We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

General Rules
Try to diagram out the task. Draw your own connections the way you like it.
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter.
Pre-setup
Connect to the Nexus switches within the topology. Use the central topology drawing at the start of this workbook.
The UCS system and Fabric Interconnects use the configuration of the previous chapter, as do the MDS switches and Nexus switches.
This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below.
Configuration tasks
1. Ensure that the UCS chassis connecting to the UCS Manager has an easy location mechanism enabled to physically locate the chassis.
2. Ensure that the chassis has an ID of 2.
5. The management interface should poll the default gateway every 90 seconds, 5 times, with a maximum timeout of 10 seconds. When this fails for 2 consecutive times the Fabric Interconnect should fail over.
5. Ensure that log files from the blade server are sent to an FTP server with IP address 172.16.100.102, using a username of IPX_ftp and a password of IPexpert.
6. The log files should be sent when a service profile is disassociated from the blade or when the log is full.
7. Schedule this backup every 24 hours and clear the log when the backup was successful.
8. Resolve names in the UCS Manager to IP addresses using IP address 172.16.100.101.
Task 3: Backups
1. Create a backup operation of all the settings that are applied after the initial cluster settings.
2. Ensure that all MAC addresses, WWPNs and other state information is included in the backup.
3. This backup should be sent to an FTP server reachable at 172.16.100.102 using a username of IPX_ftp and a password of IPexpert.
4. The file should be saved as yourname_date.xml.
5. Ensure a backup is successfully completed.
6. Download a binary file of all settings in the UCS to your local machine.
7. Create a backup operation to the same FTP server as before. The backup file should only contain service profiles, policies and other server related settings, but not management settings.
Task 4: Logging
1. Create a file to use for filing a TAC case for the entire UCS system.
2. Download a file to your system containing all information about CIMCs in the chassis.
3. Ensure faults are deleted after the state hasn't changed for 30 seconds.
4. Keep cleared faults in the log for 500 seconds.
5. When a component crashes and a core dump is created, this should be exported to a TFTP server with IP address 172.16.100.100 in a folder called core_dumps.
6. Ensure that emergency messages are logged to Telnet and SSH sessions.
7. All possible messages should be sent to 172.16.100.104 with facility Local0.

1. The UCS Manager should only be accessed through a secure session. Connections pointing to the default non-encrypted web interface should not get connected.
2. Limit the amount of active sessions to the UCS Manager to 64. Each user can only use up to 5 connections.
4. SNMP management systems should be able to read data from the UCS using UCSsnmp as the default identifier.
5. The configuration should be compatible with both version 3 and version 2c management stations.
6. When using SNMP version 3, a password of SNMP_password should be used.
7. Insert your name and location as SNMP properties.
8. Send SNMP version 3 traps to 172.16.100.105 with a username of UCStraps and a password of IPexpert.
9. When the trap is received the system should send an acknowledgement of the received trap.
10. Ensure the SNMP traps are encrypted; use the strongest encryption possible.
Task 6: Organizations
1. Create a container to place resources for the Finance department. This department has sub-departments called Contracts, Purchase and Control.
2. Another department in the organization is the HR department, which has its own servers.
3. Ensure that it's possible to let certain users only access resources allocated to all of these departments.
Task 7: Authentication
1. When a user has changed its password, it is not allowed to change this for 7 days.
2. A user can not re-use its previous 5 passwords.
3. When users log in to the UCS system they should be shown a message of "Welcome to the IPexpert UCS1 system".
5. Create another user with a user name of HRdirector and a password of HRHRHR. This user should only be able to change everything inside the HR organization. You are not allowed to create a new role.
6. The HRdirector account should be disabled on the last day of the next month.
7. By default users should be logged in to the UCS via RADIUS.
8. There is a RADIUS server in the management network with IP address 172.16.100.201.
9. The AAA server is using a key of IPexpertAAA.
10. Users logging into the UCS with RADIUS that do not have a correct role assigned should be able to view all settings, but not change anything.

1. Create a new user role called UPLINK which is able to change all settings related to the uplink connections.
2. Create a role called SYSTEM which is able to change all system wide settings and management operations.
3. Create a user called SERVERGUY with a password of R3b00t which is able to change settings to service profiles and to server equipment. Do not use any pre-defined user role. The user is allowed to change configuration in any organization, but should have a locale assigned called SERVERGUY.
Pre-setup
Connect to the Nexus switches within the topology. Use the central topology drawing at the start of this workbook.
The UCS system and Fabric Interconnects use the configuration of the previous chapter, as do the MDS switches and Nexus switches.
This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below.
Drawing 1: Physical Topology

Configuration tasks
Task 1: Initial set-up
Ensure that the Nexus switches, UCS system and MDS switches have their configuration loaded from the previous chapter or the initial configurations.
Ensure that the initial configurations of this chapter are loaded on the rack to pre-install the Nexus 1000V.
Log in to the Nexus 1000V VSM using a username of admin and a password of IPexpert123.
The VEMs are already loaded on the ESXi servers.
The Domain ID is 101, the Management VLAN is 2000, the Packet VLAN is 2001 and the Control VLAN is 2002.
Set up the Nexus 1000V for Layer 2 mode.
Ensure that Physical Uplinks on the ESXi servers are placed in a profile with all control-plane VLANs associated. Ensure that the VSM does not need to be online for this configuration to work.
Set up the correct hostname of N1kV1.
The VMware Datacenter is named CCIEDC.
Ensure the VEMs are loaded into the VSMs and that a vCenter connection is established.
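As an added illustration of the Task 1 bring-up (an editor's example, not the workbook's solution and not Cisco's reference configuration), the following Nexus 1000V VSM configuration uses the values stated above: domain ID 101, control VLAN 2002, packet VLAN 2001, management VLAN 2000, hostname N1kV1 and datacenter CCIEDC. The uplink profile name SYSTEM-UPLINK and the vCenter address 192.0.2.10 are assumptions; the page gives no vCenter address.

```text
! Added example: Nexus 1000V VSM in Layer 2 control mode (Task 1 values).
! SYSTEM-UPLINK and 192.0.2.10 are assumed; the page gives no vCenter IP.
hostname N1kV1

! Domain and control-plane VLANs as stated in the task
svs-domain
  domain id 101
  control vlan 2002
  packet vlan 2001
  svs mode L2 control vlan 2002

! Uplink profile for the ESXi physical NICs. Listing the management,
! packet and control VLANs as system VLANs lets the VEM keep forwarding
! them even when the VSM is unreachable, which is what the task asks for.
port-profile type ethernet SYSTEM-UPLINK
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 2000-2002
  system vlan 2000-2002
  no shutdown
  state enabled

! vCenter connection; the vDS is created in the named datacenter
svs connection vcenter
  protocol vmware-vim
  remote ip address 192.0.2.10 port 80
  vmware dvs datacenter-name CCIEDC
  connect
```

Check the result with `show svs domain`, `show svs connections` and `show module`: each VEM that has joined the VSM appears as a module. If `connect` fails, the usual cause is that the VSM's vCenter extension has not yet been registered on the vCenter server.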

Task 2: Configure VLANs & port-profiles
Create VLANs 101 through 110.
Create VLANs 501 through 525.
Create the highest VLAN number possible in the 3000-3999 range.
Create a profile so that VMs can access hosts in VLAN 105.
Create a profile so that all VLANs can be transported out of the server on its uplinks. The newly created uplink profile should be port-channeled using the best practice.
Create another port-profile, which will support LACP port-channels from the upstream switch. This newly created port-profile should only allow VLANs higher than 500; ensure that all reserved VLANs are excluded.
Create another uplink port-profile allowing only Standard VLANs. This profile will be connected to uplinks which are not connecting to the same switch. Use a Cisco proprietary protocol to create automatic sub-port-channels.
MAC addresses should be kept in memory for 3 minutes.
Create a profile so VMs can access hosts in VLAN 505. Ensure iSCSI multipathing is supported on VLAN 505.
Ensure DVportIDs are disconnected when a VM is powered off using the VLAN 505 profile.
The maximum amount of ports should be automatically adapted based on the usage on the VLAN 505 profile.
Create another port-profile where VMs can access resources in VLAN 105. You are not allowed to configure the VLAN under the port-profile.
Ensure that packets per second records are taken from input traffic on this last created port-profile.
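The port-profile configuration below is an added example (the editor's, not the workbook's own answer) of the patterns Task 2 calls for: an access profile per VLAN, a trunk uplink with MAC pinning, an LACP uplink, a CDP sub-group uplink, the MAC ageing timer, iSCSI multipath with ephemeral binding, and profile inheritance so that a child profile never names its VLAN itself. All profile names are assumptions. 3967 is used as the top of the 3000-3999 range because 3968 and above fall inside the reserved VLAN range.

```text
! Added example; all profile names are assumed.
vlan 101-110
vlan 501-525
! 3968-3999 fall inside the reserved VLAN range, so 3967 is the highest usable
vlan 3967

feature lacp

! VM-facing access profile for VLAN 105
port-profile type vethernet VM-VLAN105
  vmware port-group
  switchport mode access
  switchport access vlan 105
  no shutdown
  state enabled

! All VLANs out of the server. MAC pinning needs no port-channel on the
! upstream side, which is why it is the usual choice for ESXi uplinks.
port-profile type ethernet UPLINK-ALL
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 1-3967
  channel-group auto mode on mac-pinning
  no shutdown
  state enabled

! LACP to an upstream port-channel; VLANs above 500, reserved range excluded
port-profile type ethernet UPLINK-LACP
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 501-3967
  channel-group auto mode active
  no shutdown
  state enabled

! Standard-range VLANs only; CDP groups the uplinks per upstream switch
port-profile type ethernet UPLINK-CDP
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 1-1005
  channel-group auto mode on sub-group cdp
  no shutdown
  state enabled

! 3 minutes expressed in seconds
mac address-table aging-time 180

! VLAN 505: iSCSI multipath; ephemeral binding hands the DVport back when
! the VM powers off, and ports are then allocated on demand
port-profile type vethernet VM-VLAN505
  vmware port-group
  switchport mode access
  switchport access vlan 505
  capability iscsi-multipath
  port-binding ephemeral
  no shutdown
  state enabled

! Second VLAN 105 profile: the VLAN comes from the parent, not from here
port-profile type vethernet VM-VLAN105-2
  vmware port-group
  inherit port-profile VM-VLAN105
  no shutdown
  state enabled
```

`show port-profile name VM-VLAN105-2` shows the inherited settings alongside the profile's own, and `show port-channel summary` confirms the channel mode each uplink profile produced.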

Task 3: Implement QoS
There are Voice servers on VLAN 105. Ensure that Voice data packets are recognized when entering the Nexus 1000V on IP packet level using the most common ports. You are not allowed to use an ACL.
Voice data traffic tagged with 802.1P bits comes in on VLAN 105. Ensure traffic coming from all uplinks is trusted using the most commonly used 802.1P value.
Voice traffic coming from VMs is untagged. Ensure that traffic which goes out on the uplinks is tagged with the correct DiffServ and 802.1P marking.
Voice traffic should be limited to 50Mbps. The traffic may be oversubscribed by 70%, after which traffic will be marked as Best Effort traffic. When Voice traffic goes over 100% oversubscription it should be dropped.
Ensure Nexus 1000V control-plane packets are given 5% of the uplink bandwidth. VMware IP Storage protocols should receive 30% of the bandwidth and other VMware protocols should receive 30% of the uplink bandwidth. The remainder of the bandwidth should be given to the rest of the traffic.

Task 4: Network Monitoring
Traffic should be monitored from VLAN 505 to a monitoring server connected to a dedicated port-profile.
The Port-profile of VLAN 105 should be monitored, but the monitoring server is connected to a Nexus switch outside the Nexus 1000V. Use a Layer 3 transportation to accomplish this. Assume the IP address of the Nexus switch is 10.198.0.11.
Ensure this Layer 3 monitoring traffic receives a high priority treatment throughout the network. Use an MTU of 1100 bytes.
Flow information should be exported to the server with IP address of 172.16.100.109.

Task 5: Management Protocols
Ensure the management server 172.16.100.110 receives version 2c traps.
This server should also be able to read information while using a classical community string of IPexpert.

We highly recommend creating your own diagram at the beginning of each lab so you are able to draw on your own diagram, making it much easier when you step into the real lab.

General Rules
Try to diagram out the task. Draw your own connections the way you like it.
Create a checklist to aid as you work through the lab.
Take a very close read of the tasks to ensure you don't miss any points during grading!
Take your time. This is not a Mock Lab, so no time constraints are in place for finishing this particular chapter.
Estimated Time to Complete: 4 hours
Pre-setup
Connect to the Nexus switches within the topology. Use the central topology drawing at the start of this workbook.
The UCS system and Fabric Interconnects use the configuration of the previous chapter, as do the MDS switches and Nexus switches, including the Nexus 1000V.
This lab is intended to be used with online rack access provided by our partner Proctor Labs (www.proctorlabs.com). Connect to the terminal server and complete the configuration tasks as detailed below.
Drawing 1: Physical Topology

Configuration tasks
Task 1: Private VLANs
You are allowed to create new port-profiles to finish this task.
A virtual 3rd party routing appliance is connected to VLAN 510, which should receive all traffic from DMZ hosts.
Ensure that hosts in VLAN 511 are not able to communicate with each other, but only to the routing appliance.
Hosts in VLAN 512 are able to communicate to each other in the VLAN and to the routing appliance, but not to other hosts.
The rest of the network should be able to reach VMs connected to VLAN 510. Create a new uplink port-profile to complete this task.
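The private VLAN layout described in Task 1 maps onto three VLAN roles and three port roles. The configuration below is an added example (the editor's, not the workbook's solution) with VLAN 510 as the primary, 511 isolated, 512 community, a promiscuous port for the routing appliance and a promiscuous trunk uplink so the rest of the network can reach VLAN 510. The profile names are assumptions.

```text
! Added example; profile names are assumed.
feature private-vlan

! Primary VLAN 510 with one isolated and one community secondary VLAN
vlan 510
  private-vlan primary
  private-vlan association 511,512
vlan 511
  private-vlan isolated
vlan 512
  private-vlan community

! Routing appliance: promiscuous, so it talks to every host in 511 and 512
port-profile type vethernet PVLAN-ROUTER
  vmware port-group
  switchport mode private-vlan promiscuous
  switchport private-vlan mapping 510 511,512
  no shutdown
  state enabled

! DMZ hosts that may only reach the appliance, never each other
port-profile type vethernet PVLAN-ISOLATED
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 510 511
  no shutdown
  state enabled

! DMZ hosts that may talk among themselves and to the appliance
port-profile type vethernet PVLAN-COMMUNITY
  vmware port-group
  switchport mode private-vlan host
  switchport private-vlan host-association 510 512
  no shutdown
  state enabled

! Uplink as a promiscuous trunk: frames from the secondary VLANs leave the
! host tagged with the primary VLAN, so upstream only needs to know 510
port-profile type ethernet UPLINK-PVLAN
  vmware port-group
  switchport mode private-vlan trunk promiscuous
  switchport private-vlan trunk allowed vlan 510
  switchport private-vlan mapping trunk 510 511,512
  no shutdown
  state enabled
```

`show vlan private-vlan` lists the primary/secondary associations, and `show interface vethernet N switchport` shows which host-association a given VM port received.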

Task 2: Port Security
Ensure that all VMs connected to the second VLAN 105 profile only allow 10 hosts. The port should go into errdisable when the 11th VM is connected to the profile.
Ensure that the learnt MAC addresses are cleared on the VLAN 105 profile after they did not send any traffic for 6 minutes.
Only the following MAC addresses are able to access VMs connected to VLAN 505:
o 0010.4431.a1b3
o 10:22:a0:f5:b3:de
o 0011.99ff.22aa
o 55:81:a0:9a:b0:0c
o ba01.dad3.c0ff
Ensure packet count is logged for all violating packets on VLAN 505.
Only the following MAC addresses are able to access VMs connected to the Nexus 1000V switch coming in over the Private VLAN based uplink port-profile:
o 0a:ff:dB:AA:88:99
o aa22.99ff.112a
o 12:34:ab:df:78:90
o 00a0.112a.bbdc
Ensure all 25 possible learnt MAC addresses on VLAN 514 are saved in the configuration. You are allowed to create a port-profile to finish this task. Additional MAC addresses trying to access the VM connected to the port-profile should be denied access.
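Port security on the Nexus 1000V is configured per vEthernet port-profile, and the three requirements of Task 2 map onto three profiles. The configuration below is an added example (the editor's, not the workbook's answer); the profile names are assumptions, and the colon-separated MAC addresses from the task list are rewritten in the dotted form the CLI expects. `shutdown` errdisables the port on a violation, `protect` silently drops frames from excess addresses, and `restrict` is the mode that drops and counts them where the release supports it; confirm the modes available to you with `switchport port-security violation ?`. The ageing time is in minutes.

```text
! Added example; profile names are assumed.

! Second VLAN 105 profile: 10 stations, errdisable on the 11th, addresses
! aged out after 6 minutes without traffic
port-profile type vethernet VM-VLAN105-SEC
  vmware port-group
  switchport mode access
  switchport access vlan 105
  switchport port-security
  switchport port-security maximum 10
  switchport port-security violation shutdown
  switchport port-security aging type inactivity
  switchport port-security aging time 6
  no shutdown
  state enabled

! VLAN 505: only the five listed stations; colon notation converted to
! dotted notation (10:22:a0:f5:b3:de -> 1022.a0f5.b3de and so on)
port-profile type vethernet VM-VLAN505-SEC
  vmware port-group
  switchport mode access
  switchport access vlan 505
  switchport port-security
  switchport port-security maximum 5
  switchport port-security mac-address 0010.4431.a1b3
  switchport port-security mac-address 1022.a0f5.b3de
  switchport port-security mac-address 0011.99ff.22aa
  switchport port-security mac-address 5581.a09a.b00c
  switchport port-security mac-address ba01.dad3.c0ff
  switchport port-security violation restrict
  no shutdown
  state enabled

! VLAN 514: learn up to 25 addresses as sticky entries, which are written
! into the running configuration; anything beyond that is dropped
port-profile type vethernet VM-VLAN514-STICKY
  vmware port-group
  switchport mode access
  switchport access vlan 514
  switchport port-security
  switchport port-security maximum 25
  switchport port-security mac-address sticky
  switchport port-security violation protect
  no shutdown
  state enabled
```

`show port-security address` lists the static, sticky and dynamically learnt entries per interface; `show port-security interface vethernet N` shows the violation counter and whether the port is errdisabled. Sticky entries only survive a reload if the running configuration is saved after they have been learnt.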

Task 3: DHCP Snooping, DAI, IP Source Guard
A DHCP server is connected in VLAN 105. Hosts in other VLANs are not allowed to send DHCP OFFER messages to clients. Create a separate port-profile for this.
Ensure the DHCP server never sends more than 3 DHCP packets per second.
When a DHCP REQUEST message is received on an interface, the Source MAC address and the DHCP Client Hardware Address should be verified to match.
Ensure VLAN 105 is protected against ARP Spoofing attacks.
The Nexus 1000V should not check ARP packets received on the uplink profiles.
Ensure that invalid or unexpected IP addresses in ARP packets are dropped.
Ensure that all IP traffic is checked for spoofing attacks on the uplinks using the DHCP Snooping database.
A host with MAC address 4019.a201.b04e and a statically configured IP address of 198.18.50.254 is connected to VLAN 501. Ensure this host is allowed access.
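DHCP snooping, Dynamic ARP Inspection and IP Source Guard build on each other: snooping records which IP/MAC pairs were handed out on which port, DAI checks ARP packets against that table, and Source Guard checks IP packets against it. The configuration below is an added example (the editor's, not the workbook's answer) for the Task 3 requirements. The profile names, the vEthernet number in the static binding, and the availability of the per-profile DHCP rate limit on a given release are assumptions; the MAC address, IP address and VLANs are the ones stated in the task.

```text
! Added example; profile names and the vEthernet number are assumed.
feature dhcp

! Snooping on VLAN 105. Only the server profile is trusted, so a DHCP OFFER
! arriving on any other vEthernet is dropped.
ip dhcp snooping
ip dhcp snooping vlan 105
! Reject a REQUEST whose frame source MAC differs from the client hardware
! address inside the DHCP payload
ip dhcp snooping verify mac-address

! Dedicated profile for the DHCP server VM, limited to 3 DHCP packets/s
! (rate-limit command assumed; confirm it exists on your release)
port-profile type vethernet DHCP-SERVER
  vmware port-group
  switchport mode access
  switchport access vlan 105
  ip dhcp snooping trust
  ip dhcp snooping limit rate 3
  no shutdown
  state enabled

! Dynamic ARP Inspection on VLAN 105 with the sender/target IP sanity check
ip arp inspection vlan 105
ip arp inspection validate ip

! ARP arriving from the rest of the network over the uplinks is not checked
port-profile type ethernet UPLINK-ALL
  ip arp inspection trust

! IP Source Guard keyed off the snooping database, applied where the
! bindings are learnt (the VM-facing profile)
port-profile type vethernet VM-VLAN105
  ip verify source dhcp-snooping-vlan

! The statically addressed host in VLAN 501 never talks to DHCP, so it
! needs a static entry in the binding table; vethernet 10 is a placeholder
ip source binding 198.18.50.254 4019.a201.b04e vlan 501 interface vethernet 10
```

`show ip dhcp snooping binding` shows both the learnt and the static entries, `show ip arp inspection vlan 105` shows the DAI state and drop counters, and `show ip verify source` shows which ports enforce Source Guard. A static host without its binding is cut off completely once Source Guard is on, so add the binding before enabling the check on that profile.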

Task 4: Access Control Lists
Use a protection on VLAN 509 to protect it against denied traffic according to the following rules. Be as specific as possible.
The 198.18.255.100 host is allowed to access hosts in VLAN 509, which uses IP addresses in the range of 198.18.59.0/24.
Secure Web traffic coming from servers in 198.18.128.0/18 to VLAN 509 is allowed. Clients in VLAN 509 are using non-reserved ports.
The Server farm is located in the 198.19.0.0/16 subnet and the 198.18.192.0/24 subnet. Hosts in VLAN 509 want to access Web servers, DNS servers and Mail (to receive mail through POP3 and send mail) servers. You are prohibited from configuring these applications in the ACL.
A host connected in VLAN 501 (198.18.51.0/24) through interface vEthernet145 is not allowed to access the IMAP server with IP address 198.19.0.25. Ensure this is enforced.
In addition to the IP security of VLAN 501, your manager also wants to only allow valid MAC addresses from the Server farm to access hosts in VLAN 501. The servers have MAC addresses in the range of 0bad.c0ff.ee00 up to 0bad.c0ff.eeff. This policy should be of immediate effect when new port-profiles are configured in the future.
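The ACL rules in Task 4 combine a host-specific permit, an application permit narrowed to client ephemeral ports, return-traffic permits that do not name the applications, a single-interface deny, and a MAC-range filter that future profiles inherit. The configuration below is an added example (the editor's, not the workbook's answer) of those patterns on the Nexus 1000V. ACL and profile names are assumptions; the addresses, prefixes, the vEthernet145 interface and the MAC range are from the task. Port ACL direction on a vEthernet is from the switch's point of view: "out" is traffic leaving the switch towards the VM, so a filter that protects VLAN 509 hosts goes outbound on their profile.

```text
! Added example; ACL and profile names are assumed.

! Protection for VLAN 509 hosts (198.18.59.0/24), applied towards the VMs.
! Return traffic for sessions the hosts open is admitted without naming
! the applications: TCP by the established flag, DNS replies as UDP back
! to ephemeral ports. HTTPS from the web farm is named explicitly, as the
! task allows for that rule.
ip access-list VLAN509-PROTECT
  permit ip host 198.18.255.100 198.18.59.0/24
  permit tcp 198.18.128.0/18 eq 443 198.18.59.0/24 gt 1023
  permit tcp 198.19.0.0/16 198.18.59.0/24 gt 1023 established
  permit tcp 198.18.192.0/24 198.18.59.0/24 gt 1023 established
  permit udp 198.19.0.0/16 198.18.59.0/24 gt 1023
  permit udp 198.18.192.0/24 198.18.59.0/24 gt 1023
  deny ip any any

port-profile type vethernet VM-VLAN509
  vmware port-group
  switchport mode access
  switchport access vlan 509
  ip port access-group VLAN509-PROTECT out
  no shutdown
  state enabled

! One VM may not reach the IMAP server; "in" is traffic from the VM into
! the switch, and the ACL is bound to that interface only
ip access-list NO-IMAP
  deny tcp 198.18.51.0/24 host 198.19.0.25 eq 143
  permit ip any any

interface vethernet145
  ip port access-group NO-IMAP in

! Server-farm MAC range: mask bits set to 1 are wildcard bits, so this
! matches 0bad.c0ff.ee00 through 0bad.c0ff.eeff; everything else hits the
! implicit deny
mac access-list SERVERFARM-MACS
  permit 0bad.c0ff.ee00 0000.0000.00ff any

! Keep the MAC filter in a parent profile. Any VLAN 501 profile created
! later that inherits it receives the policy with no extra configuration.
port-profile type vethernet VLAN501-BASE
  switchport mode access
  switchport access vlan 501
  mac port access-group SERVERFARM-MACS out

port-profile type vethernet VM-VLAN501
  vmware port-group
  inherit port-profile VLAN501-BASE
  no shutdown
  state enabled
```

`show access-lists VLAN509-PROTECT` and `show mac access-lists` show the entries as parsed; `show port-profile name VM-VLAN501` confirms the inherited `mac port access-group` line. When verifying, test both directions of a real session rather than a single packet, because the `established` entries only admit segments that carry ACK or RST.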