CCIE Data Center Lab Preparation Workbook

Chapter 13: Data

Center Unified
Computing
Management

Chapter 13: Data Center Unified Computing Management is intended to let you be familiar with the
management features of the Unified Computing System. In this lab we will be configuring all settings
related to management of the system itself and how to backup and restore a configuration.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw
on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

Copyright by IPexpert. All rights reserved. 1

CCIE Data Center Lab Preparation Workbook

General Rules

Try to diagram out the task. Draw your own connections the way you like it

Create a checklist to aid as you work thru the lab

Take a very close read of the tasks to ensure you dont miss any points during grading!

Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this
particular chapter

Estimated Time to Complete: 4 hours

Copyright by IPexpert. All rights reserved. 2

CCIE Data Center Lab Preparation Workbook

Pre-setup

Connect to the Nexus switches within the topology
Use the central topology drawing at the start of this workbook

The UCS system and Fabric Interconnects use the configuration of the previous chapter as are
the MDS switches and Nexus switches
This lab is intended to be used with online rack access provided by our partner Proctor Labs
(www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks
as detailed below

Drawing 1: Physical Topology

Copyright by IPexpert. All rights reserved. 3

CCIE Data Center Lab Preparation Workbook

Configuration tasks

Task 1: Hardware management

1. Ensure that the UCS chassis connecting to the UCS Manager has an easy location
mechanism enabled to physically locate the chassis
2. Ensure that the chassis has an ID of 2

3. Set the time-zone of the system to your own location

4. Synchronize time with IP address 172.16.100.254

5. The management interface should poll the default gateway every 90 seconds 5
times with a maximum timeout of 10 seconds, when this fails for 2 consecutive times
the Fabric Interconnect should failover.

Task 2: System policies

1. Assume 4 power supplies are connected. 2 of the power supplies should be able to
fail without impacting the UCS configuration

2. Apply a setting so that port-channels towards the servers are preferred

3. Assume 4 FEX links to the blade chassis are connected to the Fabric Interconnect
4. MAC addresses learnt on the UCS system should time-out after 540 seconds

5. Ensure that log files from the blade server are sent to an FTP server with IP address
172.16.100.102. Using a username of IPX_ftp and a password of IPexpert.

6. The log files should be sent when a service profile is disassociated from the blade or
when the log is full.

7. Schedule this backup every 24 hours and clear the log when the backup was
successful.
8. Resolve names in the UCS manager to IP addresses using IP address 172.16.100.101

Copyright by IPexpert. All rights reserved. 4

CCIE Data Center Lab Preparation Workbook

Task 3: Backups
1. Create a backup operation of all the settings that are applied after the initial
cluster settings.

2. Ensure that all MAC addresses, WWPNs and other state information is included in the
backup
3. This backup should be sent to an FTP server reachable at 172.16.100.102 using a
username of IPX_ftp and a password of IPexpert
4. The file should be saved as yourname_date.xml
5. Ensure a backup is successfully completed
6. Download a binary file of all settings in the UCS to your local machine

7. Create a backup operation to the same FTP server as before. The backup file should
only contain service profiles, policies and other server related settings, but not
management settings

Task 4: Logging

1. Create a file to use for filing a TAC case for the entire UCS system.
2. Download a file to your system containing all information about CIMCs in the chassis
3. Ensure faults are deleted after the state hasnt changed for 30 seconds
4. Keep cleared faults in the log for 500 seconds
5. When a component crashes and a core dump is created, this should be exported to a TFTP
server with IP address 172.16.100.100 in a folder called core_dumps
6. Ensure that emergency messages are logged to Telnet and SSH sessions
7. All possible messages should be sent to 172.16.100.104 with facility Local0

8. All UCS Major warnings should be sent to syslog2.ipexpert.com

Task 5: Management protocols

1. The UCS Manager should only be accessed through a secure session. Connections pointing
to the default non-encrypted web interface should not get connected.
2. Limit the amount of active sessions to the UCS manager to 64. Each user can only use up
to 5 connections

Copyright by IPexpert. All rights reserved. 5

CCIE Data Center Lab Preparation Workbook

3. Enable a standards based protocol on TCP port 5988

4. SNMP management systems should be able to read data from the UCS using UCSsnmp as
the default identifier.
5. The configuration should be compatible with both version 3 and version 2c
management stations
6. When using SNMP version 3, a password of SNMP_password should be used.
7. Insert your name and location as SNMP properties
8. Send SNMP version 3 traps to 172.16.100.105 with a username of UCStraps and a
password of IPexpert

