Saturday, June 22, 2013

CCIE DC: RBAC on N7k/N5k

Hi Guys!

So I am going to talk about RBAC, again it's in the blueprint, so you know the drill, I am going to have to study it :p

OK, so first of all, RBAC is not too complicated; I wouldn't panic too much. I have drawn up a nice graph to explain the way the relationships work.

Let's start at the top: you have users defined per VDC. There is a special case where users in the default VDC with the network-admin or network-operator role have read/write or read-only access (respectively) to all of the VDCs.

Ignoring that, you have your user (Hi!). He has multiple roles assigned to him, and these roles control what he can and can't do. Note that a permit in one role always takes priority over a deny in another role: if a user is assigned the two roles "totallyNotAllowedToDoOSPFConfig" and "TotallyISALLOWEDtoDoOSPFConfig", the permit rules in the "allowed" role take precedence over the deny rules in the "not allowed" role.

So for example, you might have a role helpdesk that defines a bunch of rules for helpdesk staff, and then a helpdesk level 2 role that gives access to a few more commands. You can just assign helpdesk, then assign helpdesk level 2 over the top: the user inherits all the permits of helpdesk, and anything permitted in level 2 but denied in helpdesk is overridden by the level 2 permit.

I hope that makes it clear!

OK, next: these roles consist of rules. The rules are checked IN ORDER, like ACEs in an ACL from the top down, and you can have a maximum of 256 rules per role.

The rules in turn refer to commands, features and feature groups: a command rule is simply a regular expression matching particular commands, a feature is a collection of commands that commonly configure a particular feature, and a feature group is in turn a collection of features! All of this is designed to make the config that little bit easier and less time consuming.

It certainly beats the old privilege model!
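The precedence rules above (first match within a role, permit wins across roles) are easy to get wrong when roles are stacked, so here is an added example, a small Python model of those semantics written for this post and not Cisco's code, that replays the helpdesk / helpdesk level 2 case. The feature-to-command patterns and the two roles are constructed sample data.

```python
import re
from dataclasses import dataclass

# Constructed model of the NX-OS RBAC semantics described in the post (not Cisco code).
# Feature -> command patterns, in the style of 'show role feature name zone' (trimmed sample).
FEATURES = {
    "zone": [r"show zone .*", r"zone .*", r"clear zone .*", r"show zoneset .*", r"zoneset .*"],
    "router-ospf": [r"router ospf .*", r"show ip ospf .*"],
}
FEATURE_GROUPS = {"Storage": ["zone"], "L3": ["router-ospf"]}

@dataclass
class Rule:
    seq: int
    action: str                 # "permit" or "deny"
    scope: str                  # "command", "feature" or "feature-group"
    entity: str                 # command regex, feature name or feature-group name
    access: str = "read-write"  # "read" (show commands only) or "read-write"

def _patterns(rule):
    """Expand a rule to the command regexes it covers (a group is a set of features)."""
    if rule.scope == "command":
        return [rule.entity]
    feats = [rule.entity] if rule.scope == "feature" else FEATURE_GROUPS[rule.entity]
    return [p for f in feats for p in FEATURES[f]]

def rule_matches(rule, cmd):
    if rule.access == "read" and not cmd.startswith("show "):
        return False  # a read rule only grants the feature's show commands
    return any(re.fullmatch(p, cmd) for p in _patterns(rule))

def role_decision(rules, cmd):
    """Within one role the rules are checked top-down like ACEs: first match decides."""
    for rule in sorted(rules, key=lambda r: r.seq):
        if rule_matches(rule, cmd):
            return rule.action
    return None  # no rule matched; this role says nothing about the command

def authorized(roles, cmd):
    """Across a user's roles a permit always wins over a deny from another role."""
    return any(role_decision(rules, cmd) == "permit" for rules in roles.values())

# The post's example: helpdesk may only look at zoning; level 2 gets the Storage group.
HELPDESK = [Rule(1, "permit", "command", r"show zone .*"), Rule(2, "deny", "feature", "zone")]
HELPDESK_L2 = [Rule(1, "permit", "feature-group", "Storage")]

if __name__ == "__main__":
    # hypothetical user holding both roles, as in the post
    print(authorized({"helpdesk": HELPDESK}, "zone name A vsan 1"))                              # False
    print(authorized({"helpdesk": HELPDESK, "helpdesk-l2": HELPDESK_L2}, "zone name A vsan 1"))  # True
```

Swapping the order of the two helpdesk rules turns the show command into a deny, which is the ACE-style ordering point made above.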

Let's take a look at some of the built-in roles:

N7K-1-1(config)# show role name ?
*** No matching command found in current mode, matching in (exec) mode ***
  PeterRocks    User role
  priv-0        Privilege role

- output omitted- 
  vdc-admin     System configured role
  vdc-operator  System configured role

Here we see the usual suspects in terms of all the privilege roles 0 to 15, but we are not going to be using them. I have also created a totally legitimately named role "PeterRocks"; let's look at what we can configure for that.

First of all, let's see what feature groups are available to make life easier:

 N7K-1-1(config)# show role feature-group

feature group: L3
router-bgp      (Border Gateway Protocol related commands)
router-eigrp    (Enhanced Interior Gateway Routing Protocol related commands)
router-isis     (ISIS protocol related commands)
router-ospf     (Open Shortest Path First protocol related commands)
router-rip      (Routing Information Protocol related commands)

We can see that there is a feature group L3 that gives privileges to all the routing protocols someone might want to configure. In our example, let's pretend Pete (that's me!) has just been studying lots and lots of storage (who would have thought?), so we are going to allow him to make quite a few changes to storage by giving his role access to the storage features.

The show role feature command can be used to determine which features might belong under a feature group. The output is shown below; in this example I have removed all the features that are not related to storage, since storage is what we want to configure as part of this role :)

7K-2-2(config-role-featuregrp)# show role feature
qosmgr          (Quality of Service related commands)
acl             (FC ACL related commands)
fc-qos          (FC Quality of Service related comamnds)
fcanalyzer      (FC analyzer related commands)
fcns            (Fibre Channel Name Server related commands)
fcsp            (Fibre Channel Security Protocol related commands)
ficon           (Ficon related commands)
fspf            (Fabric Shortest Path First protocol related commands)
iscsi           (ISCSI related commands)
isns            (Internet Storage Name Service related commands)
ivr             (InterVsan Routing protocol related commands)
mpls-tunnel     (FC tunnel related commands)
rlir            (Registered Link Incident Report related commands)
rscn            (Registered State Change Notification related commands)
san-ext-tuner   (IP Network Simulator related commands)
sme             (Storage Media Encryption feature related commands)
sme-kmc-admin   (SME commands authorized to kmc admin)
sme-recovery-officer(SME commands authorized to recovery officer)
sme-stg-admin   (SME commands authorized to storage admin)
span            (SPAN session relate commands)
vsan            (VSAN configuration and show commands)
vsan-assign-intf(Assign interfaces to vsan)
wwnm            (WorldWide Name related commands)
zone            (Zone related commands)

The show role feature name <feature> command shows all the actual commands that are part of one feature (show role feature detail does the same for every feature):

7K-2-2(config-role-featuregrp)# show role feature name zone
zone            (Zone related commands)
  show zone *
  config t ; zone *
  zone *
  clear zone *
  debug zone *
  show zoneset *
  config t ; zoneset *
  zoneset *
  clear zoneset *
  debug zoneset *
  show zone-attribute-group *
  config t ; zone-attribute-group *
  zone-attribute-group *
  clear zone-attribute-group *
  debug zone-attribute-group *
  show fcalias *
  config t ; fcalias *
  fcalias *
  clear fcalias *
  debug fcalias *

The * is a wildcard: every command beginning with the keywords before it is allowed.

For the sake of ease, let's give our role access to zoning and a few other small storage features, grouped into a feature group called Storage:

role feature-group name Storage
  feature zone
  feature vsan
  feature vsan-assign-intf
  feature iscsi
  feature fcns
  feature qosmgr

Next we assign this feature group to our actual role, storage:

N7K-2-2(config-role-featuregrp)# role name storage

N7K-2-2(config-role)# rule ?
  1-256  Enter the rule number

As we discussed, the rules are sequenced:

N7K-2-2(config-role)# rule 1 ?
  deny    Deny rule
  permit  Permit rule

Each rule is a permit or a deny:

N7K-2-2(config-role)# rule 1 permit ?
  command     Command line
  read        Read access
  read-write  Read and write access

You can define whether it's just read, or read AND write, for the particular feature or feature group:

N7K-2-2(config-role)# rule 1 permit read-write ?
  feature        Feature name
  feature-group  Feature group name

Is it a feature group or a feature you're assigning?

N7K-2-2(config-role)# rule 1 permit read-write feature-group Storage

We now have our nice role for storage!

N7K-2-2# show role name storage

Role: storage
  Description: new role
  Vlan policy: permit (default)
  Interface policy: permit (default)
  Vrf policy: permit (default)
  Rule    Perm    Type        Scope               Entity
  1       permit  read-write  feature-group       Storage

We could give it a description and also define which VLANs, interfaces and VRFs the role is allowed to touch; let's look at this next.

Let's say we wanted to keep this storage role down to a particular set of interfaces, or maybe we created a layer 3 role and wanted to restrict which VLANs and interfaces it was allowed to modify. We can do so under the role:

N7K-2-2(config-role)# interface policy ?
  deny  Deny access to a interface unless specifically permitted

The default policy is to permit access to all interfaces, VLANs and VRFs, but we can change that as per above:

N7K-2-2(config-role)# interface policy deny
N7K-2-2(config-role-interface)# permit ?
  interface  Enter the range of interfaces accessible the role

If we do change it, we have to say which interfaces we do allow:

N7K-2-2(config-role-interface)# permit int ?
  ethernet      Ethernet IEEE 802.3z
  loopback      Loopback interface
  mgmt          Management interface
  port-channel  Port Channel interface

N7K-2-2(config-role-interface)# permit int eth1/1 - 32

In this example I have allowed this role access to all the F1 card interfaces, eth1/1 - 32.

Let's finally assign this to a user:

N7K-2-2(config)# username storage password storage role storage

I will then login as this user and see what commands are available:

N7K-2-2# show ?
  class-map   Show class maps
  debug       Show debug flags
  logging     Show logging configuration and contents of logfile
  policy-map  Show policy maps
  qos         Qos
  queuing     Queuing related information
  table-map   Table maps

Oh dear! As you can see, not many commands are available. This is simply because the features the role permits are not actually enabled on that particular VDC: a role only exposes commands for features that are enabled.

Let's enable OSPF, then permit the L3 feature group for this role:

N7K-2-2(config)# feature ospf
N7K-2-2(config)# role name storage
N7K-2-2(config-role)# rule 2 permit read-write feature-group L3

N7K-2-2# show ?
  class-map   Show class maps
  debug       Show debug flags
  ip          Display IP information
  ipv6        Display IPv6 information
  ipv6        Display IPV6 information
  logging     Show logging configuration and contents of logfile
  policy-map  Show policy maps
  qos         Qos
  queuing     Queuing related information
  table-map   Table maps

Suddenly I have many more commands to work with :).

OK, last but not least for RBAC on the N7K/N5K:

Role config can be distributed via CFS, like many other configuration items, to save time when you're configuring multiple devices at once.

It is super easy, first of all you need to turn on the role distribution on both switches:

N7K-2-2(config)# role distribute

Role distribution is via FC or IP, so if you have an FC connection between them, fine; but if you don't, you will need to enable IPv4 distribution, otherwise they will never become peers:

N7K-2-1(config)# cfs ipv4 distribute

N7K-2-1# show cfs status
Distribution : Enabled
Distribution over IP : Enabled - mode IPv4
IPv4 multicast address :
IPv6 multicast address : ff15::efff:4653
Distribution over Ethernet : Disabled

Before going any further, make sure it all shows as peers:

7K-2-1# show cfs peers

Physical Fabric
 Switch WWN              IP Address
 20:00:00:24:98:e8:01:c3                              [Local]

You can also check that the adjacency is actually in place for the role application specifically:

N7K-2-1# show cfs peers name role

Scope      : Physical-fc-ip
 Switch WWN              IP Address
 20:00:00:24:98:e8:01:c3                              [Local]

OK, so the role distribution CFS adjacency is definitely up; now we just need to commit it for it to replicate to the other switch.

Go to our first switch and make some role changes:

N7K-2-2(config)# role name peter
N7K-2-2(config-role)# rule 1 permit read-write feature-group L3
N7K-2-2(config)# role commit

IMPORTANT NOTE: if you have enabled interface restrictions, you will have trouble distributing them via commit, and will receive this message:

You have interface configuration. Do you want to proceed? [no] yes