I'm wondering how others handle the CIMC in the Cisco ISE.
In the ISE downloads, there is one BIOS and CIMC software (3.0.3a). However, there are lot's of CIMC vulnerabilities, which needs to be closed. The hardware installation guide does not state that the 3.0.3a is the only supported BIOS.
In fact the guide states:
The following procedure is for upgrading the BIOS and Cisco IMC to version 3.0(3a). However, this procedure is generic and is applicable for newer firmware releases that are posted on Cisco.com.
Does this statement apply to the firmware posted in the "Identity Services Engine" download section or is it also supported to use a newer firmware in the downloads section of the corresponding UCS server model?
I know that other firmwares also work - the question is whether this is supported as well.
How you do handle the software of the CIMC?
My question also applies to other UCS based appliances like the WLC5520 etc. :)
Solved! Go to Solution.
The Cisco SNS 3500 Series Appliance Hardware Installation Guide has been updated. It now says why you should only use the CIMC software that is listed with the ISE downloads. It also mentions to check the download directory for other readme and upgrade files.
Currently, on the downloads page, under All Releases > Firmware > SNS35X5, there are downloads for the ISE-compliant CIMC and upgrade instructions.
yeah - I see it exactely the same way (except the fact that there is no CIMC in VM deployments because it is purely Cisco UCS related :) ).
However I don't get the point why there is exactely one offered version in the ISE download section. This implies that this is the only version to use in combination with ISE. Why isn't there just a download hint to the corresponding UCS model and the statement "use the software you want" ? :)
I think @Johannes Luther is referring to the software lifecycle management of the entire system (UCS server + ISE application) because when you purchase the SNS-3595 you should consider the life cycle management of CIMC as well. Yes of course an attacker on the ISE gig0 will never reach the CIMC (if the CIMC is running on dedicated Management Eth port) but the hacker may already be on the management network - and if they get to your CIMC then they can hose the entire server. Therefore it's probably sensible to keep patching the CIMC whenever possible. If you run CIMC and ISE application on the same GigE port, then who know what might happen (from a security risk point of view).
Server appliances are a pain in that respect because of this additional compute layer. Nevertheless, I think Johannes has an excellent question and when I recently commissioned 6 SNS-3595 servers I also looked at the CIMC version and didn't dare touch it. Not much guidance around this topic. It would be nice to know from Cisco how to maintain the SNS server CIMC software if a CVE is announced.
thanks for the feedback! At least someone understands me ;)
So what I do with the CIMC boards at the moment is to keep the recommended (downloadable) software, but I do a full blown configuration of the CIMC (SNMP, Syslog, LDAPs for admin auth, SSL certificates, SoL etc.).
I think this is really important in the ISE, because the ISE application and ADE-OS doesn't monitor all hardware related issues. I guess simple things like a power supply failure is recognized by ADE-OS (operating system).
But more complex situations like an HDD failure of the RAID-10 cluster are only recognized by the CIMC. Even if hardware failures of HDDs are recognized by ADE-OS, there are much more complex failure situations regarding storage, memory and CPU.....
So bottom line is, that the CIMC is a very very crucial part to fully monitor the SLA of the ISE service.
And no ... Configuring the CIMC is not fun :) It took me some time to build a good CLI template for my use case....
However, I'm still not sure about the SW version ...
Good point - however the last SNS-35XX appliances I got have "secure boot" disabled by default.
Furthermore, does the "secure boot" setting actually restrict CIMC/BIOS updates?
"The SNS 3515 and SNS 3595 appliances support the Unified Extensible Firmware Interface (UEFI) secure boot feature. This feature ensures that only a Cisco-signed ISE image can be installed on the SNS 3515 and SNS 3595 appliances, and prevents installation of any unsigned operating system even with physical access to the device. For example, generic operating systems, such as Red Hat Enterprise Linux or Microsoft Windows cannot boot on this appliance. "
Edit after I read some other topics:
>> Furthermore, does the "secure boot" setting actually restrict CIMC/BIOS updates?
==> Yes it does :)
Don't try corresponding UCS CIMC, I ruined 2 SNS3495 appliances this way. One time with host upgrade utility and one time with manual upgrade, it doesn't work. Probably there are some differences between CIMC on SNS Appliance and UCS
Just to add to this thread, I have recently deployed SNS-3515 with Cisco ISE 2.4 which comes with default CIMC firmware version 3.0 and when I'm tried to update the SNS-3515-K9 C220M4 Appliance Firmware from 3.0 to 4.0.1a (Cisco Recommended) using the HUU ISO, it won't allow me to boot with an error "Invalid signature detected. Check Secure Boot Policy in Setup".
So when I tried to disable the Secure boot option under the CIMC Utility, it shows another error "In ISE mode BIOS secure boot can not be disabled."
>> So when I tried to disable the Secure boot option under the CIMC Utility, it shows another error "In ISE mode BIOS secure boot can not be disabled."
Strange ... I have pretty new ISE SNS-35XX appliances here without enabled secure boot. So factory default was (in my case) disabled secure boot.
Did you enable it manually or were the ISE appliances delivered this way
@Kirk J outlined in another topic:
Also,once the secure boot is enabled, it cannot be disabled (by design).
Question is: How are the ISE appliances shipped by default?
@Tima_20 / @Mohamed Abd Elnaser Mohamed Mohamed Ali - your experience reminds me of myself when I was starting out my IT career in my mid 20's - at that time I probably would have gone ahead and tried to do the same as you and also failed (because I thought I was "just doing an upgrade" - what could possibly go wrong? - and besides, I am doing the customer a big favour by putting them on the latest and greatest software, right?).
I think many of us have been in that situation too - I have been there and also made those mistakes - left with sick feeling in my stomach when the customer's server is turned into a thousand dollar brick of nothing. And then the pain of the TAC case etc.
So I can say that getting older (and more grey hairs) has some benefits after all. Last week when I sat across 6 SNS-3595 and I looked at the CIMC, I was tempted to update them. I went to UCS web site and studied all their notes. But all the release notes there mentioned that 3.0.3 was latest for M4 model. So I Ieft it alone - thank goodness. And, as I said above, my grey hairs were telling me to stay away from this stuff because it's going to end badly. ISE servers were running just fine. Leave it alone!
No more trigger-happy fingers for me when it comes to Cisco products. Best to just follow orders.
First of all thank you for the very helpful replies. Let's summarize:
@Johannes Luther - where exactly in the ISE Download section does one find the CIMC code? I have looked at every ISE version and can only find .iso/.ova/patches/certs. But no CIMC.
If I have a SNS-3595 that was shipped from Cisco this year May, and in the version is 3.0.3a, then this is the latest available version, right? Am I also correct in saying this is a UCS-220 M4 ?
I thought firmware is kept here
Downloads Home / Servers - Unified Computing / UCS C-Series Rack-Mount Standalone Server Software / UCS C220 M4 Rack Server Software