Home » Dell Manuals » Hubs & Switches » Dell MX5108n » Manual Viewer

Dell MX5108n OS10 Enterprise Edition User Guide for PowerEdge MX IO Modules Re - Page 474

Role-based access control, Assign user role

Add to My Manuals
Save this manual to your list of manuals

Page 474 highlights

- min-length number - Enter the minimum number of required alphanumeric characters (6 to 32; default 9). - character-restriction - Enter a requirement for the alphanumeric characters in a password: ◦ upper number - Minimum number of uppercase characters required (0 to 31; default 0). ◦ lower number - Minimum number of lowercase characters required (0 to 31; default 0). ◦ numeric number - Minimum number of numeric characters required (0 to 31; default 0). ◦ special-char number - Minimum number of special characters required (0 to 31; default 0). Create password rules OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2 Display password rules OS10(config)# do show running-configuration password-attributes password-attributes min-length 7 character-restriction upper 4 numeric 2 Role-based access control RBAC provides control for access and authorization. Users are granted permissions based on defined roles - not on their individual system user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter an enable password because you are automatically placed in EXEC mode. OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add commands a user can enter, and set the actions the user can perform. This allows greater flexibility when assigning permissions for each command to each role. Using RBAC is easier and more efficient to administer user rights. If a user's role matches one of the allowed user roles for that command, command authorization is granted. A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each role's permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events, audits, and security system logs. Assign user role To limit OS10 system access, assign a role when you configure each user. • Enter a user name, password, and role in CONFIGURATION mode. username username password password role role - username username - Enter a text string (up to 32 alphanumeric characters; 1 character minimum). - password password - Enter a text string (up to 32 alphanumeric characters; 9 characters minimum). - role role - Enter a user role: ◦ sysadmin - Full access to all commands in the system, exclusive access to commands that manipulate the file system, and access to the system shell. A system administrator can create user IDs and user roles. ◦ secadmin - Full access to configuration commands that set security policy and system access, such as password strength, AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic keys, login statistics, and log information. ◦ netadmin - Full access to configuration commands that manage traffic flowing through the switch, such as routes, interfaces, and ACLs. A network administrator cannot access configuration commands for security features or view security information. ◦ netoperator - Access to EXEC mode to view the current configuration. A network operator cannot modify any configuration setting on a switch. 474 System management

