Why an Administrator Role is Necessary
A user with the predefined NX-OS administrator needs to be configured in order for the Indeni Server get remote access to the Nexus switches. The Indeni Server connects to the Nexus switches via a SSHv2 connection. Once connected, the NX-OS show commands are executed in predefined intervals to collect the information required for in-depth analysis and automation.
Setting up the Indeni User Account at a Nexus Switch
The NX-OS uses the concept of the User Roles to define the access level of a user. User Roles contain rules that define which operations are allowed for a particular user assigned to a role. The Cisco NX-OS software provides four default User Roles:
Network-Admin: Complete read-and-write access to the entire NX-OS device. This is only available in the default Virtual Device Context (VDC).
Network-Operator: Complete read access to the entire NX-OS device, this is the Default User Role.
VDC-Admin: Read-and-write access limited to a VDC.
VDC-Operator: Read access limited to a VDC (Default User Role).
PLEASE NOTE: The VDC-Admin and VDC-Operator roles apply only to the Nexus 7000 & 7700 Series switches.
The Indeni user needs to be assigned to the predefined network-admin level to execute all the NX-OS commands required for analysis and monitoring. It should be noted that all the show commands executed by the Indeni server can also be executed with a Network Operator predefined role, with the exception of show running configuration. This is why it is recommended to create or use an existing account with admin level rights.
Default Role Configurations
It is important to note that the default configurations during the creation of the Indeni user in NX-OS. A new user will be assigned a default User-Role, if a Role was not configured during the authentication process when logging into a Nexus with no AAA (Authentication Authorization Accounting), or with AAA only for Authentication. Also, the default User-Role assigned depends on the Nexus model. For example, when logging into a N5K series switch, or a N7K series switch, the default User-Roles assigned is “Network-Operator”. For users logging into a VDC, the default User-Role is “VDC-Operator”. The default User Roles are limited to certain commands and cannot perform any configuration changes.
Configuring User to Switch
To configure a user to the local database of the switch with network-admin rights, execute the following command: ‘username indeni password [****] role network-admin‘
PLEASE NOTE: The username and password should be different from the one described to the example.
To see the new user and the level of access , run the following command: ‘sh user-account‘
To confirm that a user with network-admin rights is configured with permanent read-write access, run the following command: ‘sh role name network-admin‘
RADIUS and TACACS
Special attention should be taken when a RADIUS or TACACS is used for AAA. In particular, the following should be noted:
- When no AAA is configured the role is retrieved from the local “username” configuration command.
- In the case that role is not configured, the default role level (network operator) is used.
- If AAA is configured with the Authentication Only option, the Nexus switch expects the TACACS or RADIUS server to issue a Role along with the user credentials within the response, else a default User-Role is used.
- If AAA with Authentication and Authorization is configured then it overwrites the use of the default User Roles and custom User Roles.
Frequently Asked Questions
Can I limit the Indeni user to have privilege level to execute only NX-OS show commands?
You can easily do this by assigning the Indeni user level to the NX-OS predefined role of “network operator”. Although most of the NX-OS commands required by Indeni can be executed with the predefined and default network-operator role, the “show running configuration *” command cannot be executed by a user with this role. This means that the Indeni user should not be assigned to the predefined network-operator role, but rather to the predefined network-admin role. Or you may simply create a new custom role.
Can I limit the Indeni user to have access to execute only the required show commands needed to collect the information by a Nexus Switch?
Yes. NX-OS RBAC (Role Based Access Control) allows you to define the rules for an assign role that restrict the authorization that the user has access to in management operations. User roles contain rules that define the operations allowed for the user who is assigned a role.
Below is provided an example with the configuration of a role with 2 rules:
The role is assigned to the new user named indeni2
The user has been successfully created and assigned the configured“management” role
Afterwards, login to the Nexus with the indeni2 user. The user should be able to execute only the commands permitted for the assigned role. A warning message should be received when it attempts to execute a command not included to the assigned role:
PLEASE NOTE: This kind of custom role requires additional effort on the end-user to maintain in order to support any new NX-OS commands required to run future Indeni releases. More information regarding NX-OS RBAC can be found here.
Does the Indeni user need to have access-level to the NX-OS configuration mode?
No. The Indeni user is required to run only specific show commands.
Is it safe for the Indeni user to remotely login to the Nexus Switch?
Yes. The Indeni server connects remotely with a SSH session to a Nexus switch. All the commands are executed periodically, in only one SSH session.
Can I keep track of the commands executed by the Indeni user?
Yes. You can easily keep track of the commands executed to a Nexus switch either by configuring the device to log all the commands to a Syslog server, or by searching the output of the ‘show accounting log all‘ command as demonstrated below:
The configuration options of the show accounting command should be as follows:
The next configuration should be applied in order to enable the logging of the show commands:
For testing purposes the ‘sh ver‘ command should be executed:
The show accounting log all command provides detailed information regarding the date, the user and the IP address of the user connected to the Nexus.
How can I check if Indeni has been connected via ssh successfully with the nexus switch?
First, run the ‘sh users‘ command to lists the users which are connected to the Nexus switch.
The indeni server with the IP address 10.10.8.116 has established a SSH session toward the Nexus switch (check figure below)
The next command also illustrates the TCP state (e.g. ESTABLISHED) for the SSH session between the Nexus switch and the Indeni server.
How can I check the CPU/Memory utilization on a Nexus series switch? Also, how can I check that Indeni didn’t sharply increase the CPU/ Memory utilization of the device?
It should be noted that devices with low hardware capabilities, such as the Nexus 3K, may show high CPU / Memory utilization when they are discovered by Indeni. Typically all devices will have a spike in system resources during the interrogation process, but then should settle down after it’s been successfully added.
NX-OS commands recorded against CPU usage for 60 seconds, 60 minutes, and 72 hours. Be sure to check the average CPU usage (#) and the spikes (*).
The command output provides graphical views of how busy the CPU has been until 72h. This command is very useful if you want see quickly how the CPU utilization pattern has been modified when the Nexus switch has been discovered by Indeni. The CPU usage graph for the last 60 seconds, 60 minutes could provide a useful and fast CPU utilization report for review especially during the Indeni discovery phase.
PLEASE NOTE: CPU utilization spikes can be caused by a known network event or activity. For example, a spike could be caused by the network administrator entering a specific command such as the “show tech support” command on the CLI.
To order the CPU usage from highest to lowest, and at the process level, run the following command: “show processes cpu sort”
To get the CPU and Memory utilization report, run the following command: “show system resources”
PLEASE NOTE: The show system resources command displays the overall memory utilization, and the show process memory command displays memory utilization per process; e.g. per VDC
After adding a Nexus and verifying the CPU/Memory utilization is normal, I notice that the Indeni server didn’t get any information from the device. How can I be sure that the NX-OS commands are executed at the Indeni device?
You can track commands executed to a Nexus switch by to logging all commands to a Syslog server, or by searching the output of the “show accounting log all command” – The simplest and fastest method is to run the command.
PLEASE NOTE: In Release 5.x and later you can enable logging of “all” commands run on the device (not just the config commands) when you configure “terminal log-all”
Example of the relevant show command illustrated below:
It should be noted that the Indeni server with the IP address 10.10.8.116 (left circle) executes the relevant NX-OS commands, which are highlighted in the larger circle to the right.