9. When the trap is received the system should send an acknowledgement of the received
trap

10. Ensure the SNMP traps are encrypted, use the strongest encryption possible

Task 6: Organizations

1. Create a container to place resources for the Finance department. This department
has sub-departments called Contracts, Purchase and Control
2. Another department in the organization is the HR department which has its own servers

3. Ensure that its possible to let certain users only access resources allocated to all of these
departments

Task 7: Authentication
1. When a user has changed its password, it is not allowed to change this for 7 days
2. A user can not re-use its previous 5 passwords

3. When users log-in to the UCS system they should be shown a message of Welcome to
the IPexpert UCS1 system

4. Create a user with username network-operator and a password of

networkingIsCool. This user is only allowed to change networking and service
profile settings without using a pre-defined role when components are placed in the
contracts or control organization, you are only allowed to assign 1 previously
configured locale.

Copyright by IPexpert. All rights reserved. 6

CCIE Data Center Lab Preparation Workbook

5. Create another user with a user name of HRdirector and a password of HRHRHR. This
user should only be able to change everything inside the HR organization. You are not
allowed to create a new role.
6. The HRdirector account should be disabled on the last day of the next month
7. By default users should be logged in to the UCS via RADIUS
8. There is a RADIUS server in the management network with IP address 172.16.100.201
9. The AAA server is using a key of IPexpertAAA

10. Users logging into the UCS with RADIUS that do not have a correct role assigned should
be able to view all settings, but not change anything

Task 8: Roles and Locales

1. Create a new user role called UPLINK which is able to change all settings related to the
uplink connections

2. Create a role called SYSTEM which is able to change all system wide settings and
management operations

3. Create a user called SERVERGUY with a password of R3b00t which is able to change
settings to service profiles and to server equipment. Do not use any pre-defined
user role. The user is allowed to change configuration in any organization, but should
have a locale assigned called SERVERGUY

Copyright by IPexpert. All rights reserved. 7

CCIE Data Center Lab Preparation Workbook

Chapter 14: Data

Center Virtualization
with Nexus 1000v



Chapter 14: Data Center Unified Computing Management is intended to let you be familiar
with the basic features of setting up, provisioning, configuring and implementing a Cisco Nexus
1000V virtual switch inside a virtualized environment.

We highly recommend to create your own diagram at the beginning of each lab so you are able
to draw on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

General Rules
Try to diagram out the task. Draw your own connections the way you like it
Create a checklist to aid as you work thru the lab
Take a very close read of the tasks to ensure you dont miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing
this particular chapter

Estimated Time to Complete: 4 hours

Copyright by IPexpert. All rights reserved. 1

CCIE Data Center Lab Preparation Workbook

Pre-setup
Connect to the Nexus switches within the topology
Use the central topology drawing at the start of this workbook
The UCS system and Fabric Interconnects use the configuration of the previous chapter
as are the MDS switches and Nexus switches
This lab is intended to be used with online rack access provided by our partner Proctor
Labs (www.proctorlabs.com). Connect to the terminal server and complete the
configuration tasks as detailed below

Drawing 1: Physical Topology

Copyright by IPexpert. All rights reserved. 2

CCIE Data Center Lab Preparation Workbook

Configuration tasks
Task 1: Initial set-up
Ensure that the Nexus switches, UCS system and MDS switches have their configuration
loaded from the previous chapter or the initial configurations.
Ensure that the initial configurations of this chapter is loaded on the rack to pre-install
the Nexus 1000V
Log-in to the Nexus 1000V VSM using a username of admin and a password of
IPexpert123
The VEMs are already loaded on the ESXi servers
The Domain ID is 101, the Management VLAN is 2000, the Packet VLAN is 2001
and the Control VLAN is 2002
Set-up the Nexus 1000V for Layer 2 mode
Ensure that Physical Uplinks on the ESXi servers are placed in a profile with all
control-plane VLANs associated. Ensure that the VSM does not need to be online for this
configuration to work.
Set-up the correct hostname of N1kV1
The VMware Datacenter is named CCIEDC
Ensure the VEMs are loaded into the VSMs and that a vCenter connection is
established