Section	Page
OS10 Enterprise Edition User Guide — PowerEdge MX I/O Modules Release 10.4.0E(R3S)	3
Getting Started	21
Supported Hardware	21
OS10 image for MX Ethernet I/O modules	21
Download OS10 image and license	22
Installation	23
Automatic installation	24
Manual installation	24
Log into OS10	25
Install OS10 license	26
Remote access	27
Configure Management IP address	27
Management Route Configuration	28
Configure user name and password	28
Upgrade OS10	29
CLI Basics	29
User accounts	29
Key CLI features	29
CLI command modes	30
CLI command hierarchy	30
CLI command categories	30
CONFIGURATION Mode	31
Command help	31
Check device status	33
Candidate configuration	35
Change to transaction-based configuration	38
Copy running configuration	38
Restore startup configuration	39
Reload system image	39
Filter show commands	40
Alias command	40
Batch mode commands	44
Linux shell commands	44
SSH commands	45
OS9 environment commands	46
Common commands	46
alias	46
alias (multi-line)	47
batch	48
boot	48
commit	49
configure	49
copy	49
default (alias)	51
delete	51
description (alias)	52
dir	52
discard	53
do	53
feature config-os9-style	53
exit	54
license	54
line (alias)	55
lock	55
management route	56
move	56
no	57
reload	57
show alias	57
show boot	59
show candidate-configuration	59
show environment	61
show inventory	62
show ip management-route	62
show ipv6 management-route	63
show license status	63
show running-configuration	64
show startup-configuration	66
show system	67
show version	69
start	69
system	70
system identifier	70
terminal	70
traceroute	71
unlock	72
write	72
PowerEdge MX Ethernet I/O modules	74
Operating modes	74
Changing operating modes	76
Restrictions	76
Port groups on I/O modules	76
Double-density QSFP28 interfaces	76
Virtual ports	79
Single-density QSFP28 interfaces	82
Server-facing interfaces	83
Interfaces	85
Ethernet interfaces	85
L2 mode configuration	85
L3 mode configuration	86
Fibre Channel interfaces	86
Management interface	88
VLAN interfaces	88
User-configured default VLAN	89
VLAN scale profile	89
Loopback interfaces	90
Port-channel interfaces	90
Create port-channel	91
Add port member	91
Minimum links	92
Assign Port Channel IP Address	92
Remove or disable port-channel	92
Load balance traffic	93
Change hash algorithm	93
Configure interface ranges	93
Switch-port profiles	94
S4148-ON Series port profiles	95
S4148U-ON port profiles	96
Unified port groups	97
Configure breakout mode	99
Breakout auto-configuration	99
Reset default configuration	100
Forward error correction	101
Energy-efficient Ethernet	102
Enable energy-efficient Ethernet	103
Clear interface counters	103
View EEE status/statistics	103
EEE commands	104
View interface configuration	107
Interface commands	110
channel-group	110
default interface	110
default vlan-id	113
description (Interface)	113
duplex	114
feature auto-breakout	114
fec	115
interface ethernet	115
interface loopback	115
interface mgmt	116
interface null	116
interface port-channel	116
interface range	117
interface vlan	117
link-bundle-utilization	118
mode	118
mode l3	119
mtu	120
port-group	120
scale-profile vlan	121
show discovered-expanders	121
show interface	122
show inventory media	123
show link-bundle-utilization	124
show port-channel summary	124
show port-group	125
show switch-operating-mode	126
show switch-port-profile	126
show unit-provision	126
show vlan	127
shutdown	127
speed (Fibre Channel)	128
speed (Management)	128
switch-port-profile	129
switchport access vlan	131
switchport mode	131
switchport trunk allowed vlan	132
unit-provision	132
Fibre channel	134
Fibre Channel over Ethernet	134
Configure FIP snooping	135
Terminology	136
Virtual fabric	136
Fibre Channel zoning	139
F_Port on Ethernet	141
F_Port, NPG, and FCoE commands	141
clear fcoe database	141
clear fcoe statistics	141
fc alias	142
fc zone	142
fc zoneset	143
fcoe	143
fcoe max-sessions-per-enodemac	144
feature fc	144
feature fc npg	144
feature fip-snooping	145
fip-snooping enable	145
fip-snooping fc-map	145
fip-snooping port-mode fcf	146
member (alias)	146
member (zone)	147
member (zoneset)	147
name	147
show fc alias	148
show fc ns switch	148
show fc statistics	149
show fc switch	150
show fc zone	150
show fc zoneset	151
show fcoe enode	152
show fcoe fcf	152
show fcoe sessions	153
show fcoe statistics	153
show fcoe system	154
show fcoe vlan	154
show npg devices	154
show running-config vfabric	155
show vfabric	156
vfabric	157
vfabric (interface)	157
vlan	157
zone default-zone permit	158
zoneset activate	158
Layer 2	159
802.1X	159
Port authentication	160
EAP over RADIUS	161
Configure 802.1X	161
Enable 802.1X	162
Identity retransmissions	163
Failure quiet period	164
Port control mode	164
Reauthenticate port	165
Configure timeouts	166
802.1X commands	167
Link aggregation control protocol	172
Modes	172
Configuration	172
Interfaces	173
Rates	173
Sample configuration	174
LACP commands	177
Link layer discovery protocol	183
Protocol data units	183
Optional TLVs	184
Organizationally-specific TLVs	185
Media endpoint discovery	186
Network connectivity device	186
LLDP-MED capabilities TLV	186
Network policies TLVs	187
Define network policies	188
Packet timer values	188
Disable and re-enable LLDP	189
Disable and re-enable LLDP on management ports	190
Advertise TLVs	190
Network policy advertisement	191
Fast start repeat count	191
View LLDP configuration	192
Adjacent agent advertisements	193
Time to live	194
LLDP commands	194
Media Access Control	206
Static MAC Address	206
MAC Address Table	207
Clear MAC Address Table	207
MAC Commands	208
Multiple spanning-tree protocol	210
Configure MST protocol	211
Create instances	211
Root selection	213
Non-Dell hardware	213
Region name or revision	213
Modify parameters	214
Interface parameters	215
Forward traffic	215
Spanning-tree extensions	216
Debug configurations	218
MST commands	218
Rapid per-VLAN spanning-tree plus	228
Load balance and root selection	229
