional)

    Enter a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable Virtual Media

    Select this option to enable the virtual media policy. This property is enabled by default.

    Enable Virtual Media Encryption

    Select this option to enable encryption of the virtual media communications. This property is enabled by default.

    Note

     

    For firmware versions 4.2(1a) or higher, this encryption parameter is deprecated, and disabling the encryption results in a validation failure during the server profile deployment.

    Enable Low Power USB

    Select this option to enable the appearance of virtual drives on the boot selection menu after mapping the image and rebooting the host. This property is enabled by default.

    Add Virtual Media

    Virtual Media Type

    Select the remote virtual media type:

    • CDD

    • HDD

    NFS/CIFS/HTTP/HTTPS

    The properties below vary depending on the tab that is selected.

    Name

    The identity of the image for virtual media mapping.

    File Location

    Provide the remote file location path: Host Name or IP address/file path/file name

    • IP Address—The IP address or the hostname of the remote server.

    • File Path—The path to the location of the image on the remote server.

    • File Name—The name of the remote file in .iso or .img format.

    The remote file location path for the virtual media mapping takes one of the following forms:

    • HDD Virtual Media: hostname or IP address /filePath/fileName.img

    • CDD Virtual Media: hostname or IP address /filePath/fileName.iso

    • HDD Virtual media for HTTP: http://server-hostname-or-ip/filePath/fileName.img

    • CDD Virtual media for HTTP: http://server-hostname-or-ip/filePath/fileName.iso

    • HDD Virtual media for HTTPS: https://server-hostname-or-ip/filePath/fileName.img

    • CDD Virtual media for HTTPS: https://server-hostname-or-ip/filePath/fileName.iso

    Username

    The username to log in to the remote server. This field is displayed on selecting CIFS, HTTP, or HTTPS.

    Password

    The password associated with the username. This field is displayed on selecting CIFS, HTTP, or HTTPS.

    Mount Options

    The mount options for the virtual media mapping. The field can be left blank or filled in with a comma-separated list of the following options:

    • For NFS, supported options are ro, rw, nolock, noexec, soft, port=VALUE, timeo=VALUE, retry=VALUE.

    • For CIFS, supported options are soft, nounix, noserverino, guest, ver=3.0, or ver=2.0.

      Note

       

      If the firmware version is 4.1 or higher, and the CIFS version is lower than 3.0, the mount option field must be entered with the version value (vers=VALUE). For example, vers=2.0.

    • For HTTP and HTTPS, the only supported option is noauto.

    Authentication Protocol

    Select the authentication protocol when CIFS is used for communication with the remote server. This field is displayed on selecting CIFS.

    • None—No authentication is used

    • ntlm—NT LAN Manager (NTLM) security protocol. Use this option only with Windows 2008 R2 and Windows 2012 R2.

    • ntlmi—NTLMi security protocol. Use this option only when you enable Digital Signing in the CIFS Windows server.

    • ntlmv2—NTLMv2 security protocol. Use this option only with Samba Linux.

    • ntlmv2i—NTLMv2i security protocol. Use this option only with Samba Linux.

    • ntlmssp—NT LAN Manager Security Support Provider (NTLMSSP) protocol. Use this option only with Windows 2008 R2 and Windows 2012 R2.

    • ntlmsspi—NT LAN Manager Security Support Provider (NTLMSSPI) protocol. Use this option only when you enable Digital Signing in the CIFS Windows server.

    Add

    Click Add to confirm adding the virtual media.

  6. Click Create.

Exceptions

  • When an answer file is embedded in the OS ISO, it fails to boot from vMedia when the bootmode is set to UEFI, and the OS installation fails on Cisco UCS C-Series Standalone M4 servers.

  • vMedia mapping of the OS image for HTTPS based share fails to mount.
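
The mapping rules above (file extension per media type, mount options per protocol, CIFS authentication protocol, one CDD and one HDD mapping per policy) can be linted before the policy is attached to a profile. This is an added example, not Cisco code: the dictionary keys, finding codes, and sample hosts are hypothetical and constructed for illustration.

```python
from urllib.parse import urlparse

# Mount options per protocol as listed above: (bare flags, key=VALUE options).
MOUNT_OPTIONS = {
    "nfs": ({"ro", "rw", "nolock", "noexec", "soft"}, {"port", "timeo", "retry"}),
    # The text above shows both "ver=" and "vers=" for CIFS, so both are accepted.
    "cifs": ({"soft", "nounix", "noserverino", "guest"}, {"ver", "vers"}),
    "http": ({"noauto"}, set()),
    "https": ({"noauto"}, set()),
}
EXTENSION = {"cdd": ".iso", "hdd": ".img"}
CIFS_AUTH = {"none", "ntlm", "ntlmi", "ntlmv2", "ntlmv2i", "ntlmssp", "ntlmsspi"}


def lint_mapping(m):
    """Return finding codes for one virtual media mapping (hypothetical layout)."""
    proto, mtype = m["protocol"].lower(), m["media_type"].lower()
    if proto not in MOUNT_OPTIONS:
        return ["UNKNOWN_PROTOCOL"]
    if mtype not in EXTENSION:
        return ["UNKNOWN_MEDIA_TYPE"]

    findings = []
    location = m["file_location"]
    if not location.lower().endswith(EXTENSION[mtype]):
        findings.append("EXTENSION_MISMATCH")  # CDD maps .iso, HDD maps .img
    if proto in ("http", "https") and urlparse(location).scheme.lower() != proto:
        findings.append("SCHEME_MISMATCH")

    flags, valued = MOUNT_OPTIONS[proto]
    for opt in (o.strip() for o in m.get("mount_options", "").split(",")):
        if not opt:
            continue  # the field may be left blank
        key, sep, value = opt.partition("=")
        valid = (key in valued and value != "") if sep else key in flags
        if not valid:
            findings.append("BAD_MOUNT_OPTION:" + opt)

    has_credentials = bool(m.get("username"))
    if proto == "nfs" and has_credentials:
        findings.append("CREDENTIALS_NOT_USED")  # shown only for CIFS/HTTP/HTTPS
    if proto == "http" and has_credentials:
        findings.append("CLEARTEXT_CREDENTIALS")  # HTTP does not encrypt the login
    if proto == "cifs":
        auth = m.get("auth_protocol", "none").lower()
        if auth not in CIFS_AUTH:
            findings.append("UNKNOWN_CIFS_AUTH")
        elif auth == "none":
            findings.append("CIFS_NO_AUTH")
    return findings


def lint_policy(mappings):
    """Lint all mappings; policy-wide findings are keyed as '<policy>'."""
    report = {}
    types = [m["media_type"].lower() for m in mappings]
    policy_findings = ["TOO_MANY_MAPPINGS"] if len(mappings) > 2 else []
    policy_findings += ["DUPLICATE_" + t.upper() for t in ("cdd", "hdd") if types.count(t) > 1]
    if policy_findings:
        report["<policy>"] = policy_findings
    for m in mappings:
        findings = lint_mapping(m)
        if findings:
            report[m["name"]] = findings
    return report


# Constructed sample policy: the second mapping has three problems.
SAMPLE = [
    {"name": "os-installer", "media_type": "cdd", "protocol": "https",
     "file_location": "https://repo.example.test/iso/installer.iso",
     "mount_options": "noauto", "username": "svc-vmedia"},
    {"name": "tools-img", "media_type": "hdd", "protocol": "cifs",
     "file_location": "fileserver.example.test/share/tools.iso",
     "mount_options": "soft, vers=2.0, rw", "auth_protocol": "None"},
]

if __name__ == "__main__":
    for name, findings in lint_policy(SAMPLE).items():
        print(name, findings)
```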

Creating a Network Connectivity Policy

The Network Connectivity policy enables you to configure and assign IPv4 and IPv6 addresses.

Dynamic DNS

Dynamic DNS (DDNS) is used to add or update the resource records on the DNS server. When you enable the DDNS option, the DDNS service records the current hostname, Domain name, and the management IP address and updates the resource records in the DNS server.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator or Domain Administrator roles.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Network Connectivity, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Description (Optional)

    Provide a short description

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

  5. On the Policy Details page, configure the following properties:

    Common Properties

    Property

    Essential Information

    Enable Dynamic DNS

    Enables Dynamic DNS.

    This property is not applicable to Fabric Interconnects.

    Dynamic DNS Update Domain

    Specify the dynamic DNS Domain. The Domain can be either a main Domain or a sub-Domain.

    This property is not applicable to Fabric Interconnects.

    IPv4 Properties

    Property

    Essential Information

    Obtain IPv4 DNS Server Addresses from DHCP

    Whether the IPv4 addresses are obtained from Dynamic Host Configuration Protocol (DHCP) or from a specifically configured set of DNS servers.

    • Enabled—Intersight uses DHCP

    • Disabled—Intersight uses a configured set of IPv4 DNS servers.

    This property is not applicable to Fabric Interconnects.

    Preferred IPv4 DNS Server

    The IP address of the primary DNS server. This property is displayed only when Obtain IPv4 DNS Server Addresses from DHCP is disabled.

    Alternate IPv4 DNS Server

    The IP address of the secondary DNS server. This property is displayed only when Obtain IPv4 DNS Server Addresses from DHCP is disabled.

    Property

    Essential Information

    Enable IPv6

    Whether IPv6 is enabled. You can configure IPv6 properties only if this property is enabled.

    IPv6 Properties

    Property

    Essential Information

    Obtain IPv6 DNS Server Addresses from DHCP

    Whether the IPv6 addresses are obtained from Dynamic Host Configuration Protocol (DHCP) or from a specifically configured set of DNS servers.

    • Enabled—Intersight uses DHCP

    • Disabled—Intersight uses a configured set of IPv6 DNS servers.

    This property is not applicable to Fabric Interconnects.

    Preferred IPv6 DNS Server

    The IP address of the primary DNS server. This property is displayed only when Obtain IPv6 DNS Server Addresses from DHCP is disabled.

    Alternate IPv6 DNS Server

    The IP address of the secondary DNS server. This property is displayed only when Obtain IPv6 DNS Server Addresses from DHCP is disabled.

  6. Click Create.

Creating an SMTP Policy

Simple Mail Transfer Protocol (SMTP) sends server faults as email alerts to the configured SMTP server.

The SMTP policy sets the state of the SMTP client in the managed device. You can specify the preferred settings for outgoing communication and select the fault severity level to report and the mail recipients.


Note


This policy, if attached to a server profile that is assigned to an Intersight Managed FI-attached UCS server, will be ignored.


  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select SMTP, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. In the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable SMTP

    Enables or disables the SMTP policy.

    SMTP Server Address

    The IP address or host name of the SMTP server.

    SMTP Port

    The port number used by the SMTP server for outgoing SMTP communication.

    The range is from 1 to 65535. The default is 25.

    Minimum Severity

    The minimum fault severity level to receive email notifications. Email notifications are sent for all faults whose severity is equal to or greater than the chosen level.

    SMTP Alert Sender Address

    The sender IP address or hostname of all the SMTP mail alerts.

    Mail Alert Recipients

    A list of email addresses that will receive notifications for faults.

  6. Click Create.

Creating an SNMP Policy

The SNMP policy configures the SNMP settings for sending fault and alert information by SNMP traps from the managed devices. This policy supports SNMPv1, SNMPv2 (includes v2c), and SNMPv3. Any existing SNMP Users or SNMP Traps configured previously on the managed devices are removed and replaced with users or traps that you configure in this policy. If you have not added any users or traps in the policy, the existing users or traps on the server are removed.

Using the SNMP Policy you can enable or disable SNMP, specify the access and community strings, and provide the SNMP user details that are used to retrieve data.


Note


  • The Out-of-Band IP address support for SNMP policy is available only for the Fabric Interconnects running on Infrastructure Firmware 4.3(2.230129) or later versions.

  • The Out-of-Band IP address support for SNMP policy is not available for servers in Cisco UCS X-Series Direct system.

  • Infrastructure Firmware versions earlier than 4.3(6.250048) do not support using the same IP address for both the SNMP Trap (SNMP Policy) and Syslog Policy in the same server profile.


  1. Log in to Cisco Intersight with Account Administrator or Server Administrator roles.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select SNMP, and then click Start.

  4. In the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the organization.

    Name

    Enter a name for your policy.

    Set Tags (optional)

    Enter a tag in the key:value format.

    Description (optional)

    Enter a short description.

  5. In the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Enable SNMP

    Displays the state of the SNMP Policy on the endpoint. Enable this option for the endpoint to send SNMP traps to the designated host.

    SNMP Port

    The port on which Cisco IMC SNMP agent runs.

    Access Community String

    Enter the SNMPv1, SNMPv2 community string or the SNMPv3 username. This field allows a maximum of 18 characters.

    Note

     

    If the field is empty, it indicates that the SNMPv1 and SNMPv2c users are disabled.

    SNMP Community Access

    Controls access to the information in the inventory tables. Applicable only for SNMPv1 and SNMPv2c users.

    Note

     

    This property is supported only in UCS Standalone C-Series servers.

    Trap Community String

    Enter the SNMP community group name used for sending SNMP traps to other devices.

    Note

     

    This field is applicable only for SNMPv2c trap host or destination.

    System Contact

    The contact person responsible for the SNMP implementation. Enter a string up to 64 characters, such as an email address or a name and telephone number.

    Note

     
    This property is supported only in UCS Standalone C-Series servers.

    System Location

    The location of the host on which the SNMP agent (server) runs.

    Note

     
    This property is supported only in UCS Standalone C-Series servers.

    SNMP Engine Input ID

    The user-defined unique identification of the static engine.

    Note

     
    This property is supported only in UCS Standalone C-Series servers.

    SNMP Users

    Name

    Enter the SNMP username. This field must have a minimum of 1 and a maximum of 31 characters.

    Security Level

    Select the security mechanism for communication between the agent and the manager. The options are:

    • AuthPriv

    • AuthNoPriv

    Auth Type

    Select SHA as the authorization protocol for authenticating the user.

    Note

     

    The MD5 authorization protocol is not supported.

    Auth Password

    Enter the authorization password for the user.

    Auth Password Confirmation

    Enter the authorization password confirmation for the user.

    Privacy Type

    Select AES as the privacy protocol for the user.

    Note

     

    The DES privacy type is deprecated to meet security standards.

    Privacy Password

    Enter the privacy password for the user.

    Privacy Password Confirmation

    Enter the privacy password confirmation for the user.

    SNMP Trap Destinations

    Enable

    Enable this option to use the SNMP policy.

    SNMP Version

    Select v2 or v3 as the SNMP version for the trap.

    User

    Select the SNMP user for the trap. You can define a maximum of 15 trap users.

    Note

     

    This field is applicable only to SNMPv3.

    Trap Type

    Select the trap type to receive a notification when a trap is received at the destination:

    • Trap

    • Inform

    Destination Address

    Provide the address to which the SNMP trap information can be sent. You can define a maximum of 15 trap destinations.

    Port

    Enter the port number for the server to communicate with trap destination. The range is from 1 to 65535. The default is 162.

  6. Click Create.
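
Because deploying this policy replaces the SNMP users and traps already on the endpoint, it helps to review a draft policy and preview what will disappear before attaching it. This is an added example, not Cisco code: the dictionary keys, finding codes, and sample values are hypothetical and constructed, and the limits are the ones stated above.

```python
def lint_snmp_policy(p):
    """Return finding codes for a draft SNMP policy (hypothetical dict layout)."""
    findings = []
    community = p.get("access_community", "")
    if len(community) > 18:
        findings.append("COMMUNITY_TOO_LONG")
    if community:
        # A non-empty string keeps SNMPv1/v2c users enabled; community strings
        # are sent unencrypted, so treat this as a posture finding.
        findings.append("V1_V2C_ENABLED")
    if len(p.get("system_contact", "")) > 64:
        findings.append("CONTACT_TOO_LONG")

    user_names = set()
    for u in p.get("users", []):
        tag = ":" + u["name"]
        user_names.add(u["name"])
        if not 1 <= len(u["name"]) <= 31:
            findings.append("BAD_USER_NAME" + tag)
        level = u.get("security_level")
        if level not in ("AuthPriv", "AuthNoPriv"):
            findings.append("BAD_SECURITY_LEVEL" + tag)
        if level == "AuthNoPriv":
            findings.append("NO_PRIVACY" + tag)  # authenticated but not encrypted
        if u.get("auth_type") != "SHA":
            findings.append("UNSUPPORTED_AUTH_TYPE" + tag)  # MD5 is not supported
        if level == "AuthPriv" and u.get("privacy_type") != "AES":
            findings.append("UNSUPPORTED_PRIVACY_TYPE" + tag)  # DES is deprecated

    traps = p.get("traps", [])
    if len(traps) > 15:
        findings.append("TOO_MANY_TRAP_DESTINATIONS")
    for t in traps:
        tag = ":" + t["destination"]
        if not 1 <= t.get("port", 162) <= 65535:
            findings.append("BAD_TRAP_PORT" + tag)
        if t.get("version") == "v3":
            if t.get("user") not in user_names:
                findings.append("TRAP_USER_UNDEFINED" + tag)
        elif t.get("version") == "v2":
            # v2c traps rely on the trap community string, not on an SNMPv3 user.
            findings.append("V2C_TRAP_UNAUTHENTICATED" + tag)
        else:
            findings.append("BAD_TRAP_VERSION" + tag)
    return findings


def removed_on_deploy(existing, policy):
    """Users and trap destinations on the endpoint that will not exist after deploy."""
    keep_users = {u["name"] for u in policy.get("users", [])}
    keep_traps = {t["destination"] for t in policy.get("traps", [])}
    return {
        "users": sorted(set(existing["users"]) - keep_users),
        "traps": sorted(set(existing["traps"]) - keep_traps),
    }


# Constructed sample data (documentation address ranges, made-up names).
SAMPLE_POLICY = {
    "access_community": "public",
    "trap_community": "traps",
    "users": [
        {"name": "monitor", "security_level": "AuthPriv",
         "auth_type": "SHA", "privacy_type": "AES"},
        {"name": "legacy", "security_level": "AuthNoPriv", "auth_type": "MD5"},
    ],
    "traps": [
        {"destination": "192.0.2.10", "version": "v3", "user": "monitor", "port": 162},
        {"destination": "192.0.2.11", "version": "v3", "user": "ghost"},
        {"destination": "192.0.2.12", "version": "v2", "port": 70000},
    ],
}
SAMPLE_ENDPOINT = {"users": ["monitor", "oldadmin"],
                   "traps": ["192.0.2.10", "198.51.100.7"]}

if __name__ == "__main__":
    print(lint_snmp_policy(SAMPLE_POLICY))
    print(removed_on_deploy(SAMPLE_ENDPOINT, SAMPLE_POLICY))
```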

Creating a Storage Policy

The Storage policy allows you to create drive groups, virtual drives, configure the storage capacity of a virtual drive, and configure the M.2 RAID controllers.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Storage, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    General Configuration

    Use JBOD Drives for Virtual Drive creation

    Enable this option to use disks in JBOD state for creating virtual drives.

    Unused Disks State

    Select the state to which unused disks in this policy are to be moved. The state can be either UnconfiguredGood or JBOD.

    Selecting No Change leaves the state unchanged.

    Default Drive Mode

    Select the default disk state that should be set on supported storage controller for newly inserted drives or on reboot. The state can be any one of UnconfiguredGood, JBOD, or RAID0.

    Unused Disks State should be No Change if Default Drive Mode is set to JBOD or RAID0.

    Note

     

    The default drive mode is supported only on M6 servers and for the following storage controllers.

    • UCSC-RAID-M6T

    • UCSC-RAID-M6HD

    • UCSC-RAID-M6SD

    • UCSX-X10C-RAIDF

    Configuration Limitations:

    • When Default Drive State is JBOD or RAID0, then Unused Disks State should be No Change.

    • Use JBOD for VD creation cannot be enabled if Default Drive Mode is JBOD.

    • When Default Drive State is UnconfiguredGood, the drive state does not change on reboot.

    Refer to the table Default Drive Mode Scenarios for different Default Drive Mode scenarios.

    Secure JBOD Disk Slots

    Specify the JBOD drive slots that you want to encrypt. You may enter a comma or hyphen separated number range. For example: 1, 3 or 4-6, 8.

    M.2 RAID Configuration

    Enable this option to specify the Virtual Drive Name and Slot of the M.2 RAID controller for virtual drive creation.

    The disk slots used by the M.2 controller are automatically added.

    Virtual Drive Name

    This field comes pre-filled with a default name. You can change it to your preferred name. A suffix will be added to your preferred name based on the selected controller slot.

    The name must be between 1 and 15 characters in length and can include letters, numbers, and the special characters hyphen (-), underscore (_), colon (:), and period (.).

    Slot of the M.2 RAID Controller for Virtual Drive Creation

    Select the slot of the M.2 RAID controller for virtual drive creation. The slots that can be selected are:

    • MSTOR-RAID-1 — Select this option if there is only one M.2 RAID controller slot, or if there are two slots for the M.2 RAID controller and the virtual drive has to be created on the controller in the first slot.

    • MSTOR-RAID-2 — Select this option if there are two slots for the M.2 RAID controller and the virtual drive has to be created on the controller in the second slot.

    • MSTOR-RAID-1,MSTOR-RAID-2 — Select this option to create virtual drives on controllers in either or both slots.

    Drive Group Configuration

    Enable to add RAID drive groups that can be used to create virtual drives. You can also specify the Global Hot Spares information.

    This configuration is not applicable for M.2 RAID controllers.

    Global Hot Spares

    Specify the disks that are to be used as hot spares, globally for all the RAID groups.

    The allowed value is a number range separated by a comma or a hyphen.

    Add Drive Group

    Click to add a drive group.

    Drive Group Name

    Enter the name of the drive group.

    The name must be between 1 and 15 characters in length and can include letters, numbers, and the special characters hyphen (-), underscore (_), colon (:), and period (.).

    RAID Level

    The RAID level of a disk group describes how the data is organized on the disk group for the purpose of ensuring availability, redundancy of data, and I/O performance. The levels are:

    • RAID0—Data is striped across all disks in the array, providing fast throughput. There is no data redundancy, and all data is lost if any disk fails.

    • RAID1—Data is written to two disks, providing complete data redundancy if one disk fails. The maximum array size is equal to the available space on the smaller of the two drives.

    • RAID5—Data is striped across all disks in the array. Part of the capacity of each disk stores parity information that can be used to reconstruct data if a disk fails. RAID 5 provides good data throughput for applications with high read request rates.

    • RAID6—Data is striped across all disks in the array and two sets of parity data are used to provide protection against failure of up to two physical disks. In each row of data blocks, two sets of parity data are stored.

    • RAID10—RAID 10 uses mirrored pairs of disks to provide complete data redundancy and high throughput rates through block-level striping. RAID 10 is mirroring without parity and block-level striping. A minimum of four disks are required for RAID 10.

    • RAID50—Data is striped across multiple striped parity disk sets to provide high throughput and multiple disk failure tolerance.

    • RAID60—Data is striped across multiple striped dual parity disk sets to provide high throughput and greater disk failure tolerance.

    Note

     

    When the SWRAID mode is enabled on the PCH controller for Cisco UCS M5 Blade (B200-M5 and B480-M5) servers in Intersight Managed Mode, Disk 1 and Disk 3 in the physical drives inventory correspond to Slot 1 and Slot 2, respectively, of the PCB silkscreen.

    Secure Drive Group

    Enable this option to configure encryption for drives that are part of the Virtual Drive.

    Number of Spans

    Number of span groups to be created for the RAID group. RAID levels with no nesting have a single span.

    Note

     

    Number of spans appears only when a RAID level with spans is selected.

    Drive Selection

    Drive Array Span 0

    Enter the drive array span. RAID levels RAID0, RAID1, RAID5, and RAID6 that do not have spans have only one disk group. RAID levels with spans have multiple disk groups with each disk group representing a span.

    RAID levels without spans have one span group and RAID levels with spans have two to eight span groups.

    Note

     

    If you select a RAID level without spans, only the Drive Array Span 0 field appears. If you select a RAID level with spans, you must specify the number of spans, and one Drive Array Span field appears for each span.

    Dedicated Hot Spares

    Specify the collection of drives to be used as hot spares for this drive group.

    The allowed value is a number range separated by a comma or a hyphen.

    Add

    Click Add to add the drive group.

    Add Virtual Drive

    Drive Groups

    Select the drive groups on which the virtual drive is to be created.

    Number of Copies

    Enter the number of copies of the virtual drive that is to be created. You can create a maximum of 10 copies.

    Virtual Drive Configuration

    Virtual Drive Name

    Enter the name of the virtual drive.

    The name can be 1 to 15 characters long and can contain alphanumeric characters, and special characters '-' (hyphen), '_' (underscore), ':' (colon), and '.' (period).

    Size (MiB)

    Virtual drive size in mebibytes (MiB). Size is mandatory except when the Expand to Available option is enabled.

    Secured

    Set this to enable encryption for the virtual drive.

    Note

     

    This option is not supported for UCS-M2-NVRAID (M.2 NVMe controller) as there are no SED drives that are supported on this controller.

    RAID Type

    Select the RAID type.

    Expand to Available

    Enable for the virtual drive to use all the space available in the disk group. When this flag is enabled, the size property is ignored.

    Set as Boot Drive

    Select to use this virtual drive as a boot drive.

    Note

     

    For standalone racks, you cannot set a drive, with a native block size of 4K, as the boot drive.

    Strip Size

    Select the strip size required. Allowed values are 64KiB, 128KiB, 256KiB, 512KiB, and 1MiB.

    Access Policy

    Select the type of access the host has to this virtual drive:

    • Read Write—Enables the host to perform read-write on the virtual drive.

    • Read Only—Host can only read from the virtual drive.

    • Blocked—Host can neither read nor write to the virtual drive.

    Read Policy

    Select the read ahead mode for this virtual drive:

    • Always Read Ahead

    • No Read Ahead

    Write Policy

    Select the mode to be used to write to this virtual drive:

    • Write Through—The controller sends a data transfer completion signal to the host when the drive subsystem receives all the data in a transaction.

    • Write Back Good BBU—The controller sends a data transfer completion signal to the host when the controller cache receives the data in a transaction. If you select the Write Back policy and the battery is absent, the firmware disables the Write Back policy and defaults to the Write Through policy.

    • Always Write Back—The controller sends a data transfer completion signal to the host when the controller cache receives all the data in a transaction. If you select the Always Write Back policy and the battery is absent, the firmware is forced to use the Write Back policy.

    Note

     

    The RAID cache improves performance when Write Back is enabled.

    Disk Cache

    Select the disk cache policy for this virtual drive. The values are:

    • Unchanged

    • Enabled

    • Disabled

    Add

    Click Add to add the virtual drive.

    Single Drive RAID Configuration

    Enable to create RAID0 virtual drives on each physical drive.

    Drive Slots

    Specify the set of drive slots where RAID0 virtual drives are to be created.

    Note

     

    Single drive RAID allows you to add slots only where disks are planned to be inserted in future.

    Strip Size

    Select the strip size required. Allowed values are 64KiB, 128KiB, 256KiB, 512KiB, and 1MiB.

    Access Policy

    Select the type of access the host has to this virtual drive:

    • Read Write—Enables the host to perform read-write on the virtual drive.

    • Read Only—Host can only read from the virtual drive.

    • Blocked—Host can neither read nor write to the virtual drive.

    Read Policy

    Select the read ahead mode for this virtual drive:

    • Always Read Ahead

    • No Read Ahead

    Write Policy

    Select the mode to be used to write to this virtual drive:

    • Write Through—Data is written through the cache and to the physical drives. Performance is improved, because subsequent reads of that data can be satisfied from the cache.

    • Write Back Good BBU—With this policy, write caching remains Write Back even if the battery backup unit is in good condition.

    • Always Write Back—Data is stored in the cache, and is only written to the physical drives when space in the cache is needed.

    Disk Cache

    Select the disk cache policy for this virtual drive. The values are:

    • Unchanged

    • Enabled

    • Disabled

    Hybrid Slot Configuration

    Select the following modes for a server that supports Hybrid Drive Slots configuration:

    • Direct Attached NVMe Slots—NVMe drives specified in the slot range will be moved to direct attached mode.

    • RAID Attached NVMe Slots—NVMe drives specified in the slot range will be moved to RAID attached mode.

    Note

     
    • NVMe Hybrid slots are supported only for UCSC-C240-M7, UCSC-C220-M7, and UCSC-C245-M8 servers in Standalone mode and Intersight Managed Mode.

    • Hybrid slots support is available for Slots 1–4 and Slots 101–104.

    • If an endpoint has a Trimode 24G SAS RAID controller with PID UCSC-RAID-HP and a Micron 7450 4GC cache drive, the RAID attached NVMe slots can be used to create a RAID configuration.

    • A combination of U.2 and U.3 drive PIDs is not recommended in the hybrid slots.

  6. Click Create.
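The field rules in the table above (name format, slot lists, span count per RAID level, virtual drive size and copies) can be checked before a policy is created. The following is an added example, not Cisco code; the dictionary keys and function names are hypothetical and are not Intersight API fields.

```python
import re

# Hypothetical field names, chosen for this example only.
NAME_RE = re.compile(r"[A-Za-z0-9_:.\-]{1,15}")
SINGLE_SPAN = {"RAID0", "RAID1", "RAID5", "RAID6"}   # no nesting
MULTI_SPAN = {"RAID10", "RAID50", "RAID60"}          # two to eight spans
STRIP_SIZES = {"64KiB", "128KiB", "256KiB", "512KiB", "1MiB"}


def parse_slots(spec):
    """Expand a comma/hyphen slot list such as '1-4,7' to [1, 2, 3, 4, 7]."""
    slots = set()
    for token in spec.split(","):
        m = re.fullmatch(r"\s*(\d+)\s*(?:-\s*(\d+)\s*)?", token)
        if not m:
            raise ValueError(f"invalid slot token: {token!r}")
        low = int(m.group(1))
        high = int(m.group(2)) if m.group(2) else low
        if high < low:
            raise ValueError(f"descending range: {token!r}")
        slots.update(range(low, high + 1))
    return sorted(slots)


def check_drive_group(group):
    """Return a list of problems found in one drive group definition."""
    problems = []
    if not NAME_RE.fullmatch(group["name"]):
        problems.append("name: 1-15 characters from letters, digits, - _ : .")
    try:
        spans = [parse_slots(s) for s in group["spans"]]
        spares = parse_slots(group["hot_spares"]) if group.get("hot_spares") else []
    except ValueError as exc:
        return problems + [str(exc)]
    level = group["raid_level"]
    if level in SINGLE_SPAN:
        if len(spans) != 1:
            problems.append(f"{level} has no nesting and takes exactly one span")
    elif level in MULTI_SPAN:
        if not 2 <= len(spans) <= 8:
            problems.append(f"{level} needs two to eight spans")
    else:
        problems.append(f"unknown RAID level {level!r}")
    members = [slot for span in spans for slot in span]
    if level == "RAID10" and len(members) < 4:
        problems.append("RAID10 requires a minimum of four disks")
    # Assumption (not stated on the page): a physical drive has one role,
    # so a slot may appear in only one span or in the spare list.
    combined = members + spares
    reused = sorted({s for s in combined if combined.count(s) > 1})
    if reused:
        problems.append(f"slots used more than once: {reused}")
    return problems


def check_virtual_drive(vd):
    """Return a list of problems found in one virtual drive definition."""
    problems = []
    if not NAME_RE.fullmatch(vd["name"]):
        problems.append("name: 1-15 characters from letters, digits, - _ : .")
    if not vd.get("expand_to_available") and not vd.get("size_mib"):
        problems.append("size is mandatory unless Expand to Available is enabled")
    if not 1 <= vd.get("copies", 1) <= 10:
        problems.append("number of copies must not exceed 10")
    if "strip_size" in vd and vd["strip_size"] not in STRIP_SIZES:
        problems.append(f"strip size {vd['strip_size']!r} is not an allowed value")
    return problems


# Constructed sample definitions.
GOOD_GROUP = {"name": "dg-data:01", "raid_level": "RAID10",
              "spans": ["1-2", "3-4"], "hot_spares": "5"}
BAD_GROUP = {"name": "this-name-is-too-long", "raid_level": "RAID5",
             "spans": ["1-3", "3-5"], "hot_spares": ""}

if __name__ == "__main__":
    for g in (GOOD_GROUP, BAD_GROUP):
        print(g["name"], check_drive_group(g) or "ok")
```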

Advantages of Cisco Trimode M1 24G RAID and HBA controllers:

  • Uses Enterprise Key Management (EKMS) for remote key management, enhancing the physical security of data.

  • Uses the Distributed Management Task Force's (DMTF's) Redfish schema, ensuring independence from changes in storage software architecture or stack.

  • Allows quick integration of new vendors and adaptors via Out-Of-Band management.

  • 5% of maximum drive space is reserved to allow slight variance in drive sizes over time.

Limitations of Cisco Trimode M1 24G RAID and HBA controllers:

  • Remote Key Management requires BIOS communication with the KMIP Server, so enabling and disabling Remote Key requires host reboot.

  • Global Hot Spare (GHS) is not supported.

  • Access policy and disk cache in virtual drive configuration are not supported.

  • Read and Write policies are supported only in the following combinations:

    • Always ReadAhead – WriteBackGoodBBU

    • No ReadAhead – WriteThrough

  • Virtual Drives must be deleted one at a time. Each deletion must be completed before the next can be started. Additionally, no other VD can be deleted while a VD deletion is in progress.

  • The following controller and disk actions are not supported:

    • Import Foreign Config

    • Clear Foreign Config

    • Unlock Disk

  • Physical disks are always in JBOD mode, so the Unconfigured Good state is irrelevant, and the Set State action is not applicable.

  • Auto Configuration Mode is not supported.

  • In a RAID-5 setup, hot plugging a drive with 3 HDDs degrades the virtual drive. Inserting a JBOD SSD into the same slot marks the drive as failed due to a mismatch, even though the drive is not faulty.

  • Physically removing a drive from a volume with 3 HDDs to a different slot on the same server results in it being inventoried as a foreign configuration drive due to tight coupling with the original slot.

  • Only one Dedicated Hot Spare (DHS) per drive group array is allowed. This is a platform limitation.


Note


The Delete Virtual Drives option is not available in Storage Policy. Use the Storage Controllers page to delete virtual drives.



Note


A decommissioning or recommissioning operation does not delete the RAIDs or data on the disks.


The following table shows the behavior of Default Drive State in different scenarios.

Table 3. Default Drive Mode Scenarios

Default Drive State: UnconfiguredGood (OFF)

  Host Reboot/Host Boot:

    • All UnconfiguredGood drives remain UnconfiguredGood.

    • All previously converted JBOD continue to be JBOD.

  Hotplug:

    • Inserted drive remains UnconfiguredGood.

    • JBOD from a different server remains UnconfiguredGood on this controller.

  User Action (Service Profile deployment with Default Drive State):

    • Setting UnconfiguredGood has no impact on the existing configuration.

    • Any JBOD device will remain as JBOD across controller boot.

    • Any UnconfiguredGood will remain UnconfiguredGood across controller boot.

Default Drive State: JBOD

  Host Reboot/Host Boot:

    All unconfigured drives (non-user configured) are converted to JBOD.

  Hotplug:

    Newly inserted unconfigured drive is converted to JBOD.

  User Action (Service Profile deployment with Default Drive State):

    • All unconfigured drives (non-user configured drives) on the controller will be converted to JBOD.

    • User created UnconfiguredGood drive will remain UnconfiguredGood.

Default Drive State: RAID0 (RAID0 WriteBack)

  Host Reboot/Host Boot:

    All unconfigured drives will be converted to RAID0 WriteBack (WB).

    Note

    Unconfigured drives are the drives whose state remains unchanged by any user action.

  Hotplug:

    Newly inserted unconfigured drive is converted to RAID0 WB.

  User Action (Service Profile deployment with Default Drive State):

    • All unconfigured drives (non-user created UnconfiguredGood) on the controller will be converted to RAID0 WriteBack (WB).

    • User created UnconfiguredGood will remain UnconfiguredGood across controller reboot.

    • Any RAID0 WriteBack device will remain as RAID0 WB across controller boot/reboot.


Note


The Virtual Drives created by the system due to default drive state being RAID0 will have Server Profile Derived as No.


The following table shows sample use cases for different Default Drive State scenarios.

Table 4. Various Drive Mode Use Cases

  • Use Case Scenario: Using the server for JBOD only (for example, hyperconverged, Hadoop data node, and so on)
    Default Drive State: JBOD

  • Use Case Scenario: Using the server for RAID volume (for example, SAP HANA database)
    Default Drive State: UnconfiguredGood

  • Use Case Scenario: Using the server for mixed JBOD and RAID volume
    Default Drive State: UnconfiguredGood

  • Use Case Scenario: Using the server for per drive ROWB (for example, Hadoop data node)
    Default Drive State: RAID0 WriteBack

Creating a Syslog Policy

The Syslog policy defines the logging level (minimum severity) to report for a log file collected from an endpoint, the target destination to store the Syslog messages, and the Hostname/IP Address, port information, and communication protocol for the Remote Logging Server(s).

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator roles.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Syslog, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Essential Information

    Local Logging

    Minimum Severity to Report

    Select the lowest severity level to report in the remote log. The severity levels are:

    • 0 Emergency

    • 1 Alert

    • 2 Critical

    • 3 Error

    • 4 Warning

    • 5 Notice

    • 6 Informational

    • 7 Debug

    Remote Logging - Syslog Server 1 and Syslog Server 2

    Enable

    Select this option to enable or disable the Syslog policy.

    Note

     

    When the Syslog Policy is created with Syslog Server 1 disabled and Syslog Server 2 enabled, it is observed that Syslog Server 1 always gets enabled first on the endpoint server.

    Hostname/IP Address

    Enter the hostname or IP address of the Syslog server to store the Cisco IMC log. You can set an IPv4 or IPv6 address or a domain name as the remote system address.

    Note

     

    Infrastructure Firmware versions earlier than 4.3(6.250048) do not support using the same IP address for both the SNMP Trap (SNMP Policy) and Syslog Policy in the same server profile.

    Port

    Enter the destination port number of the Syslog server between 1 and 65535. The default port number is 514.

    Protocol

    Select the transport layer protocol for transmission of log messages to the syslog server. The options are:

    • TCP

    • UDP

    Minimum Severity To Report

    Select the lowest severity level to report in the remote log. The severity levels are:

    • 0 Emergency

    • 1 Alert

    • 2 Critical

    • 3 Error

    • 4 Warning

    • 5 Notice

    • 6 Informational

    • 7 Debug

  6. Click Create.
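The Minimum Severity to Report setting decides which messages reach the remote log server, so it is worth checking the effect of a threshold before deploying it. The following is an added example, not Cisco code: it reads the severity from the `<PRI>` header of constructed RFC 3164-style lines, applies the threshold, and checks a remote server entry against the field rules above. The dictionary keys and function names are hypothetical.

```python
import ipaddress
import re

# List index equals the numeric level (0 Emergency ... 7 Debug).
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "informational", "debug"]
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
HOSTNAME_RE = re.compile(rf"(?=.{{1,253}}$)(?:{LABEL}\.)*{LABEL}")


def severity_of(line):
    """Return the 0-7 severity encoded in a syslog line's <PRI> header."""
    m = re.match(r"<(\d{1,3})>", line)
    if not m or int(m.group(1)) > 191:
        raise ValueError("no valid PRI header")
    return int(m.group(1)) % 8          # PRI = facility * 8 + severity


def reported(line, minimum_severity):
    """True if the line is at least as severe as the configured minimum."""
    return severity_of(line) <= SEVERITIES.index(minimum_severity)


def check_remote_server(server, snmp_trap_hosts=()):
    """Return a list of problems in one remote syslog server entry."""
    problems = []
    host = server["host"]
    try:
        ipaddress.ip_address(host)      # accepts IPv4 and IPv6 literals
    except ValueError:
        if not HOSTNAME_RE.fullmatch(host):
            problems.append(f"host {host!r} is not an IP address or domain name")
    if not 1 <= server.get("port", 514) <= 65535:
        problems.append("port must be between 1 and 65535")
    if server["protocol"].upper() not in ("TCP", "UDP"):
        problems.append("protocol must be TCP or UDP")
    if server["min_severity"] not in SEVERITIES:
        problems.append("unknown severity level")
    if host in snmp_trap_hosts:
        problems.append("same address as the SNMP trap destination: not "
                        "supported before Infrastructure Firmware 4.3(6.250048)")
    return problems


# Constructed sample lines (hostnames and message text are made up).
LINES = [
    "<11>Jan 12 10:00:01 cimc-01 sensor: fan 3 speed below threshold",   # error
    "<14>Jan 12 10:00:05 cimc-01 audit: login succeeded for admin",      # informational
    "<9>Jan 12 10:00:09 cimc-01 power: PSU 2 input lost",                # alert
]

if __name__ == "__main__":
    for line in LINES:
        print(reported(line, "warning"), line)
```

With the threshold at Warning, the constructed informational line is not forwarded; lowering the threshold to Informational would include it.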

Creating a Power Policy for Server

This policy enables the configuration of power redundancy, power profiling, and power restoration for servers.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Power, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Essential Information

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, navigate to All Platforms tab.

  6. Configure the following parameters:

    Property

    Essential Information

    Power Profiling

    Enables/disables the power profiling of the system.

    Enabled—When enabled, it allows the CIMC to run the power profiling utility during BIOS boot to determine the power needs of the server.

    Disabled—When disabled, power profiling is not run.

    Note

     

    This property is supported only on Cisco UCS X-Series servers.

    Power Priority

    Each server is assigned a power priority, which can be High, Medium, or Low. The power budgeted for the server depends on the power priority of the server. A server with higher priority gets a higher power budget. The default power priority of a server is Low.

    For more information on the firmware requirements for the Power Policy, see Firmware Requirements for Power Policy.

    Power Restore

    Allows the user to configure the power restore state of the server on the CIMC. In the absence of IMM connectivity, the CIMC will use this policy to recover the host power after a power loss event.

    The power restoration states available are:

    • Last State—Sets the host power to whatever state it was in before the power loss event.

    • Always On—Always power on the host after a power loss event.

    • Always Off—Always keep the host power off after a power loss event.

    Firmware Requirements for Power Policy
    Processor Package Power Limit (PPL)

    Sets the Processor Package Power Limit (PPL) of a server. Processor PPL refers to the amount of power that a CPU can draw from the power supply. The available options are Default, Maximum, and Minimum.

    Note

     

    Support for Processor PPL is available only on Cisco UCS C225 and C245 M8 servers.

  7. Click Create.

Creating a Memory Policy

Memory Policy allows you to enable or disable the blocklisting of Dual In-line Memory Modules (DIMMs). When DIMM Blocklisting is enabled, DIMMs that encounter an uncorrectable ECC error while the server is up and running are disabled during the next server reboot.


Note


Per-platform memory configuration rules may result in other DIMMs being disabled to maintain a supported memory configuration when one or more DIMMs are disabled due to blocklisting.


For more information, see Firmware Requirements for Memory Policy.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Memory, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Description

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Description

    Enable DIMM Blocklisting

    Enables blocklisting of DIMMs. When enabled, DIMMs that encounter uncorrectable errors will be excluded from use on the next boot, ensuring that faulty memory modules do not cause further issues.

    Note

     

    DIMM blocklisting is not applicable for AMD servers. For information on server models that have AMD CPUs, see Supported Hardware for Intersight Managed Mode.

  6. Click Create.

Creating a Thermal Policy

This policy enables controlling the speed of the server fan.


Note


Thermal Policy is not supported for Cisco UCS Standalone M4 servers. For Cisco UCS B-Series and X-Series servers, assign a Thermal Policy at the Chassis Profile level.


  1. Log in to Cisco Intersight with Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Thermal, and then select Start.

  4. On the General page, configure the following parameters:

    Property

    Description

    Organization

    Select the Organization.

    Name

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Policy Details page, configure the following parameters:

    Property

    Description

    Fan Control Mode

    Controls the fan speed of the server.

    Balanced

    The fan runs faster when needed based on the heat generated by the server. When possible, the fan returns to the minimum required speed.

    Balanced mode is the default mode. However, it is not recommended for servers equipped with Peripheral Component Interconnect Express (PCIe) cards, as these cards can overheat easily.

    Low Power

    The fan runs at slightly lower minimum speeds than the Balanced mode, to consume less power when possible.

    High Power

    The fan is kept at higher speed to emphasize performance over power consumption.

    Note

     

    High Power mode is supported only for UCS X-Series chassis.

    Maximum Power

    The fan is always kept at the maximum speed. This option provides the most cooling and consumes the most power.

    Note

     

    Maximum Power mode is supported only for UCS X-Series chassis.

    Acoustic

    The fan speed is reduced to reduce noise levels in acoustic-sensitive environments.

    Note

     

    Acoustic mode is supported only for UCS X-Series chassis.

    Maximum Cooling

    The fan runs at full speed to provide maximum cooling for the server, regardless of ambient temperature.

    Note

     

    Maximum Cooling mode is supported on Cisco UCS C-Series M7 and later servers, running on firmware version 4.3(5.250001) or later.

  6. Click Create.

Creating a Server Pool Qualification Policy


A server will be included in the resource pool if it matches the conditions of all the qualifiers present in the policy. The qualifiers are of four types:

  • Domain—All FI-attached servers in any domain that match the provided Fabric Interconnect PID and domain name qualify under this type.

  • Server—All blade and/or rack servers that match the provided server IDs, PIDs, tags, user labels, and chassis IDs qualify under this type.

  • Tag—All servers that match any of the provided server tags, domain profile, and chassis tags qualify under this type. Domain profile and chassis tags are applicable only for FI-attached servers.

  • Hardware—All servers with hardware components that match the provided CPU, memory, GPU, and Network adapters qualify under this type.

This policy is applicable for Intersight Managed Mode and Standalone servers.

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Choose Configure > Policies, and then select Create Policy.

  3. Select Server Pool Qualification, and then click Start.

  4. On the General page, configure the following parameters:

    Property

    Description

    Organization (Mandatory)

    Select the Organization.

    Name (Mandatory)

    Enter a name for your policy.

    Set Tags (Optional)

    Enter a tag in the key:value format. For example, Org: IT or Site: APJ.

    Description (Optional)

    Provide a short description.

  5. On the Domain Qualifiers page, configure the following parameters:

    Property

    Description

    Fabric Interconnect PIDs

    The server is qualified based on the PID property of 'Fabric Interconnects'. For example, the condition PID in ('UCS-FI-6536', 'UCS-FI-6454').

    You can check more than one PID check box. The maximum limit is 20.

    Domain Names

    The server is qualified based on the 'DomainName' property.

    You can check more than one domain name check box. The maximum limit is 100.


    Note


    Domain Qualifiers are applicable only for FI-attached servers.


  6. Click Next.

  7. On the Servers Qualifiers page:

    (a) Configure the following parameters:

    Property

    Description

    Rack Server

    This includes Cisco UCS C-Series servers in Standalone mode or Intersight Managed Mode.

    Rack ID From (Mandatory if Rack ID To field is filled out)

    Enter the minimum value for the range limit of the rack server ID.

    This value can be between 1 and 256.

    Rack ID To (Mandatory if Rack ID From field is filled out)

    Enter the maximum value for the range limit of the rack server ID. It should be equal to or greater than the minimum value.

    The value can be <= 256.

    Rack PIDs

    Servers with matching PIDs are qualified for the pool. For example, the conditions include PID in ('UCSC-C125', 'UCSC-C220-M7S')

    You can check more than one PID check box. The maximum limit is 20.

    Asset Tags

    A tag that identifies the server. The tag must have the serial number and other identifiers as required.

    You can add more than one tag. The maximum limit is 20.

    User Labels

    User label that helps in identification of the server.

    You can add more than one user label. The maximum limit is 20.

    Blade Server

    This includes Cisco UCS B-Series or X-Series servers.

    Blade PIDs

    The blade servers are qualified for the pool based on PIDs. For example, the conditions include PID in ('UCSB-B200-M5', 'UCSX-210C-M7').

    You can check more than one PID check box. The maximum limit is 20.

    Chassis PIDs

    The Chassis PID based condition qualifies the server into the pool.

    You can check more than one PID check box. The maximum limit is 20.

    Asset Tags

    A tag that identifies the server. The tag must have the serial number and other identifiers as required.

    You can add more than one tag. The maximum limit is 20.

    User Labels

    User label that helps in identification of the server.

    You can add more than one user label. The maximum limit is 20.

    (b) Click Add Chassis/Slot Qualifier.

    Chassis/Slot

    Property

    Description

    Chassis ID From (Mandatory if Chassis ID To field is filled out)

    Enter the minimum value for the range limit.

    The value can be between 1 and 40.

    Chassis ID To (Mandatory if Chassis ID From field is filled out)

    Enter the maximum value for the range limit. It should be equal to or greater than the minimum value.

    The value should be <= 40.

    (c) Toggle on Specify Slot ID within Chassis.

    Property

    Description

    Slot ID From (Mandatory if Slot ID To field is filled out)

    Enter the minimum value for the range limit.

    The value can be between 1 and 8.

    Slot ID To (Mandatory if Slot ID From field is filled out)

    Enter the maximum value for the range limit. It should be equal to or greater than the minimum value.

    The value should be <= 8.

  8. Click Next.

  9. On the Tag Qualifiers page, configure the following parameters:

    Property

    Description

    Server Tags

    Enter a tag in key:value format to identify the server.

    You can add more than one tag. The maximum limit is 20.

    Domain Profile Tags

    Enter a tag in key:value format to identify the domain profile.

    You can add more than one tag. The maximum limit is 20.

    Note

     

    Domain profile tags are applicable only for FI-attached servers.

    Chassis Tags

    Enter a tag in key:value format to identify the chassis.

    You can add more than one tag. The maximum limit is 20.

    Note

     

    Chassis tags are applicable only for FI-attached servers.

  10. Click Next.

  11. On the Hardware Qualifiers page, configure the following parameters:

    Property

    Description

    CPU

    Number of Cores Minimum (Mandatory if Number of Cores Maximum field is filled out)

    Enter the minimum value for the range limit.

    The value can be between 1 and 9999.

    Number of Cores Maximum (Mandatory if Number of Cores Minimum field is filled out)

    Enter the maximum value for the range limit. It should be equal to or greater than the minimum value.

    The value should be <= 9999.

    Speed Minimum (Mandatory if Speed Maximum field is filled out)

    Enter the minimum value for the range limit.

    The value can be between 1 and 99 Hz.

    Speed Maximum (Mandatory if Speed Minimum field is filled out)

    Enter the maximum value for the range limit. It should be equal to or greater than the minimum value.

    The value should be <=99.

    PIDs

    The qualification of resources is based on PID of processor.

    You can check more than one check box. The maximum limit is 100.

    Vendor

    The qualification of resources is based on vendor of the processor.

    Memory

    Capacity Minimum (Mandatory if Capacity Maximum field is filled out)

    Enter the minimum value for the range limit of the memory capacity.

    The value can be between 1 and 999999 GiB.

    Capacity Maximum (Mandatory if Capacity Minimum field is filled out)

    Enter the maximum value for the range limit. It should be equal to or greater than the minimum value.

    The range should be <= 999999 GiB.

    Number of Units Minimum (Mandatory if Number of Units Maximum field is filled out)

    Enter the minimum value for the range limit of the number of installed DIMMs.

    The value can be between 1 and 99999.

    Number of Units Maximum (Mandatory if Number of Units Minimum field is filled out)

    Enter the maximum value for the range limit of the number of installed DIMMs. It should be equal to or greater than the minimum value.

    The value should be <= 99999.

    GPU (Both GPU-enabled and not-enabled servers can be considered for the pool.)

    1. Navigate to the Servers without GPUs tab if only servers without any GPU are to be considered for the pool.

    2. Navigate to the All Servers tab if all the servers are to be considered for the pool.

    3. Navigate to Servers with GPUs tab if only servers with specific GPUs are to be considered.

    Number of GPUs Minimum (Mandatory if Number of GPUs Maximum field is filled out)

    Enter the minimum number of GPU cards.

    The value can be between 1 and 16.

    Number of GPUs Maximum (Mandatory if Number of GPUs Minimum field is filled out)

    Enter the maximum number of GPU cards. It should be equal to or greater than minimum value.

    The value should be <=16.

    PIDs

    The qualification of resources is based on PID of GPU.

    You can check more than one PID check box. The maximum limit is 20.

    Vendor

    The qualification of resources is based on vendor of GPU.

    Network Adapter

    Number of Network Adapters Minimum (Mandatory if Number of Network Adapters Maximum field is filled out)

    Enter the minimum value for the range limit.

    The value can be between 1 and 16.

    Number of Network Adapters Maximum (Mandatory if Number of Network Adapters Minimum field is filled out)

    Enter the maximum value for the range limit. It should be equal to or greater than the minimum value.

    The value should be <=16.
  12. Click Next.

  13. On the Summary page, verify the entered details.

  14. Click Create.

The Server Pool Qualification policy is created. You can attach this policy while creating a resource pool. For more information, see Resource Pools.
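A server joins the pool only if it matches every qualifier present in the policy, so one overly narrow qualifier silently excludes servers. The following is an added example, not Cisco code, that evaluates a constructed inventory against a policy and reports which qualifier types each server fails; the dictionary layout, key names, and sample servers are hypothetical, and only a subset of the qualifier fields is modeled.

```python
# Range limits taken from the field descriptions above; key names are hypothetical.
LIMITS = {"rack_id": (1, 256), "chassis_id": (1, 40), "slot_id": (1, 8),
          "cpu_cores": (1, 9999), "memory_gib": (1, 999999),
          "gpus": (1, 16), "network_adapters": (1, 16)}


def in_range(value, bounds):
    """Inclusive range check; bounds is (minimum, maximum)."""
    low, high = bounds
    return value is not None and low <= value <= high


def domain_ok(server, q):
    # Domain qualifiers are applicable only for FI-attached servers.
    if not server.get("fi_attached"):
        return False
    if q.get("fi_pids") and server.get("fi_pid") not in q["fi_pids"]:
        return False
    if q.get("domain_names") and server.get("domain_name") not in q["domain_names"]:
        return False
    return True


def server_ok(server, q):
    if "rack_id" in q and not in_range(server.get("rack_id"), q["rack_id"]):
        return False
    if q.get("pids") and server.get("pid") not in q["pids"]:
        return False
    if q.get("user_labels") and server.get("user_label") not in q["user_labels"]:
        return False
    return True


def tag_ok(server, q):
    # The Tag type qualifies servers that match any of the provided tags.
    return bool(set(q.get("server_tags", [])) & set(server.get("tags", [])))


def hardware_ok(server, q):
    return all(in_range(server.get(key), bounds) for key, bounds in q.items())


CHECKS = {"domain": domain_ok, "server": server_ok,
          "tag": tag_ok, "hardware": hardware_ok}


def failed_qualifiers(server, policy):
    """Qualifier types present in the policy that the server does not match."""
    return [kind for kind, q in policy.items() if not CHECKS[kind](server, q)]


def qualifies(server, policy):
    """A server qualifies only if it matches all qualifiers in the policy."""
    return not failed_qualifiers(server, policy)


def policy_errors(policy):
    """Check every range in the policy against the documented limits."""
    errors = []
    for kind, q in policy.items():
        for key, value in q.items():
            if key not in LIMITS:
                continue
            (low, high), (floor, ceiling) = value, LIMITS[key]
            if high < low:
                errors.append(f"{kind}.{key}: maximum below minimum")
            elif low < floor or high > ceiling:
                errors.append(f"{kind}.{key}: outside {floor}-{ceiling}")
    return errors


# Constructed policy and inventory.
POLICY = {"domain": {"fi_pids": ["UCS-FI-6536"]},
          "server": {"pids": ["UCSX-210C-M7"]},
          "tag": {"server_tags": ["Site:APJ"]},
          "hardware": {"cpu_cores": (32, 128), "memory_gib": (512, 999999)}}
INVENTORY = [
    {"name": "blade-a", "fi_attached": True, "fi_pid": "UCS-FI-6536",
     "pid": "UCSX-210C-M7", "tags": ["Site:APJ", "Org:IT"],
     "cpu_cores": 64, "memory_gib": 1024},
    {"name": "rack-b", "fi_attached": False, "pid": "UCSC-C220-M7S",
     "tags": ["Site:APJ"], "cpu_cores": 64, "memory_gib": 1024},
    {"name": "blade-c", "fi_attached": True, "fi_pid": "UCS-FI-6454",
     "pid": "UCSX-210C-M7", "tags": ["Org:IT"],
     "cpu_cores": 16, "memory_gib": 256},
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s["name"], failed_qualifiers(s, POLICY) or "qualifies")
```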

Creating vNIC or vHBA Templates


A vNIC or vHBA template consists of common configurations that you can reuse across multiple vNICs or vHBAs, used in various Server Profiles. This approach simplifies network configuration across multiple servers. You can create vNICs or vHBAs from the template using the Derive operation while creating the policy. Additionally, you can attach an existing vNIC or vHBA to a template to utilize the configurations set in the template. These templates can be created with or without override options. The override option allows the configuration of the derived vNIC or vHBA to override the template configuration.

To create a vNIC or vHBA template:

  1. Log in to Cisco Intersight with Account Administrator or Server Administrator role.

  2. Navigate to the Templates tab, and select one of the following:

    • To create a vNIC template, click Create vNIC Template.

    • To create a vHBA template, click Create vHBA Template.

  3. On the General page:

    1. Choose an Organization for the template from the list. This field supports the capability of configuration sharing across Organizations.

    2. Enter a name for the template.

    3. Enter a Tag for the template. Tags must be in the key:value format. For example, Org: IT or Site: APJ.

    4. Enter a description to help identify the template.

    5. Click Next.

  4. On the Configuration page:

    1. If you want to allow the configuration of the derived vNIC or vHBA to override the template configuration, select the Allow Override checkbox.


      Note


      Parameters that can be overridden are indicated by an Override Allowed label.


    2. Configure the template properties as required.

    3. Click Create to create the template.


Note


  • You cannot modify a template to remove mandatory configurations when there are active derived vNICs or vHBAs with override enabled.

  • If there are active overridden properties, you cannot disable the Override option in the template. You must first detach the derived vNIC or vHBA on the template usage page, and then disable the Override option in the template.


Deriving a vNIC from a template is done as part of creating the LAN Connectivity Policy. Similarly, deriving a vHBA from a template is done as part of creating the SAN Connectivity Policy. For more information, see Creating a LAN Connectivity Policy and Creating a SAN Connectivity Policy.

Tutorial 1: Working with a vNIC template with active derived vNICs, when Override is enabled

Consider the following scenario after a vNIC has been derived from a template and attached to a LAN Connectivity policy:

  1. Do the following in the vNIC template:

    1. Enable the Override option.

    2. Modify Failover to Enabled. Note that the Override option is not available for Failover; hence, this property change will be propagated to the vNICs derived from this template.

    3. Retain MAC Pool as is with no change. Note that the Override option is available for MAC Pool.

    4. Create an Ethernet Adapter policy and attach it to the template. Note that the Override option is available for Ethernet Adapter. The Ethernet Adapter policy is indicated with the Overridden label, which means that the configuration of the derived vNICs will override the configuration propagated from the template.

  2. Review the modifications in the LAN Connectivity policy that utilizes the vNIC derived from the template:

    1. Failover is propagated from the template and modified to Enabled.

    2. MAC Pool is propagated from the template. Even though Override is allowed for MAC Pool, it does not display the Overridden label since the configuration remains consistent with the template. If you modify MAC Pool now, the new configuration is applied to the vNIC instance and the Overridden label is displayed, because the Override option is available for this property.

    3. Create or attach a different Ethernet Adapter policy to the derived vNIC of the LAN connectivity policy. The Ethernet Adapter policy is marked with the Overridden label. The Ethernet Adapter policy is not propagated from the template to the derived vNIC in the LAN Connectivity policy.

Working with a vHBA template with active derived vHBA, when Override is disabled

Consider the following scenario after a vHBA has been derived from a template and attached to a SAN Connectivity policy:

  1. Maintain the Override option as Disabled in the vHBA template.

  2. Review the SAN Connectivity policy that utilizes the vHBA derived from the template:

    • Since override is not enabled, the parameters inherited from the template can only be viewed and cannot be modified.

    • Only parameters that are excluded from the template can be modified. For example, under Placement, Switch ID is part of the template, so it can only be viewed. The other parameters, which are not included in the template, can be modified.

  3. To make modifications to the parameters included in the template, you must enable Override in the template, and then retry overriding the configuration in the SAN Connectivity policy.
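
The override rules from the two tutorials and the Note, modeled in Python as an added example (not Cisco's code and not the Intersight API). The dictionary layout, function names, and pool and policy names are assumptions. It reports which derived vNICs depart from the template baseline and whether Override can be disabled.

```python
# Constructed model of the template/override rules in the tutorials above.
# Not the Intersight API: every name and value here is an assumption.

# Per Tutorial 1: MAC Pool and Ethernet Adapter allow override; Failover does not.
OVERRIDE_ALLOWED = {"MAC Pool", "Ethernet Adapter"}


class OverrideError(Exception):
    """A change the documented rules would reject."""


def resolve(template, overrides):
    """Return {property: (effective value, label)} for one derived vNIC/vHBA.
    template  -- {"allow_override": bool, "properties": {name: value}}
    overrides -- {name: value} set on the derived instance
    """
    effective = {}
    for name, template_value in template["properties"].items():
        value = overrides.get(name, template_value)
        if value == template_value:
            effective[name] = (template_value, None)  # propagated, no label
        elif not template["allow_override"]:
            raise OverrideError(f"{name}: Override disabled, value is view-only")
        elif name not in OVERRIDE_ALLOWED:
            raise OverrideError(f"{name}: property has no Override Allowed label")
        else:
            effective[name] = (value, "Overridden")
    return effective


def overridden(template, overrides):
    """Properties where the derived instance departs from the template."""
    return sorted(n for n, (_, label) in resolve(template, overrides).items() if label)


def can_disable_override(template, derived):
    """False while any derived instance still has an overridden property."""
    return not any(overridden(template, o) for o in derived.values())


# Constructed sample mirroring Tutorial 1.
TEMPLATE = {"allow_override": True, "properties": {
    "Failover": "Enabled", "MAC Pool": "mac-pool-a", "Ethernet Adapter": "eth-template"}}
DERIVED = {"vnic-a": {"Ethernet Adapter": "eth-custom"}, "vnic-b": {}}

if __name__ == "__main__":
    for vnic, ov in DERIVED.items():
        print(vnic, overridden(TEMPLATE, ov))
    print("can disable Override:", can_disable_override(TEMPLATE, DERIVED))
```

Run against an inventory export, the list returned by `overridden` is the set of per-vNIC departures from the baseline that a configuration review needs to account for.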