Cisco N5K-C5010P-BF Troubleshooting Guide - Page 131
Role's interface or VLAN policy does not appear to work correctly
Chapter 6 Troubleshooting Security Issues: Roles

When a user-defined role is assigned to a user account and the role's interface or VLAN policy is set to deny access to a certain interface, the user account can still use show commands to display the configuration, status, settings, or statistics of the access-denied interface or VLAN.

Possible Cause
You are checking the interface or VLAN role policy with CLI commands such as show interface brief or show vlan.

Solution
RBAC does not filter the output of show commands. Interface or VLAN role policies apply only to configuration or operational commands.

Possible Cause
You are not assigned to the role properly.

Solution
• Check the user role assignment with the show user-account command.
• Verify the role definition with the show role name command.

Assigning multiple roles to a single user does not seem to work correctly

When a user account is assigned multiple roles, the user can access commands that are denied by one of the assigned roles. This gives the appearance that the command parser does not work with multiple roles.

Possible Cause
You might expect that multiple roles on the same user account are parsed sequentially.

Solution
The NX-OS design parses multiple roles as a union-to-permit function: each command is examined and compared against all of the user's roles. If any of the roles permits the command, the CLI allows the user to continue. For example, if a role permits the interface eth1/1 command, the CLI allows you to enter the interface eth1/1 configuration mode. Each role applies its own policies (that is, interface, VLAN, VSAN, and so on) separately. If a role has an interface policy that denies eth1/1, as in the example, that role rejects the command, but another role might have a different interface policy that allows the same interface.
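The following Python model is an added illustration, not code from the Cisco guide or from NX-OS. It reproduces only the behaviour the text states: each command is checked against every assigned role, the command succeeds if any one role permits it, each role applies its interface policy on its own, and show output is not filtered. The role names (eth-restricted, eth-all), the command keywords and the interface identifiers are constructed for the example.

```python
"""Illustrative model (added example, not NX-OS code) of the union-to-permit
evaluation described in the troubleshooting guide: every command is checked
against each assigned role and is permitted if ANY role permits it. Each role
applies its own interface policy separately, and show commands are never
filtered by interface/VLAN policy. Role names, command keywords and interface
identifiers below are constructed for this example."""

from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Role:
    name: str
    # Command keywords this role may execute (first word of the command line).
    permitted_commands: frozenset
    # Interface policy: None means the role may configure any interface;
    # otherwise only the listed interfaces are permitted.
    allowed_interfaces: Optional[frozenset] = None


def role_permits(role: Role, command: str, interface: Optional[str] = None) -> bool:
    """Evaluate one role on its own, applying its interface policy."""
    keyword = command.split()[0]
    if keyword not in role.permitted_commands:
        return False
    # RBAC does not filter display commands: a permitted 'show' succeeds even
    # for an interface the role's policy denies (first problem on this page).
    if keyword == "show":
        return True
    if interface is not None and role.allowed_interfaces is not None:
        return interface in role.allowed_interfaces
    return True


def permitting_roles(roles: List[Role], command: str, interface: Optional[str] = None) -> List[str]:
    """Union-to-permit: names of every assigned role that permits the command."""
    return [r.name for r in roles if role_permits(r, command, interface)]


def is_allowed(roles: List[Role], command: str, interface: Optional[str] = None) -> bool:
    """The CLI lets the user continue if at least one role permits the command."""
    return bool(permitting_roles(roles, command, interface))


# Constructed roles: one whose interface policy allows only eth1/2 (so eth1/1
# is denied), and one with no interface policy at all.
RESTRICTED = Role("eth-restricted", frozenset({"interface", "show"}), frozenset({"eth1/2"}))
UNRESTRICTED = Role("eth-all", frozenset({"interface"}))


def demo() -> dict:
    """Reproduce the situations the guide describes."""
    return {
        # Only the restricted role: its interface policy denies eth1/1.
        "restricted_config_eth1/1": is_allowed([RESTRICTED], "interface eth1/1", "eth1/1"),
        # Both roles: eth-all permits eth1/1, so the union allows it despite the deny.
        "both_roles_config_eth1/1": permitting_roles(
            [RESTRICTED, UNRESTRICTED], "interface eth1/1", "eth1/1"
        ),
        # show is not filtered by the interface policy.
        "restricted_show_eth1/1": is_allowed([RESTRICTED], "show interface eth1/1", "eth1/1"),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The point for an administrator auditing access is the one the guide makes: a deny in one role's interface policy is not an effective restriction while another assigned role permits the same interface, so review the full set of roles with show user-account and each definition with show role name rather than reasoning about a single role.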
Change to role configuration does not get applied

When a user account is assigned to a role and you are logged in to the Nexus 5000 switch, changes made to the role configuration do not get applied immediately.

Possible Cause
While a user account is logged in and has been assigned to role A, the administrator makes some changes to role A with the expectation that the change would immediately affect the logged-in user. However, the user is not assigned to the role properly.

OL-25300-01 Cisco Nexus 5000 Series Troubleshooting Guide 6-3