I’m trying to learn more about Cisco’s datacenter products, and obviously NX-OS is a
big part of that. I’ll do some blog posts to introduce anyone not familiar with
NX-OS to it, and that will help me with the learning as well.
One important thing to know about NX-OS is that features are selectively enabled.
This means that if you are not running OSPF then there is no need to have that
process running. We can check which features are enabled.
N7K-1# sh feature | ex not | grep enabled
hsrp_engine 1 enabled
sshServer 1 enabled
vtp 1 enabled
As you can see, NX-OS has some nice additions over regular IOS, such as grep.
There are also other output filters, like sort, count and counting unique
instances.
N7K-1# sh feature | ex not | grep enabled | count
3
By default Telnet is not enabled, which is good; it’s more secure to use SSH.
If we want to add it, we can do so with the feature command.
N7K-1(config)# feature telnet
N7K-1# sh feature | grep telnet
telnetServer 1 enabled
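As an added example (not code from the post), here is a small Python audit that parses the table "show feature" prints (feature name, instance, state), reproduces the "| grep enabled | count" pipeline, and flags features that a management baseline says should stay off. The sample output is constructed to resemble the lab device above, with telnetServer added so the check fires; the UNWANTED_FEATURES baseline is an assumption.

```python
"""Audit 'show feature' output from an NX-OS device (added example)."""
import re

# Constructed sample, modelled on the post's device. It includes the
# disabled rows and the header that the post filtered out with '| ex not'.
SHOW_FEATURE_SAMPLE = """\
Feature Name          Instance  State
--------------------  --------  --------
bgp                    1         disabled
eigrp                  1         disabled
hsrp_engine            1         enabled
ospf                   1         disabled
sshServer              1         enabled
telnetServer           1         enabled
vtp                    1         enabled
"""

# One row of the table: <name> <instance> <enabled|disabled>
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(enabled|disabled)\s*$")

# Features the baseline wants disabled. Telnet is the one the post calls
# out (cleartext logins); the set is an assumption for this example.
UNWANTED_FEATURES = {"telnetServer"}


def parse_show_feature(text):
    """Return {(name, instance): state} for every feature row."""
    features = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            name, instance, state = m.groups()
            features[(name, int(instance))] = state
    return features


def enabled_features(features):
    """Sorted names of enabled features (what '| grep enabled' lists)."""
    return sorted(name for (name, _inst), state in features.items()
                  if state == "enabled")


def unwanted_enabled(features, unwanted=UNWANTED_FEATURES):
    """Enabled features that the baseline says should be off."""
    return sorted(set(enabled_features(features)) & set(unwanted))


if __name__ == "__main__":
    feats = parse_show_feature(SHOW_FEATURE_SAMPLE)
    on = enabled_features(feats)
    print(f"{len(on)} enabled: {', '.join(on)}")   # same number '| count' gives
    for name in unwanted_enabled(feats):
        print(f"WARNING: {name} is enabled but not in the baseline; "
              f"review and disable with 'no feature ...'")
```

Run against real output captured from the device, the script gives the same count the CLI pipeline does, plus a list of anything that was enabled outside the baseline.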
In regular IOS we limit the number of VTY sessions with the line vty command.
In NX-OS the session-limit command is used instead.
N7K-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7K-1(config)# line vty
N7K-1(config-line)# session-limit 5
SSH is enabled by default. A crypto key should already be generated, or you can
generate a new one.
N7K-1(config)# ssh key rsa 1024 force
deleting old rsa key.....
generating rsa key(1024 bits).....
.
generated rsa key
With the show users command we can see from which TTYs and source addresses the users are logged in.
N7K-1# sh users
NAME     LINE         TIME         IDLE    PID COMMENT
admin    pts/0        Apr 30 05:22 .     21294 (10.20.30.200)
admin    pts/1        Apr 30 05:28 .     21845 (10.20.30.200) session=ssh *
When logging in to an NX-OS device the user goes straight to exec mode; there
is no enable step. There are four different types of accounts (roles) available in NX-OS.
These are:
- network-admin—Complete read-and-write access to the entire Cisco NX-OS device (only available in the default VDC)
- network-operator—Complete read access to the entire Cisco NX-OS device (only available in the default VDC)
- vdc-admin—Read-and-write access limited to a VDC
- vdc-operator—Read access limited to a VDC
This makes it easy to create users that should have only read access.
N7K-1(config)# username daniel password daniel role network-operator

login: daniel
Password:
Last login: Mon Apr 29 18:56:23 from 10.20.30.200
Cisco NX-OS Software
N7K-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7K-1(config)# router ospf 1
% Permission denied for the role
N7K-1(config)#
SNMP should be enabled for network management. SNMP version 2C or 3 can
be enabled.
N7K-1(config)# snmp-server community public ro
N7K-1# show snmp community
Community       Group / Access      context    acl_filter
---------       --------------      -------    ----------
public          network-operator
For a more secure SNMP setup, version 3 should be used. SNMPv3 can be set up to use
authentication only, or authentication and encryption. By default, the users we create
are also created as SNMP users, which keeps the configuration simple.
N7K-1# show snmp user
______________________________________________________________
                  SNMP USERS
______________________________________________________________

User              Auth  Priv(enforce) Groups
____              ____  _____________ ______
daniel            md5   des(no)       network-operator
New users can be created as well.
N7K-1# conf t
Enter configuration commands, one per line. End with CNTL/Z.
N7K-1(config)# snmp-server user SNMPadmin ?
  WORD  Group name (ignored for notif target user) (Max Size 28)
  auth  Authentication parameters for the user
N7K-1(config)# snmp-server user SNMPadmin auth ?
  md5  Use HMAC MD5 algorithm for authentication
  sha  Use HMAC SHA algorithm for authentication
N7K-1(config)# snmp-server user SNMPadmin auth md5 ?
  WORD  Authentication password for user (Max Size 130)
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin ?
  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format
  priv          Encryption parameters for the user
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv ?
  WORD     Privacy password for user (Max Size 130)
  aes-128  Use 128-bit AES algorithm for privacy
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 ?
  WORD  Privacy password for user (Max Size 130)
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret ?
  engineID      EngineID for configuring notif target user (for V3 informs)
  localizedkey  Specifies whether the passwords are in localized key format
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret
user password must be atleast 8 characters
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin priv aes-128 secret1234
user password must be atleast 8 characters
N7K-1(config)# snmp-server user SNMPadmin auth md5 admin1234 priv aes-128 secret1234
Both the authentication and privacy passwords must be at least 8 characters. To
require that all SNMPv3 PDUs are authenticated and encrypted, the following command is used.
N7K-1(config)# snmp-server globalEnforcePriv
N7K-1(config)#
Now to verify that it took effect.
N7K-1# sh snmp user
______________________________________________________________
                  SNMP USERS [global privacy flag enabled]
______________________________________________________________

User              Auth  Priv(enforce) Groups
____              ____  _____________ ______
daniel            md5   des(no)       network-operator
SNMPadmin         md5   aes-128(no)   network-operator
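As an added example (not the post's code), the Python below turns the "show snmp community" and "show snmp user" output above into audit findings: a v2c community (unauthenticated, cleartext), users with DES privacy or MD5 authentication, and whether the global privacy flag is set. The samples are constructed to mirror the post's output before and after globalEnforcePriv; the severities are an assumption.

```python
"""Audit NX-OS SNMP settings from 'show snmp' output (added example)."""
import re

# Constructed samples modelled on the post's lab output.
SHOW_SNMP_COMMUNITY_SAMPLE = """\
Community       Group / Access      context    acl_filter
---------       --------------      -------    ----------
public          network-operator
"""

SHOW_SNMP_USER_BEFORE = """\
______________________________________________________________
                  SNMP USERS
______________________________________________________________

User              Auth  Priv(enforce) Groups
____              ____  _____________ ______
daniel            md5   des(no)       network-operator
SNMPadmin         md5   aes-128(no)   network-operator
"""

# Same table after 'snmp-server globalEnforcePriv' (only the banner changes).
SHOW_SNMP_USER_AFTER = SHOW_SNMP_USER_BEFORE.replace(
    "SNMP USERS", "SNMP USERS [global privacy flag enabled]")

# One user row: <name> <auth> <priv>(<yes|no>) <group>
USER_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\((yes|no)\)\s+(\S+)\s*$")
DEFAULT_COMMUNITIES = {"public", "private"}   # well-known defaults


def parse_snmp_communities(text):
    """Return {community: group} from 'show snmp community' (skips header)."""
    out = {}
    for line in text.splitlines()[2:]:
        parts = line.split()
        if len(parts) >= 2:
            out[parts[0]] = parts[1]
    return out


def parse_snmp_users(text):
    """Return (global_priv_enabled, [user dicts]) from 'show snmp user'."""
    global_priv = "[global privacy flag enabled]" in text
    users = []
    for line in text.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            name, auth, priv, enforce, group = m.groups()
            users.append({"name": name, "auth": auth.lower(),
                          "priv": priv.lower(), "enforce": enforce == "yes",
                          "group": group})
    return global_priv, users


def snmp_findings(community_text, user_text):
    """List of (severity, message) pairs; empty list means nothing to fix."""
    findings = []
    for comm, group in parse_snmp_communities(community_text).items():
        sev = "high" if comm in DEFAULT_COMMUNITIES else "medium"
        findings.append((sev, f"v2c community '{comm}' ({group}): "
                              "no authentication or encryption, prefer SNMPv3"))
    global_priv, users = parse_snmp_users(user_text)
    if not global_priv:
        findings.append(("medium", "global privacy flag off: v3 requests need not "
                                   "be encrypted; set 'snmp-server globalEnforcePriv'"))
    for u in users:
        if u["priv"] == "des":
            findings.append(("medium", f"user {u['name']}: DES privacy, prefer aes-128"))
        if u["auth"] == "md5":
            findings.append(("low", f"user {u['name']}: MD5 authentication, prefer sha"))
        if not u["enforce"] and not global_priv:
            findings.append(("low", f"user {u['name']}: privacy not enforced"))
    return findings


if __name__ == "__main__":
    for label, text in (("before", SHOW_SNMP_USER_BEFORE), ("after", SHOW_SNMP_USER_AFTER)):
        print(f"--- {label} globalEnforcePriv ---")
        for sev, msg in snmp_findings(SHOW_SNMP_COMMUNITY_SAMPLE, text):
            print(f"[{sev}] {msg}")
```

The per-user enforce column stays "no" after the global flag is set, which is exactly what the device showed above, so the check for unenforced privacy is only raised when the global flag is off as well.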
And there you have it. A basic look at the management setup of NX-OS. More
posts will follow.
Daniel, thanks. Are you using the Nexus 1000v or is this on a rented rack online somewhere? Thanks!
This is on the Cisco cloudlabs. It’s running a virtualized version of NX-OS. Cisco calls it Titanium. Otherwise INE are starting DC racks, seems to be the most affordable from what I’ve seen so far.