3.3(5) Role weirdness

Update on this issue: TAC has come back and said this is a documentation issue. The behavior of VSAN restrictions when using RBAC in 3.x has always been that show commands were restricted for any VSAN you did not have access to. You can only see a TE port if the VSAN you have access to is a member of it.

However, apparently this behavior has changed in 4.x. In NX-OS 4.x, show commands are not restricted by VSAN in RBAC, only config/exec commands. Version 3.3(5) behaves like 4.x in this regard, and so rather than fix it, since that is the new behavior anyway, they are leaving it alone. I disagree with this, however. This particular issue in 3.3(5) is when you do “show int brief”. It shows you TE ports that include the VSANs you have access to, Fx ports in the VSANs you have access to, E ports in the VSANs you don’t have access to, and does not show you TE ports in the VSANs you don’t have access to. So in other words, why hide the TE ports but not the E ports?

I found a bug the other day in 3.3(5), which was confirmed and logged by TAC as bug ID CSCth32151. Basically, if you're doing VSAN restrictions on roles, and you do the “show int brief” command, it shows you VSAN information you should not be able to see. This is on E ports. I believe it properly restricts for TE and Fx ports. Also, Device Manager properly blocks, but if you're logged into a role with only access to, say, VSAN 10 and VSAN 20, but there is an E port in VSAN 50, then it will show up. Not a big deal for lab work, but something to keep in mind. I do not recall this behavior when working with 3.2.
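
A check for the leak described above, as an added example that is not from the original post: it takes text captured from “show int brief” while logged in under the restricted role and lists rows whose port VSAN is outside the role's permitted set. The sample capture and its simplified column layout are constructed assumptions; TE rows are skipped because trunk VSAN membership is not visible in this view.

```python
import re

# Constructed sample: what a role limited to VSANs 10 and 20 might capture.
# The column layout is a simplified assumption, not real switch output.
SAMPLE = """\
Interface  Vsan  Admin  Status    Oper
                 Mode             Mode
fc1/1      10    FX     up        F
fc1/2      20    FX     up        F
fc1/3      50    E      up        E
fc1/4      1     E      trunking  TE
"""

# interface, port VSAN, admin mode, status, oper mode
ROW = re.compile(r"^(fc\d+/\d+)\s+(\d+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_rows(text):
    """Yield (interface, port_vsan, oper_mode) for each fc interface row."""
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are ignored
            yield m.group(1), int(m.group(2)), m.group(5)


def leaked_rows(text, allowed_vsans):
    """Return non-trunk rows whose port VSAN the role is not permitted to see."""
    allowed = set(allowed_vsans)
    leaks = []
    for intf, vsan, mode in parse_rows(text):
        if mode == "TE":
            # A TE port carries several VSANs; its port VSAN alone says
            # nothing about whether the role may see it, so skip it here.
            continue
        if vsan not in allowed:
            leaks.append((intf, vsan, mode))
    return leaks


if __name__ == "__main__":
    for intf, vsan, mode in leaked_rows(SAMPLE, {10, 20}):
        print(f"{intf}: {mode} port in VSAN {vsan} visible to restricted role")
```
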