Task 2: Configure VLANs & port-profiles
Create VLANs 101 through 110
Create VLANs 501 through 525
Create the highest VLAN number possible in the 3000-3999 range.
Create a profile so that VMs can access hosts in VLAN 105
Create a profile so that all VLANs can be transported out of the server on its uplinks
The newly created uplink profile should be port-channeled using the best
practice
Create another port-profile, which will support LACP port-channels from the
upstream switch.
This just created port-profile should only allow VLANs higher than 500, ensure that
all reserved VLANs are excluded
Create another uplink port-profile allowing only Standard VLANs. This
profile will be connected to uplinks, which are not connecting to the same switch.
Use a Cisco proprietary protocol to create automatic sub-port-channels.
MAC addresses should be kept in memory for 3 minutes
Create a profile so VMs can access hosts in VLAN 505. Ensure iSCSI multi-
pathing is supported on VLAN 505

Copyright by IPexpert. All rights reserved. 3

CCIE Data Center Lab Preparation Workbook

Ensure DVportIDs are disconnected when a VM is powered off using the VLAN 505
profile
The maximum amount of ports should be automatically adapted based on the usage on
the VLAN 505 profile
Create another port-profile where VMs can access resources in VLAN 105. You are
not allowed to configure the VLAN under the port-profile.
Ensure that packets per second records are taken from input traffic on this last
created port-profile

Task 3: Implement QoS
There are Voice servers on VLAN 105. Ensure that Voice data packets are recognized
when entering the Nexus 1000V on IP packet level using the most common ports. You
are not allowed to use an ACL.
Voice data traffic tagged with 802.1P bits comes in on VLAN 105. Ensure traffic
coming from all uplinks is trusted using the most commonly used 802.1P value.
Voice traffic coming from VMs is untagged. Ensure that traffic, which goes out on the
uplinks, is tagged with the correct DiffServ and 802.1P marking.
Voice traffic should be limited to 50Mbps. The traffic may be oversubscribed by 70%,
after which traffic will be marked as Best Effort traffic. When Voice traffic goes over
100% oversubscription it should be dropped.
Ensure Nexus 1000V control-plane packets are given 5% of the uplink bandwidth.
VMware IP Storage protocols should receive 30% of the bandwidth and other
VMware protocols should receive 30% of the uplink bandwidth. The remainder of the
bandwidth should be given to the rest of the traffic.

Task 4: Network Monitoring
Traffic should be monitored from VLAN 505 to a monitoring server connected to a
dedicated port-profile.
The Port-profile of VLAN 105 should be monitored, but the monitoring server is
connected to a Nexus switch outside the Nexus 1000V. Use a Layer 3
transportation to accomplish this. Assume the IP address of the Nexus switch is
10.198.0.11.
Ensure this Layer 3 monitoring traffic receives a high priority treatment
throughout the network. Use an MTU of 1100 bytes.
Flow information should be exported to the server with IP address of
172.16.100.109

Task 5: Management Protocols
Ensure the management server 172.16.100.110 receives version 2c traps
This server should also be able to read information while using a classical community
string of IPexpert

Copyright by IPexpert. All rights reserved. 4

CCIE Data Center Lab Preparation Workbook

Configure your name and current location.

Ensure the Nexus 1000V does not accept SNMPv3 unencrypted requests
User version3 with password version3password should be able to access the
switch using SNMP version 3
The Telnet and SSH sessions should see Informational messages
Debugging messages should be visible in a separate logfile
Ensure logfiles are using the most precise timestamps
Logging up to Notifications level should be sent to 172.16.100.110 with a
facility of local3

Task 6: Miscellaneous features
Ensure First Hop Redundancy Protocols are supported to run on VMs running
on the VLAN 105 and VLAN 105
Force the uplink of module 3 to join Multicast group 233.3.3.3 in VLAN 105
Disable a multicast security mechanism on VLAN 502
Enable the Nexus 1000V to support Jumbo frames
Ensure unused vEth interfaces are not automatically deleted
Network Tracking should be enabled on vPC-HM interfaces

Copyright by IPexpert. All rights reserved. 5

CCIE Data Center Lab Preparation Workbook

Chapter 15: Nexus

1000V Security

Chapter 15: Nexus 1000V security is intended to let you be familiar with the security features
of a Cisco Nexus 1000V virtual switch inside a virtualized environment. These security features
will primarily be about configuring Private VLANs, DHCP Snooping and ACLs on the virtual
switch.

We highly recommend creating your own diagram at the beginning of each lab so you are able
to draw on your own diagram, making it much easier when you step into the real lab.

Multiple topology drawings are available for this chapter.

