Cisco N7K view ACL log

This example shows how to view the logs of the mgmt0-access ACL (the per-entry match counters come from "statistics per-entry"; only entry 500 carries the "log" keyword):

# sh ip access-lists
IP access list mgmt0-access
 statistics per-entry
 10 permit tcp addrgroup NOC addrgroup RouterBlock eq 22 [match=2611]
 20 permit udp addrgroup NOC addrgroup RouterBlock eq snmp [match=0]
 40 permit udp addrgroup NOC eq ntp addrgroup RouterBlock [match=0]
 50 permit tcp addrgroup NOC eq tacacs addrgroup RouterBlock [match=2055]
 60 permit tcp addrgroup NOC addrgroup RouterBlock eq www [match=0]
 500 permit ip addrgroup NOC addrgroup RouterBlock log [match=818]

To view the cached log entries of the logged ACL entry, use the following command:

# sh log ip access-list cache
Src IP          Dst IP          S-Port  D-Port  Src Intf  Protocol  Hits
------------------------------------------------------------------------------------------------
10.200.0.20     10.200.0.11     40196   161     mgmt0     (6)TCP    65
10.200.0.20     10.200.0.11     56267   80      mgmt0     (6)TCP    0
Number of cache entries: 2
--------------------------------------------------------------------------------
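As an added example (not from the original post), a small Python parser for this cache output: it re-joins the Hits value that a narrow terminal wraps onto its own line, then checks each cached flow against the explicit entries of mgmt0-access to show which flows only the logging catch-all (entry 500) accepted. The sample output and the ACE list are constructed from the ACL above; address groups are not modelled, which is an assumption of the example.

```python
import re
from collections import namedtuple
from typing import Optional

Flow = namedtuple("Flow", "src dst sport dport intf proto hits")
# Constructed sample of `show log ip access-list cache`, in the form a narrow
# terminal emits it: the Hits column wraps onto a line of its own.
CACHE_SAMPLE = """\
Src IP Dst IP S-Port D-Port Src Intf Protocol
 Hits
--------------------------------------------------------------------------------
----------------
10.200.0.20 10.200.0.11 40196 161 mgmt0 (6)TCP
 65
10.200.0.20 10.200.0.11 56267 80 mgmt0 (6)TCP
 0
Number of cache entries: 2
"""
# Per-flow line, once re-joined: src dst sport dport intf (proto-number)NAME hits
ENTRY_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d+)\s+(\d+)\s+(\S+)\s+\(\d+\)(\w+)\s+(\d+)$")
# Explicit permits of mgmt0-access as (seq, proto, src_port, dst_port); None = any.
# Address groups are not modelled (assumption). A cached flow matching none of
# these was accepted only by the catch-all "500 permit ip ... log" entry.
EXPLICIT_ACES = [(10, "TCP", None, 22), (20, "UDP", None, 161), (40, "UDP", 123, None),
                 (50, "TCP", 49, None), (60, "TCP", None, 80)]

def parse_cache(text: str) -> list:
    lines = []
    for raw in text.splitlines():
        s = raw.strip()
        if s.isdigit() and lines:
            lines[-1] += " " + s   # a bare number is a wrapped Hits value
        else:
            lines.append(s)
    flows = []
    for m in filter(None, map(ENTRY_RE.match, lines)):   # header/separator/trailer skipped
        src, dst, sp, dp, intf, proto, hits = m.groups()
        flows.append(Flow(src, dst, int(sp), int(dp), intf, proto, int(hits)))
    return flows

def explicit_ace(flow) -> Optional[int]:
    """Sequence of the first explicit ACE covering the flow's protocol and ports, else None."""
    for seq, proto, sp, dp in EXPLICIT_ACES:
        if flow.proto == proto and sp in (None, flow.sport) and dp in (None, flow.dport):
            return seq
    return None

def catch_all_flows(text: str) -> list:
    """Cached flows that no explicit entry covers: traffic only entry 500 permitted."""
    return [f for f in parse_cache(text) if explicit_ace(f) is None]
```

On the sample, the TCP/161 flow is reported as catch-all traffic (entry 20 only permits SNMP over UDP), which is the kind of flow worth reviewing before tightening entry 500.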


Nexus RBAC

When you log into an N5K or into the N7K default (system) VDC, the default user role assigned is “network-operator”. When you log into a non-default VDC, the default user role is “vdc-operator”.

To give the account more rights, the TACACS+ server has to return a shell:roles attribute with the role you need; you can also assign several roles at once:

shell:roles="\"network-admin vdc-admin\""
# sh user-account
user:admin
 this user account has no expiry date
 roles:vdc-admin
user:account1
 roles:vdc-operator
 account created through REMOTE authentication
 Credentials such as ssh server key will be cached temporarily only for this user account
 Local login not possible

After modifying your TACACS+ configuration, you need to clear the cached user account, otherwise the old roles stay in effect:

(config)# no username account1

The cached user disappears:

# sh user-account
user:admin
 this user account has no expiry date
 roles:vdc-admin

Verification, after the account logs in again:

# sh user-account
user:admin
 this user account has no expiry date
 roles:vdc-admin
user:account1
 roles:vdc-admin

Now your user has the correct rights.


How to remove a switch-profile

If you want to remove a switch-profile, you can use this command. Make sure you have a copy of the config before doing this, just in case 🙂

switch(config-sync)# no switch-profile <your profile> profile-only all

You have three possibilities:

# no switch-profile your_profile ?
 all-config Deletion of profile, local and peer configurations
 local-config Deletion of profile and local configuration
 profile-only Deletion of profile only and no other configuration

Estimate memory to allocate for IPv4 unicast route

Estimate the memory to allocate for a VDC (here for 600000 routes with 2 next-hops each):

# sh routing ipv4 unicast memory estimate routes 600000 next-hops 2
Shared memory estimates:
 Current max 96 MB; 36526 routes with 32 nhs
 Current max 96 MB; 32013 routes with 32 IPv6 nhs
 in-use 1 MB; 11 routes with 1 nhs (average)
 in-use 1 MB; 11 routes with 0 IPv6 nhs (average)
 Configured max 8 MB; 2651 routes with 32 nhs
 Configured max 8 MB; 2324 routes with 32 IPv6 nhs
 Estimate memory with fixed overhead: 215 MB; 600000 routes with 2 nhs and 0 IPv6 nhs
 Estimate with variable overhead included:
 - With MVPN enabled VRF: 233 MB
 - With OSPF route (PE-CE protocol): 267 MB
 - With EIGRP route (PE-CE protocol): 307 MB

N7K – Configure TACACS+ server

Example configuration for an N7K with redundant TACACS+ servers (x.x.x.x and y.y.y.y are placeholders for your server addresses):

tacacs+ distribute
tacacs-server key 7 "xxxxxxxx"
ip tacacs source-interface mgmt0
tacacs-server host x.x.x.x
tacacs-server host y.y.y.y
tacacs+ commit
aaa group server tacacs+ TACACS+Server
 server x.x.x.x
 server y.y.y.y
aaa authentication login default group TACACS+Server
aaa authorization commands default group TACACS+Server local
aaa accounting default group TACACS+Server