It’s been a while since I have posted anything on my blog. I just haven’t had the motivation to do it.
The current unified fabric project I am working on and the newly released CCIE DC has sparked a renewed interest in digging deeper into NX-OS.
As I stated above, I am working on a unified fabric project where the customer is using a pair of Nexus 5596s for both 10G server access and SAN FC switching for host HBAs and SAN connectivity.
The customer network team owns the Nexus gear and wants the SAN team to have limited access, so that they can manage only FC-related functions.
I was happy to see that the latest NX-OS release for the Nexus 5ks has a new built-in san-admin role. My plan was to use this new role, as I assumed it had all of the necessary permissions and was limited to FC management only.
In our lab I upgraded to the latest NX-OS and checked out this new san-admin role. Here is the switch output:
lab-n5k-a# show role name san-admin
Role: san-admin
Description: Predefined system role for san administrators. This role cannot be modified.
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
-------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------
27 permit read
26 permit read-write feature fcdomain
25 permit read-write feature rdl
24 permit read-write feature trunk
23 permit read-write feature fcmgmt
22 permit read-write feature fcfe
21 permit read-write feature port-track
20 permit read-write feature fcoe
19 permit read-write feature port-security
18 permit read-write feature copy
17 permit read-write feature rmon
16 permit read-write feature rscn
15 permit read-write feature fspf
14 permit read-write feature fdmi
13 permit read-write feature fcsp
12 permit read-write feature fcns
11 permit read-write feature span
10 permit read-write feature zone
9 permit read-write feature wwnm
8 permit read-write feature vsan
7 permit read-write feature vsanIfvsan
6 permit read-write feature fabric-binding
5 permit read-write feature interface
4 permit read-write feature trapRegEntry
3 permit read-write feature snmpTargetAddrEntry
2 permit read-write feature snmpTargetParamsEntry
1 permit read-write feature snmp
At first glance I figured this role was just what I needed. I created a new sanadmin user and assigned it the san-admin role. I then logged in as sanadmin to test and quickly realized that this role had more access than I wanted it to have. First off, I was able to modify all interfaces, Ethernet and FC, and I was able to create/delete VLANs. I also discovered that I wasn't able to manage device-aliases. Cisco clearly has some work to do on this built-in system role.
Well, now I had to create my own custom role. It took me a little while to get it just right and to figure out how to add device-alias management. I was surprised that device-alias commands weren't included in any of the role features. If you want to see what commands are allowed in each role feature, run "show role feature detail"; I won't include the output here as it is quite a bit of text.
Here is the role I ended up with that has everything I want.
lab-n5k-a# show role name sanadmin
Role: sanadmin
Description: SAN Admin role
vsan policy: permit (default)
Vlan policy: deny
Permitted vlans: none
Interface policy: deny
Permitted interfaces:
fc1/33-48,fc3/1-16
Vrf policy: deny
Permitted vrfs:
-------------------------------------------------
Rule Perm Type Scope Entity
-------------------------------------------------
19 permit command debug device-alias *
18 permit command clear device-alias *
17 permit command config t ; device-alias *
16 permit read-write feature zone
15 permit read-write feature wwnm
14 permit read-write feature vsanIfvsan
13 permit read-write feature vsan
12 permit read feature snmp
11 permit read-write feature trunk
10 permit read-write feature rscn
9 permit read-write feature rdl
8 permit read-write feature ping
7 permit read-write feature interface
6 permit read-write feature fspf
5 permit read-write feature fdmi
4 permit read-write feature fcmgmt
3 permit read-write feature fcfe
2 permit read-write feature copy
1 permit read
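The difference between the two displays above is the whole point: the built-in san-admin role leaves the VLAN, interface and VRF policies at "permit (default)" and hands out read-write on features a SAN operator never touches, while the custom sanadmin role fences all three policies and trims the feature list. Checking that by eye across a few dozen rules is error-prone, so here is a small lint, added as an example and not code from the post or from Cisco, that parses "show role name" output and flags exactly those two things. The SAN_RW_FEATURES allowlist is an assumption taken from the custom role above (plus fcdomain), not a Cisco-published list, and the two samples are constructed, abridged copies of the displays on this page.

```python
"""Least-privilege lint for NX-OS 'show role name <role>' output (added example)."""
import re
from collections import namedtuple
from dataclasses import dataclass, field

# Read-write features a SAN-only operator needs. Assumption: the post's custom
# sanadmin role plus fcdomain, not a Cisco-published list.
SAN_RW_FEATURES = {"zone", "wwnm", "vsanIfvsan", "vsan", "trunk", "rscn", "rdl", "ping",
                   "interface", "fspf", "fdmi", "fcmgmt", "fcfe", "fcdomain", "copy"}
# rtype: read / read-write / command; scope: "feature" or ""; entity: feature name or command text
Rule = namedtuple("Rule", "num perm rtype scope entity")

@dataclass
class Role:
    name: str = ""
    policies: dict = field(default_factory=dict)   # "vlan" -> "permit (default)" / "deny"
    permitted: dict = field(default_factory=dict)  # "interface" -> "fc1/33-48,fc3/1-16"
    rules: list = field(default_factory=list)

POLICY_RE = re.compile(r"^(vsan|vlan|interface|vrf) policy:\s*(.*)$", re.I)
PERMITTED_RE = re.compile(r"^Permitted (vlan|interface|vrf)s:\s*(.*)$", re.I)
RULE_RE = re.compile(r"^(\d+)\s+(permit|deny)\s+(read-write|read|command)(?:\s+(.*))?$")
KEY_RE = re.compile(r"^(\d+\s+(permit|deny)|Rule|Role:|Vsan|Vlan|Interface|Vrf|Permitted)", re.I)

def parse_role(text):
    """Parse one 'show role name' display; the prompt, column header and dashes are skipped."""
    role = Role()
    lines = [ln.strip() for ln in text.splitlines()
             if ln.strip() and not set(ln.strip()) <= set("-")]
    i = 0
    while i < len(lines):
        ln, i = lines[i], i + 1
        if ln.startswith("Role:"):
            role.name = ln.split(":", 1)[1].strip()
        elif m := POLICY_RE.match(ln):
            role.policies[m.group(1).lower()] = m.group(2).strip()
        elif m := PERMITTED_RE.match(ln):
            value = m.group(2).strip()
            if not value and i < len(lines) and not KEY_RE.match(lines[i]):
                value, i = lines[i], i + 1   # a non-empty list is printed on the next line
            role.permitted[m.group(1).lower()] = value
        elif m := RULE_RE.match(ln):
            rest = (m.group(4) or "").strip()
            scope, entity = "", rest
            if m.group(3) != "command" and rest.startswith("feature "):
                scope, entity = "feature", rest[8:].strip()
            role.rules.append(Rule(int(m.group(1)), m.group(2), m.group(3), scope, entity))
    return role

def lint(role):
    """Return findings; an empty list means the role is fenced to SAN work."""
    findings = []
    for scope in ("vlan", "interface", "vrf"):   # vsan stays open on purpose
        policy = role.policies.get(scope, "")
        if policy.startswith("permit"):
            findings.append(f"{scope} policy is '{policy}': every {scope} is in scope")
    for r in role.rules:
        if (r.perm == "permit" and r.rtype == "read-write" and r.scope == "feature"
                and r.entity not in SAN_RW_FEATURES):
            findings.append(f"rule {r.num}: read-write on non-SAN feature '{r.entity}'")
    return findings

# Constructed samples, abridged from the two displays in the post.
SAN_ADMIN_BUILTIN = """\
lab-n5k-a# show role name san-admin
Role: san-admin
vsan policy: permit (default)
Vlan policy: permit (default)
Interface policy: permit (default)
Vrf policy: permit (default)
---------------------------------------------
Rule    Perm    Type        Scope    Entity
---------------------------------------------
27      permit  read
19      permit  read-write  feature  port-security
10      permit  read-write  feature  zone
5       permit  read-write  feature  interface
1       permit  read-write  feature  snmp
"""
SAN_ADMIN_CUSTOM = """\
lab-n5k-a# show role name sanadmin
Role: sanadmin
vsan policy: permit (default)
Vlan policy: deny
Permitted vlans: none
Interface policy: deny
Permitted interfaces:
fc1/33-48,fc3/1-16
Vrf policy: deny
Permitted vrfs:
Rule    Perm    Type        Scope    Entity
19      permit  command     config t ; device-alias *
16      permit  read-write  feature  zone
12      permit  read        feature  snmp
7       permit  read-write  feature  interface
1       permit  read
"""

if __name__ == "__main__":
    for sample in (SAN_ADMIN_BUILTIN, SAN_ADMIN_CUSTOM):
        print(parse_role(sample).name, "->", lint(parse_role(sample)) or ["no findings"])
```

Run against the built-in role it reports the three open policies plus the read-write grants on port-security and snmp; against the custom role it reports nothing. A policy of "permit (default)" only matters in combination with a read-write feature rule that acts on that scope (interface policy plus the interface feature is what let the test user touch Ethernet ports), but flagging the policy on its own is the safer default, since a later rule change can silently widen the role.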
Here are the commands to create the new role:
role name sanadmin
description SAN Admin Role
interface policy deny
permit interface fc1/33-48,fc3/1-16
vlan policy deny
vrf policy deny
rule 1 permit read
rule 2 permit read-write feature copy
rule 3 permit read-write feature fcfe
rule 4 permit read-write feature fcmgmt
rule 5 permit read-write feature fdmi
rule 6 permit read-write feature fspf
rule 7 permit read-write feature interface
rule 8 permit read-write feature ping
rule 9 permit read-write feature rdl
rule 10 permit read-write feature rscn
rule 11 permit read-write feature trunk
rule 12 permit read feature snmp
rule 13 permit read-write feature vsan
rule 14 permit read-write feature vsanIfvsan
rule 15 permit read-write feature wwnm
rule 16 permit read-write feature zone
rule 17 permit command config t ; device-alias *
rule 18 permit command clear device-alias *
rule 19 permit command debug device-alias *
Here is a link to the Nexus 5500 configuration guide I used – http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/system_management/521_n1_1/b_5k_System_Mgmt_Config_521N11_chapter_0111.html
Very cool! This is handy information to have with more and more customers adopting the Nexus line for FC and FCoE. Thanks for posting, Jeremy!