VDC Management
When several departments share a single physical device and each department has its own administrator, sharing one administrator account among every department admin presents a security concern. VDC user roles come to the rescue here. Using VDC user roles, each VDC can be managed by a different VDC administrator. An action taken by a VDC administrator in one VDC does not impact users in other VDCs. A VDC administrator within a VDC can create, modify, and delete the configuration for resources allocated to that VDC with no impact on other VDCs.
The Cisco NX-OS software has default user roles that the network administrator can assign to the user accounts that administer VDCs. These user roles make available a set of commands the user can execute after logging into the device. All commands the user is not allowed to execute are hidden from the user or return an error. You must have the network-admin or vdc-admin role to create user accounts in a VDC.
The Cisco NX-OS software provides default user roles with different levels of authority for VDC administration as follows:
- network-admin: The first user account created on a Cisco Nexus 7000 Series switch in the default VDC is the user “admin.” This user is automatically assigned the network-admin role. The network-admin role, which exists only in the default VDC, allows access to all the global configuration commands (such as reload and install) and all the features on the physical device. A custom user role is not granted access to these network-admin-only commands or to other commands that are scoped admin-only. Only the network administrator can access all the commands related to the physical state of the device. This role can perform system-impacting functions such as upgrading software and running an Ethernet analyzer on the traffic. Network administrators can create and delete VDCs, allocate resources for these VDCs, manage device resources reserved for the VDCs, and configure features within any VDC. Network administrators can also access nondefault VDCs using the switchto vdc command from the default VDC. When network administrators switch to a nondefault VDC, they acquire vdc-admin permissions, which are the highest permissions available in a nondefault VDC.
- network-operator: The second default role that exists on Cisco Nexus 7000 Series switches is the network-operator role. This role gives a user read-only rights in the default VDC. The network-operator role, which exists only in the default VDC, allows users to display information for all VDCs on the physical device. Users with network-operator roles can access nondefault VDCs using the switchto vdc command from the default VDC. By default, there are no users assigned to this role. The role must be specifically assigned to a user by a user who has network-admin rights.
- vdc-admin: When a VDC is created, the first user account created on that VDC is the user “admin,” similar to the way the admin user was created for the whole physical switch in the default VDC. The admin user on a nondefault VDC is automatically assigned the vdc-admin role. Users who have the vdc-admin role can configure all features within a VDC. Users with either the network-admin or vdc-admin role can create, modify, or remove user accounts within the VDC. All configurations for the interfaces allocated to a VDC must be performed within the VDC. Users with the vdc-admin role are not allowed to execute any configuration commands related to the physical device.
- vdc-operator: The vdc-operator role has read-only rights for a specific VDC. This role has no rights to any of the other VDCs. Users assigned the vdc-operator role can display information only for that VDC. Users with either the network-admin or vdc-admin role can assign the vdc-operator role to user accounts within the VDC. The vdc-operator role does not allow the user to change the configuration of the VDC. When a user who has the network-admin or network-operator role accesses a nondefault VDC using the switchto command, that user is mapped to a role of the same level in that VDC: a user with the network-admin role gets the vdc-admin role in the nondefault VDC, and a user with the network-operator role gets the vdc-operator role in the nondefault VDC.
Figure 5-19 shows various default user roles available for VDC administration.
Default VDC access is restricted to a select few administrators who are allowed to modify the global configuration (network-admin role). A few features (such as CoPP and rate limits) can only be configured in the default VDC. If the default VDC is used for data plane traffic, administrators who require default VDC configuration access but not global configuration access should be assigned the vdc-admin role. This role restricts administrative functions to the default VDC exclusively and prevents access to global VDC configuration commands.
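The following NX-OS CLI session is an added example, not taken from the book or from Cisco documentation, that walks through the role model described above: a network-admin in the default VDC creates a nondefault VDC, creates a chassis-wide read-only account, switches into the new VDC (where the network-admin is mapped to vdc-admin), and creates VDC-scoped vdc-admin and vdc-operator accounts. The VDC name, interface range, usernames and password placeholders are constructed; which interfaces can be allocated together depends on the line card's port-group rules.

```nxos
! Executed in the default VDC by a user holding the network-admin role.
! VDC name, interface range, usernames and passwords are constructed for this example.

! Create a nondefault VDC and allocate an interface range to it.
switch# configure terminal
switch(config)# vdc Finance
switch(config-vdc)# allocate interface ethernet 2/1-4
switch(config-vdc)# exit

! A read-only account for the whole chassis: can view every VDC, change nothing.
! network-operator exists only in the default VDC and must be assigned explicitly.
switch(config)# username noc-viewer password <NOC-PASSWORD> role network-operator
switch(config)# end

! Enter the Finance VDC. The network-admin is mapped to vdc-admin here, so the
! prompt changes and global commands such as reload and install are not available.
switch# switchto vdc Finance
switch-Finance# configure terminal

! Accounts scoped to this VDC only: one administrator, one read-only operator.
! Neither account can see or configure any other VDC.
switch-Finance(config)# username fin-admin password <FIN-ADMIN-PASSWORD> role vdc-admin
switch-Finance(config)# username fin-ro password <FIN-RO-PASSWORD> role vdc-operator
switch-Finance(config)# end

! Verify the accounts and their roles inside this VDC, then return to the default VDC.
switch-Finance# show user-account
switch-Finance# show role name vdc-operator
switch-Finance# switchback
```

A useful check after this is to log in as fin-admin and confirm that switchto vdc is rejected and that physical-device commands are absent from the command tree, which is exactly the separation the roles are meant to enforce.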
Figure 5-19 Default User Roles for VDC Administration
Out-of-Band VDC Management
The Cisco NX-OS software provides a virtual management (mgmt0) interface for out-of-band management for each VDC so that VDCs can be individually managed. You can configure a separate IP address for the virtual management interface from within each VDC by entering the VDC with vdc-admin privileges and assigning an IP address to the virtual mgmt0 interface, which is accessed through the physical mgmt0 interface on the supervisor. Because the virtual management interface allows the use of only one management network, the AAA servers and syslog servers can be shared among the VDCs.
Figure 5-20 illustrates that all the VDCs share the management network, but their virtual management interface IP addresses are unique. The VDCs can also use shared or separate external services, such as syslog.
Figure 5-20 Out-of-Band VDC Management Example
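As an added example (not from the book or Cisco documentation), the session below configures out-of-band management for one nondefault VDC as described above: a unique address on the VDC's virtual mgmt0, a route in the management VRF, and syslog and RADIUS servers that sit on the single shared management network and can therefore be configured identically in every VDC. The VDC name, addresses and key placeholder are constructed; a second VDC would repeat the same steps with its own mgmt0 address.

```nxos
! Out-of-band management for the Finance VDC. Addresses and names are constructed.
! A network-admin enters the VDC (mapped to vdc-admin); a vdc-admin logged into
! the VDC directly could run the same commands.
switch# switchto vdc Finance
switch-Finance# configure terminal

! Each VDC's virtual mgmt0 gets its own address on the shared management network,
! all reached through the one physical mgmt0 port on the supervisor.
switch-Finance(config)# interface mgmt0
switch-Finance(config-if)# ip address 192.0.2.11/24
switch-Finance(config-if)# no shutdown
switch-Finance(config-if)# exit

! Default route in the management VRF so this VDC can reach the shared servers.
switch-Finance(config)# vrf context management
switch-Finance(config-vrf)# ip route 0.0.0.0/0 192.0.2.1
switch-Finance(config-vrf)# exit

! Shared external services, reached through the management VRF. Because every VDC
! uses the same management network, the same server addresses work in each VDC.
switch-Finance(config)# logging server 192.0.2.50 6 use-vrf management
switch-Finance(config)# radius-server host 192.0.2.60 key <SHARED-RADIUS-KEY>
switch-Finance(config)# aaa group server radius MGMT-RADIUS
switch-Finance(config-radius)# server 192.0.2.60
switch-Finance(config-radius)# use-vrf management
switch-Finance(config-radius)# exit
switch-Finance(config)# aaa authentication login default group MGMT-RADIUS
switch-Finance(config)# end

! Confirm the address and check reachability of the shared servers via the management VRF.
switch-Finance# show interface mgmt0
switch-Finance# ping 192.0.2.50 vrf management
switch-Finance# switchback
```

Sharing the servers keeps logging and authentication consistent across departments, but it also means every VDC's syslog ends up on one collector; the in-band design that follows is the alternative when departments must keep those services separate.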
In-Band VDC Management
VDCs also support in-band management, which allows a VDC to be managed from within its own network. In this case, the VDCs function as if they were managed as separate physical devices. You can access the VDC using one of the Ethernet interfaces allocated to the VDC. Because in-band management uses a separate management network for each VDC, separate AAA servers and syslog servers can be used for each VDC.
Figure 5-21 illustrates how each VDC has management access from its own unique network, and external services such as RADIUS and syslog are unique to each VDC.
Figure 5-21 In-Band VDC Management Example
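The session below is an added example (not from the book or Cisco documentation) of the in-band arrangement just described: management reaches the Finance VDC over one of the Ethernet interfaces allocated to it, in the VDC's default VRF rather than the shared management VRF, and the VDC points at its own RADIUS and syslog servers so that no other VDC's services are involved. The interface, addresses and key placeholder are constructed and assume Ethernet2/1 was allocated to this VDC.

```nxos
! In-band management for the Finance VDC through one of its allocated interfaces.
! Interface, addresses and names are constructed for this example.
switch# switchto vdc Finance
switch-Finance# configure terminal

! A routed interface inside the VDC carries management traffic in the default VRF.
! This is the department's own network, not the shared out-of-band management network.
switch-Finance(config)# interface ethernet 2/1
switch-Finance(config-if)# no switchport
switch-Finance(config-if)# ip address 198.51.100.2/30
switch-Finance(config-if)# no shutdown
switch-Finance(config-if)# exit
switch-Finance(config)# ip route 0.0.0.0/0 198.51.100.1

! External services unique to this VDC, reached over its own network (default VRF).
! Another VDC configures its own servers; nothing here is visible to it.
switch-Finance(config)# logging server 198.51.100.50 6 use-vrf default
switch-Finance(config)# radius-server host 198.51.100.60 key <FINANCE-RADIUS-KEY>
switch-Finance(config)# aaa group server radius FIN-RADIUS
switch-Finance(config-radius)# server 198.51.100.60
switch-Finance(config-radius)# use-vrf default
switch-Finance(config-radius)# exit
switch-Finance(config)# aaa authentication login default group FIN-RADIUS
switch-Finance(config)# end

! Verify that the VDC's services point only at the Finance servers and are reachable.
switch-Finance# show logging server
switch-Finance# show radius-server
switch-Finance# ping 198.51.100.60 vrf default
switch-Finance# switchback
```

The trade-off relative to out-of-band management is that the management path now shares the VDC's data-plane interface, so a fault or congestion on that department's network also affects its management access; the gain is that each department's authentication and logging stay entirely within its own VDC and network.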