This exercise has been done on Nexus 7010 chassis with the following pieces installed:-
- Dual supervisor modules, dual power supplies, dual system fans, dual fabric fans, and three fabric modules per chassis.
- One 48-port 1 Gigabit Ethernet I/O module per chassis.
- One 32-port 10 Gigabit Ethernet I/O module per chassis with SFP+ SR optical transceivers installed.
- Cisco NX-OS LAN Enterprise License.
- Cisco NX-OS LAN Advanced Services License.
First, we verify the hardware discussed above.
The above output shows One 48-port 1 Gigabit Ethernet I/O module, one 32-port 10 Gigabit Ethernet I/O module, and three fabric modules per chassis installed in the Nexus 7010. The rest of the hardware can be easily seen by our ancient IOS familiar command “Show environment,” and the “Show Version” command can see the NXOS version.
Without AAA, IOS relies on privilege levels. Privilege levels (0-15) define locally what level of access a user has when logged into an IOS device, i.e., what commands are permitted.
- Privilege Level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
- Privilege Level 15 — Includes all enable-level commands at the router# prompt.
NX-OS uses a different concept for the same purpose, known as User Roles. User Roles contain rules that define the operations allowed for a particular user assigned to a role. There are default User Roles:
- Network-Admin—Complete read-and-write access to the entire NX-OS device (only available in the default VDC).
- Network-Operator—Complete read access to the entire NX-OS device (Default User Role).
- VDC-Admin—Read-and-write access limited to a VDC (VDCs are not yet available on Nexus 5000).
- VDC-Operator—Read access limited to a VDC (Default User Role).
VDC(s) allow the partitioning of a single physical Nexus 7000 device into multiple logical devices. This logical separation provides the following benefits:
- Administrative and management separation
- Change and failure domain isolation from other VDCs
- Address, VLAN, VRF, and vPC isolation
We will discuss VDC in detail in upcoming posts.
When an NX-OS device is set up for the first time, during the first login, a Network-Admin account must be specified and subsequently be used for login. Arguably a bit more secure than IOS. Any additional users created locally after that will by default receive the User Role “Network-Operator“unless specified implicitly.
Note:-User Roles are local to a switch and only relevant in the absence of AAA being configured.
When logging into an N5K or an N7K system VDC, the default User-Roles assigned is “network-operator.” When logging into a VDC, the default User-Roles is “VDC-operator.”
Apart from the above system default roles, we can create custom roles as per our requirements. Let us create a new role AFROZ and assign read and write privileges to this role.
In the below figure, we have created a new role AFROZ, assigned read and read-write privileges with feature-group L3-ROUTE, feature-group L3-ROUTE has all routing protocol features.
Additionally, we can configure our role(AFROZ) to permit or deny a feature. Here we will deny all Vlans except the range 1-100 and deny all VRF instances except for VRF INTERSWITCH and Limit access to all interfaces except the first two 1 Gigabit Ethernet and port-channel interface and verify our configuration.
We will ensure that strong passwords are supported and that any roles are distributed
between adjacent Cisco Nexus devices. We will check our password strength by attaching the role AFROZ to a new user. Create a new user named “afroz” and assign the password “afroz123” obviously without quotes. As we have already enabled password strength now, NXOS tells us that the current password is weak, so now we will assign a password [email protected], and now the NXOS system excepts it.
Then we will check the status of the configured “roles” and apply the user role configuration changes in the temporary database to the running configuration and distribute the user to role configuration by “role distribute” to adjacent nexus devices.