I haven't seen many documents on disjoint L2 UCS deployment (on security). We have a UCS chassis (5108) and have a few B230s on it. We want to use the same chassis both for internal LAN and DMZ.
Obviously the first question that comes in is security - we know that UCS in EHM doesn't act like a switch (with regards to unicasts and broadcasts), but is the design secure enough, logically and physically? Has anyone come across any security limitations with disjoint L2?
Our thinking was -
1) Isolation is anyway done on link going from FI to upstream switches - internal LAN VNICs go through a different PINNED uplink than DMZ
2) Should we consider separate blades for DMZ? Or is running both DMZ and internal on the same blade fine (with different vSwitches)?
3) How about the links going from 2204 FEX to FI ? I know that the VNICs are built upon automatically generated port channels - but is it possible to use 2 different sets of links for internal and DMZ ?
I guess it all depends on the organization's security posture. I am finding gov't institutions slow to adopt the segregation mechanisms that UCS and the Nexus products provide, mostly a result of their lack of understanding of the technology and how it's implemented.
Some people have issues with “mixing” data in the FIs from the different zones. On the other hand, financial institutions seem to be more willing/understanding of the technology in question. But we still see clients requesting physical hardware separation in the DMZ.
The current implementation of disjoint L2 works quite well but requires some planning when configuring your vNICs. As you know, by default all VLANs are accessible by all ports. Disjoint L2 is similar to "switchport trunk allow" in the switching world.
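The planning the reply refers to is mostly about three rules: a VLAN should be allowed on only one uplink per fabric interconnect (otherwise the default "every VLAN on every uplink" behaviour silently gives the DMZ a second path), an uplink should carry VLANs from one security zone only, and a vNIC must only carry VLANs that some single uplink on its fabric also carries, because UCSM pins a vNIC to an uplink that allows all of that vNIC's VLANs and a vNIC with no such uplink cannot be pinned and stays down. The following is an added example, not code from the thread or from Cisco: a small Python checker that runs those three rules over a constructed inventory (the uplink names, VLAN IDs, zones and vNIC templates are all invented for illustration, and the pinning behaviour described above is an assumption stated in the comments, not something the thread confirms).

```python
"""Planning check for a UCS disjoint-L2 design (constructed example, not Cisco code).

Assumptions, stated here rather than taken from the thread:
- A VLAN should be allowed on exactly one uplink (port-channel) per fabric interconnect.
- UCSM pins a vNIC to an uplink that carries every VLAN on that vNIC; if no single
  uplink carries them all, the vNIC cannot be pinned and stays down.
- VLANs belong to security zones; an uplink must carry VLANs of one zone only.
"""
from collections import defaultdict

# Constructed inventory: uplink port-channels per fabric and the VLANs allowed on each.
# Fabric B deliberately leaks LAN VLAN 30 onto the DMZ uplink to show what the check catches.
UPLINKS = {
    "A": {"Po10-LAN": {10, 20, 30}, "Po20-DMZ": {100, 110}},
    "B": {"Po11-LAN": {10, 20, 30}, "Po21-DMZ": {100, 110, 30}},
}

# Constructed security zones and the VLANs that belong to each.
ZONES = {"LAN": {10, 20, 30}, "DMZ": {100, 110}}

# Constructed vNIC templates: the fabric each is bound to and the VLANs it carries.
# eth2-mixed carries VLANs from both zones on purpose; no single uplink can pin it.
VNICS = [
    {"name": "eth0-lan", "fabric": "A", "vlans": {10, 20}},
    {"name": "eth1-dmz", "fabric": "B", "vlans": {100}},
    {"name": "eth2-mixed", "fabric": "A", "vlans": {10, 100}},
]


def vlan_conflicts(uplinks):
    """Return {fabric: {vlan: [uplinks]}} for VLANs allowed on more than one uplink of a fabric.

    A VLAN on two uplinks makes pinning ambiguous and gives that VLAN a second path upstream,
    which defeats the point of separating LAN and DMZ uplinks."""
    out = {}
    for fabric, groups in uplinks.items():
        seen = defaultdict(list)
        for name, vlans in groups.items():
            for vlan in vlans:
                seen[vlan].append(name)
        dup = {vlan: sorted(names) for vlan, names in seen.items() if len(names) > 1}
        if dup:
            out[fabric] = dup
    return out


def zone_violations(uplinks, zones):
    """Return (fabric, uplink, zones_seen) for every uplink carrying VLANs from more than one zone."""
    hits = []
    for fabric, groups in uplinks.items():
        for name, vlans in groups.items():
            seen = {zone for zone, zone_vlans in zones.items() if vlans & zone_vlans}
            if len(seen) > 1:
                hits.append((fabric, name, seen))
    return hits


def pin_vnic(uplinks, vnic):
    """Return the first uplink on the vNIC's fabric that allows every VLAN on the vNIC, or None.

    None models the assumed UCSM behaviour: a vNIC whose VLAN set spans two uplinks has
    nowhere to pin and stays down."""
    for name, allowed in uplinks[vnic["fabric"]].items():
        if vnic["vlans"] <= allowed:
            return name
    return None


def check_design(uplinks, zones, vnics):
    """Run all three rules and return a list of human-readable findings (empty means clean)."""
    findings = []
    for fabric, dup in vlan_conflicts(uplinks).items():
        for vlan, names in dup.items():
            findings.append(f"fabric {fabric}: VLAN {vlan} allowed on multiple uplinks {names}")
    for fabric, name, seen in zone_violations(uplinks, zones):
        findings.append(f"fabric {fabric}: uplink {name} mixes zones {sorted(seen)}")
    for vnic in vnics:
        if pin_vnic(uplinks, vnic) is None:
            findings.append(
                f"vNIC {vnic['name']}: no uplink on fabric {vnic['fabric']} carries all of "
                f"{sorted(vnic['vlans'])}; vNIC cannot be pinned"
            )
    return findings


if __name__ == "__main__":
    for line in check_design(UPLINKS, ZONES, VNICS):
        print(line)
```

Run against the constructed inventory it reports three findings: VLAN 30 on two uplinks of fabric B, Po21-DMZ mixing the LAN and DMZ zones, and eth2-mixed having no uplink it can pin to. The first two are the ones that matter for the security question in the thread; the third is the operational symptom you see when a vNIC is given VLANs from both sides of a disjoint L2 design.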