Enable RPVST+	229
Select root bridge	230
Root assignment	231
Loop guard	232
Global parameters	232
RPVST+ commands	233
Rapid spanning-tree protocol	241
Enable globally	241
Global parameters	242
Interface parameters	243
Root bridge selection	244
EdgePort forward traffic	245
Spanning-tree extensions	245
RSTP commands	247
Virtual LANs	253
Default VLAN	253
Create or remove VLANs	254
Access mode	255
Trunk mode	256
Assign IP address	256
View VLAN configuration	257
VLAN commands	259
Port monitoring	260
Local port monitoring	260
Remote port monitoring	261
Encapsulated remote port monitoring	263
Flow-based monitoring	264
Remote port monitoring on VLT	265
Port monitoring commands	266
Layer 3	272
Border gateway protocol	272
Sessions and peers	273
Route reflectors	274
Multiprotocol BGP	274
Attributes	275
Selection criteria	275
Weight and local preference	276
Multiexit discriminators	277
Origin	277
AS path and next-hop	278
Best path selection	278
More path support	279
Advertise cost	279
4-Byte AS numbers	280
AS number migration	280
Configure border gateway protocol	281
Enable BGP	281
Configure Dual Stack	283
Peer templates	283
Neighbor fall-over	285
Fast external fallover	286
Passive peering	288
Local AS	288
AS number limit	289
Redistribute routes	290
Additional paths	290
MED attributes	291
Local preference attribute	291
Weight attribute	292
Enable multipath	293
Route-map filters	293
Route reflector clusters	293
Aggregate routes	294
Confederations	295
Route dampening	296
Timers	297
Neighbor soft-reconfiguration	297
BGP commands	298
Equal cost multi-path	323
Load balancing	323
ECMP commands	323
IPv4 routing	326
Assign interface IP address	326
Configure static routing	327
Address resolution protocol	328
IPv4 routing commands	328
IPv6 routing	332
Enable or disable IPv6	332
IPv6 addresses	333
Stateless autoconfiguration	334
Neighbor discovery	335
Duplicate address discovery	336
Static IPv6 routing	337
IPv6 destination unreachable	337
IPv6 hop-by-hop options	338
View IPv6 information	338
IPv6 commands	338
Internet group management protocol	349
IGMP snooping	349
IGMP snooping commands	352
Open shortest path first	357
Autonomous system areas	357
Areas, networks, and neighbors	358
Router types	359
Designated and backup designated routers	360
Link-state advertisements	360
Router priority	361
Shortest path first throttling	362
OSPFv2	363
OSPFv3	394
Object tracking manager	413
Interface tracking	414
Host tracking	415
Set tracking delays	416
Object tracking	416
View tracked objects	416
OTM commands	417
Policy-based routing	420
Policy-based route-maps	420
Access-list to match route-map	420
Set address to match route-map	420
Assign route-map to interface	421
View PBR information	421
PBR commands	422
Virtual routing and forwarding	424
Configure management VRF	424
VRF commands	426
Virtual router redundancy protocol	430
Configuration	431
Create virtual router	432
Group version	432
Virtual IP addresses	433
Configure virtual IP address	433
Set group priority	434
Authentication	435
Disable preempt	435
Advertisement interval	436
Interface/object tracking	437
Configure tracking	437
VRRP commands	438
UFT modes	444
Configure UFT modes	444
UFT commands	445
hardware forwarding-table mode	445
show hardware forwarding-table mode	445
show hardware forwarding-table mode all	446
System management	447
Dynamic host configuration protocol	447
Packet format and options	447
DHCP server	448
Automatic address allocation	449
Hostname resolution	450
Manual binding entries	451
DHCP relay agent	451
View DHCP Information	452
System domain name and list	452
DHCP commands	453
DNS commands	458
Network time protocol	460
Enable NTP	460
Broadcasts	461
Source IP address	461
Authentication	462
NTP commands	463
System clock	468
System Clock commands	468
User session management	470
User session management commands	470
Telnet server	471
Telnet commands	472
Security	472
User re-authentication	473
Password strength	473
Role-based access control	474
Assign user role	474
RADIUS authentication	475
TACACS+ authentication	475
SSH Server	476
Virtual terminal line	477
Enable login statistics	477
Security commands	478
Simple network management protocol	490
SNMP commands	490
Uplink Failure Detection	492
Configure uplink failure detection	493
UFD commands	494
OS10 image upgrade	498
Boot system partition	498
Upgrade commands	499
Access Control Lists	504
IP ACLs	504
MAC ACLs	505
IP fragment handling	505
IP fragments ACL	505
L3 ACL rules	506
Permit ACL with L3 information only	506
Deny ACL with L3 information only	506
Permit all packets from host	506
Permit only first fragments and non-fragmented packets from host	506
Assign sequence number to filter	506
User-provided sequence number	507
Auto-generated sequence number	507
L2 and L3 ACLs	507
Assign and apply ACL filters	508
Ingress ACL filters	509
Egress ACL filters	509
Clear access-list counters	510
IP prefix-lists	510
Route-maps	511
Match routes	512
Set conditions	512
continue Clause	513
ACL flow-based monitoring	513
Flow-based mirroring	513
Enable flow-based monitoring	514
ACL commands	515
clear ip access-list counters	515
clear ipv6 access-list counters	515
clear mac access-list counters	516
deny	516
deny (IPv6)	517
deny (MAC)	517
deny icmp	518
deny icmp (IPv6)	519
deny ip	519
deny ipv6	520
deny tcp	520
deny tcp (IPv6)	521
deny udp	522
deny udp (IPv6)	523
description	524
ip access-group	524
ip access-list	524
ip as-path access-list	525
ip community-list standard deny	526
ip community–list standard permit	526
ip extcommunity-list standard deny	527
ip extcommunity-list standard permit	527
ip prefix-list description	527
ip prefix-list deny	528
ip prefix-list permit	528
ip prefix-list seq deny	529
ip prefix-list seq permit	529
ipv6 access-group	530
ipv6 access-list	530
ipv6 prefix-list deny	530
ipv6 prefix-list description	531
ipv6 prefix-list permit	531
ipv6 prefix-list seq deny	532
ipv6 prefix-list seq permit	532

