VLANs

Named VLANs

A named VLAN creates a connection to a specific external LAN. The VLAN isolates traffic to that external LAN, including broadcast traffic.

The name that you assign to a VLAN ID adds a layer of abstraction that allows you to globally update all servers associated with service profiles that use the named VLAN. You do not need to reconfigure the servers individually to maintain communication with the external LAN.

You can create more than one named VLAN with the same VLAN ID. For example, if servers that host business services for HR and Finance need to access the same external LAN, you can create VLANs named HR and Finance with the same VLAN ID. Then, if the network is reconfigured and Finance is assigned to a different LAN, you only have to change the VLAN ID for the named VLAN for Finance.

In a cluster configuration, you can configure a named VLAN to be accessible only to one fabric interconnect or to both fabric interconnects.

Guidelines for VLAN IDs

Important:

You cannot create VLANs with IDs from 3968 to 4047 and 4092 to 4096. These ranges of VLAN IDs are reserved.

The VLAN IDs you specify must also be supported on the switch that you are using. For example, on Cisco Nexus 5000 Series switches, the VLAN ID range from 3968 to 4029 is reserved. Before you specify the VLAN IDs in Cisco UCS Manager, make sure that the same VLAN IDs are available on your switch.

VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

VLAN 4048 is user configurable. However, Cisco UCS Manager uses VLAN 4048 for the following default values. If you want to assign 4048 to a VLAN, you must reconfigure these values:

  • After an upgrade to Cisco UCS, Release 2.0—The FCoE storage port native VLAN uses VLAN 4048 by default. If the default FCoE VSAN was set to use VLAN 1 before the upgrade, you must change it to a VLAN ID that is not used or reserved. For example, consider changing the default to 4049 if that VLAN ID is not in use.

  • After a fresh install of Cisco UCS, Release 2.0—The FCoE VLAN for the default VSAN uses VLAN 4048 by default. The FCoE storage port native VLAN uses VLAN 4049.

The VLAN name is case sensitive.
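The guidelines above can be checked against a planned VLAN list before anything is typed at the CLI. The following is an added example, not Cisco code: the plan format, function names and finding codes are assumptions, and the sample plan is constructed.

```python
from collections import defaultdict

# Ranges and defaults taken from the guidelines on this page.
UCSM_RESERVED = ((3968, 4047), (4092, 4096))
NEXUS_5000_RESERVED = ((3968, 4029),)   # the page's upstream-switch example
UCSM_DEFAULT_VLAN = 4048                # configurable, but used by FCoE defaults

# Finding codes (hypothetical names) that must be resolved before committing.
BLOCKING = {"UCSM_RESERVED", "SWITCH_RESERVED", "FCOE_OVERLAP"}


def in_ranges(vlan_id, ranges):
    """Return True when vlan_id lies inside any inclusive (low, high) range."""
    return any(low <= vlan_id <= high for low, high in ranges)


def check_vlan_plan(lan_vlans, fcoe_vlan_ids, switch_reserved=()):
    """Check planned LAN-cloud named VLANs; return [(code, name, vlan_id), ...].

    lan_vlans       -- (name, vlan_id) pairs; this plan format is an assumption
    fcoe_vlan_ids   -- FCoE VLAN IDs already used by VSANs in the SAN cloud
    switch_reserved -- inclusive ID ranges reserved on the upstream switch
    """
    lan_vlans = list(lan_vlans)
    findings = []
    names_by_id = defaultdict(list)
    ids_by_folded_name = defaultdict(dict)

    for name, vlan_id in lan_vlans:
        names_by_id[vlan_id].append(name)
        ids_by_folded_name[name.casefold()][name] = vlan_id

        if in_ranges(vlan_id, UCSM_RESERVED):
            findings.append(("UCSM_RESERVED", name, vlan_id))
        if in_ranges(vlan_id, switch_reserved):
            findings.append(("SWITCH_RESERVED", name, vlan_id))
        if vlan_id in fcoe_vlan_ids:
            # Critical fault: Ethernet traffic on the overlapping VLAN is dropped.
            findings.append(("FCOE_OVERLAP", name, vlan_id))
        elif vlan_id == UCSM_DEFAULT_VLAN:
            # Usable only after the defaults that point at 4048 are reconfigured.
            findings.append(("CHECK_4048_DEFAULTS", name, vlan_id))

    # Names are case sensitive, so "Finance" and "finance" are distinct VLANs
    # that are easy to confuse when assigning them to vNICs.
    for variants in ids_by_folded_name.values():
        if len(variants) > 1:
            for name in sorted(variants):
                findings.append(("CASE_VARIANT_NAME", name, variants[name]))

    # Several names on one ID is allowed; the ID stays on the fabric
    # interconnect until every named VLAN with that ID is deleted.
    for vlan_id, names in names_by_id.items():
        if len(names) > 1:
            for name in names:
                findings.append(("SHARED_ID", name, vlan_id))
    return findings


def blocking(findings):
    """Return only the findings that must be fixed before commit-buffer."""
    return [f for f in findings if f[0] in BLOCKING]


# Constructed sample plan (not taken from a real system).
SAMPLE_PLAN = [
    ("HR", 100), ("Finance", 100), ("finance", 200),
    ("storage", 3968), ("mgmt", 4048), ("backup", 4030), ("fcoe-clash", 3000),
]
SAMPLE_FCOE_IDS = {3000, 4049}

if __name__ == "__main__":
    results = check_vlan_plan(SAMPLE_PLAN, SAMPLE_FCOE_IDS, NEXUS_5000_RESERVED)
    for code, name, vlan_id in results:
        marker = "BLOCK" if code in BLOCKING else "note "
        print(f"{marker} {code:<20} {name:<12} {vlan_id}")
```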

VLAN Port Limitations

Cisco UCS Manager limits the number of VLAN port instances that you can configure under border and server domains on a fabric interconnect.

Types of Ports Included in the VLAN Port Count

The following types of ports are counted in the VLAN port calculation:

  • Border uplink Ethernet ports

  • Border uplink Ether-channel member ports

  • FCoE ports in a SAN cloud

  • Ethernet ports in a NAS cloud

  • Static and dynamic vNICs created through service profiles

  • VM vNICs created as part of a port profile in a hypervisor in a hypervisor domain

Based on the number of VLANs configured for these ports, Cisco UCS Manager tracks the cumulative count of VLAN port instances and enforces the VLAN port limit during validation. Cisco UCS Manager reserves some pre-defined VLAN port resources for control traffic. These include management VLANs configured under HIF and NIF ports.

VLAN Port Limit Enforcement

Cisco UCS Manager validates VLAN port availability during the following operations:

  • Configuring and unconfiguring border ports and border port channels

  • Adding or removing VLANs from a cloud

  • Configuring or unconfiguring SAN or NAS ports

  • Associating or disassociating service profiles that contain configuration changes

  • Configuring or unconfiguring VLANs under vNICs or vHBAs

  • Receiving creation or deletion notifications from a VMware vNIC and from an ESX hypervisor

    Note: This is outside the control of Cisco UCS Manager.


  • Fabric interconnect reboot

  • Cisco UCS Manager upgrade or downgrade

Cisco UCS Manager strictly enforces the VLAN port limit on service profile operations. If Cisco UCS Manager detects that the VLAN port limit is exceeded, the service profile configuration fails during deployment.

Exceeding the VLAN port count in a border domain is less disruptive. When the VLAN port count is exceeded in a border domain, Cisco UCS Manager changes the allocation status to Exceeded. To change the status back to Available, complete one of the following actions:

  • Unconfigure one or more border ports

  • Remove VLANs from the LAN cloud

  • Unconfigure one or more vNICs or vHBAs

Configuring Named VLANs

Creating a Named VLAN Accessible to Both Fabric Interconnects (Uplink Ethernet Mode)

Important:

You cannot create VLANs with IDs from 3968 to 4047 and 4092 to 4096. These ranges of VLAN IDs are reserved.

The VLAN IDs you specify must also be supported on the switch that you are using. For example, on Cisco Nexus 5000 Series switches, the VLAN ID range from 3968 to 4029 is reserved. Before you specify the VLAN IDs in Cisco UCS Manager, make sure that the same VLAN IDs are available on your switch.

VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

Procedure

    Step 1  Command or Action: UCS-A# scope eth-uplink
            Purpose: Enters Ethernet uplink mode.

    Step 2  Command or Action: UCS-A /eth-uplink # create vlan vlan-name vlan-id
            Purpose: Creates a named VLAN, specifies the VLAN name and VLAN ID, and enters Ethernet uplink VLAN mode. The VLAN name is case sensitive.

    Step 3  Command or Action: UCS-A /eth-uplink/vlan # set sharing {isolated | none | primary}
            Purpose: Sets the sharing for the specified VLAN. This can be one of the following:
              • isolated: This is a secondary VLAN associated with a primary VLAN.
              • none: This VLAN does not have any secondary VLANs.
              • primary: This VLAN can have one or more secondary VLANs.

    Step 4  Command or Action: UCS-A /eth-uplink/vlan # commit-buffer
            Purpose: Commits the transaction to the system configuration.

    The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, sets the sharing to none, and commits the transaction:

    UCS-A# scope eth-uplink
    UCS-A /eth-uplink # create vlan accounting 2112
    UCS-A /eth-uplink/vlan* # set sharing none
    UCS-A /eth-uplink/vlan* # commit-buffer
    UCS-A /eth-uplink/vlan # 
    

    Creating a Named VLAN Accessible to Both Fabric Interconnects (Ethernet Storage Mode)

    Important:

    You cannot create VLANs with IDs from 3968 to 4047 and 4092 to 4096. These ranges of VLAN IDs are reserved.

    The VLAN IDs you specify must also be supported on the switch that you are using. For example, on Cisco Nexus 5000 Series switches, the VLAN ID range from 3968 to 4029 is reserved. Before you specify the VLAN IDs in Cisco UCS Manager, make sure that the same VLAN IDs are available on your switch.

    VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

    Procedure

      Step 1  Command or Action: UCS-A# scope eth-storage
              Purpose: Enters Ethernet storage mode.

      Step 2  Command or Action: UCS-A /eth-storage # create vlan vlan-name vlan-id
              Purpose: Creates a named VLAN, specifies the VLAN name and VLAN ID, and enters Ethernet storage VLAN mode. The VLAN name is case sensitive.

      Step 3  Command or Action: UCS-A /eth-storage/vlan # create member-port {a | b} slot-id port-id
              Purpose: Creates a member port for the specified VLAN on the specified fabric.

      Step 4  Command or Action: UCS-A /eth-storage/vlan/member-port # commit-buffer
              Purpose: Commits the transaction to the system configuration.

      The following example creates a named VLAN for both fabric interconnects, names the VLAN accounting, assigns the VLAN ID 2112, creates a member port on slot 2, port 20, and commits the transaction:

      UCS-A# scope eth-storage
      UCS-A /eth-storage # create vlan accounting 2112
      UCS-A /eth-storage/vlan* # create member-port a 2 20
      UCS-A /eth-storage/vlan/member-port* # commit-buffer
      UCS-A /eth-storage/vlan/member-port # 
      

      Creating a Named VLAN Accessible to One Fabric Interconnect (Uplink Ethernet Mode)

      Important:

      You cannot create VLANs with IDs from 3968 to 4047 and 4092 to 4096. These ranges of VLAN IDs are reserved.

      The VLAN IDs you specify must also be supported on the switch that you are using. For example, on Cisco Nexus 5000 Series switches, the VLAN ID range from 3968 to 4029 is reserved. Before you specify the VLAN IDs in Cisco UCS Manager, make sure that the same VLAN IDs are available on your switch.

      VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

      Procedure

        Step 1  Command or Action: UCS-A# scope eth-uplink
                Purpose: Enters Ethernet uplink mode.

        Step 2  Command or Action: UCS-A /eth-uplink # scope fabric {a | b}
                Purpose: Enters Ethernet uplink fabric interconnect mode for the specified fabric interconnect (A or B).

        Step 3  Command or Action: UCS-A /eth-uplink/fabric # create vlan vlan-name vlan-id
                Purpose: Creates a named VLAN, specifies the VLAN name and VLAN ID, and enters Ethernet uplink fabric interconnect VLAN mode. The VLAN name is case sensitive.

        Step 4  Command or Action: UCS-A /eth-uplink/fabric/vlan # set sharing {isolated | none | primary}
                Purpose: Sets the sharing for the specified VLAN. This can be one of the following:
                  • isolated: This is a secondary VLAN associated with a primary VLAN.
                  • none: This VLAN does not have any secondary VLANs.
                  • primary: This VLAN can have one or more secondary VLANs.

        Step 5  Command or Action: UCS-A /eth-uplink/fabric/vlan # commit-buffer
                Purpose: Commits the transaction to the system configuration.

        The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, sets the sharing to none, and commits the transaction:

        UCS-A# scope eth-uplink
        UCS-A /eth-uplink # scope fabric a
        UCS-A /eth-uplink/fabric # create vlan finance 3955
        UCS-A /eth-uplink/fabric/vlan* # set sharing none
        UCS-A /eth-uplink/fabric/vlan* # commit-buffer
        UCS-A /eth-uplink/fabric/vlan # 
        

        Creating a Named VLAN Accessible to One Fabric Interconnect (Ethernet Storage Mode)

        Important:

        You cannot create VLANs with IDs from 3968 to 4047 and 4092 to 4096. These ranges of VLAN IDs are reserved.

        The VLAN IDs you specify must also be supported on the switch that you are using. For example, on Cisco Nexus 5000 Series switches, the VLAN ID range from 3968 to 4029 is reserved. Before you specify the VLAN IDs in Cisco UCS Manager, make sure that the same VLAN IDs are available on your switch.

        VLANs in the LAN cloud and FCoE VLANs in the SAN cloud must have different IDs. Using the same ID for a VLAN and an FCoE VLAN in a VSAN results in a critical fault and traffic disruption for all vNICs and uplink ports using that VLAN. Ethernet traffic is dropped on any VLAN which has an ID that overlaps with an FCoE VLAN ID.

        Procedure

          Step 1  Command or Action: UCS-A# scope eth-storage
                  Purpose: Enters Ethernet storage mode.

          Step 2  Command or Action: UCS-A /eth-storage # scope fabric {a | b}
                  Purpose: Enters Ethernet storage fabric interconnect mode for the specified fabric interconnect.

          Step 3  Command or Action: UCS-A /eth-storage/fabric # create vlan vlan-name vlan-id
                  Purpose: Creates a named VLAN, specifies the VLAN name and VLAN ID, and enters Ethernet storage fabric interconnect VLAN mode. The VLAN name is case sensitive.

          Step 4  Command or Action: UCS-A /eth-storage/fabric/vlan # create member-port {a | b} slot-id port-id
                  Purpose: Creates a member port for the specified VLAN on the specified fabric.

          Step 5  Command or Action: UCS-A /eth-storage/fabric/vlan/member-port # commit-buffer
                  Purpose: Commits the transaction to the system configuration.

          The following example creates a named VLAN for fabric interconnect A, names the VLAN finance, assigns the VLAN ID 3955, creates a member port on slot 2, port 20, and commits the transaction:

          UCS-A# scope eth-storage
          UCS-A /eth-storage # scope fabric a
          UCS-A /eth-storage/fabric # create vlan finance 3955
          UCS-A /eth-storage/fabric/vlan* # create member-port a 2 20
          UCS-A /eth-storage/fabric/vlan/member-port* # commit-buffer
          UCS-A /eth-storage/fabric/vlan/member-port # 
          

          Deleting a Named VLAN

          If Cisco UCS Manager includes a named VLAN with the same VLAN ID as the one you delete, the VLAN is not removed from the fabric interconnect configuration until all named VLANs with that ID are deleted.

          Before You Begin

          Before you delete a VLAN from a fabric interconnect, ensure that the VLAN was removed from all vNICs and vNIC templates.


          Note


          If you delete a VLAN that is assigned to a vNIC or vNIC template, the vNIC might allow that VLAN to flap.


          Procedure

            Step 1  Command or Action: UCS-A# scope eth-uplink
                    Purpose: Enters Ethernet uplink mode.

            Step 2  Command or Action: UCS-A /eth-uplink # scope fabric {a | b}  (Optional)
                    Purpose: Enters Ethernet uplink fabric mode. Use this command when you want to delete a named VLAN only from the specified fabric (a or b).

            Step 3  Command or Action: UCS-A /eth-uplink # delete vlan vlan-name
                    Purpose: Deletes the specified named VLAN.

            Step 4  Command or Action: UCS-A /eth-uplink # commit-buffer
                    Purpose: Commits the transaction to the system configuration.

            The following example deletes a named VLAN accessible to both fabric interconnects and commits the transaction:

            UCS-A# scope eth-uplink
            UCS-A /eth-uplink # delete vlan accounting
            UCS-A /eth-uplink* # commit-buffer
            UCS-A /eth-uplink #
            
            

            The following example deletes a named VLAN accessible to one fabric interconnect and commits the transaction:

            UCS-A# scope eth-uplink
            UCS-A /eth-uplink # scope fabric a
            UCS-A /eth-uplink/fabric # delete vlan finance
            UCS-A /eth-uplink/fabric* # commit-buffer
            UCS-A /eth-uplink/fabric # 
            

            Community VLANs

            Cisco UCS Manager supports Community VLANs in UCS Fabric Interconnects. Community ports communicate with each other and with promiscuous ports. Community ports have Layer 2 isolation from all other ports in other communities. A promiscuous port can communicate with all interfaces.

            Creating a Community VLAN

            Procedure

              Step 1  Command or Action: UCS-A# scope eth-uplink
                      Purpose: Enters Ethernet uplink mode.

              Step 2  Command or Action: UCS-A /eth-uplink # create vlan ID
                      Purpose: Creates a VLAN with the specified VLAN ID.

              Step 3  Command or Action: UCS-A /eth-uplink/vlan # set sharing Type
                      Purpose: Specifies the VLAN type.

              Step 4  Command or Action: UCS-A /eth-uplink/vlan # set pubnwname Name
                      Purpose: Specifies the primary VLAN association.

              Step 5  Command or Action: UCS-A /eth-uplink/vlan # commit-buffer
                      Purpose: Commits the transaction to the system configuration.

              The following example shows how to create a Community VLAN:

              UCS-A# scope eth-uplink
              UCS-A /eth-uplink # create vlan vlan203 203
              UCS-A /eth-uplink/vlan* # set sharing community
              UCS-A /eth-uplink/vlan* # set pubnwname vlan200
              UCS-A /eth-uplink/vlan* # commit-buffer
              UCS-A /eth-uplink/vlan # exit
              UCS-A /eth-uplink # 

              Allowing Community VLANs on vNICs

              Procedure

                Step 1  Command or Action: UCS-A# scope org org-name
                        Purpose: Enters the organization mode for the specified organization. To enter the root organization mode, enter / as the org-name.

                Step 2  Command or Action: UCS-A /org # scope service-profile profile-name
                        Purpose: Enters command mode for the specified service profile.

                Step 3  Command or Action: UCS-A /org/service-profile # scope vnic vnic-name
                        Purpose: Enters command mode for the specified vNIC.

                Step 4  Command or Action: UCS-A /org/service-profile/vnic # create eth-if community-vlan-name
                        Purpose: Allows the community VLAN to access the specified vNIC.

                Step 5  Command or Action: UCS-A /org/service-profile/vnic # commit-buffer
                        Purpose: Commits the transaction to the system configuration.

                The following example assigns the community VLAN cVLAN101 to the vNIC vnic_1 and commits the transaction:

                UCS-A# scope org /
                UCS-A /org # scope service-profile GSP1
                UCS-A /org/service-profile # scope vnic vnic_1
                UCS-A /org/service-profile/vnic # create eth-if cVLAN101
                UCS-A /org/service-profile/vnic* # commit-buffer
                

                Deleting a Community VLAN

                If Cisco UCS Manager includes a named VLAN with the same VLAN ID as the one you delete, the VLAN is not removed from the fabric interconnect configuration until all named VLANs with that ID are deleted.

                Before You Begin

                Before you delete a VLAN from a fabric interconnect, ensure that the VLAN was removed from all vNICs and vNIC templates.


                Note


                If you delete a VLAN that is assigned to a vNIC or vNIC template, the vNIC might allow that VLAN to flap.


                Procedure

                  Step 1  Command or Action: UCS-A# scope eth-uplink
                          Purpose: Enters Ethernet uplink mode.

                  Step 2  Command or Action: UCS-A /eth-uplink # scope fabric {a | b}  (Optional)
                          Purpose: Enters Ethernet uplink fabric mode. Use this command when you want to delete a named VLAN only from the specified fabric (a or b).

                  Step 3  Command or Action: UCS-A /eth-uplink # delete community vlan vlan-name
                          Purpose: Deletes the specified community VLAN.

                  Step 4  Command or Action: UCS-A /eth-uplink # commit-buffer
                          Purpose: Commits the transaction to the system configuration.

                  The following example deletes a Community VLAN and commits the transaction:

                  UCS-A# scope eth-uplink
                  UCS-A /eth-uplink # delete community vlan vlan203
                  UCS-A /eth-uplink* # commit-buffer
                  UCS-A /eth-uplink #
                  
                  

                  Viewing the VLAN Port Count

                  Procedure

                    Step 1  Command or Action: UCS-A# scope fabric-interconnect {a | b}
                            Purpose: Enters fabric interconnect mode for the specified fabric interconnect.

                    Step 2  Command or Action: UCS-A /fabric-interconnect # show vlan-port-count
                            Purpose: Displays the VLAN port count.

                    The following example displays the VLAN port count for fabric interconnect A:

                    UCS-A# scope fabric-interconnect a
                    UCS-A /fabric-interconnect # show vlan-port-count
                    
                    VLAN-Port Count:
                    VLAN-Port Limit     Access VLAN-Port Count     Border VLAN-Port Count     Alloc Status
                    ----------          ---------------            ----------------           ----------
                    6000                           3                         0                      Available
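
Because the allocation status changes to Exceeded in a border domain and a service profile deployment fails at the limit, this output is worth checking before a large change. The following added example (not Cisco code; the function names and the 80% warning threshold are assumptions) parses the output shown above and estimates whether a planned change still fits.

```python
import re

# Output of `show vlan-port-count` as shown on this page.
SAMPLE_OUTPUT = """\
UCS-A /fabric-interconnect # show vlan-port-count

VLAN-Port Count:
VLAN-Port Limit     Access VLAN-Port Count     Border VLAN-Port Count     Alloc Status
----------          ---------------            ----------------           ----------
6000                           3                         0                      Available
"""

# Data row: three integers followed by the allocation status word.
ROW = re.compile(r"^\s*(\d+)\s+(\d+)\s+(\d+)\s+([A-Za-z]+)\s*$")


def parse_vlan_port_count(text):
    """Extract limit, access count, border count and status from CLI output."""
    for line in text.splitlines():
        match = ROW.match(line)
        if match:
            limit, access, border = (int(match.group(i)) for i in (1, 2, 3))
            return {"limit": limit, "access": access, "border": border,
                    "status": match.group(4)}
    raise ValueError("no VLAN-Port Count data row found")


def assess(count, warn_ratio=0.8):
    """Classify one fabric interconnect as 'exceeded', 'warn' or 'ok'.

    Assumption: the limit applies to the cumulative access + border count.
    """
    used = count["access"] + count["border"]
    if count["status"] == "Exceeded" or used > count["limit"]:
        return "exceeded"
    if used >= warn_ratio * count["limit"]:
        return "warn"
    return "ok"


def fits(count, ports, vlans_per_port):
    """Would adding `ports` vNICs or uplinks, each carrying `vlans_per_port`
    VLANs, stay within the limit? One VLAN on one port is one instance."""
    used = count["access"] + count["border"]
    return used + ports * vlans_per_port <= count["limit"]


if __name__ == "__main__":
    current = parse_vlan_port_count(SAMPLE_OUTPUT)
    print(current, assess(current), fits(current, ports=100, vlans_per_port=50))
```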

                    VLAN Port Count Optimization

                    VLAN port count optimization enables mapping the state of multiple VLANs into a single internal state. When you enable the VLAN port count optimization, Cisco UCS Manager logically groups VLANs based on the port VLAN membership. This grouping increases the port VLAN count limit. VLAN port count optimization also compresses the VLAN state and reduces the CPU load on the fabric interconnect. This reduction in the CPU load enables you to deploy more VLANs over more vNICs. Optimizing VLAN port count does not change any of the existing VLAN configuration on the vNICs.

                    VLAN port count optimization is disabled by default. You can enable or disable the option based on your requirements.

                    Important:
                    • Enabling VLAN port count optimization increases the number of available VLAN ports for use. If the port VLAN count exceeds the maximum number of VLANs in a non-optimized state, you cannot disable the VLAN port count optimization.

                    • VLAN port count optimization is not supported on Cisco UCS 6100 Series fabric interconnects.

                    Enabling Port VLAN Count Optimization

                    Procedure

                      Step 1  Command or Action: UCS-A# scope eth-uplink
                              Purpose: Enters Ethernet uplink mode.

                      Step 2  Command or Action: UCS-A /eth-uplink # set vlan-port-count-optimization enable
                              Purpose: Enables port VLAN count optimization.

                      Step 3  Command or Action: UCS-A /eth-uplink* # commit-buffer
                              Purpose: Commits the transaction to the system configuration.

                      The following example shows how to enable VLAN port count optimization:

                      UCS-A# scope eth-uplink
                      UCS-A /eth-uplink # set vlan-port-count-optimization enable
                      UCS-A /eth-uplink* # commit-buffer
                      UCS-A /eth-uplink # 

                      Disabling Port VLAN Count Optimization

                      If the port VLAN count exceeds the number that is allowed in the non-optimized state, you cannot disable the optimization.

                      Procedure

                        Step 1  Command or Action: UCS-A# scope eth-uplink
                                Purpose: Enters Ethernet uplink mode.

                        Step 2  Command or Action: UCS-A /eth-uplink # set vlan-port-count-optimization disable
                                Purpose: Disables the port VLAN count optimization.

                        Step 3  Command or Action: UCS-A /eth-uplink # commit-buffer
                                Purpose: Commits the transaction to the system configuration.

                        The following example shows how to disable VLAN port count optimization:

                        UCS-A# scope eth-uplink
                        UCS-A /eth-uplink # set vlan-port-count-optimization disable
                        UCS-A /eth-uplink* # commit-buffer
                        UCS-A /eth-uplink # 

                        Viewing the Port VLAN Count Optimization Groups

                        Procedure

                          Step 1  Command or Action: UCS-A# scope eth-uplink
                                  Purpose: Enters Ethernet uplink mode.

                          Step 2  Command or Action: UCS-A /eth-uplink # show vlan-port-count-optimization group
                                  Purpose: Displays the port VLAN count optimization groups.

                          The following example shows the port VLAN count optimization groups in fabrics A and B:

                          UCS-A# scope eth-uplink
                          UCS-A /eth-uplink # show vlan-port-count-optimization group
                          VLAN Port Count Optimization Group:
                              Fabric ID  Group ID   VLAN ID
                              --------   -------    -------
                              A          5          6
                              A          5          7
                              A          5          8
                              B          10         100
                              B          10         101

                          VLAN Groups

                          VLAN groups allow you to group VLANs on Ethernet uplink ports, by function or by VLANs that belong to a specific network. You can define VLAN membership and apply the membership to multiple Ethernet uplink ports on the fabric interconnect.


                          Note


                          Cisco UCS Manager supports a maximum of 200 VLAN groups. If Cisco UCS Manager determines that you have created more than 200 VLAN groups, the system disables VLAN compression.


                          You can configure inband and out-of-band (OOB) VLAN groups to use to access the Cisco Integrated Management Interface (CIMC) on blade and rack servers. Cisco UCS Manager supports OOB IPv4 and inband IPv4 and IPv6 VLAN groups for use with the uplink interfaces or uplink port channels.

                          After you assign a VLAN to a VLAN group, any changes to the VLAN group are applied to all Ethernet uplink ports that are configured with the VLAN group. The VLAN group also enables you to identify VLAN overlaps between disjoint VLANs.

                          You can configure uplink ports under a VLAN group. When you configure an uplink port for a VLAN group, that uplink port will support all the VLANs that are part of the associated VLAN groups and individual VLANs that are associated with the uplink using LAN Uplinks Manager, if any. Further, any uplink that is not selected for association with that VLAN group will stop supporting the VLANs that are part of that VLAN group.

                          You can create VLAN groups from the LAN Cloud or from the LAN Uplinks Manager.

                          Creating a VLAN Group

                          Procedure

                            Step 1  Command or Action: UCS-A# scope eth-uplink
                                    Purpose: Enters Ethernet uplink mode. The VLAN group name is case sensitive.

                            Step 2  Command or Action: UCS-A /eth-uplink # create vlan-group Name
                                    Purpose: Creates a VLAN group with the specified name. This name can be between 1 and 32 alphanumeric characters. You cannot use spaces or any special characters other than - (hyphen), _ (underscore), : (colon), and . (period), and you cannot change this name after the object is saved.

                            Step 3  Command or Action: UCS-A /eth-uplink/vlan-group # create member-vlan ID
                                    Purpose: Adds the specified VLANs to the created VLAN group.

                            Step 4  Command or Action: UCS-A /eth-uplink/vlan-group # create member-port [member-port-channel]
                                    Purpose: Assigns the uplink Ethernet ports to the VLAN group.

                            Step 5  Command or Action: UCS-A /eth-uplink/vlan-group* # commit-buffer
                                    Purpose: Commits the transaction to the system configuration.

                            The following example shows how to create a VLAN group:

                            UCS-A# scope eth-uplink
                            UCS-A /eth-uplink # create vlan-group eng
                            UCS-A /eth-uplink/vlan-group* # create member-vlan 3
                            UCS-A /eth-uplink/vlan-group* # commit-buffer
                            UCS-A /eth-uplink/vlan-group # 

                            Creating an Inband VLAN Group

                            Configure inband VLAN groups to provide access to remote users via an inband service profile.

                            Procedure

                              Step 1  Command or Action: UCS-A# scope eth-uplink
                                      Purpose: Enters Ethernet uplink configuration mode.

                              Step 2  Command or Action: UCS-A /eth-uplink # create vlan-group inband-vlan-name
                                      Purpose: Creates a VLAN group with the specified name and enters VLAN group configuration mode.

                              Step 3  Command or Action: UCS-A /eth-uplink/vlan-group # create member-vlan inband-vlan-name inband-vlan-id
                                      Purpose: Adds the specified VLAN to the VLAN group and enters VLAN group member configuration mode.

                              Step 4  Command or Action: UCS-A /eth-uplink/vlan-group/member-vlan # exit
                                      Purpose: Exits VLAN group member configuration mode.

                              Step 5  Command or Action: UCS-A /eth-uplink/vlan-group # create member-port fabric slot-num port-num
                                      Purpose: Creates the member port for the specified fabric, assigns the slot number and port number, and enters member port configuration mode.

                              Step 6  Command or Action: UCS-A /eth-uplink/vlan-group/member-port # commit-buffer
                                      Purpose: Commits the transaction.

                              The example below creates a VLAN group named inband-vlan-group, creates a member of the group named Inband_VLAN and assigns VLAN ID 888, creates member ports for Fabric A and Fabric B, and commits the transaction:

                              UCS-A# scope eth-uplink 
                              UCS-A /eth-uplink # create vlan-group inband-vlan-group 
                              UCS-A /eth-uplink/vlan-group* # create member-vlan Inband_VLAN 888 
                              UCS-A /eth-uplink/vlan-group/member-vlan* # exit
                              UCS-A /eth-uplink/vlan-group* # create member-port a 1 23 
                              UCS-A /eth-uplink/vlan-group/member-port* # exit
                              UCS-A /eth-uplink/vlan-group* # create member-port b 1 23   
                              UCS-A /eth-uplink/vlan-group/member-port* # commit-buffer 
                              UCS-A /eth-uplink/vlan-group/member-port # exit
                              UCS-A /eth-uplink/vlan-group # exit
                              
                              
                              What to Do Next

                              Assign the inband VLAN group to an inband service profile.

                              Deleting a VLAN Group

                              Procedure

                                Step 1  Command or Action: UCS-A# scope eth-uplink
                                        Purpose: Enters Ethernet uplink mode.

                                Step 2  Command or Action: UCS-A /eth-uplink # delete vlan-group Name
                                        Purpose: Deletes the specified VLAN group.

                                Step 3  Command or Action: UCS-A /eth-uplink* # commit-buffer
                                        Purpose: Commits the transaction to the system configuration.

                                The following example shows how to delete a VLAN group:

                                UCS-A# scope eth-uplink
                                UCS-A /eth-uplink # delete vlan-group eng
                                UCS-A /eth-uplink* # commit-buffer
                                UCS-A /eth-uplink # 

                                Viewing VLAN Groups

                                Procedure
                                   Command or Action / Purpose

                                  Step 1  UCS-A# scope org

                                  Enters the Cisco UCS Manager organization.

                                  Step 2  UCS-A /org # show vlan-group

                                  Displays the available groups in the organization.

                                   

                                  The following example shows the available VLAN groups in the root org:

                                  UCS-A# scope org
                                  UCS-A /org # show vlan-group
                                  VLAN Group:
                                      Name
                                      ----
                                      eng
                                      hr
                                      finance
                                      

                                  VLAN Permissions

                                  VLAN permissions restrict access to VLANs based on specified organizations and on the service profile organizations to which the VLANs belong. VLAN permissions also restrict the set of VLANs that you can assign to service profile vNICs. VLAN permissions is an optional feature and is disabled by default. You can enable or disable the feature based on your requirements. If you disable the feature, all of the VLANs are globally accessible to all organizations.


                                  Note


                                  If you enable the org permission in LAN > LAN Cloud > Global Policies > Org Permissions, when you create a VLAN, the Permitted Orgs for VLAN(s) option displays in the Create VLANs dialog box. If you do not enable the Org Permissions, the Permitted Orgs for VLAN(s) option does not display.


                                  Enabling the org permission allows you to specify the organizations for the VLAN. When you specify the organizations, the VLAN becomes available to each specified organization and to all of the sub organizations below it in the structure. Users from other organizations cannot access this VLAN. You can also modify the VLAN permission at any time based on changes to your VLAN access requirements.


                                  Caution


                                  When you assign the VLAN org permission to an organization at the root level, all sub organizations can access the VLANs. If, after assigning the org permission at the root level, you change the permission for a VLAN that belongs to a sub organization, that VLAN becomes unavailable to the root level organization.
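
The scoping rule described above (a VLAN is usable by each permitted organization and its sub organizations, and by no other organization) can be checked offline against an inventory of vNIC assignments. The following Python is an added example, not Cisco UCS Manager code; the org path notation (org-root/org-dev), the function names, and the sample inventory are assumptions constructed for illustration.

```python
# Added example: models the VLAN org-permission rule for an offline audit.
# Org paths ("org-root/org-dev"), names and sample data are constructed assumptions.

def org_in_scope(profile_org, permitted_org):
    """True if profile_org is permitted_org or one of its sub organizations."""
    profile = profile_org.strip("/").split("/")
    permitted = permitted_org.strip("/").split("/")
    # Compare whole path components so "org-dev2" is not treated as under "org-dev".
    return profile[:len(permitted)] == permitted


def audit_vnics(vnics, vlan_permits, org_permissions_enabled=True):
    """Return (profile, org, vlan, reason) for vNIC VLANs that need attention."""
    if not org_permissions_enabled:
        # Feature disabled: all VLANs are globally accessible, nothing to enforce.
        return []
    findings = []
    for profile, org, vlan in vnics:
        permitted_orgs = vlan_permits.get(vlan)
        if not permitted_orgs:
            # No permit recorded for this VLAN: flag for manual review.
            findings.append((profile, org, vlan, "no-permit-recorded"))
        elif not any(org_in_scope(org, p) for p in permitted_orgs):
            findings.append((profile, org, vlan, "not-permitted"))
    return findings


# Constructed inventory: VLAN name -> organizations it is permitted to.
VLAN_PERMITS = {
    "Inband_VLAN": ["org-root/org-dev"],
    "eng": ["org-root"],
}

# Constructed vNIC assignments: (service profile, profile org, VLAN name).
VNICS = [
    ("sp-web", "org-root/org-dev/org-web", "Inband_VLAN"),  # sub org of dev
    ("sp-hr", "org-root/org-hr", "Inband_VLAN"),            # other org
    ("sp-root", "org-root", "Inband_VLAN"),                 # above dev
    ("sp-hr", "org-root/org-hr", "eng"),                    # root permit
    ("sp-fin", "org-root/org-finance", "finance"),          # no permit
]

if __name__ == "__main__":
    for finding in audit_vnics(VNICS, VLAN_PERMITS):
        print(finding)
```

A VLAN with no recorded permit is reported for manual review rather than as a violation, because the text above does not state how such a VLAN is treated.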


                                  Creating VLAN Permissions

                                  Procedure
                                     Command or Action / Purpose

                                    Step 1  UCS-A# scope org

                                    Enters the Cisco UCS Manager VLAN organization.

                                    Step 2  UCS-A /org # create vlan-permit VLAN permission name

                                    Creates the specified VLAN permission and assigns VLAN access permission to the organization.

                                    Step 3  UCS-A /org* # commit-buffer

                                    Commits the transaction to the system configuration.

                                     

                                    The following example shows how to create a VLAN permission for an organization:

                                    UCS-A# scope org
                                    UCS-A /org # create vlan-permit dev
                                    UCS-A /org* # commit-buffer
                                    UCS-A /org # 

                                    Deleting a VLAN Permission

                                    Procedure
                                       Command or Action / Purpose

                                      Step 1  UCS-A# scope org

                                      Enters the Cisco UCS Manager VLAN organization.

                                      Step 2  UCS-A /org # delete vlan-permit VLAN permission name

                                      Deletes the access permission to the VLAN.

                                      Step 3  UCS-A /org* # commit-buffer

                                      Commits the transaction to the system configuration.

                                       

                                      The following example shows how to delete a VLAN permission from an organization:

                                      UCS-A# scope org
                                      UCS-A /org # delete vlan-permit dev
                                      UCS-A /org* # commit-buffer
                                      UCS-A /org # 

                                      Viewing VLAN Permissions

                                      Procedure
                                         Command or Action / Purpose

                                        Step 1  UCS-A# scope org

                                        Enters the Cisco UCS Manager organization.

                                        Step 2  UCS-A /org # show vlan-permit

                                        Displays the available permissions in the organization.

                                         

                                        The following example shows the VLAN groups that have permission to access this VLAN:

                                        UCS-A# scope org
                                        UCS-A /org # show vlan-permit
                                        VLAN Group:
                                            Name
                                            ----
                                            eng
                                            hr
                                            finance