Cisco Nexus 7000 User Accounts and RBAC

This exercise has been done on Nexus 7010 chassis with following pieces installed:-

  • Dual supervisor modules, dual power supplies, dual system fans, dual fabric fans, and three fabric modules per chassis.
  • One 48-port 1 Gigabit Ethernet I/O module per chassis.
  • One 32-port 10 Gigabit Ethernet I/O module per chassis with SFP+ SR optical transceivers installed.
  • Cisco NX-OS LAN Enterprise License.
  • Cisco NX-OS LAN Advanced Services License.

First we verify the hardware discussed above.

N7K Module

The above output shows One 48-port 1 Gigabit Ethernet I/O module and One 32-port 10 Gigabit Ethernet I/O module and three fabric modules per chassis installed  in the Nexus 7010. The rest of the hardware can be easily seen by our very old IOS familiar command “Show environment” and NXOS version can be seen by “Show Version” command.

Without AAA, IOS relies on privilege levels.  Privilege levels (0-15) defines locally what level of access a user has when logged into an IOS device, i.e. what commands are permitted.

  • Privilege Level 1 — Normal level on Telnet; includes all user-level commands at the router> prompt.
  • Privilege Level 15 — Includes all enable-level commands at the router# prompt.

NX-OS uses a different concept for the same purpose, known as User Roles. User Roles contain rules that define the operations allowed for a particular user assigned to a role. There are default User Roles:

  • Network-Admin—Complete read-and-write access to the entire NX-OS device (only available in the default VDC).
  • Network-Operator—Complete read access to the entire NX-OS device (Default User Role).
  • VDC-Admin—Read-and-write access limited to a VDC (VDCs are not yet available on Nexus 5000).
  • VDC-Operator—Read access limited to a VDC (Default User Role).

VDC(s) allow the partitioning of a single physical Nexus 7000 device into multiple logical devices. This logical separation provides the following benefits:

  • Administrative and management separation
  • Change and failure domain isolation from other VDCs
  • Address, VLAN, VRF, and vPC isolation

We will discuss VDC in detail in upcoming posts.

When a NX-OS device is setup for the first time, during the first login, a Network-Admin account must be specified and subsequently be used to login. Arguably a bit more secure that IOS. Any additional users created locally after that will by default receive the User Role “Network-Operator“, unless specified implicitly.

Note:-User Roles are local to a switch and only relevant in the absence of AAA being configured.

When logging into a N5K or a N7K system VDC, the default User-Roles assigned is “network-operator”. When logging into a VDC, the default User-Roles is “vdc-operator”.

Apart from above system default roles we can create custom roles as per our requirement.Lets create a new role AFROZ and assign read and write privileges to this role.

In the below figure we have created a new role AFROZ, assigned read and read-write privileges with feature-group L3-ROUTE , feature-group L3-ROUTE has all routing protocol feature.

N7k role

Additionally we can configure our role(AFROZ) to permit or deny a feature. Here we will deny all Vlans except the range 1-100 and deny all VRF instances except for vrf INTERSWITCH and Limit access to all interfaces except the first two 1 Gigabit Ethernet and port channel interface  and verify our configuration.

N7k role deny

Now we will assure that strong passwords are supported and that any roles are distributed
between adjacent Cisco Nexus devices. We will check our password strength by attaching the role AFROZ to a new user. Create a new user named “afroz” and assign the password “afroz123” obviously without quotes. As we have already enabled password strength now NXOS tells us that the current password it weak , so now we will assign a password [email protected], and now the NXOS system excepts it.

Then we will check the status of the configured “roles” and apply the user role configuration changes in the temporary database to the running configuration and distribute the user to role configuration by “role distribute” to adjacent nexus devices.

N7k rbac



  1. Hi, just wanted to say i liked this article.

  2. v v impressive…keep it up bro…

  3. […] lab has been completed on Nexus 7010 with following hardware and software installed, it can be seen here in my previous […]

  4. Hi, i have reading out and i will definitely bookmarrk your site, just wanted to say i liked this article.

  5. I installed Nexus Titanium VM in Vmware workstation.
    I have another windows server 2008 r2 VM with Putty client.

    When i use my putty client in windows 2008 VM to connect to Nexus Titanium over serial Port i get following error:
    unable to open connection to \\.\pipe\com_1 unable to open serial port

    Can you please help.

  6. gps

    Cisco Nexus 7000 User Accounts and RBAC – Afroz Ahmad

  7. single is working fine.
    how to connect two or three device?

    • I think one should try cisco VIRL now, as cisco officially released it recently. There are lots of discussion going on in cisco learning network and other networking forums, you will get more insights from there or from cisco official VIRL site (

Leave a Reply