Match case Limit results 1 per page

–

min-length

number

— Enter the minimum number of required alphanumeric characters (6 to 32; default 9).

–

character-restriction

— Enter a requirement for the alphanumeric characters in a password:

◦

upper

number

— Minimum number of uppercase characters required (0 to 31; default 0).

◦

lower

number

— Minimum number of lowercase characters required (0 to 31; default 0).

◦

numeric

number

— Minimum number of numeric characters required (0 to 31; default 0).

◦

special-char

number

— Minimum number of special characters required (0 to 31; default 0).

Create password rules

OS10(config)# password-attributes min-length 7 character-restriction upper 4 numeric 2

Display password rules

OS10(config)# do show running-configuration password-attributes

password-attributes min-length 7 character-restriction upper 4 numeric 2

Role-based access control

RBAC provides control for access and authorization. Users are granted permissions based on

deﬁned

roles — not on their individual system

user ID. Create user roles based on job functions to help users perform their associated job function. You can assign each user only a single

role, and many users can have the same role. When you enter a user role, you are authenticated and authorized. You do not need to enter

an enable password because you are automatically placed in EXEC mode.

OS10 supports the constrained RBAC model. With this model, you can inherit permissions when you create a new user role, restrict or add

commands a user can enter, and set the actions the user can perform. This allows greater

ﬂexibility

when assigning permissions for each

command to each role. Using RBAC is easier and more

eﬃcient

to administer user rights. If a user’s role matches one of the allowed user

roles for that command, command authorization is granted.

A constrained RBAC model provides separation of duty as well as greater security. A constrained model places some limitations on each

role’s permissions to allow you to partition tasks. Some inheritance is possible. For greater security, only some user roles can view events,

audits, and security system logs.

Assign user role

To limit OS10 system access, assign a role when you

conﬁgure

each user.

•

Enter a user name, password, and role in CONFIGURATION mode.

username

password

role

–

username

— Enter a text string (up to 32 alphanumeric characters; 1 character minimum).

–

password

— Enter a text string (up to 32 alphanumeric characters; 9 characters minimum).

–

role

— Enter a user role:

◦

sysadmin

— Full access to all commands in the system, exclusive access to commands that manipulate the

ﬁle

system, and

access to the system shell. A system administrator can create user IDs and user roles.

◦

secadmin

— Full access to

conﬁguration

commands that set security policy and system access, such as password strength,

AAA authorization, and cryptographic keys. A security administrator can display security information, such as cryptographic

keys, login statistics, and log information.

◦

netadmin

— Full access to

conﬁguration

commands that manage

traﬃc

ﬂowing

through the switch, such as routes,

interfaces, and ACLs. A network administrator cannot access

conﬁguration

commands for security features or view security

information.

◦

netoperator

— Access to EXEC mode to view the current

conﬁguration.

A network operator cannot modify any

conﬁguration

setting on a switch.

474

System management