Cisco NX-OS Role-Based Access Control

RBAC allows you to define the rules for an assigned user role to restrict the authorization of a user that has access to the switch management operations.

I- RBAC on Nexus 5000 & 6000 series

* User Requirements:

These are some user requirements which are needed to be fulfilled:

  • Only users with network-admin role can create roles.
  • Only users with network-admin role can view the output of show role
  • Even if users are permitted to perform all show commands, they are not allowed to view show role output, unless these users are assigned a network-admin role.
  • A user account must have at least one user role.



User Role Rules

The rule is the basic element of a role.

A rule defines what operations the role allows the user to perform.

You can apply rules for these parameters:

  • Command- A command or group of commands defined in a regular expression.
  • Feature- Commands that apply to a function provided by the NX-OS software.
  • Feature group- Default or user-defined group of features.

These parameters create a hierarchical relationship. The most basic control parameter is the command.

The next control parameter is the feature, which represents all commands associated with the feature.

The last control parameter is the feature group. The feature group combines related features and allows you to easily manage rules.

The user-specified rule number determines the order in which rules are applied.

The rules are applied in descending order. For example, rule 1 is applied before rule 2, which is applied before rule 3, and so on.

The rule command specifies operations that can be performed by a specific role. Each rule consists of a rule number, a rule type (permit or deny), a command type (for example, configuration, show, exec, debug), and an optional feature name (for example, FCOE, HSRP, VTP, interface).


* User Roles:

Each role can be assigned to multiple users and each user can be part of multiple roles.

For example, role A users are allowed to issue show commands, and role B users are allowed to make configuration changes.If a user is assigned to both role A and Role B, this user can issue a show command and make changes to the configuration.

Permit access command takes priority over deny access command.

For example, if you belong to a role that denies access to configuration commands. However, if you also belong to a role that has access to configuration commands, you then have the access to configuration commands.

There are five default user roles:

  • network-admin : Complete read-and-write access to the entire switch.
  • network-operator : Complete read access to the entire switch.
  • vdc-admin : Read-and-write access limited to a VDC
  • vdc-operator : Read access limited to a VDC
  • san-admin : Complete read-and-write access to SAN administrators.



II- RBAC on Nexus 7000 series

The Cisco NX-OS software in Nexus 7000 provides four default user roles:

  • network-admin: Complete read-and-write access to the entire Cisco NX-OS device (only available in the default VDC)
  • network-operator: Complete read access to the entire Cisco NX-OS device (only available in the default VDC)
  • vdc-admin: Read-and-write access limited to a VDC
  • vdc-operator: Read access limited to a VDC


Virtualization Support for RBAC:

The users with the network-admin and network-operator roles can operate in all virtual device contexts (VDCs) when logged in from the default VDC and use the switchto vdc command to access other VDCs. All other user roles are local to the VDC. Roles are not shared between VDCs. Each VDC maintains an independent user role database.The following guidelines and limitations apply to the switchto vdc command:

  • Only users with the network-admin or network-operator role can use the switchto vdc command. No other users are permitted to use it.
  • No user can grant permission to another role to use the switchto vdc command.
  • After a network-admin uses the switchto vdc command, this user becomes a vdc-admin for the new VDC. Similarly, after a network-operator uses the switchto vdc command, this user becomes a vdc-operator for the new VDC. Any other roles associated with the user are not valid after the switchto vdc command is entered.
  • After a network-admin or network-operator uses the switchto vdc command, this user cannot use this command to switch to another VDC. The only option is to use the switchback command to return to the original VDC.




III- RBAC on Nexus 9000 series

The Cisco NX-OS software provides the following user roles:

  • network-admin: Complete read-and-write access to the entire Cisco NX-OS device
  • network-operator or vdc-operator: Complete read access to the entire Cisco NX-OS device
    • The Cisco Nexus 9000 Series switches do not support multiple VDCs; however, the vdc-operator role is available and has the same privileges and limitations as the network-operator role.
    • The Cisco Nexus 9000 Series switches support a single VDC due to which the vdc-admin has the same privileges and limitations as the network-admin.




Default User Accounts and RBAC Parameters:

ParametersDefault
User account passwordUndefined.
User account expiry dateNone.
User account role in the default VDCNetwork-operator if the creating user has the network-admin role, or vdc-operator if the creating user has the vdc-admin role.
User account role in the non-VDCsVdc-operator if the creating user has the vdc-admin role.
Default user roles in the default VDCNetwork-operator.
Default user roles in the non-default VDCsVdc-operator. (only for Nexus 7000)
Interface policyAll interfaces are accessible.
VLAN policyAll VLANs are accessible.
VRF policyAll VRFs are accessible.
Feature groupL3.



Notes:

  • If you belong to multiple roles, you can execute a combination of all the commands permitted by these roles. Access to a command takes priority over being denied access to a command. For example, suppose a user has RoleA, which denied access to the configuration commands. However, the user also has RoleB, which has access to the configuration commands. In this case, the user has access to the configuration commands.

  • Only Cisco Nexus 7000 Series switches support multiple VDCs; however, the vdc-operator role is available on all Nexus switches and has the same privileges and limitations as the network-operator role.

  • All Cisco Nexus Series switches except Nexus 7000 support a single VDC, consequently the vdc-admin has the same privileges and limitations as the network-admin.

  • Only the network-admin user can perform a checkpoint or rollback in the RBAC roles. Though other users have these commands as a permit rule in their role, user access is denied when you try to execute these commands.

Reference:

https://www.cisco.com/c/en/us/support/docs/switches/nexus-5000-series-switches/211984-Nexus-N5500-5600-and-N6000-Role-Base-Ac.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5-x/b_Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5-x_chapter_01010.html

https://www.cisco.com/c/en/us/td/docs/switches/datacenter/nexus9000/sw/7-x/security/configuration/guide/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x/b_Cisco_Nexus_9000_Series_NX-OS_Security_Configuration_Guide_7x_chapter_01000.html#con_1394886

Bilel Ameur

Enthusiastic Network Engineer specializing in Cisco ACI, passionate about solving challenges. A lifelong learner who loves gaining and sharing knowledge. Profile: https://www.linkedin.com/in/bilel-ameur-71116b2b5
0 0 votes
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments
0
Would love your thoughts, please comment.x
()
x