I know the current roadmap for C Series UCSM integration is to use a FEX for the management plane and the UCS FI ports for the data plane, but I would like to make a plea for another option which I am guessing/hoping others would be interested in and would not require much effort from Cisco.
Due to a number of design and security issues within our organization we cannot easily add our DMZ VLANs into our UCS systems, so we made the decision to use C200 servers on the DMZ, which are no fun to manage compared to the blades in UCS. We looked into the C Series integration option, but were disappointed to learn we would need to either use ports on our existing UCS FIs, which was not possible, or buy new FIs. This is a really expensive solution when we really only need the management features of UCS and not the networking. Our DMZ networking is new and works just fine, so we cannot justify the expense of the UCS-only approach to the data plane.
I am asking Cisco to allow the C Series servers to use the management features of UCSM, but then use non UCS network ports for the data plane. This solution would be the best of both worlds.
I did some experimenting with a UCS FI and a 2248 FEX and found it is almost exactly what I want from UCS. I can see all the details of the C Series server, but discovery fails because the C200 did not have a CNA and none of the power control or firmware update functionality works.
Would it be at all possible for Cisco to allow discovery to complete without a CNA? Is the UCS data plane required for any other management features other than networking?
I am hoping others feel the same and can add to this post to hopefully get this option added to the C Series roadmap going forward.
Thanks for the comments and feedback. I'll try to address a couple of your points.
To your first point about roadmap - The current design for C-Series integration, as you said, requires a 2248 FEX for management and FI ports for the data plane. In the next upcoming release we advance to the next phase towards single-wire integration by allowing connectivity of both your 1G management and 10G data via a 2232 FEX. This FEX in turn uplinks into the Fabric Interconnects. This will provide much better scaling than the existing integration requirements. In the next release following that we will have single-wire management and data. Single-wire management required a phased approach due to the complexities required to achieve this for rack servers. Blades have a much different architecture in this respect.
UCS is a complete management and provisioning suite. It handles the networking and storage policies and management access. This can't be separated in the way you'd like. We have dealt with many organizations with the same requirements as yours, and most organizations almost always require that DMZ resources be completely segmented from production systems - which includes management. This leaves you with three options:
- Maintaining a separate UCS in the DMZ
- Maintain standalone rack servers in the DMZ
- Using C-Series integrated to your existing UCS with disjoint L2 uplinks. (Available in UCS 2.0 and later)
The last option may or may not be feasible for you. The FIs would have dedicated uplinks feeding into your DMZ infrastructure. You would be relying on VLANs for traffic separation, as all switching for both DMZ and non-DMZ traffic would occur within your FIs. This way you could still keep the management unified, but you would be required to uplink your FIs to your DMZ, rather than directly to the rack servers.
The whole value of UCS being your provisioning system is that it handles all the network and storage configurations (MAC/WWN resources, boot policies, QoS, CoS etc) so you don't have to modify any upstream devices other than the FI uplinks. I guess I would be curious to know, that if your DMZ rack server's data plane connected directly to your DMZ, and management connected to UCS - what would you expect UCS to be able to do in that regard? Just access power functions & FW management?
If UCS can't manage all connectivity it would be a configuration nightmare and require "touching" multiple devices for LAN/SAN connectivity and policies. UCS's design is based on a wire-once architecture. The FIs act as your connectivity point to the rest of your infrastructure, installed on day 1. Then scaling and expansion are simple by attaching more blade/rack servers southbound to the FIs.
Sounds like you're looking for more of a multi-CIMC manager than Unified Computing "System".
I'm not saying it's impossible, just that it's not how UCS was designed. You're welcome to raise your business case with your local account manager who can present this to our Product Management team. This is the first request like this I've heard personally, but if there are others they may take it under advisement.
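The third option above (C-Series integrated into the existing UCS with disjoint L2 uplinks) relies on VLAN-to-uplink assignment to keep DMZ and production traffic on separate FI uplinks while management stays unified. As an added example, not code from the thread or from Cisco, here is a small check that a planned mapping actually keeps the two zones on disjoint uplink ports and gives every VLAN an uplink on both fabrics. The plan dictionary, zone names and port names are constructed sample data; in practice they would be filled from the UCSM configuration.

```python
"""Validate a planned UCS disjoint-L2 uplink mapping for DMZ/production separation.

Added example, not part of the original thread. SAMPLE_PLAN is constructed
data: VLAN IDs, zone labels and uplink port names are made up, using the
"fabric/slot/port" naming style of UCSM uplinks.
"""
from collections import defaultdict

# Constructed sample plan: for each named VLAN, its security zone and the set
# of FI uplink ports it is allowed to use.
SAMPLE_PLAN = {
    "dmz_web":   {"zone": "dmz",  "vlan": 201, "uplinks": {"A/1/31", "B/1/31"}},
    "dmz_app":   {"zone": "dmz",  "vlan": 202, "uplinks": {"A/1/31", "B/1/31"}},
    "prod_db":   {"zone": "prod", "vlan": 100, "uplinks": {"A/1/1", "A/1/2", "B/1/1", "B/1/2"}},
    "prod_mgmt": {"zone": "prod", "vlan": 101, "uplinks": {"A/1/1", "B/1/1"}},
}

FABRICS = {"A", "B"}


def fabric_of(port):
    """Return the fabric letter ("A" or "B") from a "fabric/slot/port" name."""
    return port.split("/")[0]


def validate_plan(plan):
    """Return a list of human-readable findings; an empty list means the plan passes.

    Checks performed:
      1. every VLAN has an explicit uplink assignment (an unassigned VLAN is
         the case where traffic would not be confined to the intended ports);
      2. every VLAN has at least one uplink on each fabric, so losing one FI
         does not isolate the VLAN;
      3. no uplink port carries VLANs from more than one security zone;
      4. no VLAN ID is reused across zones.
    """
    findings = []
    zone_ports = defaultdict(set)
    vlan_zone = {}

    for name, entry in plan.items():
        uplinks = entry["uplinks"]
        if not uplinks:
            findings.append(f"{name} (vlan {entry['vlan']}): no uplink assignment")
            continue
        missing = FABRICS - {fabric_of(p) for p in uplinks}
        if missing:
            findings.append(
                f"{name} (vlan {entry['vlan']}): no uplink on fabric "
                + ", ".join(sorted(missing))
            )
        zone_ports[entry["zone"]] |= set(uplinks)

        prior = vlan_zone.setdefault(entry["vlan"], entry["zone"])
        if prior != entry["zone"]:
            findings.append(
                f"vlan {entry['vlan']} is used in both {prior} and {entry['zone']}"
            )

    zones = sorted(zone_ports)
    for i, z1 in enumerate(zones):
        for z2 in zones[i + 1:]:
            shared = zone_ports[z1] & zone_ports[z2]
            if shared:
                findings.append(
                    f"zones {z1} and {z2} share uplink ports {sorted(shared)}"
                )
    return findings


if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN) or ["plan passes: zones use disjoint uplinks"]:
        print(finding)
```

The check is deliberately conservative: it treats any shared port as a finding even if the VLANs on it differ, because the corporate rule in this thread is that DMZ and LAN VLANs must not share FI uplinks at all, not merely that they be tagged differently.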
Thanks for responding. I understand how UCS works and the value of comprehensive management of hardware and networking in a single interface. But, with all the advantages of UCS blade management, those concepts break down when you start to talk about C Series integration. Having to buy a pair of FIs to manage the servers in our DMZ completely blows the ROI on using UCS in this manner. It is simply too expensive.
I would be more than pleased with just being able to attach our DMZ servers to our mission critical UCS system and only being able to manage those servers with only UCS power, firmware and fault management. Being able to see our entire production stack in one view would be invaluable. We would not have a security issue with the server management being shared across the DMZ.
I know being able to use UCS's wire-once architecture is the superior option, but it is not an option I can justify given the expense.
Sometimes adding some flexibility to an existing design can be helpful to your customers if it does not break down your existing concept too much.
BTW - I am borrowing a C Series CNA and I am interested to see if adding the CNA will allow the C Series to pass discovery and if I can use the C Series without actually attaching the server to the FI. This will tell me how much the data plane networking is actually needed.
Thanks for your response,
I can save you the trouble. Unless both the data and management planes pass through the interconnects it will not discover. If the adaptor is not detected, discovery will fail.
Gents, I'm reading this post with utmost interest as it picks up on something one of my customers has asked me recently, and I'm pleased to say the discussion above has answered my questions, so thank you for that. However, in terms of the original post (and apologies, I realise you've probably gone through this process already, Ed), can you not use some LAN pin groups to pin your DMZ VLAN to specific uplinks, which in turn go off to your DMZ switches? I realise it's probably a bit of a hybrid approach re: security, but with the limitations Roberts has outlined, would it not be better than buying expensive new FIs?
We cannot mix LAN and DMZ VLANs in the FIs per corporate security (the technical merits of the decree are open to debate, but the rules are the rules). We would need to purchase a separate set of FIs to use a UCS blade solution for our DMZ, which is way too expensive. If we had a bigger DMZ then it would make sense, but we don't, so we are using C Series servers instead, which led to my first post. The C Series servers work just fine, but they suffer from the same management issues as other rack servers. I am spoiled by the ease of UCS blade management :)
The C Series servers are so close to being what I need, but still just out of reach of perfection.
Thanks for the suggestion