I’m trying to learn more about Cisco’s datacenter products, and obviously NX-OS is a
big part of that. I’ll do some blog posts to introduce NX-OS to anyone not familiar
with it, and that will help me with the learning as well.

One important thing to know about NX-OS is that features are selectively enabled.
This means that if you are not running OSPF, there is no need to have that
process running, which also keeps the attack surface of the device small. We can
check which features are running.

N7K-1# sh feature | ex not | grep enabled
hsrp_engine           1         enabled 
sshServer             1         enabled 
vtp                   1         enabled

As you can see, NX-OS supports output filters like grep, which is a nice addition
compared to regular IOS. There are also additional filters such as sort, count
and count unique instances.

N7K-1# sh feature | ex not | grep enabled | count
3

By default Telnet is not enabled, which is good. It’s more secure to use SSH,
because Telnet sends everything, including passwords, in cleartext. If we want
to add Telnet we can do it with the feature command.

N7K-1(config)# feature telnet
N7K-1# sh feature | grep telnet
telnetServer          1         enabled
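
An added example (not from the original post): a small Python check that parses `show feature` output and compares the enabled features with an approved baseline, so that a change such as `telnetServer` being turned on shows up as drift. The baseline set and the `ospf ... disabled` sample row are assumptions constructed for illustration.

```python
import re

# Constructed sample in the shape of the `show feature` output shown above;
# the `disabled` row is an assumed example of a feature that is turned off.
SAMPLE = """\
hsrp_engine           1         enabled
sshServer             1         enabled
telnetServer          1         enabled
vtp                   1         enabled
ospf                  1         disabled
"""

# Hypothetical baseline: the features this device is approved to run.
BASELINE = {"hsrp_engine", "sshServer", "vtp"}

# feature name, instance number, state
ROW = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s*$")


def enabled_features(text):
    """Return the set of feature names with at least one enabled instance."""
    enabled = set()
    for line in text.splitlines():
        m = ROW.match(line)
        if m and m.group(3) == "enabled":
            enabled.add(m.group(1))
    return enabled


def feature_drift(text, baseline):
    """Compare enabled features with the baseline.

    Returns (unexpected, missing): features that are enabled but not
    approved, and approved features that are not enabled.
    """
    enabled = enabled_features(text)
    return sorted(enabled - baseline), sorted(baseline - enabled)


if __name__ == "__main__":
    unexpected, missing = feature_drift(SAMPLE, BASELINE)
    print("enabled but not in baseline:", unexpected)
    print("in baseline but not enabled:", missing)
```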

In regular IOS we limit the number of VTY sessions with the line vty command.
In NX-OS the session-limit command is used instead.

N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
N7K-1(config)# line vty
N7K-1(config-line)# session-limit 5

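SSH is enabled by default. A crypto key should already be generated, or you can generate
a new one. The example below uses a 1024-bit RSA key; 2048 bits is the minimum
generally recommended for RSA today.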

N7K-1(config)# ssh key rsa 1024 force
deleting old rsa key.....
generating rsa key(1024 bits).....
.
generated rsa key

With the show users command we can see from which TTYs the users are logged in.

N7K-1# sh users
NAME     LINE         TIME         IDLE          PID COMMENT
admin    pts/0        Apr 30 05:22   .         21294 (10.20.30.200)
admin    pts/1        Apr 30 05:28   .         21845 (10.20.30.200) session=ssh *

When logging in to an NX-OS device the user goes straight to exec mode. There
is no need to enable. There are 4 different types of accounts available in NX-OS.
These are:

  • network-admin—Complete read-and-write access to the entire Cisco NX-OS device (only available in the default VDC)
  • network-operator—Complete read access to the entire Cisco NX-OS device (only available in the default VDC)
  • vdc-admin—Read-and-write access limited to a VDC
  • vdc-operator—Read access limited to a VDC

This makes it easy to create users that should have only read access.

N7K-1(config)# username daniel password daniel role network-operator
login: daniel
Password: 
Last login: Mon Apr 29 18:56:23 from 10.20.30.200
Cisco NX-OS Software
N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
N7K-1(config)# router ospf 1
% Permission denied for the role
N7K-1(config)#

SNMP should be enabled for network management. SNMP version 2c or 3 can
be enabled.

N7K-1(config)# snmp-server community public ro
N7K-1# show snmp community
Community            Group / Access      context    acl_filter
---------            --------------      -------    ----------
public                network-operator           

[Screenshot: SNMPwalk1]

For a more secure SNMP setup, version 3 should be used, since SNMPv2c sends the
community string in cleartext. SNMPv3 can be set up to use authentication only, or
authentication and encryption. By default, the users we create are also created
as SNMP users, which makes the configuration simple.

N7K-1# show snmp user
______________________________________________________________
                  SNMP USERS 
______________________________________________________________

User                          Auth  Priv(enforce) Groups                        
____                          ____  _____________ ______                        
daniel                        md5   des(no)       network-operator

New users can be created as well.

N7K-1# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
N7K-1(config)# snmp-server user SNMPadmin ?

  WORD   Group name (ignored for notif target user) (Max Size 28)
  auth   Authentication parameters for the user

N7K-1(config)# snmp-server user SNMPadmin auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication

N7K-1(config)# snmp-server user SNMPadmin auth md5 ?
  WORD  Authentication password for user (Max Size 130)

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin ?

  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format
  priv          Encryption parameters for the user

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv ?
  WORD     Privacy password for user (Max Size 130)
  aes-128  Use 128-bit AES algorithm for privacy

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 ?
  WORD  Privacy password for user (Max Size 130)

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret ?

  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format

N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret 
user password must be atleast 8 characters
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret1234 
user password must be atleast 8 characters
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin1234 priv aes-128 secret1234

Both the authentication password and the privacy password must be at least 8
characters, which is why the first two attempts are rejected. To require that all
SNMPv3 PDUs are authenticated and encrypted, the following command is used.

N7K-1(config)# snmp-server globalEnforcePriv 
N7K-1(config)#

Now to see that it works.

N7K-1# sh snmp user
______________________________________________________________
                  SNMP USERS [global privacy flag enabled]
______________________________________________________________

User                          Auth  Priv(enforce) Groups                        
____                          ____  _____________ ______                        
daniel                        md5   des(no)       network-operator              

SNMPadmin                     md5   aes-128(no)   network-operator    

[Screenshot: SNMPwalk2]
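
An added example (not from the original post): a Python audit of `show snmp user` output that reports users still on `md5` or `des` and, when the global privacy flag is absent, users whose privacy is not enforced. The sample text is constructed from the output above; the value `no` for a user without authentication or privacy is an assumption about how the table renders that case.

```python
import re

# Constructed sample in the shape of the `show snmp user` output above.
SAMPLE = """\
______________________________________________________________
                  SNMP USERS [global privacy flag enabled]
______________________________________________________________

User                          Auth  Priv(enforce) Groups
____                          ____  _____________ ______
daniel                        md5   des(no)       network-operator

SNMPadmin                     md5   aes-128(no)   network-operator
"""

# user, auth algorithm, privacy algorithm with optional (yes|no) flag, group.
# Assumption: "no" appears in the Auth/Priv column when none is configured.
ROW = re.compile(
    r"^(?P<user>\S+)\s+(?P<auth>md5|sha[\w-]*|no)\s+"
    r"(?P<priv>[\w-]+)(?:\((?P<enforce>yes|no)\))?\s+(?P<group>\S+)\s*$"
)


def audit_snmp_users(text):
    """Return (user, finding) tuples for weak SNMPv3 user settings."""
    global_priv = "global privacy flag enabled" in text
    findings = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # rulers, column headers and blank lines
        user, auth, priv = m["user"], m["auth"], m["priv"]
        if auth == "no":
            findings.append((user, "no authentication"))
        elif auth == "md5":
            findings.append((user, "auth md5 (sha is offered)"))
        if priv == "no":
            findings.append((user, "no privacy"))
        elif priv == "des":
            findings.append((user, "priv des (aes-128 is offered)"))
        # Without the global flag, privacy is only mandatory per user.
        if not global_priv and m["enforce"] != "yes":
            findings.append((user, "privacy not enforced"))
    return findings


if __name__ == "__main__":
    for user, finding in audit_snmp_users(SAMPLE):
        print(f"{user}: {finding}")
```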

And there you have it. A basic look at the management setup of NX-OS. More
posts will follow.

Introduction to NX-OS – Basic system setup