General Rules
Try to diagram out the task. Draw your own connections the way you like it
Create a checklist to aid as you work thru the lab
Take a very close read of the tasks to ensure you dont miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing
this particular chapter

Estimated Time to Complete: 4 hours

Copyright by IPexpert. All rights reserved. 1

CCIE Data Center Lab Preparation Workbook

Pre-setup
Connect to the Nexus switches within the topology
Use the central topology drawing at the start of this workbook
The UCS system and Fabric Interconnects use the configuration of the previous chapter
as are the MDS switches and Nexus switches including the Nexus 1000V
This lab is intended to be used with online rack access provided by our partner Proctor
Labs (www.proctorlabs.com). Connect to the terminal server and complete the
configuration tasks as detailed below

Drawing 1: Physical Topology

Copyright by IPexpert. All rights reserved. 2

CCIE Data Center Lab Preparation Workbook

Configuration tasks
Task 1: Private VLANs
You are allowed to create new port-profiles to finish this task.
A virtual 3rd party routing appliance is connected to VLAN 510, which
should receive all traffic from DMZ hosts.
Ensure that hosts in VLAN 511 are not able to communicate with each other, but only
to the routing appliance.
Hosts in VLAN 512 are able to communicate to each other in the VLAN and to the
routing appliance, but not to other hosts
The rest of the network should be able to reach VMs connected to VLAN 510.
Create a new uplink port-profile to complete this task

Task 2: Port Security
Ensure that all VMs connected to the second VLAN 105 profile only allow 10
hosts. The port should go into errdisable when the 11th VM is connected to the
profile.
Ensure that the learnt MAC addresses are cleared on the VLAN 105 profile after they
did not send any traffic for 6 minutes.
Only the following MAC addresses are able to access VMs connected to VLAN 505
o 0010.4431.a1b3
o 10:22:a0:f5:b3:de
o 0011.99ff.22aa
o 55:81:a0:9a:b0:0c
o ba01.dad3.c0ff
Ensure packet count is logged for all violating packets on VLAN 505
Only the following MAC addresses are able to access VMs connected to the Nexus 1000V
switch coming in over the Private VLAN based uplink port-profile
o 0a:ff:dB:AA:88:99
o aa22.99ff.112a
o 12:34:ab:df:78:90
o 00a0.112a.bbdc
Ensure all 25 possible learnt MAC addresses on the VLAN 514 are saved in the
configuration. You are allowed to create a port-profile to finish this task. Additional MAC
addresses trying to access the VM connected to the port-profile should be denied
access.

Task 3: DHCP Snooping, DAI, IP Source Guard
A DHCP server is connected in VLAN 105. Hosts in other VLANs are not allowed to
send DHCP OFFER messages to clients. Create a separate port-profile for this.
Ensure the DHCP server never sends more than 3 DHCP packets per second.

Copyright by IPexpert. All rights reserved. 3

CCIE Data Center Lab Preparation Workbook

When a DHCP REQUEST message is received on an interface, the Source MAC address
and the DHCP Client Hardware Address should be verified to match
Ensure VLAN 105 is protected for ARP Spoofing attacks
The Nexus 1000V should not check ARP packets received on the uplink profiles
Ensure that invalid or unexpected IP addresses in ARP packets are dropped
Ensure that all IP traffic is checked for spoofing attacks on the uplinks using the DHCP
Snooping database.
A host with MAC address 4019.a201.b04e, and a statically configured IP address of
198.18.50.254 is connected to VLAN 501. Ensure this host is allowed access.

Task 4: Access Control Lists
Use a protection on VLAN 509 to protect it against denied traffic according to the
following rules. Be as specific as possible.
The 198.18.255.100 host is allowed to access hosts in VLAN 509 which uses IP
addresses in the range of 198.18.59.0/24
Secure Web traffic coming from servers in 198.18.128.0/18 to VLAN 509 is
allowed. Clients in VLAN 509 are using non-reserved ports.
The Server farm is located in the 198.19.0.0/16 subnet and the
198.18.192.0/24 subnet. Hosts in VLAN 509 want to access Web servers, DNS
servers and Mail (to receive mail through POP3 and send mail) servers.
You are prohibited to configure these applications in the ACL.
A host connected in VLAN 501 (198.18.51.0/24) through interface
vEthernet145 is not allowed to access the IMAP server with IP address
198.19.0.25. Ensure this is enforced.
In addition to the IP security of VLAN 501 your manager also wants to only allow valid
MAC addresses from the Server farm to access hosts in VLAN 501. The servers have
MAC addresses in the range of 0bad.c0ff.ee00 up to 0bad.c0ff.eeff. This policy
should be of immediate effect when new port-profiles are configured in the future.

Copyright by IPexpert. All rights reserved. 4